Watch What Gets In
With a Web presence come security risks. You wouldn't want some 16-year-old hacker compromising your data. But you run that risk if your LAN is connected to the Internet without a firewall.
A firewall, which acts as an intermediary between your users and the Internet, comes in three varieties: packet-level (or packet filter), proxy-based (or application-level) and stateful inspection.
Packet-level firewalls examine all data traveling between your local LAN and the Internet. Using a preprogrammed set of rules, packet filtering determines whether a packet is authorized based on its source and destination addresses.
Proxy-based firewalls stand between the Internet and a private network, and communicate with the Internet on the private network's behalf. When you configure a browser to use a proxy, the firewall passes a request from the browser to the Internet, then relays the Internet server's reply back to the browser. Proxy servers were originally designed to allow faster access through caching of Web documents. Instead of forwarding all requests to the Internet, they would attempt to fulfill them based on cached data first. Proxy servers have become the foundation of a new breed of firewalls that allow or restrict network access. Some applications have built-in proxy capability, including several Web servers.
The newest type of firewall is based on a technology called stateful inspection, developed by Check Point Software Technologies. This firewall type remembers information, such as the source and destination addresses and port numbers, from a packet known to be legitimate, and uses that information to compare the "friendly" packet with the packet in question.
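The difference between a packet filter (which judges each packet on its own against fixed rules) and stateful inspection (which remembers an allowed outbound packet and admits only inbound traffic that matches it) is easiest to see on a short packet trace. The Python below is an added illustration written for this article, not code from any product named here; the LAN range, the addresses and the four packets are constructed sample values, and the proxy model is not simulated.

```python
"""Stateless packet filter vs. stateful inspection over a constructed packet trace.

Added illustration, not code from any product named in the article.  The LAN
range, the addresses and the traffic are all constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed private LAN range


@dataclass(frozen=True)
class Packet:
    """The header fields either firewall type looks at."""
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: a fixed rule set applied to each packet in isolation.

    The policy is "LAN users may browse the Web".  Because the filter keeps no
    memory, the reply direction has to be opened with a second, broad rule.
    """
    # Rule 1: LAN host -> Internet Web server.
    if is_lan(pkt.src) and not is_lan(pkt.dst) and pkt.dport == 80:
        return True
    # Rule 2: Internet port 80 -> LAN high port, meant for Web replies.  The
    # filter cannot tell a genuine reply from an unsolicited packet that merely
    # carries source port 80, so this rule admits both.
    if not is_lan(pkt.src) and is_lan(pkt.dst) and pkt.sport == 80 and pkt.dport >= 1024:
        return True
    return False


class StatefulInspector:
    """Stateful inspection: remember the addresses and ports of a packet known
    to be legitimate (an outbound request the policy allowed) and admit an
    inbound packet only if it matches a remembered connection."""

    def __init__(self) -> None:
        # (lan_ip, lan_port, remote_ip, remote_port) for each permitted outbound flow.
        # A real product also ages entries out; this toy keeps them forever.
        self.connections: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_lan(pkt.src) and not is_lan(pkt.dst) and pkt.dport == 80:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if not is_lan(pkt.src) and is_lan(pkt.dst):
            # Inbound: compare against the remembered "friendly" flow, reversed.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


# Constructed trace: the same four packets are shown to both firewall types.
TRACE = [
    ("outbound web request", Packet("192.168.1.10", 40000, "203.0.113.5", 80)),
    ("matching web reply", Packet("203.0.113.5", 80, "192.168.1.10", 40000)),
    ("unsolicited inbound from port 80", Packet("198.51.100.9", 80, "192.168.1.20", 40001)),
    ("outbound telnet (not in policy)", Packet("192.168.1.10", 40002, "203.0.113.5", 23)),
]


def run_trace(trace=TRACE) -> list[tuple[str, bool, bool]]:
    """Return (description, packet-filter decision, stateful decision) per packet."""
    inspector = StatefulInspector()
    return [(name, stateless_allow(p), inspector.allow(p)) for name, p in trace]


if __name__ == "__main__":
    for name, stateless, stateful in run_trace():
        pf = "allow" if stateless else "drop"
        si = "allow" if stateful else "drop"
        print(f"{name:34s} packet filter: {pf:5s}  stateful inspection: {si}")
```

The third packet is the one that separates the two designs: the packet filter's reply rule lets it through because it looks like a Web reply, while the stateful inspector drops it because no LAN host ever opened a connection to that address and port.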
Each firewall type has its advantages and disadvantages; it's debatable which is the most secure. Packet-filtering and stateful-inspection firewalls require that each system be assigned a separate IP address; application-level firewalls let a single Internet address speak for all their users. The downside is that only client applications that support proxies can communicate with the Internet. The firewall must have a proxy for every application or service for which clients require Internet access. Fortunately, many proxy servers allow you to create your own proxies.
Here's a sampling of some firewall products, along with their features:
AltaVista Firewall 97 ($3,985 to $13,985, depending on the number of users; Digital Equipment Corp., 800-336-7890, 508-493-5111). An NT version of a UNIX product, AltaVista Firewall combines application-proxy and packet-filtering services. It features remote administration, real-time monitoring, a graphical interface and support for native NT authentication. It can support both proxy and virtual private network (VPN) tunnel services on the same server.
CSM Proxy Plus ($599; Computer Software Manufaktur, 801-547-0914, fax 801-546-0716). This update to a shareware proxy server (formerly known as Open Sesame) combines Internet-proxy and Web-caching capabilities. It supports HTTP, POP3 e-mail, ftp, VDO Live, Real Audio, telnet, SSL proxy-to-proxy protocols and SOCKS4-compatible socket proxy services. It also supports remote administration, automatic Netscape Navigator proxy configuration and automatic site replication.
Eagle NT ($6,500 for 50 users; Raptor Systems, 800-9-EAGLE-6, 617-487-7700). The first commercially available firewall for Windows NT, Eagle NT features application-level proxies for common services, such as Web (HTTP), telnet, ftp, gopher, WAIS and SMTP. It also includes graphical administration, strong authentication and suspicious-activity monitoring.
Check Point Firewall-1 3.0 (50-node network, from $4,995; Check Point Software Technologies, 800-429-4391, 415-562-0400). Firewall-1 is both a proxy-server and a stateful-inspection firewall that examines the contents of packets to determine whether to admit them. It supports Web (HTTP), mail (SMTP) and ftp, as well as common audio, video, search, security, database, routing, remote procedure call, low-level TCP services and ICMP (the ping protocol). As an added bonus, Firewall-1 provides automatic virus-checking.
FireWall/Plus (server edition, from $750; enterprise edition, from $4,500; client edition, from $125; Network-1 Software and Technology, 800-NET-WRK1, 212-293-3068). This proxy-server and stateful-inspection firewall supports both Internet and intranet protocols, including IPX, DECnet and TCP/IP. The enterprise edition provides full standalone Internet firewall services, the server edition is designed for use in combination with a standalone firewall, and the client edition is for individual NT workstations.
Microsoft Proxy Server ($995; Microsoft Corp., 800-426-9400, 206-882-8080). Proxy Server runs on NT Server, which has its own limited filtering capability. Microsoft provides both a Web proxy and a low-level socket proxy, as well as plain-text and encrypted user authentication (including SSL), local caching and on-demand dialing. Administrative options include site filtering and detailed per-user/group access control.