Network Computing, powered by the InformationWeek Business Technology Network

Turning Up The Heat On SOHO Firewalls

System Integration

System integration depends on integrating the firewall into your existing network infrastructure. Choosing between the single-vendor and the best-of-breed approach is a tough one because there are advantages to both. Single-vendor systems are central-site routers and SOHO firewalls from the same vendor that let you take advantage of proprietary features and provide a common management system. The best-of-breed solution lets you tailor your firewall strategy to suit your specific needs. However, this approach may be harder to integrate and doesn't provide common management.

Vendors such as Ascend Communications and 3Com Corp. offer complete lines of security products that connect the SOHO to the central site. Leveraging a common security strategy, these products are combined in building-block fashion to fit specific WAN-access and security needs. Lower-end firewalls with modem or BRI interfaces connect to high-end central-site routers offering multiple PRI interfaces.

Single-vendor solutions provide advanced features, such as encryption and virtual private networking. Encrypting data across the LAN or WAN typically requires a single-vendor solution on both ends of the link because no standards exist for negotiating the algorithms. (This reflects the pre-IPsec era; IKE later standardized algorithm negotiation between vendors, so interoperability should be verified rather than assumed either way.) The higher-priced (more than $3,000) SOHO firewall devices already offer data encryption between the firewalls and, with the vendor's proprietary client, data encryption for the remote user as well.

From an administrative view, single-vendor solutions offer common centralized management consoles for tying together your firewall solutions and integrating them into the larger enterprise network. Various aspects of the firewall's security can be managed alongside tasks such as access control lists and routing and filtering configurations. Firewall configurations in single-vendor solutions can be centrally managed by copying configuration files to multiple firewalls with minimal customization. Multiple systems remotely managed through a single console give you direct control over your firewalls regardless of their location on the network.

Best-of-breed solutions let you tailor your remote network security needs without relying on a single vendor. The advantage here lies in the ability to get the appropriate features into the SOHO at more competitive pricing. For example, sites with direct T1/PRI connections may need data encryption or VPN to the central site. These features require more sophisticated management and reporting functionality and generally cost more to implement. Smaller SOHOs may require only packet filtering on modem links or ISDN BRI; the management requirements here are fewer and the devices will cost less as a result. While common product lines provide similar options, you may realize significant cost breaks of up to $500 per unit with best-of-breed solutions.

The downsides to best-of-breed solutions include multiple management interfaces and differing capabilities among the firewalls, both of which complicate your efforts at setting up a consistently secure environment. Learning multiple management consoles, the inability to copy one configuration to many sites and the loss of proprietary features may outweigh the advantages of best of breed.

On the bright side, common management platforms are available for centralized management in a multivendor environment, such as Check Point Software's Open Platform for Secure Enterprise Connectivity (OPSEC) initiative. Security on routers and firewalls from numerous vendors is managed through the common management application. However, you must license the management product and ensure that your firewalls are supported. And technical support may be complicated when a problem spans two vendors' products.

The key point with best-of-breed solutions is to know what you're securing. Be sure administrators thoroughly understand the security issues and the products, and weigh the advantages of a multivendor environment against the risk (cost) of a compromised system.

Mike Fratto can be reached at mfratto@nwc.com.




A Primer On Firewall Technologies
Security methods employed by SOHO (small office/home office) devices vary and understanding the differences is essential to making good purchasing decisions. If you don't know what's available, you may end up paying for less than adequate security. Here are the most common security methods in use:

· Packet Filtering
Packet filtering examines each packet passing through the firewall and, based on a rule set, blocks it or passes it along. Most packet filters base decisions on source and destination IP addresses and port numbers. Some of the more sophisticated packet filters track connections and can handle complex protocols such as FTP, which uses two separate TCP connections (a control connection and a data connection) to transfer files. Some SOHO firewalls also offer further packet-filter customization based on other fields in the IP header, such as the protocol field.

· Stateful Inspection
Stateful inspection is packet filtering on steroids. All connections are tracked and the pertinent information (addresses, ports and connection state) is held in a state table in memory. Virtually the entire packet, both header and data, is available for inspection by the firewall. The advantage of stateful inspection over ordinary packet filtering is that the firewall can deny all unsolicited inbound traffic by default and then dynamically permit only the return packets that belong to connections initiated from the inside; a stateless filter has to leave a standing hole (for example, "allow inbound from source port 80") that anyone can send through. This makes it practical to manage services that use port numbers above 1,023, such as PPTP and X Window, without a permanent open port. Stateful inspection firewalls also provide advanced features, such as TCP sequence number randomization and UDP (User Datagram Protocol) filtering based on tracked request/reply pairs, which a stateless filter cannot do because UDP has no connection setup to match on.
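The behaviour described under Packet Filtering and Stateful Inspection above, as an added example that is not part of the article or any vendor's product: a plain first-match packet filter, a stateful filter that admits only packets of connections it saw open, and the active-mode FTP case where the PORT command on the control channel announces the inbound data connection. The Packet and Rule classes, the prefix-string address matching, the addresses and the rule sets are all constructed for illustration.

```python
"""Stateless packet filtering versus stateful inspection, run on constructed packets.
Added example with simplified address matching and FTP handling, not a real product."""
from dataclasses import dataclass
from typing import Optional

INTERNAL = "192.168.1."  # constructed: the SOHO's private LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False        # TCP SYN without ACK, i.e. a new connection attempt
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # "any" or an address prefix such as "192.168.1."
    dst: str = "any"
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or addr.startswith(pattern)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


def stateless_filter(rules, pkt: Packet) -> str:
    """Plain packet filter: first matching rule wins, implicit final rule is deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Keeps a table of connections it saw open and admits only their packets,
    plus data connections that an FTP control channel announced in advance."""

    def __init__(self, rules_out, rules_in):
        self.rules = {"out": rules_out, "in": rules_in}
        self.flows = set()     # 5-tuples of connections allowed through
        self.expected = set()  # 5-tuples of inbound FTP data connections to accept once

    def filter(self, pkt: Packet, direction: str) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:   # packet of a tracked connection
            self._track_ftp(pkt, direction)
            return "allow"
        if fwd in self.expected:                     # data connection FTP told us about
            self.expected.discard(fwd)
            self.flows.add(fwd)
            return "allow"
        if pkt.proto == "tcp" and not pkt.syn:       # segment of a connection never opened
            return "deny"
        action = stateless_filter(self.rules[direction], pkt)
        if action == "allow":
            self.flows.add(fwd)
        return action

    def _track_ftp(self, pkt: Packet, direction: str) -> None:
        """Active-mode FTP: the client sends 'PORT a,b,c,d,p1,p2' on the control
        channel; the server then connects from port 20 to a.b.c.d:(p1*256+p2)."""
        if direction != "out" or pkt.dport != 21 or not pkt.payload.startswith(b"PORT "):
            return
        parts = pkt.payload[5:].strip().split(b",")
        if len(parts) != 6:
            return
        host = ".".join(p.decode() for p in parts[:4])
        port = int(parts[4]) * 256 + int(parts[5])
        self.expected.add(("tcp", pkt.dst, 20, host, port))


def demo() -> dict:
    # Stateless rule set that lets web replies back in by trusting source port 80.
    rules_in = [Rule("allow", dst=INTERNAL, sport=80)]
    rules_out = [Rule("allow", src=INTERNAL)]
    # Constructed attack: outsider sets source port 80 to reach an internal telnet port.
    attack = Packet("203.0.113.9", 80, "192.168.1.10", 23, syn=True)
    fw = StatefulFirewall(rules_out, [])  # stateful: no inbound allow rules at all
    results = {"stateless_attack": stateless_filter(rules_in, attack),
               "stateful_attack": fw.filter(attack, "in")}
    # Normal browsing: the outbound SYN opens a flow; the reply is admitted as return traffic.
    fw.filter(Packet("192.168.1.10", 40000, "198.51.100.5", 80, syn=True), "out")
    results["reply"] = fw.filter(Packet("198.51.100.5", 80, "192.168.1.10", 40000), "in")
    # Active FTP: PORT on the control channel opens a one-shot hole for the data connection.
    fw.filter(Packet("192.168.1.10", 40001, "198.51.100.7", 21, syn=True), "out")
    fw.filter(Packet("192.168.1.10", 40001, "198.51.100.7", 21,
                     payload=b"PORT 192,168,1,10,156,70\r\n"), "out")
    results["ftp_data"] = fw.filter(Packet("198.51.100.7", 20, "192.168.1.10", 40006, syn=True), "in")
    results["stray"] = fw.filter(Packet("198.51.100.7", 20, "192.168.1.10", 1234, syn=True), "in")
    return results
```

Calling demo() shows the difference in one run: the stateless rule set passes the crafted source-port-80 packet to telnet, the stateful firewall denies it because no inside host opened that connection, yet the same stateful firewall still admits the web reply and the announced FTP data connection while dropping an unannounced one from the same server.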

· Circuit-Level Proxies
Proxies are applications that run on the firewall and separate the internal network from the external network. The proxy accepts connections from either side and, if the connection is permitted, makes a second connection to the destination host on the other side. The client attempting the connection is never directly connected to the destination. Circuit-level proxies (SOCKS is the common example) relay TCP connections at the session layer without understanding the protocol being carried; application-level proxies operate at the application layer of the OSI stack and understand the protocol itself (HTTP, FTP, SMTP). Proxies offer higher security value because application-layer data, such as authentication and encryption types, can be used to pass or block connections. However, proxies also are more processor-intensive, are susceptible to poor performance and require client software that is proxy-aware or configured to use the proxy.

· Network Address Translation (NAT)
On its own, NAT is not a security method. NAT hides the internal network addressing from the external network and lets hosts on private IP networks communicate with hosts on public networks. If you configure NAT with static address mapping, intruders can discover the mapped addresses and attack those hosts as if no firewall were in place. NAT devices do provide a basic filtering effect as a side-effect of the translation: a NAT device can simply deny all connection requests coming from the outside and translate only for connections initiated by internal hosts, allocating a public address and port for each one and admitting inbound packets only when they match an existing translation. Many NAT devices also allow static IP translation so that internal hosts can be made publicly available. However, restricting who can reach those hosts requires packet filtering in addition to the translation.
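The NAT behaviour described above, as an added example that is not from the article or any vendor's product: outbound connections get a translated public port and a mapping keyed to the remote peer, unsolicited inbound packets are dropped, and a static mapping that publishes an internal web server is reachable by anyone until a source filter is placed in front of it. The NatDevice class, the sequential port allocation (real devices may randomize) and all addresses are constructed for illustration.

```python
"""NAT on constructed packets: port translation for outbound connections, static
mapping for a published server, and why the static mapping still needs a filter.
Added example with simplified behaviour, not any vendor's implementation."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatDevice:
    def __init__(self, public_ip: str, static_map=None, allowed_sources=None):
        self.public_ip = public_ip
        # public port -> (internal ip, internal port): hosts deliberately published
        self.static = dict(static_map or {})
        # source prefixes allowed to reach static mappings; None means no filtering
        self.allowed = allowed_sources
        # public port -> (inside ip, inside port, remote ip, remote port) for
        # connections initiated from the inside
        self.dynamic = {}
        self.next_port = 1024  # constructed: sequential here, real devices may randomize

    def _allocate_port(self) -> int:
        while self.next_port in self.dynamic or self.next_port in self.static:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside-to-outside packet, creating a mapping on first use."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = next((p for p, v in self.dynamic.items() if v == key), None)
        if port is None:
            port = self._allocate_port()
            self.dynamic[port] = key
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside-to-inside packet, or return None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.dynamic.get(pkt.dport)
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            if (pkt.src, pkt.sport) != (remote_ip, remote_port):
                return None  # someone other than the peer probing a mapped port
            return replace(pkt, dst=inside_ip, dport=inside_port)
        if pkt.dport in self.static:
            if self.allowed is not None and not any(pkt.src.startswith(a) for a in self.allowed):
                return None  # packet filter in front of the published host
            inside_ip, inside_port = self.static[pkt.dport]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        return None  # unsolicited connection request from the outside


def demo() -> dict:
    public = "203.0.113.1"
    web = {80: ("192.168.1.20", 80)}  # constructed: internal web server published on port 80
    nat = NatDevice(public, static_map=web)
    out = nat.outbound(Packet("192.168.1.10", 40000, "198.51.100.5", 80))
    r = {"out": out}
    r["reply"] = nat.inbound(Packet("198.51.100.5", 80, public, out.sport))
    r["hijack"] = nat.inbound(Packet("203.0.113.9", 4444, public, out.sport))
    r["scan"] = nat.inbound(Packet("203.0.113.9", 4444, public, 5555))
    r["open_web"] = nat.inbound(Packet("203.0.113.9", 4444, public, 80))
    filtered = NatDevice(public, static_map=web, allowed_sources=["198.51.100."])
    r["blocked_web"] = filtered.inbound(Packet("203.0.113.9", 4444, public, 80))
    r["allowed_web"] = filtered.inbound(Packet("198.51.100.5", 4444, public, 80))
    return r
```

Keying the dynamic mapping on the remote peer as well as the public port is what makes the "deny everything from outside" property hold: a third party that guesses the allocated port is still dropped. The static mapping has no such state, so without allowed_sources the published server answers to any address, which is the "as if no firewall were in place" case the text warns about.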







Copyright © 2009 United Business Media LLC