Line of Firewalls

By Lynn Haber | Oct 7, 2000
http://www.enterprisenetworkingplanet.com/netsecur/article.php/624311/Line-of-Firewalls.htm

The healthcare industry has tough requirements for data security. That's why Atlanta, Ga.-based Promina Health System Inc., an organization with more than 16,000 employees, including 2,500 metro Atlanta physicians, and more than one dozen hospitals, made its first investment in firewall technology five years ago. The Internet was, and is, increasingly being relied on as a way for Promina's network of doctors, who serve residents in Atlanta and the surrounding area, to communicate. Further expansion of Internet use among their members is what also drove the healthcare organization to make another, more recent, firewall purchase.

The bottom line is that we need to keep our data secure and firewalls help us do that, says George Bright, senior network engineer at Promina.

The corporate network security infrastructure has always been a work in progress, but never more so than since the advent of the Internet and its impact on the commercial sector. Any organization conducting e-business must protect itself from external threats, or literally risk losing everything. Where IT security used to be viewed as a cost drain, today most organizations view a robust security infrastructure as a business enabler.

What we can't afford are security accidents, says Bright.

Firewalls appeared on the IT security scene almost 10 years ago. Although products have matured, presenting buyers with new purchasing options, the basic functionality of the technology has remained the same: Firewalls block various kinds of Internet traffic that match a set of predefined rules. This functionality is analogous to how a water filter works: the job of the firewall is to filter out the bad things among both the good and bad things coming in from the public Internet, so that only the good things come in.

The fact of the matter is that with connectivity to the Internet comes obvious security risks, says Phil Schacter, director of network strategy services at The Burton Group, in Midvale, Utah, adding that firewalls are critical to any company's security architecture.

Similar but Different

Firewalls are considered a basic component to the company's security architecture at Suncoast School Federal Credit Union based in Tampa, Fla. Firewalls keep our internal network safe, says Duane Verzone, network security technician at Suncoast, the fifth largest credit union in the U.S.

Offering a broad range of services that include trust services, tax-sheltered investments, banking services and loans, Suncoast customers are employees, elected officials, and retirees of public and non-public schools in 14 counties, covering just about the entire west coast of Florida.

Suncoast installed its first firewall in 1997 when the bank granted Internet access to internal employees. In January 1999, the bank began offering Internet-based home banking and bill paying to its customers and recently purchased an additional firewall from Rockville, Md.-based Axent Technologies Inc.

It's almost taken for granted today that any Web site with links to the back end enterprise systems will have a firewall. The need is obvious: when opening up internal information assets to the public Internet, or even extranets, measures are needed to prevent intruder disruptions.

Early firewall technology, which was primarily software-based, was difficult to configure and costly to administer and manage. The technology often used command-line interfaces, and, in cases where there was more than one firewall, each had to be managed separately.

Much has changed. While functionally the job of the firewall is the same as it's always been, product packaging has evolved. For example:

  • Software-based firewalls have morphed into firewall appliances

  • New hybrid firewalls are available that include dual mechanisms, such as state-based inspections and application gateway proxies

  • Firewalls can be managed remotely via Web browsers

  • Integrated products now offer both firewall and virtual private networking (VPN)

  • Vendors are offering personal firewalls

  • Firewall solutions are now available as hosting (ASP) services

So, it makes sense that companies like Promina, which made early firewall purchases, are reexamining those purchases as traffic loads increase, requirements change, and better performance is demanded. Not only are most companies encountering more traffic flow across their networks, they're also seeing a greater variety of traffic types, such as web traffic, HTML, business applications, etc.

With more companies leveraging the Internet for cost savings with things like e-commerce, business-to-business commerce and corporate extranets, access control is key to doing it safely, says Bob Gelinas, vice president of sales at CyberGuard Corp., Fort Lauderdale, Fla.

Filtering Vs. AGP

What do today's IT decision makers need to know about currently available firewall solutions?

One of the most important things they need to know is that network performance is key. No matter how many applications get added to the network, and no matter how much traffic grows, firewall technology must be able to keep up with performance requirements. However, it's been a given, up until recently, that firewalls slow down the network.

Vendors compete to provide the best performance with one of two key mechanisms used for access control: filtering technologies, primarily stateful inspection; and application gateway proxy (AGP). Of course, as we stated earlier, there's a trend in the market towards a hybrid firewall that deploys both mechanisms. Still, there are vendors, like Axent, for example, that solely offer AGP-based technology.

The conventional wisdom is that AGP is more apt to slow down network performance for the simple reason that this mechanism, which examines interactions on a higher level, requires more cycles to do its job. That job includes inspecting commands at the application level. In a nutshell, AGP requires two connections. One connection occurs when there's a request for connection. The firewall catches the request and looks through its rules; if the request is OK, an AGP firewall establishes a second connection, which means the firewall sits in the middle while it governs the connections between the two points. AGP performance has improved markedly, and the technology is respected for offering stronger firewall protection than stateful inspection-based solutions.

We selected the Raptor firewall because we believe it provides the most robust and flexible solution for the bank, says Suncoast's Verzone. The Axent product also has the ability to separate the home banking piece as a separate subnetwork from the main campus network while still allowing it to be on the same physical network.

Although Verzone is a fan of AGP technology, he admits that the bank's network did take a performance hit when it instituted home banking: internal users waited an average of 30 to 40 seconds when they tried to access the Internet. At the time, the bank ran a full T1 connection. We lived with the degradation for a while then moved the home banking service onto a separate cable-based connection, which cleared up the problem, he says.

Filtering technology, on the other hand, looks at packets and makes authorize-or-deny decisions about making a connection. According to Schacter, vendors with filtering firewalls are doing a better job of examining more content, closing the gap with AGP. Users reportedly get performance advantages, as well.
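As an added illustration of the two mechanisms described above (this is example code, not from the article or any vendor it names), the toy models below contrast a stateful-inspection filter, which makes a per-packet allow-or-deny decision and remembers the connections it admitted, with an application gateway proxy, which refuses or opens the second connection and then inspects the commands it relays. The hosts, ports, packets and the HTTP method rule are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet record; flags and payload are optional.
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=("", b""))

class StatefulFilter:
    """Stateful inspection: per-packet allow/deny, plus a connection table so
    replies to connections it already admitted pass without an inbound rule."""
    def __init__(self, inside_hosts, allowed_outbound_ports):
        self.inside, self.allowed, self.table = set(inside_hosts), set(allowed_outbound_ports), set()

    def decide(self, pkt):
        if pkt.src in self.inside:                                  # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and pkt.dport in self.allowed:
                self.table.add(key)                                 # remember the connection
        else:                                                       # inbound: replies only
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.table else "deny"

class ApplicationGatewayProxy:
    """AGP: the client's connection terminates at the proxy; after the rule check
    the proxy opens a second connection to the server and inspects the commands."""
    def __init__(self, allowed_ports, allowed_methods):
        self.allowed_ports, self.allowed_methods = set(allowed_ports), set(allowed_methods)
        self.legs = {}   # client-side connection -> server-side connection

    def connect(self, client, server, port):
        if port not in self.allowed_ports:
            return "deny"                                           # first connection refused
        self.legs[(client, server, port)] = ("proxy", server, port)  # second connection opened
        return "allow"

    def relay(self, client, server, port, request):
        if (client, server, port) not in self.legs:
            return "deny"                                           # no session, nothing relayed
        method = request.split(b" ", 1)[0].decode("ascii", "replace")
        return "allow" if method in self.allowed_methods else "deny"

def demo():
    """Same outbound HTTP session through both mechanisms (constructed traffic)."""
    inside, server = "10.0.0.5", "203.0.113.9"
    sf = StatefulFilter({inside}, {80})
    pkts = [Packet(inside, 40000, server, 80, "SYN"),                    # client opens
            Packet(server, 80, inside, 40000, "SYN,ACK"),                # tracked reply
            Packet(inside, 40000, server, 80, "ACK", b"TRACE / HTTP/1.0"),  # any command passes
            Packet(server, 80, inside, 40001, "SYN")]                    # unsolicited inbound
    agp = ApplicationGatewayProxy({80}, {"GET", "POST"})
    return {"filter": [sf.decide(p) for p in pkts],
            "agp": [agp.connect(inside, server, 80),
                    agp.relay(inside, server, 80, b"GET / HTTP/1.0"),
                    agp.relay(inside, server, 80, b"TRACE / HTTP/1.0")]}
```

The filter passes the TRACE request because it never looks at the command, while the proxy denies it; the filter still blocks the unsolicited inbound SYN because no tracked connection matches.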

Vendors like Checkpoint Software have enabled their firewall to run some AGP on some network traffic. CyberGuard also offers a hybrid firewall.

Firewall Appliances

Another major trend in firewall technology is the move toward the firewall appliance. Originally, firewalls were software solutions that required users to buy a platform to run them on, usually Unix or Microsoft Windows NT, with Unix favored of the two for its better performance and stability. Today, however, most vendors have added firewall appliances to their line of solutions.

The black box approach packages hardware and software and uses proprietary operating systems. This turnkey approach is generally less expensive, and is easy to manage and administer. For companies with little in-house security expertise or for companies of any size deploying firewalls in a small or remote office, the firewall appliance is a good solution that requires little baby-sitting. By the same token, vendors don't provide the same kind of hand-holding for these products.

Here's the good news about firewall appliances: When it breaks, you send it back. At the same time, these sealed devices can't be upgraded and are less scalable. When the time comes to upgrade, companies have to upgrade to the latest product versions, or newer models.

By contrast, software solutions require more expertise to configure and deploy and require more administrative effort. However, they can be upgraded and scaled.

A firewall appliance from Netscreen Technologies Inc., of Santa Clara, Calif., was the product of choice for Web Crossing Inc., a San Jose, Calif.-based provider of Web-based discussion software that handles over 65,000 concurrent TCP connections over 100BaseT connections. The company serves over 15 million pages per day at thousands of active Web Crossing sites, including Cnet.com, CNN.com, Lycos, NYTimes.com, and Pathfinder.

A firewall appliance is configured to get better performance because it's designed for the application rather than taking an existing operating system and adding security, says Jeff Soule, systems administrator at Web Crossing. The company looked at both software and firewall appliances before making a purchase decision. However, according to Soule, We wouldn't be able to get the kind of speed we needed with a software firewall without purchasing expensive hardware. The company currently has eight Web servers in San Jose, Calif.

Product Costs

How do product costs compare? According to industry participants, the acquisition costs for a firewall are lower than the total cost of ownership (i.e., the people required to configure it and provide ongoing maintenance). Overall, however, costs are declining.

According to Axent, a 25-user license for its Raptor software firewall is $1,995, going as high as $24,000 for a full-blown product suite including unlimited VPN. Expect to pay an additional 18% of the product list price for 8-hour, 5-days a week maintenance and support or an additional 25% of the price tag for 24/7 maintenance.

CyberGuard, a vendor that first offered a software solution, will continue to do so, but is also introducing a complete line of firewall appliances; the company reports that its high-end appliance runs $21,000 list. By contrast, a copy of its firewall software costs about $18,000-$20,000. Expect to pay about $15,000 for a Unix server, adding up to $35,000-$40,000 in total. On top of the hardware/software costs, companies must also think about acquiring the expertise to configure, implement, and manage the firewall.

Doing business in an increasingly demanding and fast-paced business world has led many IT shops to the doors of service providers for a variety of contract work arrangements: application hosting, systems management, e-business management, and security. Outsourcing has, for many organizations, become a new way of taking care of the systems on which the organization relies. The reasons are many: An organization may be under time-to-market pressure; it may have insufficient IT resources for its projects, or lack IT staff with those specific skills; or IT may not be the organization's core competency.

For any or all of the above reasons, including total cost of ownership (TCO), outsourcing firewall management is an attractive option for many companies. Not only do managed firewall service providers off-load a company's need to hire in-house expertise, but companies get 24/7 management, as well.

Pch.com, the New York-based online division of Publishers Clearing House, which offers sweepstakes and shopping to users, knew it needed a firewall from the first day it went live last year. The company immediately looked for a provider of managed services. My main concern is service levels, says John Zerden, director of technology at pch.com.

The company signed a one-year contract with Digex Inc., of Beltsville, Md., for outsourced firewall management. For about $10,000 per month, or $100,000 per year, pch.com gets two top-of-the-line firewalls and managed 24/7 service for both. Pch.com gets millions of hits per day and in addition to getting around-the-clock coverage and technical expertise, Zerden notes that Digex has clout with the firewall vendors and can handle any issues quickly.

To get the same level of coverage I'm getting with Digex, I'd have to hire five certified firewall engineers at a cost of about $100,000 each, he says.

New Options

There's no shortage of providers for managed firewall services. ISPs, hosting vendors, and security vendors are all jumping into this market space. In fact, many vendors in this technology area provide managed services, as well as products, for companies who want to assume in-house responsibility for the firewall.

Coming from the Internet security space, for example, is DefendNet Solutions Inc., a Providence, R.I., company, that offers a suite of security products. The vendor also tailors its solutions to different size organizations. DefendNet DSL is for small and home offices, DefendNet MT was designed for the mid-tier company, while DefendNet Enterprise addresses the needs of large organizations.

DefendNet product features include 24/7 managed security; vulnerability assessment; Web site filtering; monthly usage/trend reports; remote access and encryption; unlimited users; and four-hour parts replacement. The vendor also recommends firewall technology to its customers and specializes in firewall equipment from about half a dozen leading vendors.

According to Vincent Giordano, president and CEO at DefendNet, a 100-user shop can expect to pay below $10,000/year for managed firewall services, which translates to roughly $800 or less per month. Of course, the savings any company reaps depends upon the infrastructure it needs to support. So, for example, the 100-user shop would probably pay about $20,000 for an in-house firewall solution, including firewall purchase, installation and management (consisting of about one hour a week at $100/hour for maintenance). The savings between outsourcing and owning are about 50%, or $10,000 annually.

The small business market, in particular, is one that's poised for significant growth, according to International Data Corp. (IDC), of Framingham, Mass. Revenues from this market sector are expected to reach $1.6 billion in 2000. Yet at year-end 2000 the small business market has the lowest adoption rate for firewall security: only 14% in 2000, compared to 50% for large businesses and 41% for medium-size businesses in the U.S.

Firewalls are a requirement for doing business today. So, companies aren't asking if they need a firewall, but rather which one they need. Not only is there a broad range of products available, but many vendors in this market space, as well. The good news, says Schacter, is that companies have flexibility when shopping.

Lynn Haber writes on business and information technology from Norwell, Ma.