Firewall and IDS architecture setup for SMBs


Joel Dubin, Contributor
05.11.2006
Firewalls and intrusion detection systems (IDS) are essential parts of a small or medium-size business's (SMB) network and its security. With the number of attacks on SMBs on the rise, a robust system is equally important for an SMB as it is for a large enterprise. And despite the challenges of recent Web and application-level attacks, a strong perimeter defense of firewalls -- as old-fashioned as it may sound -- is still necessary to protect your SMB.

But with tighter budgets and smaller staffs, you need to carefully plan where to place and set up these important network tools. As with other IT projects, the key to keeping costs and maintenance in check is careful planning.

Here are some best practices for setting up and administering a network firewall and IDS for an SMB:

Two basic firewall architectures can be assembled at a reasonable cost, even by SMBs: the dual firewall and the bastion host firewall.

A dual firewall consists of two firewalls with bastion hosts in between. One of the two firewalls faces the Internet and is the external interface of your network, and the other is the gateway between your internal network and the demilitarized zone (DMZ), the protected portion of your network between the two firewalls. The DMZ has the advantage of being accessible to both your internal network and the external Internet, while -- as the name DMZ implies -- being a protected zone carefully restricting traffic between the two. Don't skimp on the added protection of cushioning your DMZ between two layers of firewalls. And don't be put off by the seemingly added expense of the three parts of a dual firewall.

Bastion hosts are hardened servers with limited access and unneeded services turned off. They are proxy servers, each a firewall in its own right, and each one should host only one service needed by your network. In other words, set up a separate bastion host for each such service, such as one for Simple Mail Transfer Protocol (SMTP) for your e-mail and another, say, for HTTP for your Web servers.

Network segmentation

Before setting up your firewall system, carefully plan how to segment your network. Think about the following: the number of offices requiring network and Internet access; the geographic dispersal of your offices; and how your different departments should be separated. Your marketing department shouldn't have the same network and Internet access as your IT team or accounting department. Each may require different firewall rules.

Though segmentation is important, if your organization isn't large enough to firewall off individual networks, your firewall system should be installed in a physically secure central location. Sounds like a single point of failure? Yes, it could be. But set up clusters to provide redundancy and failover in case of an outage or other calamity.

Set up dedicated IDS servers on network segments, rather than on individual hosts, both in the DMZ itself and inside your internal network on the other side of the screening router demarcating the interior border of the DMZ. This checks your traffic twice, on both sides of your firewall, and verifies that the firewall is doing its job.
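The dual-firewall layout above and the two-sided IDS check can be expressed as a small policy model. This is an added example, not configuration from the article or from any vendor named in it; the zones, addresses, the two bastion hosts (SMTP and HTTP, one service each) and the internal mail server are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (documentation and private ranges), not the article's.
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.10.0.0/16")
MAIL_BASTION = ip_address("192.0.2.25")    # bastion host running only the SMTP proxy
WEB_BASTION = ip_address("192.0.2.80")     # bastion host running only the HTTP proxy
INTERNAL_MAIL = ip_address("10.10.1.25")   # mailbox server on the internal network
BASTION_SERVICE = {MAIL_BASTION: 25, WEB_BASTION: 80}   # exactly one service per bastion

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone(ip):
    return "DMZ" if ip in DMZ else "INTERNAL" if ip in INTERNAL else "INTERNET"

def external_firewall(f):
    """Internet-facing firewall: inbound traffic only to a bastion's single service."""
    s, d = ip_address(f.src), ip_address(f.dst)
    if zone(s) == "INTERNET":
        return zone(d) == "DMZ" and BASTION_SERVICE.get(d) == f.dport
    return True  # outbound traffic from the DMZ or the inside passes this layer

def internal_firewall(f):
    """Gateway between the DMZ and the internal network."""
    s, d = ip_address(f.src), ip_address(f.dst)
    if zone(d) == "INTERNAL":
        # Only the mail bastion may enter, and only to the mailbox server on 25/tcp.
        return s == MAIL_BASTION and d == INTERNAL_MAIL and f.dport == 25
    return True  # internal hosts may reach the DMZ proxies and, through them, the Internet

def allowed(f):
    """A flow must satisfy every firewall on its path; Internet<->internal crosses both."""
    zones = {zone(ip_address(f.src)), zone(ip_address(f.dst))}
    checks = []
    if "INTERNET" in zones:
        checks.append(external_firewall)
    if "INTERNAL" in zones:
        checks.append(internal_firewall)
    return all(chk(f) for chk in checks)

def firewall_leaks(inner_ids_flows):
    """Flows the IDS inside the internal firewall saw that policy should have dropped."""
    return [f for f in inner_ids_flows if not allowed(f)]
```

Feeding the inner sensor's observed flows to `firewall_leaks` is the "checks your traffic twice" idea: anything it returns reached the internal segment despite the policy and points at a firewall misconfiguration.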

Tips for administering a firewall

Vendors that offer affordable firewalls for small or medium-sized businesses include Juniper Networks Inc., SonicWALL Inc., NetScreen and Check Point Software Technologies Ltd. They're all nimble enough for small players and can be set up as part of a dual firewall system. Cisco PIX also offers a line of firewalls for the smaller enterprise. On the IDS side, Nessus and Snort are two popular products that are lightweight enough for small networks but strong enough to have stood the test of time.

Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security, which has more details about basic firewall and IDS architectures.


All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy