Problem solve Get help with specific problems with your technologies, process and projects.

Firewall architectures for SMB networks

This tip offers best practices for setting up and administering a network firewall and IDS for an SMB, keeping in mind tight budgets and smaller staffs.

While SMBs still need essential network security equipment such as firewalls and intrusion detection systems, these organizations are often limited by tight budgets and smaller staffs. This tip, reposted courtesy of, offers value-added resellers (VARs), security consultants and systems integrators best practices for setting up and administering a network firewall and IDS for an SMB.

More network security tips for channel professionals
Visit for more network security tips and expert advice specifically tailored for value-added resellers, security consultants and systems integrators.

Firewalls and intrusion detection systems (IDS) are essential parts of an SMB's network and its security. With the number of attacks on SMBs on the rise, a robust system is equally important for an SMB as it is for a large enterprise. And despite the challenges of recent Web and application-level attacks, a strong perimeter defense of firewalls -- as old-fashioned as it may sound -- is still necessary to protect your SMB.

But with tighter budgets and smaller staffs, you need to carefully plan where to place and set up these important network tools. As with other IT projects, the key to keeping costs and maintenance in check is careful planning.

Here are some best practices for setting up and administering a network firewall and IDS for an SMB.

The basic firewall architectures can be assembled at a reasonable cost, even for SMBs. These are dual firewalls and bastion host firewalls.

A dual firewall consists of two firewalls with bastion hosts in between. One of the two firewalls faces the Internet and is the external interface of your network, and the other is the gateway between your internal network and the demilitarized zone (DMZ), the protected portion of your network between the two firewalls. The DMZ has the advantage of being accessible to both your internal network and the external Internet, while -- as the name DMZ implies -- being a protected zone carefully restricting traffic between the two. Don't skimp on the added protection of cushioning your DMZ between two layers of firewalls. And don't be put off by the seemingly added expense of the three parts of a dual firewall.

Bastion hosts are hardened servers with limited access and unneeded services turned off. They are proxy servers, each a firewall in its own right, and each one should host only one service needed by your network. In other words, set up a separate bastion host for each such service, such as one for Simple Mail Transfer Protocol for your email and another, say, for HTTP for your Web servers.

Network segmentation

Before setting up your firewall system, carefully plan how to segment your network. Think about the following: the number of offices requiring network and Internet access; the geographic dispersal of your offices; and how your different departments should be separated. Your marketing department shouldn't have the same network and Internet access as your IT team or accounting department. Each may require different firewall rules.

Though segmentation is important, if your organization isn't large enough to firewall off individual networks, your firewall system should be installed in a physically secure central location. Sounds like a single point of failure? Yes, it could be. But set up clusters to provide redundancy and failover in case of an outage or other calamity.

Set up dedicated IDS servers on network segments, rather than on individual hosts, both in the DMZ itself and inside your internal network on the other side of the screening router demarcating the interior border of the DMZ. This checks your traffic twice, on both sides of your firewall, and verifies that the firewall is doing its job.

Tips for administering a firewall

Keep all databases, or other systems with confidential customer information, tucked away inside your internal network and not in your DMZ. The same goes for any encryption keys or other mission-critical internal systems you wouldn't want exposed to the outside world.

Use your networking staff to administer your firewalls and IDS if you don't have a dedicated information security team. Setting up firewalls is part of a day's work for networking types, and they should already have the appropriate skills without having to look for dedicated security professionals. Set up paging on your IDS to alert networking staff members of intrusion attempts and possible incidents.

Establish firewall rules as a joint effort between the business and IT (or networking) staff. Make sure they work for everyone and aren't too restrictive or too open. Policies must include what types of applications and traffic are allowed into and out of your network through your firewalls.

Have regular audits and log reviews to tune up your perimeter defenses and see if there are patterns in the types of attempted intrusions.

Vendors that offer affordable firewalls for small or medium-sized businesses include Juniper Networks Inc., SonicWALL Inc., NetScreen and Check Point Software Technologies Ltd. They're all nimble enough for small players and can be set up as part of a dual firewall system. Cisco PIX also offers a line of firewalls for the smaller enterprise. On the IDS side, Nessus and Snort are two popular products that are lightweight enough for small networks but strong enough to have stood the test of time.

About the author
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP, specializing in Web and application security, and the author of
The Little Black Book of Computer Security, which has more details about basic firewall and IDS architectures.

This tip originally appeared on


Dig Deeper on Managed network security services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.