Some IS managers are looking to install firewalls in order to secure interdepartmental communications
By Joe Paone
Although firewall vendors maintain that their products are just as appropriate for internal network deployment as they are for securing a company's Internet gateway, they have to admit that few firewalls are currently purchased for internal use. Using firewalls to police traffic between departments may seem redundant--a security task that could be handled better by cheaper means, including packet-filtering routers, directories, network segmentation, and authentication servers and access-control methods such as Kerberos and digital certificates.
But, armed with the knowledge that more IT security problems come from within one's organization than from the Internet, an increasing number of network managers seek to control, secure, and manage their intranet connections as tightly as possible.
"I've heard the arguments that intranet firewalls are unnecessary, and I just don't agree," says Steve Lopez, director of networking at the National Board of Medical Examiners in Philadelphia. "I think intranet firewalls are a definite must."
The board's network handles not only the standard sensitive data--such as human resources and financial information that most companies must secure--but also functions as the infrastructure through which graduate school examinations for medical students are designed and written. As a result, Lopez is vigilant when it comes to the integrity and security of the network's traffic and servers.
"You have no idea what's coming in and out of each department," he says. "With intranet firewalls, I have much tighter security and control."
Lopez says these firewalls enhance other security technologies such as authentication and authorization by providing effective, centralized management and control of departmental connections. "They give me logging capabilities that I can export, keep, and maintain, and they allow me to establish a time frame for access at the point of entry."
In contrast, routers filter IP addresses, not users. "Firewalls go past the physical layer and up to the network layer," NBME's Lopez says.
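The contrast Lopez draws, as an added illustration that is not from the article or any vendor's product: a router-style ACL matches only addresses and ports, while the intranet firewall rule below also requires an authenticated user, enforces an access time frame, and writes an exportable log record for every decision. The subnets, users and hours are constructed sample values.

```python
import ipaddress
import json
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple

@dataclass
class Conn:  # one connection attempt as seen at the point of entry (constructed shape)
    src: str
    dst: str
    port: int
    user: Optional[str]   # known only after authentication; a router never sees it
    at: time              # time of day of the attempt

# Router-style ACL: (source net, destination net, TCP port). Addresses only.
ROUTER_ACL = [
    (ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.5.0/24"), 1433),
]

def router_permits(c: Conn) -> bool:
    """A packet-filtering router matches addresses and ports; identity is invisible."""
    src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
    return any(src in s and dst in d and c.port == p for s, d, p in ROUTER_ACL)

@dataclass
class FwRule:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    port: int
    users: Set[str]                 # authenticated identities allowed through
    window: Tuple[time, time]       # access time frame, inclusive
# Same path as the router ACL, narrowed to two named users during business hours.
FW_RULES = [
    FwRule(ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.30.5.0/24"),
           1433, {"alice", "bob"}, (time(8, 0), time(18, 0))),
]
AUDIT: List[dict] = []   # exportable log, one record per decision

def firewall_decides(c: Conn, rules=FW_RULES, log=AUDIT) -> bool:
    """Match address, port, user and time window; log allow and deny alike."""
    src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
    allowed = any(src in r.src_net and dst in r.dst_net and c.port == r.port
                  and c.user in r.users and r.window[0] <= c.at <= r.window[1]
                  for r in rules)
    log.append({"src": c.src, "dst": c.dst, "port": c.port, "user": c.user,
                "time": c.at.isoformat(), "action": "ALLOW" if allowed else "DENY"})
    return allowed

def export_log(log=AUDIT) -> str:
    """Serialise the audit trail as JSON lines so it can be kept elsewhere."""
    return "\n".join(json.dumps(rec) for rec in log)
```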
Pros vs. cons
In other environments, however, intranet firewalls can be overkill.
Jim Hurley, director of operating environments at the Aberdeen Group Inc., a market-research consultancy in Boston, says companies should consider whether they have the staff to manage the firewalls and the management data and granularity they provide.
"People have been segmenting networks using IP filters for a long time, and they are still doing it," Hurley says. "If you use firewalls, who's going to manage all of that stuff?"
Despite the complexity they add, there are times when intranet firewalls make sense. For example, they could be effective when a branch office or department wants its own connection to the Internet or is connecting to other offices through a Virtual Private Network (VPN).
"One reason to use distributed firewalls throughout the enterprise is so branch offices can surf the Net without having to go through an encrypted connection back to the enterprise firewall," says Tony Rosati, vice president of business development and marketing at TimeStep Corp. in Kanata, Ontario, which offers VPN devices that come with built-in firewalls from Check Point Software Technologies Ltd.
New on the market
In the past, it was rare for vendors to address intranet firewall concerns with their products in any depth. IS managers who want these functions have often taken the initiative themselves, acquiring standard firewall technology and adapting it to their intranets.
But as more IS managers realize the importance of intranet security and convince upper management to increase their budgets for that security, firewall vendors are sure to produce increasingly specialized intranet versions.
Recently, for example, CyberGuard Corp. announced IntraNT, a firewall designed specifically for securing intranets; the company expects to begin shipments by the end of this year.
IntraNT offers proxies for workgroup applications running on Microsoft Windows NT, such as Lotus Notes and Oracle Corp. SQL*Net.
The proxies provide authentication and data integrity, and they also hide intranet system addresses and user names in mail and news headers. The product includes the most widely used Internet-related application proxies, such as HTTP (HyperText Transfer Protocol), FTP (File Transfer Protocol), and telnet.
Network managers may be concerned that intranet firewalls can be network bottlenecks. In the case of CyberGuard's product, network managers interested in improving performance can turn the proxies off and use the firewall simply to perform packet filtering. But doing so negates most of the unique firewalling capabilities and essentially leaves you with a costly router. Further displaying intranet-related characteristics, the CyberGuard firewall has an option that provides security for holes in Windows NT when it acts as a network OS.
Although it is untested in production environments, development of IntraNT provides an outline of features that network managers should look for in evaluating an intranet firewall.
Potential customers should ask firewall vendors what their products can do at the intranet level now and what they will be able to do in future releases. Then build in extra time for when those new versions will actually be functional. But in any case, this concept is something else to think about in Internet-influenced environments.
Copyright ©1995-1998 Cryptosoft GmbH