Does my company, which has 50+ servers, need both external (on the Web) and internal (on our intranet) firewalls AND firewalls on client PCs? How many layers of firewalls do we need? Are there open source firewalls for each level?
The specifics of how a security defense barrier should be designed and implemented for your site is something that demands professional input. It is beyond the scope of what we can offer here.
One thing is certain: Any site that is not adequately protected using appropriate defense barrier technology is playing Russian Roulette with potential intruders.
There are a few universal rules for secure network design:
- Use the best perimeter security barrier technology you can afford. The best does not need to be the most expensive or the most costly. You can use Linux or FreeBSD based firewall systems. Typically one would install an external firewall that will accept only incoming traffic to ports that match active services provided from your site. In the case of an intranet, a paranoid policy would be to allow incoming traffic to, say, a Web server only to the machine(s) that provide(s) Web services. Requests to anything other than the permitted Web servers should be denied.
- On all machines, no matter where located, turn off all services that are not in use or are not needed. Make sure that perimeter security barriers (e.g. an external firewall) deny any requests for non-existent services. Do not reject requests -- that would help a potential intruder to determine what services your site provides. Deny the request silently. Do not respond to a denied request. By simply refusing to accept the request your barrier will "drop the request on the floor."
- In addition to a perimeter firewall, install a network address translation (NAT) firewall between the secure (private or internal) network and the intranet (publicly accessible network).
- Do not route packets between the private network and the outside world. Handle all such traffic through proxy servers. Locate the proxy servers in the intranet area (also known as a demilitarized zone). This way the outgoing request will not be capable of being traced to an internal network address. Make every effort not to reveal how your network is configured -- knowledge is power to a potential intruder.
- Use virus filters (scanners) on all incoming mail traffic.
Your defense barriers are only as good as the best methods known to keep a cracker out yesterday. Today's would-be cracker knows that he needs to come up with a smarter way to penetrate your network -- only script kiddies try to use old methods; they know that there are plenty of poorly-protected sites. A well protected site will drive away most script kiddies.
Linux has two well-known tools from which a firewall may be created. These are ipchains and iptables. The more recent of these is iptables. But someone who configures a firewall for commercial use will likely use a tool such as fwbuilder to help with the design and implementation. No matter how you build your firewall, do make sure that it is well tested and that protective policies are validated as effective.
It is not necessary to run specific firewall software on all PCs inside a well-protected network, but you should certainly use anti-virus software on all client PCs.
Also, you ought to have clear site policies in respect of network usage, as well as in respect of what software and services users are permitted to run on their PCs. The indiscriminate operation of software like Kazaa can totally expose your internal network.
Finally, I must stress that there is no substitute for professional guidance in the design and maintenance of network security.
- John T.
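The rules in the answer above (default-deny, silent DROP rather than REJECT, public traffic admitted only to the one DMZ host that serves Web, no routing between the private network and the outside world, outbound traffic only via a proxy in the DMZ, NAT hiding the DMZ behind the firewall's public address) can be expressed as a single iptables-restore ruleset. The following is an added example and not code from the answer or from any particular project. It assumes a three-interface Linux firewall: eth0 facing the Internet, eth1 the DMZ (192.0.2.0/24, with a Web server at 192.0.2.10 and a proxy at 192.0.2.20 listening on 3128) and eth2 the private network (10.0.0.0/8); all of those names and addresses are placeholders.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for a three-legged
# perimeter firewall. Interface names, networks and hosts are assumptions.
PUB_IF=eth0            # Internet-facing interface
DMZ_IF=eth1            # DMZ ("intranet") interface
PRIV_IF=eth2           # private/internal network interface
DMZ_NET=192.0.2.0/24   # hypothetical DMZ address range
PRIV_NET=10.0.0.0/8    # hypothetical private address range
WEB_HOST=192.0.2.10    # the only DMZ host allowed to receive Web requests
PROXY_HOST=192.0.2.20  # DMZ proxy; private hosts reach the outside only via it
PROXY_PORT=3128

# Print the ruleset. Every chain policy is DROP and no rule uses REJECT, so
# anything not explicitly permitted is dropped on the floor without a reply.
perimeter_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall itself: loopback, replies to its own connections, and ssh from the
# private side only. No service is reachable on the public interface.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $PRIV_IF -s $PRIV_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarded traffic: replies to permitted connections, nothing malformed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Internet -> DMZ: only HTTP/HTTPS, and only to the designated Web server.
-A FORWARD -i $PUB_IF -o $DMZ_IF -d $WEB_HOST/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Private -> DMZ: only to the proxy. There is deliberately no rule from
# $PRIV_IF to $PUB_IF, so private hosts are never routed to the outside.
-A FORWARD -i $PRIV_IF -o $DMZ_IF -s $PRIV_NET -d $PROXY_HOST/32 -p tcp --dport $PROXY_PORT -m conntrack --ctstate NEW -j ACCEPT
# DMZ proxy -> Internet on behalf of private clients.
-A FORWARD -i $DMZ_IF -o $PUB_IF -s $PROXY_HOST/32 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide DMZ addresses behind the firewall's public address.
-A POSTROUTING -o $PUB_IF -s $DMZ_NET -j MASQUERADE
COMMIT
EOF
}

# Sanity checks a practitioner would run before loading the rules:
# default policies are DROP, no REJECT target anywhere, and no rule forwards
# straight from the private interface to the public one. Returns 0 if all hold.
check_policy() {
  rules=$(perimeter_ruleset)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  if printf '%s\n' "$rules" | grep -q 'REJECT'; then return 1; fi
  if printf '%s\n' "$rules" | grep -q -- "-i $PRIV_IF -o $PUB_IF"; then return 1; fi
  return 0
}

# Usage: sh fw.sh print > fw.rules && iptables-restore --test fw.rules
if [ "${1:-}" = "print" ]; then
  check_policy || { echo "policy check failed" >&2; exit 1; }
  perimeter_ruleset
fi
```

Run it with the `print` argument to emit the ruleset, feed the result to `iptables-restore --test` (which parses the file without committing it) and only then load it for real; after loading, confirm from an outside host that a port scan against anything other than the Web server's 80 and 443 gets no answer at all, which is the observable difference between DROP and REJECT.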