Blocking with Personal Firewalls
Personal firewalls have really taken off in the last year. Numerous products are available, and they all have their own claims as to why they are the best product on the market. But do these products work? More importantly, do they work well in an enterprise environment?
First, personal firewalls can help mitigate the risk of remote access, but they do not provide a complete solution. Many of these products do not protect completely against Trojans such as BackOrifice or malicious Java or ActiveX content. Personal firewalls should be only one component of a remote access security solution, combined, at a minimum, with antivirus software and appropriate browser security.
Two main groups of personal firewalls exist: those that are standalone applications and those that are "agents" and that can be managed from a central server. The main difference between the two groups is control and logging. Does the company want control of the security policy configuration on the remote system and want to be able to monitor what attacks and probes are being launched against machines? Or, is the company content with the application just being there, running in the background? Each group has pros and cons; the decision needs to be made before looking for a specific solution to implement. (Note: Vendors generally provide both options, a standalone firewall application and the ability to centrally manage deployments.)
Standalone Personal Firewalls
The most popular standalone personal firewall applications are Zone Alarm, Black Ice Defender (now part of ISS), and Norton Personal Firewall. Other available products include Tiny Personal Firewall, McAfee Personal Firewall (formerly Signal9 ConSeal), PGP Desktop Firewall, and Sygate Personal Firewall (formerly Sybergen Secure Desktop).
These applications are ideal for a small environment, but they do not scale for use in an enterprise. The application must be installed and individually configured for each machine, a difficult proposition in today's work environment, where employees can work out of the office several weeks at a time. The company then loses control of the policy configuration because the end user could easily alter the configuration or completely disable the application, leaving a false sense of security for the corporate network. Additionally, administrators cannot receive real-time alerts or log information from these applications.
Centrally Managed Personal Firewalls
The second group, centrally managed personal firewalls, communicate with a central server for policy changes, application updates, and event logging. Several also allow policies to be locked so that users cannot modify them. Several also run as agents in the background, completely transparent to the user. The well-known products in this category include Black Ice Agent with ICEcap Manager (now part of ISS) and CyberArmor by InfoExpress. Other available products include F-Secure Distributed Firewall, Zone Labs' Integrity, and Sygate Secure Enterprise.
These products are better suited for the enterprise than the standalone applications because they allow ongoing monitoring and policy configuration by administrators with little end user involvement. However, they all still have a few issues that need to be ironed out before they can be fully effective in an enterprise environment. Many products identify the system to the management server by network information such as IP address or DNS name. This is troublesome for those with dynamic IPs in their broadband access or connect to various networks, such as a corporate LAN and broadband Internet, with different IP addresses. With a dynamic IP address on remote access systems, the management server cannot locate the end user system, disabling centralized management capabilities.
Communications between the agent and the management server are not always secure, allowing network sniffers to pinpoint remote access systems and develop more targeted attacks. F-Secure does not encrypt its communication, suggesting that the user should implement the VPN+ client. Even if the communications are encrypted, the process implemented in the application might not be ideal. Some products encrypt communications with an administrator-defined preshared key that is used for all agents. If the key is compromised, an attacker can modify the security policy of all the remote systems.