For our purposes here, a small office is one with public-facing servers, internal servers, and wireless and wired workstations. Sound security practices for this setup require at least three networks because the internal servers and workstations can share the same network. This configuration rules out using most broadband routers for the firewall. Instead, the small business needs a firewall system with four interfaces: one facing the Internet, one for the external systems, one for the wireless workstations and one for the internal systems.

Takes More Than Two

Not surprisingly, the standard low-end firewall configuration has just two interfaces, short-changing a good security posture for small businesses. Perhaps small businesses look for the cheapest solutions, based on what they are told is adequate for their needs. A broadband router or an $80 box as the firewall is financially attractive, after all.

But Internet gateways are ill-conceived for providing security services. They must be upgraded cautiously; a mishap could disable Internet access, which may be needed for other gateway updates to get the connection working again. And updates occur frequently: New threats against firewalls are constant. Is your Internet gateway maintained through a Web front end? Is it current against the attacks aimed at Web servers? Is it maintained by your ISP, and thus only the ISP can adjust any firewall rules?

The single protected network is, perhaps, a greater limitation, as we have always known the risks inherent in placing external and internal servers on the same network. Even if the firewall will support separate rules for the external servers and the internal systems, if an external server is compromised, the internal network is open to attack. In addition, a wealth of information now shows that wireless 802.11-based systems put your network at real risk, which can best be mitigated by placing the wireless systems on a separate, firewalled network.

There is a certain attraction to using three two-interfaced firewalls. If the upgrade on one fails, you're not completely out of business, and you probably can use the wireless firewall as your upgrade test unit. But management of three units has its own perils.

Small businesses present a risk to the entire Internet; therefore, it behooves even the largest business to recognize the value of good security practices for the small business (which may be your business partner). These sites need sound security practices and soundly constructed firewalls that are not hamstrung on simple networking assumptions.