Many people fail to consider the maintenance issues of the firewall. With the rapid rate of change in the computer industry, a large organization may have to update the firewall frequently in order to support new requirements. For a very large infrastructure, this can become a nightmare. Some support and maintenance issues to consider are:
- How many systems will be in the firewall architecture?
- Is a central management station important?
- How frequently will the firewall rules have to be modified?
- Is it likely that on-the-fly solutions will be required? Would the technical staff be able to implement these easily? Are the vendor's engineers available, if necessary?
Intranet firewalls -- trust relationships
No matter how good the external firewall is, you may still be at risk. In large organizations, more than one division may have an Internet connection. The problem is that you can't control their security and, by trusting their network, you may be vulnerable.
For example, if you are in a brokerage environment, the trading desks may need to attach market data feeds to your network. Most market data vendors will simply convince the trading desk to hook their connection right to your network without going through a firewall. After all, the firewall will slow down the feed and make them look bad. However, in such a situation the market data vendor is controlling your security, because you are relying on them to protect you. Many vendors do provide security capabilities, such as secure lines and network segments to your site. The question is, are you willing to rely on them to make sure they don't make mistakes? I certainly don't with regard to either scenario.
An intranet firewall is a good tool for protecting yourself from the rest of the company. This type of firewall may be much more complicated than an Internet firewall. You will have company applications that may have to be passed through. You may also have market data vendors who have varying ways of supplying data, such as an X Windows-based delivery, FTP, etc. The point is that this firewall may be a very different beast from the external firewall. Where a stateful inspection may be appropriate for the external link with general services, a proxy may be better for an intranet firewall.
There are, no doubt, other issues to consider. Every site is different and may have different issues. If you think of issues that you'd like to share, please send me email. If there's enough input, I'll post a comprehensive checklist that reflects the real requirements of the industry from the people who have to make it work -- not just the vendors. Next month, we'll examine firewall implementation and performance issues.