
How to build a Firewall
May 12th, 2002

When you're building a firewall there are several things you must pay attention to and incorporate into the design of the firewall. If you don't, you risk fallible security, poor performance, and management nightmares. In order of importance, apply these concepts.

  1. Understanding
  2. Security
  3. Management
  4. Efficiency

If you apply these in the order specified when designing your network, and you apply them with each other in mind, then your firewall will be more secure, easier to manage and will perform better. If not, then you're probably going to have a hassle on your hands that nobody wants to touch for fear of breaking it, and you or your customers will probably be annoyed by its quirks and latency.

Understanding
Put short and simple, know what you're talking about and know how to do it. There is nothing more damaging than a person who talks big and knows very little. Train yourself and train your people.
Security
The whole point of a firewall is to allow or deny traffic, sometimes modifying it to fit your parameters. Nothing else is required of a firewall. A firewall may also do other things if those other things do not impact or degrade the security of your firewall. Efficiency may be degraded only as long as the degradation remains above an acceptable performance level.
Management
Ever been somewhere where people utter the phrase "don't fix it if it ain't broke" or "we finally got it working, now don't touch it!"? Most of us have encountered this. Unfortunately it's common, and it is a sure indicator that there wasn't much thought or planning put into its design before the implementation occurred. This is also indicative of a job with much higher levels of frustration, missed deadlines, and stress leading to burnout. Plan it right, do it right, and management of it will be a breeze. You won't be afraid to touch it because you and your team understand it.
Efficiency
Once you have the first two covered, the performance of the firewall needs to be kept up to par. Believe it or not, if you designed it well, then it is going to work well. Things just fall into place like they belong there simply because they do belong there. Where security and performance meet, you will sort the rules by hit frequency and by resource consumption; make sure that reordering does not weaken your security. If your performance doesn't measure up, don't skip out on security; increase the power of your firewall.

How do you design your firewall? Here is where you brainstorm, writing down your ideas and comparing them to your Policies and Procedures. You do have P&P, right? You need to document everything you need to do with your firewall and everything you want to do. Do keep these two separate. Assign a priority to each distinct function. For example, it's very important that you fully handle port 80 (HTTP) data, it's mildly important that the legacy FTP site be handled, and it's really not important whether GOPHER traffic is handled.

Make a list of services you need and want to handle. After that, your default policy should be to drop or reject all other traffic. You may want a mixture of drop and reject. For example, if you choose to ignore ident requests, you don't really want to just drop those packets, because it will cause timeout delays for both your internal users and your external users. Reject these packets so the requesting server can immediately get on with its business.
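The need/want list, default-deny policy and reject-ident advice above, turned into an iptables ruleset as an added example (not code from the original article). The service ports, the eth0 interface name and the ipt_state match syntax are assumptions; the script only prints the commands so the ruleset can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: render a "need / want / default-deny" policy as iptables
# commands. Nothing is applied here; the output is meant to be reviewed,
# then run (as root) once it matches the written policy.

NEED="80/tcp"          # must handle: HTTP (assumed)
WANT="21/tcp"          # nice to have: legacy FTP control channel (assumed)
IFACE="eth0"           # assumed external interface

# Emit one ACCEPT rule per "port/proto" entry in a space-separated list.
allow_services() {
    for svc in $1; do
        port=${svc%/*}
        proto=${svc#*/}
        echo "iptables -A INPUT -i $IFACE -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

gen_rules() {
    # Default policy: anything not explicitly listed is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Hit order: the rule that matches most packets (replies to existing
    # connections) goes first so later rules are evaluated less often.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow_services "$NEED"
    allow_services "$WANT"
    # ident (113/tcp): reject with a TCP reset instead of silently dropping,
    # so remote mail/IRC servers that probe ident do not wait for a timeout.
    echo "iptables -A INPUT -i $IFACE -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # Everything else falls through to the DROP policy.
}

gen_rules
```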
