A firewall is designed to protect network resources. Through a firewall, information can be securely shared amongst servers and workstations. They are a common form of security for any organization that has data to protect from mainly external sources. Firewalls are designed to block incoming traffic by preventing access through open ports. After installing a firewall, however, it is not necessarily safe to say that the organization is now protected against denial-of-service attacks. How can the network administrator know if the firewall is doing its job?
- The system that supports the firewall must be properly maintained. The network administrator
should create a list of all field replaceable components for this system. Once this list is
compiled, the components should be located in a safe storage area so that in the event of a system
failure the components can be readily available. An ideal situation would be to have a totally
redundant firewall system so that in the event of primary system failure, security would not be
- Whenever a change is made to the firewall configuration, perform a backup immediately to
reflect that change. For example, there may be rules set up to perform specific functions. Whenever
an update to any rule is made, the network administrator should perform an immediate backup of the
- Have the firewall vendor test both the firewall software
- and system hardware periodically for
any "leaks." The testing procedure should include scanning the firewall system to determine the
presence of known vulnerabilities and, if any are found, the immediate application of patches or
fixes. Alternately, the network administrator should also have third-party certified vendors
perform the same tests to ensure that the firewall's vendor does not have a bias. The tests should
be performed when there is the least network traffic, because test scripts can possibly overload a
network. The person conducting the tests should be supervised by either the CIO or the network
administrator. In this way, questions can be asked about the testing procedure and results
presented by the tests.
- The results of the tests should be stored in a secure location to prevent any unauthorized
persons from gaining access to it
- As part of the testing phase, the firewall alarms and thresholds should also be tested. Delays
in receiving alarms via e-mail or pager should be observed.
- Some vendors may require remote access to the firewall in order to perform testing procedure whenever there is a problem. This should be avoided unless there is written assurance from the vendor and approval by the client company's legal advisor.
Adesh Rampat has 10 years of experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals and the International Webmasters Association. He has also lectured extensively on a variety of topics.
This was first published in May 2001