| | |
7.2. Evaluate the Available Products
When you know what you need to do, and what constraints you have, you
can start looking at the products available to you. At this stage,
people often ask "What's the best firewall?", to
which the standard answer is "How long is a piece of
string?" -- a sarcastic way of suggesting that the answer
is, as always, "It depends". Here are some things to keep
in mind as you go through the process of determining what's
best for your situation.
7.2.1. Scalability
As your site gets larger, or your Internet usage gets larger, how are
you going to grow the solution? Can you increase the capacity without
changing anything fundamental (for instance, by adding more memory,
more CPUs, a higher-speed interface, an additional interface)? Can
you duplicate pieces of the configuration to get extra capacity, or
will that require reconfiguring lots of client machines, or break
functionality?
For instance, if you are using proxying, it may be difficult to add a
second proxy host because clients will need to be reconfigured. If
you are using stateful packet filtering, it may be impossible to add
a second packet filter. Stateful packet filtering relies on having
the packet filter see all the packets that make up a connection; if
some packets go through one filter, but other packets don't,
the two filters will have different state and make different
decisions. Either the packet filters need to exchange state, or you
need to scale up by making a single packet filter larger.
7.2.2. Reliability and Redundancy
In many situations, a firewall is a critical piece of the network; if
it stops passing traffic, important parts of your organization may be
unable to function. You need to decide how important the firewall
you're designing is going to be, and if it requires high
availability, you need to evaluate solutions on their ability to
provide high reliability and/or redundancy. Can you duplicate parts?
Can you use high-availability hardware?
7.2.3. Auditability
How are you going to tell whether the firewall is doing what you
want? Is there a way to set up accurate logging? Can you see details
of the configuration, or is your only access through a graphical user
interface that gives only an overview? If you are putting multiple
pieces in multiple places, can you see what's going on from a
single centralized place?
7.2.4. Price
The price of specialized components is the most visible part of a
firewall's price, and often the most visible criterion in the
entire evaluation. However appallingly high it may seem, it's
not the entire price. Like any other computer system, a firewall has
significant costs besides the initial purchase price:
- Hardware price
- If you are buying a software solution, what hardware do you need to
run it on? If the initial price includes hardware, will you require
any additional hardware? Do you need a UPS system, a backup system,
additional power or air-conditioning, new networking hardware?
- Software price
- Are you going to need anything besides the firewall software itself?
Do you need backup software or an operating system license? What is
the licensing scheme on the software? Is it a fixed price, a price
per outgoing connection, or a price per machine connected to your
networks?
- Support and upgrades
- What support contracts do you need and how much do they cost? Will
there be a separate fee for upgrades? Remember that you may need
separate contracts for software, hardware, and the operating
system -- on each component.
- Administration and installation
- How much time is it going to take to install and run, and whose time
is it? Can it be done in-house, or will you have to pay consultants?
Is installation time included in the purchase price? Will you need
training for the people who are going to administer it, and how much
will the training cost?
7.2.5. Management and Configuration
In order for a firewall to be useful, you need to be able to
configure it to meet your needs, change that configuration as your
needs change, and do day-to-day management of it. Who is going to do
the configuration? What sort of management and configuration tools
are available? Do they interface well with your existing environment?
7.2.6. Adaptability
Your needs will change over the lifetime of the firewall, and the
firewall will need to change to meet them. What will happen when you
need to add new protocols? What will happen if new attacks come out
based on malformed packets? If the firewall can adapt, do you have
the expertise to make the needed changes, or will you need assistance
from the vendor or a consultant?
7.2.7. Appropriateness
One size does not fit all; these days, even clothing manufacturers
have revised the motto to "One size fits most".
It's not clear that even that statement holds true for
firewalls. The sort of solution that's appropriate for a small
company that does minimal business over the Internet is not
appropriate for a small company that does all of its business over
the Internet, and neither of those solutions will be appropriate for
a medium or large company. A university of any size will probably
need a different solution from a company.
You are not looking for the perfect firewall; you are looking for the
firewall that best solves your particular problem. (This is good,
because there is no perfect firewall, so looking for it is apt to be
unrewarding.) You should not pay attention to absolute statements
like "Packet filtering doesn't provide enough
security" or "Proxying doesn't provide enough
performance". On a large network, the best solution will almost
always involve a combination of technologies. On a small network, the
best solution may well involve something that's said to be
"insecure" or "low performance" or
"unmaintainable" -- maybe you don't need that
much security, or performance, or maintainability.
You can think of it two ways. Either there are no bad firewalls, only
good firewalls used in silly ways, or there are no good firewalls,
only bad firewalls used in places where their weaknesses are
acceptable. Either way, the trick is to match the firewall to the
need.
| | | 7. Firewall Design | | 7.3. Put Everything Together |
|
|