IT Pro Briefing: How To Secure Desktop PCs With Personal Firewalls
The hard part is picking the right combination of protection products for the desktop and understanding the trade-offs between convenience, security, and simplicity.
March 24, 2007
Personal firewalls aren't a luxury anymore. As more users roam with their laptops in and out of corporate networks, it's easy for their devices to become infected. This has prompted companies to look for ways to shield them from the continual attacks raging across the Internet.
Yes, continual attacks. A recent study from the University of Maryland Clark School's Center for Risk and Reliability and Institute for Systems Research finds that attackers attempted to breach the average Internet-connected computer every 39 seconds. "Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections," says Michel Cukier, the author of the study and an engineering professor at the school. The computers in Cukier's study were attacked, on average, 2,244 times a day.
The old days of simply getting a virus via e-mail seem benign compared to today's security risks. "Threats haven't relented," says Richard Weiss, director of endpoint security product marketing at CheckPoint Software. "We've seen a very clear change in the kinds of attacks. It isn't a bunch of script kiddies, but now very sophisticated and professional hackers who are trying to make money by breaching enterprise security and getting confidential information." Trojan applications are now four times as prevalent as viruses and worms reports antivirus software vendor Sophos. That's double the ratio from the first half of 2005.
Traveling laptops connect to different local networks, both wired and wireless. "They're networks over which corporate IT has no control," notes Monte Robertson, a consultant at Software Security Solutions, an independent security reseller. Companies need to start protecting mobile devices, including laptops and PDAs, with the same layered approach that they use to protect their corporate networks, Robertson says.
Personal Firewalls Checklist
Do inventory of Windows versions of remote users first to understand potential population dynamics | |
Collect typical Internet-based applications that these users will be running | |
Test two or three third-party personal firewalls with this collection of OS versions and typical applications | |
Examine firewallleaktester.com results for your selected products | |
If more protection required, begin to examine more expensive total endpoint security products from Juniper and others |
Two Basic Approaches
The hard part is picking the right combination of protection products for the desktop and understanding the tradeoffs between convenience, security, and simplicity that result from these choices. There have been two basic approaches by security vendors, and until recently, these have been fairly distinct product lines.
One approach is to sell a hardware appliance for perimeter protection that works in conjunction with software for each desktop. These appliances are available from a wide range of vendors, including CheckPoint, Cisco, Juniper, and Symantec. The advantage of this approach is that a single vendor handles both perimeter and desktop security. On the flip side, though, companies might not get the features that best suit their needs.
A second choice is to use a security suite of software that works in conjunction with an enterprise gateway or centralized antivirus solution. Examples of these kinds of products include:
The advantage of this method is that users don't need to install or configure anything on their own; the enterprise suites (or in the case of Windows Live, a Web-based service) manage their own updates. This means that the attack signature databases are automatically updated centrally so the protection stays current. A downside of this approach is that these solutions are often compromises that don't have best-of-breed protection, and exploits can slip through. In addition, they don't always support older versions of Windows.
IT managers are finding that neither of these approaches can handle unmanaged PCs such as those used by home workers or guest workers that aren't full-time employees. "IT managers discovered several years ago with the Blaster attack that traditional antivirus and intrusion-detection systems were simply not getting the job done," says Weiss.Windows Firewall Weaknesses
The biggest weak spot with either approach is relying on the built-in Windows (or Mac OS) personal firewall. The "personal" label is to distinguish it from the corporate firewalls that protect the entire enterprise network from attacks. The personal versions run on individual desktops only.Relying on built-in personal firewalls supplied by the OS isn't good security practice, because it's easy for users to turn off these firewalls (either inadvertently or purposely) and forget to turn them back on. And for users of older OS versions, particularly with Windows XP and earlier, the built-in firewalls offer unsatisfactory protection, and even a false sense of security.
For example, Windows XP didn't have its own built-in firewall when it was first released, and only since Service Pack 2 has it been included with the OS. However, the XP firewall only protects inbound and not outbound connections, meaning that any potential infection that somehow finds its way to a user's hard drive can proceed to take control over that machine and use it to send out attacks or participate in a botnet. "A critical layer of computer security is protection from outbound attacks -" where sensitive information leaves the computer," says Robertson.
"SP2 did patch a lot of vulnerabilities and made XP stronger and Internet Explorer much more secure," says Igor Pankov, product marketing manager for Agnitum. "But SP2 didn't do much to increase overall corporate security, because every bit of malware can send personal data outbound."
Vista and the Windows Live OneCare managed service offering both have their own firewalls that are somewhat more capable. But the Vista firewall by default protects only inbound connections. It can be configured for outbound protection as well, although this isn't simple to do and certainly beyond the capabilities of the average user. "Vista is inherently more secure than previous Windows versions, but it isn't the silver bullet," says Shane Coursen, a senior technical consultant with Kaspersky Labs. Agnitum has its own review of the issues with Vista's firewall.
