Control versus protection – the role of a firewall

Firewalls have always had a simple purpose: let through specific traffic types and deny everything else. While this works very well for general network control and security, it can be a positive hindrance for desktop Internet users.

On the other hand, many services, from IM to Skype, use port 80, so you can’t block them by closing their standard ports. Yet many companies still use this form of access control, even though it is an incredibly blunt instrument. Modern firewalls are capable of a much more fine-grained approach to user-level security. And this is where the philosophy and politics of internal network security come into play: should that security be about controlling what users can and cannot do, or should it concentrate on protecting the users as far as possible?

Functions such as TCP stream analysis and deep packet inspection can root out all sorts of threats: viruses, malware, even Web advertising that may lead to a potentially dangerous site. Web site block lists can prevent adult or offensive web sites from being accessed. Deploying these functions means that users can be protected from malicious activity while having nearly unrestricted Internet access. As needs become more sophisticated, you can recommend complementary security appliances and network management hardware that automate these approaches.

Traffic denial by type still has its place. SMTP should only exit your network from the mail server, for example. But it is better, I think, to allow users to use the Internet in a protected manner than to have them try to bypass network security entirely because of frustration.
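
The SMTP rule above can be checked against firewall flow logs. The following is an added example, not part of the original article: it flags outbound port 25 connections from any internal host other than the mail server. The internal range, the mail server address, the log format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumptions for this example (not from the article): the internal
# address range and the one host allowed to send SMTP to the Internet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.25")}
SMTP_PORTS = {25}

# Constructed sample records: "time src sport dst dport proto action"
SAMPLE_FLOWS = """\
2010-03-01T09:00:01 10.0.0.25 41022 203.0.113.10 25 tcp allow
2010-03-01T09:00:05 10.0.4.17 50311 198.51.100.7 80 tcp allow
2010-03-01T09:00:09 10.0.4.17 50312 198.51.100.99 25 tcp allow
2010-03-01T09:00:12 10.0.7.3 49877 10.0.0.25 25 tcp allow
2010-03-01T09:00:20 10.0.9.40 51200 192.0.2.55 25 tcp deny
not a flow record
"""

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto, "action": action}
    except ValueError:
        return None

def smtp_egress_violations(text):
    """SMTP flows leaving the network from a host that is not a mail server."""
    hits = []
    for line in text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp" or f["dport"] not in SMTP_PORTS:
            continue
        # Internal clients relaying through the mail server are not egress.
        leaving = f["src"] in INTERNAL_NET and f["dst"] not in INTERNAL_NET
        if leaving and f["src"] not in MAIL_SERVERS:
            hits.append((f["ts"], str(f["src"]), str(f["dst"]), f["action"]))
    return hits

if __name__ == "__main__":
    for ts, src, dst, action in smtp_egress_violations(SAMPLE_FLOWS):
        # "allow" means the egress rule is missing; "deny" means it worked.
        status = "rule gap" if action == "allow" else "blocked attempt"
        print(f"{ts} {src} -> {dst}:25 ({status})")
```

An allowed hit points to a gap in the egress rule, while a denied hit shows the rule working and identifies a desktop that is trying to send mail directly.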


IT EXPERT TOP TIP

When you add a new user and their email address doesn't show up in the Global Address List, work through the tips and suggestions in the ever-useful Exchangepedia Blog: http://exchangepedia.com/blog/2005/11/new-user-does-not-show-up-in-gal.html

Bulk-add new users with the script here (http://www.exchangepedia.com/blog/2006/11/exchange-server-2007-bulk-creation-of.html) or give existing users mail access (http://exchangepedia.com/blog/2006/12/bulk-mailbox-enabling-users-exchange-shell.html; this also has details for adding multiple meeting rooms as resources). And when an employee gets replaced, the steps at http://exchangepedia.com/blog/2006/03/how-to-reconnect-mailbox-to-another.html make it easy to connect the previous user's mailbox to the new user account so that mail for that job role keeps going to the right place.

Reject spam with a custom message

Just in case the message you're rejecting comes from a real person, you can have Exchange send a less cryptic message than the default error; it will make your customers look more professional. This blog post (http://mostlyexchange.blogspot.com/2006/12/exchange-2003-sp2-imf-tuning.html) explains how, but make sure to keep the 550 error code at the beginning.