Chapter 7. Firewall Design

In previous chapters, we've discussed the technologies and architectures that are usually used to build firewalls. Now we can discuss how you put them together to get a solution that's right for your site. The "right solution" to building a firewall is seldom a single technology; it's usually a carefully crafted combination of technologies to solve different problems. This chapter starts the discussion of how to come up with the combination that's right for you. Which problems you need to solve depend on what services you want to provide your users and what level of risk you're willing to accept. Which techniques you use to solve those problems depend on how much time, money, and expertise you have available.

When you design a firewall, you go through a process that you will then repeat over time as your needs change. The basic outline is as follows:

Define your needs.
Evaluate the available products.
Figure out how to assemble the products into a working firewall.

7.1. Define Your Needs

The first step in putting together a firewall is to figure out exactly what you need. You should do this before you start to look at firewall products, because otherwise you risk being influenced more by advertising than by your own situation. This is inevitable, and it has nothing to do with being gullible. If you don't know clearly what you need, the products that you look at will shape your decisions, no matter how suspicious you are.

You may need to re-evaluate your needs if you find that there are no products on the market that can meet them, of course, but at least you'll have some idea of what you're aiming for.

7.1.1. What Will the Firewall Actually Do?

First, you need to determine what the firewall needs to do, in detail. Yes, you're trying to make your site secure, but how secure does it need to be?

Your first starting point will be your security policy. If you don't have a security policy, see Chapter 25, "Security Policies", for some suggestions on how to go about setting one up. You can't just do without a policy because a firewall is an enforcement device; if you didn't have a policy before, you do once you have a firewall in place, and it may not be a policy that meets your needs.

7.1.1.1. What services do you need to offer?

You need to know what services are going to go between your site and the Internet. What will your users do on the Internet? Are you going to offer any services to users on the Internet (for instance, will you have a web site)? Are you going to let your users come into your site from the Internet (if not, how are you providing your users with remote access)? Do you have special relationships with other companies that you're going to need to provide services for?

7.1.1.2. How secure do you need to be?

any decisions have to do with relative levels of security. Are you trying to protect the world from destruction by protecting nuclear secrets, or do you want to keep from looking silly? Note that looking silly is not necessarily a trivial problem; if you look silly on the front page of a major newspaper, it can be a real disaster for the organization, at least. Many banks and financial institutions regard being "above the fold" (in the top half of the front page of the newspaper) as a significantly worse problem than losing money. One large organization in a small country found that any time they appeared on the front page of the newspaper looking silly, their nation's currency dropped in value. You need to know what level of security you're aiming for.

7.1.1.3. How much usage will there be?

What kinds of network lines do you have? How many users will you have, and what will they do?

7.1.1.4. How much reliability do you need?

If you are cut off from the network, what will happen? Will it be an inconvenience or a disaster?

7.1.2. What Are Your Constraints?

Once you've determined what you need the firewall to do, your next job is to determine what the limits are.

7.1.2.1. What budget do you have available?

How much money can you spend, and what can you spend it on? Does personnel time count in the budget? How about consulting time? If you use a machine that you already own, what does that do to your budget? (Can you use one somebody else has and make his or her budget pay to replace it?) The budget is often the most visible constraint, but it tends to be the most flexible as well (as long as the organization you are building the firewall for actually has money somewhere).

7.1.2.2. What personnel do you have available?

How many people do you have and what do they know? Personnel is much harder to change than budget -- even if you get agreement to hire people, you have to find them and integrate them. Therefore, your first effort should be to fit the firewall to the available resources. If you have 47 Windows NT administrators and one Unix person, start looking at Windows NT-based firewalls. If you have only one person to run the firewall, and that's in addition to a full-time job he or she is already doing, get a commercial firewall and a consultant to install it.

7.1.2.3. What is your environment like?

Do you have political constraints? Are there forbidden operating systems or vendors, or preferred ones? It is sometimes possible to work around these, but not always; for instance, if you work for a company that sells firewalls, it is probably never going to be acceptable to run somebody else's firewall anywhere visible.

What country or countries are you going to need to install the firewall in? Firewalls often involve encryption technology, and laws about encryption and its export and import vary from country to country. If you are going to need to install multiple firewalls in different countries, you may need to use the lowest common denominator or develop an exception policy and strategy to deal with the situation.


6.7. Internal Firewalls		7.2. Evaluate the Available Products