FDAnews
www.fdanews.com/articles/77928-firewall-selection-requires-clear-understanding-of-requirements

Firewall Selection Requires Clear Understanding of Requirements

July 18, 2006

It is important to know the details of what your firewall needs to accomplish, says consultant Mike Chapple in a white paper sponsored by Villanova University.

Before choosing a firewall, he advises considering the following questions:

Why are you implementing a firewall? The answer is not "because we need one," he says. Instead, you should take the time to define the technical objectives. There's no need for an expensive, feature-rich firewall that's complicated to administer if your technical requirements can be met by a simpler product.

How will the firewall fit into your network topology? For example, will the firewall sit at the perimeter of your corporate network and be directly connected to the internet, or will it serve to segment a sensitive local area network from the remainder of the system? How much traffic will it process? How many interfaces will it require? Performance requirements like these account for much of the cost you'll pay for a system, so don't overdo it, he says.

What type of traffic inspection do you need to perform? While different vendors use different buzzwords to describe this area, Chapple says it boils down to three basic options (in order of increasing cost and complexity): packet-filtering, stateful-inspection and application-proxy.

Is your organization better suited for an appliance or a software solution? Appliances have the advantage of being much easier to install. Normally you just plug in the appropriate Ethernet cables, perform some basic network configuration and configure your firewall rules. But software firewalls "can be tricky to install and require tweaking," he says. They also lack the security often built into firewall appliances. The tradeoff: Appliances are more expensive.

What operating system is best for your requirements? Even appliances run an operating system and, chances are, according to Chapple, you'll need to work with one at some point in your firewall administration career. But before moving forward, have a clear understanding of your own team's strengths and weaknesses. "If you're a Linux jockey, you probably don't want to choose a Windows-based firewall," he says. "On the other hand, if you don't know /dev/null from /var/log, you probably want to steer clear of Unix-based solutions."
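The difference between the first two inspection options Chapple lists, packet filtering and stateful inspection, is easiest to see in code. The following is an added example written for this article, not code from Chapple's white paper or the article itself. It models one policy ("internal hosts may open HTTPS to the outside") two ways: a stateless packet filter, which must admit any inbound packet with source port 443 in order to let replies through, and a stateful filter, which records connections opened from the inside and admits only matching replies. The packet model, addresses and the `stateless_allow`/`StatefulFirewall` names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Set, Tuple


# Constructed packet model: only the header fields a filter looks at.
# "inbound" means the packet arrives from the untrusted side of the firewall.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool


def stateless_allow(pkt: Packet) -> bool:
    """Packet-filtering rule set: each packet is judged on its own headers.

    Policy: internal hosts may open HTTPS (TCP/443) to the outside. A
    stateless filter cannot tell a reply from an unsolicited packet, so the
    only way to admit HTTPS replies is a blanket rule for inbound traffic
    whose *source* port is 443, whatever the destination port is.
    """
    if not pkt.inbound and pkt.dport == 443:
        return True
    if pkt.inbound and pkt.sport == 443:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: remembers connections opened from the inside and
    admits inbound packets only when they match an entry in that table."""

    def __init__(self) -> None:
        # (internal host, internal port, external host, external port)
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound and pkt.dport == 443:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.inbound:
            # A reply has the internal side as its destination, so flip the tuple.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def compare_filters() -> dict:
    """Run one constructed HTTPS exchange plus one unsolicited inbound packet
    through both filters; returns {filter name: [decision per packet]}."""
    # Constructed addresses from RFC 1918 and documentation ranges.
    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443, inbound=False)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, inbound=True)
    # Inbound packet nobody asked for; it merely uses 443 as its source port.
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 22, inbound=True)

    stateful = StatefulFirewall()
    traffic = [request, reply, unsolicited]
    return {
        "packet_filter": [stateless_allow(p) for p in traffic],
        "stateful": [stateful.allow(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, decisions in compare_filters().items():
        print(name, decisions)
```

Both filters pass the request and its reply; only the stateless one also passes the third packet, which is exactly the gap the connection table closes. That table is also why stateful products cost more and need sizing for connection count, not just bandwidth, which ties back to the performance questions above.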

And once a firewall is set up, it becomes important to build and implement strong auditing activity, Chapple says. "In the real world of firewall management, we're faced with balancing a continuous stream of change requests and vendor patches against the operational management of our firewalls."

Work closely with system administrators. They "tend to be quick on the trigger to ask for new rules, but not quite so eager to let you know when a rule is no longer necessary" and can be trimmed, he says. He estimates that at least 20 percent of the average firewall's rulebase is unnecessary. -- Michael Causey
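The auditing Chapple calls for, and the rule trimming the last paragraph describes, can be started mechanically. The following is an added example, not code from the white paper or the article: it takes a small first-match rulebase and a log excerpt, counts how often each rule fires, flags rules that never fired in the window, and flags rules that an earlier rule already fully covers (so the later rule can never match). The rulebase, the log format and the `rule=` regex are all constructed for the example; a real deployment would parse the vendor's own syslog format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    rid: str
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    dport: str   # TCP/UDP port as a string, or "any"


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet `later` could match is already matched by
    `earlier`; in a first-match rulebase `later` is then unreachable,
    whatever its action."""
    return (
        _net(later.src).subnet_of(_net(earlier.src))
        and _net(later.dst).subnet_of(_net(earlier.dst))
        and earlier.dport in ("any", later.dport)
    )


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule id, earlier rule id that hides it) pairs."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.rid, earlier.rid))
                break
    return found


# Constructed log syntax: each line names the rule that matched as rule=<id>.
HIT_RE = re.compile(r"\brule=(\S+)")


def count_hits(log_lines: Iterable[str]) -> Dict[str, int]:
    """Tally how often each rule id appears in the log lines."""
    hits: Dict[str, int] = {}
    for line in log_lines:
        m = HIT_RE.search(line)
        if m:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits


def unused_rules(rules: List[Rule], hits: Dict[str, int]) -> List[str]:
    """Rule ids with no hits in the log window: candidates to confirm with
    the admin who requested them and then retire."""
    return [r.rid for r in rules if hits.get(r.rid, 0) == 0]


# Constructed rulebase (first match wins) and constructed log excerpt.
RULES = [
    Rule("R1", "allow", "10.0.0.0/8", "any", "443"),
    Rule("R2", "allow", "10.1.0.0/16", "any", "443"),   # fully covered by R1
    Rule("R3", "allow", "any", "192.168.1.10/32", "22"),
    Rule("R4", "deny", "any", "any", "any"),
]

LOG = """\
2006-07-18T10:00:01 fw1 rule=R1 action=allow src=10.1.2.3 dst=203.0.113.10 dport=443
2006-07-18T10:00:02 fw1 rule=R3 action=allow src=198.51.100.7 dst=192.168.1.10 dport=22
2006-07-18T10:00:03 fw1 rule=R1 action=allow src=10.2.0.9 dst=203.0.113.44 dport=443
2006-07-18T10:00:04 fw1 rule=R4 action=deny src=198.51.100.9 dst=192.168.1.10 dport=3389
""".splitlines()


def audit(rules: List[Rule] = RULES, log_lines: Iterable[str] = LOG) -> Dict[str, object]:
    """Combine hit counting, unused-rule and shadowed-rule checks."""
    hits = count_hits(log_lines)
    return {
        "hits": hits,
        "unused": unused_rules(rules, hits),
        "shadowed": shadowed_rules(rules),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On this input R2 shows up in both lists: it never fires, and it never can, because R1 already admits everything it describes. A zero hit count alone is only a lead, since a rule may exist for a quarterly job that did not run in the window, so the unused list is something to take back to the requesting administrator rather than delete outright; a shadowed rule, by contrast, is dead by construction and can be removed as soon as the covering rule is confirmed to be the intended one.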