How to assess Firewall Strategies and Goals

The first step in designing a secure firewall strategy is to physically secure the firewalls themselves. Entire networks have been brought down because a cleaning person turned off a server in the middle of the night to save power. Read the following paragraph to learn more about the importance of physical security.

Many corporations or organizations have implemented sophisticated solutions, only to have the policy defeated because the actual machine was not physically secured. Commonly, an organization will place its firewall and network in a public area, exposing it to tampering. Others will forget to restrict access to otherwise secure rooms. Often, a hacker will use a non-Internet security breach to open an Internet security hole through which to breach a system. Such breaches might include:

1. An open door to the room containing the firewall equipment,
2. An employee who removes or introduces information manually,
3. An employee who divulges passwords and other information,
4. Or an employee who accidentally gives the network a virus.

In addition, you should ensure that the firewall:

1. Configures the most comprehensive and extensive monitoring tools on the choke points^[1]
2. Implements some type of logging, preferable at every device in your firewall
3. Uses firewall tokens or a reverse lookup on an IP address to verify the user point of origin
4. Incorporates the account database for user authentication
5. Is using the most current intrusion detection^[2] modules
   
6. Uses comprehensive logging devices and techniques
7. Provides alarm mechanisms such as a visible or audible alert from your computer
8. Responds to unacceptable activity by breaking the TCP/IP connection or automatically setting off alarms

Firewalls allow for end-user authentication. Most proxy servers provide integration with a user account database. The proxy can also use the account database to provide more detailed logs by providing information based on users and group memberships.

Intrusion detection is used to compare incoming packets to previously received ones during a connection and alert the administrator of inconsistencies. Intrusion detection is the natural progression of what was Checkpoint's stateful inspection

It is well known that packet filters and application-level gateways have difficulties filtering UDP. This is because UDP is stateless. In fact, packet filters are also stateless, meaning that they traditionally do not have the ability to track past connections and transactions. The result is that they cannot correlate attacks that occur over periods of time.
Stateful inspection (also called stateful multi-layer inspection), a term introduced by CheckPoint Corporation, allows a firewall to analyze packets and view them in context. This means that if it is able to capture a particular series of connections, it can effectively store these in a database, then refer to back this database during similar, subsequent connections. Stateful inspection also looks deeper into packets, viewing different UDP and TCP information. Once it finds a pattern of activity, it can then make decisions based on the rules you create. The word "multi-layer" refers to its ability to track activity at various levels of the OSI, particularly the application and session levels. If a pattern analyzed over a period of time meets a rule, then it can be blocked or allowed, depending upon how that particular firewall processes its rules. Stateful multi-layer inspection occurs at a firewall, and is generally meant as an enhancement to packet filters, but has also been applied to application gateways, as well. Many firewall manufacturers, including Cisco (PIX), Axent (Raptor), and Network Associates (Guardian) have also adopted this technology.

Some firewalls are now providing virtual private network (VPN)^[3] services. VPNs extend a company's network over a public medium such as the Internet. Because anyone with access to the public medium could eavesdrop on the data as it travels over the network, all data transmitted over a VPN is encrypted. The VPN encapsulates all the encrypted data within an IP packet and routes it normally over the Internet.

[1]Choke point:An intersection between a company's private and a public network used to monitor, filter, and verify all inbound and outbound traffic.

[2]Intrusion detection: Intrusion detection is a relatively new technology used with firewalls. It allows firewalls to perform specified actions when suspicious activity occurs.

[3](VPN)Virtual Private Network: An extended local area network (LAN) that enables an organization to conduct secure, real-time communication.