
Installation of a Firewall Policy in a Small Office-Home Office Environment - Literature review Example


Introduction

A small office/home office (SOHO) environment involves one or many workers. Such an environment consists of a number of machines, whether connected to the Internet or not. It can be part of a large company’s network that has been decentralized, or an independent business. SOHO environments have undergone major transformations, since the Internet allows anyone working from a home office to compete globally. Technology has made this possible through email, the World Wide Web, e-commerce, videoconferencing, remote desktop software, webinar systems and telephone connections over VoIP (Briere et al., 2010). Consequently, it has become essential to protect these environments from attack. Although no one can claim that a network is totally secure, advanced security measures always need to be implemented.

In a SOHO network, protection against external intrusion can come from either a hardware or a software firewall. A hardware firewall is a digital edge device placed in a network to allow or disallow network transmissions. Once installed, a firewall protects a network from unauthorised access while permitting only legitimate communications to pass through. Most vendors of operating systems (OS) for personal computers include software-based firewall packages in the OS to protect against threats from the public Internet. Different types of firewalls can be implemented at different levels in a network, but since cost is a major consideration in a SOHO environment, only one level of firewall can be implemented (Briere et al., 2010). This single level of firewall must be effective enough to ensure that any outbound communication is secure.
The installation of a firewall is based upon several sets of rules that play a great role in deciding the type of firewall to employ and its overall effectiveness. It would be an unnecessary and impractically costly venture to implement a large company’s firewall policy for a small office/home office network, since this firewall would serve as a central offloading point for security-related activity. Through the installation of a firewall appliance in a SOHO environment, client systems can easily share Internet connections.

Internet connections pose the main risk to every network, whether in a shared or unshared environment. Hackers are constantly finding new ways either to create vulnerabilities in a highly secured network or to attack any network that has security vulnerabilities. As technology changes, application-level attacks are advancing too. This situation has caused a huge tradeoff between the provision of a secure network and the cost of that provision. Securing a network, especially one that has access to the Internet, has proved a challenging task for network administrators, since the more security measures they put in place in both hardware and software forms, the more attacks are targeted and executed on their networks. This has led to the introduction of integrated firewall appliances, e.g. gateways and routers, that handle both data transmission and data screening at the perimeter.

Clients in a SOHO network depend a lot on email. These emails can be outbound or inbound. Both should be screened at the firewall level to ensure that only legitimate emails are given access to the network. Emails carry attachments, and attackers have always been bent on initiating their attacks using email attachments that contain worms, Trojans, spyware or other malware.
Once these embedded threats gain access to the network, they cause undesired trouble for the stability of the network, as some of them have the potential to initiate a denial of service attack. This attack is among the most hazardous on a network since the entire business is brought to a halt. Another harmful attack would be one initiated with the intent of stealing or compromising an organisation’s data. An attacker who gains access to a network and initiates this attack would put the organisation in a very compromising situation if vital data such as the credentials of the employees were stolen.

Though there is no standard way of providing security to a network, system/network administrators must ensure that they employ the most robust ways of sealing all the security vulnerabilities. These robust measures come with the disadvantage of high costs, and since many SOHO environments have limited resources, it is the duty of the system/network administrators to advise the administrative department of the organization on how to strike a balance between the deployment of robust firewalls and the cost of deployment.

Discussion

When deploying a firewall in a network, whether wired or wireless, several important issues have to be factored in. Such issues include the bandwidth, length of connection, performance, logistical issues and the cost of deployment (Muller, 2002). Regardless of the type of firewall you intend to deploy, the amount of bandwidth in your network should not be reduced below your requirements. The length of the connection, as another factor, should be addressed with the utmost concern. The length of the connection between the Internet Service Provider (ISP) and the point at which the firewall sits should be minimised so as to reduce the distance that unfiltered data travels. This will ensure that the bandwidth is not clogged with unnecessary traffic.
According to Reynolds (2003), the type of business handled in a SOHO determines the performance level needed from the network. The speed of the Internet connection may be compromised if the network does not have a firewall installed, as unnecessary traffic will be created in the transmission media. The overhead cost of installing a firewall, especially a hardware firewall, would be great, and without prior consideration the implementation could have huge financial implications. Therefore it is vital to consider the type of firewall to deploy in your network beforehand. In a SOHO environment, it is advisable to deploy a software firewall.

Since most SOHO networks use private IP addresses, an address translation to public addresses has to occur to connect to the Internet. Only public addresses can access the Internet. Data security is the most important reason why firewalls are implemented in any network. Any compromise of business data may be more harmful and costly than the deployment of a firewall. Most SOHO LANs do not host their own web sites or support their own Virtual Private Networks (VPNs), but even if they do, there are techniques and policies that should be applied to ensure secure web access, VPN connection and other customer services that you provide (Hodson, 2006).

Securing a SOHO LAN may be a daunting task, but a high level of security can be guaranteed when the following two key points are taken into consideration: i) detecting and deleting unwanted content such as worms, Trojans, etc., attached to emails, and ii) prevention and detection of unwanted access.

Between the two main SOHO configurations that exist, one of them maximises your exposure to potentially malicious actions.
If a cable or DSL modem is connected directly to a hub and your other systems are then connected to the same hub, each of your systems has a direct Internet connection. This configuration is highly vulnerable and adds the task of deploying a system-based security deterrent (Muller, 2002). To counter the vulnerability presented by this configuration, you need to set up one system that connects directly to the Internet and then install a second network adapter for the modem. Connect one adapter to the interface of the hub and the other to the modem. This configuration centralises all your network traffic, which allows easy management and protection of your SOHO network (Held, 2000). With this configuration in place, installing a firewall-integrated router allows the clients in the SOHO LAN to initiate communications to the Internet. Each SOHO network client system has to have antivirus software installed.

Depending on where the communication is taking place, where it is intercepted or the state that is being traced, different types of firewalls can be used, including:

a) Network and packet filters: these operate at the lower levels of the TCP/IP protocol stack. They do not allow packets to pass through the firewall unless they match the predefined set of rules, either defined by system administrators or the default rules. Stateful network filters/firewalls maintain context about active sessions. When a packet does not match an existing connection, it is evaluated against the ruleset for new connections. The state table of the firewall is used to determine whether a packet is genuine by comparison with the existing connections. Stateless firewalls are necessary when filtering stateless network protocols that have no concept of a session, though they are unable to make complex decisions based on the stage of communication between hosts.
b) Application layer filters/firewalls: these have the capability to filter all traffic into or out of an application since they operate at the application level of the TCP/IP stack. This ensures that all machines are protected from any unwanted outside traffic. Application firewalls hook into sockets so as to filter connections between the application layer and the lower layers of the OSI model (Gallo & Hancock, 2002). They operate much like packet filters, but they apply filtering rules on a per-process basis rather than a per-port basis, examining the process ID of data packets against a set of rules for the local process involved in the data transmission (Lamb, 2003).

c) Proxy servers: proxies can run either on dedicated hardware or as software, acting as a firewall by responding to input packets as an application while blocking others. When a proxy application is well configured, any external intrusion into a network becomes very difficult.

d) Network address translation (NAT): most of the hosts behind a firewall have private IP addresses. The function of NAT is to hide the true addresses of the protected hosts behind the firewall.

Both small and large organizations have deployed network perimeter firewalls rather than host-based firewalls enabled on each computer. To protect computers from unwanted outbound and inbound network traffic in a SOHO, you need to deploy firewall rules to each computer that allow the traffic required by the programs in use, so that all unmatched traffic is discarded. A basic firewall design helps to block unwanted traffic based on several characteristics of each network packet. The main characteristics are the source/destination IP address, the source/destination port numbers and the program on the computer that receives the inbound packets (Gallo & Hancock, 2002). Firewalls are installed and managed in a SOHO environment regardless of the operating platform.
An attacker can easily render a network useless simply by having control over one system in the network. Remote control capabilities in operating systems can be used by such attackers to control the attacked system and then initiate attacks on other systems or networks. To comprehensively secure your small and home office from external attacks, you should deny access to unauthorised users and applications while allowing authentic data to pass through the network.

Installing and maintaining a firewall in a small and home office brings some policies into consideration on the usage and cost implications of the firewall. A firewall in a SOHO is the first line of defense and plays a vital role in the overall security strategy, since SOHOs have limited resources. Such firewalls should be easy to maintain as well as cost-effective. A range of firewall appliances is available for the SOHO, with different options and prices. When considering the deployment of a firewall for a SOHO, you can choose either a software or a hardware appliance, although it is always wise to include both for optimum security protection. The tradeoff between increased security and the cost of purchasing and maintaining both appliances presents a challenge to SOHO environments due to resource availability. Hardware appliances are the best for SOHO environments since they require less time for maintenance than software on individual systems. Host-based firewall solutions can protect individual systems in a small and home office environment, but they cannot be relied upon entirely for data protection in the network. The hardware appliance must be network compatible so that it can operate as fast as the network itself, and the number of connections allowed must also be considered (Steinke et al., 2005).
The number of users supported by the hardware firewall and the speed of connection should be high enough to allow for any planned or unplanned expansion of the SOHO environment. The hardware firewall should also support both NAT and high availability (HA). The capacity of NAT to hide the true IP addresses of systems in a SOHO environment provides a very important level of security. In the event that one firewall fails, the hardware firewall should have the capability to switch over to a backup firewall appliance for continuity purposes. This is referred to as high availability (HA).

The features contained in a firewall appliance are a key factor to consider when planning a purchase. Some features, such as the capability to filter all Internet information based on key words or websites, are of absolute importance. If such a firewall uses stateful packet inspection filter technology, network packets are delivered only after examination of their contents and source and destination IP addresses (Openheimer, 2011).

The ease of managing a firewall cannot be ruled out as a consideration. The ease of changing the ruleset of this type of firewall appliance allows the network administrator to change the settings to curb any intrusion. A web interface that can call up the master controls for the firewall from any system on the network makes management of the firewall appliance easy for the network administrator. As central control of a network works to the advantage of the network/system administrator, a central tool to change the settings and monitor the firewall would be vital (Kenyon, 2002). Logging and reporting are two other essential features in a firewall, vital in ensuring that it performs as designed and in creating alerts for any attacks on the network.
A firewall that is not monitored is as much a threat to the network as not having a firewall at all (Kenyon, 2002). Monitoring firewall logs to analyse the network and find potential intrusions is vital. Log files should occasionally be examined to ensure that the firewall is working properly and to identify any potential security holes in the network. Firewalls can be circumvented easily by the use of modems in a network, through wireless network connections or through some Internet sharing protocols. Consequently, restriction policies should be applied in the SOHO environment that do not allow such network-compromising activities on the network (Steinke et al., 2005). The strength of a firewall appliance will actually guarantee the SOHO network environment its data security.

A network administrator would configure firewall policies for specific users in a SOHO environment so as to grant levels of access to different groups as necessary. Firewall policies are usually organised according to the traffic direction, i.e. from where the request originates to the receiver of the request (Andress, 2003). In the case of an email or a web page request that comes from the internal interface, the policy that protects the network would be internal rather than external. Policies are matched to traffic by their order of appearance in the policy list, not by ID number. For a correct match, policies must be ordered from the most exclusive to the most inclusive: for example, a policy blocking internal-to-external HTTP access for some employees should precede the one that allows everyone to access HTTP. Each interface can thus benefit from layered security created through multiple policies (Gallo & Hancock, 2002).

Each workstation, or a group of workstations, in a SOHO environment may be running different applications from the others.
This means that a different firewall policy needs to be applied to each of these categories of workstations. For instance, some workstations might not be required to access some websites in a SOHO environment. Web filter settings blocking these websites must be enabled, with the web URL block and web exempt list enabled in the firewall for those workstations. Recurring schedules can also be factored into a firewall policy. Some employees might need to access certain websites at certain times during working hours. A policy that schedules this access has to be applied. This can also be used to configure two firewall protections that apply strict settings to block communication between certain workstations during some hours (Minoli, 2002).

A web server might exist in a SOHO environment to ease business transactions. When it does, the administrator should configure a virtual IP address for the web server so that all incoming requests to the web server are routed correctly. The policy used to configure this should include the virtual IP address in a wide area network (WAN) firewall policy, since the web server could be hosted by an Internet Service Provider (ISP) (Briere et al., 2010).

Most clients in a SOHO environment depend a lot on internal websites and emails. Being a small office, it may not have its own email server, i.e. a server located in its own network. Therefore there should be a policy that provides a guideline on how to access the email server, which is situated elsewhere and controlled in another network. The email server can be on a secure network separate from the SOHO with its internal IP addresses hidden. A policy in the firewall appliance located in the SOHO should therefore be configured to analyse the emails that originate both from the SOHO environment and the external network.
Such a policy would ensure that the IP addresses of the data packets originating from the SOHO are genuine, as well as the legitimacy of those originating outside the SOHO network (Kenyon, 2007).

A firewall appliance can also be integrated with an intrusion protection system (IPS) or an intrusion detection system (IDS). IPSs and IDSs secure organisations by protecting servers and critical data against both known and unknown network threats and vulnerabilities. Since most traditional firewall appliances are no longer sufficiently effective against the ever-evolving threats that travel across transmission media masquerading as legitimate traffic, integrating these firewall appliances with intrusion protection and detection systems provides above-normal security. Intrusion protection systems include redundancy and non-stop operation and services that ensure the reliability of the IPS. One layer of the IPS inspection engine is charged with identifying anomalous packets that are out of compliance with the set standards. The set of applications in this firewall-integrated IPS should not compromise the performance of the SOHO network. Since the evolution of threats tends to turn a hardened system into a vulnerable one, it should be easy for network administrators to update the protections and keep them current (Lamb, 2003).

There is increased use of Juniper network firewall appliances in SOHO networks, as they integrate IPS technology in the form of a deep inspection firewall to counter any level of attack on the secured system. The integrated deep inspection firewall determines whether to allow or deny traffic through analysis of the application message (Held, 2009). Since all the applications in a system use protocols for their communications, this firewall, deployed at the perimeter of the network, focuses on the prevention of application-level attacks. Stomper (2009, p.
84) observes that, depending on the requirements of the network, especially where performance and attack protection are paramount, an integrated solution is the best. An integrated Intrusion Detection and Prevention (IDP) system serves this purpose best as it stops worms, Trojans, malware and other emerging attacks from penetrating and proliferating across the network (Lamb, 2003). Juniper’s deep inspection firewalls allow network administrators to offer network security to smaller locations in an organisation’s network while deploying IDP to focus on detecting the more sophisticated attacks that may be targeted at the larger organization’s network (Ivens, 2007).

Opinion

A SOHO environment may be termed a LAN environment. Given the many OSs available in the market, Linux would be an excellent choice for providing low-cost firewall services for SOHO LAN security. A SOHO Internet gateway will provide NAT and IP masquerading, a policy that allows all machines on the network to connect to the Internet through a single IP address while the SOHO IP addresses are in the private range. With this configuration, the firewall gateway will accommodate virtually all machines in the SOHO LAN. The firewall allows connectivity to the Internet only when initiated from the LAN, while disallowing any connectivity from the Internet to the LAN. This ensures absolute security in the LAN. Linux firewall rules for Linux computers that are internal to a SOHO LAN would set access controls to or from the LAN. This internal firewall policy would provide access control over personal Linux computers residing on the LAN. Such rules set limits for shared access to or from the other systems.
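Two behaviours described above, ordering policies from the most exclusive to the most inclusive and a masquerading gateway that accepts only LAN-initiated connections, can be modelled together in Python. This is an added example, not code from the essay or from any firewall product; the class, function and policy names and all addresses are constructed for illustration, and the code simulates decisions rather than configuring a real firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src: str     # source network in CIDR form
    dport: int   # destination port, 0 means any
    action: str  # "allow" or "deny"

    def matches(self, src_ip, dport):
        return ip_address(src_ip) in ip_network(self.src) and self.dport in (0, dport)

    def covers(self, other):
        """True when every packet matching `other` also matches this policy."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and self.dport in (0, other.dport))


def shadowed(policies):
    """List (later, earlier) name pairs where the earlier policy hides the later one."""
    pairs = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.covers(later):
                pairs.append((later.name, earlier.name))
                break
    return pairs


class Gateway:
    """First-match outbound policy, masquerading, and a state table for replies."""

    def __init__(self, policies, public_ip):
        self.policies = policies
        self.public_ip = public_ip
        self.state = {}          # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.next_port = 40000   # constructed starting point for translated ports

    def outbound(self, src_ip, sport, dst_ip, dport):
        for p in self.policies:  # list order decides: the first match wins
            if not p.matches(src_ip, dport):
                continue
            if p.action == "deny":
                return ("drop", p.name)
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.state[(pub_port, dst_ip, dport)] = (src_ip, sport)
            return ("forward", p.name, self.public_ip, pub_port)
        return ("drop", "default-deny")

    def inbound(self, src_ip, sport, dport):
        # Internet-side packets pass only as replies to a tracked LAN-initiated flow.
        lan_host = self.state.get((dport, src_ip, sport))
        return ("forward", lan_host) if lan_host else ("drop", "no-state")


# Constructed sample policies: one workstation is barred from HTTP, the LAN is allowed.
GOOD = [Policy("deny-http-ws50", "192.168.1.50/32", 80, "deny"),
        Policy("allow-http-lan", "192.168.1.0/24", 80, "allow")]
BAD = list(reversed(GOOD))  # inclusive rule first: the block never takes effect

if __name__ == "__main__":
    print(shadowed(GOOD), shadowed(BAD))
    gw = Gateway(GOOD, "203.0.113.10")
    print(gw.outbound("192.168.1.50", 51000, "198.51.100.7", 80))
    print(gw.outbound("192.168.1.20", 51001, "198.51.100.7", 80))
    print(gw.inbound("198.51.100.7", 80, 40000))   # reply to the tracked flow
    print(gw.inbound("198.51.100.99", 80, 40000))  # unsolicited packet
```

Running `shadowed` over a policy list before deploying it flags any exclusive rule that a broader rule placed above it would make unreachable.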
A strategy for quarantining any malicious email attachment that could pass through the SOHO LAN’s email gateway from the Internet also needs prior consideration, since many of these emails arrive with worms and Trojans embedded in the attachments. A thorough scanning policy for emails should be instituted in the firewall.

Conclusion

Firewalls needed for a small business differ significantly from those required by a large company. A firewall for a SOHO that is carefully selected to meet the business needs of a small company can be cost-effective and relatively easy to implement and maintain if one has some basic network knowledge. For enhanced security protection, I recommend that software and hardware firewalls be installed together on the network. Firewalls are just one part of an overall network security plan. A firewall coupled with other essential security practices (virus protection, strong passwords, hardened operating system, security policy, etc.) is essential in the provision of appropriate security for a small business and can greatly reduce the security risks to a network (Andress, 2002). No business, large or small, can be considered secure when it is connected to the Internet; the only precaution that can be taken is to increase the complexity of exploiting the insecurity.

Reference list

Andress, M 2002, Surviving Security: How to Integrate People, Process and Technology, Sams Publishing, Canada.
Briere, D, Hurley, P & Perris, E 2010, Wireless Networking for Dummies, Wiley Publishing Inc., Canada.
Gallo, MA & Hancock, B 2002, Networking Explained, Butterworth Press, USA.
Held, G 2000, Network Design: Principles and Applications, Butterworth Press, USA.
Hodson, P 2006, Local Area Networks, Letts Educational Press, United Kingdom.
Ivens, K 2007, Home Networking for Dummies, John Wiley & Sons Publishing Incl., Canada.
Kenyon, T 2002, Data Networks: Routing, Security and Performance Optimisation, Digital Press, USA.
Kenyon, T 2007, High Performance Data Network Design, Digital Press, USA.
Lamb, MF 2003, SOHO Networking: A Guide to Installing a Small/Home Office Network, Prentice Hall, USA.
Minoli, D 2002, Hotspot networks: Wi-Fi for Public Access Locations, McGraw-Hill Companies Inc., USA.
Muller, NJ 2002, Networking A to Z, McGraw-Hill Companies Inc., New York.
Openheimer, P 2011, Top Down Network Design, Cisco Press, USA.
Reynolds, J 2003, Going Wi-Fi: A Practical Guide to Planning and Building an 802.11 Network, CMP Books, New York.
Steinke, S, Hurwicz, M & Koontz, C 2005, Guide to Managing PC Networks: Tools and Techniques for Running LANs, Prentice Hall, USA.
Stomper, DA 2009, Local Area Networks, Prentice Hall, USA.