Description

A firewall is an electronic barrier designed to keep computer hackers, intruders, or insiders from accessing specific data files and information on a utility's computer network or other electronic/computer systems. Firewalls operate by evaluating and then filtering information coming through a public network (such as the internet) into the utility's computer or other electronic system. This evaluation can include identifying the source or destination addresses and ports, and allowing or denying access based on this identification.
There are two methods used by firewalls to limit access to the utility's computers or other electronic systems from the public network:
- The firewall may deny all traffic unless it meets certain criteria; or
- The firewall may allow all traffic through unless it meets certain criteria.
A simple example of the first method is to screen requests to ensure that they come from an acceptable (i.e., previously identified) domain name and Internet Protocol address. Firewalls may also use more complex rules that analyze the application data to determine if the traffic should be allowed through. For example, the firewall may require user authentication (i.e., use of a password) to access the system. How a firewall determines what traffic to let through depends on which network layer it operates at and how it is configured. Some of the pros and cons of various methods to control traffic flowing in and out of the network are provided in Table 1.

Table 1: Pros and Cons of Various Firewall Methods for Controlling Network Access

| Method | Description | Pros | Cons |
|---|---|---|---|
| Packet Filtering | Incoming and outgoing packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded. There are two types of packet filtering: static (the most common) and dynamic. | Static filtering is relatively inexpensive, and relatively little maintenance is required. It is well-suited for closed environments where access to or from multiple addresses is not allowed. | Leaves permanent open holes in the network; allows direct connection to internal hosts by external sources; offers no user authentication; method can be unmanageable in large networks. |
| Proxy Service | Information from the internet is retrieved by the firewall and then sent to the requesting system and vice versa. In this way, the firewall can limit the information made known to the requesting system, making vulnerabilities less apparent. | Only allows temporary open holes in the network perimeter. Can be used for all types of internal protocol services. | Allows direct connections to internal hosts by external clients; offers no user authentication. |
| Stateful Pattern Recognition | This method examines and compares the contents of certain key parts of an information packet against a database of acceptable information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. If not, the information is discarded. | Provides a limited time window to allow packets of information to be sent; does not allow any direct connections between internal and external hosts; supports user-level authentication. | Slower than packet filtering; does not support all types of connections. |
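To make the two policies (deny-unless vs. allow-unless) and the static-versus-stateful distinction in Table 1 concrete, the following is an added example written for this page, not code from the EPA guide or any vendor. The rule set, the addresses (RFC 5737 documentation ranges) and the per-session packet budget standing in for the "limited time window" are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example, not code from the EPA guide: a toy packet filter that
# shows the two policies above (deny-unless vs allow-unless) and how stateful
# tracking admits replies only to connections opened from inside the utility.
# All addresses are hypothetical (RFC 5737 documentation ranges).

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the public network, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int

# Static rules, evaluated top-down: (direction, source network, destination port or None, verdict).
RULES = [
    ("in", "198.51.100.0/24", 443, "allow"),  # previously identified partner, HTTPS only
    ("in", "0.0.0.0/0", 23, "deny"),          # telnet from anywhere is refused
]

def static_filter(pkt, default):
    """Method 1 of the guide is default='deny'; method 2 is default='allow'."""
    for direction, net, port, verdict in RULES:
        if (pkt.direction == direction
                and ip_address(pkt.src) in ip_network(net)
                and (port is None or pkt.dport == port)):
            return verdict
    return default  # no rule matched: the default policy decides

class StatefulFilter:
    """Default-deny inbound, but remember outbound connections so that their
    replies are admitted for a limited window (here a packet budget per session)."""

    def __init__(self, budget=2):
        self.budget = budget
        self.sessions = {}  # (inside host, outside host, outside port) -> packets left

    def filter(self, pkt):
        if pkt.direction == "out":
            self.sessions[(pkt.src, pkt.dst, pkt.dport)] = self.budget
            return "allow"
        key = (pkt.dst, pkt.src, pkt.sport)  # an inbound reply mirrors the outbound tuple
        if self.sessions.get(key, 0) > 0:
            self.sessions[key] -= 1
            return "allow"
        return static_filter(pkt, "deny")  # unsolicited traffic falls back to static rules
```

Under the default-deny policy an unknown inbound port is refused while the same packet passes under default-allow; the stateful filter refuses the identical reply packet until an outbound connection has been seen, and refuses it again once the budget is spent.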
Attributes and Features

Firewalls may be a piece of hardware, a software program, or an appliance card that contains both.
Advanced features that can be incorporated into firewalls allow for the tracking of attempts to log on to the local area network system. For example, a report of successful and unsuccessful log-in attempts may be generated for the computer specialist to analyze. For systems with mobile users, firewalls allow remote access into the private network by the use of secure log-on procedures and authentication certificates. Most firewalls have a graphical user interface for managing the firewall.
In addition, new Ethernet firewall cards that fit in the slot of an individual computer bundle additional layers of defense (like encryption and permit/deny) for individual computer transmissions to the network interface function. These new cards have only a slightly higher cost than traditional network interface cards.

Cost

The cost of firewall systems varies depending on the complexity and level of protection provided. Basic firewalls begin at around $50 and can be installed on a single machine in a few hours by a knowledgeable computer user. A typical small network system of hardware and software designed for a system of 10-50 computers would cost approximately $1,000-$1,500 and would require an initial installation and configuration time of between 8-40 man-hours by an information technology specialist. Larger systems will have additional costs for more software license fees, hardware equipment capable of handling more traffic, and increased installation and testing time for additional workstations.

Vendors
Disclaimer: The information provided in this guide does not constitute an endorsement by the Environmental Protection Agency of any non-Federal entity, its products or its services. In addition, EPA does not endorse the vendors and products listed on this site. EPA is publishing lists of vendors on this site in an effort to further public awareness of vendors identified as possible contacts for further information and possible purchase of the different types of security equipment. The Agency has selected the listed vendors on that basis. The list of vendors is not a complete list, and EPA does not endorse the products or services of these vendors.

- Zone Labs, 1060 Howard Street, San Francisco, California 94103, (415) 341-8200, www.zonelabs.com
- Cisco Systems, 170 West Tasman Dr., San Jose, California 95134, (800) 553-6387, www.cisco.com
- Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, California 95014, (408) 517-8000, www.symantec.com
- Lucent Technologies, 600 Mountain Avenue, Murray Hill, New Jersey 07974, (888) 426-2252, www.lucent.com
- Sygate Technologies, 6595 Dumbarton Circle, Fremont, CA 94555, (510) 742-2600, www.sygate.com
- Net Screen Corporation, 805 11th Ave., Building 3, Sunnyvale, California 94089, (408) 543-2100, www.netscreen.com
- SonicWALL, 1143 Borregas Avenue, Sunnyvale, California 94089, (408) 745-9600, www.sonicwall.com
- Sun Microsystems, 4150 Network Circle, Santa Clara, California 95054, (800) 786-0404, www.sun.com
- Check Point Software Technologies, Three Lagoon Drive, Suite 400, Redwood City, California 94065, (650) 628-2000, www.checkpoint.com
- 3Com Corporation, 5500 Great America Parkway, Santa Clara, California 95052, (800) 638-3266, www.3com.com
- SMC Networks, 38 Tesla, Irvine, California 92618, (800) 762-4968, www.smc.com