The Right Ways to Protect Your Net

Decisions, Decisions

Hard or Soft? Deciding between a hardware firewall and a software firewall is no trivial issue. In fact, the arguments in favor of each are so compelling that, of the two firewall solutions we hear about most from network administrators, one is hardware (Cisco Secure PIX) and the other is software (Check Point FireWall-1).

Hardware firewalls usually come in the form of plug-and-play appliances. Depending on the amount of traffic traversing your network, you may need a powerful model that can cost up to $100,000. Firewall appliances are normally easy to scale: As you need more protection, you just plug in another one. They may also have failover capabilities--you can have dual firewalls protecting your network; and if one fails, the other will pick up the slack.

Software firewalls run on your servers and often come in economical suites that may include a virtual private network or intrusion detection (see "Get Proactive," below).

Examine your network to determine the level of protection you need. Firewall appliances won't work in every environment, but their performance and ability to handle large loads make them worth a look. Software can slow down network performance if too much of it runs on one server (see "Break 'Em Up," below).

Remote Chance If your company employs a legion of mobile workers who connect to the corporate network through a remote-access server, the chances aren't so remote that a snoop could use that server to break in. You may diligently secure your network perimeters with firewalls and other systems, but if you don't authenticate remote-access connections or protect the server, you're leaving the back door wide open.

Consider installing a software-based firewall for your remote-access server. VPN suites, such as VPN-1 software from Check Point, also include remote-access security features.

If mobile workers handle confidential documents, their home PCs and notebooks should also run firewall software. A couple of our favorites: Zone Labs' $40 ZoneAlarm Pro and Network Ice's $40 BlackICE Defender.

Get Proactive Firewalls have become commonplace, but they're mostly reactive devices. That's why a growing number of companies are also deploying intrusion detection systems. If firewalls are the deadbolts, intrusion detection systems are the trip wires that set off alarms should someone get past the first line of defense. IDS products monitor and analyze network traffic to flag or stop intrusions, including denial-of-service attacks.

Intrusion.com is just one company with a line of hardware and software IDS products. Check Point, Cisco, Computer Associates, Symantec, and others also have IDS products.

Break 'Em Up Consider setting up servers or purchasing appliances that focus on one aspect of security apiece, separating your firewall, VPN, intrusion detection, and encryption systems. The chief benefit? Speed--as security measures become a ubiquitous part of your enterprise, they're liable to drag down your network. Separate servers, each focused on one task, can process data relatively quickly. As traffic grows, you can add a second or third firewall (or other security) more easily.

The Keys to Security An increasing number of companies are turning to public-key infrastructure technology to encrypt and secure all the data traveling along their networks. PKI software allocates digital certificates to company employees, enabling them to authenticate, encrypt, and decrypt files. But PKI products from companies like VeriSign and RSA Security don't come cheap. Research firm Gartner estimates that the typical cost of launching and managing PKI software for 5000 to 25,000 users ranges from $150 to $180 per seat.

When you investigate PKI products, ask the vendors how they charge for their systems. Is it per seat? Per application you want to secure? A combination? You'll also have to factor in training and support costs when you deploy a PKI system. It can be a very complex project, but PKI offers some of the best network security.

Solidify Your OS Anyone who uses Microsoft Windows (pick a version) already knows that operating systems are not always secure.

Enter trusted operating systems: security-hardened versions of standard operating systems. In the past, these products were so pricey and difficult to maintain that only big enterprises in need of rock-hard security bought them. But that was before the Internet made everyone a potential security casualty.

Trusted operating systems come in many flavors, including versions of Windows NT and 2000, Linux, Sun Solaris, IBM AIX, and HP-UX. They tighten security by isolating communications capabilities and other OS functions to keep them safe from hackers. You can also bolster your current operating systems by purchasing a product such as WatchGuard Technologies' $1295 ServerLock, which hardens Windows NT and 2000 servers.

Pull the Plug Even in this era of high-bandwidth, always-on Internet connections, there may be older desktop systems on your network that have dial-up modems inside. And if employees use those modems to get online or to synchronize information with home computers, they are circumventing your network firewalls.

The likelihood that a hacker will break in to your network through a modem connection is slim, but you should still take all reasonable precautions against it. Unless employees need dial-up modems to do their job, don't buy systems with bundled modems. And consider removing the modems from existing systems.

Scan Those Retinas Biometrics may seem like something out of Star Trek, but you ought to start thinking about using fingerprints, retina scans, voice recognition, and other unique-identifier technologies to authenticate network users. All these technologies offer protection against unauthorized users--whether company employees or folks meandering through the halls--who try to log on to a networked computer and then rifle through files.

Biometrics solutions may not be perfect (ask the vendors of fingerprint scanners how their products handle cellophane-tape impressions), but they're better than easy-to-remember (and -guess) passwords like birth dates and maiden names.

DigitalPersona's popular U.are.U fingerprint security system is available in one version for corporate use and in another for home and small offices (the $149 U.are.U Pro and $99 U.are.U Deluxe, respectively). Other choices abound. Veritel's VoiceCheck, for example, uses voice recognition to authenticate users, while products from Viisage use face recognition.

Vanquish Viruses Unless they have cute names like Melissa, viruses don't get much attention at the corporate level. But it's vital that you secure your enterprise against them. You can run antivirus software at all levels, from a gateway to a workstation, but you need central management to know what protection you have and whether it's working.

Symantec has an extensive line of enterprise antivirus products, including Norton AntiVirus for Gateways and Norton AntiVirus for Firewalls. Its Symantec System Center permits real-time communication with clients and servers from a single location. Competitors McAfee and Trend Micro also sell complete enterprise antivirus products.