Firewall Best Practices: Egress Traffic Filtering
Too many firewalls and access routers implement lax egress (outgoing) traffic handling policies. They allow hosts access to virtually any services outside their firewall without considering the consequences. Generally speaking, organizations should be as concerned with the origins and kinds of Internet-directed traffic as they are with incoming requests. More...
What does Windows Firewall Actually Do?
It's possible that no software upgrade has ever received as much, or as contradictory, attention as Windows XP Service Pack 2 (SP2). Before you decide what role Windows Firewall can play in your network, use this article to help you sort the myths from the realities, learn what Windows Firewall offers, and consider ways it can help your organization improve client system security. More...
Who's rattling my doorknob, and why...
Routine examination of firewall logging activity is an important task, even for small business firewall admins. Look at your firewall log over the past several weeks, and compare what you're seeing to what I'm observing as the most common probes. More...
What's that Entry in My Log?
Logs from Internet firewalls are vital sources of information. They provide a chronology of events that serves two purposes. First, logs provide a good picture of normal user behavior: what applications they use and when, where they visit, and how frequently. This information can help you determine how efficiently your Internet bandwidth is being used or whether it's being misused. It can help you confirm that the outgoing security policy you seek to enforce is correctly implemented. More...
Firewalls and DSL
This article relates a true story of a small business operator's experience with DSL, and how consumer information regarding personal firewalls sometimes misleads small business operators into falsely concluding they do not need SOHO firewalls. More...
Stepping Up to Windows XP: What to Expect at Your Firewall
Default installations of Windows XP (Home and Professional Editions) boot with a number of services that are not necessary for correct operation in home and many enterprise offices. These excess services can cause a few problems. This article helps you find and disable some XP services you might be better off without. More...
Routing and Your Firewall
If firewalls are inserted in network topologies without a complete reassessment of routing, intra- as well as internet communications can be disrupted. These two articles may help you consider what it means from a routing perspective to drop a firewall into your network, and could help you stop a routing mistake before you make it.
Isolate Your Wireless Network on External
Whether your employees connect from home over dial-up, cable modem or DSL; from a hotel's cable network; or from a LAN or WLAN in an Internet café or from anywhere in your office building or campus, every mobile computer poses a security risk. All of them must be treated as untrusted systems until they prove otherwise. Consider the most conservative method of connecting client computers to your trusted network: through the External, or public, interface on your firewall. More...
Comparing Firewalls to the Maginot Line
Bob Frankston's essay, Firewalls: The New Maginot Line, claims that firewalls are of themselves not a sufficient solution; that firewalls (generically) create a false sense of security, and that additional measures, placed closer to assets at risk (my term) are required to improve security. Using the term "firewall" generically rather damages the analogy. More...
Is http/80 your firewall's outbound ANY port?
Reviewing logs when you introduce a new application to your internal networks is always a good idea. By reviewing logs, you learn that some applications are well-documented and well-behaved, and use a well-known port as the gods intended. Increasingly, however, application developers are bending the rules, all in the name of ease of deployment and plug-and-play. More...
Use VLANs to Get More from Your Firewall
Virtual LANs (VLANs) break apart large networks into smaller pieces that are easier to maintain. Extending VLANs into your firewall takes this modularity to the next level. Instead of binding firewall policies to physical interfaces, VLANs can bind policies to virtual interfaces, maintaining independent rules for each logical workgroup. More...
Interdepartmental Firewalls: Where to Put Them (and Why)
The most common use of firewalls today is to enforce a security policy between an organization and the Internet. A less common but important use of firewalls is to enforce a security policy between departments, business units, or in very large organizations, between the "core" organization and its acquisitions, divestitures and joint ventures. More...
De-perimeterization is a crock...
"De-perimeterization" is popular among the VPN, application protection, and web services communities. It's another in the never-ending stream of labels that marketing wonks invent to distinguish what they are trying to sell from what everyone else is selling. It's a dumb and inaccurate term that only serves to confuse buyers. More...
Do I want a SOHO firewall or NAT box?
A post on the firewall-wizards mailing list asked whether a small office firewall offered more security than a NAT device. The ensuing thread reveals a lot about how difficult it is to characterize small office security and access products into these simple categories. One thing I'm very confident in stating is that all firewalls do NAT, but not all NAT devices do firewalling... More...
How and When to use 1:1 NAT
NAT describes any of the several forms of IP address and port translation. Use NAT to increase the number of computers that can share a single publicly routable IP address, and to hide the private IP addresses of hosts on your LAN. In this article, we'll examine 1:1 NAT, distinguish it from other forms of NAT, and explain when and how to use it. More... by David Piscitello
A number of the above articles were written for Watchguard Technologies' Live Security Service, and Watchguard products are frequently mentioned. The general discussion of the topics considered is applicable to other firewalls with similar feature sets.
Firewall Mailing Lists, FAQs and Other Resources like this page
Firewall Wizards: Security Mailing List
Fred Avolio's Security Articles, Presentations, and Papers
CSI Firewall Product Search Center maintained by Rik Farrow
Personal Firewall Day
IETF Firewall Working Group
CERIAS - Firewalls Page
Internet Firewalls: FAQs
Firewalls Forensics FAQ
Free Firewalls Configuration guide
ICSA Firewalls Buying Guide
General Firewall Resources
Windows Firewall Resources