Firewalls play a critical role in solving the very difficult problem of allowing access to data that needs to be shared, while providing safeguards for data that needs protection. This is further complicated by the fact that a skilled hacker can drive a wedge into a small opening, taking advantage of vulnerabilities in networks, as well as in hosts.
For this reason, "that which is not expressly permitted is denied," rather than "that which is not expressly prohibited is allowed," is the best philosophy on which to build a strategy for protecting your network. With this approach, you begin with no access. Then, as need is demonstrated, you systematically provide the smallest opening required while having a good understanding of the risks added with each opening.
First, a Strategy
Some of the firewalls listed in the accompanying charts provide pleasant graphical interfaces that attempt to make this task as painless as possible. Although graphical interfaces can be very helpful in easing the additional administrative burden a firewall can add, do not allow yourself to be seduced into thinking that network security is a simple point-and-click operation. On the contrary, allowing access to your network without compromising its integrity requires a thorough understanding of network protocols, Internet applications and host operating systems. The more hosts you have, the more difficult this becomes, and the more reliant you may be on your firewall.
A larger organization could have a team of individuals who understand the issues involved. Many companies even have positions dedicated solely to network security. If you don't have the resources in your organization to effectively grapple with this issue, then you need to find another way to cover all the bases. For instance, you may hire a consultant to provide these services. In some cases, a value-added reseller that markets firewalls will be able to provide assistance. But there are no guarantees that the outsourcer is qualified to do the job. You will want to check references carefully before you entrust the security of your network to a third party. You might be better off working with a well-known firewall vendor that provides security services or a systems integrator.
But no matter who installs your firewall, you will need to define the parameters for access. For example, do you want to allow your employees to telnet out to the Internet, or do you want individuals on the Internet to be able to telnet into your organization? A good firewall will allow you to control all Internet and network services, even to the point of determining access (in and out of your network) based on a combination of the application and the IP address of the internal or external host.
The more access you add, however, the greater your risks. A good firewall will let you add access while minimizing risks. But you will need to have a handle on the vulnerabilities of the hosts with which you're dealing. Although a firewall can limit these vulnerabilities, you'll want to shore up defenses on both fronts.
Additionally, you should have a security policy in place that addresses the manner in which you will implement safeguards, as well as other issues such as the use of passwords and dial-up modems. A great firewall in place at your Internet connection point won't help a bit if someone bypasses it by dialing into your network.
Basically, securing your network comes down to determining how much cost you want to incur to minimize the risks. Aside from the financial costs, there's also the inconvenience that can result when additional restrictions and safeguards are applied. Deciding how much access to provide and the ensuing level of costs to be endured should be addressed from the top down.
First, management will have to sign off on a security policy that will determine how much security should be provided. Sometimes this requires a great deal of education from technical personnel regarding the risks involved and what can be done to address them. Some of the measures you can take to decrease risk will require compromises in freedom and access. This is another reason you'll want to make sure that there are policies in place that came down from the top. This way, when the inevitable challenges come, you won't be caught in the middle.
The Proof Is in the Pudding
One of the more inconvenient, yet effective features offered by some firewalls is authentication. This capability will force a user login and password every time someone attempts to access a service on the other side of the firewall. The login can be secured even further through the use of one-time password schemes. You can control the level of access by time of day, and in some cases, by day of the week as well. Time-of-day access also can be applied in other ways.
You can, for example, limit access to some or all of your services to business hours. One benefit here is there's less time available for hackers to exploit vulnerabilities. It may also put you in a better position to monitor for suspicious activities during those limited hours, since you'll be more readily available.
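The three ideas above fit together into one mechanism: a default-deny rule base ("that which is not expressly permitted is denied"), explicit permits keyed on direction, application and host address, and an optional time-of-day window per permit. The following Python evaluator is an added illustration of that mechanism, not code from the article or from any firewall product it surveys. The internal address space, mail server address, business-hours window and sample access attempts are all constructed values.

```python
"""Default-deny access policy evaluator (added illustration, not from the article).

Start with no access, then add the smallest explicit opening needed, keyed on
direction, application (service), source/destination host and, optionally, a
time-of-day window.  Networks, hosts and hours below are constructed samples.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One access attempt to be checked against the policy."""
    direction: str      # "in" (Internet -> us) or "out" (us -> Internet)
    service: str        # application name, e.g. "telnet", "smtp"
    src_ip: str
    dst_ip: str
    at: time            # wall-clock time of the attempt


def _in_window(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end); a window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass(frozen=True)
class Rule:
    """One explicit permit.  Anything matched by no Rule is denied."""
    direction: str
    service: str
    src: str                                   # CIDR the source must fall in
    dst: str                                   # CIDR the destination must fall in
    hours: Optional[Tuple[time, time]] = None  # (start, end); None = any time

    def matches(self, req: Request) -> bool:
        if req.direction != self.direction or req.service != self.service:
            return False
        if ip_address(req.src_ip) not in ip_network(self.src):
            return False
        if ip_address(req.dst_ip) not in ip_network(self.dst):
            return False
        return self.hours is None or _in_window(req.at, *self.hours)


class DefaultDenyPolicy:
    """'That which is not expressly permitted is denied.'"""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request) -> Tuple[bool, Optional[Rule]]:
        """Return (permitted, matching rule); no match means (False, None)."""
        for rule in self.rules:
            if rule.matches(req):
                return True, rule
        return False, None

    def permits(self, req: Request) -> bool:
        return self.decide(req)[0]


# --- constructed sample policy (assumed values) ---------------------------
INTERNAL = "10.0.0.0/8"        # assumed internal address space
ANYWHERE = "0.0.0.0/0"
MAIL_HOST = "10.0.0.25/32"     # assumed mail server
BUSINESS_HOURS = (time(8, 0), time(18, 0))

POLICY = DefaultDenyPolicy([
    # Employees may telnet out, but only during business hours.
    Rule("out", "telnet", INTERNAL, ANYWHERE, BUSINESS_HOURS),
    # Inbound mail may reach the mail server at any hour.
    Rule("in", "smtp", ANYWHERE, MAIL_HOST),
    # No rule permits inbound telnet, so it is denied without being listed.
])


def check(direction: str, service: str, src_ip: str, dst_ip: str,
          hh: int, mm: int) -> bool:
    """Is this access attempt permitted by POLICY?"""
    return POLICY.permits(Request(direction, service, src_ip, dst_ip, time(hh, mm)))


if __name__ == "__main__":
    for args in [("out", "telnet", "10.1.2.3", "192.0.2.10", 10, 0),
                 ("out", "telnet", "10.1.2.3", "192.0.2.10", 22, 0),
                 ("in", "telnet", "192.0.2.10", "10.1.2.3", 10, 0),
                 ("in", "smtp", "192.0.2.10", "10.0.0.25", 3, 0),
                 ("in", "smtp", "192.0.2.10", "10.0.0.26", 3, 0)]:
        print(args, "PERMIT" if check(*args) else "DENY")
```

The important property is in `DefaultDenyPolicy.decide`: the only way to get a permit is to match an explicit rule, so every opening is visible in the rule list and can be reviewed against the risk it adds. Narrowing a rule (a /32 instead of a /8, a business-hours window instead of `None`) shrinks the opening without touching anything else.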