A firewall is just the start. Etienne Greeff describes how
to create systems security that really works.
So far this year analysts, government bodies and even
security companies have all stated that internet security incidents
are on the rise.
Whether fact or fiction, the truth of the matter is that any
company with a connection to the internet faces an increased threat of
theft, hacking, vandalism and data loss.
But most companies know this, don’t they? More than likely, yes.
So they use a firewall to protect themselves, don’t they? Probably.
Well they’re safe then, and can sit back and put their feet up,
can’t they? No.
All organisations need to protect the valuable data and
documents held on their network, and a firewall is the most
efficient way to do this. Acting as guards, firewalls monitor and
examine traffic between a network and the internet. Any
unauthorised or suspicious traffic is blocked.
Firewalls can also be configured to secure one network from
another. However, correct management is crucial. The firewall can
become less than 30% effective within three months of installation
if managed incorrectly.
A firewall is simply an enforcement device. It does not provide
security in its own right. The actual firewall device provides
approximately 20% of the security capability. It is the way the
firewall is configured that provides the overall security
effectiveness.
It’s a bit like having locks on all the windows and doors in a
house but then leaving the key in the door, or one of the windows
open. The locks only work if time is taken to ensure that all
windows and doors are closed and all the keys are removed.
The best way to achieve security effectiveness is to design a
security policy. This will ensure the integrity of any mission-critical
device, especially firewalls. But how do you go about
this?
The very first step in securing a network is to decide on the
different zones of trust present. In its most basic form, network
security is about zones of trust. A simple example would be the
internet (a "no trust" zone) and an internal network (a "high
trust" zone); a firewall controls traffic between these different
zones of trust. Of course, in the real world there are more than
two zones. Typically these include internet, web servers, external
connection zone, internal network, and remote access zone. Once the
zones are identified the different traffic flowing between the
zones can be defined and the firewall policy can be configured
accordingly.
Step two: with any firewall it is very important to have change
control. Far too often firewalls are found with rules that nobody
remembers adding. What normally happens is that these rules remain
because firewall administrators fear they might break something if
they are removed. When rules are introduced there should be a
well-defined method for documenting these and, in the case of
temporary rules, the removal date for the rule should be added in a
comment field.
The only way of checking if the firewall is actually enforcing
the agreed policy is to either verify it with an intrusion
detection system, or to do a manual verification using a
penetration test or a firewall review by a third party.
The third step is to log and review traffic. When deciding on a
firewall policy, do not forget the importance of logging. One of
the primary purposes of a firewall is to log traffic going through
the firewall. Logging is no good unless these logs are reviewed on
a regular basis; this should be included in the policy.
Next, you should manage stability. A firewall is like any other
infrastructure component and should be managed as such. In other
words it should be monitored for availability to ensure maximum
uptime. If a firewall isn’t stable, people will find ways of
avoiding it, leading to a low level of security. This should also
be reflected in the policy.
Finally, you must document your policy. A firewall policy and
the issues around it should always be documented to provide a
reference for administrators and people working on the firewall. If
the policy is documented, people can work to the policy. If no
formal policy exists people will tend to do things in an ad hoc
fashion.
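The five steps above (zones of trust, change control with documented and dated rules, verification that the device enforces the agreed policy, regular log review, and a written policy) can be turned into a small, checkable model. The Python script below is an added example and is not code from the article or from MIS Corporate Defence Solutions: the zone names, rule set, log format, owners and dates are all constructed for illustration. It records each rule with an owner, a comment and an optional removal date, flags rules that are undocumented or past their removal date (the rules nobody remembers adding), evaluates a flow between two zones against the rule set with a default deny so a reviewer knows what the real device should do, and summarises denied traffic per zone pair from constructed log lines so the regular review has something concrete to look at.

```python
"""Added example: a toy model of firewall policy hygiene.

Zones, rules, log format and dates are constructed for illustration; none of
them come from the article or from any real firewall product.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Step one: the zones of trust the policy recognises (constructed names).
ZONES = {"internet", "web_servers", "external_conn", "internal", "remote_access"}

# Date on which the review is run (constructed).
REVIEW_DATE = date(2003, 4, 29)


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]         # None means any port
    action: str                     # "allow" or "deny"
    owner: str                      # who added the rule (change control)
    comment: str                    # why the rule exists
    expires: Optional[date] = None  # removal date for temporary rules


# Constructed rule set. Rule 3 is a temporary rule past its removal date and
# rule 4 is the classic "nobody remembers adding it" entry: no owner, no comment.
RULES = [
    Rule(1, "internet", "web_servers", 80, "allow", "egreeff", "Public web site"),
    Rule(2, "internet", "web_servers", 443, "allow", "egreeff", "Public web site over TLS"),
    Rule(3, "web_servers", "internal", 1433, "allow", "dba-team",
         "TEMP: vendor database migration", date(2003, 3, 31)),
    Rule(4, "remote_access", "internal", None, "allow", "", ""),
    Rule(5, "internal", "internet", None, "allow", "netops", "Outbound browsing via proxy"),
]


def validate_rules(rules: List[Rule], today: date) -> List[Tuple[int, str]]:
    """Step two: change-control checks. Returns (rule_id, problem) pairs."""
    findings = []
    for r in rules:
        if r.src_zone not in ZONES or r.dst_zone not in ZONES:
            findings.append((r.rule_id, "references an unknown zone"))
        if not r.owner:
            findings.append((r.rule_id, "no owner recorded"))
        if not r.comment.strip():
            findings.append((r.rule_id, "no comment explaining the rule"))
        if r.expires is not None and r.expires < today:
            findings.append((r.rule_id, f"temporary rule expired on {r.expires.isoformat()}"))
    return findings


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             dst_port: int) -> Tuple[str, Optional[int]]:
    """Decide a flow against the agreed policy: first match wins, unmatched is denied.

    This is the expected behaviour a manual review or third-party test compares
    the real device against for each zone pair.
    """
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.dst_port in (None, dst_port):
            return r.action, r.rule_id
    return "deny", None


# Step three: constructed log lines in a simple "timestamp ACTION k=v ..." format.
LOG = """\
2003-04-29T10:15:02 DENY src=internet dst=internal dport=445
2003-04-29T10:15:03 DENY src=internet dst=internal dport=139
2003-04-29T10:15:07 ALLOW src=internet dst=web_servers dport=443 rule=2
2003-04-29T10:16:11 DENY src=internet dst=internal dport=445
2003-04-29T10:17:40 ALLOW src=internal dst=internet dport=80 rule=5
"""


def parse_log_line(line: str) -> dict:
    """Split one log line into a dict of its fields."""
    parts = line.split()
    rec = {"time": parts[0], "action": parts[1]}
    rec.update(p.split("=", 1) for p in parts[2:])
    return rec


def review_log(text: str) -> Counter:
    """Count denied flows per (src_zone, dst_zone) pair for the regular review."""
    denied = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec["action"] == "DENY":
            denied[(rec["src"], rec["dst"])] += 1
    return denied


if __name__ == "__main__":
    for rule_id, problem in validate_rules(RULES, REVIEW_DATE):
        print(f"rule {rule_id}: {problem}")
    print(evaluate(RULES, "internet", "internal", 445))
    for (src, dst), n in review_log(LOG).most_common():
        print(f"{src} -> {dst}: {n} denied")
```

Running the script lists rule 3 as expired and rule 4 as lacking an owner and a comment, which is the output a change-control review acts on; the default deny in evaluate is the reference point for a manual check of the device, and the per-zone-pair denial counts are the kind of summary that makes a scheduled log review worth doing.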
Etienne Greeff is professional services
director with MIS Corporate Defence Solutions.
MIS Corporate Defence Solutions is exhibiting at Infosecurity
Europe, Europe's largest and most important information security
event. The show features Europe's largest free education programme,
and over 200 exhibitors at the Grand Hall at Olympia from 29 April
- 1 May 2003.
www.infosec.co.uk