
A desktop firewall is part of your first line of defence for implementing solid security and ensuring compliance. As you decide on the best technology for your needs, here are a few factors to keep in mind.
1. Granularity
It's sometimes easy to assume that you have the best solution because the solution is right there in front of you. Take the operating system firewall: Windows Firewall for Windows XP and Windows Vista offers a nice price (free), integration and management through Group Policy, and a decent feature set. Although Windows Firewall for XP lacks the granularity available with other products, it might be the right solution for the SOHO or cost-conscious environment.
The Vista version of Windows Firewall includes more sophisticated features that give you more granular control, such as outbound filtering, which can be configured to stop a compromised client from propagating a security threat.
2. Integration with VPN connectivity
Some products build basic firewall functionality into the VPN client used by remote users, so such a product might serve as your client firewall as well. One example is Check Point's VPN-1 SecureClient, which has an integrated firewall element whose rules can be set through policy-based configuration.
3. Protection against user modifications
Make sure your firewall has a mechanism to prevent users from circumventing the firewall configuration. You'd be surprised what average users can find out now, thanks to Google and Wikipedia. Of course, if your firewall policies aren't too constraining, users will be less likely to try to tamper with the configuration.
4. IPSec policies
It may be tempting to create a granular security policy for your infrastructure that includes a desktop firewall, antivirus scanning, malware/adware/spyware blocking, and possibly an IPSec policy at the client level (and at the server and physical layers as well). An IPSec policy, in the example of Windows XP in an Active Directory domain configuration, allows strong management and detailed configuration of the protocol stack. But such disparate configurations and systems may make it difficult to respond in an agile fashion to an outbreak or to implement other quick changes that adjust the technology to the situation.
5. Security diversity
For the desktop, the two most important technology elements for securing the systems are most likely the antivirus package and a personal firewall. As you evaluate firewall options, consider using a different brand from your antivirus suite. Should a key vulnerability, failure, compromise, or similar risk render one of these two items useless at the suite level, it would be reassuring to know that the other part of your security strategy is not exposed to the same risk.
6. Configuration control
In times past, you simply had to guard against the outside. Now, you have to guard against the inside as well. So when selecting a product, determine whether you can allow certain types of traffic (needed for business operations) only from certain subnets, only during certain timeframes, or only up to certain defined bandwidth levels. These types of questions are relevant to the granularity of the solution. For the enterprise desktop firewall (especially for remote users), you should seek the highest level of functionality through policy-based configuration to protect these systems from attack. A policy-based configuration will be the best tool to dynamically adjust the configurations as threats and business rules change, enforce those configurations, and ensure total compliance.
7. Environmental standardisation
Make sure you have a standardised desktop environment for consistent manageability and behaviour of the firewall product, as some products may not have the same feature set on different operating systems -- or may not be available at all. And back to making a case for a policy-based configuration: it lets you consistently configure your systems and deploy your firewall configuration the same way everywhere. A thorough strategy on the desktop firewall will allow you to offer a strong protection point to the systems, usually the first level of protection for them when configured correctly at the protocol level. Bear in mind, however, that this can take away some functionality that your users may be accustomed to having on the client. (Between the lines, this reads: You can find out what they're doing that they should not be doing, because it doesn't work now -- P2P, rogue wireless, etc.)
8. Data management
Firewall products can easily overwhelm local (or remote) storage resources with logging or packet debugging data. Carefully consider what's required to be logged and how much of it to retain. Consider again a policy-based management configuration that may allow you to dynamically adjust logging as needed.
9. Outbound protection
It's not unthinkable that a desktop computer could be the originator of a worm outbreak, virus, or other security risk. If a product offers outbound filtering (at the port level), you can protect against re-propagation of such risks even when a true fix is not yet available. Such protection can also block scanning, peer-to-peer, or other contraband activity that a desktop system may be trying to initiate.
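To make points 8 and 9 concrete, here is an added example (not from the article) that parses Windows Firewall's pfirewall.log format and flags a host whose dropped outbound connections fan out to many destinations on one port, the pattern of a scanning or self-propagating desktop that outbound filtering is meant to contain. The log lines are constructed; the field list follows the W3C-style header Windows Firewall writes.

```python
"""Summarise dropped outbound connections from a Windows Firewall log.

Added example; the sample log below is constructed, not captured.
"""
from collections import defaultdict

# Constructed pfirewall.log excerpt. The #Fields header names the columns;
# "path" is SEND for outbound and RECEIVE for inbound.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-05-01 10:15:01 DROP TCP 192.168.1.10 192.168.1.21 1035 445 48 S 1001 0 65535 - - - SEND
2007-05-01 10:15:01 DROP TCP 192.168.1.10 192.168.1.22 1036 445 48 S 1002 0 65535 - - - SEND
2007-05-01 10:15:02 DROP TCP 192.168.1.10 192.168.1.23 1037 445 48 S 1003 0 65535 - - - SEND
2007-05-01 10:15:02 DROP TCP 192.168.1.10 192.168.1.24 1038 445 48 S 1004 0 65535 - - - SEND
2007-05-01 10:15:03 ALLOW TCP 192.168.1.10 10.1.2.3 1039 443 - - - - - - - - SEND
2007-05-01 10:15:04 DROP TCP 10.9.8.7 192.168.1.10 4444 135 48 S 2001 0 8192 - - - RECEIVE
2007-05-01 10:15:05 DROP UDP 192.168.1.10 192.168.1.30 6881 6881 120 - - - - - - - SEND
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated or malformed lines
            yield dict(zip(fields, values))


def outbound_drop_fanout(text, min_targets=3):
    """Return {(src-ip, dst-port): [dst-ips]} for dropped outbound connections
    that reached at least min_targets distinct destinations on the same port."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["path"] == "SEND":
            targets[(rec["src-ip"], rec["dst-port"])].add(rec["dst-ip"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, port), dsts in outbound_drop_fanout(SAMPLE_LOG).items():
        print(f"{src} -> port {port}: {len(dsts)} distinct destinations blocked")
```

Lowering min_targets or widening the time window trades detection sensitivity against the log volume point 8 warns about; the inbound RECEIVE drop and the single dropped UDP flow are deliberately left out at the default threshold.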
10. Consistency
The only thing worse than having no firewall solution for the desktop environment is every desktop having a different configuration for its firewall solution. Strive to achieve a consistent configuration (final plug for policy-based configuration) that works with your security policy, business functionality requirements, connectivity risks, and users.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.