Protecting your LAN is no longer Optional

Jun 3
15:47

2008

Sandra Prior

Sandra Prior

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

The Internet can be a powerful mix of intoxicating constituents that works wonders for your bottom line. Or it can be absolutely no use whatsoever. To run every aspect of your business off the next millenium's most powerful business tools, you're going to need a database driven website, a firewall, data encryption software and an Intra and Extranet.

mediaimage

The ever-increasing threat presented by viruses and crackers necessitates a hard-line approach to controlling access to your data.

Your LAN is one of your most precious assets. In fact,Protecting your LAN is no longer Optional Articles all the information on it and all the information that passes through it can be thought of as the blood of your company. Not too long ago, your only method of protecting it was to make sure that any disks brought into the company weren’t infected with viruses and to ensure that any disks leaving the company were safeguarded against your competitors.

Then came the Internet – a vast resource and an excellent medium for trading and communicating – and with it a populace of competitors, brazen crackers and people who enjoyed defacing property. Now that you’re connected, there’s a whole new game to play – a game that involves controlling who accesses what data. In short, you’re looking at firewalls. So what exactly is a firewall and why do you need one?

The main function of a firewall is to keep out all the vandals and pirates while you get your work done. Quite simply, it is a system that enforces an access control policy between two networks, most notably the Internet and your LAN. Most companies, particularly large ones, should already have some sort of security in place. And if those organizations are connected to the Internet, then a firewall should be functioning as an important aspect of that security policy as a whole.

Although many companies considering Internet access are concerned about the violation of data and decreased employee productivity, there are ways to prevent this. And a firewall, developed as it is around concept of filtering your Internet traffic, is the best way to do this.

A firewall probably is best described as a two-way filtering system that controls which resources are permitted on your network and which are denied. For instance, you may not want to block external access to your web server where you perform advertising tasks and online commerce, and you probably don’t want to block email as a resource. But, you do want to prevent unauthorized interactive logins from outside, and you may well want to prevent people on your network from browsing pornographic and gaming sites. Ultimately, your firewall controls the traffic coming in and the traffic going out.

In addition to that, your firewall provides you with an auditing tool, by which you can monitor all the traffic moving in and out of your network. The firewall should be able to provide the administrator with summaries of data including information such as the number of break-in attempts and from where they appear to come from. Essentially, your firewall is the last outpost on your network, and should anything go wrong, you should simply be able to pull the power and stop all network traffic between your LAN and the outside world.

The Ground Work

While all this may sound very neat and easy to implement, there are a number of considerations that should be taken into account before you kill the budget on a package that isn’t really designed to meet your needs. Among these are firewall objectives which will help clarify what you need and how much you’re willing to spend to meet that need.

The first thing you need to do is to outline your level of paranoia. Are you going to permit only mission critical Internet connections and deny all other services, or are you looking for a method of auditing and monitoring your connections? This should be seen as a method of establishing the risk factor involved in giving your LAN Internet connectivity. Once you have established this, you’re in a position to draw up an implementation checklist that will outline which services you’re going to permit and which you’re going to deny.

You can also identify which services you’re going to monitor and which will help you to clarify the focus of your network traffic. When this is done, you can develop a risk assessment of your policy with which your management should be happy. Finally, you need to establish the amount of control, monitoring, and maintenance that you’re looking for, and with that down, you’re ready to start browsing the marketplace for appropriate software.

Unfortunately, it’s not as simple as browsing through a couple of boxes with pretty logos and then selecting the one with the gold-embossed brand name.

The Firewalls

Today, you’re looking at two types of firewall. The first is the Network Layer Firewall which deals mostly with routing rules. In other words, when a packet of data arrives at the firewall it checks to see where it came from, where it is going, what it is used for, and then decides whether or not it is authorized.

The second is the Application Layer Firewall, which consists of proxy servers that prevent direct traffic between networks. Proxies tend to perform elaborate logging and auditing of all the network traffic intended to pass between the LAN and the Internet, and then cache information so that the client accesses it internally rather than directly from the source. Outgoing data is received from the proxy and not from the actual machine inside the network that is providing the information. Basically, an Application Layer Firewall acts as an ambassador for your LAN to the Internet.

Although the two firewalls are conceptually different, in an effort to provide a thorough product, many modern firewall packages do attempt to integrate the two. Obviously, there are pros and cons associated with each type of firewall.

A simple firewall exists in the form of a router on the network layer. However, actual routers don’t tend to make particularly sophisticated decisions about the content or source of a data packet. Recently, firewalls of this nature have become far more complex, and now many attempt to monitor the actual content of data streams and the services they make use of, while also checking for IP or DNS (Domain Name Service) spoofing.

The most distinguishable feature of a Network Layer firewall is its ability to allow IP traffic to pass through it. Unfortunately, that your network is probably going to need an assigned IP address block which can be difficult to obtain. Fortunately, Network Layer Firewalls are almost completely transparent and anyone using your LAN will not even be aware of its presence.

From here, you can look at connecting various subnets all behind the firewall. And the only configuration that is going to take place is at the actual firewall itself. Since they are performing routing tasks rather than actually reading or writing data, or running services, the system requirements are minimal and they tend to run very fast.

A proxy server or Application Layer Firewall will be the only Internet connected machine on your LAN. For the rest of the machines connected to the proxy server, Internet connectivity is just simulated. There are several benefits to this; you can for instance, limit internal access to the Internet, identifying which sites your LAN may and may not visit, and what services your LAN can actually use. The caching service provided by the proxy also means that you’re saving on bandwidth. Subsequently browsing popular web sites becomes a lot quicker.

As mentioned, proxies provide more than adequate logs. And because no other machines on the network are effectively connected to the Internet, you don’t need valid IP addresses for every machine. So, Application Layer Firewalls are very effective for small office environments that are not connected with a leased line and have allocated IP address blocks. In fact, your proxy server can even perform dial-up connections on behalf of your LAN, and manage all your LAN’s email and any other Internet requests.

The downside is quite dramatic, though. Since no traffic is allowed on to the Internet, any machine on the network that requires Internet access needs to be configured for the proxy. A proxy server hardly ever functions at a level completely transparent to your users. Furthermore, a proxy has to provide all the services that a user on the LAN uses, which means that you’ve got a lot of server-type software running for each request. This results in a slower performance than you would get out of a Network Layer Firewall. You’re also looking at lots of RAM to match the system requirements. Furthermore, because proxy servers do not provide the same kind of flexibility as a Network Layer Firewall, they tend to enforce a relatively conservative security policy on your network.

Systems Management

Unix-based operating systems have always been the favorite for firewall implementation, chiefly because their system requirements are relatively low (therefore freeing up resources for the firewall itself). Unix platforms also support routing facilities and there have been significant developments in the production of high quality material on the network layer. And, a lot of it is free.

However, Unix systems are not particularly user-friendly, and configuring a firewall is not an easy task to undertake. If you’re looking at this option you’re also going to be looking for an experienced Unix technician.

Remember that to be really effective, your firewall needs to form part of both a comprehensive and integrated security policy. After all, it’s no good having an iron door to a wooden house.