
Defending Your Turf From Within

August 21, 2000
By Michael J. DeMaria

Remember the tale of the Trojan War? The Greeks tried to take over the city of Troy, but its walls were too strong and the army too well-armed. So the Greeks needed an alternate strategy. They built a giant horse, filled it with soldiers and offered it as a symbol of peace. A Trojan priest, Laocoön, warned against accepting the Greeks' strange gift, but the people of Troy ignored his admonition and brought the giant horse inside their walls. The Greek soldiers then emerged and pillaged the city.

Fire and smoke billowed from Troy's remains as onlookers watched the enemy hordes pour into the Trojans' once-secure homeland. The victors proclaimed: "We own all that is here. Nothing you can do will stop us now that we're inside." Any security administrator who has been hacked knows the feeling.

What's the moral of the story? It doesn't matter how good your main lines of defense are if your own employees usher in the enemy themselves.

Today's battles pit security administrators against hackers. For every virus scanner deployed, malicious new software programs--called Trojans, for that oversized horse--appear, hidden in e-mail attachments and innocent applications. Companies can spend time and money on firewalls to build a strong fortress around the network's perimeter, yet hackers find smaller and smaller holes to exploit.

Where are the most obvious network holes? They are right where history would predict: within the fortress itself. They are in the laptops of traveling employees, who are not as security conscious as the administrators would prefer. Remote users work outside of their offices and away from the locked-down systems, and have constant broadband access, often staying connected to the unprotected Internet for days at a time without the security or encryption associated with a VPN (virtual private network) connection. As such, every laptop is a small extension of the LAN, and Trojans can invade the LAN through them.

Imagine, for example, a finance department's laptop being attacked by the Trojan known as Back Orifice (see "In Through the Back Door") and having all its keystrokes logged. When the notebook is reattached to the corporate enterprise network, a hacker can gain access to a company's bank-account numbers.

It's not uncommon to hear stories of hacking attempts being made by inside personnel; employees are not necessarily trustworthy across the board. There is always the possibility of false purchase orders being created, extra paychecks being issued or even bribes being offered by competitors. Insiders can attack virtually unprotected machines, making their way into payroll departments and disclosing sensitive information, such as executive salaries, or implementing simple DoS (denial of service) attacks on important servers. And insiders have several advantages: They can acquire knowledge of the network, can maintain more contacts that can be socially engineered and, most important, are already behind the firewall.

Cutting off all Internet traffic for mobile users is no more helpful than taking away their battery chargers. Many staff members use their laptops not only to access information, but for other purposes, such as chatting with a spouse via instant messaging on long business trips. Some staffers work at home and let their children play networked games. Take these perks away from your employees and watch morale--and those extra hours spent on work that's so conveniently done at home--evaporate.

Personal firewalls can help prevent problems. Using filtering, packet monitoring, port blocking and application control, an IT department can greatly reduce the risk of internal attacks as well as invasion through remote systems. Note, however, that such firewalls are not a complete solution and should be used in addition to any existing security measures. You can't eliminate your antivirus program just because a firewall vendor claims to defend against Trojan attacks. In all our tests, with just one port open, we were able to take over a machine by using Back Orifice. Getting a Trojan onto someone's computer isn't hard, either--all it takes is a silly dancing-pigs e-mail attachment with the Trojan tacked on. A Trojan can also be loaded via floppy disk in about 20 seconds, during lunch or after hours. How many employees lock their terminals when they go to the rest room?

Personal-Firewall Lineup

We evaluated personal firewalls and accompanying management software from F-Secure Corp., InfoExpress, Network ICE Corp. and Sybergen Networks. We also invited Biodata Information Technology, Network Associates and Network-1 Security Solutions to participate, but their products were too early in development to be tested.

All the software we tested works basically the same way: An individual agent is installed on every client machine. These agents do the firewalling and send status reports. Meanwhile, a back-end server (or more than one server) maintains a database of hack attempts and distributes new policy files. Determining the server size needed to handle the load is a bit tricky, though. If every log file is 40 KB and is uploaded by 5,000 people every hour, your server and network must be able to handle at least 200 MB per hour. But keep in mind that software updates can be a few megabytes, and hundreds of simultaneous downloads of those could really hurt a server.

Each product has its strengths and weaknesses, so its suitability will depend on your network's needs. We took the stance of a corporation ready to roll out 5,000 personal firewalls. Our evaluation focused on user management, updating, logging and reporting, policy-file creation, and protection. All the firewalls can prohibit users from editing their settings and remain pretty well hidden--and the less noticeable the firewall, the less users will be tempted to try to bypass it. F-Secure Distributed Firewall 5.0 and InfoExpress' CyberArmor Suite Enterprise Personal Firewall 1.1 are the most apparent, with an icon appearing in the task bar. Network ICE's BlackICE Pro 2.0.23 shows up in the task list but allows the GUI to be completely removed from the client machines. Sybergen Mobile Workforce Solution doesn't have any indicators that the firewall is active except when it runs the client GUI program, making this personal firewall the least intrusive.

We wanted to see how easily you could create different policies for different groups of people, an important administrative task. For example, you might want your company's engineers to be able to set up FTP servers to distribute new builds of software. At the same time, you might want all marketing people to be able to set up Web servers to display HTML documentation. In large installations, the more flexible the software, the easier it will be to cater to different needs within the organization. All the products we tested let administrators create groups, and F-Secure Distributed Firewall offers a very simple method for editing subgroups and individual nodes.

Regarding telecommuters, we looked at how the management server deals with dynamic IP addresses and movement across different networks. BlackICE Pro is tied heavily to the IP address, while the CyberArmor solution assigns an ID number to each computer and tracks the machine through that number instead. This lets a user travel across different networks and have dynamic IP addresses but still be tracked correctly by the administration software. Tracking is important; you wouldn't want to have policy files downloaded to someone in the wrong group or the software to report hacking attempts in marketing when it really occurred on an engineer's computer.

We evaluated how well each program reports hacking attempts and whether it overloads the security administrator with information. BlackICE Pro lets the administrator assign a priority level to each attack type. This makes it easy to filter out lower-level attacks, such as port scans, and focus on more serious threats, like Trojans. CyberArmor allows alarm conditions to be set; lower-level intrusions go into the log file but don't trigger an alarm.

We also tested the firewalls against port scanners, DoS attacks and Trojans. We wanted to see how quickly we could update all clients to ignore traffic from the hacker's IP address; an update that takes more than a few minutes to reach every client gives the attacker that much time to work.

None of the firewalls tested was able to protect completely against Back Orifice 1.20, which has been out for more than two years. Even with the firewalls, we were able to get this Trojan to report back the entire contents of a computer, lock up or reboot the machine, or even kill the firewall program, leaving the system completely unprotected. We did not test for Visual Basic scripts or viruses, nor did we install a virus scanner, which leads us to emphasize: A firewall alone is not enough protection against Trojans. A good antivirus program is essential and under normal conditions would have caught Back Orifice or any other Trojan.

Of the products we tested, the only one truly ready for remote users is InfoExpress' CyberArmor Suite, our Editor's Choice pick. CyberArmor refers back to the administration server through a generated ID number, while the other products use network information, such as IP address and DNS name. CyberArmor can thus easily be used on laptops that travel across multiple networks, where IP addresses or domain names may change. In addition, CyberArmor can identify different network environments and have different policy files activated in certain conditions. It also has the most protection capabilities, with bidirectional port blocking and application control. The three other products are fine for protecting workstations inside the LAN from internal attacks but aren't suitable for deployment on mobile users' laptops. Of those three, F-Secure Distributed Firewall gets our nod for internal use. The software's user management is the best among our tested products and makes it very easy to set up policies that limit one group from communicating with a different group.

Network ICE's BlackICE Pro has the best reporting capabilities, providing clear information on what attacks are occurring and from where they're coming. User management is difficult, however, and the firewall doesn't offer any ICMP (Internet Control Message Protocol) blocking or application control. Finally, Sybergen Mobile Workforce Solution is geared toward administrators who can trust their users to control settings and preferences, and, as with BlackICE Pro, user management isn't easy. The Sybergen firewall requires administrators to assign users to groups manually, so this package would work best for installations with a small number of clients.

The biggest problem with most of these personal-firewall products--InfoExpress' CyberArmor Suite being the exception--is their reliance on network information when communicating with the management server. Fortunately, as this is a relatively new market, other vendors (including those in this review) will probably move toward a generated-ID system and away from tracking by IP address.
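The difference between the two tracking models this review keeps returning to (tracking by IP address or DNS name versus tracking by a generated ID, discussed above under telecommuters and again in the conclusions) is easiest to see in code. The following is an added example written for this page, not code from the article or from any of the products reviewed; the hostnames, addresses, group policies and the two scenarios are constructed for illustration. It models a management server's client database both ways and shows the misattribution the review warns about: a report from a marketing machine being logged against an engineer's laptop, and the engineering policy file being pushed to the wrong group.

```python
"""Agent tracking for a personal-firewall management server.

Added example, not code from the article or from any vendor's product.
It contrasts keying client records by network information (IP address)
with keying them by a generated per-agent ID. All names, addresses and
policies below are constructed for illustration.
"""
import uuid
from dataclasses import dataclass, field

# Constructed group policies: inbound TCP ports each group may expose
# (the article's example: engineers run FTP servers, marketing runs Web
# servers).
GROUP_POLICY = {
    "engineering": {20, 21},
    "marketing": {80},
}


@dataclass
class Agent:
    hostname: str
    group: str
    ip: str
    # Generated once at install time and carried in every message.
    agent_id: str = field(default_factory=lambda: uuid.uuid4().hex)


@dataclass
class Report:
    """What the server sees when an agent reports a hack attempt."""
    source_ip: str   # address the report arrived from
    agent_id: str    # generated ID included by the agent
    event: str


class IpKeyedRegistry:
    """Records are looked up by the address the agent enrolled from, so
    a record goes stale as soon as the lease changes or the host roams."""

    def __init__(self):
        self._by_ip = {}

    def enroll(self, agent):
        self._by_ip[agent.ip] = agent

    def attribute(self, report):
        a = self._by_ip.get(report.source_ip)
        return (a.hostname, a.group) if a else (None, None)

    def policy_for(self, report):
        return GROUP_POLICY.get(self.attribute(report)[1], set())


class IdKeyedRegistry:
    """Records are looked up by the generated ID, so the address a report
    arrives from plays no part in attribution or policy selection."""

    def __init__(self):
        self._by_id = {}

    def enroll(self, agent):
        self._by_id[agent.agent_id] = agent

    def attribute(self, report):
        a = self._by_id.get(report.agent_id)
        return (a.hostname, a.group) if a else (None, None)

    def policy_for(self, report):
        return GROUP_POLICY.get(self.attribute(report)[1], set())


def simulate_lease_change():
    """Constructed scenario: an engineer's laptop and a marketing desktop
    enroll; the laptop leaves the LAN and DHCP hands its old address to the
    desktop, which then reports a port scan. Returns, per registry, the
    hostname the report was attributed to and the ports that would be pushed."""
    eng = Agent("eng-laptop", "engineering", ip="10.0.0.5")
    mkt = Agent("mkt-desktop", "marketing", ip="10.0.0.9")
    by_ip, by_id = IpKeyedRegistry(), IdKeyedRegistry()
    for agent in (eng, mkt):
        by_ip.enroll(agent)
        by_id.enroll(agent)

    mkt.ip = "10.0.0.5"  # lease reassignment: the desktop now holds the laptop's old address
    report = Report(source_ip=mkt.ip, agent_id=mkt.agent_id, event="port scan")
    return {
        "ip_keyed": (by_ip.attribute(report)[0], by_ip.policy_for(report)),
        "id_keyed": (by_id.attribute(report)[0], by_id.policy_for(report)),
    }


def simulate_roaming():
    """Constructed scenario: the laptop reports in from an address on a
    network the server has never seen (a cafe, a hotel). Returns the
    hostname each registry attributes the report to."""
    eng = Agent("eng-laptop", "engineering", ip="10.0.0.5")
    by_ip, by_id = IpKeyedRegistry(), IdKeyedRegistry()
    by_ip.enroll(eng)
    by_id.enroll(eng)
    report = Report(source_ip="192.168.1.20", agent_id=eng.agent_id, event="Trojan")
    return by_ip.attribute(report)[0], by_id.attribute(report)[0]


if __name__ == "__main__":
    for model, (host, ports) in simulate_lease_change().items():
        print(f"{model}: attributed to {host}, ports pushed = {sorted(ports)}")
    print("roaming:", simulate_roaming())
```

In the lease-change scenario the IP-keyed server logs the marketing desktop's port scan against eng-laptop and would push the engineering policy (inbound 20 and 21 open) to a marketing machine; the ID-keyed server attributes the same report to mkt-desktop and selects the marketing policy. In the roaming scenario the IP-keyed server cannot match the report to any client at all, while the ID-keyed server still knows which laptop sent it. The generated ID must be protected like any other credential the agent holds, since a client that can present another agent's ID would receive that agent's policy file.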

Now that laptops have become little satellite LAN links, those links should be secured. Personal firewalls can help lessen some of the risks associated with today's mobile work force. After all, the next time an employee totes his laptop to Apollo's Gyro House and Cybercafé for lunch, he could be bringing back more than a tasty pouch of lamb.
