Installation guide
STEP 4: Understanding firewall technologies
Simple versus sophisticated
Once you have decided on the general network layout and where to place the firewall, you have to think
about what firewall technology to use. Unfortunately, there is no simple right answer that covers every
circumstance.
Firewalls can use simple or sophisticated methods to do their job. More sophisticated firewalls are usually
safer if properly configured, but configuration can be much more difficult.
Rule number one – a properly configured simple firewall is more secure than a poorly configured more
sophisticated firewall.
This is important to understand. Do not aim for highly sophisticated devices if you do not have the expertise
(or an expert) to set them up and maintain them.
Even a simple packet filtering firewall can achieve sufficiently secure separation of private and public networks in a General Practice environment, as long as it is properly configured: explicitly permit only the traffic the practice needs and deny everything else by default. Equally critical is where and how the firewall is placed in your local network.
Rule number two – the firewall should be the only entry/exit point in your network. Any second path in or out (for example, a workstation with its own modem dialling the Internet directly) is an open back door that bypasses the firewall entirely.
Here is a simple analogy. Imagine you have to defend a narrow passage into a castle. You can choose a simple heavy club as a weapon, or a sophisticated pistol. While the pistol at first seems the better choice, you might discover that the club will never fail you and still does the job in most cases, whereas you cannot really predict when the pistol will fail, and you need training and ammunition before you can use it at all. If you are not experienced with pistols, you are probably better off with the simple heavy club.
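What "properly configured" means for a simple packet filter can be shown in a few lines. The following is an added example, not code from the guide or from any firewall product: a toy stateless filter in the style of an early packet filtering router, with a constructed practice LAN (192.168.1.0/24), constructed outside addresses and a made-up rule set. It shows the two things that decide whether such a filter is safe, the default policy and the precision of the rule that lets replies back in.

```python
"""Toy stateless packet filter for a single practice gateway.

Added example, not part of the guide: the practice LAN range, the public
addresses and the rule set are constructed for illustration. It shows why
'default deny' and the exact wording of the 'reply' rule decide whether a
simple filter is properly configured.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 for icmp)
    syn: bool = False     # True for a TCP packet that opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port
    syn: Optional[bool] = None   # None matches both new and established TCP

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn))


def filter_packet(rules: List[Rule], packet: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet matching no rule gets the default policy."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


LAN = "192.168.1.0/24"   # constructed practice LAN

# Properly configured: only the services the practice needs are let out,
# only replies to connections opened from inside are let back in (a TCP
# packet without SYN cannot open a new connection), and everything else
# falls through to the default 'deny'.
GOOD_RULES = [
    Rule("allow", src=LAN, proto="tcp", dport=80),
    Rule("allow", src=LAN, proto="tcp", dport=443),
    Rule("allow", src=LAN, proto="udp", dport=53),
    Rule("allow", dst=LAN, proto="tcp", syn=False),
]

# Poorly configured: the same allow rules, but the 'reply' rule was written
# without the SYN restriction, so any outside host may open a TCP connection
# to any machine on the practice LAN.
BAD_RULES = [
    Rule("allow", src=LAN, proto="tcp", dport=80),
    Rule("allow", src=LAN, proto="tcp", dport=443),
    Rule("allow", src=LAN, proto="udp", dport=53),
    Rule("allow", dst=LAN, proto="tcp"),
]

# Constructed traffic samples.
OUTBOUND_WEB = Packet("192.168.1.10", "198.51.100.20", "tcp", 443, syn=True)
WEB_REPLY = Packet("198.51.100.20", "192.168.1.10", "tcp", 51000, syn=False)
INBOUND_SMB = Packet("203.0.113.5", "192.168.1.10", "tcp", 445, syn=True)
INBOUND_UDP = Packet("203.0.113.5", "192.168.1.10", "udp", 1434)


def verdicts(rules: List[Rule], default: str = "deny") -> dict:
    """Decision for each sample packet under the given rule set and default policy."""
    samples = {"outbound_web": OUTBOUND_WEB, "web_reply": WEB_REPLY,
               "inbound_smb": INBOUND_SMB, "inbound_udp": INBOUND_UDP}
    return {name: filter_packet(rules, pkt, default) for name, pkt in samples.items()}


if __name__ == "__main__":
    for label, rules, default in [("good", GOOD_RULES, "deny"),
                                  ("bad reply rule", BAD_RULES, "deny"),
                                  ("default allow", GOOD_RULES, "allow")]:
        print(label, verdicts(rules, default))
```

Under the good rule set the practice can browse and resolve names, replies come back, and the unsolicited connection to port 445 is dropped. Change one detail, the missing SYN restriction on the reply rule or a default of "allow", and the same filter lets that connection through. That is rule number one in code: the device did not get any less sophisticated, it only got configured carelessly.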
NAT (Network Address Translation)
NAT is not really a firewall technology; rather, it is the mechanism that lets a network using private addresses share a single public Internet connection, and so in practice it is the basis on which the separation of private and public networks is built. Be aware, however, that some standalone NAT products on Windows (e.g. Windows 98 Internet Connection Sharing) are advertised as firewalls even though they are not.
NAT rewrites the addresses (and usually the port numbers) in packets passing between the private network addressing scheme and the public Internet addressing scheme. Because private addresses do not exist on the public Internet, a host behind a NAT router can only be reached from outside if the router already holds a translation entry for it: either one created by a connection that host opened itself, or one you deliberately configured (a 'port forward'). Anything behind a NAT router is therefore already difficult, but not impossible, to reach from the outside; the NAT router itself, however, remains fully exposed.
How NAT works
Imagine a practice with an internal phone system of four phones. They have the internal numbers 1, 2, 3
and 4. If somebody dials ‘2’ from any internal phone, they will be connected to extension number ‘2’. But
anybody outside, from the public phone system, dialling ‘2’ will not be connected to that phone. Why not?
Because the public phone system uses a specific phone number system which is different from the internal
phone number system.
However, anybody can dial the public phone number of that practice and the receptionist can put the caller
through to extensions 1 to 4 if requested and if it is appropriate.
The NAT router does essentially the same job as the receptionist, translating your own internal network
addresses into public networking addresses and vice versa.
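The receptionist analogy worked through as an added example (this is not code from the guide or from any router product): a toy port-translating NAT router with a constructed public address 203.0.113.7 in front of a constructed practice LAN 192.168.1.0/24. Outbound connections create entries in the router's translation table; an inbound packet is only put through if an entry matches it, or if you have explicitly told the router to forward a public port to an internal machine. All addresses and port numbers are made up.

```python
"""Toy NAT (port-translating) router: the receptionist from the guide.

Added example, not from the guide; the public address, LAN addresses and
port numbers are constructed. Outbound connections get a translation entry
in the router's table; inbound packets are delivered only if an entry
matches, or if an explicit 'port forward' was configured.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (lan_ip, lan_port, remote_ip, remote_port)
        # Dynamic entries remember whom the internal host talked to, so a
        # reply is accepted only from that remote address and port.
        self.dynamic: Dict[int, Tuple[str, int, str, int]] = {}
        # public port -> (lan_ip, lan_port): reachable by anyone, because
        # you instructed the receptionist to put such callers through.
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def forward(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """Deliberately expose an internal service on a public port."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the router's public address."""
        wanted = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        for pub_port, entry in self.dynamic.items():
            if entry == wanted:            # reuse the existing mapping
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.dynamic[pub_port] = wanted
        return Packet(self.public_ip, pub_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if a table entry exists; otherwise drop (None)."""
        if p.dst_ip != self.public_ip:
            return None
        if p.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[p.dst_port]
            return Packet(p.src_ip, p.src_port, lan_ip, lan_port)
        entry = self.dynamic.get(p.dst_port)
        if entry is None:
            return None            # no extension to put this caller through to
        lan_ip, lan_port, remote_ip, remote_port = entry
        if (p.src_ip, p.src_port) != (remote_ip, remote_port):
            return None            # not the party the internal host called
        return Packet(p.src_ip, p.src_port, lan_ip, lan_port)


def demo() -> dict:
    """Walk through the cases with constructed traffic and return the outcomes."""
    r = NatRouter("203.0.113.7")
    out = r.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    reply = r.inbound(Packet("198.51.100.20", 80, "203.0.113.7", out.src_port))
    spoof = r.inbound(Packet("203.0.113.99", 4444, "203.0.113.7", out.src_port))
    unsolicited = r.inbound(Packet("203.0.113.99", 4444, "203.0.113.7", 22))
    r.forward(3389, "192.168.1.20", 3389)
    forwarded = r.inbound(Packet("203.0.113.99", 4444, "203.0.113.7", 3389))
    return {"translated_src": (out.src_ip, out.src_port), "reply": reply,
            "spoof": spoof, "unsolicited": unsolicited, "forwarded": forwarded}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Three things in the walkthrough matter for security. An unsolicited packet to the public address is dropped because there is no translation entry, which is all the protection NAT gives you. The reply to an outbound connection is delivered only from the host that was contacted, so a third party cannot simply guess the public port. And every port forward you add is an extension the receptionist will put anyone through to, so each one must be justified and, in a real deployment, protected by firewall rules in front of it. The router itself, like the receptionist's desk, is reachable by every caller, which is exactly what the sideline below illustrates.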
Sideline: In early 2004, my home firewall died suddenly. It was temporarily replaced with a simple NAT router
('e-smith Linux distribution') to distribute the single dial-up Internet account to the whole family. An old
version was installed since we could not access the Internet to download the latest one. I was called away
to a patient just at the end of the installation and when I came back I was too tired to download and install
all the security patches that were made available since that version was released. By the next morning, that
NAT router had already been hacked. Fortunately, nothing but a sacrificial honey-pot computer was
connected and no confidential data was accessed or lost.
Lesson learned: not even dial-up lines are safe, and security patches definitely cannot wait overnight. Never
go live with an untested and unconfigured firewall.
Dr Horst Herb