Selecting and Configuring a Firewall

The Internet is a dangerous place filled with a constant barrage of automated scans that scour the Internet for vulnerable targets. Once identified, these targets receive a variety of attacks. Many of the attackers have no idea who owns the target, and the ultimate goal depends on both the attacker and the type of target. Selecting an appropriate firewall helps protect your network from the Internet and the Internet from your network.

Why Do You Need a Firewall?

  • Guaranteed network resources protection from the malicious activity on the Internet
  • Ensured safe and secure access to your internal resources to external users
  • Maximized performance of your network resources

Important Considerations when Selecting a Firewall

  • Network firewalls vs. desktop firewalls – Many desktop firewalls exist to protect individual computers (e.g., ZoneAlarm); however, for overall network security you need to consider a network firewall device. This article is dedicated to network firewalls. For information about the desktop variety, see the Home PC Firewall Guide
  • Software/hardware – With software firewalls, like Microsoft ISA Server or Smoothwall, you install the program on top of an existing Windows or Linux server, which then becomes your dedicated firewall. Hardware firewalls, manufactured by Linksys, Cisco, Netgear, Watchguard, SonicWall and many others are devices with their own operating systems and specific hardware. In other words, with a hardware device, the manufacturer designs both the hardware and the software and sells them as a unit. With a software firewall, you provide your own hardware.
  • Extremes – With so many firewall devices on the market, you must ensure that your firewall fits your requirements. Purchasing a high-­end firewall with features your library will never utilize results in a waste of resources. At the same time, you do not want to purchase a firewall that will not support your security policy.
  • Size of network – Does the firewall device have enough processing power to handle the number of connections for your network?
  • Network topology – How many networks do you have that need some unique level of protection or isolation? Suppose the firewall you’re evaluating has three Ethernet ports. Is that enough? Let’s say you need one subnetwork for the staff machines, one for the public access machines, one for your wireless access point and one for your servers. In this case you need a firewall with four Ethernet ports, as well as a port for your Internet connection. Or you could use a second firewall or a managed switch to provide the network separation you’re looking for.
  • DMZ ­­ – Do you need a DMZ for your Internet­-facing servers? A DMZ (short for demilitarized zone) is a small subnetwork for hosted Internet services, such as Web servers and e­mail servers. The firewall protects the servers in the DMZ and checks traffic to and from those servers, but it also isolates them from the rest of your local area network as much as possible. Your Web server can handle requests from random computers on the Internet because you’ve presumably hardened and secured that server. On the other hand, your average staff machine shouldn’t be exposed to the Internet in that way. Also, if something goes wrong and the Web server is compromised, the damage will be partially contained. There are several ways to set up a DMZ, and your DMZ architecture may affect the type of firewall(s) you decide to buy. Wikipedia describes two common approaches to setting up a DMZ.
  • VPN – A VPN (Virtual Private Network) encrypts data between dispersed locations when that data is sent over the Internet or another public network. Libraries often set up VPNs so that staff who work from home can securely access files and programs on the library’s network. Also, in many libraries the main branch and outlying branches use VPNs to transfer circulation records and sensitive patron information. If you’ve purchased high­-speed, dedicated data lines from your service provider, you may not need VPNs for branch­-to­-branch communication. However, dedicated lines are expensive, so a lot of libraries use VPNs instead. Some firewalls can handle VPN encryption and decryption, but you can also buy separate, standalone devices to handle this function. VPNs can be tricky to configure and maintain, so you should talk to an expert. See the following story from Cindy Murdock for one library’s experience securing their data over the Internet.
  • Content filtering – Does your security policy require some form of content filtering? Some firewall companies offer this feature. Your firewall will download a blacklist of banned sites on a regular basis or filter sites by keyword or both. However, this feature may cost extra.
  • Level of control – Do you want to block all traffic for certain applications or do you need to implement more granular filtering so certain computers or users have more capability than others? For example, you might block ssh traffic (ssh stands for secure shell, a remote logon utility) for most of your network, but allow it for systems administrators who need to access remote servers. Does the firewall you’re evaluating give you the degree of control you’re looking for?
  • Bandwidth management – Do you need to control bandwidth usage? Do you need to limit bandwidth per user or per computer? Do you need hourly or daily limits? Some firewalls have these capabilities, and you can also buy separate, standalone devices to handle these tasks. For more information, read Bandwidth Management.
  • Technical expertise – Do you have the in-­house expertise to properly configure and manage the firewall, or will you need external technology support? Often your service provider will configure and maintain your firewall for a price.
  • Budget – With firewalls ranging in price from $50 to $10,000, the budget represents the biggest consideration for most public libraries. While your library may want all of the features, you need to determine the most important based on your requirements and resources.

