Where Personal/Desktop Firewalls FitinaNetwork
Personal and desktop firewalls are frequently overlooked as security devices that should
be implemented on a network. BlackHat 2004 had a keynote speaker introduce the
concept of the de-perimeterization of the network. The problem he pointed out was that
today's applications require so many ports to be opened in the network firewall to
function properly that the network firewall almost does not need to exist in the first place.
Although I disagree that the network firewall does not need to exist, the basic idea that
we cannot rely on networkfirewalls alone to protect resources is a sound one. After all, a
network firewall can only control traffic that passes through it. If an attacker can gain
control of a system on the other side of the firewall, he potentially has unfiltered and
unrestricted access to launch attacks from the compromised system to all other systems,
rendering the network firewall useless as a defense mechanism.
Consequently, it is a good idea to incorporate firewall technologies on the servers
themselves, giving you the ability to control traffic at the point closest to the data that you
need to protect: the server network interface card (NIC). Because the firewall is running
on the server itself, you can implement the most restrictive filtering rules possible,
literally permitting only the traffic specifically required by the applications running on
the server.
As illustrated in Chapter 4
, "Personal and Desktop Firewalls," there are a number of ways
to implement personal firewalls, ranging from built-in utilities such as Windows Firewall
for Windows-based systems and IP filter for UNIX- and Linux-based systems to third-
party firewall applications such as Trend Micro, ZoneAlarm, and Cisco Security Agent
(CSA).
When determining the appropriate personal firewall to use, you must consider a few
elements. First, you need to determine whether you need to control both inbound and
outbound traffic with the personal firewall. Many built-in firewalls enable you to control
inbound traffic, which is typically the most important traffic to manage; however, the
ability to control outbound traffic can be an important defense strategy to prevent the
spread of worms. For example, if the personal firewall will not allow the worm to
communicate on a port, it can effectively prevent the worm from spreading.
Second, you need to consider whether the personal firewall needs to include IDS/IPS
functionality. Because the personal firewall exists closest to the application and data that
needs to be protected, it makes for a great location to implement an IDS/IPS. One of the
biggest weaknesses of network-based IDS/IPS is that the sheer volume of data that must
be processed is too great for the IDS/IPS to effectively filter and report on. When
implemented as a component of the personal firewall, however, the IDS/IPS can be
configured around the very specific traffic that is necessary for the applications running
on the server, making it much easier to filter traffic with the IDS/IPS (because only the
traffic required by the applications running on the server should be allowed).
Finally, you need to consider what will be necessary to provide for centralized
management and reporting on your personal/desktop firewalls. It is one thing to manage a
handful of perimeter network firewalls. When you start talking about implementing and
needing to manage, maintain, configure and report on thousands of firewallsin an
environment, however, the issues around centralized management and reporting become
significant problems. Consequently, it is extremely important to look in detail at the
enterprise-level capabilities of these products. A good personal/desktop firewall for a
home user is not necessarily going to be a good solution for 10,000 desktops in an
enterprise.
. start talking about implementing and
needing to manage, maintain, configure and report on thousands of firewalls in an
environment, however, the issues around. centralized
management and reporting on your personal/desktop firewalls. It is one thing to manage a
handful of perimeter network firewalls. When you start