Turning Up The Heat On SOHO Firewalls


By Mike Fratto

The way we do business is changing and network requirements are changing along with it. As organizations try to cut costs while maintaining a competitive advantage, the trend has been to move staff into remote offices that are closer to the customer. As a result, daily communication with a remote staff has become a top priority. One solution is to leverage Internet connections. If you have connections to the Internet, connecting remote offices to local ISPs using the Internet as a backbone is a good move.

An alternative is a dedicated ISDN link. Moving from modem connections and 56-Kbps circuits to ISDN makes sense because of ISDN's lower cost--the price for ISDN BRI/PRI links is dropping in many areas of the country--and better performance. Remember, though, that every connection is a potential point of entry for intruders. And while you're looking over your shoulder, be aware that you can't discount the threat of the inside job. So, you must take action to secure remote sites from outside attacks and from acting as a back door into your central site.

One weapon at your disposal is the SOHO (small office/home office) firewall. However, it may be difficult to determine the appropriate features that integrate and complement your security and remote-connectivity strategy. SOHO firewalls run the gamut from small ISDN BRI routers with packet filtering to full-blown WAN routers with up to four T1/ISDN links and a host of security features. Note, though, that SOHO security isn't all high-technology and fat WAN pipes. Thorough reporting and alerting, adequate security features to fit your needs and system integration also should play an important role in your decision.

Staying Informed

When looking at securing your enterprise, you should concentrate on keeping intruders out and, if intruders get in, limiting their access to other network resources. Toward this end, you need tools that report and log security events, two key elements in maintaining a secure environment. Without these, you're essentially running blind.

However, while enterprise-scale firewalls have excellent logging facilities, SOHO devices tend to lack robust security event logging and reporting. And the amount of reporting available in terms of historical logs and real-time alerting will largely determine how well you can lock down your network.

The four basic types of logging are SNMP traps, syslog, local logging to a text file and console logging. SNMP and syslog send log information to a network host, which provides more centralized reporting and historical analysis.

Many SOHO firewall devices claim to log via SNMP traps, but they typically log only security events, such as user authentication. Denial of service attacks, IP spoofing and other attempts at breaching security aren't reported via SNMP, but they can be logged through other mechanisms.

Logging via an external syslog utility is common and gives vendors a simple way to integrate logging into an existing network. Syslog is common on all Unix hosts, and a number of Windows 95 and NT syslog programs are available. Local logs kept on the SOHO firewall wrap around--replacing the oldest entries as needed--when the log becomes full. Logging on the firewall is useful for real-time troubleshooting, but getting the information off the firewall for historical analysis is difficult.

If security logging can't be captured to an external file, you'll have a difficult time managing your security. No level of automated filtering can take the place of log analysis done by administrators because concentrated attacks take place over time. Port scanning is fairly nonintrusive, but it still yields valuable information about would-be hackers. To catch a port scan in progress, you'll need to trap that information and be on the console as it's happening.

Some vendors offer products that log security events to a telnet console. They'll tell you to leave a telnet session running and capture the screen to a local file. While this kludge does provide logging of a sort, it also leaves that management session open to anyone with access to the workstation running the telnet client. It also could result in having the telnet session disconnected in a denial-of-service attack.

Security alerting--notifying you of attack via pager, e-mail or on the console--provides 24x7 notification of events that might indicate an attack in progress. Hackers typically attack when the office is closed and the attack would go unnoticed. A SOHO firewall with alerting features lets you take swift action in the event of a potential attack. For example, multiple connection attempts with bad user name or password pairs may indicate an attack on the firewall itself--something you'd want to know about immediately.

Likewise, security alerting is essential when dealing with denial-of-service attacks. These attacks can devastate connectivity by sucking up resources from legitimate users. Without security alerting, discovering these attacks and restoring connectivity leaves your network vulnerable or inoperable until the attack is found and halted.
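The alerting case described above--repeated logins with bad user name or password pairs--is straightforward to automate once the firewall ships its events to a syslog host. The following is an added example, not code from the article or from any vendor's product: it parses constructed syslog lines in an assumed format (the "auth: login failed user=... src=..." shape is an assumption, not a real device's output) and raises one alert per source that exceeds a threshold of failures inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines; the message format is an assumption made
# for this example and does not correspond to any particular firewall.
SAMPLE_LOG = """\
Mar 16 02:14:01 soho-fw auth: login failed user=admin src=198.51.100.7
Mar 16 02:14:03 soho-fw auth: login failed user=root src=198.51.100.7
Mar 16 02:14:05 soho-fw auth: login failed user=admin src=198.51.100.7
Mar 16 02:14:06 soho-fw auth: login failed user=guest src=198.51.100.7
Mar 16 02:20:30 soho-fw auth: login ok user=mfratto src=10.1.1.20
Mar 16 02:45:10 soho-fw auth: login failed user=admin src=10.1.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line, year=2010):
    """Return (timestamp, result, user, src) or None for unrelated lines.
    Classic syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (src, first_failure_ts, count) for every source address that
    reaches `threshold` failed logins inside a sliding `window`.  Only the
    first crossing per source is reported, so a paged admin is not flooded."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "failed":
            continue
        ts, _result, _user, src = rec
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, q[0], len(q)))
            alerted.add(src)
    return alerts
```

The single failure from 10.1.1.20 never reaches the threshold, so only the burst from 198.51.100.7 is reported; the alert tuple is what you would hand to a pager or e-mail hook.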

Finding the Right Fit

The more features available on your firewall, the more implementation options available to you and the more robust security for your organization becomes. But more features alone don't translate into more security; your level of security is determined by your security policy (what you want to secure and why). Your security policy should dictate which features you need in a firewall right now and help you to anticipate what you'll need tomorrow.

Your security policy could be as simple as allowing only outbound connections from SOHO offices to the corporate network. In this case, you would need only minimal features to implement the policy--block all inbound traffic and only allow traffic out to the corporate network. However, most security policies are a bit more complex. For more details on which firewall technology will support your security policy see "A Primer on Firewall Technologies" on page 112.

For the most flexibility in setting up security, look for SOHO firewall devices that let you build custom filters by examining specified fields in the IP header. For example, you can filter packets on TCP addresses, but for finer-grain control you could filter by protocol. Many SOHO ISDN routers only route IP while other protocols, such as IPX and AppleTalk, are bridged. The ability to filter bridged protocols can enhance your security by providing control over all LAN protocols.

Once your security policy is in place and the requisite firewall features are identified, you can begin building a rules base according to the level of rules support you need. A rules base establishes control for access to services across the firewall. Basic packet filters compare the IP address and TCP port number of IP traffic against the firewall rules and pass acceptable traffic.

Be aware that some lower-end SOHO firewalls have memory constraints that limit the number of rules that can be created. However, the way in which these limits manifest themselves varies from device to device. For example, a limit of 16 rules may be applied to each interface. For the simplest SOHO firewall, that means a fixed set of rules on each BRI link and the Ethernet port. For a SOHO site that only needs to connect back to the corporate network, this simple device might be sufficient, but it leaves very little room for future expansion. On the other hand, if the SOHO site will be connecting to several sites or have connections coming to it from the Internet, then the rules base can quickly become too complicated to adequately secure your network while still correctly passing authorized traffic.
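To make the rules-base discussion concrete, here is an added example (not code from the article or any vendor) of a basic packet filter of the kind described: rules match on protocol, source and destination address and TCP port, are evaluated first-match with a default deny, and each interface has a fixed budget of 16 rules as in the device cited above. It encodes the simple policy from earlier in the text, outbound from the SOHO LAN to the corporate network only, with everything inbound blocked; the interface names "eth0" and "bri0" and the prefixes 192.168.1.0/24 and 10.0.0.0/8 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_RULES_PER_INTERFACE = 16   # per-interface limit cited in the article

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # CIDR source, "0.0.0.0/0" for any
    dst: str                      # CIDR destination
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        """pkt is a dict with keys proto, src, dst, dport."""
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

class RulesBase:
    """First-match packet filter with a fixed rule budget per interface."""
    def __init__(self):
        self.by_interface = {}

    def add(self, iface, rule):
        rules = self.by_interface.setdefault(iface, [])
        if len(rules) >= MAX_RULES_PER_INTERFACE:
            raise ValueError(f"{iface}: limit of {MAX_RULES_PER_INTERFACE} rules reached")
        rules.append(rule)

    def decide(self, iface, pkt):
        """Return the action of the first rule matching pkt on iface."""
        for rule in self.by_interface.get(iface, []):
            if rule.matches(pkt):
                return rule.action
        return "deny"   # nothing matched: default deny

def build_soho_policy():
    """The simple policy from the text: LAN hosts may only talk to the
    corporate network (assumed 10.0.0.0/8); all inbound traffic arriving
    on the ISDN side is blocked.  Names and prefixes are assumptions."""
    rb = RulesBase()
    rb.add("eth0", Rule("permit", "any", "192.168.1.0/24", "10.0.0.0/8"))
    rb.add("eth0", Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"))
    rb.add("bri0", Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"))
    return rb
```

Because these rules are stateless, the blanket deny on bri0 would also drop return packets for the permitted outbound sessions; a real device needs either an explicit return-traffic rule or stateful inspection, which is where the rule budget starts to bite.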

Some vendors have solved the complexity of multiple connections by letting you create profiles with distinctive firewall configurations. The firewall becomes a dynamic security tool, changing to meet various security needs. Management of the rules base also becomes much easier because you change the rules for one profile at a time instead of for the entire firewall. In the case of the SOHO making a connection to the central site, the connection is made over ISDN and the firewall rules set is applied to the traffic passing between the central site and the SOHO. Once that connection is terminated, the profile is removed. A connection to a different site will apply a different profile. If users make connections to the SOHO firewall, the incoming connection will have a profile applied to it as well.

If you plan to host services to the enterprise or the Internet, look for devices that offer a DMZ (demilitarized zone). A separate interface where public hosts can be placed, the DMZ lets you grant public access to hardened hosts, without opening access to the internal network (see "Firewall DMZ" at right). Because hosting services requires a direct connection to the Internet or corporate network, DMZs usually are not used for dial-on-demand SOHO firewalls.

