Is This for You?

This document set is written to meet the requirements of information technology (IT) professionals who are responsible for the planning, design, deployment, and operations of security and network infrastructure in enterprise environments. The readers of this document set are expected to have an understanding of its technical details; however, service-level expertise is not needed to follow the enterprise-level discussions and to understand the decisions that are made. The document set consists of:

• Introduction
• Blueprint
• Planning Guide
• Build Guide
• Operations Guide
Every organization maintains certain sensitive information that can harm the organization if it falls into the wrong hands. The potential for such harm becomes even higher, and its impact greater, if an organization actively uses the Internet for hosting various applications and services such as:
• General information gathering and research.
• Obtaining financial market data.
• Providing online retail services.
• E-mail communications.
• VPN for remote workers.
• VPN-based branch office connectivity.
• Voice communications.
To provide even the most common of such services, for example e-mail, organizations must connect their internal systems to the Internet. In doing so, these systems become accessible to external sources and, therefore, vulnerable to attack. Organizations are also subject to the costs that such connections require, including payments to an Internet service provider (ISP) and investments in technologies that can protect their information systems. Firewalls are software- or hardware-based devices that can be deployed between networks to protect an organization from external or internal attacks. For example, consider a stock trading firm, which makes money by taking a percentage of each financial transaction. The firm’s credibility could be shaken if investors find that their ability to buy or sell stocks whenever they want is impaired by a poor network design that overloads the financial transaction system with unnecessary traffic. The risk posed by such a scenario can be minimized by using a firewall to ensure that the only traffic going to and from the financial system relates to transactions and that all other traffic is screened out. Further information about the design and deployment of both firewall and proxy services may be found at the following URLs:
• For detailed security information on Microsoft Windows Server 2003, refer to the “Windows Server 2003 Security Center” document at the following URL:
• For information on the Microsoft Internet Security & Acceleration Server firewall and Web cache product, refer to the following URL:
• For a free e-mail notification service that Microsoft uses to send subscribers information about the security of Microsoft products, visit the Microsoft Security Notification Service Web site at the following URL:
• The SANS (SysAdmin, Audit, Network, and Security) Institute security resources are available at the following Web site:
• The Computer Emergency Response Team (CERT) organization records and publishes security alerts and serves as a center for security expertise at the following URL:
• For information on the Microsoft Internet Security & Acceleration Server firewall and Web proxy product, refer to the following URL:
This blueprint provided a practical process for the successful selection of firewall and proxy service products. This process covers all aspects of the firewall and proxy service designs, including the various evaluation and classification processes required to reach a solution. No firewall is 100 percent safe: the only way to ensure that your network cannot be attacked electronically from the outside is to implement an air gap between it and all other systems and networks. The result would be a secure network that is virtually unusable. Firewalls enable you to implement an appropriate level of security protection when connecting your network to an external network, or when joining two internal networks. The firewall strategies and design processes outlined in this blueprint should be considered only part of an overall security strategy, because a strong firewall is of limited value if there are weaknesses in other parts of the environment. Security must be applied to every component of the network, and a security policy that addresses the risks inherent in the environment must be defined for every component. For information on conducting a risk assessment of services in the data center and developing mitigation strategies for those risks, refer to the Security Architecture Blueprint.
Security is critical in today’s business world, and the CDC design provides a firewall and proxy-cache solution that is reliable and secure. By providing a public-facing firewall for all inbound services, such as Web and application services, and an additional firewall for outbound services, the CDC site is protected from Internet attacks. By aggregating all employees and CDC site users and placing them between the firewalls at the perimeter edge (ISA Server computers) and at the internal edge (Cisco FWSMs) of the network, the CDC design is also protected against internal attacks. Using an internal proxy to relay Internet requests to an external proxy integrated with the perimeter firewall adds a further layer of security and ensures a scalable solution.

This guide presented the installation and configuration information for two service solutions in the design: firewall services, and proxy and cache services. Both of these solutions have an internal and a perimeter element in the design, so the configuration of each has been covered. This guide also provided information about the testing methodologies and processes that were carried out for the firewall services and the proxy and cache services in WSSRA. Test cases and test results were also discussed. All the bugs found were resolved and testing went as expected.
This guide helps readers understand the extent of the operations guidance that is available for the firewall services discussed in WSSRA. This guidance has been tested in a WSSRA environment, and the project team deferred to it as the authoritative source of operations content.