Why small businesses need firewalls

I have been spending time this week at a small media company called Mercury Labs. Despite their name, they don’t normally test anything, but ironically that is what I have been doing there. I was testing a bunch of integrated network security devices for Network World. These devices cover what is called unified threat management, but you can think of them as network firewalls with additional features, such as the ability to scan incoming and outgoing traffic for viruses and spam, block phishing URLs, and set up a secure virtual private network connection when you are on the road. I’ll call them advanced firewalls here for convenience.

I have a long history of testing these tools. Almost seven years ago, one of the Techtarget publications had me looking at them for larger enterprises, and I went out to the central IT department at Stanford University to put them through their paces. This time around, I wanted to find a small business site for the tests that I was going to be doing for Network World. That’s why I was over at Mercury this past week.

They have about 10 Macs connected to an Apple Airport, which is the center of their network, providing IP addresses, wireless connections and a shared hard drive to the entire office. The Airport is attached to a cable modem and the Charter broadband network.

Wait a minute. Don’t you need a firewall if you are going to connect your network to the badass Internet? Yes, and Mercury knew they were taking chances. A firewall is just the basic separation that keeps the bad guys from getting inside your network and causing havoc. That is why they were the perfect testing site. They were vested in my review and what I would find out about these products and their specific needs.

Interestingly, it isn’t just small businesses that don’t have firewalls. When I arrived at Stanford, the central network didn’t have any either. Partly that was because of some odd notion of academic freedom, but back then they realized they had to get better protection. Ironically, while I was doing my tests there we saw someone try to reach out from Germany one morning. Luckily, they had other defenses that prevented them from doing any damage, but it emphasized the reason why I was there testing these products. And coincidentally, when we brought up the advanced firewalls at Mercury, we could see all the network traffic where folks were continually scanning and looking for ways to enter their network too. It was a sobering illustration of why these products are essential.

When I first arrived on scene, I went into their phone closet where I tried to suppress a gasp. Yep, this was your typical small business: part storage room, part cable jungle, and mostly a mess. It was clear that trying to figure out the network topology was going to be a challenge, and my first act was to leave everything alone.

Inside the closet were two small gigabit switches from DLink that looked like they had been around since the days of DOS. This worried me, but since things were working, I wasn’t too concerned. Yet.

One of the vendors that were part of the test insisted on sending a product engineer to help with my testing, and I am sure glad that he was there. When we cut over to his device instead of the Airport, things initially went south. Turns out we found a bug in their firmware. Once that was fixed, all of the wireless Macs were quickly brought up on the network behind the new firewall. But the wired Macs had trouble connecting. It took a few reboots before we got everyone back on board. It was ironic that the wireless portion of their network was easier to bring up than their wired portion. That was thanks to the wonky cabling in the closet.

So what are some takeaways from this experience?

If you are running gigabit Ethernet to your desktops, make sure your cable plant is up to snuff. Part of my problems had to do with the older cables used to connect things in their wiring closet. There is a difference between Cat5 and Cat5e, especially if you want to run the faster networks these days. Make sure you are using the right cables.

Disconnect any unused wired ports in your office. This is just basic security practice, but it bears repeating. And if your wiring contractor hasn’t done so, you should label your ports in the walls and in your closet so you can track things down more easily.

Understand the limitations of your core network gear, including switches, routers, firewalls, and wireless access devices. Your network installer should explain these things in terms that you can understand.

Have a separate guest network with the appropriate security measures. The Mercury folks were using the Airport guest network features, which were bare bones. One of the reasons they wanted to go to the advanced firewall was to provide better protection from their frequent guests and contractors who were going to be connecting in their offices.

Oh, and what happened with my review for Network World? Well, you will have to wait and read about it in their pages. I can tell you that I learned some interesting things about all the products that I tested.

8 thoughts on “Why small businesses need firewalls”

  1. Thanks for the story and even more for the help. It was fun to take a break from building public relations for technology cos and getting to focus attention on our own infrastructure. We are no longer the shoemaker’s children with no shoes, now we are committed to this investment for ourselves.

  2. This critical piece of a business’s layered security is often left in the closet and ignored. Not a good idea in today’s environment. Looking forward again to your timely and informative article!

  3. Good evening David,

    Thanks for a very revealing article. It gave me much to think about when my start-up expands to a central office. Currently the company, Rockhound Boring Products, LLC, has four partners, each working out of their home and/or private office. My question is, Is there a relatively easy and less expensive way for all of us to communicate via our computers? We are currently having our websites created so is there a way we can accomplish this through our site? Thanks again for your blogs. I really enjoy them and learn a lot.

    Chuck Lee
    Partner- Secretary/Treasurer
    Rockhound Boring Products, LLC
    314-791-3564

  4. Gigabit switches could not have been around since the days of DOS. DOS was almost gone by the time 100Mbps Ethernet hit the scene. A little hyperbole doesn’t hurt, though. As the Irish say, “Never ruin a good story with the truth!”

