1999-11-05-04:07:43 Ashley Culver:
> I'm just starting a feasibility study on implementing a firewall for our
> site. I have become aware that there are a large number of firewall products
> out there and I would like to draw up a shortlist of products to examine
> more closely which best suit our needs.
>
> I am specifically looking for firewalls which would handle a load of approx.
> 500 - 1000 computers (Enterprise Level?) - some of which would access the
> 'outside world' fairly often (email, web, etc.)
Before you can start to pick products, you have to more precisely specify your
needs. Email is ubiquitous, it can be taken as a given. It's also a piece of
cake; you could handle email relay for thousands of systems with a wheezing,
elderly PC running a nice open source Unix (e.g. Linux, OpenBSD, FreeBSD,
NetBSD, whatever turns you on) with a nice open source MTA (Postfix or qmail),
as long as you gave it plenty of RAM and a decent (i.e. SCSI) disk subsystem.
This is no chore at all.
Web can be trickier; if you wish to specify fine-grained security restrictions
(e.g. blocking incoming applets) that's liable to narrow your choices,
eliminating packet filters in favour of application-level proxies. But the
best firewalls these days include both, so that still leaves your choices
open.
The biggest question that arises is, what's contained in "etc."? You really
have to have a security policy, that answers a bazillion questions, so you can
have sufficiently precise requirements laid out to narrow your field of
choices. Here are some examples of the kinds of questions that your policy
needs to answer before you go shopping for a firewall:
- Do you need to authenticate outbound users?
- Do you need to have varying restrictions on what they can do --- different
users permitted to access different internet facilities?
- Do you need to restrict what they can do within a given protocol (e.g.
applet filtering)?
- Do you need to support badly-designed protocols (e.g. ICQ)?
- Do you need to allow widespread incoming traffic --- are people
throughout the organization permitted to set up unannounced servers
offering internet services from their desktops?
The more you can restrict what your users are permitted to do, the better you
can secure your systems. That's the tradeoff that the security policy has to
weigh.
Now, on to picking a particular firewall: if I had to specify a solution for c.
1000 users (and presumably expected to scale up), I'd go for a server farm, to
spread load out as much as practical; I'd have separate boxes for email relay
(because it's so easy) and caching web proxy (likewise); and I tend, where
practical, to specify suitable quality and performance PCs running open source
Unix with open source packet filters and open source proxies, for the actual
firewall boxes. Good bang/buck, and you can easily size it to your needs.
-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
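The architecture Bennett sketches (a default-deny packet filter in front of separate mail-relay and caching-proxy boxes, with desktops unable to run reachable servers) can be written down as a ruleset. The following OpenBSD pf configuration is an added illustration, not part of the original post and not anything the poster wrote; the interface names, the 10.1.0.0/16 internal network, the 192.0.2.x DMZ addresses and the proxy port 3128 are constructed for the example. Note that the policy questions about per-user authentication and applet filtering are deliberately not answered here: a packet filter cannot see them, which is exactly why the post says those requirements push you towards an application-level proxy sitting behind a filter like this one.

```pf
# Outer firewall for a DMZ design: constructed example, not the post's own config.
# Three interfaces: internet, DMZ (mail relay + caching proxy), internal network.
ext_if = "em0"          # assumption: external interface
dmz_if = "em1"          # assumption: DMZ interface
int_if = "em2"          # assumption: internal interface

int_net    = "10.1.0.0/16"   # assumption: internal client network
mail_relay = "192.0.2.10"    # assumption: relay-only MTA box in the DMZ
web_proxy  = "192.0.2.11"    # assumption: caching HTTP proxy in the DMZ
proxy_port = "3128"          # assumption: proxy listener port

# RFC 1918 and loopback space should never arrive from the internet.
table <bogons> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

set skip on lo
set block-policy drop

# Default deny in both directions; everything allowed below is an explicit exception.
block log all

# Drop spoofed source addresses on every interface, and bogon sources from outside.
antispoof quick for { $ext_if $dmz_if $int_if }
block in quick on $ext_if from <bogons> to any

# Filter on the ingress interface only: a packet that was allowed in may leave
# on whichever interface the routing table picks.
pass out all

# --- Internet -> DMZ -------------------------------------------------------
# The only service the world may reach is SMTP on the relay. There is no rule
# at all passing traffic from $ext_if to $int_net, so "unannounced servers" on
# desktops are unreachable regardless of what users start up.
pass in on $ext_if proto tcp from any to $mail_relay port 25

# --- DMZ -> anywhere -------------------------------------------------------
# DMZ boxes are the most exposed hosts; never let them initiate into the
# internal network, even if a later rule would otherwise match.
block in quick on $dmz_if from any to $int_net
# Relay delivers outbound mail; proxy fetches web content; both resolve names.
pass in on $dmz_if proto tcp from $mail_relay to any port 25
pass in on $dmz_if proto tcp from $web_proxy  to any port { 80, 443 }
pass in on $dmz_if proto { tcp, udp } from { $mail_relay, $web_proxy } to any port 53

# --- Internal -> DMZ -------------------------------------------------------
# Browsers must use the proxy and mail clients must submit through the relay.
# Direct internal-to-internet traffic matches nothing and hits "block log all",
# which is also what turns protocols like ICQ into an explicit policy decision.
pass in on $int_if proto tcp from $int_net to $web_proxy  port $proxy_port
pass in on $int_if proto tcp from $int_net to $mail_relay port 25
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while internal hosts try to go around the proxy: every such attempt shows up as a logged block, which is the cheapest way to discover what the real "etc." in the requirements actually contains before a policy is written.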