Security
Feature
Defense Mechanisms

November 12, 2001
By Mike Fratto

Centrally Managed Desktop Firewalls

Let's face it, whether they're in hotel rooms or at airports, on a broadband connection or dialing into an ISP, your remote users are vulnerable to a variety of attacks. Since remote users are extensions of your network, your network is vulnerable as well. While desktop firewalls are a necessary evil for your traveling users, those firewalls may not be applicable in all situations.

Corporate desktop firewalls must be centrally manageable so administrators can monitor and modify access-control rules. End users shouldn't need to understand network security to get their jobs done. Centralized control and configuration removes the end user from the management process and places that responsibility where it belongs: in the hands of an experienced administrator. Support for multiple policies and the grouping of users are critical features to ease management burdens.

Bear in mind, however, that installing desktop firewalls on employees' home PCs means your support staff gets ownership of those PCs. You can easily double your helpdesk calls whenever Junior can't get the latest game to run because your firewall blocked access. Desktop firewalls belong on the company-owned -- and company-controlled -- hardware.

The desktop firewalls that provide the best security features not only block access to network protocols but restrict application access to them as well. For example, a policy that both defines the full path to Microsoft's Internet Explorer and allows only that application access to HTTP and HTTPS would limit the kind of damage a virus or Trojan could do. Sure, if an attacker gets access to the desktop, all bets are off. But desktop firewalls with application control provide better protection than firewalls alone.
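As an added illustration, not code from any product reviewed here or from the author, the following Python sketches the kind of policy the paragraph describes: a console-side rule set in which a specific executable, identified by its full path, is granted access to named protocols only, with users grouped and each group assigned one policy. The executable paths, group names, user names and connection events are constructed for the example.

```python
"""Application-aware desktop firewall policy, evaluated centrally per user group.
Added example; not a product's code. Paths, groups and events are constructed."""
import ntpath
from dataclasses import dataclass

# Well-known service ports that the policy language refers to by name.
PROTO_PORTS = {"http": 80, "https": 443, "smtp": 25, "pop3": 110, "imap": 143}


def canonical(path: str) -> str:
    """Normalise a Windows executable path so '..' segments or case differences
    cannot make a different binary match the rule written for an allowed one."""
    return ntpath.normcase(ntpath.normpath(path))


@dataclass(frozen=True)
class AppRule:
    exe_path: str        # full path of the only binary allowed to use these ports
    ports: frozenset     # destination TCP ports granted to that binary


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple         # of AppRule; anything not matched is denied


def make_policy(name: str, grants: dict) -> Policy:
    """grants maps an executable path to the protocol names it may use."""
    rules = tuple(
        AppRule(canonical(path), frozenset(PROTO_PORTS[p] for p in protos))
        for path, protos in grants.items()
    )
    return Policy(name, rules)


def evaluate(policy: Policy, exe_path: str, dst_port: int) -> tuple:
    """Return ('allow' | 'deny', reason) for one outbound connection attempt."""
    exe = canonical(exe_path)
    for rule in policy.rules:
        if rule.exe_path == exe:
            if dst_port in rule.ports:
                return "allow", f"{policy.name}: {exe} may use port {dst_port}"
            return "deny", f"{policy.name}: {exe} is not granted port {dst_port}"
    return "deny", f"{policy.name}: no rule for {exe}"


# Central console: users are grouped, and each group gets exactly one policy.
# The browser may speak HTTP/HTTPS only; the mail client may speak mail only.
GROUP_POLICY = {
    "travelers": make_policy("travelers", {
        r"C:\Program Files\Internet Explorer\iexplore.exe": ["http", "https"],
        r"C:\Program Files\Outlook\outlook.exe": ["smtp", "pop3"],
    }),
    "engineering": make_policy("engineering", {
        r"C:\Program Files\Internet Explorer\iexplore.exe": ["http", "https"],
        r"C:\Program Files\Outlook\outlook.exe": ["smtp", "imap"],
    }),
}
USER_GROUP = {"alice": "travelers", "bob": "engineering"}   # constructed users


def decide(user: str, exe_path: str, dst_port: int) -> str:
    """Look up the user's group policy and evaluate one connection event."""
    policy = GROUP_POLICY[USER_GROUP[user]]
    return evaluate(policy, exe_path, dst_port)[0]


if __name__ == "__main__":
    events = [  # constructed connection attempts reported by the desktop agent
        ("alice", r"C:\Program Files\Internet Explorer\iexplore.exe", 443),
        ("alice", r"c:\program files\internet explorer\IEXPLORE.EXE", 80),
        ("alice", r"C:\Program Files\Internet Explorer\iexplore.exe", 25),
        ("alice", r"C:\Temp\freegame.exe", 443),
        ("alice", r"C:\Program Files\Internet Explorer\..\..\Temp\freegame.exe", 443),
        ("bob", r"C:\Program Files\Outlook\outlook.exe", 143),
        ("alice", r"C:\Program Files\Outlook\outlook.exe", 143),
    ]
    for user, exe, port in events:
        print(f"{user:6} port {port:3} {exe} -> {decide(user, exe, port)}")
```

The path normalisation is the part worth copying: without it, a binary dropped under a name such as `...\Internet Explorer\..\..\Temp\freegame.exe` would inherit the browser's grant. A path is still only a label, which is why the article's caveat stands: once an attacker controls the desktop, the binary at that path can be replaced, and a real agent would also want to check the executable's identity, not just its location.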

Collocated Firewalls

Collocated firewalls are a new breed of firewall aimed at the hosted service provider space. Unfortunately, the xSP market has been hit hard by the tech bust. These firewalls are targeted at reducing the amount of hardware taking up valuable rack space by virtualizing several firewalls -- some vendors claim 100 or more -- on one hardware platform. When we got rolling on our testing back in August, only two vendors offered multitenant firewalls: NetScreen Technologies and Lucent Technologies. You'll find our review of these platforms online.

The distinguishing feature of multitenant firewalls is the ability to completely segregate one customer from another on shared hardware. Each customer is partitioned off and maintains its own configuration and set of security policies. Every aspect of the firewall, including tiered management, can be tailored to each customer. For example, an xSP could offer a split-management service, where the customer and the service provider share management duties.

Likewise, strong report-generation and -dissemination capabilities are important so the service provider can examine traffic patterns across all its managed firewalls while also customizing reports specific to each customer.

Finally, integrating firewalls into an existing network is tricky at best, depending on the installation requirements. Transparent installations, where no reconfiguration is needed, provide the simplest and most flexible solution. In a hosted environment where everything is shared, support for 802.1Q VLANs (virtual LANs) is necessary to keep customer traffic separated.

802.1Q support varies, but we favor more flexible and robust implementations. Lucent's 802.1Q support is unmatched in that packets can be retagged when sent back out onto the network, and security policies can be applied to VLAN tags as well as IP addresses, which means more flexible policy building. Note, however, that issues with some switches allow traffic to hop VLANs, so make sure your switches are configured properly.
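The separation that 802.1Q tags give a multitenant firewall, as an added example that is not Lucent's or NetScreen's code and not from the article: parse the tag off an incoming frame, bind each VLAN to the tenant that owns it, check that the IP source address belongs to that tenant's address space, and retag the frame for the server-side VLAN before forwarding it. The tenant table, VLAN numbers, addresses and the test frames are constructed; dropping frames that carry a second, nested 802.1Q tag is a defensive check added here, not something the article specifies.

```python
"""802.1Q-aware multitenant ingress policy. Added example; not a vendor's code.
The tenant table, VLAN ids, addresses and frames are constructed."""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed tenant table: the customer VLAN on the shared fabric, the address
# space that customer owns, and the VLAN the firewall retags into on egress.
# Policy is keyed on the VLAN tag first, then on the IP address inside it.
TENANTS = {
    10: {"name": "acme", "net": ipaddress.ip_network("10.10.0.0/16"), "egress_vid": 110},
    20: {"name": "globex", "net": ipaddress.ip_network("10.20.0.0/16"), "egress_vid": 120},
}


def parse_tag(frame: bytes) -> dict:
    """Return the 802.1Q VID (None if untagged), the inner ethertype, the L3
    payload, and whether a second tag directly follows the first."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid != TPID_8021Q:
        return {"vid": None, "ethertype": tpid, "payload": frame[14:], "double_tagged": False}
    tci, inner = struct.unpack_from("!HH", frame, 14)   # TCI = PCP(3) DEI(1) VID(12)
    return {"vid": tci & 0x0FFF, "ethertype": inner, "payload": frame[18:],
            "double_tagged": inner == TPID_8021Q}


def retag(frame: bytes, new_vid: int) -> bytes:
    """Rewrite the VID of a tagged frame, keeping the priority and DEI bits."""
    tci = struct.unpack_from("!H", frame, 14)[0]
    new_tci = (tci & 0xF000) | (new_vid & 0x0FFF)
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def filter_frame(frame: bytes) -> tuple:
    """Ingress check on the shared trunk: (verdict, reason, frame to forward or None)."""
    tag = parse_tag(frame)
    if tag["vid"] is None:
        return "drop", "untagged frame on a shared trunk", None
    if tag["double_tagged"]:
        return "drop", "nested 802.1Q tag", None
    tenant = TENANTS.get(tag["vid"])
    if tenant is None:
        return "drop", f"VLAN {tag['vid']} belongs to no tenant", None
    if tag["ethertype"] != ETHERTYPE_IPV4 or len(tag["payload"]) < 20:
        return "drop", "not an IPv4 packet", None
    src = ipaddress.IPv4Address(tag["payload"][12:16])
    if src not in tenant["net"]:
        return "drop", f"{src} is outside {tenant['name']}'s address space", None
    return "forward", f"{tenant['name']} traffic from {src}", retag(frame, tenant["egress_vid"])


def build_frame(vid: int, src_ip: str, dst_ip: str) -> bytes:
    """Constructed test frame: Ethernet header + one 802.1Q tag + minimal IPv4 header."""
    eth = b"\x02" * 6 + b"\x04" * 6                       # constructed dst/src MACs
    tag = struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + tag + ip


if __name__ == "__main__":
    good = build_frame(10, "10.10.1.5", "10.10.2.9")
    samples = {
        "acme from its own space": good,
        "globex address arriving on acme's VLAN": build_frame(10, "10.20.1.5", "10.10.2.9"),
        "unknown VLAN": build_frame(30, "10.30.1.5", "10.10.2.9"),
        "untagged": good[:12] + good[16:],
        "double tagged": good[:12] + b"\x81\x00\x00\x0a" + good[12:],
    }
    for label, frame in samples.items():
        verdict, reason, out = filter_frame(frame)
        egress = parse_tag(out)["vid"] if out else "-"
        print(f"{label:40} {verdict:8} egress VLAN {egress}  ({reason})")
```

Keying the policy on the VLAN tag as well as the address is what closes the gap the paragraph points at: a packet with a valid-looking customer address is still refused if it arrives on another customer's VLAN. The nested-tag check is the firewall-side half of "make sure your switches are configured properly"; the switch-side half is that trunk ports facing customers should never accept frames that already carry a tag.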

The drive to increase bandwidth, reduce equipment purchases and minimize maintenance makes a compelling argument for multitenant firewalls. At a hardware-only cost of $84,995 for a Lucent Brick 1000 multitenant firewall, for example, you would break even replacing eight Brick 201 boxes at $8,995 each. Beyond eight, the cost of each additional firewall would drop proportionally.

Are you nervous about putting all your eggs in one basket? You're not alone. High availability, not only of the hardware but of the management station, is critical to ensure uptime and customer satisfaction.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs® and covers all security-related topics. Prior to joining Network Computing, he worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.

