Firewalls & Employee Internet Usage Monitoring
A good overall security strategy to defend your company’s computer
network is to have multiple layers of protection.
Having a good firewall is a very important component of the
overall design. In the past,
a firewall’s main function was simply to block the entry points so that
outsiders could not access your network without your knowledge.
Now they do much more to protect your network from all that lurks
on the internet.
The device that your internet service provider (ISP) gave you to permit
users to connect to the internet is probably not enough these days.
Most likely it only does NAT (network address translation) which,
while better than nothing, basically hides internal IP addresses.
ISPs will call it a ‘firewall’ but it’s only a start.
Broadly speaking there are three levels of protection in firewalls:
basic packet filtering, stateful inspection, and deep packet inspection.
Basic packet filtering looks only at the transmission source and
destination information in the header of a packet (smallest unit in a
network transmission). Stateful
inspection goes further in that it tracks the outgoing packets and makes
sure the incoming packets truly relate to what was requested.
Deep packet inspection (DPI), sometimes known as application
layer filtering, examines all of the data in the packet, not just the
header, to see if it makes sense for that packet to be using the set of
ports and protocols it wants given the end application that requested
the data. Firewalls with DPI
are less likely to be “spoofed” – tricked into believing that a request
is valid. With the
considerable decrease in the cost of DPI technology, every company that
cares about its data or productivity should use it.
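
The three inspection levels described above, applied to the same four packets, as an added example that is not part of the original article. The addresses, the port-80 rule and the treatment of each packet as one whole message are assumptions made for illustration.

```python
from dataclasses import dataclass

LAN = "192.168.1."  # constructed internal address prefix (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

def packet_filter(p):
    """Basic filtering: header only. LAN may go out; inbound must come from a web port."""
    return p.src.startswith(LAN) or p.sport in (80, 443)

class StatefulFirewall:
    """Tracks outgoing flows and admits inbound packets only as replies to them."""
    def __init__(self):
        self.flows = set()

    def allow(self, p):
        if p.src.startswith(LAN):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows

class DpiFirewall(StatefulFirewall):
    """Adds a payload check: anything using port 80 must actually look like HTTP."""
    HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"HTTP/")

    def allow(self, p):
        if 80 in (p.sport, p.dport) and not p.payload.startswith(self.HTTP_STARTS):
            return False
        return super().allow(p)

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 80, b"GET / HTTP/1.1\r\n"),      # request
    Packet("203.0.113.5", 80, "192.168.1.10", 50000, b"HTTP/1.1 200 OK\r\n"),     # its reply
    Packet("198.51.100.7", 80, "192.168.1.10", 50001, b"HTTP/1.1 200 OK\r\n"),    # unsolicited
    Packet("192.168.1.10", 50002, "203.0.113.9", 80, b"\x13BitTorrent protocol"),  # non-HTTP on 80
]

def run(packets):
    """Return (basic, stateful, dpi) verdicts per packet; True means allowed."""
    stateful, dpi = StatefulFirewall(), DpiFirewall()
    return [(packet_filter(p), stateful.allow(p), dpi.allow(p)) for p in packets]

if __name__ == "__main__":
    for verdict in run(SAMPLE):
        print(verdict)
```

The third packet is what stateful inspection catches and header-only filtering misses; the fourth is what only payload inspection catches.
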
Additional features are making firewalls even more beneficial.
Many now offer options such as anti-virus, anti-spyware, content
filtering, and intrusion detection.
The first two features are straightforward – add a layer to stop
the viruses and spyware as they are knocking on your door.
More and more frequently we have requests from clients asking if it is
possible to limit specific employees to just the web sites that are
necessary for carrying out the workers’ duties.
The answer to this question is yes.
A popular firewall device for small businesses made by Sonicwall is called
the TZ170 which, depending on options, goes for about $425 to $1,000 and
is fairly representative of the devices available today.
The TZ170 is a firewall capable of stateful inspection, DMZs,
and VPN. Sonicwall offers an
option that includes deep packet inspection, a standard content filter
(about 12 categories), and one year service.
The DPI option allows you to block applications such as music
sharing or instant messaging.
This option supports white lists and black lists, allowing your
IT department to add or remove sites that end users can visit.
It is also possible to track which sites your users have been
visiting through Sonicwall’s ViewPoint software.
Sonicwall offers a more sophisticated content filter in the CSM2200.
This device is used in conjunction with a firewall.
The main advantages of this device are that it offers more
categories to filter on; more advanced control of users, groups of users
and websites; and bandwidth management.
Bandwidth management allows you to see if employees are using the
company internet connection to stream music or play online games.
The CSM2200 (50 users) with one year of updates goes for around
$2,275. Additional years
cost anywhere from $300 and up depending on user count and service