
Defense Starts Here: Page 2 of 20

More Administrator Time

In the past, you could secure a desktop by blocking all incoming connections and limiting outgoing traffic to a few well-defined ports and services (such as port 80 for Web access). That method is obsolete. Today, Trojan horses (hostile code disguised as, or hidden inside, benign applications) initiate outbound connections that look like legitimate traffic. For example, sensitive data can be encoded and hidden inside an ordinary HTTP request, so to a network analyzer a Trojan uploading your financial-data spreadsheets may be indistinguishable from normal Web browsing. A port-based policy cannot tell the two apart; the desktop firewall's central server must instead grant network access to individual applications. These per-application permissions form part of the firewall's security policy.

Methods of populating and configuring the list of permitted applications vary by product. Some products supply a scanning tool whose results are uploaded to the server; others let a clean client system learn the installed applications and report them back. All the products we tested compute an MD5 hash, or fingerprint, of each application's executable to protect the network from modified or overwritten applications: if the application being launched hashes differently from what the server dictates, it is denied network access. This way, infected Internet programs (viral or Trojan) and renamed applications (such as a Trojan masquerading as iexplore.exe) send up red flags. The check is only as strong as the hash, however; MD5 is no longer collision-resistant, and SHA-256 is the usual choice for this kind of fingerprint today.

Four of the products we tested--the exception is Symantec's Client Security--also offer component control; that is, they extend the same control to .DLL and other library files, which Trojans can also subvert. A library is a small file of compiled code, such as a Windows .DLL, that contains functions an application may call. The firewall calculates an MD5 hash of each library exactly as it does for each application, so a tampered or substituted library is caught the same way.

The administrator creates a list of allowed applications, libraries and their MD5 hashes as part of the security policy. Compiling and maintaining these lists and hashes requires a significant time investment, and because every legitimate patch or upgrade changes a file's hash, each one forces a policy update (see "Beyond the Initial Expense").

Because protection is a desktop firewall's top concern, we used two leak-test programs--FireHole and TooLeaky--to challenge each firewall's application-blocking abilities. These programs work by injecting DLLs and Windows hooks into Internet Explorer, so their outbound traffic appears to come from a trusted, permitted application. FireHole and TooLeaky got through every firewall until we enabled component control; clearly, application control alone is insufficient to protect your network.
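The policy check described in the preceding paragraphs (hash-based application control, the optional component control over loaded libraries, and the leak-test scenario that defeats application control alone) reduces to a small decision procedure. The following is an added example written for this page, not code from any of the reviewed products. The file paths, the "binaries" (short byte strings standing in for executables and DLLs), the firehole.dll name and the Policy class are all constructed for illustration; a real product hashes the files on disk and intercepts the process at the network stack. It defaults to MD5 to match the review, and takes the algorithm name as a parameter so the same code runs with SHA-256.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for files on a clean client (not real binaries);
# a real product hashes the bytes on disk. The tags just make each one distinct.
CLEAN_FILES = {
    r"C:\Program Files\Internet Explorer\iexplore.exe": b"MZ\x90\x00 iexplore 6.0 clean",
    r"C:\WINDOWS\system32\wininet.dll": b"MZ\x90\x00 wininet clean",
    r"C:\WINDOWS\system32\urlmon.dll": b"MZ\x90\x00 urlmon clean",
}
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CLEAN_LIBS = {p: d for p, d in CLEAN_FILES.items() if p.lower().endswith(".dll")}


def fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Hash of an image's bytes. The reviewed products used MD5; pass
    'sha256' for a collision-resistant fingerprint."""
    return hashlib.new(algorithm, data).hexdigest()


@dataclass
class Policy:
    """Allowed applications and libraries, keyed by path, with expected hashes."""
    apps: dict
    libs: dict
    component_control: bool = True
    algorithm: str = "md5"

    @classmethod
    def learn(cls, files, component_control=True, algorithm="md5"):
        """The 'clean client learns and reports back' way of populating the list."""
        apps = {p: fingerprint(d, algorithm) for p, d in files.items() if p.lower().endswith(".exe")}
        libs = {p: fingerprint(d, algorithm) for p, d in files.items() if p.lower().endswith(".dll")}
        return cls(apps, libs, component_control, algorithm)

    def decide(self, exe_path, exe_data, loaded_libs):
        """Return (allowed, reason) for a process that asks for network access.
        exe_data is the bytes of the image actually running at exe_path;
        loaded_libs maps each library the process has loaded to its bytes."""
        expected = self.apps.get(exe_path)
        if expected is None:
            return False, "deny: application not in policy"
        if fingerprint(exe_data, self.algorithm) != expected:
            # Catches both an infected binary and a Trojan renamed to a trusted path.
            return False, "deny: application hash mismatch (modified or masquerading)"
        if not self.component_control:
            return True, "allow: application matched; libraries not checked"
        # Component control: every library inside the trusted process must match too.
        for lib_path, lib_data in loaded_libs.items():
            expected = self.libs.get(lib_path)
            if expected is None:
                return False, f"deny: unlisted library loaded: {lib_path}"
            if fingerprint(lib_data, self.algorithm) != expected:
                return False, f"deny: library hash mismatch: {lib_path}"
        return True, "allow: application and all libraries matched"


def scenarios():
    """Replays the review's situations against policies with and without component control."""
    app_only = Policy.learn(CLEAN_FILES, component_control=False)
    full = Policy.learn(CLEAN_FILES, component_control=True)
    trojan_as_ie = b"MZ\x90\x00 trojan renamed to iexplore.exe"   # constructed
    # FireHole-style leak test: the genuine browser with an extra DLL hooked in.
    hooked_libs = {**CLEAN_LIBS, r"C:\Temp\firehole.dll": b"MZ\x90\x00 leak test hook"}
    return {
        "clean_browser": full.decide(IE, CLEAN_FILES[IE], CLEAN_LIBS),
        "renamed_trojan": full.decide(IE, trojan_as_ie, CLEAN_LIBS),
        "hooked_browser_app_control_only": app_only.decide(IE, CLEAN_FILES[IE], hooked_libs),
        "hooked_browser_component_control": full.decide(IE, CLEAN_FILES[IE], hooked_libs),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:34} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The third scenario is the leak the review observed: the browser image is genuine, so application control passes it, and the injected DLL rides out on its permission. Only the fourth policy, which hashes every loaded library, denies it. The same structure also shows the maintenance cost from the preceding paragraph: patching iexplore.exe or any listed DLL changes its fingerprint, so the learned policy must be refreshed from a clean client before the patched system regains network access.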