A firewall is a computer security device that is situated between a small business's internal network and the Internet. It can work at either the software or the hardware level to prevent unwanted outside access to the company's computer system. Matthew Sarrel, writing for PC Magazine, provided the following definition: "A firewall must contain a stateful packet inspection (SPI) engine, which examines the content of packets and grants access to your network only if the traffic appears legitimate. Firewalls can also block inappropriate inbound and outbound traffic based on rules or filters. Internet Protocol (IP) filtering, for example, can block employees behind the firewall from accessing or receiving mail from specific IP addresses. Also, traffic can be blocked based on your network card's unique identifier, called a MAC (media access control) address. Many firewalls can control traffic using keyword and domain filters, letting you block traffic to specific sites. More sophisticated firewalls let you create complex rules." The firewall thus basically acts as a guard, identifying each packet of information before it is allowed to pass through. It is one of the most effective forms of protection yet developed against hackers operating on the Internet. A "stateful" engine, by the way, is electronics parlance for software able to remember its earlier states, usually by saving values in memory.
Ideally, a firewall will detect intruders, block them from entering the company's computer network, notify the system administrator, record information about the source of the attempted break-in, and produce reports to help authorities track down the culprits. Since firewalls can be set to monitor both incoming and outgoing Internet traffic, they can also be used to prevent employees from accessing games, newsgroups, or adult sites on the Internet.
Despite the potential advantages of firewalls, however, some small businesses remain unprotected. Owners sometimes believe that firewalls are too expensive or demand too much technical expertise. Others believe that no hacker would be interested in the information contained on their computers. Wrong! Intruders often seek unprotected computers to serve as unknowing transmitters for spam mail. Later the company may discover this when many sites that have protected themselves refuse the company's own mail. Many hackers also seek to disrupt companies' operations just for the hell of it. A small business may lose valuable information or cause itself no end of hassle by failing to erect a firewall.
EVALUATING THE NEED FOR A FIREWALL
Any computer connected to the Internet is vulnerable to hackers. Networked computers require more robust protection than free-standing machines. The free-standing machine connected to the Internet may be sufficiently protected by software arrangements—and the protection provided to its e-mail by the Internet portal operator.
Although firewalls have a number of potential advantages, they do not provide foolproof protection and also have some potential disadvantages. As Steffano Korper and Juanita Ellis wrote in The E-Commerce Book, firewalls cannot protect against computer viruses or against data theft by authorized users of a company's computer network. In addition, firewalls involve some expense. Ideally they will be installed by a service organization.
Some small businesses avoid the need for a firewall by using a simple security measure known as "air gapping." This means that the company's computer network is kept completely separate from the Internet. One method of air gapping involves accessing the Internet only from a standalone computer not connected to the internal network; that machine, of course, will not hold any valuable or confidential information. This approach may be cheap but will not serve an organization that actively uses the Internet in its business operations. Another method involves only running Web servers that outsiders can reach on a secure system belonging to an Internet Service Provider (ISP).
TYPES OF FIREWALL PROTECTION
The hardware security systems that act as firewalls vary in configuration and sophistication. One relatively simple device involves using a router—which controls the sending and receiving of messages—equipped with packet filters to examine the messages. This system can be configured to block traffic to or from certain Internet destinations or all unknown destinations. This type of security system is relatively inexpensive and easy to set up, but it also offers only minimal protection from hackers. A slightly more sophisticated and secure system is a proxy server. A proxy server works by stopping all incoming and outgoing traffic for inspection before forwarding it. One advantage of this type of system is that it can create a log of all messages sent and received. Proxy servers can be difficult to install, however, and can also make Internet use less convenient for employees.
Both routers and proxy servers have one major disadvantage in terms of the security they provide. These systems base their evaluation and approval of messages on the header, which lists the sender, recipient, source, and destination. But hackers can easily create false headers to fool the filtering systems. One way to overcome this problem is through type enforcement, which also scans the content of messages. Another system, already mentioned, is the stateful inspection firewall; it uses an even more sophisticated method of verifying the sources of messages. Finally, it is possible to use any combination of routers, filters, proxy servers, and firewalls to create a layered security system. A large company like Motorola, for example, might place a firewall at the outside of the system, and connect it to a gateway computer, and then connect that machine to a router with packet filters, and finally connect the router to the internal computer network.
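The difference between header-only filtering and stateful inspection described above, shown as an added example that is not part of the original article. The rule set, addresses, and names are assumptions made for illustration, and TCP teardown is simplified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # simplified TCP flags: "SYN", "SYN-ACK", "ACK", "FIN"
    inbound: bool  # True when the packet arrives from the Internet side

def header_only_allow(pkt: Packet) -> bool:
    """Packet filter that trusts header fields alone (hypothetical rule set)."""
    if not pkt.inbound:
        return True  # outbound traffic is permitted
    # Inbound rule: anything claiming to be a web-server reply is let through.
    return pkt.sport == 443 and "ACK" in pkt.flags

class StatefulFilter:
    """Remembers connections opened from inside; admits only their replies."""
    def __init__(self) -> None:
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                self.connections.add(key)      # new connection: save its state
            elif pkt.flags == "FIN":
                self.connections.discard(key)  # simplified teardown
            return True
        # Inbound packets must match a connection an inside host started.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

# Constructed sample traffic (documentation and private address ranges).
TRAFFIC = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 443, "SYN", False),
    Packet("203.0.113.5", 443, "192.168.1.10", 50000, "SYN-ACK", True),  # real reply
    Packet("198.51.100.7", 443, "192.168.1.20", 5000, "ACK", True),      # false header
    Packet("192.168.1.10", 50000, "203.0.113.5", 443, "FIN", False),
    Packet("203.0.113.5", 443, "192.168.1.10", 50000, "ACK", True),      # after close
]

def compare(traffic):
    """Return (flags, header_only_decision, stateful_decision) per packet."""
    stateful = StatefulFilter()
    return [(p.flags, header_only_allow(p), stateful.allow(p)) for p in traffic]

if __name__ == "__main__":
    for flags, stateless, stateful in compare(TRAFFIC):
        print(f"{flags:8} header-only={stateless!s:5} stateful={stateful}")
```

The header-only filter passes every inbound packet whose header resembles a web reply, while the stateful filter drops the two that match no connection saved in its table.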
TIPS ON BUYING A FIREWALL
Before purchasing a firewall, a small business owner should consider what type of information must be protected, and how severe the consequences of an attack might be. These factors will help determine how much money and time the company should spend on the firewall purchase. It is important to remember that the true costs of a firewall include installation and setup, training, maintenance, and regular updates. In addition, understanding the distinctions between different products—and installing the product properly—requires technical expertise and may involve hiring an outside computer expert.
Firewall protection comes in a wide variety of forms. Some basic firewall software is available for free on the World Wide Web. These simple packages can be downloaded and installed fairly easily, but they provide fewer options for users and do not offer technical support in case of problems. Many other software solutions are available at retail computer stores or via mail order. These firewalls are also easy to install and often feature technical support. The most sophisticated firewalls are complete hardware systems that can cost thousands of dollars. These systems usually include a number of additional features. For example, they often can be used as routers for directing traffic among computers in a network. Some of the top firewall vendors include Ascend, Cisco, Sterling Commerce, CyberGuard, LanOptics, and Microsoft.
Besides meeting the small business's basic computer security needs, a firewall should work with the company's hardware and software, as well as that used by its ISP. It also should not slow down the company's Internet connection too noticeably. The most versatile products conform to the Open Platform for Secure Enterprise Connectivity (OPSEC), a standard that is supported by many top vendors and that makes it easier to combine security products from different sources.
When evaluating possible firewalls, it may be helpful to look for product reviews in computer magazines or on the World Wide Web. Once the purchase decision has been made and the firewall is up and running, it is important to test the product. Many firewalls are breached by hackers due to faulty installation or configuration. In fact, Emery recommends having a team of technically minded employees try to break into the system from outside. This exercise may help the internal experts understand the strengths and limitations of the firewall, as well as how it fits into the context of the small business's overall computer security policy.
CERT Coordination Center. Carnegie Mellon Software Engineering Institute. Available from http://www.cert.org. Retrieved on 29 April 2006.
Korper, Steffano, and Juanita Ellis. The E-Commerce Book: Building the E-Empire. Academic Press, 2000.
Passmore, David. "Inside-Out Security." Business Communications Review. March 2006.
Rae-Dupree, Janet. "Risky Business Online." U.S. News & World Report. 4 September 2000.
Sarrel, Matthew D. "Business Body Armor: All sorts of enemy combatants want to penetrate your network, but you can turn attacks aside with the right combo of hardware and tactics." PC Magazine. 7 March 2006.
Smith, Tim. "Firewalls Explained." Computer Act!ve. 2 February 2006.