Why Use a Host-Based Firewall?
Enterprises commonly use perimeter-based firewall systems to protect systems on internal and service networks. Practical experience shows that this approach to protecting networks is often insufficient, for various reasons. Corporate firewalls installed on the perimeter of the network often have to handle a large number of protocols and services, and are difficult to configure correctly. Also, they do not protect against threats such as malicious mobile code (for example, viruses and worms) that somehow make it onto internal networks. Consequentially, many corporate networks are plagued by the latest crop of computer viruses, even though these networks are protected by firewalls and virus filters. Lastly, perimeter-based security does not protect against threats from inside a corporate network.
Host-based firewalls offer improved protection against the previously mentioned threats, and software is widely available for many systems. Linux systems support a kernel-based packet filter that is a suitable tool for constructing host-based firewalls. However, constructing a good set of rules that adequately protects a host is not trivial.
Host-based firewalls have the following advantages:
Protection Against Firewall Failure Adding another firewall of different design is helpful in case the primary firewall fails, because most likely the attack or problem that causes the primary firewall failure will not affect the host-based firewall similarly. Multiple firewalls do not offer increased protection against attacks directed at vulnerabilities in applications or operating systems.
Simplicity Configuring a host-based firewall is usually far simpler than configuring a perimeter firewall, because the host usually requires support for just a few protocols in order to function. Simplicity makes verification of the rule set simpler as well. (Complexity is the enemy of security.)
Protection Against a Wider Number of Threats The host-based firewall can protect against threats originating from within a corporate network, and can help mitigate the risks of badly configured software on a host.
Specificity A host-based firewall can be tuned to support a single set of applications and to block everything else. Perimeter firewalls are usually configured with a rule set designed to support many applications, and consequentially are much more likely to have exploitable weaknesses.
We acknowledge one disadvantage of host-based firewalls is that they often require specific configurations, depending on the application programs hosted. It is time consuming to configure host-based firewalls on many different servers. In some cases, it may not be practical to provide individualized configurations for every host.