WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Like what you see? Get it in one document for easy printing!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Test yourself better with 300 extra Security+ questions!
Get It Here!

Google
Web CertiGuide






Table Of Contents  CertiGuide to Security+
 9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
      9  3.1  Devices
           9  3.1.1  Firewalls

Previous Topic/Section
Personal Firewalls
Previous Page
Pages in Current Topic/Section
1
Next Page
 3.1.2  Routers
Next Topic/Section

If We Buy It, Will It Protect Us?

ICSA Labs reports that, “an alarming number of firewalls aren’t functioning as intended.”268 This is largely due to the “people” component in the firewall configuration process, rather than shortcomings in the firewalls themselves. Many firewalls are simply improperly installed or configured.

[spacer]Which One Should I Get?

It depends, on many factors, because firewalls vary greatly in functionality. Many people consider Checkpoint the market leader in network firewalls, but the cost and complexity of their solutions tends to be overkill for the typical small office. Other companies, whose networks are full of Cisco’s’ networking equipment, like Cisco’s PIX. Still others, particularly those constrained by cost and those who like to inspect the source code for their security devices, like open source firewalls such as the network-level IP tables in Linux. Several independent organizations certify firewalls, including ITSEC, TCSEC and Common Criteria. Commercially, ICSA and West Coast Labs Check Mark provide somewhat more-limited certification.


It appears that Tiny is getting out of the firewall business. Kerio and Tiny at one point appeared to be the same code base with different marketing. One of your authors has been both fooling around with a new version of Kerio and lurking on a newsgroup for the currently beta product269. Early indications are that the new Kerio is vastly more powerful, and in the current beta, equally more complex. Other users swear by the popular ZoneAlarm firewall.

So, it is important that staff is trained on proper firewall configuration and security techniques, and that firewall configurations and rules are documented. Again, security isn’t a one-time action that is taken and then is over with. It is a process! A single setting can sometimes turn on (and thus, OFF) packet inspection, turning a firewall with a well-designed rule base into a box that blindly passes along every packet it sees.

In addition to regular audits of your firewall rules and configuration, and perhaps an occasional penetration test by staff (or a consulting group) using an outside Internet connection, what else can be done to maximize the security of a firewall? Check with your firewall vendor regularly to ensure that you are running the most up-to-date software, which is likely to be the most resistant to known vulnerabilities.

Follow popular mailing lists like BUGTRAQ, and Usenet newsgroups related to your firewall platform to keep up with potential issues. As with any network device, if the vendor has a security bulletins list, sign up for it and take the recommendations posted on it. For example, sometimes a vendor suggests temporarily disabling a feature until a patch for a security vulnerability involving it is tested and released. Ignore these (we know many people will, often based on, “I don’t have the time”) at your own peril, and don’t say you weren’t warned.


 __________________

268. Firewalls FAQ, ICSA Labs, http://www.icsalabs.com/html/communities/firewalls/faqs/index.shtml, 2000.

269. http://www.kerio.com/us/beta_section.html

Previous Topic/Section
Personal Firewalls
Previous Page
Pages in Current Topic/Section
1
Next Page
 3.1.2  Routers
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.