

Malicious intruders known as "crackers" routinely scan the Internet seeking to crack the security of our information technology (IT) systems. Network firewalls do a good job of providing perimeter defenses when configured properly. In response, crackers have become smarter and more sophisticated, and a network firewall may no longer be enough.

The IT industry is evolving toward a layered security model to address these concerns. New devices have entered the market including intrusion detectors, intrusion preventers and application firewalls. These devices don't replace the network firewall, but when properly applied can greatly improve security.

What is a network firewall?

A network firewall is a combination of hardware and software that enforces an access control policy. It makes decisions about the types of network access to allow between two networks. Most commonly, one network is a company local area network (LAN) while the other network is the Internet. Network firewalls can also be used to separate LANs within a larger company that has many PCs and wants to control internal access.

Every business and home with a high-speed network connection should have at least one network firewall. For small networks, these devices are very low cost and quite simple to install. Larger networks require more sophisticated firewalls and often more than one.

Using multiple firewalls from multiple vendors ensures the highest level of protection. If an intruder cracks one firewall, he has to start over and crack another before reaching secured information. Most attackers will move on when faced with this scenario.

What other security systems are available?

An application firewall sits behind the network firewall and in front of a web-based application. Initially, it monitors and learns the application's behavior patterns in the form of Uniform Resource Locator (URL) requests. Having learned what "normal behavior" looks like, it then watches for anomalous behavior. When unusual request patterns occur, those requests are blocked. Application firewalls are specialized pattern matching systems.

An application firewall is needed when the software application and the information it manages are a tempting target or when the application's built-in security functions are suspect. This type of firewall is complex and requires substantial care and feeding. Most companies don't need this security layer but it's a lifesaver in the right situations.
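The learn-then-enforce behavior described above can be sketched as follows. This is an added example, not code from the article or from any product; the class name, the value-shape heuristic, the length rule and the sample URLs are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def shape(value):
    """Reduce a parameter value to a coarse character class (assumed heuristic)."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "token"
    return "other"

class LearningAppFirewall:
    def __init__(self):
        self.profile = {}  # path -> {param: {"shapes": set, "max_len": int}}

    def learn(self, url):
        """Learning phase: record paths, parameter names and value shapes."""
        parts = urlsplit(url)
        params = self.profile.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            seen = params.setdefault(name, {"shapes": set(), "max_len": 0})
            seen["shapes"].add(shape(value))
            seen["max_len"] = max(seen["max_len"], len(value))

    def check(self, url):
        """Enforcement phase: return (allowed, reason) for one request URL."""
        parts = urlsplit(url)
        if parts.path not in self.profile:
            return False, "unknown path"
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            known = self.profile[parts.path].get(name)
            if known is None:
                return False, f"unknown parameter {name}"
            if shape(value) not in known["shapes"]:
                return False, f"unusual value for {name}"
            if len(value) > 2 * known["max_len"]:
                return False, f"{name} too long"
        return True, "matches learned profile"

# Constructed "normal" traffic observed during the learning phase
TRAINING = ["/catalog/item?id=1042", "/catalog/item?id=77",
            "/catalog/search?q=firewall&page=2", "/catalog/search?q=router&page=1"]

def build_firewall():
    fw = LearningAppFirewall()
    for url in TRAINING:
        fw.learn(url)
    return fw
```

A legitimate search such as `/catalog/search?q=wi-fi+router` is rejected here because no training request contained a space in `q`, which is the kind of tuning work the "care and feeding" remark refers to.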

An intrusion detection system (IDS) is software that monitors and logs network traffic looking for intrusive activity or misuse. It learns what normal traffic looks like and can highlight suspicious patterns. Because attacks are logged, not blocked, a trained administrator must regularly review the log files.

IDS devices are readily available even for the home user. There are commercial and open-source solutions out there. If you ever examined the logs of an IDS, you'd be amazed at the amount of probing that occurs on the Internet. Crackers set up automated systems to constantly probe for network ports left wide open or networks running without firewalls. Once a weakness is found, the cracker uses more advanced tools to launch an attack. A good IDS will spot subtle probing patterns that alert system administrators to potential attacks.

An intrusion prevention system (IPS) is similar to an IDS in that it can identify intrusive activity. However, an IPS is specifically targeted at identifying and stopping (preventing) attacks. An IPS will store known attack patterns or signatures. It compares network activity to these patterns and can dynamically respond by blocking requests or sending the attacker incorrect data.

An IPS acts like a firewall in that it blocks attacks; however, it is much more sophisticated in the types of attacks it can prevent. Of course, increased sophistication means increased complexity and the risk that normal activity may be perceived as an attack. If so, workers may be prevented from doing their jobs until network administrators can unblock the traffic.
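The difference between logging (IDS) and blocking (IPS), including the false-positive risk, can be seen by running one probing detector in both modes. This is an added example, not code from the article; the threshold, window, addresses and log entries are constructed assumptions, and the detector is a simple distinct-port counter rather than any product's method.

```python
from collections import defaultdict

PORT_THRESHOLD = 5    # distinct ports per source inside the window (assumed)
WINDOW_SECONDS = 60   # assumed sliding window

# Constructed connection log: (seconds, source address, destination port)
EVENTS = [
    (0, "198.51.100.7", 21), (1, "198.51.100.7", 22), (2, "198.51.100.7", 23),
    (3, "198.51.100.7", 25), (4, "198.51.100.7", 80), (5, "198.51.100.7", 443),
    (6, "198.51.100.7", 3389),
    (10, "192.0.2.20", 443), (400, "192.0.2.20", 443),
    # Internal monitoring host that legitimately checks many services
    (20, "10.0.0.5", 22), (21, "10.0.0.5", 25), (22, "10.0.0.5", 80),
    (23, "10.0.0.5", 443), (24, "10.0.0.5", 3306), (25, "10.0.0.5", 8080),
]

def run_sensor(events, prevent=False, allowlist=()):
    """Return (alerts, delivered). prevent=False behaves as an IDS, True as an IPS."""
    recent = defaultdict(list)             # source -> [(time, port)] inside the window
    alerted, blocked, delivered = [], set(), []
    for ts, src, port in sorted(events):
        if src in blocked:
            continue                       # IPS: traffic from a blocked source is dropped
        if src not in allowlist:           # allowlisted sources are not inspected
            recent[src] = [(t, p) for t, p in recent[src] if ts - t < WINDOW_SECONDS]
            recent[src].append((ts, port))
            if len({p for _, p in recent[src]}) >= PORT_THRESHOLD and src not in alerted:
                alerted.append(src)        # both modes record the alert
                if prevent:
                    blocked.add(src)
                    continue               # the triggering connection is dropped too
        delivered.append((ts, src, port))
    return alerted, delivered
```

In IDS mode every connection is delivered and two sources are logged for review; in IPS mode the monitoring host at 10.0.0.5 is cut off along with the scanner until an administrator adds it to `allowlist`.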

Define security policies and meet with vendors.

How much network security do you need? Many people discover the answer to that question after a major attack. Don't wait that long. Take inventory of what needs protection within your organization, from whom and its value to the company. Use the results to create a comprehensive set of security policies. Contact the major vendors of security products and match their capabilities against your needs.

A major security violation can be much like a physical disaster such as a fire or storm. Key systems will be unavailable and will need re-building. Thus, be sure to have a disaster recovery plan in place no matter how much security is implemented. Conduct periodic reviews and tests of the plan.

Your layered security model will have to evolve over time. The business will grow, the amount of sensitive information handled will increase, and the complexity of the corporate network will rise. Be sure to re-examine security needs during any major change or addition to the company's IT infrastructure. Also, remember that the crackers are using more advanced techniques all the time and have a proven ability to adapt to new security systems.

It's important to note that none of these systems provide virus protection, spam filtering or spyware blocking. Those components are still essential to any secure network. There are also products on the market called "personal firewalls" that are installed on desktop and laptop PCs. None of the systems described eliminate the need for personal firewalls.

Vin D'Amico is Founder and President of DAMICON, your ADJUNCT CIO™. He is an expert in leveraging open software to drive growth. DAMICON provides Freelance Technical Writing, IT Disaster Response Planning, and Network Security Management services to firms throughout New England.

This article appeared in Vin's monthly Virtual Business column for the IndUS Business Journal in September 2004.

To learn more about how DAMICON can help your business, please take a look at our service programs.

Virtual Business

This column appears monthly in the IndUS Business Journal.