October 17, 2001, 3:37 PM — I am often asked, "What is the best firewall?", a leading question
if ever there was one. It reminds me of a time when I went to a
popular cigar shop to purchase a humidor and cigars as a gift. I
told the proprietor that I knew nothing about cigars, but would rely
on his judgment to choose "the best." He explained that it really
was a matter of taste, a point I could relate to, given my feelings about wine. I personally don't care for
Chardonnay, no matter how expensive. A reasonably priced Margaux is
more to my taste and, therefore, the better wine for me.
Firewall selection is not much different. There are many types that
suit different requirements. Simply purchasing "the industry leader"
is not necessarily the best solution. There's more involved than
installation. A firewall solution must be maintainable and
adaptable as well.
Part 1 of this three-part series covers the planning stage of
firewall architecture: what a firewall is required to do, rather than how to make one work, although the consequences of those planning decisions
will be discussed as well. Next month, Part 2 will cover the
implementation issues, including platform security, installation,
performance tuning, and maintenance.
What is a firewall?
Anyone who has worked with firewall technology at all should be
familiar with the terminology used to describe it. I won't repeat here what has already been covered at
length in Unix Insider and elsewhere.
My focus is more elemental. What do you consider a
firewall to be? A network appliance that you drop in place and forget, or
a design concept that must adapt to changing requirements? Firewall vendors seem to encourage the
Internet toaster mindset. After all, the idea that you can drop something in place and forget about it is very appealing. While this certainly makes
implementation easier, there can be significant hidden costs in both
money and resources over time.
I consider a firewall to be a design concept rather than an
Internet toaster. The goals of a system's design should be driven by the
business initiatives, policies, and procedures of the particular
organization. How, then, can a
firewall be purchased off the rack and fit all my organization's
needs exactly? The answer is that it can't. It must be tailored to
fit. Well, in order to do any tailoring, you have to know what
you're working with.