- Use of TCP-based connections (such as telnet or FTP) must be accompanied by an evaluation of your usage requirements. Do you need to limit by user or time of day? Does the service need to be proxied?
- UDP-based services are usually considered dangerous for an
external firewall: UDP is connectionless, so a plain packet filter
cannot tell a legitimate reply from unsolicited inbound traffic. I'd
recommend looking for alternatives, but if you have to support UDP,
consider NAT or stateful inspection-based
- If you have private data feeds, it is strongly recommended that you
deploy a separate intranet firewall. This allows you to maintain security with other sites without potentially exposing them to the Internet by
putting them on the same firewall.
- Internal routing table issues determine if NAT or stateful
inspection can be used. If you have UDP-based services, you are
probably looking at using a NAT or stateful inspection firewall
rather than one that is proxy based. However, neither NAT nor stateful
inspection will work if you can't route the traffic to them. A
proxy-based firewall works with applications that can be configured
to use a proxy, so you do not need routes or DNS to Internet
networks on your private network. Netscape and RealAudio are
examples: both let you define a proxy to which the traffic is sent.
Be sure to check with your networking people on this.
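The following is an added illustration (not code from the article) of what "stateful inspection" means for UDP, which the UDP and routing items above lean on. Because UDP has no handshake, the firewall fabricates a flow entry when it sees an outbound datagram and admits only replies that match the reversed 5-tuple within an idle timeout. Everything here is simulated: the private address range, the 30-second timeout, and the packets are constructed values, and no real sockets are involved.

```python
"""Toy stateful-inspection filter for UDP (added example, not the article's code).

Outbound datagrams from the private network create a flow entry keyed by the
5-tuple. Inbound datagrams are admitted only if they match the reverse of a
live entry. Entries expire after an idle timeout, which is the only way a
firewall can "close" a UDP flow.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."    # constructed: our private address space
UDP_IDLE_TIMEOUT = 30.0      # constructed: seconds a flow stays open when idle


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatefulUdpFilter:
    def __init__(self, timeout: float = UDP_IDLE_TIMEOUT):
        self.timeout = timeout
        # (src_ip, src_port, dst_ip, dst_port) -> timestamp of last packet
        self.flows: dict[tuple, float] = {}

    def _expire(self, now: float) -> None:
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.timeout}

    def decide(self, pkt: Packet, now: float) -> str:
        """Return "ALLOW" or "DROP" for one datagram seen at time `now`."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip):
            # Outbound: create or refresh the pseudo-connection.
            self.flows[key] = now
            return "ALLOW"
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            # Inbound reply to a live outbound flow: refresh and admit.
            self.flows[reverse] = now
            return "ALLOW"
        # Unsolicited inbound, or a flow that has already expired.
        return "DROP"


def run_scenario() -> list:
    """Constructed traffic: a DNS query, its reply, an unsolicited probe,
    and a late reply arriving after the idle timeout."""
    fw = StatefulUdpFilter()
    traffic = [
        (0.0,  Packet("10.0.0.5", 40000, "192.0.2.53", 53)),      # outbound query
        (1.0,  Packet("192.0.2.53", 53, "10.0.0.5", 40000)),      # matching reply
        (2.0,  Packet("198.51.100.9", 53, "10.0.0.5", 40000)),    # unsolicited
        (40.0, Packet("192.0.2.53", 53, "10.0.0.5", 40000)),      # reply after expiry
    ]
    return [fw.decide(pkt, t) for t, pkt in traffic]


if __name__ == "__main__":
    print(run_scenario())  # expected: ['ALLOW', 'ALLOW', 'DROP', 'DROP']
```

The last packet is dropped only because the timeout has elapsed; with a longer timeout it would be admitted, which is the trade-off a stateful firewall makes for UDP and the reason the article suggests looking for alternatives first.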
- Some application clients utilize SOCKS. Almost any firewall can
support this, but if you must have this support, it is best to double-check. Many vendor applications now support a SOCKS 5-based proxy that can be added to
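As an added example, not from the article or any vendor's code, here is the SOCKS 5 (RFC 1928) greeting and CONNECT exchange encoded and decoded by hand, with both the client side and the proxy side shown as pure byte handling (no network I/O). The point for a firewall designer is visible in `client_connect_request`: with address type 0x03 the client hands the proxy a hostname, so the client needs neither a route nor DNS for Internet destinations. The `proxy_policy` function and its allowed-port list are a constructed stand-in for whatever rules a real proxy would enforce.

```python
"""SOCKS 5 CONNECT handshake, client and proxy sides (added example).

Message layouts follow RFC 1928:
  greeting:   VER NMETHODS METHODS...
  selection:  VER METHOD
  request:    VER CMD RSV ATYP DST.ADDR DST.PORT
  reply:      VER REP RSV ATYP BND.ADDR BND.PORT
"""
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCESS = 0x00
REP_NOT_ALLOWED = 0x02   # "connection not allowed by ruleset"


def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client offers its supported authentication methods."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_choose_method(greeting: bytes, supported=(METHOD_NO_AUTH,)) -> bytes:
    """Proxy picks the first method it supports, or 0xFF to refuse."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("malformed greeting")
    n = greeting[1]
    if len(greeting) != 2 + n:
        raise ValueError("greeting length does not match NMETHODS")
    offered = set(greeting[2:2 + n])
    for m in supported:
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, METHOD_NO_ACCEPTABLE])


def client_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying a hostname (ATYP 0x03): the proxy resolves it."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for ATYP 0x03")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def server_parse_request(req: bytes) -> tuple:
    """Proxy decodes (cmd, host, port) from a request; hostname or IPv4 only."""
    if len(req) < 5 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host = req[5:5 + n].decode("idna")
        off = 5 + n
    elif atyp == ATYP_IPV4:
        host = ".".join(str(b) for b in req[4:8])
        off = 8
    else:
        raise ValueError("unsupported address type")
    if len(req) != off + 2:
        raise ValueError("request length does not match address type")
    (port,) = struct.unpack("!H", req[off:off + 2])
    return cmd, host, port


def proxy_policy(cmd: int, host: str, port: int, allowed_ports=(80, 443)) -> int:
    """Constructed ruleset: only broker CONNECT to the listed web ports."""
    if cmd != CMD_CONNECT or port not in allowed_ports:
        return REP_NOT_ALLOWED
    return REP_SUCCESS


def server_reply(rep: int, bind_ip: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Proxy reply; BND.ADDR is the proxy's outbound socket (zeros if refused)."""
    addr = bytes(int(o) for o in bind_ip.split("."))
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + addr + struct.pack("!H", bind_port)


if __name__ == "__main__":
    # Walk through one exchange end to end with constructed values.
    sel = server_choose_method(client_greeting())
    req = client_connect_request("example.com", 443)
    cmd, host, port = server_parse_request(req)
    print(sel.hex(), req.hex(), (cmd, host, port), server_reply(proxy_policy(cmd, host, port)).hex())
```

Because the request carries the name `example.com` rather than an address, name resolution and the outbound route both live on the proxy; that is exactly why a SOCKS-aware client can sit on a private network with no Internet routes at all.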
- Do you need to support X Windows through the firewall? There are
some major security implications with using X in this way.
For outbound X support, an application proxy works well. For
inbound, I would use a VPN. Be aware that, aside from the security
issues, there is a lot of overhead. Make sure you really have to
have this feature and that you can secure it.
- What operating system platform is acceptable? This is getting
into the territory of religious debate, but I always recommend a hardened
Unix platform. Whatever your choice, be sure to evaluate all the
risks and apply all security patches.
Support and maintenance issues
Many people fail to consider the maintenance issues of the
firewall. With the rapid rate of change in the computer industry,
a large organization may have to update the firewall frequently in order to
support new requirements. For a very large infrastructure, this can
become a nightmare. Some support and maintenance issues to consider