#56084 08/16/2013 6:18 PM
Joined: Jun 2012
Posts: 272
For HIPAA security purposes we've been urged to purchase a [small] Business Class Firewall with Intrusion Protection. Such as the Sonicwall TZ 205 or Cisco 5500.

Currently we have Malwarebytes on the server(p2p). I know windows has a firewall and so does our router.

Can somebody explain if a hardware firewall is really necessary because from what I have researched they run for a few hundred bucks AND then there is a yearly service fee for updates/maintenance? Is that something I can do just as I run our Antivirus and Windows update every week, etc?

Any help is appreciated.


Josue
Tampa, FL
Joined: Dec 2009
Posts: 1,205
Likes: 8
The cheap little routers you get from Best Buy and Staples may have a firewall, but they are woefully inadequate.

* They lack advanced logging. A more advanced firewall can keep a log of all traffic to and from your network. So when you start getting login attempts from China, you'll know about it.

* They lack unified defense. If one of your users visits an infected website and opens up a virus or something, the more advanced firewalls can take it out BEFORE it gets to the user's computer.

* They lack advanced filtering. Some on this forum have complained about workers surfing Facebook all day. A more advanced firewall can block such sites on-the-fly.

While Windows does have its own firewall, and it's a good one, it's only meant to protect the machine it's on, not the entire network. And even so, it will not protect against attacks directed at published services on that computer.

I realize that purchasing a more advanced firewall is something you never considered. Believe me, I've had doctors yell at me for suggesting the idea. However, any security expert will tell you that security is best in layers and that your Internet gateway is your very first line of defense. And in my experience, it is almost always the first thing most skimp out on.

JamesNT


James Summerlin
My personal site: http://www.dataintegrationsolutions.net
james@dataintegrationsolutions.net
Joined: Apr 2011
Posts: 2,316
Likes: 2
Great points.

HIPAA does not make any specific technical requirements for security. So it is not absolutely required. One of the benefits of running an EMR that is non-cloud is that the majority of your traffic is offline.

The biggest difference between a router firewall and a hardware firewall is that they operate on a different core assumption. Router firewalls/cheap firewalls 'allow' by default and firewalls 'deny' by default.

Most firewalls do not work out of the box for that reason. They need to be configured to allow access. However, knowing exactly what is needed to go in and out can be confusing for even IT professionals. I've been to several offices with SonicWalls only to see that they are configured exactly the same as a consumer router which defeats the point of buying a 1000 dollar router/firewall.

Joined: Sep 2003
Posts: 12,899
Likes: 34
Agreed with Sandeep and James. $200 to $500 is nothing. A Cisco ASA 5505 is a nice little firewall. Most good firewalls allow everything out and deny everything in as Sandeep mentions. So you have to open ports 443, 987 if you need SharePoint, etc. And, of course, 8080. The Cisco RV 042G is a little cheaper but is able to block IPv6 traffic.

Hardware firewalls not only block certain traffic, they stealth your system by blocking certain ports. Just for fun, open port 3389, the number one port hackers look for, and look at the logs James talks about. There could be thousands of attempts, especially if you don't limit password attempts. At that point, it is only your username and password stopping the outside world from accessing your network. Since most people use admin as their username, a brute force attack using a dictionary shouldn't take long. That is the reason not to use actual words as a password, even if they are random.

So close port 3389 (which should be closed by default), make the username "cupcake" and the password "8gHy%$22}" with only three to five attempts, and you should be all set.

I have an ASA 5505 and except for free firmware, I don't pay anything else annually. I think SonicWall is different. You pretty much have to have a firewall and with static IPs, they really aren't that hard to configure. Most, if not all, allow you to use a wizard. Then there is port forwarding, which is only difficult if you have nothing to forward.

I think the only thing is the terminology such as public and private side, default gateway, public default gateway, subnets, etc. All of this is in the long edition of the PDF manual. But, with the right IP and DNS addresses from your ISP, most techies on here should be able to log in and configure it.


Bert
Pediatrics
Brewer, Maine

Joined: Jun 2012
Posts: 272
Thanks guys.

Well, I've set up various routers with Static IP addresses before. So if it's similar to that I should be able to configure it myself. In regards to the ports, I think it sounds great that everything is denied by default. I'll just figure out the ports that need opening until everything works properly. I know AC has (had?) certain exceptions that need to be made in Windows firewall. We don't have Sharepoint, etc.

My only question is that if the configured Firewall is placed behind the existing Router, will I need to change any settings in the Router? Such as the port forwarding and Static IP configurations since the Firewall will be configured for that already.


Josue
Tampa, FL
Joined: Sep 2003
Posts: 12,899
Likes: 34
Most firewalls are also routers. You would likely not have to change them twice. 61067 (I think the AC port) is an internal port that wouldn't be changed on the external firewall. The external firewall is just to keep outside traffic from accessing your network. Example, AC client needs to access AC database via 61067.

Even though everything is denied by default, you would likely not have any issues leaving it that way. It is only certain ports that would need access like https (443) and http for web traffic. Special ports such as 3189 and 987 for RDP and SharePoint would need to be opened. That said, with 2008 servers and up, you have gateways which allow RDP to securely bypass the router. This makes things MUCH, MUCH safer. SharePoint you probably don't need. The last good example is if you had Exchange and you didn't use POP3. Say you used the infinitely better SMTP. You would have to open port 25. So basically 443 and 80 would be the only two. Keep in mind that those ports are open when you access them. So, if you access Yahoo.com, port 80 will be open but only to Yahoo.

Say you bought a Cisco RV042G, this is a router/firewall like most. All you would need with static IPs (7 but can only use the middle 5m -- if you purchased 5 -- a good number), then you will need your main outside IP, your outside default gateway, your subnet, usually 255.255.255.248 (for public subnet -- inside usually 255.255.255.0), your DNS numbers of your ISP (have to have). Your private or inside default gateway is the subnet, usually 192.168.1.1, but it can be 0.1 or 16.1 -- many but must match the default gateway of your clients.

If your router (firewall) has a wizard, it is simple. If you do use a server, there are a couple of more steps and your DNS servers would be on the server. Hugely imperative for a good network.


Bert
Pediatrics
Brewer, Maine

Joined: Jun 2012
Posts: 272
That RV042G looks almost perfect (No wireless, despite the recommendations against it & no USB port).
With the RV042G I'll be able to throw out our current router, right?

We don't use Exchange. The only ports we'd need in our current p2p setup is for RDP. And the http ports. By "Web traffic" do you mean plain old internet browsing? That is blocked by default? We need at least eligibility websites (Availity, Navinet, etc.).

Soon we hope to convert to ACitC so I'll be able to shut down the RDP port.

Quote
All you would need with static IPs (7 but can only use the middle 5m -- if you purchased 5 -- a good number),
We have one static IP address. Are you saying we need 7? I'm confused about that statement.


Josue
Tampa, FL
Joined: Jun 2009
Posts: 1,811
Josue,

I think Bert has a typo in port number, the default RDP port is 3389. We always choose a random high port on the external side of the firewall (say 23456), and port forward that inward to 3389. It makes it much harder to locate the RDP port to attack it. In the event of a scanning attack, most good firewalls will recognize port scanning and start dropping the traffic.



Indy
"Boss"

Indy's Blog

www.BestForYourPractice.com
Our Name is Our Creed
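The default-deny behaviour Bert and Sandeep describe, together with Indy's forwarded high port, as a small Python model added here (it is not code from the thread or from any vendor mentioned). The addresses, the external port 23456 and the Packet/Firewall names are constructed for the illustration, and the NAT is simplified so the client's source port doubles as the public port.

```python
from dataclasses import dataclass, field

# Constructed addresses for this illustration (not from the thread).
WAN_IP = "203.0.113.10"       # the practice's one public static IP
LAN_SERVER = "192.168.1.10"   # internal server that listens for RDP on 3389
OUTBOUND_PORTS = {80, 443}    # plain web browsing is all the LAN may start
# Indy's pattern: an obscure external port forwarded inward to 3389
# (23456 is an example value, not a recommendation).
FORWARDS = {23456: (LAN_SERVER, 3389)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> WAN_IP
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    # Flows the LAN opened: (remote_ip, remote_port, public_port) -> lan_host.
    # Simplification: the NAT keeps the client's source port as the public port.
    flows: dict = field(default_factory=dict)

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            # Outbound is allowed, but only to the ports we chose to permit.
            if p.dport not in OUTBOUND_PORTS:
                return "DROP"
            self.flows[(p.dst, p.dport, p.sport)] = p.src
            return "ALLOW"
        # Inbound: a reply to a flow the LAN started is allowed. This is Bert's
        # point that port 80 is "open", but only to the site you visited.
        lan_host = self.flows.get((p.src, p.sport, p.dport))
        if lan_host is not None:
            return f"ALLOW -> {lan_host}:{p.dport}"
        # An explicitly published port is forwarded to the internal service.
        if p.dport in FORWARDS:
            host, port = FORWARDS[p.dport]
            return f"FORWARD -> {host}:{port}"
        # Everything else from the Internet hits the default-deny rule.
        return "DROP"


def demo() -> list:
    fw = Firewall()
    site, stranger, pc = "198.51.100.20", "192.0.2.99", "192.168.1.25"
    return [
        fw.handle(Packet("in", stranger, 40000, WAN_IP, 3389)),   # DROP: 3389 is not published
        fw.handle(Packet("out", pc, 51000, site, 80)),            # ALLOW: browsing
        fw.handle(Packet("in", site, 80, WAN_IP, 51000)),         # ALLOW -> 192.168.1.25:51000
        fw.handle(Packet("in", stranger, 80, WAN_IP, 51000)),     # DROP: not the site we visited
        fw.handle(Packet("in", stranger, 40001, WAN_IP, 23456)),  # FORWARD -> 192.168.1.10:3389
        fw.handle(Packet("out", pc, 51001, site, 25)),            # DROP: outbound SMTP not permitted here
    ]
```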
Joined: Jun 2009
Posts: 1,811
If you haven't purchased a firewall yet, I would recommend you consider a Watchguard.

They have a very approachable interface for end-users in addition to the standard command line interface. Their support in assisting you in configuring what you want is also very talented.

You can get the base firewall and support and optionally the additional functionality that has already been mentioned.



Indy
"Boss"

Indy's Blog

www.BestForYourPractice.com
Our Name is Our Creed
Joined: Dec 2009
Posts: 1,205
Likes: 8
barcarfan,

To be honest, I don't see this as something you can do yourself unless you have a decent amount of networking skill. While Bert has done a great job of covering some of the networking aspects, let's look at things from more of a HIPAA standpoint which is what your original question asked about. Can you configure a firewall to:

1. Track what websites your users visited in the last 48 hours.

2. Block undesirable websites (e.g. facebook) and redirect users to a warning page stating that such access is blocked and also log the attempt to access such site.

3. Block external IP addresses such as all those from China.

4. Inspect all traffic that is going through a published port to look for known hacking attempts (i.e. there are hacks that can be used against a terminal server that a firewall can detect and stop before it reaches the server).

This is what your original question is talking about.

Sandeep mentioned that "HIPAA does not make any specific technical requirements for security. So it is not absolutely required." While the HIPAA security rule doesn't give a 10 step checklist, it does give guidelines that are expected to be followed. The reason for this approach is that the government accepts the fact that it may not know exactly how your setup is or what technologies/vendors you are using. Thus, it gives guidelines that can be a little vague sometimes.

For example, under HIPAA's security rule you must have Access Control.

Quote
"Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) [Information Access Management]."

So let's say that you buy the cheapo $100 firewall and you open port 3389 (terminal server) to the Internet. As Bert mentioned, your poor little Terminal Server is left to defend itself. As the hackers of the world send password guess after password guess, sure, your server may thwart them all but you'll most certainly notice a slowdown in performance. What we in the biz call a Denial of Service Attack. Your server is spending so much time telling people "Access Denied" that it doesn't have time to do legitimate work. With a good firewall, you can detect and block those IP addresses from the Internet. Those hackers won't even see the server anymore - they won't see anything, in point of fact. And your hardware firewall can drop the hackers' connections so fast you won't notice a slowdown in speed.

You must also have Audit Controls.

Quote
"Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

A good firewall can audit Internet activity when you need it to and can maintain in-depth logs for a long time (say, past three days or something). That means auditing traffic leaving your network AND attempting to enter it.

I could go on, but I think the point is made. To answer the obvious question my company uses the Juniper SRX Series Security Services Gateway. But that is one very serious firewall - not recommended for the faint of heart or anyone afraid of a command line interface. Sonic Walls are good and have a GUI that most people can live with.

Talk to your IT person. See what he recommends. If you have further questions about his recommendations, post here. Bert, Sandeep, Indy, myself, and others will be happy to help.

JamesNT


James Summerlin
My personal site: http://www.dataintegrationsolutions.net
james@dataintegrationsolutions.net
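Added example, not from the thread: a Python sketch of the check James's logging point implies, run over constructed firewall log lines in an assumed syslog-style format (it is no vendor's real format). It flags any source that opens more than a set number of connections to the RDP port inside a short window, which is what a lockout of "three to five attempts" is meant to catch; the 60-second window and limit of 5 are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines; the format (timestamp action proto src -> dst) is an assumption.
SAMPLE_LOG = """\
2013-08-16T18:02:01 ALLOW TCP 198.51.100.7:51234 -> 203.0.113.10:3389
2013-08-16T18:02:04 ALLOW TCP 198.51.100.7:51235 -> 203.0.113.10:3389
2013-08-16T18:02:06 ALLOW TCP 192.0.2.44:40001 -> 203.0.113.10:3389
2013-08-16T18:02:09 ALLOW TCP 198.51.100.7:51236 -> 203.0.113.10:3389
2013-08-16T18:02:15 ALLOW TCP 198.51.100.7:51237 -> 203.0.113.10:3389
2013-08-16T18:02:20 ALLOW TCP 198.51.100.7:51238 -> 203.0.113.10:443
2013-08-16T18:02:31 ALLOW TCP 198.51.100.7:51239 -> 203.0.113.10:3389
2013-08-16T18:02:44 ALLOW TCP 198.51.100.7:51240 -> 203.0.113.10:3389
2013-08-16T18:09:30 ALLOW TCP 192.0.2.44:40002 -> 203.0.113.10:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log: str):
    """Yield (timestamp, source ip, destination port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in any other format rather than aborting the sweep
        yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


def find_brute_force(log: str, port: int = 3389, limit: int = 5, window_s: int = 60) -> dict:
    """Return {source_ip: peak attempts} for sources that opened more than `limit`
    connections to `port` inside any `window_s`-second sliding window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, src, dport in sorted(parse(log)):
        if dport != port:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) > limit:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged
```

A firewall log shows connection attempts, not failed passwords, so pair this with the server's own logon audit log before deciding who to block.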
Joined: Dec 2009
Posts: 1,205
Likes: 8
barcarfan,

One static IP address should be enough for your needs.

JamesNT


James Summerlin
My personal site: http://www.dataintegrationsolutions.net
james@dataintegrationsolutions.net
Joined: Sep 2003
Posts: 12,899
Likes: 34
Some have left out a few things. In the past, and still, many ISPs will only give out groups of 7 or 8 IPs. Since the first IP is the network ID and the last is the broadcast address, you are likely left with five. Given the shortage of IPv4 addresses, ISPs started to give out 1 IP. It isn't always, "I'll take three please." Your subnet on the public side will usually be 255.255.255.248. Subtract this from 255.255.255.255 + 1 (first number counts), and that is how many IPs make up the subnet. Deduct two and that is how many usable IPs you have.

It would be good to check with your ISP as to bundles and pricing. I started with one, then added a VoIP, then added an isolated wireless network, and I am down to two. Yes, you can use a VLAN and yes you can use the guest on the wireless, but I prefer it this way.


Bert
Pediatrics
Brewer, Maine
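Bert's block arithmetic, as an added Python example (not from the thread) built on the standard library's ipaddress module. The 203.0.113.8 block is a constructed documentation address, and the assumption that the ISP parks its gateway on the first usable address of the block is mine.

```python
import ipaddress


def public_block(first_ip: str, mask: str, isp_gateway_in_block: bool = True) -> dict:
    """Work out what a small static-IP allocation actually gives you.

    Bert's arithmetic: block size is (255.255.255.255 - mask) + 1; the first
    address is the network ID and the last the broadcast, so deduct two.
    If the ISP's gateway sits inside the block (assumed here to be the first
    usable address), one more is spoken for, which is the "middle five".
    """
    net = ipaddress.ip_network(f"{first_ip}/{mask}", strict=False)
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    size = all_ones - int(ipaddress.IPv4Address(mask)) + 1   # Bert's subtraction
    hosts = list(net.hosts())  # library view: everything except network ID and broadcast
    usable = len(hosts)
    yours = usable - 1 if isp_gateway_in_block and usable > 1 else usable
    first_yours = hosts[1] if yours < usable else hosts[0]
    return {
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "public_mask": str(net.netmask),
        "block_size": size,
        "formula_matches_library": size == net.num_addresses,
        "usable": usable,
        "assignable_to_you": yours,
        "assignable_range": (str(first_yours), str(hosts[-1])),
    }


def is_assignable(ip: str, block: dict) -> bool:
    """Sanity check before typing an address into the firewall's WAN page."""
    lo, hi = (ipaddress.IPv4Address(x) for x in block["assignable_range"])
    return lo <= ipaddress.IPv4Address(ip) <= hi


if __name__ == "__main__":
    block = public_block("203.0.113.8", "255.255.255.248")
    for key, value in block.items():
        print(f"{key}: {value}")
```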

Joined: Apr 2011
Posts: 2,316
Likes: 2
Originally Posted by James
So let's say that you buy the cheapo $100 firewall and you open port 3389 (terminal server) to the Internet. As Bert mentioned, your poor little Terminal Server is left to defend itself. As the hackers of the world send password guess after password guess, sure, your server may thwart them all but you'll most certainly notice a slowdown in performance. What we in the biz call a Denial of Service Attack. Your server is spending so much time telling people "Access Denied" that it doesn't have time to do legitimate work. With a good firewall, you can detect and block those IP addresses from the Internet. Those hackers won't even see the server anymore - they won't see anything, in point of fact. And your hardware firewall can drop the hackers' connections so fast you won't notice a slowdown in speed.

That is true, but most SMB firewalls aren't that good. Router firewall plus software firewall usually gets you enough protection in a small practice. None can really stop a large scale DDoS attack. Usually if there are that many requests, it's more likely someone is trying to bring your network down than hack you. Using NLA with RDP also works really well. (One of the reasons we recommend SBS RWA so strongly. In that case you only need port 443 open, and for someone to connect, they need to be part of the right active directory group and local group on the remote machine with NLA.)

Using a non-default port is one of the best ways to prevent hack attempts. When people use 3389 as the RDP port, you can see hundreds of attempts to get in; however, if you change the port, that number is near zero.

A VPN is another common solution to this issue. You can keep all the ports the same, but have an authentication gateway which will block users after a certain number of attempts.

Firewalls are great and all if you know how to use them and they are configured properly. If you try to set up something like a SonicWall on your own for the first time, you'll be in for a long ride.

Joined: Sep 2003
Posts: 12,899
Likes: 34
If you understand this post, then you don't need to read it. If you have to read it to understand it, you need to hire an IT.


Bert
Pediatrics
Brewer, Maine

Joined: Sep 2009
Posts: 2,991
Likes: 5
Still waiting for "Google translate" for IT. You paste the IT-ese passage on the left, and English comes out on the right.
No offense to the IT people who are being helpful here... I know we docs also speak a language that can be tough to translate at times.


Jon
GI
Baltimore

Reduce needless clicks!
Joined: Sep 2003
Posts: 12,899
Likes: 34
This is bad. This is all based on a GUI interface. Wasn't too long ago when it was mostly CLI. Try opening a port or doing port forwarding with multiple commands.

And when one little thing didn't work, and your eyes were burning after five hours of staring at line after line, you would copy and paste the config and upload it to the Internet AFTER hopefully deleting all the IP addresses or identifying demographics. There were hopefully five or six fresh pairs of eyes who built Ciscos for a living who could find the error.


Bert
Pediatrics
Brewer, Maine

Joined: Apr 2011
Posts: 2,316
Likes: 2
Lol I reread what I posted. I used way too many acronyms and abbreviations.

But anyways, best policy is don't expose things to the Internet that are unnecessary.

ZyXEL ZyWALL makes some affordable units. It's also a router.

