Forrester analyst outlines types of firewalls on the market and deployment strategies for large and small organizations.
By Johanna Ambrosio
All companies need firewalls these days, large or small. Even security-conscious behemoths such as Microsoft Corp. have been hacked, and the different variants of the Code Red virus rightly have everyone up in arms.
Depending on the size of your company and how much money you're willing to spend on securing your information, there are different types of firewalls that come packaged with various features and functions. But it's also important to keep in mind that there's no absolute security, or silver bullet, to keeping your organization completely safe.
That said, however, Frank Prince, senior analyst at Forrester Research Inc. in Cambridge, Mass., feels very strongly that only the largest companies, or those with the most complex needs, should select and implement a firewall without outside help. His advice to almost everyone else is to outsource.
Prince explains why, and gives more background about firewalls, in this interview with TechTarget.
TechTarget: What are the different types of firewalls?
Prince: All firewalls act as a perimeter access-control device. They
let some people into a network of computer systems, and they keep some people out.
Firewalls are classified into three different levels: packet-level
firewalls that don't keep a history of who's talking to whom;
stateful inspection firewalls that keep low-protocol records (at the
IP level); and proxy firewalls that do take history into account.
Proxy firewalls have higher protocols carried on low-level
protocols, like e-mail or HTML. So the differences have to do with
whether the firewall takes history into account, as well as the
level of protocol that the firewall handles.
TechTarget: How else do firewalls differ, in terms of features and
functions?
Prince: It mostly comes down to packaging differences -- how much
tailoring of the firewall is allowed. There are highly flexible and
configurable firewalls (like those from Check Point Software) that
operate on dedicated computer systems. These are generally used by
organizations with the need to specifically configure the firewalls
for their own purposes -- and the resources to do so. At the other
end of the spectrum are firewalls that come as part of an appliance
or some other system, like those from Sonicwall Inc. or Linksys
Group Inc., and that have limited configurability. These are
generally made to drop into the home and SOHO environments. Then you
have everything in between, depending on what is needed. Cisco, for
instance, builds its firewall into routers and VPNs.
TechTarget: Should companies look at different types of firewalls,
or will one do the trick?
Prince: Global organizations will generally have all three types of
firewall. They have to think about different groups within the
company, and these various groups might have different security
needs. A large branch office might need something more sophisticated
than will a small branch office, which needs something entirely
different from corporate headquarters. If you're setting up a global
extranet, you'll need a firewall that is big and flexible. Also keep
in mind companies like Nokia, which packages a number of things in a
kind of firewall appliance, but with more configurability and at a
range of prices. So they're bridging the medium to high end with a
number of firewalls.
TechTarget: What other firewall-related considerations should
companies think about?
Prince: Most companies simply don't have the human resources needed
to choose, install and maintain a firewall -- and most aren't
particularly honest with themselves regarding their abilities in
these areas. Expect to dedicate a minimum of two people to the
firewall: one to handle the business and contractual end; another to
handle the technical details and be the interface to your
subcontractors. This technical person will need to monitor logs,
handle setting up access rights for individual users, and so on. But
two people are the minimum investment you can make. So we strongly
suggest that the majority of organizations get help and outsource
this. Most small and medium-sized enterprises should probably not be
doing this themselves.
TechTarget: What's your advice for those bound and determined to
roll their own?
Prince: I hesitate to give blanket guidelines. Any kind of little
checklist is going to be insensitive to the real needs of the
company. I suggest that organizations draw on places like the SANS
Institute and make use of the online and training resources there.
They should dedicate a person to understanding the organizational
needs and the technological alternatives, and then tailor the
solution to what they've learned about what the company needs. And
this person needs to be well placed in the company, so he or she can
tap into what's really going on and what the real needs are. The
dedicated person also has to have management support to get the
budget he or she needs for people and technology.
Also keep in mind that there is no absolute security. There's no
protection, just some amount of reduction of risk. Companies
generally don't feel insecure until they're violated.
Ambrosio is a freelance writer in Marlborough, MA. Reach her at
mailto:jambrosio@mediaone.net.
MORE INFORMATION ON THIS TOPIC:
Visit Search Security.com's best web links section on firewalls.
You'll also find tons of resources in SearchNetworking.com's firewalls and security devices category.
