Where PersonalDesktop Firewalls Fit in a Network

Where Personal/Desktop Firewalls Fit in a Network

Personal and desktop firewalls are frequently overlooked as security devices that should be implemented on a network. BlackHat 2004 had a keynote speaker introduce the concept of the de-perimeterization of the network. The problem he pointed out was that today's applications require so many ports to be opened in the network firewall to function properly that the network firewall almost does not need to exist in the first place. Although I disagree that the network firewall does not need to exist, the basic idea that we cannot rely on network firewalls alone to protect resources is a sound one. After all, a network firewall can only control traffic that passes through it. If an attacker can gain control of a system on the other side of the firewall, he potentially has unfiltered and unrestricted access to launch attacks from the compromised system to all other systems, rendering the network firewall useless as a defense mechanism.

Consequently, it is a good idea to incorporate firewall technologies on the servers themselves, giving you the ability to control traffic at the point closest to the data that you need to protect: the server network interface card (NIC). Because the firewall is running on the server itself, you can implement the most restrictive filtering rules possible, literally permitting only the traffic specifically required by the applications running on the server.

As illustrated in Chapter 4, "Personal and Desktop Firewalls," there are a number of ways to implement personal firewalls, ranging from built-in utilities such as Windows Firewall for Windows-based systems and IP filter for UNIX- and Linux-based systems to third-party firewall applications such as Trend Micro, ZoneAlarm, and Cisco Security Agent (CSA).

When determining the appropriate personal firewall to use, you must consider a few elements. First, you need to determine whether you need to control both inbound and outbound traffic with the personal firewall. Many built-in firewalls enable you to control inbound traffic, which is typically the most important traffic to manage; however, the ability to control outbound traffic can be an important defense strategy to prevent the spread of worms. For example, if the personal firewall will not allow the worm to communicate on a port, it can effectively prevent the worm from spreading.

Second, you need to consider whether the personal firewall needs to include IDS/IPS functionality. Because the personal firewall exists closest to the application and data that needs to be protected, it makes for a great location to implement an IDS/IPS. One of the biggest weaknesses of network-based IDS/IPS is that the sheer volume of data that must be processed is too great for the IDS/IPS to effectively filter and report on. When implemented as a component of the personal firewall, however, the IDS/IPS can be configured around the very specific traffic that is necessary for the applications running on the server, making it much easier to filter traffic with the IDS/IPS (because only the traffic required by the applications running on the server should be allowed).

Finally, you need to consider what will be necessary to provide for centralized management and reporting on your personal/desktop firewalls. It is one thing to manage a handful of perimeter network firewalls. When you start talking about implementing and needing to manage, maintain, configure and report on thousands of firewalls in an environment, however, the issues around centralized management and reporting become significant problems. Consequently, it is extremely important to look in detail at the enterprise-level capabilities of these products. A good personal/desktop firewall for a home user is not necessarily going to be a good solution for 10,000 desktops in an enterprise.