

Keeping Your Network Safe And Sound
By Chris Lewis
When you purchase a firewall, you do so with the belief that it will provide secure access to an external network and give external users access to a limited amount of data. Spending money on a firewall will surely get management's attention, so use this opportunity to review corporate security policies and procedures.
A firewall--along with password policies for sensitive systems, data encryption, data backup and user account management--helps to form an organization's overall security policy.
A network manager can follow a few logical steps to ensure he or she is getting the most firewall protection for the money. First, decide just how secure you need your network to be. For example, a network with access to financial transaction systems warrants more restrictive security precautions than one with access to office planning documents. Be clear about what you're protecting, what its value is and what type of damages would be incurred if a hacker gained access to your internal network.
The Shopping List
The National Computer Security Association (NCSA) has defined what a good firewall should be capable of (see www.ncsa.com/fpfs/fwct20.html) and has certified firewall products that meet its criteria (www.ncsa.com/fpfs/fwindex.html). In addition to looking at the NCSA's findings, you'll need to consider four major issues when selecting a firewall.
· Remote management. Being able to monitor the firewall from your desk or home office and have it notify you of significant events as they occur is not just convenient--it's important. Additionally, if your network has to accommodate multiple secure connections to external networks in geographically dispersed locations, remote management is a must. Without remote management, changing passwords and implementing new security policies can be burdensome. However, enabling remote management can open a hole into your network. Simple Network Management Protocol (SNMP) or telnet management of the firewall device may be the basic option, but proprietary remote management mechanisms are substantially more secure.
We recommend a firewall device that supports both in-band and out-of-band management. In-band is usually delivered via a GUI, using part of the production network bandwidth. Out-of-band is usually a command-line interface that can be accessed over a dial-up modem.
· Hardware or software. Firewalls come as complete hardware and software packages, or as software-only solutions that you install on a computer dedicated to the job. Some vendors argue that setting up Windows NT or Unix in a secure fashion is a complex task and that firewall software installed on a computer with poor operating system-level security doesn't make for a secure firewall. These vendors will try to sell you a total hardware and software package that may use a proprietary operating system. The vendors' claims have some truth, but the choice comes down to how comfortable you are with your ability to set up a secure operating system.
We prefer proprietary operating systems on a combined hardware and software platform, since these are generally more secure and can be optimized for performance.
· Session tracking. Controlling connection-oriented protocols like TCP is easier than controlling User Datagram Protocol (UDP), a connectionless protocol (see "Peeling Away Communication Layers"). To get answers to Domain Name System (DNS) queries and other services that use UDP, you must allow packets (with port numbers higher than 1,023) that use UDP into your network. Once you've done so, it can be difficult to track whether other incoming packets are part of a legitimate conversation between internal and external machines, or if they have been generated by a hacker trying to hijack a conversation.
Newer firewall products, like AbirNet's SessionWall, let you track and control individual sessions communicating through the firewall. This is usually achieved by the firewall tracking source port numbers from within the internal network and dropping packets that are destined in-bound for port numbers other than those tracked.
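The port-tracking behavior described above, written out as an added example (it is not code from the article or from any vendor's product): outbound UDP registers a session keyed on the internal source port, and an inbound datagram is admitted only if it answers a tracked session that has not timed out. The internal prefix, the 30-second timeout and the addresses in the trace are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class UdpSessionTracker:
    """Stateful filter: inbound UDP is admitted only as a reply to a tracked outbound flow."""

    def __init__(self, internal_prefix, timeout=30.0):
        self.internal_prefix = internal_prefix  # constructed: "10.0.0." marks the inside
        self.timeout = timeout                  # seconds a session stays valid without traffic
        self.sessions = {}                      # (int_ip, int_port, ext_ip, ext_port) -> last seen

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def filter(self, pkt, now):
        """Return 'allow' or 'drop' for pkt observed at time `now` (seconds)."""
        outbound = self.is_internal(pkt.src_ip) and not self.is_internal(pkt.dst_ip)
        inbound = self.is_internal(pkt.dst_ip) and not self.is_internal(pkt.src_ip)
        if outbound:
            # Remember the internal source port so the answer can be matched later.
            self.sessions[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
            return "allow"
        if inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            last_seen = self.sessions.get(key)
            if last_seen is None or now - last_seen > self.timeout:
                self.sessions.pop(key, None)   # unsolicited, or the session has gone stale
                return "drop"
            self.sessions[key] = now
            return "allow"
        return "drop"  # traffic that never crosses the boundary is not the firewall's path


def demo():
    """Constructed trace: one DNS query followed by replies, some legitimate, some not."""
    fw = UdpSessionTracker("10.0.0.")
    trace = [
        (Packet("10.0.0.5", 40123, "192.0.2.53", 53), 0.0),     # query to the resolver
        (Packet("192.0.2.53", 53, "10.0.0.5", 40123), 0.1),     # genuine reply
        (Packet("198.51.100.9", 53, "10.0.0.5", 40123), 0.2),   # reply from the wrong host
        (Packet("192.0.2.53", 53, "10.0.0.5", 40999), 0.3),     # untracked internal port
        (Packet("192.0.2.53", 53, "10.0.0.5", 40123), 45.0),    # reply long after the timeout
    ]
    return [fw.filter(pkt, t) for pkt, t in trace]
```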
· Network design. The design of your network will dramatically affect your firewall's efficacy. "Sample of Secure Internet Connection" (at left below) shows how a secure firewall connection can be implemented using multiple firewall devices. Of course, you can use just one device to firewall a network, but doing so will provide less security.

Updated September 24, 1997