The tradeoffs between a more capable personal firewall and ease-of-use issues have created a market for replacements to the built-in Windows firewall, something that IT managers can recommend for all remote users and others that come and go from their campus networks.Third-Party Personal Firewalls
As a result, a third approach is now being used more frequently: combining a stronger personal firewall on each desktop with either a centralized security appliance or a suite of security software. This is the essence of dozens of endpoint security products that are now appearing on the market from vendors such as Cisco, Consentry, Juniper, Lockdown Networks, and Mirage Networks. They all employ a device that monitors the state of each network device and ensures that it's running with some kind of protective measures, including a personal firewall.But these endpoint solutions are expensive and take a great deal of time to deploy. A good alternative is to choose a third-party personal firewall to strengthen all Windows desktops, from vendors such as Check Point Software's Zone Labs, Panda Software, Prevx, and others as shown in the summary table below:
Product | URL | Major features |
---|---|---|
Panda Software Client Shield 2006 | Windows 98/2000 support, enterprise licenses | |
Zone Alarm Internet Security Suite v7.0, CheckPoint Integrity | Free (firewall only) and paid versions; suite includes IM protection and antivirus/spyware | |
Prevx v1.0 | Free prevention but $25/yr for remediation | |
Jetico Personal Firewall v1.01 | Free, Win98/2000 | |
Agnitum Outpost Pro v4.0 | 64-bit Windows and Win98/2000; includes anti-malware/spyware | |
Kaspersky Internet Suite v6.0 | 64-bit and Vista support; includes anti-malware/spyware |
Third-Party Personal Firewall Products
The benefit of using these products is that they're tuned to protect the desktop and can often do a better job of keeping zero-day exploits from infecting other users across an enterprise network.
One experience is typical. Telecommunications VAR Tele-Verse had been using Symantec's Norton antivirus product to protect its 20-plus Windows 2000 desktops about nine months ago, when one of them got infected with a virus that spread throughout the entire company. "It took us the better part of a day to try to find something that could eradicate this virus, even though we had the latest updates of Norton on all of our machines," says Scott Rendell, operations manager for Tele-Verse. "Finally, we found Prevx and tried it on one machine. We were astounded at how easily it worked and how quickly it found the problem and quarantined the virus. We haven't had any outbreaks since then."
Prevx constantly checks for new signature updates and also has heuristics that monitor virus-like behavior of applications. Some other third-party personal firewall products have begun incorporating similar techniques, and security researchers are spending more time examining ways to block malware without requiring specific signatures.Figuring out the best personal firewall isn't simple, and IT managers will need to test with a wide variety of desktop configurations and applications before making any recommendations. The tradeoffs are in terms of what these products can protect vs. how hard they are to use in daily computing tasks. "The challenge is in minimizing the management burden of additional software for additional desktop protection," says Check Point's Weiss. "Enterprises have reached their limit on how many different pieces of software they want to support."
There are a few independent test labs that determine the efficacy of personal firewalls, and one of the more thorough is the Firewall Leak Tester. It puts over a dozen different products through a battery of tests to determine if the firewalls can stop particular types of attacks from doing any damage. IT managers can evaluate these tests and determine the relative strength of each product offering.One of the surprises from these tests is the difference in efficacy between the free and paid versions of Zone Alarm, one of the older personal firewalls around. The free version blocked only four out of the 27 different potential exploits, while the paid version could handle nearly 20 out of 27.
The top performer of the latest round of tests is the Jetico personal firewall, one that seems to stop just about anything, at least according to Firewall Leak Tester's results. While the Jetico product is freely available, it isn't the easiest product to configure, and IT managers will need to spend some time setting it up and tuning it for each user. Our tests found it difficult to set up, especially for users with multiple Internet-facing applications beyond just simple Web browsing and e-mail.
Two other top performers in these leak tests are Agnitum's Outpost Pro firewall and Kaspersky Labs' Internet Suite, both of which are commercial products that have been around for several years. Both integrate personal firewalls with antivirus and anti-spyware protection. Kaspersky supports Vista along with older Windows versions.
Several vendors have begun to offer their personal firewalls as part of an overall integrated security solution for companies, either for delivering better endpoint security or just to combine their disparate personal and enterprise product lines. Examples of this strategy include Symantec with its Client Security line of products, Check Point Software's Integrity, and Kaspersky's Open Space Security. All three combine capable personal firewalls with overall enterprise management tools.No matter which product you choose, it's important to get started evaluating personal firewalls soon. "Laptops should have the best-in-class security solutions for antivirus, anti-spyware, and firewalls," says Software Security Solutions' Robertson. "It's time to start thinking about requiring a personal firewall as an essential tool for the remote user."
You May Also Like