This is part 2 of a 3-part series on how you can quickly secure your system with a Linux-based SOHO firewall. In this segment, the author guides you through product selections for your particular needs and discusses hardware and software costs, including some that are often overlooked.
Protecting Both Ends
Small office/home office (SOHO) firewall products, unfortunately, are still evolving. As a result, IT managers face a multitude of features in SOHO firewall software programs and hardware devices. For example, some new products allow centralized monitoring and policy enforcement for desktop firewalls on remote machines, while others are less sophisticated but easier to use. Still other products offer different configuration options depending on an employee's role or on the particular use -- personal or business -- of the remote computer.
Santa Clara, Calif.-based ISP Exodus Communications, for example, has deployed CyberwallPlus-SV SOHO firewall software from Network-1 Security Solutions of Waltham, Mass., on 25 key servers. The company also has installed ZoneAlarm Pro SOHO firewall software from San Francisco-based Zone Labs on 2,000 internal PCs. Exodus plans to install ZoneAlarm Pro on 4,000 computers used by internal, mobile and home workers.
CyberwallPlus-SV is an industrial-strength SOHO firewall capable of protecting clustered multiprocessing machines. It installs at the kernel level, hardening the machine against common attacks and, more importantly, veiling that machine's identity. If attackers can't fingerprint what a machine is running, they can't easily pick the exploits associated with that type of machine, such as sendmail exploits against a mail server or Web server (IIS, for example) exploits against a Web server. CyberwallPlus-SV also stands up to Java and ActiveX mobile-code attacks better than other SOHO firewalls.
But for individual desktops and remotely connected machines, most users want a less-expensive filtering SOHO firewall that can be managed centrally. Network-1 Security Solutions has no such offering, so some users are choosing ZoneAlarm Pro, which has less-robust features but is cheaper and easier to manage.
While ZoneAlarm is easy enough to install, it snags on legacy applications and blocks outbound connections from some executables. ZoneAlarm doesn't work well with unusual applications and, if you run ZoneAlarm Pro in a mission-critical environment, it will not hold up against certain applets and hacking tools. (The same applies to BlackIce and other SOHO firewalls.) But, after some initial network interruptions, the SOHO firewall has proved strong enough to stand up to common exploits launched at individual computers, including port scans that go after vulnerable services and Trojan horses such as Back Orifice.
ZoneAlarm's central management server assimilates reports and alerts from desktop and remote workers' machines, making it easier to separate systematic attacks from simple port probes and false alarms. It also lets administrators tailor security settings to a user's role in the company: the protection a businessperson needs is different from what a network architect needs.
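The triage the central server makes possible can be shown with a short script. What follows is an added example, not code from the article, from Zone Labs or from any vendor named here: it parses a constructed batch of desktop-firewall block alerts, flags a source that touches many ports on one host within a short window as a systematic scan, recognises a probe of Back Orifice's default port (UDP 31337), and marks NetBIOS name-service traffic from an internal address as the kind of noise that usually turns out to be a false alarm. The log line format, the addresses and the thresholds are all assumptions made for the example.

```python
"""Added example: triage centrally collected host-firewall alerts.

Not from the article or any vendor; the log format below is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per blocked connection reported by a desktop firewall.
SAMPLE_ALERTS = """\
2001-05-14T08:01:02 host=pc-117 src=203.0.113.9 dport=21 proto=tcp action=block
2001-05-14T08:01:02 host=pc-117 src=203.0.113.9 dport=23 proto=tcp action=block
2001-05-14T08:01:03 host=pc-117 src=203.0.113.9 dport=25 proto=tcp action=block
2001-05-14T08:01:03 host=pc-117 src=203.0.113.9 dport=80 proto=tcp action=block
2001-05-14T08:01:04 host=pc-117 src=203.0.113.9 dport=139 proto=tcp action=block
2001-05-14T08:01:05 host=pc-117 src=203.0.113.9 dport=443 proto=tcp action=block
2001-05-14T08:05:30 host=pc-042 src=198.51.100.77 dport=31337 proto=udp action=block
2001-05-14T08:09:11 host=pc-201 src=10.1.4.22 dport=137 proto=udp action=block
2001-05-14T08:12:45 host=pc-008 src=192.0.2.5 dport=80 proto=tcp action=block
2001-05-14T09:30:00 host=pc-117 src=203.0.113.9 dport=8080 proto=tcp action=block
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>tcp|udp) action=(?P<action>\S+)$")

SCAN_WINDOW = timedelta(seconds=60)   # assumed: look for port sweeps inside one minute
SCAN_THRESHOLD = 5                    # assumed: distinct ports from one source in that window

# Default listening port of the Trojan the article names (Back Orifice uses UDP 31337).
TROJAN_PORTS = {("udp", 31337): "Back Orifice"}


def parse_alerts(text):
    """Turn the constructed log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "host": d["host"],
                       "src": d["src"], "dport": int(d["dport"]),
                       "proto": d["proto"], "action": d["action"]})
    return events


def find_scanners(events):
    """Sources that hit SCAN_THRESHOLD distinct ports within SCAN_WINDOW (sliding window)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scanners = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > SCAN_WINDOW:
                lo += 1
            if len({e["dport"] for e in evs[lo:hi + 1]}) >= SCAN_THRESHOLD:
                scanners.add(src)
                break
    return scanners


def label_source(src, evs, scanners):
    """Priority: scan, then known Trojan probe, then internal NetBIOS noise, else a lone probe."""
    if src in scanners:
        return "systematic scan"
    for e in evs:
        name = TROJAN_PORTS.get((e["proto"], e["dport"]))
        if name:
            return f"trojan probe ({name})"
    internal = ipaddress.ip_address(src).is_private
    if internal and all(e["proto"] == "udp" and e["dport"] in (137, 138) for e in evs):
        return "internal NetBIOS noise (likely false alarm)"
    return "isolated probe"


def summarize(events):
    """Per-source verdict with the hosts and ports touched, for the administrator's console."""
    scanners = find_scanners(events)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    return {src: {"label": label_source(src, evs, scanners),
                  "hosts": sorted({e["host"] for e in evs}),
                  "ports": sorted({e["dport"] for e in evs})}
            for src, evs in by_src.items()}


if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:16} {info['label']:42} hosts={info['hosts']} ports={info['ports']}")
```

The point of correlating at the server rather than on each desktop is visible in the first source: no single alert from 203.0.113.9 is alarming, but six ports in three seconds is a sweep. The NetBIOS rule is deliberately narrow (internal address, UDP 137/138 only) so that genuine internal attacks are not waved through as noise.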
A Matter of Discrimination
The ability to discriminate between types of sessions is especially important when dealing with home users' SOHO machines. The employee-owned computer is a big issue for many companies today. It's pretty hard to say to employees, "You have to put this SOHO firewall on your home PC," and then have them come back and say their kids are screaming about the inability to download Napster or AOL. So, you need some type of tie-in with the VPN (virtual private network) client so that the company's SOHO firewall policy only kicks in when employees connect for company purposes. Most SOHO firewalls offer some such distinction.
The CyberArmor SOHO firewall suite from InfoExpress of Los Altos, Calif., for instance, is praised by industry analysts for its ability to discriminate between home use, inbound connectivity to the corporate LAN and outbound connectivity from inside the LAN to the Internet. That ability is one reason Montreal-based Bell Canada International is rolling out InfoExpress on 4,000 portable computers and planning 33,000 installations on internal machines by the end of 2001.
InfoExpress' SOHO firewall allows Bell Canada to set different parameters depending on what mode the user is in. For example, as soon as the user activates his or her VPN client, the software changes from the standard Internet filter set to a predetermined VPN filter set. When the VPN is turned off, the SOHO firewall automatically reverts to Internet mode.
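The two ideas above, a filter set that switches when the VPN client comes up and a filter set that depends on the user's role, fit in one small policy engine. The code below is an added example written for this article; it is not CyberArmor, ZoneAlarm or any other product's code, and the corporate address space, the VPN gateway address, the role names and the port lists are all assumptions. Internet mode only refuses unsolicited inbound traffic, so the household's applications keep working; VPN mode allows the tunnel itself plus whatever the role needs inside the corporate network and denies everything else, so a compromised home machine cannot be used as a split-tunnel bridge.

```python
"""Added example: mode- and role-dependent host firewall policy.

Not vendor code; addresses, roles and ports are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str    # "in" (unsolicited inbound) or "out" (connections the host opens)
    proto: str        # "tcp", "udp" or "any"
    ports: frozenset  # destination ports; empty means any port
    remote: str       # CIDR the remote address must fall inside
    action: str       # "allow" or "deny"


ANY = "0.0.0.0/0"
CORP_NET = "10.0.0.0/8"           # assumed corporate address space reached through the VPN
VPN_GATEWAY = "198.51.100.10/32"  # assumed public address of the VPN concentrator

# Internet mode: the employee-owned PC is on its own; block unsolicited inbound, leave outbound alone.
INTERNET_RULES = [
    Rule("in", "any", frozenset(), ANY, "deny"),
    Rule("out", "any", frozenset(), ANY, "allow"),
]


def build_filter_set(vpn_up, role):
    """Return the rule list for the current VPN state and the user's role (first match wins)."""
    if not vpn_up:
        return INTERNET_RULES
    if role == "network-architect":
        corp_access = [Rule("out", "any", frozenset(), CORP_NET, "allow"),
                       Rule("in", "tcp", frozenset({22}), CORP_NET, "allow")]  # ops may SSH in
    else:  # "business": mail and web services on corporate servers, nothing more
        corp_access = [Rule("out", "tcp", frozenset({25, 80, 110, 143, 443}), CORP_NET, "allow")]
    return [
        Rule("out", "any", frozenset(), VPN_GATEWAY, "allow"),  # the tunnel itself (IKE, ESP)
        *corp_access,
        Rule("in", "any", frozenset(), ANY, "deny"),
        Rule("out", "any", frozenset(), ANY, "deny"),           # no split tunnelling while connected
    ]


def decide(rules, direction, proto, remote_ip, port):
    """Evaluate a connection against the rule list; default deny if nothing matches."""
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if r.ports and port not in r.ports:
            continue
        if addr not in ipaddress.ip_network(r.remote):
            continue
        return r.action
    return "deny"


class HostFirewall:
    """Swaps filter sets as the VPN client goes up and down, like the mode switch described above."""

    def __init__(self, role):
        self.role = role
        self.vpn_up = False
        self.rules = build_filter_set(False, role)

    def set_vpn(self, up):
        self.vpn_up = up
        self.rules = build_filter_set(up, self.role)

    def check(self, direction, proto, remote_ip, port):
        return decide(self.rules, direction, proto, remote_ip, port)


if __name__ == "__main__":
    fw = HostFirewall("business")
    print("internet mode, outbound web:", fw.check("out", "tcp", "203.0.113.50", 80))
    fw.set_vpn(True)
    print("vpn mode, outbound web to Internet:", fw.check("out", "tcp", "203.0.113.50", 80))
    print("vpn mode, corporate HTTPS:", fw.check("out", "tcp", "10.2.3.4", 443))
    print("vpn mode, corporate SSH as business user:", fw.check("out", "tcp", "10.2.3.4", 22))
```

Rules are evaluated first match wins and the engine falls through to deny, so a role that is missing from `build_filter_set` gets the restrictive business profile rather than an open one; that default is the check worth keeping when this is adapted to a real product's policy language.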
The SOHO firewalls and central management server are easy to install. But one mistake configuring the central management server's operating system, such as missing patches, default passwords or vulnerable services like FTP left running, can render the firewall manager ineffective. And the server needs to be fast enough to accommodate an early-morning log-in rush.
Bell Canada looked at nine SOHO firewalls before settling on CyberArmor because of its easy end-user interface; the central manager leaves nothing up to the end user. As a user logs in to the network, CyberArmor quickly scans that machine's security settings. It also can push out changes to security settings dictated by the administrator. The user never even knows anything is going on.
Some companies are going a step further by requiring a second, stationary, filtering hardware device at home and remote offices. And, while hardware SOHO firewalls from vendors like Seattle-based WatchGuard Technologies and NetScreen Technologies of Santa Clara, Calif., aren't portable, some managers say they want extra protection for home PCs.
For its 36 local employee laptops and three remote sites, Internet security firm Conqwest combines the BlackIce Defender SOHO firewall software from San Mateo, Calif.-based Network Ice with NetScreen-5, a stationary SOHO firewall/VPN appliance from NetScreen Technologies. The reasoning is that a compromised home machine could be used to ride the encrypted tunnel back into the office, so companies want to be certain that nobody can get into those machines.
BlackIce has the strongest intrusion detection available at the desktop level. Another plus is Network Ice's centralized reporting of alarms. The configuration window helps administrators sort incoming alarms from false alarms.