FEATURE

The State of Security 2000

October 4, 1999

Firewalls: They're essential, but they're also not enough

If you are going to take a private network and connect it to an untrusted network, such as the Internet, you'd better have a firewall acting as your front door; it's your only hope of having some control over what gets in. If you store valuable information on your network, a skilled hacker anywhere in the world can take a shot at it any time of the day or night. Or, some kid may stumble across your network and try to put it out of commission just because he or she can.

One popular misconception about firewalls is that they guarantee protection of a network. Although a firewall is certainly a requirement, it will not by itself ensure that your network is secure. A firewall does not have mystical powers. It lets some packets in, and keeps some out. The important thing to remember is that as soon as you let some packets in, even if they travel through a firewall, you are putting your network at risk. This is why it's crucial that you have technical experts on hand who can understand which packets absolutely have to be allowed in, and how to minimize the risks implied by letting them pass into your network.
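The two points above, that a ruleset should admit only the packets that absolutely have to be allowed in and that an admitted packet can still be an attack, are easiest to see in a small first-match packet filter. The following is an added example written for this page, not code from the article or from any vendor it names. The addresses (RFC 5737 documentation ranges), the internal network, the ruleset and the sample packets are all constructed for the illustration.

```python
# Added example: a minimal first-match packet filter with a default-deny policy.
# It decides on header fields alone (interface, protocol, addresses, port), so a
# packet it allows can still carry an attack in its payload. All addresses,
# rules and packets below are hypothetical, constructed for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")   # assumed private address space behind the firewall
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" = arrived from the Internet, "int" = arrived from inside
    proto: str            # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int]  # None for protocols without ports
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    iface: str            # "ext", "int" or "any"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any port
    comment: str

    def matches(self, p: Packet) -> bool:
        return (
            self.iface in ("any", p.iface)
            and self.proto in ("any", p.proto)
            and p.src in self.src
            and p.dst in self.dst
            and (self.dport is None or self.dport == p.dport)
        )


# Hypothetical ruleset, evaluated top to bottom, first match wins:
# anti-spoofing first, then only the services that must be reachable from
# outside, then unrestricted outbound traffic, then an explicit catch-all deny.
RULES = [
    Rule("deny",  "ext", "any", INTERNAL, ANY, None, "anti-spoof: internal source address arriving from outside"),
    Rule("allow", "ext", "tcp", ANY, ip_network("203.0.113.10/32"), 80, "public Web server"),
    Rule("allow", "ext", "tcp", ANY, ip_network("203.0.113.25/32"), 25, "inbound SMTP relay"),
    Rule("allow", "int", "any", INTERNAL, ANY, None, "outbound from inside"),
    Rule("deny",  "any", "any", ANY, ANY, None, "default deny"),
]


def decide(p: Packet, rules=RULES) -> str:
    """Return the action ("allow"/"deny") of the first rule matching p.

    Only header fields are consulted; the payload is never examined. That is
    why an allowed packet can still be an attack on the service behind it.
    """
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # unreachable with the catch-all rule; kept as a safety net


def looks_like_web_attack(payload: bytes) -> bool:
    """Crude application-layer check, constructed for the example, that a packet
    filter does not perform: flag directory traversal in an HTTP request line."""
    request_line = payload.split(b"\r\n", 1)[0].lower()
    return b"../" in request_line or b"%2e%2e" in request_line


# Constructed sample packets as seen on the external interface.
OUTSIDE = ip_address("198.51.100.7")
SAMPLES = {
    "ssh_to_internal": Packet("ext", "tcp", OUTSIDE, ip_address("10.1.2.3"), 22),
    "spoofed_source": Packet("ext", "tcp", ip_address("10.0.0.5"), ip_address("203.0.113.10"), 80),
    "web_ok": Packet("ext", "tcp", OUTSIDE, ip_address("203.0.113.10"), 80,
                     b"GET /index.html HTTP/1.0\r\n\r\n"),
    "web_traversal": Packet("ext", "tcp", OUTSIDE, ip_address("203.0.113.10"), 80,
                            b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
}


def report(samples=SAMPLES):
    """Map each sample name to (firewall decision, payload flagged by the app check)."""
    return {name: (decide(p), looks_like_web_attack(p.payload)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (action, flagged) in report().items():
        print(f"{name:18} firewall={action:5} app_check_flagged={flagged}")
```

Running the block shows the SSH attempt at an internal host and the spoofed packet stopped by the filter, while both HTTP requests to the Web server are allowed: the traversal attempt is indistinguishable from a normal request at the packet level, and only the application-layer check notices it. That is the practical meaning of "minimize the risks implied by letting them pass": every allow rule is a commitment to harden whatever is listening behind it.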
With the firewall located at such a strategic point in your network, it's no surprise to find vendors tacking on other services. Various firewalls come with authentication, VPN capabilities, URL screening, virus scanning and even integration with intrusion-detection systems. Check Point Software Technologies' FireWall-1, for example, now offers authentication services that can take advantage of Novell's NDS.

There are legitimate benefits to centralizing your VPN and firewall configurations. Your VPN traffic is probably going to go through your firewall anyway, so why not administer everything from one centralized point of control? This also gives you one less device to manage than if you bought a separate box on which to run your VPN. You do need to be careful about performance, though, because encryption can exact a high penalty on CPU resources. If you have VPNs on a 45-Mbps or higher link, consider a hardware-assist VPN card if there's one available. Check Point, Cisco Systems and NetScreen Technologies give you the option of VPN processing in hardware.

Given that a firewall is the central point of access to your network, it is also the ideal place to examine all incoming files for viruses. Vendors that support this feature integrate their products with a scanning engine from one of the major virus-detection vendors. However, this is a CPU-intensive process, and it won't scale very well. Also, users will raise response-time issues a lot sooner if you attempt to examine Web traffic for viruses, as opposed to just e-mail attachments.

Axent Technologies, Check Point and Cisco are among the vendors that have integrated intrusion-detection software into the firewall, which automatically activates filters if the software believes it has detected an intrusion. The coupling is a good idea, but this fruit's not yet ripe for picking. Intrusion detection is too immature, and incorporating it in your firewall often will lead to false alarms, and a false alarm that triggers a filter blocks legitimate traffic. For now, it's more trouble than it's worth.

Spending some of your precious IT dollars on a firewall is a given. The firewall's core functionality, which centers on filtering packets based on application (that is, service port) and IP address, is mature; most products do exactly what they say they will do. The issue is deciding what services to run on your firewall hardware besides basic packet filtering. The temptation to add services needs to be tempered with a realization that every additional service may slow down or destabilize your firewall.

Finally, know that a firewall isn't a silver bullet. Even the packets allowed onto your network by the firewall can constitute an attack.

--Peter Morrissey