10 things you should look for in a desktop firewall

These days, a personal firewall is a key part of the desktop security equation. IT pro Rick Vanover suggests a number of factors to keep in mind as you evaluate various desktop firewall products.


A desktop firewall is part of your first line of defense for implementing solid security and ensuring compliance. And there's no shortage of options—just take a look at the 50+ products discussed on the reviews page. As you decide on the best technology for your needs, here are a few factors to keep in mind.

#1: Granularity

It's sometimes easy to assume that you have the best solution because the solution is right there in front of you. Take the operating system firewall. Windows Firewall for Windows XP and Windows Vista offer a nice price (free), integration and management through Group Policy, and a decent feature set. Although Windows Firewall for XP lacks the granularity available with other products, it might be the right solution for the SOHO or cost-conscious environment.

The Vista version of Windows Firewall adds features that give you more granular control, including outbound filtering, which can stop a compromised host from propagating security threats to other systems. For details on the Vista firewall's capabilities, see "Get an in-depth look at Vista firewall's advanced configuration features."

#2: Integration with VPN connectivity

Some products build basic firewall functionality into the VPN client used by remote users, so the client can double as the desktop firewall. One example is Check Point's VPN-1 SecureClient, which has an integrated firewall element with policy-based configuration of firewall rules.

Best practice

Decide whether the policy may be managed locally or unlocked with a password, so that users can support themselves if you wish. Although not applicable to all situations, there may be occasional business needs to disable security rules for certain users. Plan for a way, either by password or by a remote method, to temporarily disable a rule so that such a connection can be allowed.

#3: Protection against user modifications

Make sure your firewall has a mechanism to prevent users from circumventing the firewall configurations. You'd be surprised what average users can find out now, thanks to Google and Wikipedia. Of course, if your firewall policies aren't too constraining, users will be less likely to try to tamper with the configuration.

Best practice

Don't run two firewalls at once. A common misconfiguration is to run a commercial firewall and the native operating system firewall (perhaps inadvertently) at the same time. In the case of Windows XP, use Group Policy Objects (GPOs) to ensure that Windows Firewall is disabled if you're using a commercial product as the desktop firewall.
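The following PowerShell audit is an added example and is not part of the article; it detects the "two firewalls at once" misconfiguration on a modern Windows client. It assumes Windows 8 or later with the built-in NetSecurity module (the XP-era equivalent the article has in mind was `netsh firewall show state`), reads the Group Policy registry keys that the Windows Firewall ADMX template writes, and asks Security Center which third-party firewall, if any, is registered.

```powershell
# Added example (not from the article): report built-in firewall state, whether Group
# Policy is forcing it, and whether a third-party firewall is registered, then flag
# the overlap. Assumes Windows 8+ client with the NetSecurity module.

# 1. Built-in firewall state per profile (Domain / Private / Public)
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled

# 2. Is Group Policy forcing the built-in firewall on or off? These keys exist only
#    when a firewall GPO has been applied; EnableFirewall = 0 means "disabled by policy".
$policyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$policyState = foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key   = Join-Path $policyRoot $p
    $value = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    [pscustomobject]@{ Profile = $p; PolicyEnableFirewall = $value }   # $null = not set by policy
}

# 3. Third-party firewalls register with Security Center on client SKUs. The namespace
#    is absent on server SKUs, so errors are suppressed and the result is simply empty.
$thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct -ErrorAction SilentlyContinue |
    Where-Object { $_.displayName -notmatch 'Windows' } |      # keep only vendor products
    Select-Object displayName, productState

$builtInOn     = ($profiles | Where-Object { $_.Enabled -eq 'True' } | Measure-Object).Count -gt 0
$vendorPresent = ($thirdParty | Measure-Object).Count -gt 0

$profiles    | Format-Table -AutoSize
$policyState | Format-Table -AutoSize
$thirdParty  | Format-Table -AutoSize

if ($builtInOn -and $vendorPresent) {
    Write-Warning "Windows Firewall is enabled alongside a third-party firewall: $($thirdParty.displayName -join ', ')"
} elseif (-not $builtInOn -and -not $vendorPresent) {
    Write-Warning 'No firewall appears to be active on this host.'
} else {
    Write-Output 'Exactly one firewall product is active.'
}
```

Run it under an account that can read HKLM policy keys. A `PolicyEnableFirewall` of `$null` on every profile means no GPO is governing the built-in firewall at all, which is the state the best practice above warns about: whichever product is active is active by local default, not by policy.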

#4: IPSec policies

It may be tempting to create a granular security policy for your infrastructure that includes a desktop firewall, antivirus scanning, malware/adware/spyware blocking, and possibly an IPSec policy at the client level (and at the server and physical layers as well). An IPSec policy, for example on Windows XP in an Active Directory domain, offers strong management and detailed configuration of the protocol stack. But so many disparate configurations and systems may make it difficult to respond in an agile fashion to an outbreak, or to implement other quick changes that adjust the technology to the situation.

#5: Security diversity

For the desktop, the two most important technology elements for securing the systems are most likely the antivirus package and a personal firewall. As you evaluate firewall options, consider using a different brand from your antivirus suite. Should a key vulnerability, failure, compromise, or similar risk render one of these two items useless at a suite level, it would be reassuring to know that the other part of your security strategy could be immune to this risk.

#6: Configuration control

In times past, you simply had to guard against the outside. Now, you have to guard against the inside as well. So when selecting a product, determine whether you can allow certain types of traffic (needed for business operations) from certain subnets or during certain timeframes or up to certain defined bandwidth levels. These types of questions are relevant to the granularity of the solution. For the enterprise desktop firewall (especially for remote users), you should seek the highest level of functionality through policy-based configuration to protect these systems from attack. A policy-based configuration will be the best tool to dynamically adjust the configurations as threats and business rules change, enforce configurations, and ensure total compliance.

#7: Environmental standardization

Make sure you have a standardized desktop environment so that the firewall product behaves, and can be managed, consistently; some products may not have the same feature set on different operating systems, or may not be available for them at all. This is one more argument for policy-based configuration: it lets you configure your systems and deploy your firewall configuration the same way everywhere. A thorough desktop firewall strategy gives the systems a strong protection point, usually their first level of protection when configured correctly at the protocol level. Bear in mind, however, that this can take away some functionality that your users may be accustomed to having on the client. (Between the lines, this reads: you can find out what they're doing that they should not be doing, because it no longer works: P2P, rogue wireless, etc.)

#8: Data management

Firewall products can easily overwhelm local (or remote) storage resources with logging or packet debugging data. Carefully consider what's required to be logged and how much of it to retain. Consider again a policy-based management configuration that may allow you to dynamically adjust logging as needed.
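As an added example (not from the article) of the data-management point, the PowerShell below caps the built-in Windows firewall log, logs dropped packets only, and then summarizes a log in the W3C format that `pfirewall.log` uses, so you can see which dropped traffic is actually worth retaining. It assumes Windows 8 or later with the NetSecurity module; the log lines it parses are constructed sample data, not a real capture.

```powershell
# Added example (not from the article). Assumes Windows 8+ with the NetSecurity module.

function Set-DesktopFirewallLogging {
    # Policy-style settings: 4 MB ring log and dropped packets only. Logging allowed
    # packets is the setting that fills local disks fastest, so it stays off.
    Set-NetFirewallProfile -All `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 4096 -LogBlocked True -LogAllowed False
}

function Get-FirewallDropSummary {
    param([string[]]$Lines)
    # The log is W3C extended format: a "#Fields:" header names the columns, other
    # "#" lines are metadata, and each record is space-separated.
    $fields  = $null
    $records = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
    # Count drops by protocol and destination port: the view that tells you whether the
    # log is recording an outbreak (one port, many sources) or just background noise.
    $records | Where-Object { $_.action -eq 'DROP' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Protocol/DstPort'; e = { $_.Name } }
}

# Constructed sample log (not a real capture); the header mirrors pfirewall.log.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:00:01 DROP TCP 10.0.5.23 10.0.5.7 51234 445 52 S 0 0 8192 - - - RECEIVE
2024-01-15 09:00:01 DROP TCP 10.0.5.23 10.0.5.8 51235 445 52 S 0 0 8192 - - - RECEIVE
2024-01-15 09:00:02 ALLOW TCP 10.0.5.7 142.250.1.1 51236 443 0 - 0 0 0 - - - SEND
2024-01-15 09:00:03 DROP UDP 10.0.5.40 10.0.5.7 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize
# To summarize the live log instead:
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

`Set-DesktopFirewallLogging` is a function rather than top-level code so the summary can be tried on the sample without changing the host's settings; call it explicitly (as an administrator) when you want the logging policy applied.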

#9: Outbound protection

It's not unthinkable that a desktop computer could be the originator of a worm outbreak, virus, or other security risk. If a product offers outbound filtering (at the port level), you can protect against re-propagation of risks even when a true fix is not yet available. Such protection can also block certain scanning, peer-to-peer, or other contraband activities that a desktop system may be trying to initiate.
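The PowerShell below is an added example (not from the article) that serves both #6 (configuration control) and #9 (outbound protection): a small rule set declared as data and applied to the built-in Windows firewall, with an inbound rule scoped to one management subnet and outbound port-level blocks that hold even if a worm is already on the host. It assumes Windows 8 or later with the NetSecurity module; the subnet and port values are constructed placeholders. Time-of-day and bandwidth limits, which the article also lists, are not Windows Firewall features and would need a third-party product.

```powershell
# Added example (not from the article). Assumes Windows 8+ with the NetSecurity module.
# Subnets, DNS addresses and ports below are constructed placeholders.

$group = 'Corp Desktop Policy'   # tag every rule so the set can be reviewed or replaced as one unit

$rules = @(
    # #6: admin RDP only from the management subnet, not from anywhere
    @{ Name = 'Corp-In-RDP-MgmtSubnet'; Direction = 'Inbound';  Action = 'Allow'; Protocol = 'TCP'; LocalPort = 3389; RemoteAddress = '10.10.20.0/24' }
    # #9: desktops have no business speaking SMB or SMTP to other hosts; block it at the
    #     port level so a worm or spam bot cannot re-propagate even before a fix exists
    @{ Name = 'Corp-Out-Block-SMB';     Direction = 'Outbound'; Action = 'Block'; Protocol = 'TCP'; RemotePort = 445 }
    @{ Name = 'Corp-Out-Block-SMTP';    Direction = 'Outbound'; Action = 'Block'; Protocol = 'TCP'; RemotePort = 25 }
    # business-required outbound traffic is explicit so the profile default can be Block
    @{ Name = 'Corp-Out-Web';           Direction = 'Outbound'; Action = 'Allow'; Protocol = 'TCP'; RemotePort = @(80, 443) }
    @{ Name = 'Corp-Out-DNS';           Direction = 'Outbound'; Action = 'Allow'; Protocol = 'UDP'; RemotePort = 53; RemoteAddress = @('10.10.0.10', '10.10.0.11') }
)

function Set-DesktopFirewallPolicy {
    param([hashtable[]]$Rules, [string]$Group)
    # Idempotent: drop the group's previous rules, then recreate them from the declaration
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($r in $Rules) {
        $params = @{
            DisplayName = $r.Name; Group = $Group; Direction = $r.Direction
            Action = $r.Action;    Protocol = $r.Protocol; Profile = @('Domain', 'Private')
        }
        foreach ($k in 'LocalPort', 'RemotePort', 'RemoteAddress') {
            if ($r.ContainsKey($k)) { $params[$k] = $r[$k] }
        }
        New-NetFirewallRule @params | Out-Null
    }
    # Default-deny turns the rule set into an allow list; set it last, after the allows exist
    Set-NetFirewallProfile -Profile Domain, Private -DefaultInboundAction Block -DefaultOutboundAction Block
}

Set-DesktopFirewallPolicy -Rules $rules -Group $group
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

The default outbound Block is the step that delivers #9 in full, and it is also the step most likely to break something users rely on: stage it with `-DefaultOutboundAction Allow` first, review what the firewall log shows the desktops actually sending (Active Directory, update services, line-of-business servers), add those as explicit allows, and only then flip the default. Because every rule carries the same `Group`, the whole set can be listed, audited or removed in one command, which is the consistency #10 below asks for.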

#10: Consistency

The only thing worse than having no firewall solution for the desktop environment is every desktop having a different configuration for a firewall solution. Strive to achieve a consistent configuration (final plug for policy-based configuration) that works with your security policy, business functionality requirements, connectivity risks, and users.

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.