Desktop Security

Protecting your organization means guarding against attackers as well as internal problems. Tools are essential, but so is user education.

August 27, 2004

Network Computing

Our comprehensive desktop-security plan is four-pronged, consisting of software firewalls, encrypted channels, antivirus tools and user education. In fact, before you buy a single security item, you must have a user-education program and a system to enforce and maintain it.

The Always-On Alternative

Applications or drivers that run on the end user's PC--software firewalls--usually act as a kernel shim. The software intercepts the data being passed between the kernel and network card drivers, inspecting all network traffic passed through it.

There are two major types of software firewalls: port blockers and application blockers. Port blockers, which include the built-in Windows 2000/XP firewall and iptables on Linux, work just like gateway or Internet firewalls: they can block communications only to or from specific TCP/UDP ports.

Regrettably, port blockers are useless on the desktop. For one thing, you'd have to open a wide range of ports for a user to take advantage of his or her most common applications. What's more, these firewalls can't distinguish between Internet Explorer and a hostile program sending traffic over port 80.

Windows XP SP2 includes bug fixes, safeguards against hostile Web downloads and improved default settings. These may make your XP desktops safer, but they're not enough to keep users from making poor security decisions. And SP2 will do nothing to enhance security for Windows 2000. A low-end PC with Linux and IPtables loaded on it makes an excellent free gateway firewall for perimeter security. But for the desktop, we strongly recommend using an application-blocking firewall, such as ZoneAlarm or Sygate Personal Firewall Pro. For less than $50 a seat, these products offer excellent value.

Unfortunately, these firewalls ask on-screen whether a particular application may have permission to access the Internet. Uneducated users tend to click "OK," leaving your system vulnerable to hostile code. On the upside, application blockers can detect some Trojan horse applications, protect themselves from being terminated by rogue programs, perform limited intrusion detection, shun the IP address of an attacker and scrub private data from outgoing traffic.

Many desktop-firewall vendors offer both free and commercial versions of their products. Be sure to check the features. Usually, the free version has less functionality and lacks centralized management, rendering it less than ideal. Business use of the free version may require a commercial license anyway.

In addition to their consumer-centric, single-machine firewalls, Sygate and ZoneLabs make centrally managed versions. They cost around $70 a seat--and you'll need to factor in administration time. Still, they give the administrator central control over application access rather than letting the end user decide.

(Figure: Needs Vs. Wants)

Making the Internet Safe

Data sent across the Internet isn't safe from eavesdropping. Roaming users connecting across hotel broadband, Wi-Fi hotspots or any other location outside the network may have their data intercepted or altered en route. Therefore, you need to encrypt all data that flows over someone else's network.

VPNs are the best way to do this (for an in-depth look at affordable VPN access, see "Don't Open the Door for Strangers"). Windows 2000/XP and Mac OS X have built-in VPN support on the client, but you need to buy a VPN gateway, which you can get from Symantec and other vendors for as little as $1,000. VPN gateways are often included in an all-in-one security appliance. Large units for big organizations are available from the infrastructure players. Cisco Systems makes one of the least expensive, at $20,000 for 1,500 users.

We've yet to encounter a free VPN gateway solution that's easy to use and maintain--the open-source community has taken a few stabs at it, with unexciting results. The biggest open-source VPN project, FreeS/WAN, recently announced that it has ended development.

Keep Out

Antivirus software is critical for desktop security. Computer Associates, Sophos, Symantec and Trend Micro all offer AV products for less than $35 a seat; we're unaware of any free Windows AV products for commercial use. Because antivirus technology is mainly reactive and dependent on signatures, recently created attacks and viruses may slip past the AV scanner. Fortunately, AV software requires virtually no maintenance beyond regular signature updates.

AV offerings from CA, Symantec and Trend Micro provide centralized quarantining of files and reporting. Some suites let you centrally distribute virus definitions instead of requiring every desktop to grab them off the vendor's site, thereby saving you bandwidth. Look at even the simplest AV suites, including the consumer-grade versions. These products may require a subscription fee to access virus-definition updates, so keep in mind potential recurring costs. CA and Sophos both offer free updates for life.
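The point that signature-based antivirus is reactive is easier to see with a minimal scanner in hand. The following is an added example, not code from the article or from any of the vendors named: a toy scanner that knows two kinds of signature (an exact file hash and a byte pattern) and is run over three constructed byte strings standing in for executables. The sample bytes and marker strings are invented placeholders, not real malware; the exercise shows why a repacked copy already slips past a hash signature, why a genuinely new variant is invisible until the vendor ships an updated definition, and therefore why the regular signature updates the article insists on are the one maintenance task you cannot skip.

```python
"""Constructed toy signature scanner showing why AV detection lags new variants."""
import hashlib


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


class SignatureScanner:
    """Minimal signature engine: exact-hash signatures plus byte-pattern signatures."""

    def __init__(self):
        self.hash_sigs = {}     # sha1 hex digest -> signature name
        self.pattern_sigs = {}  # signature name -> byte pattern

    def add_hash(self, name: str, sample: bytes) -> None:
        """Exact-match signature: only this precise file (same bytes) will hit."""
        self.hash_sigs[sha1_hex(sample)] = name

    def add_pattern(self, name: str, pattern: bytes) -> None:
        """Family signature: hits any file containing this byte sequence."""
        self.pattern_sigs[name] = pattern

    def scan(self, data: bytes) -> list:
        """Return the names of every signature that matches, in a stable order."""
        hits = []
        digest = sha1_hex(data)
        if digest in self.hash_sigs:
            hits.append(self.hash_sigs[digest])
        for name, pattern in self.pattern_sigs.items():
            if pattern in data:
                hits.append(name)
        return hits


# Constructed placeholder "executables" (harmless bytes, labelled as constructed).
SAMPLE_A = b"MZ\x90\x00" + b"CONSTRUCTED-SAMPLE-A" + b"\x00" * 16 + b"payload-marker-v1"
# Same family, trivially repacked: the padding changed, so the file hash changed.
SAMPLE_A_REPACKED = SAMPLE_A.replace(b"\x00" * 16, b"\x01" * 16)
# A new variant with a different marker: nothing in the current definitions covers it.
SAMPLE_B = b"MZ\x90\x00" + b"CONSTRUCTED-SAMPLE-B" + b"payload-marker-v2"


def build_scanner() -> SignatureScanner:
    """Definitions as they stood before anyone had analysed SAMPLE_B."""
    scanner = SignatureScanner()
    scanner.add_hash("Sample-A.exact", SAMPLE_A)
    scanner.add_pattern("Sample-A.family", b"payload-marker-v1")
    return scanner


def scan_all(scanner: SignatureScanner, samples: dict) -> dict:
    return {label: scanner.scan(data) for label, data in samples.items()}


def demo() -> tuple:
    """Scan before and after the definition update; return both result sets."""
    samples = {"A": SAMPLE_A, "A_repacked": SAMPLE_A_REPACKED, "B": SAMPLE_B}
    scanner = build_scanner()
    before = scan_all(scanner, samples)
    # The vendor's signature update arrives once the new variant has been analysed.
    scanner.add_pattern("Sample-B.family", b"payload-marker-v2")
    after = scan_all(scanner, samples)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for label in before:
        print(f"{label:<11} before update: {before[label] or 'clean'}  after: {after[label] or 'clean'}")
```

Before the update the repacked copy is caught only by the family pattern, and the new variant is reported clean; after the update it is detected. The window between those two scans is the exposure the article warns about, and the only thing that closes it is pulling definitions promptly, which is why centrally distributing them is worth the setup effort.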

Buy-In

In the end, all the security in the world won't beat out proper user education. Your antivirus software is useless if your user turns it off because it messes up "frog in a blender" games. Make sure user education is part and parcel of your desktop-security plan, or you'll spend more time eliminating pervasive intruders than simply preventing them from entering.

Maintaining centrally managed security policies can be a full-time endeavor, which makes outsourcing so attractive. Check out comprehensive outsource packages--antivirus, VPN, firewall and reporting--but be sure to ask providers these questions:

* What will signature updates cost?

* What will software updates and major new releases cost?

* What happens if you stop subscribing to the service? Does the AV software stop working?

* How can I access reports for forensic purposes?
