2000-04-22-11:43:43 Kelly Scroggins:
> My boss has asked me to investigate the various firewall/proxy
> solutions that would work for our company.
A great start.
But not, unfortunately, enough to make really great use of these
mailing lists and the expertise they contain.
I recommend you ask your question again, and this time provide some
more details. The first ones are easy:
1. What are your network requirements? What speed connection do you
have to the internet? Approximately how many users do you have?
Do they run any especially resource-intensive applications? Will
you want to publish any large volume of traffic through the
firewall back out to the internet? Do you have multiple
connections that the firewall will have to intelligently route?
Do you need High-Availability or load balancing with multiple
firewalls?
2. What's your in-house expertise? Do the folks who are going to
administer this have any particular systems on which they're
exceptionally strong --- or particularly weak?
The last one is the toughie: answering it thoroughly may require a
good bit of work, but it will be critical to the success of your
project:
3. What's your security policy? What protocols must you allow
incoming? What protocols must you permit outbound? Do you require
per-user authentication for these protocols? Are you going to be
attempting to examine or filter the content passed through
various protocols --- e.g. email, http, ftp, ... --- as it passes
through the firewall? Are you interested only in protecting
against unassisted outside attacks, or are you also concerned
with protecting against potentially hostile attackers or code
running inside the firewall? How about email worms, viruses, and
other such problems?
If you can nail down 1 and 2 reasonably tightly, and even just offer
some reasonable guesses about 3, you can get much better answers
from the folks out here.
But thoroughly answering 3 is the most valuable, and at the same
time far and away the hardest. To really do the job, you need to
define what resources you must protect, and what threats you care
about. For some sites, the combination of good backups and a loose
firewall can bring things to a reasonable balance. At other sites
you need to impose a really really strict, draconian policy that
prohibits users from using anything but proxied, scanned, examined
email, and proxied, logged, filtered http. Most sites are somewhere
in between the extremes. The tighter the security you want, the more
inconvenience you must impose upon your users.
-Bennett
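As an added illustration (not part of Bennett's post) of what the "draconian" end of question 3 looks like once it is written down as rules: a default-deny nftables ruleset in which users can reach only a web proxy and a mail relay in a DMZ, and only those two hosts can reach the internet. The interface names (lan0, dmz0, wan0), the proxy address 192.0.2.10, the relay address 192.0.2.20 and the proxy port 3128 are assumptions chosen for the example; there is deliberately no lan0-to-wan0 rule, which is how "nothing but proxied http and relayed email" is enforced rather than merely requested.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed topology:
#   lan0  - user workstations
#   dmz0  - web proxy (192.0.2.10, port 3128) and mail relay (192.0.2.20)
#   wan0  - internet
flush ruleset

table inet strict {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Firewall management: ssh from the LAN only.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Users may talk only to the proxy and the mail relay. There is no
        # lan0 -> wan0 rule at all, so unproxied traffic never leaves.
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 3128 accept
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.20 tcp dport { 25, 143 } accept

        # Only the proxy and the relay reach the internet, on their own ports.
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "dmz0" oifname "wan0" ip saddr 192.0.2.20 tcp dport 25 accept

        # Inbound from the internet: SMTP to the relay, nothing else.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.20 tcp dport 25 accept

        # Everything else falls to the drop policy; log a sample of it so
        # policy violations (and misconfigured clients) are visible.
        limit rate 10/minute log prefix "fw-drop: "
    }
}
```

The "loose firewall plus good backups" end of the spectrum is the same file with a lan0-to-wan0 accept rule in the forward chain and the proxy left optional; the point of writing the rules out is that the choice between those two becomes a one-line difference you can defend to your boss, rather than a vague preference. Content scanning of the mail and http streams happens on the relay and proxy hosts, not in these rules; the firewall only guarantees that nothing bypasses them.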