When you look at your firewalls and security policy, it's helpful to learn two new terms: "client-protecting" and "server-protecting."
When a firewall sits between the Internet and users browsing the Web, that constitutes "client-protecting." For example, if a user tries to go to a malware site, and the firewall blocks the malware from being downloaded, that's client-protecting behavior.
At the other end of the spectrum is "server-protecting," which means that the firewall is protecting your servers from attack or infection. For example, if someone tries a known SQL injection attack on your web server -- whether it is vulnerable or not -- and the firewall IPS blocks it, that's server protection.
The reason we need these terms is that you configure your firewall very differently depending on whether you are protecting clients or servers. In fact, the configurations and requirements are so different, that you should consider having different firewalls for your servers and for your clients. That's not always the right answer, but it can simplify things dramatically, because you can focus on what you are protecting and where the vulnerabilities are.
The problem comes in when you are trying to mix client-protecting and server-protecting configurations in the same box. Some firewalls don't let you apply protections in different ways to different types of traffic. Sometimes it's just very confusing to keep straight whether the firewall is protecting clients or servers, because documentation and configuration tools are very commonly ambiguous about which direction things are flowing. And sometimes it's a cost question: when you pay subscription fees for services such as antivirus and intrusion prevention, it may be less expensive to pay for just what you want to protect on two smaller systems, rather than a single larger one that has to have every protection turned on for every user.
If you only have a few visible servers on the Internet, such as an email server and an "intranet"-style Web server or VPN gateway, then you are mostly client-protecting. In that case, two firewalls may be overkill, and you can probably accomplish what you need to do with a single system.
But if you have a pile of servers providing Web content, e-commerce, and other public services out to Internet users, you'll want to think hard about separating those servers and their firewall and Internet connection from the one that allows your end users to do Web browsing, instant messaging, and other work and non-work related Internet access. This has a number of benefits.
For example, a user who is intentionally or unintentionally saturating your Internet connection or the UTM firewall won't impact traffic to your e-commerce or websites if the connections and firewalls are separate. If something goes wrong and there's a denial-of-service attack against your web servers, which can slow or halt firewalls by filling session tables, then end-users will still be able to get their job done because their firewall won't be locked up. Conversely, if your end users become infected with a Trojan horse and their PCs are turned into attack machines, when they lock up their firewall, it won't affect incoming traffic to the server side of the house.
There's no rule that you should always follow -- and separating out functions too much can lead to a different problem, a proliferation of firewalls that become a management nightmare. However, these guidelines may help you make the best decision for environments of 10 to 1,000 users:
- If your network is entirely client-protecting, or is client-protecting with just a few incoming services, such as email, then one firewall (or a pair of firewalls configured as a high-availability pair) is probably all you need.
- If your network has a combination of lots of clients and lots of servers in the same buildings, all providing open access to Internet users for applications such as Web serving and e-commerce, then you should consider separate firewalls and possibly separate Internet connections.
- If your business is heavily Internet-focused, where a huge portion of your employees are using the Internet constantly, or a large amount of your revenue is dependent on Internet e-commerce, then you definitely want to use multiple sets of firewalls, each configured in high-availability mode, and multiple connections to provide both reliability and scalability.
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
Send comments on this technical tip to firstname.lastname@example.org.
This was first published in March 2009