    ANYONE cabling these days should use CAT6 or CAT6a or even fiber to allow for 10Gbps speeds. You may think it is overkill, but you don’t want to touch your cable plant for 10+ years if you can possibly help it. My rule is to “gold plate” your cable plant. Do a really good job on it. Document it well. Label the ports and the cables. Make sure it meets the relevant specification with testing. Draw as much data and electrical connectivity to an area to allow for any conceivable future growth as redoing it later is very disruptive and expensive. Anyone who cheaps out on their cable plant tends to regret it.

    I disagree. Keep all your network ports “hot” if you can, so you can plug something in as needed. Having to get someone to go into a locked closet can be a real inconvenience. If they are in your office anyway, they could just disconnect another machine and plug in so you aren’t gaining any real security.

    Of course, multiport firewalls providing “service networks,” or different classes of service for each port based on policies you set, are needed for businesses. The firewall/UTM devices also need to support many more simultaneous connections and higher bandwidth, even under severe load from encryption/decryption and packet inspection rules. Firewalls/UTMs *interior* to the larger network may be needed to form point to point VPNs, offload processing, or separate more secure regions of the network. Many businesses try to get away with residential class firewall/UTMs and have unpleasant experiences. I like firewalls that can support multiple connections out to the Internet or a WAN with rules to optimize the links and multiple service network zones for Internet accessible servers, contractors, and the production LAN.

    Most Microsoft and other trained technicians won’t do well configuring a firewall. Get professional help.

    Don’t think the firewall/UTM will protect you from everything or that it will do everything you should be doing. Spam blocking, web filtering, bandwidth management, link optimization, and other features may be unavailable, poorly implemented, cost too much in overhead, be deficient in functionality, or have other detriments.

    One thing firewall/UTM products are *not* is endpoints for a communication. This is *not* true of the IPAD Secure Server I’ve been running on my network for years. And, no, you won’t find it in your Network World set of firewalls. It is a true endpoint for anti-spam, e mail, FTP, DNS, CIFS, Web, Telnet, list services, web and e mail router, and other services as well as being a multiple service network firewall.

    There are many ways to deal with security issues, but the most important issue is to educate both the internal IT staff, if any, and the end users. They have to know and support what you are doing because good security is *not* a magic pill or a firewall/UTM. It is policy, procedure, goals, standards, management, products, training, implementation, support, and end user buy in. Security is a process, not a one time event. It is a new way to live (more safely).

    Lastly, security is all about creating layers of protection, and the last layer is an informed staff. If something is out of the ordinary or threatens safety, they need to be able to identify it and know where to go to get help.

  5. BTW–The story you have isn’t unusual. Many cable plants would make a spider cry. “Neglected” networks make guys like me cry, too. Many of them are like this. People will do something “when they get around to it” = never.

    Perhaps you should promote the idea that people need to take regular and professional care of their computers and networks. We get the oil changed on our cars like clockwork, but do we do the equivalent with our computers, our networks, and our data? We have a silly idea (fostered by the industry) that everything is simple if it has a graphical user interface and anyone can be their own support. Well, I’m OK with band-aids, but I don’t operate on myself. It isn’t a failing to ask for help, it’s smart! Admit that you are incompetent in many areas of your life and you will be happier. I must be the greatest father ever, because my son isn’t even a teenager (he’s 7), but for years he has considered me a mortal embarrassment and a complete idiot. Wow! I’m years ahead of my time.

    Oh, and you *are not* safe. Something *will* happen to you. Perhaps it already has and you don’t know it! Most people like to feel safe, so security is something everyone wants, but no one wants to implement or pay for. And, if it works, how do you know? It may be difficult to see something *not* happening. So, most people get really serious about security, like backup, after a disaster. The only way to get around this is often to talk to someone like me who might scare you a bit. You buy insurance, right? The first thing a life insurance salesman does is kill you. Then he says, “Now what?”

    If you feel uncomfortable now, perhaps you don’t need to talk to a therapist, but to someone who can deal with your fears about weak security.

  6. I look forward to your NW review, David.

    To comment on something Tony said:

    > Keep all your network ports “hot” if you can, so you can plug something in as needed.

    If you can plug in, so can anyone else. To see why this could be really harmful to your business, look up “pen test drop box”.

    > Having to get someone to go into a locked closet can be a real inconvenience.

    Hopefully you’re using manageable switches, on which your admin can enable/disable the necessary port from their desk.

    > If they are in your office anyway, they could just disconnect another machine and plug in so you aren’t gaining any real security.

    This is the reason for using port security on a switch, to limit the number of ethernet addresses it will accept before locking out a port.

    • Evang, I’ve been in environments where you don’t energize a port unless it is needed. But, that isn’t enough. Someone could just unplug a device and plug another one in. For that, you need to have MAC filtering. In most environments, the convenience factor of being able to connect is of great value to the business. Non-production ports could be set up as being on an “untrusted” network segment. If you really were paranoid, you could have everyone on the network communicating via SSL or some other form of encryption where they have to log in first. The pain of implementing these more invasive types of security means that they will often be circumvented. Also, the IT maintenance costs are very high, so management won’t like it. Security is always a balance.
