A firewall is a computer security device that is situated between a small business's internal network and the Internet. It can work at either the software or the hardware level to prevent unwanted outside access to the company's computer system. "A firewall gives you a single chokepoint through which all incoming and outgoing Internet traffic must pass, allowing you to control traffic," Vince Emery explained in How to Grow Your Business on the Internet. "A good firewall prevents Bad Guys from breaking in and helps keep confidential data from being sent out." The firewall basically acts as a guard, identifying each packet of information before it is allowed to pass through. It is one of the most effective forms of protection yet developed against hackers operating on the Internet.
Ideally, according to Emery, a firewall will detect intruders, block them from entering the company's computer network, notify the system administrator, record information about the source of the attempted break-in, and produce reports to help authorities track down the culprits. Since firewalls can be set to monitor both incoming and outgoing Internet traffic, they can also be used to prevent employees from accessing games, newsgroups, or adult sites on the World Wide Web.
Despite the potential advantages of firewalls, however, many small businesses remain unprotected. "Small businesses are particularly vulnerable to hacking because they rarely bother to invest in firewall protection," Phaedra Hise wrote in Growing Your Business Online. "Hackers know this." Some small business owners feel that installing a firewall would be too expensive or demand too much technical expertise. Others believe that no hacker would be interested in the information contained on their computers. But many hackers seek to disrupt companies' operations for the challenge of it, rather than for monetary gain. Even if a small business does not lose information of value during an attack, it loses time and money repairing the computer system as well as potential customers who are temporarily unable to access the system.
EVALUATING THE NEED FOR A FIREWALL
Any individual or small business that uses a computer to connect to the Internet is vulnerable to attacks by hackers. But some computer systems are definitely more vulnerable than others. Emery noted that firewall protection is most important for businesses that use more than one computer for Internet access, because it is more difficult to secure multiple connections. In contrast, a firewall may not be necessary for a person who uses a single computer in a home office and has dial-up Internet access through a modem. The temporary and unpredictable nature of this type of connection makes it an unlikely target for hackers.
Although firewalls have a number of potential advantages, they do not provide foolproof protection and also have some potential disadvantages. As Steffano Korper and Juanita Ellis wrote in The E-Commerce Book, firewalls cannot protect against computer viruses or against data theft by authorized users of a company's computer network. In addition, firewalls can be expensive for small businesses to purchase and maintain, and they do require technical expertise for proper installation. Furthermore, firewalls may limit a company's access to some Internet services or make the Internet less convenient or slower for employees to use.
Some small businesses avoid the need for a firewall by using a simple security measure known as "air gapping." This means that the company's computer network is kept completely separate from the Internet. One method of air gapping involves accessing the Internet only from a standalone computer that is not connected to the internal network and does not contain any confidential information. Another method involves running any Web servers that outsiders can reach only on a secure system belonging to an Internet Service Provider (ISP).
Small businesses that choose not to use a firewall should take some basic precautions when connecting to the Internet. For example, Emery emphasizes the importance of using the latest release of networking software, which is less likely to contain known bugs that make it vulnerable to hackers. It is also a good idea to turn off or restrict access to any unnecessary Internet services. In addition, Emery recommends blocking access to Web ports that have been used by hackers for "sneak attacks." A list of these ports is available from the Computer Emergency Response Team (CERT) at www.cert.org.
TYPES OF FIREWALL PROTECTION
The hardware security systems that act as firewalls vary in configuration and sophistication. One relatively simple device involves using a router—which controls the sending and receiving of messages—equipped with packet filters to examine the messages. This system can be configured to block traffic to or from certain Internet destinations or all unknown destinations. This type of security system is relatively inexpensive and easy to set up, but it also offers only minimal protection from hackers. A slightly more sophisticated and secure system is a proxy server. A proxy server works by stopping all incoming and outgoing traffic for inspection before forwarding it. One advantage of this type of system is that it can create a log of all messages sent and received. Proxy servers can be difficult to install, however, and can also make Internet use less convenient for employees.
Both routers and proxy servers have one major disadvantage in terms of the security they provide. These systems base their evaluation and approval of messages on the header, which lists the sender, recipient, source, and destination. But hackers can easily create false headers to fool the filtering systems. One way to overcome this problem is through type enforcement, which also scans the content of messages. Another system, known as a stateful inspection firewall, uses an even more sophisticated method of verifying the sources of messages. Finally, it is possible to use any combination of routers, filters, proxy servers, and firewalls to create a layered security system. A large company like Motorola, for example, might place a firewall at the outside of the system, connect it to a gateway computer, then connect that machine to a router with packet filters, and finally connect the router to the internal computer network.
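The difference between header-only filtering and stateful inspection described above can be seen in a small model. This is an added example, not taken from the books cited here or from any firewall product; the rule set, the internal address prefix, and the sample packets are constructed assumptions, and a real stateful firewall also tracks protocol state and timeouts.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed internal address range (constructed)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the internal network, "in" = arriving

def header_filter(pkt):
    """Stateless packet filter: decides from header fields alone."""
    if pkt.direction == "out":
        return pkt.src_ip.startswith(INTERNAL_PREFIX)
    # Inbound rule: accept anything whose header looks like a web reply.
    return pkt.src_port in (80, 443) and pkt.dst_ip.startswith(INTERNAL_PREFIX)

class StatefulFilter:
    """Remembers outbound connections; inbound traffic must match one."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if not pkt.src_ip.startswith(INTERNAL_PREFIX):
                return False
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # An inbound packet is accepted only as the mirror image of a
        # connection that an internal machine actually opened.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows

def compare(packets):
    """Return (header_filter verdict, stateful verdict) for each packet."""
    stateful = StatefulFilter()
    return [(header_filter(p), stateful.allow(p)) for p in packets]

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "out"),  # employee opens a web page
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "in"),   # genuine reply
    Packet("198.51.100.7", 80, "10.0.0.9", 5000, "in"),    # unsolicited; header only looks like a reply
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "header-only:", verdicts[0], "stateful:", verdicts[1])
```

The third packet passes the header-only rule but is rejected by the stateful filter, because no internal machine opened a connection that it could be answering.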
For companies that do business on the Internet, Emery suggests setting up a dedicated computer outside the firewall to run the common network services that are most easily accessible from the outside. These include Web and FTP servers, Gopher servers, mailing list servers, Finger servers, Telnet servers, and SMTP e-mail software.
TIPS ON BUYING A FIREWALL
Before purchasing a firewall, a small business owner should consider what type of information must be protected, and how severe the consequences of an attack might be. These factors will help determine how much money and time the company should spend on the firewall purchase. As Emery noted, it is important to remember that the true costs of a firewall include installation and setup, training, maintenance, and regular updates. In addition, understanding the distinctions between different products—and installing the product properly—requires technical expertise and may involve hiring an outside computer expert.
Firewall protection comes in a wide variety of forms. Some basic firewall software is available for free on the World Wide Web. These simple packages can be downloaded and installed fairly easily, but they provide fewer options for users and do not offer technical support in case of problems. Many other software solutions are available at retail computer stores or via mail order. These firewalls are also easy to install and often feature technical support. The most sophisticated firewalls are complete hardware systems that can cost thousands of dollars. These systems usually include a number of additional features. For example, they often can be used as routers for directing traffic among computers in a network. Some of the top firewall vendors include Ascend, Cisco, Sterling Commerce, CyberGuard, LanOptics, and Microsoft.
Besides meeting the small business's basic computer security needs, a firewall should work with the company's hardware and software, as well as that used by its ISP. It also should not slow down the company's Internet connection too noticeably. The most versatile products conform to the Open Platform for Secure Enterprise Connectivity (OPSEC), a standard that is supported by many top vendors and that makes it easier to combine security products from different sources.
When evaluating possible firewalls, it may be helpful to look for product reviews in computer magazines or on the World Wide Web. One good source of information is the National Computer Security Association (www.ncsa.com), which offers tips on buying firewalls and also runs a certification program for firewall products. The NCSA site also provides links to members of the Firewall Product Developers' Consortium.
Once the purchase decision has been made and the firewall is up and running, it is important to test the product. Many firewalls are breached by hackers due to faulty installation or configuration. In fact, Emery recommends having a team of technically minded employees try to break into the system from outside. This exercise may help the internal experts understand the strengths and limitations of the firewall, as well as how it fits into the context of the small business's overall computer security policy.