10 things you should look for in a desktop firewall

These days, a personal firewall is a key part of the desktop security equation. IT pro Rick Vanover suggests a number of factors to keep in mind as you evaluate various desktop firewall products.

A desktop firewall is part of your first line of defense for implementing solid security and ensuring compliance. And there's no shortage of options--just take a look at the 50+ products discussed on the Firewallguide.com reviews page. As you decide on the best technology for your needs, here are a few factors to keep in mind.

#1: Granularity

It's sometimes easy to assume that you have the best solution because the solution is right there in front of you. Take the operating system firewall. Windows Firewall for Windows XP and Windows Vista offers a nice price (free), integration and management through Group Policy, and a decent feature set. Although Windows Firewall for XP lacks the granularity available with other products, it might be the right solution for the SOHO or cost-conscious environment.

The Vista version of Windows Firewall includes sophisticated features that give you more granular control, such as configuration options that protect against outbound propagation of security threats. For details on the Vista firewall's capabilities, see "Get an in-depth look at Vista firewall's advanced configuration features."

#2: Integration with VPN connectivity

Some products build basic firewall functionality into the VPN client used by remote users. Such a product might serve as your firewall on the client as well. One example is Check Point's VPN-1 SecureClient, which has an integrated firewall element that supports policy-based configuration of firewall rules.


Best practice

Allow the policy to be managed locally or passed via a password so that users can support themselves if you wish. Although not applicable to all situations, there may be occasional business needs to disable security rules for certain users. Consider a way, either with a password or remote method, of disabling a rule to temporarily allow such a connection.


#3: Protection against user modifications

Make sure your firewall has a mechanism to prevent users from circumventing the firewall configurations. You'd be surprised what average users can find out now, thanks to Google and Wikipedia. Of course, if your firewall policies aren't too constraining, users will be less likely to try to tamper with the configuration.


Best practice

Don't use two firewalls at once. A common misconfiguration is to use a commercial firewall and the native operating system equivalent (perhaps inadvertently) at the same time. Be sure, in the case of Windows XP, that you set Group Policy Objects (GPOs) to ensure that Windows Firewall is disabled if you're using a commercial product for the desktop firewall space.


#4: IPSec policies

It may be tempting to create a granular security policy for your infrastructure that includes a desktop firewall, antivirus scanning, malware/adware/spyware blocking, and possibly an IPSec policy at the client level (and server and physical layers as well). An IPSec policy, in the example of Windows XP in the Active Directory domain configuration, allows great management and detailed configuration for the protocol stack. But such disparate configurations and systems may make it difficult to respond in an agile fashion to an outbreak or implement other quick changes to adjust the technology to the situation.

#5: Security diversity

For the desktop, the two most important technology elements for securing the systems are most likely the antivirus package and a personal firewall. As you evaluate firewall options, consider using a different brand from your antivirus suite. Should a key vulnerability, failure, compromise, or similar risk render one of these two items useless at a suite level, it would be reassuring to know that the other part of your security strategy could be immune to this risk.

#6: Configuration control

In times past, you simply had to guard against the outside. Now, you have to guard against the inside as well. So when selecting a product, determine whether you can allow certain types of traffic (needed for business operations) from certain subnets or during certain timeframes or up to certain defined bandwidth levels. These types of questions are relevant to the granularity of the solution. For the enterprise desktop firewall (especially for remote users), you should seek the highest level of functionality through policy-based configuration to protect these systems from attack. A policy-based configuration will be the best tool to dynamically adjust the configurations as threats and business rules change, enforce configurations, and ensure total compliance.

#7: Environmental standardization

Make sure you have a standardized desktop environment for consistent manageability and behavior for the firewall product, as some products may not have the same feature set on different operating systems--or may not be available at all. And back to making a case for a policy-based configuration, you can consistently configure your systems and deploy your firewall configuration this way. A thorough strategy on the desktop firewall will allow you to offer a strong protection point to the systems, usually the first level of protection for the systems when configured correctly at the protocol level. Bear in mind, however, that this can take away some functionality that your users may be accustomed to having on the client space. (Between the lines, this reads: You can find out what they're doing that they should not be doing because it does not work now--P2P, rogue wireless, etc.)

#8: Data management

Firewall products can easily overwhelm local (or remote) storage resources with logging or packet debugging data. Carefully consider what's required to be logged and how much of it to retain. Consider again a policy-based management configuration that may allow you to dynamically adjust logging as needed.

#9: Outbound protection

It's not unthinkable that a desktop computer could be the originator of a worm outbreak, virus, or other security risk. If a product supports outbound filtering (at the port level), you can protect against re-propagation of risks even if a true fix is not available. Such protection can also block certain scanning, peer-to-peer, or other contraband activities that a desktop system may be trying to initiate.
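The policy model described in #6 and #9 (rules scoped by direction, subnet, port, and time window, with everything else denied) can be sketched as follows. This is an added example, not code from the article or from any firewall product; the `Rule` class, `decide` function, and sample policy are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in" or "out"
    network: str                     # remote subnet, CIDR notation
    port: Optional[int] = None       # None matches any port
    start: time = time(0, 0)         # rule is active from start ...
    end: time = time(23, 59, 59)     # ... to end (local time)

    def active_at(self, at: time) -> bool:
        if self.start <= self.end:
            return self.start <= at <= self.end
        return at >= self.start or at <= self.end   # window wraps past midnight

    def matches(self, direction: str, remote_ip: str, port: int, at: time) -> bool:
        return (direction == self.direction
                and ip_address(remote_ip) in ip_network(self.network)
                and self.port in (None, port)
                and self.active_at(at))

# Constructed sample policy. Order matters: the first matching rule decides.
POLICY = [
    Rule("allow", "in", "10.0.0.0/24"),                    # trusted LAN, both directions
    Rule("allow", "out", "10.0.0.0/24"),
    Rule("block", "out", "0.0.0.0/0", port=445),           # no SMB beyond the LAN
    Rule("allow", "out", "0.0.0.0/0", start=time(8), end=time(18)),  # business hours
]

def decide(policy, direction, remote_ip, port, at):
    """Return (action, index of the deciding rule); unmatched traffic is blocked."""
    for index, rule in enumerate(policy):
        if rule.matches(direction, remote_ip, port, at):
            return rule.action, index
    return "block", None                                   # default deny

if __name__ == "__main__":
    for args in [("out", "10.0.0.5", 445, time(22, 0)),
                 ("out", "203.0.113.7", 445, time(10, 0)),
                 ("out", "203.0.113.7", 443, time(22, 0))]:
        print(args[:3], args[3].isoformat(), "->", decide(POLICY, *args))
```

Returning the index of the deciding rule makes rule-ordering mistakes visible: moving the port 445 block above the LAN rules would also cut off file sharing inside the trusted subnet.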

#10: Consistency

The only thing worse than having no firewall solution for the desktop environment is every desktop having a different configuration for a firewall solution. Strive to achieve a consistent configuration (final plug for policy-based configuration) that works with your security policy, business functionality requirements, connectivity risks, and users.
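One way to check the consistency asked for here, and to spot the user modifications discussed in #3, is to compare each desktop's exported rule set against a baseline. This is an added example, not code from the article; the one-rule-per-line export format, host names, and rules are constructed, and it assumes rule order is not significant in that format.

```python
import hashlib
from collections import defaultdict

def normalize(rules):
    """Canonical rule set: ignore blank lines, letter case and spacing."""
    return frozenset(" ".join(r.lower().split()) for r in rules if r.strip())

def fingerprint(rules):
    """Stable SHA-256 over the canonical rule set, for grouping identical hosts."""
    canon = "\n".join(sorted(normalize(rules)))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def drift_report(baseline, fleet):
    """Map each non-compliant host to the rules it lacks and the rules it added."""
    base = normalize(baseline)
    report = {}
    for host, rules in fleet.items():
        current = normalize(rules)
        if current != base:
            report[host] = {"missing": sorted(base - current),
                            "extra": sorted(current - base)}
    return report

def distinct_configs(fleet):
    """Group hosts by fingerprint; one group means a consistent fleet."""
    groups = defaultdict(list)
    for host, rules in fleet.items():
        groups[fingerprint(rules)].append(host)
    return sorted(sorted(hosts) for hosts in groups.values())

# Constructed sample data in a hypothetical one-rule-per-line export format.
BASELINE = ["allow out 10.0.0.0/24 any",
            "block out any 445",
            "block in any any"]
FLEET = {
    "desk-01": ["allow out 10.0.0.0/24 any", "block out any 445", "block in any any"],
    "desk-02": ["Block  In any any", "BLOCK out any 445", "allow out 10.0.0.0/24 any"],
    "desk-03": ["allow out 10.0.0.0/24 any", "block in any any",
                "allow in any 6881"],          # outbound block removed, P2P port opened
}

if __name__ == "__main__":
    print(drift_report(BASELINE, FLEET))
    print(distinct_configs(FLEET))
```

Normalizing before comparing keeps cosmetic differences (case, spacing, ordering) from being reported as drift, so only desk-03's real changes show up.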

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

12 comments
kloska

Does anybody have any suggestions for good Desktop firewalls? There are a ton out there. I was a fan of Sygate, but I refuse to go the Symantec route. Thanks

sumanium

Don't use 2 firewall solutions at the same time? Why?

JodyGilbert

Has your organization standardized on a desktop firewall solution that offers everything you need? What other features or considerations would you add to this list for those evaluating firewall products?

TheGooch1

I have tried both of them, and for some reason they do not understand "allow all connections to/from network 10.0.0.x". I think I entered this rule 20 times into both programs, and my computer still could not connect to my home Windows domain controller to authenticate my username/password. I had to turn the firewall off to do that. So, if someone has a software firewall that they know will not have the same issue, please post it!

Jpesker

I just read yesterday at this link about different magazines' reviews on firewalls, some credible, some not, about their favorites: http://www.consumersearch.com/www/software/firewalls/reviews.html A jumping off point for those who need a different firewall, and so far, Outpost Firewall is doing its job FOR ME, we have to let you decide, because let's face it, they all have their good points and some bad points too (especially for P2P applications, you have to let the whole world into your PC because you have to share, and the hackers love this about Firewalls and P2P sharing). But, anyways, moving on to the Firewalls. Some of the favorites from the magazine link above are: 1) Outpost

deepsand

The greatest danger in running 2 firewalls on a single machine is that each will attempt to be the final authority, with the possible result that there will be an occasion when each will consider the other to be an interloper who is trying to subvert your machine, so that a deadly embrace ensues.

Kjell_Andorsen

Mainly because if you configure one firewall properly you shouldn't ever need a second one, and having a second one can cause all sorts of conflicts and issues. It means if you have an issue you have to verify settings in two programs instead of one. To me it just seems like a potential administrative nightmare with little to no added benefit

b4real

Simply put, you can have overlapping rules that can make troubleshooting 'fun'. Just to clarify, we mean two firewalls installed on the same system at once - not two firewalls within your client environment.

Stephen.Dubos

Would you run two antivirus solutions on the one machine? Conflicts, more administrative work--there's lots of reasons.

deepsand

I've yet to find a Swiss Army knife that could perform all of its intended functions as well as could tools specialized for each task. From experience, I find that security suites are no exception in this regard. If I must use a suite, in order to get the best-of-breed re. a particular function, I disable all other functions on that suite.