Security and xDSL Connections, Part III: Firewalls and Transport Security
In my first two columns on security and xDSL connections, I discussed the
issues that broadband connections, particularly DSL, present from a system
administrator's perspective, and the policies and technologies to apply on
the xDSL-connected network. In this column, I discuss firewall solutions
for these xDSL connections.
Firewalls

The majority of DSL deployment today requires a DSL modem/router and a
hubbed or crossover Ethernet connection to the teleworker or remote office
PC(s). The role and placement of a firewall for a remote LAN will differ
little from the role firewalls play at an enterprise: the firewall should
prevent unauthorized access to remote office resources and information,
while allowing users access to Internet and enterprise services at other
locations. Administrators should consider the pros and cons of the
following firewall alternatives as they consider security for DSL
connections:
1. Use the firewall capabilities provided by the xDSL router
2. Use personal firewall software
3. Use a firewall "appliance"
4. Have your remote user create their own firewall: enterprising
individuals can take a PC, add a second Ethernet NIC, and convert it into a
firewall by hardening the OS (NT or Linux, for example) and installing
firewall software.
I mention the last option only for completeness: this solution requires
serious expertise, and time and attention beyond what most teleworkers
should devote to security. If you do have someone in your organization
capable of properly hardening and configuring a software firewall,
transfer him or her into your security or network operations organization
immediately.
1. Routers With Firewall Features

At first glance, it's tempting to use the firewall capabilities provided by
the DSL router. After all, you have already purchased or are leasing it.
Also, many DSL routers do provide static packet filtering capabilities,
Network Address Translation, Internet or port sharing, and possibly
logging and auditing. (Note, however, that many do not provide all these
features, so check your equipment carefully.) Keep in mind that a static
packet filter does not track connection state: to let reply traffic back
in, it must leave ranges of high ports open to any outside host, which is
considerably weaker than the stateful filtering offered by the firewall
appliances discussed later in this column.
If you decide that the router has the
appropriate features, and you want to use it as the firewall, first
educate your remote users about security and the role and importance of
firewalls. You may wish to provide training or pre-defined firewall
configurations. If the DSL router includes a firewall, the installer will
probably configure it to provider-defined default settings. Determine
whether these sufficiently implement your security policy. Work with your
provider as needed to tweak these defaults.
Be sure to consider that no single service
provider yet offers DSL ubiquitously: Though a provider offers DSL service
in your region, it may not offer it out of every central office. To
provide all teleworkers and remote offices with broadband local access,
you may have to work with multiple service providers and ISPs, and
multiple services (e.g., DSL and cable). Even if you are fortunate enough
to work with a single DSL provider, you may find that the provider uses
different equipment for ADSL, IDSL, or SDSL. Anticipate a variety of DSL
access routers—and that some may not offer a satisfactory set of security
features. Recognize how this may complicate your security deployment
process before choosing this option.
Another issue you may encounter is that access to modems/routers is often
managed exclusively by the provider. While you may feel more confident
about having a service provider manage firewall features for your
teleworkers, this service may be an incremental cost over the basic
transport service you have budgeted for. Managed security services are
attractive in cases where your organization does not have the expertise,
or manpower, to oversee security operations on a day-to-day basis. In this
case, provider management of router firewall configuration can be more
secure, more tightly monitored, and more cost effective than growing
in-house expertise to address this new need. Ask about the service
order/change process, and understand up front who will perform monitoring,
and how incidents will be managed and escalated.
Avoid a situation
where you outsource teleworker and remote office firewall management to
multiple service providers (DSL, cable and ISP), while retaining
management of enterprise firewalls in-house. In this circumstance, you
will have to coordinate security policy for enterprise Internet firewalls
and xDSL firewalls between your staff and multiple service providers.
Coordination of security policy, change control, monitoring, and exception
processing among so many parties can be a nightmare.
2. Personal Firewall Software

Personal firewall software may seem attractive, especially for teleworker
residences where only a single PC is connected, or if you have already
incorporated this form of software into a roaming employee (laptop)
security practice.
As with DSL modem/routers, consider the matters
of educating users, training, and distribution of firewall configurations.
Below is a partial checklist for evaluating personal firewall
software:
- System requirements
- OS support (Windows 9x, NT, 2000, Macintosh,
Unix)
- Ethernet NIC support, Adapter
compatibility
- Compatibility with NDIS or other (e.g.,
IPsec VPN) adapters that are part of the standard desktop used by your
organization
- Packet filtering
- Port filtering
- URL filtering and blocking
- Anti-virus measures (e.g., Visual Basic
Script worm blocking)
- Intrusion detection features
- Logging and reporting
- Ability to distribute an
administrator-defined configuration
- Support for central administration and
monitoring
When deploying personal firewall software, one big concern is
compatibility with Ethernet adapters and other software adapters,
especially third-party VPN adapters. Lost productivity from systems
experiencing adapter incompatibility problems that may only be solved by
having the teleworker lug a base unit to work is something you really want
to avoid.
Ask the software vendor for a list of
compatible NICs, and ask specifically about any VPN adapter your
organization may use before you install. Seek out firewall products that
support remote administration and monitoring so that your IT group can
provide oversight.
You should consider what may happen if the
personal firewall software is itself attacked. Experience has shown that
applications connected to the Internet can and do crash. When personal
firewall software crashes, it could leave the host laptop or desktop
unprotected, or cause the host itself to crash. Personal firewall software
is in its infancy, and vendors are still hastily publishing patches as new
exploits are discovered. Investigate your prospective vendor's track
record, be diligent in applying new patches and appropriately cautious
about where you install this software.
Another matter to consider is the need to accommodate growth in the number
of remote users. Personal firewall software, especially products with
central administration features, is licensed per host. Teleworkers who
have DSL connections to the public Internet may add personal-use and
family-member PCs to their residential LAN (an activity nearly impossible
to discern when NAT and Internet Sharing are used). Decide whether to:
- provide additional licensed copies per
teleworker residence,
- accept the possibility that employees will
pirate the single licensed copy provided to them,
- risk having an unprotected personal PC
expose the company to one of the threats mentioned in earlier
columns.
The sum of the individual licenses for a
teleworker or remote office LAN, coupled with the price (time or money) of
help-desk support for software, often justifies the cost of a separate
firewall appliance.
3. Firewall Appliances

A firewall appliance is a standalone device that runs hardened software
designed to provide firewall functions. Unlike routers with extended
firewall capabilities, firewall appliances are specifically designed to
provide security, not routing. They have simple, easy to use interfaces
and are simple to support and upgrade. Appliance software, particularly
the operating system, is generally a minimized build that has been
reviewed to correct or eliminate exploitable code; ask the vendor how it is
hardened and how quickly fixes ship rather than taking this on faith.
A firewall appliance sits between your
DSL modem/router and your PC. As the market for broadband local access has
grown, so has the market for this type of security product. Many firewall
appliances are carefully designed to accommodate the SOHO market, where
technical aptitude and security expertise may not be available. Some of
these appliances install in minutes and can provide teleworker, home and
small businesses with dynamic stateful packet filtering, static and
dynamic NAT, Internet Sharing, and URL blocking, filtering and tracking.
Some SOHO firewall appliances even come with a built-in Ethernet
hub.
Many firewall appliances are suitable for remote office
applications, and may provide all the aforementioned features plus
transparent application proxies, and even VPN capabilities. Firewall
appliances suitable for large enterprises offer real-time monitoring
and remote administration from a central location, as well as logging and
auditing features.
Firewall appliances boast the following
advantages:
- If you want to outsource teleworker security
to a single managing entity, your ISP may offer an appliance-based
solution that's more fully featured than simple router packet
filters.
- If you want to manage teleworker security
in-house, there's clean separation between your ISP's router
administration, your employee's desktop administration, and your IT
group's appliance administration.
- You can build an operational process based
on a single, uniform management interface and consistent set of security
features.
- You can avoid desktop compatibility issues
and eliminate the need to distribute and manage per-desktop firewall
software licenses.
One of the most attractive aspects of the
firewall appliance alternative is that you can find products, like the
WatchGuard Firebox series, that offer administrative software to manage
teleworker, remote office, and enterprise firewall and VPN services
from a central location. In many cases, this alone justifies the
incremental cost of ownership of a firewall appliance over other
alternatives. Consider a five node remote office: Five user licenses for
personal firewall software at $40/license might cost $200 less than a
firewall appliance. Avoiding a single incident where a software install
requires help desk support and prevents an employee from working for an
hour justifies the additional cost of the hardware.
Firewall Best Practices

As discussed in earlier columns, your company's security policy should
discourage teleworkers from operating unnecessary services on their PCs.
Minimizing the services operating behind a teleworker or remote office
firewall simplifies administration.
I've tested dozens of Internet
appliances and access routers, and have found that well-designed products
offer a default configuration, or rule set, to block incoming connections
to "all hosts, all ports". This feature can prevent unauthorized access
to servers on the teleworker LAN. Look for this feature and enforce its
use.
The most desirable firewall management process is to have your
security staff define configurations for all firewalls, and to distribute
(or install) these from a central location. Advise all staff responsible
for firewall configuration of policies that must be applied uniformly,
irrespective of location. Include instructions for configuring or
implementing these policies in SOHO firewalls.
If the business
environment calls for services to operate behind the firewall, and if you
are relying on teleworkers or staff unfamiliar with firewall operation to
configure the firewall, provide instructions on how to safely provide
access to those services. The accepted best practice for firewall
configuration is to begin by denying all inbound access, then to allow
selective access to the specific host (IP address) and port at which the
allowed service operates. You may want to consider a firewall appliance
that provides a third DMZ LAN or proxy-based authentication to further
constrain local server access.
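The following Python model, added here as an illustration and not code from the original column or any firewall vendor, shows the rule order this best practice implies: every inbound packet is dropped unless it is a reply to a connection the LAN opened or a new connection to an explicitly approved host:port pair. It is a simulation of the policy, not a real packet filter; the LAN prefix, addresses and the single approved service are constructed for the example.

```python
"""Model of the default-deny inbound policy: deny all inbound, permit return
traffic for connections the LAN opened, then permit only explicitly approved
host:port pairs. Illustrative simulation, not a real packet filter."""
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.1."   # assumed teleworker LAN (constructed for the example)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True        # True for a new connection attempt, False for reply traffic


@dataclass
class SohoFirewall:
    # Explicit inbound exceptions, e.g. {("192.168.1.10", 80)} for an approved web server.
    allowed_inbound: set = field(default_factory=set)
    # Connection table for outbound flows, keyed so that replies can be matched.
    established: set = field(default_factory=set)

    @staticmethod
    def is_lan(addr):
        return addr.startswith(LAN_PREFIX)

    def filter(self, pkt):
        """Return 'accept' or 'drop'. Only LAN-originated traffic adds state."""
        if self.is_lan(pkt.src):
            # Outbound (or LAN-to-LAN): accept and remember the flow.
            self.established.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        # Inbound rule 1: replies to flows the LAN opened.
        if not pkt.syn and (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.established:
            return "accept"
        # Inbound rule 2: new connections only to approved host:port pairs.
        if pkt.syn and (pkt.dst, pkt.dport) in self.allowed_inbound:
            return "accept"
        # Last resort: the "all hosts, all ports" inbound deny.
        return "drop"


def exposed_services(fw, hosts, ports, scanner="203.0.113.9"):
    """Emulate an external port scan: which (host, port) pairs accept a fresh
    connection attempt. The result should equal exactly the approved list."""
    return {(h, p) for h in hosts for p in ports
            if fw.filter(Packet(scanner, 40000, h, p)) == "accept"}


if __name__ == "__main__":
    fw = SohoFirewall(allowed_inbound={("192.168.1.10", 80)})
    lan_hosts = ["192.168.1.10", "192.168.1.20"]
    # Teleworker browses out; the reply comes back in; an unsolicited probe is dropped.
    print(fw.filter(Packet("192.168.1.20", 50000, "198.51.100.5", 443)))            # accept
    print(fw.filter(Packet("198.51.100.5", 443, "192.168.1.20", 50000, syn=False)))  # accept
    print(fw.filter(Packet("198.51.100.5", 1234, "192.168.1.20", 139)))              # drop
    print(exposed_services(fw, lan_hosts, range(1, 1024)))   # {('192.168.1.10', 80)}
```

Note that a reply-shaped packet to a port on the approved host is still dropped unless it matches a flow the LAN opened: the exception admits new connections to that one host:port pair and nothing else, which is the property a routine outside scan should confirm.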
Look for firewall appliances that
offer the same kind of online upgrades for security patches that you have
come to expect from anti-virus software vendors.
Irrespective of the firewall solution you choose, you should design or
employ a central logging, monitoring and auditing process to observe
teleworker and remote office firewall activity, just as you do for
Internet firewalls. Leverage the always-connected nature of a DSL
connection: wherever possible, configure firewalls to forward intrusion
detection results, activity logs, and system alarms to a central
monitoring station. If you are a stakeholder in policy making, recommend
an Exception and Change process: require that any exception or change to
the standard firewall configuration be submitted in writing, with business
justification, and approved before it is implemented. Implement routine
scans of all ports from outside each firewall and use the results to
confirm that the security policy is enforced at all firewalls; any open
port that is not on the approved exception list is a policy violation to
investigate.
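As an added example, not from the original column, here is the kind of check a central monitoring station can run over the forwarded logs: it parses deny/accept records from several remote firewalls, flags a source sweeping many ports on one firewall and a source probing more than one teleworker, and reports any inbound accept that is not on the approved exception list. The log line format, host names and addresses are constructed for the example and do not correspond to any vendor's format.

```python
"""Central monitoring over forwarded SOHO firewall logs: detect port sweeps,
sources hitting several teleworker firewalls, and inbound accepts that are
not covered by an approved exception. Log format is constructed for this
example (syslog-style), not any real product's."""
import re
from collections import defaultdict

# Constructed sample of lines forwarded from several remote firewalls.
SAMPLE_LOGS = """\
Jan 05 08:01:02 fw-teleworker-07 fw: DENY in src=198.51.100.23:41000 dst=192.168.7.10:21
Jan 05 08:01:02 fw-teleworker-07 fw: DENY in src=198.51.100.23:41001 dst=192.168.7.10:23
Jan 05 08:01:03 fw-teleworker-07 fw: DENY in src=198.51.100.23:41002 dst=192.168.7.10:25
Jan 05 08:01:03 fw-teleworker-07 fw: DENY in src=198.51.100.23:41003 dst=192.168.7.10:80
Jan 05 08:01:04 fw-teleworker-07 fw: DENY in src=198.51.100.23:41004 dst=192.168.7.10:139
Jan 05 08:01:04 fw-teleworker-07 fw: DENY in src=198.51.100.23:41005 dst=192.168.7.10:1433
Jan 05 08:02:10 fw-teleworker-12 fw: DENY in src=198.51.100.23:41000 dst=192.168.12.3:139
Jan 05 08:02:11 fw-teleworker-12 fw: DENY in src=198.51.100.23:41001 dst=192.168.12.3:1433
Jan 05 08:05:00 fw-remote-office-2 fw: ACCEPT in src=203.0.113.40:51234 dst=192.168.2.5:80
Jan 05 08:06:30 fw-teleworker-07 fw: ACCEPT in src=203.0.113.77:52000 dst=192.168.7.10:139
Jan 05 08:07:00 fw-teleworker-03 fw: DENY in src=192.0.2.200:3000 dst=192.168.3.2:80
"""

# Approved inbound exceptions from the change process: (firewall, lan_host, port).
APPROVED = {("fw-remote-office-2", "192.168.2.5", 80)}

LINE_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<fw>\S+) fw: (?P<action>ACCEPT|DENY) in "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(lines):
    """Yield parsed inbound events; lines in another format (alarms, etc.) are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        yield ev


def analyze(lines, approved, sweep_threshold=5):
    ports_hit = defaultdict(set)   # (firewall, src) -> distinct ports denied
    fws_hit = defaultdict(set)     # src -> firewalls that denied it
    violations = []                # inbound accepts outside the approved list
    for ev in parse(lines):
        if ev["action"] == "DENY":
            ports_hit[(ev["fw"], ev["src"])].add(ev["dport"])
            fws_hit[ev["src"]].add(ev["fw"])
        elif (ev["fw"], ev["dst"], ev["dport"]) not in approved:
            violations.append((ev["fw"], ev["src"], ev["dst"], ev["dport"]))
    return {
        # one source probing many ports on one teleworker firewall
        "sweeps": {k: sorted(v) for k, v in ports_hit.items() if len(v) >= sweep_threshold},
        # one source seen at more than one firewall: a campaign, not a stray probe
        "multi_fw_sources": {s: sorted(f) for s, f in fws_hit.items() if len(f) > 1},
        # inbound connections accepted where policy says they should have been denied
        "violations": violations,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS.splitlines(), APPROVED)
    for key, value in report.items():
        print(key, value)
```

The violation in the sample (an accepted inbound connection to port 139 on a teleworker PC with no approved exception) is exactly the case the written exception process exists to prevent; whether it came from a user-edited rule or a provider default, the central station should catch it long before a port scan would.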
Conclusions

I've only scratched the surface of the firewall best practices, touching
primarily on those most often overlooked when DSL connections are
introduced to an enterprise. Most practices I've mentioned assume that
DSL-based users access the enterprise via a public ISP, but these should
also apply to DSL connecting directly to the enterprise. If you run
Internet firewalls today, what you have already implemented on these
firewalls is a good springboard for defining policies for your
organization's SOHO firewalls.
In the final column in this series, I'll discuss the importance of
ensuring message privacy, authenticity and integrity when sensitive
information is exchanged over untrusted links such as the Internet,
through Virtual Private Networking (VPN) protocols and services.