Firewalls
A firewall is one of the tools used to secure a computer network. It can prevent unwanted access to departmental systems while also preventing local systems from attacking systems on other networks (those on the other side of the firewall). Firewalls require ongoing monitoring to ensure that they block unwanted access without unnecessarily restricting access to important computer resources, and that the firewall is operating as expected.
Firewall logs should also be reviewed regularly to evaluate traffic patterns, including denied connections. Installing and operating a firewall to protect a departmental LAN is only one of many criteria Network Administrators need to consider when determining the security requirements of their environment; a complete security assessment will help identify other areas of vulnerability. The open source firewall developed by I+TS is based on a widely accepted technique called packet filtering: each packet passing through the firewall is evaluated against rules set by the administrator and is either passed along or rejected. The firewall logs its activity to help the administrator determine whether an attack has been attempted.
To reduce administrative costs, this firewall can be administered locally (from the console) or remotely (over a secure connection). It can also be configured to watch a particular computer for new rules. No firewall can prevent malicious people from exploiting known vulnerabilities in software (as buffer overflow exploits and worms do), and this firewall is no different. What it does is ensure that the traffic entering and leaving the secured LAN is talking to the correct applications on the correct computers. A crucial point about this firewall is that it uses a low-level approach to configuration: the administrator must analyze his or her needs at the level of ports and packet types in order to choose the required permissions.
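Packet filtering as described above (an ordered rule set over addresses, protocol and ports, first match decides, anything unmatched is rejected, and denied traffic is logged for review) is shown here as an added Python example. This is illustrative code, not the I+TS firewall's own implementation; the LAN range, hosts and rules are constructed values.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional
class Packet(NamedTuple):
    src: str    # source address
    dst: str    # destination address
    proto: str  # "tcp", "udp" or "icmp"
    dport: int  # destination port (0 for icmp)

class Rule(NamedTuple):
    action: str           # "pass" or "reject"
    src_net: str          # CIDR the source must fall within
    dst_net: str          # CIDR the destination must fall within
    proto: str            # protocol name, or "any"
    ports: Optional[set]  # allowed destination ports; None means any port

    def matches(self, p: Packet) -> bool:
        # Every field the rule constrains must agree with the packet.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and (self.ports is None or p.dport in self.ports))

def filter_packets(rules, packets):
    """First matching rule decides; unmatched packets are rejected (default deny). Returns (verdicts, log)."""
    verdicts, log = [], []
    for p in packets:
        verdict = next((r.action for r in rules if r.matches(p)), "reject")
        verdicts.append(verdict)
        if verdict == "reject":  # log denied traffic so the administrator can review it later
            log.append(f"REJECT {p.proto} {p.src} -> {p.dst}:{p.dport}")
    return verdicts, log

def denied_by_port(log):  # protocol/port tally of denied traffic, the pattern an admin reviews
    return Counter(f"{line.split()[1]}/{line.rsplit(':', 1)[1]}" for line in log)

# Constructed example: departmental LAN 10.20.0.0/16 with one public web server.
LAN = "10.20.0.0/16"
RULES = [
    Rule("pass", "0.0.0.0/0", "10.20.1.10/32", "tcp", {443}),  # inbound HTTPS to the web server only
    Rule("pass", LAN, "0.0.0.0/0", "tcp", {80, 443}),          # LAN hosts may browse the web
    Rule("pass", LAN, "0.0.0.0/0", "udp", {53}),               # LAN hosts may resolve names
]
PACKETS = [
    Packet("198.51.100.7", "10.20.1.10", "tcp", 443),  # pass: the one exposed service
    Packet("198.51.100.7", "10.20.1.10", "tcp", 22),   # reject: SSH is not exposed
    Packet("10.20.3.44", "93.184.216.34", "tcp", 80),  # pass: outbound browsing
    Packet("10.20.3.44", "93.184.216.34", "tcp", 25),  # reject: LAN host may not send mail directly
    Packet("198.51.100.7", "10.20.3.44", "udp", 53),   # reject: inbound DNS to a workstation
]
```

Running `filter_packets(RULES, PACKETS)` yields `pass, reject, pass, reject, reject`, and `denied_by_port` over the resulting log gives one denied connection each for tcp/22, tcp/25 and udp/53.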
Commercially available products can simplify some configuration tasks by allowing the administrator simply to choose from a set of applications to be allowed or disallowed, but these products typically cost many thousands of dollars. However, adding this functionality to the I+TS-developed firewall would be hugely expensive.
The open source firewall is available to all departments on campus. I+TS also provides a service to assist departments in performing security evaluations of their networks.