Desktop Firewalls

Decisions, Decisions

Before you choose a desktop firewall, determine whether you need a consumer- or enterprise-class model. Both provide similar security capabilities, but enterprise-class firewalls add centralized management and policy distribution. InfoExpress, Sybergen Networks and Securitae Corp. all sell centrally managed firewalls. Other vendors, including Internet Security Solutions (ISS) and ZoneLabs, offer both enterprise and consumer versions of their products.

If you have only a few users or need a firewall for your own machine, a consumer-class firewall might do the trick.

But tattoo this to your eyelids: End users should not have rights to modify firewall settings. Most centrally managed products offer ways to lock down policies. ISS's BlackICE PC Protection, for example, lets you install the product without a GUI.

Some firewalls let you override a policy. Sygate Technologies' Sygate Secure Enterprise Solution, for example, lets you create exceptions for individual users. Other products, such as those from InfoExpress, supply override passwords you can give a user if he or she needs to open a port or turn off the firewall. These special circumstances must be administrator-approved.

Once the firewall is in place, you need to decide how much information the end user should receive. Should he or she receive alerts on all possible attacks--and be inundated with information--or should he or she be left in the dark?

Some firewalls send out alerts simply to show they're functioning. For example, a ZoneLabs ZoneAlarm firewall I once used told me my router was trying to ping my machine. Well, hot damn, glad that security breach was averted! On college campuses, copious alerts can lead to equally copious phone calls from students making accusations like "Your SNMP-based network-management software just hacked my AOL account!" A good rule of thumb is to limit user notifications to serious threats.

Two other considerations: Most enterprise-class firewalls require a database for log files. Do you have licenses and experts in MS SQL or Oracle? Will you need a separate database server, or can you run the database on the policy server?

Also, pricing varies widely. Most vendors charge on a sliding scale and offer discounts for bulk buys. You may have to pay extra for a management server, too. And you'll need to budget resources for maintenance, user training and support.

Application Control

Some Desktop firewalls provide only port/IP blocking, but the best offer additional application controls to help you catch Trojans. Trojans are sneaky--they can send data to a remote server with HTTP to Port 80 or use any of the other common Internet protocols, which means port blocking is not sufficient. With application controls, you can specify which programs are granted network access. Products with this feature usually provide some form of application-integrity testing as well.

Let's say, for example, an MD5 checksum from a clean executable is fed to the desktop firewall. If the user tries to run a modified version of the program--such as a hack Trojan or a virus embedded into iexplore.exe--the checksums won't match and the firewall will deny the program access. Note, though, that this feature can cause an administrative headache: You'll need to maintain a list of approved programs and checksums.

Some desktop firewalls offer more application-control and file-integrity features. InfoExpress' CyborArmor, for instance, lets you control program spawning--you can set a batch script to execute when run from Eudora but not from Outlook.

Even with application control, though, Trojans can be injected into DLLs or running processes. DLL-integrity checking is the next big step, and vendors are working on this capability.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at [email protected].A desktop firewall won't prevent viruses or malicious code from doing damage, and it won't remove the hostile code. You need antivirus software for infection prevention and clean-up, and a VPN to transmit data safely. But setting up and managing all three kinds of products can be a major undertaking that calls for three separate management platforms. Fortunately, some vendors are working to create suites of integrated firewall, VPN and antivirus products.

Consolidation is a growing security trend reflected in the rash of corporate acquisitions and in vendors taking a one-size-fits-all approach to product development. You get more functionality at lower cost, but each component might not be the best in its class. Still, we have seen some moderate and intelligent moves toward multiple functionality in desktop protection. F-Secure, for example, is making a suite that lets you manage firewalls and antivirus programs from one interface. And InfoExpress' products can detect when a VPN tunnel is up and alter its firewall policy accordingly. Check Point Software Technologies bundles a personal firewall into its VPN client. Such integration will be a major differentiator in the future.