Types of Firewalls

For a quick review of the most typical firewalls for different­-sized library networks, take a look at the Firewalls at a Glance tool.

Common Configuring Issues

Most security experts agree that having a poorly configured firewall is worse than not having a firewall. At least you know your network is not secure without a firewall, while you have the misconception of security with a properly configured firewall. There are a few important steps to take when configuring your firewall.

  • Username/password – As with all computer devices, you need to modify the default password for your firewall device. Some firewalls also allow you to modify the default administrator username.
  • Remote administration – Most firewalls use a Web ­based graphical user interface for configuration and allow for remote administration from outside your network. Disable this feature unless absolutely necessary.
  • Port forwarding – For certain applications to work properly, such as a Web server or FTP server, you need to configure appropriate port forwarding.
  • DHCP server – Most firewall devices act as a router and include a DHCP server. Installing a firewall on a network with an existing DHCP server will cause conflicts unless the firewall’s DHCP server is disabled.
  • Logging – In order to troubleshoot firewall issues or potential attacks, you want to make sure to enable logging and understand how to view the logs. Make sure you understand this functionality on your firewall.
  • Policies – As discussed previously, you want to have solid security policies in place and make sure that your firewall is configured to enforce those policies.

Whether offering Internet access to patrons or providing an online catalogue, steps must be taken to implement effective network security to protect your resources. With a proper technology plan in place, you should have already addressed many of the issues surrounding network security. Our purpose here is to provide insight for the particular issues regarding network security.

Stories from the Field

We had some issues [with our Wide Area Network], because we’re encrypting all of our traffic for security reasons on the intranet side, the staff side. We found that it was really slow at the farthest library from the system headquarters. I had to use a hardware solution to get the encryption to speed up. Now that we’ve got that done, I should be able to get the other branches done pretty quickly. We wanted to encrypt our traffic so that patron information is protected when it’s being passed over the Internet. We’re circulating over the Internet. We don’t have our own private network.

We’re using a special router built on OpenBSD [a Unix-like operating system] and a VIA C7 chipset that has hardware encryption capabilities.  The speed difference is enormous. When we first noticed this problem, I did some benchmarks. Apache, the Web server that we’re using, handles about 4,000 transactions per second unencrypted. With the encryption in place, it can only handle 70­-80 transactions per second. So we had to offload the encryption onto this hardware solution [the OpenBSD router mentioned above] to speed it up. Before, when you would circulate a book from the most remote library, it would take 20-­30 seconds to finish the transaction, whereas now with the fast hardware encryption, it’s barely noticeable. It’s like using a regular Web page.

Cindy Murdock
Meadville Public Library, PA

We have one central firewall now that we allow multiple libraries to use, so all of their web traffic comes here and then out.  When the kids want to play in the library and someone asks me to open a port, I’ll try to determine what port number it is, and then I go out on the Internet and look and see if there are any vulnerabilities to that port.  Is there a known Trojan horse or virus that’s coming in on that port?  If there is, then we don’t allow the port; if I don’t find anything, then we will allow it, but we might only allow it for a few machines.

Jean Montgomery
Upper Peninsula Region of Library Cooperation, MI 

Further Resources

Interested in finding out more about firewalls? Check out our Further Resources section.