May 23 2007

Desktop Firewalls

Protect your network against itself.


Photo: Forrest MacCormack
Thayer Lodging Group takes a dual-prong approach to firewalls, says Vice President of IT Mike Uwe Dickersbach.

During the past 10 years, there has been a growing trend toward more aggressive network and end-user security. System administrators and information technology staff members have no shortage of threats to defend against — from relatively passive threats, such as phishing and malware, to more malicious threats, such as botnet attacks and self-propagating worms.


The latter can cripple your company financially without warning, without mercy — and more disturbingly, without provocation or end-user interaction. All it takes is one compromised machine being brought inside the network to undermine even the best traditional perimeter defenses, prompting numerous IT shops to take a hard look at implementing a redundant desktop and/or notebook PC firewall on user machines.

While desktop firewalls are an emerging trend, running a notebook firewall is the de facto standard. “Anyone on the same wireless network as you has an unblocked connection to your computer,” says Larry Pable, a senior IT specialist at IBM. “Whether it’s a curious neighbor kid connecting to your home wireless network, another guest in the same hotel, or someone sitting in the corner of the coffee shop, the threats can be peers on your local network, and it’s important to protect yourself.”

Microsoft Windows XP and Vista operating systems include a built-in firewall, but some organizations won’t want to rely on this alone to keep desktops safe. Consider this: Windows XP’s firewall was successfully compromised and disabled on some fully patched XP machines last October. If it came with Windows, you can be sure it is a favorite target of hackers and script kiddies.

Like many businesses, Thayer Lodging Group in Annapolis, Md., takes a dual-prong approach — using the firewall built into Windows for desktops while deploying a separate firewall for external machines.

“We have to look at costs versus usability and the impact on both the corporate IT environment and at the end user, and determine which combination gives us the balance,” says Mike Uwe Dickersbach, vice president of IT at Thayer. The company relies on the firewall built into Windows XP to defend desktops, but runs a McAfee firewall on notebooks.

“It’s an added level of protection for notebooks,” Dickersbach says. “We turn the Windows firewall down to a bare minimum and [run] a separate firewall on notebooks because they are constantly subjected to various networks.”

By applying a third-party solution, you add a layer of “security through obscurity,” because to bring the firewall down, malicious code has to be engineered against whatever specific software you are using. The broad-side-of-a-barn target that a standard Windows component presents suddenly becomes a needle in a haystack.

Do Your Homework

So, how do you decide whether to introduce a desktop firewall into your IT environment? First, determine how much you are willing to spend to get a higher level of protection. There are freeware client solutions available, but many of their developers expect to subsidize losses with support fees, while commercial products often come with free technical support or comparably cheaper support subscriptions.

Second, determine whether your company needs a highly customizable firewall or a “set it and forget it” option that hides client machines. A solution that allows for centralized deployment costs more, and in an organization with several hundred clients it may look astronomically more expensive, but its scalability may more than make up for the cost if it saves your company valuable employee time and help-desk resources.

Symantec Client Security is a popular commercial software firewall because of its comprehensive antivirus/firewall/spyware combination. Client Security also integrates into POP3 e-mail clients for attachment scanning, offers customizable adware/spyware policies, and supports centralized deployment, management and policy administration. Symantec’s LiveUpdate also assures that users are always up to date on their virus and security threat definitions.

Another offering to consider is Trend Micro’s OfficeScan, which provides many features similar to Symantec Client Security, including a firewall, spyware blocker and antivirus protection. Like Symantec Client Security, OfficeScan offers centralized management and support for remote administration. OfficeScan also brings some unique features to the table, such as support for Trend Micro Outbreak Prevention Services, a proactive security solution that allows administrators to enact behavioral lockdown initiatives networkwide. The goal is to stop the spread of new viruses and worms during the critical initial stages of an outbreak, before definition files are available to clean the threat.

Also worthy of mention is McAfee Total Protection, which offers the same core components as its competitors, with an emphasis on ease of installation. Administrators can e-mail a link to users anywhere on the network and have the client installed with a single mouse click. McAfee Total Protection also features desktop host intrusion prevention — a firewall solution that not only blocks ports, but also integrates signature and behavioral scrutiny into its firewall policy. That feature makes it one of the most intuitive firewall clients on the market.

Check Point’s ZoneAlarm has evolved considerably during the past several years, and the latest version, ZoneAlarm Internet Security Suite, is the most ambitious to date. This solution offers the firewall, antivirus and antispyware protection you’d expect, with unique enhancements such as auto-learn, spyware site blocking and registry monitoring. ZoneAlarm ISS retails for less than many of its competitors, but beware: This suite is self-contained and does not support centralized management or remote administration. Because of this, ZoneAlarm ISS is probably best suited for small businesses where scalable administration isn’t a major requirement.

Growing Pains

Whatever solution you choose, you will need to be prepared for growing pains. If you choose to implement a centralized security solution with a common firewall access policy, it is a good idea to test it on a small group and build a database of trusted behaviors and program activities before rolling it out companywide. During the first few weeks that you run any software firewall, the program will likely prompt you dozens of times, asking whether to allow an activity whenever network access is involved.

There are several programs that you will inevitably be asked about — some several times. The most common “suspects” are e-mail clients, such as Lotus Notes and Outlook; virtual private network (VPN) clients; FTP services/clients; Internet browsers; remote connection clients; software that automatically checks for updates, such as Adobe Reader or Java; and even some Wi-Fi utilities.

As a general rule, if it wants to talk to the Internet, you should take a good look at it. And the longer you train the software before creating a centralized policy, the fewer calls you will have coming into your help desk once that policy is in place.

IT Takeaway

In addition to training the software, you will also want to train your employees so they have a basic understanding of how to troubleshoot and correct firewall/policy issues. Expect certain questions and prepare your answers, as follows:

• “I have a window asking me if I want to allow ‘X’ application to access the Internet. How do I respond?”
• “I already have a firewall on my home network. Should I disable this one when I take my notebook home?”
• “How do I find out what ports I need to open for my custom application to run?”
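The “train before you centralize” advice in the Growing Pains section and the last question above (which ports a custom application needs) can both be answered from the same data: the Windows Firewall can write a plain-text log in W3C extended format (pfirewall.log, with its columns declared in a `#Fields:` header), and that log records every blocked and allowed connection during a trial period. The script below is an added example, not code from the article or from any vendor named in it; the log lines are constructed, and the office subnet and application server address are assumptions. Note that this log records addresses and ports, not program names, so the per-program allow prompts the article describes still have to be answered on the client; what the log does give you is the port list for a custom application and a way to tell blocked local peers apart from unsolicited outside traffic that should stay blocked.

```python
"""Learn what a PC actually needs on the network from its Windows Firewall log.

Added example (not from the article). Parses the W3C-style text log the
Windows Firewall writes (pfirewall.log; column names come from the #Fields
header) and aggregates records so an administrator can (a) see which
outbound ports a custom application uses before a central policy is
pushed, and (b) separate expected local peers being blocked from
unsolicited inbound traffic. All log lines below are constructed sample data.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log in the Windows Firewall W3C format (17 columns).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-05-23 09:15:02 DROP TCP 10.0.0.12 10.0.0.5 49152 1352 48 S 1234567 0 65535 - - - SEND
2007-05-23 09:15:03 DROP TCP 10.0.0.12 10.0.0.5 49153 1352 48 S 1234568 0 65535 - - - SEND
2007-05-23 09:15:10 ALLOW TCP 10.0.0.12 192.0.2.20 49154 443 48 S 1234569 0 65535 - - - SEND
2007-05-23 09:16:01 DROP UDP 10.0.0.77 10.0.0.12 137 137 78 - - - - - - - RECEIVE
2007-05-23 09:16:44 DROP TCP 198.51.100.9 10.0.0.12 40001 3389 48 S 99999 0 8192 - - - RECEIVE
2007-05-23 09:17:00 DROP ICMP 10.0.0.77 10.0.0.12 - - 60 - - - - 8 0 - RECEIVE
2007-05-23 09:18:30 DROP TCP 10.0.0.12 10.0.0.5 49160 1352 48 S 1234570 0 65535 - - - SEND
"""

LOCAL_NET = ip_network("10.0.0.0/24")  # assumption: the office subnet


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data appeared before the #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def outbound_ports(records, server_ip):
    """Count blocked outbound connections to server_ip by (protocol, port).

    For a server the custom application is known to talk to, this is the
    answer to 'what ports does my application need?'."""
    hits = Counter()
    for r in records:
        if r["action"] == "DROP" and r["path"] == "SEND" and r["dst-ip"] == server_ip:
            hits[(r["protocol"], r["dst-port"])] += 1
    return hits


def inbound_drops(records, local_net=LOCAL_NET):
    """Split blocked inbound traffic into local-peer and outside sources.

    Local-peer drops may be legitimate (file sharing, a help-desk tool) and
    deserve a look; outside drops are the firewall doing its job and are
    not candidates for new allow rules."""
    local, outside = Counter(), Counter()
    for r in records:
        if r["action"] != "DROP" or r["path"] != "RECEIVE":
            continue
        key = (r["protocol"], r["dst-port"])
        if ip_address(r["src-ip"]) in local_net:
            local[key] += 1
        else:
            outside[key] += 1
    return local, outside


def proposed_rules(records, server_ip, min_hits=2):
    """Outbound (protocol, port) pairs toward server_ip seen at least min_hits
    times during the trial period: candidates for the central allow policy.
    The threshold filters one-off noise; review each candidate before adopting it."""
    return sorted(k for k, n in outbound_ports(records, server_ip).items() if n >= min_hits)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for (proto, port), n in outbound_ports(recs, "10.0.0.5").items():
        print(f"blocked outbound to 10.0.0.5: {proto}/{port} x{n}")
    local, outside = inbound_drops(recs)
    print("inbound drops from local peers (review):", dict(local))
    print("inbound drops from outside (keep blocked):", dict(outside))
    print("candidate allow rules for 10.0.0.5:", proposed_rules(recs, "10.0.0.5"))
```

Run it against a real pfirewall.log collected from the pilot group and the candidate list becomes the starting point for the common policy; the outside-source counter is the part you leave alone, since opening a port because an Internet host knocked on it is exactly the wrong lesson to draw from the log.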

Jason Holbert is a Tier II desktop support technician at Harcros Chemicals, a chemical distributor based in Kansas City, Kan.