SOHO Firewalls For Enterprise Access

How It Works

Most firewalls look at only the header of the data packet being sent over the network. For the most thorough security, however, we recommend fire- walls that provide SPI (stateful packet inspection), which lets a firewall examine the content of packets rather than just actions and rules based on packet headers.

With SPI, a firewall can be used for Web content filtering to deny access to objectionable or legally actionable material at the remote location. SPI also lets the firewall provide a measure of app-based security, protecting against certain e-mail or IM-based threats. Working in conjunction with antivirus, antispam and surf-guarding software, SPI can provide tight security for SOHO PC-based apps and the network beyond them.

No matter how complex the function of the SOHO attached to the network, enterprise IT staff must have access to all the firewall's settings to guarantee complete distributed network security. The most common management interface for SOHO firewalls is browser-based, but your admins may prefer other options. A serial management interface, for example, can allow 24/7 CLI (command-line interface) access to the firewall in the event of network interface misconfiguration or other network difficulties. Beyond the safety net aspect of the serial interface, the CLI supported by many firewalls is similar to Cisco's IOS. This will be more familiar to your IT staff and will let network technicians set up the firewall more quickly than would be possible through a Web browser.

If you plan to manage your SOHO firewalls remotely, you'll need secure access. Check that the proposed firewall supports SSH (Secure Shell) or SSL (Secure Sockets Layer). SSH is the most common interface for remote administration, but SSL transactions combined with authentication certificates will work too.Simple firewalls come with rules configured, but if you use VoIP, IM or any other custom apps, you'll want to add your own rules. The number of custom rules allowed and the ease with which they can be implemented will affect both the initial cost and the cost of deployment. Confer with your enterprise security team to determine the number of customizable rules you need.

Firewalls intended for SOHO deployment may offer features that go beyond the basic security. Most enterprises require their SOHOs be connected via VPN. For many VPN applications, two VPN tunnels must be established, one for each direction of traffic. If your network infrastructure uses separate VPN tunnels for a number of apps or locations, choose a firewall that will support that.

One way to simplify deployment and keep the box count down is local network dynamic addressing through DHCP and NAT (network address translation). A firewall that incorporates these along with one or more broadband interfaces may replace cable or DSL modems and routers with a single appliance. If you don't have standardized SOHO routers, a firewall that provides DHCP and NAT paired with a broadband modem may be all the network infrastructure a remote office needs. As a boon, multiple WAN interfaces--broadband or dial-up--give you failover options in the event of an ISP outage. This failover may be especially important if Web, mail or application servers accessible from outside the remote network are protected by the firewall.

If you have publicly accessible servers, you will need DMZ ("demilitarized zone") capability from the firewall. The DMZ is connected to the firewall via a distinct physical interface that is not governed by the same policies in place for the main SOHO network. Systems placed in the DMZ can be addressed from external systems directly, are typically protected from DoS (denial-of-service) attacks and are insulated from the network so that they cannot be used as launching pads for more destructive intrusions.In addition to preventing unauthorized access from outside the local network, SOHO firewalls may provide authentication for clients attaching to the local network using MAC (Media Access Control) address authentication, simple name/password access control lists or an internal RADIUS server. Some firewalls also support pass-through authentication to external RADIUS, NTLM or 802.1x servers that are in place for the network. Before insisting that your firewall include support for network authentication, thoroughly consider your need and the ease with which different authentication methods can be employed or combined.

SNMP support is vital if the SOHO will be managed internally through a network-management console or if the central network admin will include SOHO infrastructure within the managed enterprise network. If SNMP is supported, its implementation might include only traps, or the addition of gets or sets, which would allow more active remote administration of the firewall. If SNMP is critical to your remote network management, be sure that SNMP is supported and that all necessary levels of SNMP functionality are present.

For all enterprises, logging is critical. Check what form of logging the firewall supports--syslog, internal logging or server logging. Then see if the logging method will provide information that is useful to administrators or that can be captured and used by network-management tools.

Firewalls are a necessity for SOHOs on the network: The right firewall will not only offer protection against attack and intrusion, but also support applications and provide necessary network address and configuration features. Invest the time to make sure the firewall you purchase is the best fit for your enterprise, and it will pay off in improved application performance, enhanced security and lower overall infrastructure costs.

Curtis Franklin Jr. has been writing about the computer and network industries since 1985.

Post a comment or question on this story. Many firewall vendors submit their products to TruSecure's ICSA Labs for certification. The ICSA Labs test firewalls against a known set of criteria and issue certificates for specific firewall operating system versions based on the results. The criteria, which can be found at www.icsa.com, are based on open standards and may provide a level of comfort for those in the market for remote enterprise firewalls.

VoIP is becoming significant for enterprises seeking to reduce telephony expenses. Most VoIP applications use one of two standard protocols: H.323 or SIP (Session Initiation Protocol). H.323, standardized by the IEC (International Engineering Consortium) as part of the ITU-T H.32x group of IP multimedia standards, is employed by many first-generation VoIP telephones and supported by most routers. Since it was finalized by the IETF in June 2002, SIP has become the protocol of choice for VoIP systems.

SIP makes use of ephemeral high port assignments, in which high network ports, normally blocked by firewalls as part of routine security, are assigned when the VoIP transaction begins. This makes traversing the firewall difficult for many enterprise SIP deployments, especially when the call is initiated outside the SOHO network as the result of, for example, a call transferred from within the main enterprise network.

The IETF is working on new guidelines for firewall and VoIP vendors, but nothing conclusive is expected before mid-2004. Meantime, enterprise IM vendors have begun using SIP as a protocol to add rich media types to basic enterprise text messaging; these IM systems place the same demands on a firewall as do VoIP applications.