Building your firewall, Part 1

By Carole Fennelly, Unix Insider |  Security

  • Use of TCP-based connections (such as telnet or FTP) must be accompanied by an evaluation of your usage requirements. Do you need to limit by user or time of day? Does the service need to be proxied?

  • UDP-based services are usually considered dangerous for an
    external firewall. I'd recommend looking for alternatives, but if
    you have to support UDP, consider NAT or stateful inspection-based

  • If you have private data feeds, it is strongly recommended that you
    deploy a separate intranet firewall. This allows you to maintain
    security with other sites without potentially exposing them to the
    Internet by putting them on the same firewall.

  • Internal routing table issues determine whether NAT or stateful
    inspection can be used. If you have UDP-based services, you are
    probably looking at using a NAT or stateful inspection firewall
    rather than one that is proxy based. However, neither NAT nor
    stateful inspection will work if you can't route the traffic to
    them. A proxy-based firewall works with applications that can be
    configured with the proxy's address, so you do not need routes or
    DNS to Internet networks on your private network. Netscape and
    RealAudio are examples: both allow you to define a proxy to which
    the traffic is sent. Be sure to check with your networking people
    on this.

  • Some application clients utilize SOCKS. Almost any firewall can
    support this, but if you must have this support, it is best to
    double-check. Many vendor applications now support a SOCKS 5-based
    proxy that can be added to most firewalls.

  • Do you need to support X Windows through the firewall? There are
    some major security implications with using X in this way.
    For outbound X support, an application proxy works well. For
    inbound, I would use a VPN. Be aware that, aside from the security
    issues, there is a lot of overhead. Make sure you really have to
    have this feature and that you can secure it.

  • What operating system platform is acceptable? This is getting
    into the territory of religious debate, but I always recommend a hardened
    Unix platform. Whatever your choice, be sure to evaluate all the
    risks and apply all security patches.
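As an added illustration of the UDP and stateful-inspection points above (this is example code written for this page, not from the article or any firewall product), the toy Python filter below contrasts a stateless rule that admits any inbound UDP datagram with a well-known source port against a stateful table that admits only replies matching an earlier outbound request. The addresses, ports, internal prefix and 30-second timeout are constructed assumptions.

```python
# Added example: toy stateless vs. stateful UDP filter. The addresses, ports
# and 30-second timeout are constructed; they are not from the article.
from dataclasses import dataclass

INTERNAL_PREFIX = "10."  # assumed private network behind the firewall

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
def stateless_udp_filter(pkt: Packet) -> str:
    """Stateless rule: admit inbound UDP that looks like a DNS reply (source
    port 53). Any host can set that port, so unsolicited traffic gets in."""
    if pkt.src_ip.startswith(INTERNAL_PREFIX):
        return "ALLOW"  # outbound is always allowed
    return "ALLOW" if pkt.src_port == 53 else "DROP"

class StatefulUdpFilter:
    """Stateful inspection: remember each outbound request and admit only a
    matching inbound reply while the entry is fresh (UDP has no connection)."""
    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout
        self.table = {}  # expected reply 4-tuple -> expiry time
    def handle(self, pkt: Packet, now: float) -> str:
        if pkt.src_ip.startswith(INTERNAL_PREFIX):
            # Outbound: record the 4-tuple the reply will carry.
            self.table[(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)] = now + self.timeout
            return "ALLOW"
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        expiry = self.table.get(key)
        if expiry is not None and now < expiry:
            self.table[key] = now + self.timeout  # refresh on reply traffic
            return "ALLOW"
        self.table.pop(key, None)  # expired or never requested
        return "DROP"

def demo() -> dict:
    # A forged "DNS reply" arrives before any request, then a real exchange.
    forged = Packet("203.0.113.5", 53, "10.0.0.7", 5000)
    request = Packet("10.0.0.7", 5000, "203.0.113.5", 53)
    f = StatefulUdpFilter()
    return {
        "stateless_forged": stateless_udp_filter(forged),     # ALLOW
        "stateful_unsolicited": f.handle(forged, now=0.0),    # DROP
        "stateful_request": f.handle(request, now=1.0),       # ALLOW
        "stateful_reply": f.handle(forged, now=2.0),          # ALLOW
        "stateful_reply_late": f.handle(forged, now=60.0),    # DROP
    }
```

The stateless rule lets the unsolicited datagram through, while the stateful table drops it, admits the genuine reply, and drops the same reply once the entry has aged out.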

Support and maintenance issues

Many people fail to consider the maintenance issues of the
firewall. With the rapid rate of change in the computer industry,
a large organization may have to update the firewall frequently in order to
support new requirements. For a very large infrastructure, this can
become a nightmare. Some support and maintenance issues to consider
