As the popularity of broadband has increased, firewalls have been gaining increasing media attention. Suddenly you and your
network have an open door to the Internet, a place that is rife with hackers, criminals, and various other ne'er-do-wells
-- at least that is what I hear. This report is designed to introduce you to firewalls.
As with all technology, you need a basic understanding of firewalls or you will end up with something that may or may not
be the right solution for your library.
What is a firewall?

A firewall is a system or group of systems that enforces an allow/deny policy. The firewall filters all the packets that
go in and out of your network and either blocks them or allows them to continue to their destination.
For example, you can configure a firewall to allow only e-mail to enter your network, thus shielding you from any attacks
except for ones that arrive via e-mail.
A firewall is typically a separate computer or device on your network that sits between your private network and your Internet
connection. This way, anyone who breaks into your network from the outside must still get through a separate level of security
to reach your files.
A firewall often includes or works with a proxy server that makes network requests on behalf of workstation users. This way
your network users' information is hidden from the outside world.
A firewall also acts as the concentrator for your Internet access. Since all of your traffic goes through one place, you can
produce detailed logs of who tried to access your network, what traffic went where, and much, much more.
Types of firewalls

There are really just two different types of firewalls, though there are several gradations of these types, and some firewalls
combine both in one.
Network Layer

Using the classic OSI network model taught to every young network engineer (who then almost immediately forgets it), the network
layer is essentially the layer where you deal with TCP/IP packets of data. These packets contain information about where they
are from, where they are going, what state they are in (for example, whether they have just spoken to the server) and the
actual data they are transferring.
Network Layer firewalls can do things like block access to an IP address altogether, or allow only specific types of packets
to pass through, e.g. packets destined for port 80 (a Web server).
Recent improvements to this model are Stateful Packet Inspection (SPI) firewalls, such as the Cisco PIX firewalls. These
firewalls look at the state of each packet and can allow or disallow it based on that information. Many network attacks,
such as Denial of Service attacks, rely on sending packets in the wrong state to a server, causing the system to freak
out (in a purely scientific sense, of course).
Application Layer

Application Layer firewalls are subtler and are mainly used for logging or filtering your Internet connection. They do not
specifically allow or deny a connection, but they are required to negotiate the connection, and because of their middleman role
they can monitor and report on it.
Every computer on the Internet needs a unique IP address to communicate. However, these Application Layer firewalls allow
organizations to use one real IP address for external communication and hundreds of non-routable IP addresses internally. Proxy
servers and Network Address Translation (NAT) servers are examples of these firewalls.
Good security is more than a firewall

A firewall is your first line of defense. I mention this because if the rest of your network is insecure, a firewall breach
will be disastrous. Network security is a tricky business, and you need to be diligent about keeping your entire network secure.
But no network is safe if the entire system isn't safe. Your security policy needs to take employees, physical systems (such
as doors), and waste paper, amongst many other things, into consideration. A locked door means nothing if the window is wide
open.
The first thing you need to concern yourself with is your overall security policy. I know this sounds suspiciously like planning,
but if you don't have a strong security policy, your firewall will be nothing more than an interesting experiment.
A good security policy will take into account your entire system. You'll need to think about how long your passwords are in
place before they must be changed, who has the keys to the server, and your own paranoia level. Pay special attention to the
level of security and the effect on usability. The more secure a system is, the more often the users are required to remember
multiple passwords or to change their passwords, making the system less useful.
After you have worked that out, you want to think specifically about the firewall. A firewall policy will answer the questions:

Configure your firewall

If you are setting up a firewall, you have the advantageous position of being able to decide what traffic to allow and what
traffic to disallow. Usually it is best to deny first and ask questions later: deny all services not crucial to your needs.
This is, of course, easier said than done.
First you will need to define your network. If you don't have a network diagram, now is as good a time as any to build one.
List out your network protocols, main systems (such as e-mail, file server version, and patch level), as well as your Internet
connection, speed, IP addresses, and services. Defining where a firewall will go and what its purpose will be can help you
determine which device will work best for your library.
Once you have decided what services to allow, you will need to determine which TCP port or ports these services use, and allow
only those ports.
TCP/IP traffic is directed to a particular service based on a specific port number carried in the TCP packet. You can connect to
the same server's IP address and domain name with a Web browser on port 80, with an FTP client on port 21, or with an e-mail
client using POP3 on port 110. The server knows which service you are trying to reach based on the port.
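The deny-first policy and port-based rules described above, together with the stateful inspection idea from the Network Layer section, as an added example that is not part of the original article. The policy, the addresses (192.0.2.10 as the mail server's public address, 192.168.1.0/24 as the library LAN) and the traffic are all constructed for illustration; NAT is ignored and "wan"/"lan" name the two interfaces of the filter.

```python
import ipaddress
from collections import namedtuple

# Constructed packet: the attributes the checklist says a filter should match on.
# iface is "wan" (arriving from the Internet) or "lan"; syn marks a connection opening.
Packet = namedtuple("Packet", "iface proto src sport dst dport syn", defaults=[True])
Rule = namedtuple("Rule", "action iface proto dst_net dport", defaults=[None] * 4)  # None = any

def rule_matches(r, p):
    in_net = r.dst_net is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst_net)
    return in_net and all(want is None or want == getattr(p, field) for field, want in
                          [("iface", r.iface), ("proto", r.proto), ("dport", r.dport)])

# Hypothetical policy: only SMTP may reach the mail server (public 192.0.2.10); the LAN
# may open only Web (80) and POP3 (110) connections outward. Everything else is denied.
RULES = [Rule("allow", iface="wan", proto="tcp", dst_net="192.0.2.10/32", dport=25),
         Rule("allow", iface="lan", proto="tcp", dport=80),
         Rule("allow", iface="lan", proto="tcp", dport=110)]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.conns = set()  # TCP connections the LAN has opened (NAT is ignored here)
        self.log = []       # denied packets: the "who tried to access what" record

    def decide(self, p):
        if p.iface == "wan" and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "allow"  # reply to a connection the LAN opened
        if p.iface == "wan" and not p.syn:
            return "deny"   # wrong state: this connection was never opened
        for r in self.rules:  # first matching rule wins
            if rule_matches(r, p):
                return r.action
        return "deny"  # default deny: anything not explicitly allowed is blocked

    def filter(self, p):
        verdict = self.decide(p)
        if verdict == "allow" and p.iface == "lan" and p.proto == "tcp":
            self.conns.add((p.src, p.sport, p.dst, p.dport))
        elif verdict == "deny":
            self.log.append(f"deny {p.iface} {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport}")
        return verdict

def demo():  # constructed traffic; dict entries run in order, so state carries across
    fw = StatefulFilter(RULES)
    return {"smtp_in":   fw.filter(Packet("wan", "tcp", "198.51.100.7", 40000, "192.0.2.10", 25)),
            "ftp_in":    fw.filter(Packet("wan", "tcp", "198.51.100.7", 40001, "192.0.2.10", 21)),
            "web_out":   fw.filter(Packet("lan", "tcp", "192.168.1.20", 51000, "203.0.113.5", 80)),
            "web_reply": fw.filter(Packet("wan", "tcp", "203.0.113.5", 80, "192.168.1.20", 51000, False)),
            "stray_ack": fw.filter(Packet("wan", "tcp", "203.0.113.5", 80, "192.168.1.20", 51001, False))}
```

The inbound FTP attempt falls through to the default deny, while the reply to the LAN's Web request is allowed only because the filter saw that connection open; the stray ACK to a port nobody opened is dropped as wrong-state traffic.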
It is actually a pretty cool system. However, there are 65,535 different possible port numbers. As you try to identify ports,
take advantage of the helpful resources available on the Web. The good folks at the Internet Assigned Numbers Authority (IANA)
maintain a useful official site. However, undocumented ports are also in use, and tracking these down can occasionally be nearly
impossible. I've found these sites helpful, though:
Why is Port 5631 open?

If you didn't set up your library's firewall personally, but want to see what it is currently protecting (or not protecting),
you can start by getting access to your firewall. This may involve hunting down a password from the ISP, digging through manuals,
deciphering the notes left by that guy who set the Internet connection up two years ago, and just plain guessing.
If you can't get access to your firewall, you won't be able to make any changes to the configuration rules. Resetting the
router/firewall would get you back in, but you may want to avoid that because of the disruption it would cause the staff.
If you just want to see how the thing is configured, the easiest way to do this is to use an online tool. There are several
out there; the main one I use is from Gibson Research, which has two programs that can probe a server's ports. They look at the
most commonly exposed services and check to see whether you are vulnerable. These tests take about one or two minutes, and
sometimes provide remarkable and eye-opening results.
A longer TCP scan (covering the main 1024 ports) is available at Sygate's Web site. This scan can take 40 minutes or so.
Your firewall

For most libraries, the best way to start is to look for a product to buy. If someone has told you about how you can build
a firewall to meet your needs with existing routers, please think twice. In theory, this approach is good if you have a full-time
IT staff that really understands wide-area networking. In practice, this approach often costs much more in staff time and
energy than comparable out-of-the-box firewalls.
You can buy firewall systems in any shape or size that your heart desires. You can buy software, hardware devices, and hardware
bundled with firewall software, for the Unix, Windows NT/2000, and Macintosh operating systems.
Most organizations can get by with the basic packet filtering firewalls included with the router provided by their ISP or
in the DSL sharing routers, such as those offered by Linksys, NetGear, and SMC. These devices are often limited by how many rules they can apply, in their logging and reporting capabilities, and in performance.
If you want sophisticated packet handling, decent logging features, e-mail notification of detected intrusion attempts, or
Stateful Packet Inspection, you will need to upgrade to a better firewall. Standalone hardware such as the Cisco PIX or SonicWall
firewalls can set you back between $500 and $5,000, depending on your requirements.
Another option is a server-based application. These have the advantage that you can increase their performance by getting
faster hard drives and network cards. They are often easier to manage since their tools are integrated with your server
management tools. CheckPoint has been the leader in this field for ages, but Microsoft has entered this arena with its ISA
Server. There are many other notable players, including ISS's BlackICE. These products tend to start at around $1,000 and go up
from there. Microsoft ISA Server is included with Small Business Server 2000, though, making it a cost-effective solution if you
have fewer than 35 users.
In the end, you are the only person who can tell which is the right product for your library, based on your needs and
budget. But there are a few things to consider when shopping:
1. Will the firewall supplement your security system, or are you dependent on the firewall for security?
2. Does the firewall use a flexible, user-friendly IP-filtering language that is easy to program and can filter on a wide variety
of attributes, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound
and outbound interface?
3. Does the firewall contain mechanisms for logging traffic and suspicious activity, as well as mechanisms for log reduction
to keep logs readable and understandable?
4. Can the firewall and any corresponding operating system be updated with patches and other bug fixes in a timely manner?
Once you've considered all these questions, you can start approaching vendors and looking for something in your price range
that suits your specifications. You can focus your energy on checking out the firewall products list in the appendix and just
start hitting Web sites, or look through product reviews and decide which is best and which one you trust.
If you want my opinion

I can't guarantee that everyone will like these, but here's what I'd recommend without knowing the specifics of your situation.
For libraries, the first thing I would look at is the DSL modems with built-in firewalls. If you are getting DSL anyway,
you might as well get a decent modem that has a firewall. Check with your DSL provider as to which modem they are giving you,
or to make sure that the one you buy is compliant with their system. Often these devices include VPN, NAT (network address
translation), and DHCP. Check out Netopia and Siemens for the products that suit your needs.
For stand-alone firewalls, I like the WatchGuard SOHO. It costs about $500 and is easy to install and configure.
Firewalls and Your Library
This introduction to firewalls explains the basic concepts behind this software security system. It also gives you details about various firewall layers, ports, and configurations.