A firewall for every laptop: How to protect your network and still allow remote users

VPNs can punch a hole in your network security, putting you at risk of a hacker attack, as Microsoft and other companies have learned the hard way recently. Here's how one security-conscious company is mitigating this risk.


Any time a remote user accesses your network, it poses a security risk, yet many companies do no more than install password protection and cross their fingers.

But that’s a risk Jay Dybdahl, the information security manager for Lutheran Brotherhood, a Minnesota-based insurance and finance company, knew his firm couldn’t take. The company has more than 2,000 users across the country—many with high-speed cable connections—dealing with sensitive financial information. Dybdahl knew that his company couldn’t afford to sidestep security, so he recently completed a pilot project to test whether it was practical and effective to place firewalls on individual laptops. This summer, he plans to place firewalls on all field computers.

In this article, we’ll discuss:
  • The pilot project.
  • The company’s full-scale implementation plans.
  • Lessons for other companies considering a similar project.

Conducting the pilot project
It wasn’t hard to convince executives that the company needed to place firewalls on each field computer, Dybdahl said, especially since many field agents were using VPNs on high-speed connections.

“It was not difficult to make the case for it,” he said. “Given the risks that are involved in connecting through the Internet, it was just assumed that we would have to have, as a best practice, security [measures] in place. If you don’t want your systems compromised and you want this type of connection, then a personal firewall for a remote user is a must.”

After gaining the approval of company executives, Dybdahl then went in search of the right firewall vendor to ensure the actual implementation would go smoothly.

Dybdahl had two requirements for a firewall vendor:
  • They must have a proven product.
  • They must operate in a Windows 2000 environment.

The company began its search by testing a few products to determine which one would fit the business needs best and whether it could be integrated with the company’s Windows 2000 environment. For the pilot project, Dybdahl chose BlackICE’s Defender firewall. The cost for installation was about $50 per machine, he said.

The firewalls were deployed on 200 field laptops that, via DSL or broadband cable, used a VPN to connect to the company’s network. (Those who connect via dial-up were not chosen for the pilot, but those employees do use secure ID cards.)

But rather than doing a mass deployment, Dybdahl chose to gradually install the firewalls on a machine-by-machine basis. “It was not a burdensome effort to deploy this,” he said. “We really didn’t encounter a great deal of difficulty when we deployed these, other than just minor things. We installed quite nicely—not a problem.”

Full-scale implementation
The pilot project showed that deploying the firewalls on individual machines one-by-one was effective. However, for the actual implementation, Dybdahl will simplify the full rollout by timing it to coincide with the replacement of the field users’ old laptops with new machines. Instead of installing the software individually, the firewalls will be preconfigured and installed as part of the ghost image placed on each machine before it’s given to the user. This will prevent users from tampering with the firewall settings. Further, the firewalls will now be installed on all computers, including those of users who connect via dial-up, which brings in the 400-plus users that rely on VPN technology.

Regardless of the changes in the real rollout, Dybdahl was certain of one thing: “When we build this image, we are going to thoroughly test it before we put it on the machines,” he said.

When TechRepublic interviewed Dybdahl in early 2001, he had not determined whether he would continue with BlackICE Defender or choose a different vendor’s product. However, he expected the per-machine cost to remain about the same. Generally, firewall vendors provide first-year support but require clients to purchase support for the second year, which typically runs about 20 percent of the total cost, Dybdahl said. Since Lutheran Brotherhood plans to use these computers for two years, the added tech support costs will bring the price to approximately $60 per machine, he added.

Lessons learned
Because Lutheran Brotherhood field representatives are transmitting sensitive personal and financial data over the Internet, investing in individual firewalls was an easy decision, Dybdahl said.

“Each company has to assess what the risks are, how much risk they’re willing to assume, and how much risk they want to mitigate by deploying software such as this,” he said.

What can you take away from Dybdahl’s experience? If you’re considering a similar project, remember these guidelines.
  • To make the business case for such a project, explain the risks that allowing remote users to connect to your system over the Internet can pose to the integrity of your system. (For more on making a business case for security, see "Eight tips for justifying security infrastructure investments.")
  • There are pros and cons to every product. Ask for demonstrations and test different products before committing. “You have to bring in copies of each [product] and evaluate it based on your business needs and your environment,” Dybdahl said.
  • Install the firewall as part of the computer’s ghost image—preferably when you update your equipment.
  • Consider using a token-based ID for dial-up. This provides an extra layer of authentication.
