Firewalls & Employee Internet Usage Monitoring 

A good overall security strategy to defend your company’s computer network is to have multiple layers of protection.  Having a good firewall is a very important component of the overall design.  In the past, a firewall’s main function was simply to block the entry points so that outsiders could not get into your network without your knowledge.  Now firewalls do much more to protect your network from all that lurks on the internet.

The device that your internet service provider (ISP) gave you to permit users to connect to the internet is probably not enough these days.  Most likely it only does NAT (network address translation) which, while better than nothing, basically hides internal IP addresses.  ISPs will call it a ‘firewall’ but it’s only a start.

Broadly speaking there are three levels of protection in firewalls: basic packet filtering, stateful inspection, and deep packet inspection.  Basic packet filtering looks only at the source and destination information in the header of a packet (the smallest unit of a transmission).  Stateful inspection goes further in that it tracks the outgoing packets and makes sure the incoming packets truly relate to what was requested.  Deep packet inspection (DPI), sometimes known as application layer filtering, examines all of the data in the packet, not just the header, to see whether the data actually matches the ports and protocols the packet claims to be using, given the application that requested it.  Firewalls with DPI are less likely to be “spoofed” – tricked into believing that a request is valid.  With the considerable decrease in the cost of DPI technology, every company that cares about its data or productivity should use it.
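The three levels described above, as an added toy model (not code from this article or from any firewall vendor): a header-only filter, a stateful tracker that admits only replies to requests an inside host sent, and a DPI check that confirms traffic on the web port really is HTTP. The internal address range, ports and sample packets are constructed for the illustration.

```python
from collections import namedtuple

# Constructed packet model: header fields plus payload; inbound=True means the
# packet is arriving from the internet.
Packet = namedtuple("Packet", "src dst sport dport inbound payload", defaults=(b"",))
LAN_PREFIX = "10.0.0."          # assumed internal address range
WEB_PORTS = {80, 443}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def packet_filter(p):
    # Level 1: header only. An inbound packet passes if it merely comes from a
    # web port, which is all a header check can tell.
    if p.inbound:
        return p.dst.startswith(LAN_PREFIX) and p.sport in WEB_PORTS
    return p.src.startswith(LAN_PREFIX) and p.dport in WEB_PORTS

class StatefulFirewall:
    # Level 2: remember outbound requests and admit an inbound packet only if
    # it is the reply to a request an inside host actually sent.
    def __init__(self):
        self.flows = set()

    def allow(self, p):
        if not packet_filter(p):
            return False
        if not p.inbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows  # a reply swaps ends

class DeepPacketInspector(StatefulFirewall):
    # Level 3: the stateful checks plus a look at the data itself. Outbound
    # traffic to port 80 must really be HTTP, not another application borrowing the port.
    def allow(self, p):
        if not p.inbound and p.dport == 80 and p.payload and not p.payload.startswith(HTTP_METHODS):
            return False
        return super().allow(p)

def sample_run():
    # Constructed traffic run through each level; returns the allow/deny verdicts per packet.
    traffic = [
        Packet("10.0.0.5", "203.0.113.9", 51000, 80, False, b"GET / HTTP/1.1\r\n"),
        Packet("203.0.113.9", "10.0.0.5", 80, 51000, True, b"HTTP/1.1 200 OK\r\n"),
        Packet("198.51.100.7", "10.0.0.5", 80, 40000, True),  # unsolicited "reply"
        Packet("10.0.0.5", "203.0.113.9", 51001, 80, False, b"\x00\x01not-http"),
    ]
    stateful, dpi = StatefulFirewall(), DeepPacketInspector()
    return {"packet_filter": [packet_filter(p) for p in traffic],
            "stateful": [stateful.allow(p) for p in traffic],
            "dpi": [dpi.allow(p) for p in traffic]}
```

Only the header filter lets the unsolicited packet through, and only DPI stops the non-HTTP data on port 80; each level catches what the one below it cannot see.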

Additional features are making firewalls even more beneficial.  Many now offer options such as anti-virus, anti-spyware, content filtering, and intrusion detection.  The first two features are straightforward – add a layer to stop the viruses and spyware as they are knocking on your door.

More and more frequently we have requests from clients asking if it is possible to limit specific employees to just the web sites that are necessary for carrying out the workers’ duties.  The answer to this question is yes.

One popular firewall device for small businesses made by Sonicwall is called the TZ170 which, depending on options, goes for about $425 to $1,000 and is fairly representative of the devices available today.  The TZ170 is a firewall capable of stateful inspection, DMZs, and VPN.  Sonicwall offers an option that includes deep packet inspection, a standard content filter (about 12 categories), and one year of service.  The DPI option allows you to block applications such as music sharing or instant messaging.  This option supports white lists and black lists, allowing your IT department to add or remove sites that end users can visit.  It is also possible to track which sites your users have been visiting through Sonicwall’s View Point software.

Sonicwall offers a more sophisticated content filter in the CSM2200.  This device is used in conjunction with a firewall.  Its main advantages are that it offers more categories to filter on, more advanced control of users, groups of users, and websites, and bandwidth management.  Bandwidth management allows you to see if employees are using the company internet connection to stream music or play online games.  The CSM2200 (50 users) with one year of updates goes for around $2,275.  Additional years cost anywhere from $300 and up depending on user count and service level.



Copyright 2013 Beachwood Systems Consulting, Inc.  *  216-823-1800