||"They" are out there. "They"
will attempt to crack your online systems, sometimes for profit, revenge, or just for the
fun of it. "They" are the cyber-criminals.
Business communication needs
dictate that you must connect yourself to the Internet, but you cant leave yourself
unprotected You need a firewall.
A Firewall is a device that sits between your network and the Internet. It makes
sure that "They" dont get in, while allowing you access to fulfill your
There are a number of firewall products on the market. They fall into two basic
categories Stateful Packet Inspection and basic NAT. Either type can be
implemented in software on a server or as a hardware "appliance" solution.
A NAT router is your basic, less than $100, firewall. It works by translating a
single Internet IP address into multiple local IP addresses, and is sufficient for many
businesses and home users. The idea behind it is that it only traffic from the
Internet that has been "solicited" from a machine on your network, a
cyber-criminal cannot get through it and compromise your internal network. If a
packet of data was solicited by a machine, then the router sends the packet back to that
machine without even inspecting the packet to see what it is. While effective
against most attacks, if you host any services locally such as remote access, web server,
or Email then the effectiveness becomes very limited. It will also not protect you
against "backdoor" programs commonly installed as components of
"spyware" or peer-to-peer sharing software such as Kazaa of Napster. If
one of your employees installs such software on a machine on your internal network, then
the effectiveness of a NAT router is extremely diminished.
A "real" firewall looks inside of a packet, compares it against a list of
rules that you establish, and then decides whether to allow it through or not. In
addition to doing a much better job protecting you against outside attack, it also
protects you from inside carelessness. For example a stateful packet inspection
firewall can be configured to filter the files your employees download to limit your
exposure to viruses or completely prevent them from using file-sharing software without
A number of companies make good stateful packet inspection firewall appliances, such as
Cisco (PIX) and Watchguard. On the software side Microsoft has their ISA server,
Novell has BorderManager, and Nokia has Checkpoint.
We often combine Firewall and VPN functionality into the same appliance, and usually
recommend something from the Cisco or Watchguard product lines.