Adding to David's definition, just want to comment that a firewall can
create a demarcation point between two subnets within a private network,
where the levels of trust are not homogeneous. So basically, what I'm
trying to say is that a firewall isn't just something (HW or SW) to separate
an organization's network from the outside world. It can be used internally
to compartmentalize portions of an internal network based on distinct
sensitivity levels and risks.
a.
Albert Oriol, CHE, CISSP
The Children's Hospital, Denver
(303) 861 6094
"Knowledge is the most democratic source of power"
-- Alvin Toffler
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 08, 2002 8:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Debbie R. Linger
Subject: Re: Questions on firewalls
REF: Firewall
Here is my definition:
FIREWALL: A device that creates a demarcation point between a private local
area network (LAN) and a public wide area network (WAN). Firewalls can
provide 1) either packet filtering capabilities to deny or permit various
TCP/IP packets, or 2) can act as an application proxy that permits or denies
certain application-oriented communications (such as HTTP, SMTP, FTP, etc.).
The firewall's configuration can create a "demilitarized zone" (DMZ), that
creates a boundary between the public WAN and private LAN.
An "appliance" firewall is a device specifically marketed to be used for
the above stated purpose. The appliance firewall can be considered a
stand-alone piece of hardware and software. These firewalls are
self-contained devices that operate as a "black box".
However, the firewall application is a software application embedded in
many routing components, that are configured with firewall capabilities
turned on. Example, a Cisco router can have access control lists
implemented, which is the configuration of embedded software. Here again
the firewall appears as a stand-alone black box.
Thinking of a firewall as "software" is generally incorrect and can get you
into trouble. True, some purists will argue that it is nothing more than
software; but, not in the managerial sense. From a HIPAA compliance
perspective I would suggest that it should be thought of in the "black box"
context.
"Policies and procedures" cannot accomplish a firewall function. Firewalls
can implement these policies; but, policies alone do nothing to filter
packets or applications. Think of the firewall as the device that
implements the policies.
David Sweigert, M.Sci., CCNA, CISSP
State IT Security Policy Officer
Department of Administrative Services
http://www.ohio.gov/itp
From: "HIPAA Office Assistant DHS" <[EMAIL PROTECTED]us>
Date: 08/08/2002 10:09 AM
To: [EMAIL PROTECTED]
cc: "Debbie R. Linger" <[EMAIL PROTECTED]>
Subject: Questions on firewalls
May I please have answers to the following questions at your earliest
convenience?
1.) What is the definition of a firewall? Is a firewall an actual piece of
software or can it be accomplished by Policies and Procedures and limited
access?
2.) Can one facility be considered as a health plan and a health provider?
Is it a requirement that they are considered one or the other?
Thank you for your help,
Theresa Sack
HIPAA Office Assistant
[EMAIL PROTECTED]
(701) 328-1479
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.