Buyer's Guide: Firewalls

November 15, 1999
By Peter Morrissey

The one feature you won't find in any of the firewalls listed in our Interactive Buyer's Guide (www.networkcomputing.com/1023/1023buyers.html) is plug-and-play capability. For firewalls, it's not that easy.

Before you install--or buy--a firewall, you need to get a handle on what to keep out of your network and what to let in, without leaving your network vulnerable to attack and without breaking any of your network-based applications. As soon as traffic enters your network, you're at risk for denial-of-service attacks (at best) and compromised proprietary data (at worst). There are also trade-offs between access and convenience.

Another prerequisite is a management-approved security policy. Ultimately, management should decide--based on the advice of staff members who understand the technology--how much risk to take and how inconvenienced users can afford to be. After those decisions have been made, you're ready to look for a firewall that will effectively execute your plan.

Firewall Management
How do you translate your security policy into a firewall's configuration? If you have a very simple policy, firewall management may not be a critical feature. For example, a simple policy may let your users access the Web and e-mail, and provide a Web server of your own that can be accessed from the Internet. This presents you with some significant risks, especially from the e-mail and Web services, but you can put these behind a "demilitarized zone" (DMZ). Configuring your firewall for a simple policy like this is fairly straightforward, but it still requires some expertise.

For a complex security policy--especially one that requires frequent changes--good firewall management features are critical. Additionally, while a complex policy will require more expertise to implement, a good GUI will ease the administrative burden and make it easier to train less-skilled administrators in how to perform the more routine tasks.

Good management features also are essential if you have multiple firewalls. If you have firewalls at remote locations, remote-management capabilities are obviously important. Most firewalls offer GUI-based management--but some are easy to use while others sacrifice usability for power. Check Point Software Technologies' FireWall-1 GUI, for example, makes it easy to edit rules and add comments, providing valuable documentation explaining why a particular rule was added.

Many firewall vendors provide filtering based on time of day (Cisco Systems is one notable exception). Axent Technologies' Raptor Firewall, Check Point's FireWall-1, FreeGate Corp.'s OneGate 1000, Internet Dynamics' Conclave 2, LanOptics' Guardian and NetScreen Technologies' NetScreen all go a step further and support filters that expire at a predetermined time. If you'll be providing temporary access, such filters can be helpful because they guarantee the access expiration.
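To make the two points above concrete (translating a simple DMZ policy into an ordered rule set, and filters that expire at a predetermined time), here is an added example that is not from the article or from any of the vendors it names. It is a first-match rule evaluator in Python; the zone names, addresses (RFC 5737 documentation ranges), rule comments and the contractor rule are all constructed for illustration, and the `dmz_cannot_reach_internal` check is a hypothetical pre-deployment test, not a vendor feature.

```python
"""Added example: first-match firewall rule evaluation for the simple
three-zone policy described in the text (users get Web and e-mail, the
public reaches only the Web and mail servers in the DMZ, everything else
is dropped), with optional per-rule expiry times."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = "10.0.0.0/8"         # constructed: the private LAN
DMZ_WEB = "192.0.2.10/32"       # constructed: public Web server in the DMZ
DMZ_MAIL = "192.0.2.25/32"      # constructed: mail relay in the DMZ
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src: str                            # CIDR the source must fall in
    dst: str                            # CIDR the destination must fall in
    proto: str                          # "tcp", "udp" or "any"
    dport: Optional[int]                # None = any destination port
    comment: str                        # why the rule exists: this is your documentation
    expires: Optional[datetime] = None  # None = permanent; otherwise ignored from this time on

    def matches(self, pkt: Packet, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False  # expired filter: behaves as if it had been deleted
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def evaluate(rules, pkt: Packet, now: datetime):
    """First matching live rule wins; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.action, rule.comment
    return "deny", "implicit default deny (no rule matched)"


# Constructed policy: order matters, so read it top to bottom.
POLICY = [
    Rule("allow", INTERNAL, ANY, "tcp", 80, "users: Web"),
    Rule("allow", INTERNAL, ANY, "tcp", 443, "users: Web (SSL)"),
    Rule("allow", INTERNAL, DMZ_MAIL, "tcp", 110, "users: pick up mail from relay"),
    Rule("allow", INTERNAL, DMZ_MAIL, "tcp", 25, "users: send mail via relay"),
    Rule("allow", ANY, DMZ_MAIL, "tcp", 25, "Internet: inbound mail to relay"),
    Rule("allow", ANY, DMZ_WEB, "tcp", 80, "Internet: public Web server"),
    # Temporary access with a guaranteed end date (the expiring-filter feature).
    Rule("allow", "203.0.113.5/32", DMZ_WEB, "tcp", 22,
         "contractor shell access, change ticket <placeholder>, ends 1999-11-30",
         expires=datetime(1999, 11, 30, tzinfo=timezone.utc)),
]


def dmz_cannot_reach_internal(rules, now: datetime, ports=(25, 80, 139, 445)) -> bool:
    """Hypothetical pre-deployment check: no DMZ host may open connections
    inward, so a compromised DMZ server stays contained."""
    for host in ("192.0.2.10", "192.0.2.25"):
        for port in ports:
            action, _ = evaluate(rules, Packet(host, "10.1.2.3", "tcp", port), now)
            if action != "deny":
                return False
    return True


if __name__ == "__main__":
    now = datetime(1999, 11, 15, tzinfo=timezone.utc)
    for pkt in (Packet("10.1.2.3", "198.51.100.7", "tcp", 80),
                Packet("198.51.100.7", "192.0.2.10", "tcp", 80),
                Packet("192.0.2.10", "10.1.2.3", "tcp", 445)):
        print(pkt, "->", evaluate(POLICY, pkt, now))
    print("DMZ isolated:", dmz_cannot_reach_internal(POLICY, now))
```

The expiry is evaluated at match time rather than by deleting the rule, so the audit trail (the comment explaining why the access was granted) survives after the access itself has lapsed; that is the property the text describes as "guaranteeing the access expiration".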

Black Box vs. Software-Only
Some firewalls package hardware and software, and use proprietary OSes. This "black box" solution can be advantageous. It makes installation easier (software-only products usually require OS installation, followed by the firewall software installation). Disadvantages to the black-box approach include less scalability and reduced third-party support for complementary products, such as URL filtering, and virus detection and reporting. And if you require faster hardware somewhere down the line, you cannot redeploy the existing hardware; you'll need to purchase the vendor's next model or some other solution.

Software-based solutions often support Microsoft Windows NT as well as multiple versions of Unix. Generally, Unix versions provide better performance and more stability.

VPNs and Encryption
One of the more common and useful firewall features is VPN (virtual private network) support. You may have to pay more to take advantage of this option, but if you're planning to implement VPNs, it's worth the extra cost. VPNs provide an encrypted session between two firewalls or between a firewall and a desktop or laptop, making it possible to use the Internet with a level of privacy previously attainable only on privately leased lines. A firewall is an obvious point at which to implement VPN functionality, because at that site you're already controlling the traffic entering and leaving your network. Instead of supporting another standalone box, you can administer your VPN and firewall from the same platform.

A firewall that supports VPNs will let you determine which network conversations are encrypted, based on the IP address and applications involved. The encryption can be transport mode (transparent), meaning it only encrypts the data portion of the IP packet, or "tunnel mode," wherein the internally generated IP packet is hidden in another IP packet generated by the firewall.
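The transport-mode versus tunnel-mode distinction is easiest to see at the byte level. The following is an added example, not code from the article or from any IPsec implementation: it builds minimal IPv4 headers and an ESP header (SPI plus sequence number, the two cleartext fields ESP carries) and shows what an observer on the Internet link can read in each mode. The `toy_encrypt` function is an illustrative keystream stand-in, not ESP's real cipher, and it provides no integrity protection; real ESP also adds padding, a next-header byte and an ICV, which are omitted. All addresses are constructed documentation addresses.

```python
"""Added example: cleartext view of IPsec ESP in transport mode (original
IP header kept, only the payload protected) versus tunnel mode (whole
inner packet protected and wrapped in a new header from the firewall)."""
import hashlib
import struct
from ipaddress import ip_address

PROTO_TCP = 6
PROTO_ESP = 50
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol,
    # checksum (left 0 for the sketch), source, destination
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)


def parse_ipv4_header(pkt: bytes) -> dict:
    _, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)), "proto": proto}


def toy_encrypt(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Placeholder keystream (SHA-256 in counter mode) XORed over the data.
    Illustrative only: NOT a secure cipher and NOT what ESP uses."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def esp_wrap(key: bytes, spi: int, seq: int, inner: bytes) -> bytes:
    # ESP header: SPI (4 bytes) and sequence number (4 bytes) stay in the clear.
    return struct.pack("!II", spi, seq) + toy_encrypt(key, spi, seq, inner)


def esp_unwrap(key: bytes, body: bytes) -> bytes:
    spi, seq = struct.unpack("!II", body[:8])
    return toy_encrypt(key, spi, seq, body[8:])   # XOR keystream is symmetric


def transport_mode(key, spi, seq, src, dst, segment: bytes) -> bytes:
    """Original header kept; only the transport payload is ESP-protected."""
    body = esp_wrap(key, spi, seq, segment)
    return ipv4_header(src, dst, PROTO_ESP, len(body)) + body


def tunnel_mode(key, spi, seq, fw_src, fw_dst, src, dst, segment: bytes) -> bytes:
    """Whole inner packet (header + payload) is protected and carried inside
    a new outer packet addressed between the two firewalls."""
    inner = ipv4_header(src, dst, PROTO_TCP, len(segment)) + segment
    body = esp_wrap(key, spi, seq, inner)
    return ipv4_header(fw_src, fw_dst, PROTO_ESP, len(body)) + body


def observer_view(pkt: bytes) -> dict:
    """What someone sniffing the Internet link can read: the outer header only."""
    return parse_ipv4_header(pkt)


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed, not a real SA key
    seg = b"GET / HTTP/1.0\r\n\r\n"          # constructed TCP payload
    t = transport_mode(key, 0x1001, 1, "10.1.2.3", "10.9.8.7", seg)
    u = tunnel_mode(key, 0x1001, 1, "203.0.113.1", "198.51.100.1",
                    "10.1.2.3", "10.9.8.7", seg)
    print("transport mode, observer sees:", observer_view(t))
    print("tunnel mode, observer sees:   ", observer_view(u))
    print("tunnel-mode overhead (bytes): ", len(u) - len(t))
```

In transport mode the observer still learns which two hosts are talking; in tunnel mode only the two firewall addresses are visible and the inner addresses come back only after `esp_unwrap`. The extra 20-byte inner header is also the overhead you pay on every packet for that hiding.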

A disadvantage associated with running a VPN on a firewall is that encryption is very CPU-intensive and could have a detrimental impact on response time if you're not careful. By implementing a VPN in a standalone box, you off-load this processing. Your firewall vendor should provide some guidelines--for example, data rates that can be handled with DES as opposed to 3DES. This information can help you scale your hardware. If your firewall is serving a high-speed connection, such as T3 or Fast Ethernet, there's a good chance it won't be able to handle the VPN tasks in software. Some vendors will use hardware cards to off-load this process. If you plan to implement high-speed VPNs, target vendors that provide this option, such as Cisco and Check Point.

The IPsec (IP security) standard governs how keys are exchanged and how encryption is set up in VPN environments. Most vendors that do encryption will support IPsec in their products. However, there is no guarantee that IPsec implementations will interoperate, so test a multivendor IPsec implementation before you commit to it.

The ICSA (International Computer Security Association) certifies the interoperability of IPsec implementations. Its Web site (www.ncsa.net) includes a list of vendors that have certified VPN products.

Above and Beyond the Call
Many firewalls also can scan for viruses. Usually the firewall transfers data to a third-party product, which scans incoming SMTP mail, and sometimes FTP and Web traffic, for viruses. This approach is more centralized than, say, a desktop virus scanner, and may be more effective. But it may not scale well.

Virus scanning can consume a lot of CPU, so consider that implication, especially on a network with high-volume traffic. Slowdowns may go unnoticed with a store-and-forward application, such as SMTP mail, but any sluggishness in a real-time app, such as Web access, will be noticed.

Many firewalls also can monitor internal users' Web use by examining URL access based on Web-site categories provided by a third party. This feature lets you set up filters that determine which categories of Web sites can be accessed. No direct security benefits are gained from this feature, but it's often used to ensure that employees don't waste time at unproductive Web sites, and to prevent bandwidth from being wasted. An indirect security benefit is that sites more likely to contain viruses may become inaccessible.

The more features you activate on your firewall, the more of a performance hit your network will take. More important, the software becomes more complex, adding the potential for bugs that could crash the firewall. We recommend testing one feature at a time before activating the next feature. And we strongly recommend avoiding integration with intrusion-detection software, which scans your traffic for patterns that indicate possible attacks. While it may be fine to run intrusion detection as a standalone product, it is far from an exact science, and it issues lots of false alarms that must be investigated and verified.

Peter Morrissey is a network systems programmer at Syracuse University and a Network Computing contributing editor. Send your comments on this article to him at ppmorris@syr.edu.
