Network administrators have relied on firewalls for years to protect networks from external attack. Most admins would agree with security experts, however, that a single layer of defense is seldom adequate: you want to put as many barriers as possible between an attacker and your systems. One additional layer is to protect each workstation on the private network with its own firewall.
Microsoft has taken steps toward making this security design easy to implement by integrating a personal firewall into Windows XP. The problem is that the Windows XP firewall leaves a lot to be desired and chances are not all of your workstations are running Windows XP anyway.
One way to solve this problem is by using 3Com NICs that contain embedded firewalls. By doing so, you gain the benefit of having an integrated hardware-based firewall on each PC. The 3Com system also provides an embedded firewall policy server that allows the administrative staff to centrally manage up to a thousand workstations and laptops with the embedded firewall NICs.
Why use embedded firewall NICs?
With so many security products available, you might wonder why embedded firewall NICs are such a great option. To really understand what makes embedded NICs so great, you must stop and think about a traditional "secure" system and where the weaknesses are in it.
Suppose for a moment that you've got a 1000-node corporate network consisting of file and print servers, Exchange servers, ISA servers, Web servers, and a whole lot of Windows XP workstations. In this type of network, you would likely be using ISA Server as a perimeter firewall. ISA Server would block all traffic from the outside world except to a few designated servers, over some specifically designated ports. For example, the ISA server might permit HTTP traffic over port 80 that is destined for your Web server, but would block all other inbound traffic to that server.
On the inside of the network perimeter, we’ll assume that you have downloaded all of the latest security patches for your servers and workstations. We will also assume that all of the Windows XP machines are running the Windows XP personal firewall.
At first, this sounds like a relatively secure environment, but it does have its weaknesses. First, let's look at the Windows XP workstations. Whether you use the personal firewall that comes with Windows XP or a third-party product, the personal firewall is software that runs on, and is only as trustworthy as, the operating system it is supposed to protect.
Although there are some fairly secure personal firewalls out there, a software-based firewall is usually easier to compromise than a hardware-based one because it lives inside the trust boundary of the host it defends. It depends on the operating system's services and runs at the same privilege level as any attacker or malicious program that gains administrative control of the machine, so anything that can modify the operating system can modify, bypass, or stop the firewall. If you can disrupt the communication between the operating system and the firewall, you have effectively disabled the firewall.
In fact, back when Windows XP was first released, I saw a demo in which someone at a Microsoft conference had come up with a way of remotely terminating any process that was running on a Windows XP box. Since personal firewall software runs as a process, it would be theoretically possible to remotely shut down a software-based personal firewall. Since that time there have been a lot of security fixes for Windows XP, but there’s always the chance that your own network may be missing the security fix that addresses this particular issue or that there may be other ways of remotely terminating a process.
Another problem with software-based firewalls is that they place an additional burden on the system’s CPU. By the time that a user’s PC is running Windows, an antivirus package, and a few applications, there are often few resources left for running anything else. Why place an additional burden on the workstations by adding personal firewall software when there’s a hardware-based alternative?
A third problem with software-based personal firewalls is management. If you have hundreds of PCs running personal firewall software, how do you really know that all of the PCs are using the correct settings and that no one has modified or disabled the firewall? If you need to globally change a personal firewall setting, how do you do so in an efficient manner?
3Com's embedded firewall solution addresses these problems by placing the firewall directly on the workstation's NIC. The most obvious benefit of firewall-embedded NICs is that they are tamper resistant. Each NIC has an onboard RISC microprocessor that handles all firewall security functions for the card, and the policy it enforces is loaded onto the card rather than read from the host. The host's operating system, its users, and any malicious code running on it therefore have no way to reconfigure or switch off the firewall, which makes the embedded firewall largely immune to Internet attacks, end-user actions, and malware on the protected machine.
The onboard microprocessor performs all of the tasks that you would usually associate with a firewall, such as blocking PINGs and preventing access by unauthorized protocols or access over unapproved ports. The card also protects against packet sniffing (a NIC-based firewall refuses to run in promiscuous mode, so a sniffer installed on the host sees only that host's own traffic) and IP spoofing (the card drops outbound packets whose source address does not belong to the host). Of course the individual security settings are up to you. Each card can be configured for moderate protection appropriate to machines on your private network, or hardened to offer the highest level of protection, which is what you want for Internet gateways and VPN end points. All of this protection is designed to be completely transparent to the end user.
While it's great that each NIC supports a range of security levels, you may be wondering how you set the security level or ensure that the security remains set to the appropriate level. Earlier in the article, I mentioned that there was a server product that could be used to centrally manage the embedded firewalls. Any time that a machine with an embedded firewall attaches to the network, it looks for this server. The server contains policies that tell the embedded firewalls what security level to use.
My favorite thing about the way this works is that if a PC comes online and can't find the policy server, the NIC can be configured to fall back automatically to the maximum security level until the policy server becomes available again. In other words, the firewall fails closed: nobody can disable all of your embedded firewall security simply by taking the policy server offline.
The security policy server contains the policy settings for each PC, but it isn’t designed to simply act as a static policy repository. Instead, the policy server is designed to allow you to place PCs into groups based on the PC's function. When it becomes necessary to update the security policy, you can simply apply the update to the appropriate group, and the update will be applied to every PC in the group. For example, if you needed to blacklist a specific IP address, you could do so at the policy server and the updated blacklist would be propagated to all of the computers with the firewall embedded NICs.
Since each embedded NIC can be configured for a variety of security levels, I wanted to break down a typical network and explain the appropriate method of implementing embedded NICs for a variety of machines.
Shared servers
A shared server is a server that acts as a file, print, or application server for internal employees, but also services external business partners. Shared servers represent a special security challenge since you are dealing with internally and externally accessible data. Shared servers can benefit from an embedded firewall NIC because traffic can be regulated by IP address. For example, you could block external access from everyone except the IP addresses of your business partners. Because such a rule keys on the source address, keep the partner address list current and pair it with the card's port and protocol restrictions rather than relying on it alone. If the shared server also happens to be a VPN end point, the embedded firewall NIC can help to protect that end point as well.
Internally accessed servers
Even if a server is only accessed internally, you can benefit from the added security of an embedded firewall NIC. The embedded firewall NIC can block all but the specifically required ports and protocols. This makes it much more difficult for one of your company's employees to run an attack tool against the server.
Sensitive information servers
A sensitive information server is similar to an internally accessed server except that it contains sensitive data that is usually accessed by only a small percentage of the company's employees. As with an internally accessed server, an embedded firewall NIC can help secure the server by blocking unauthorized ports and protocols. However, the embedded firewall NIC can take security a step further by allowing access only to specific PCs, identified by their MAC addresses. Bear in mind that a MAC address is trivial to forge from a machine whose NIC is under the user's control, so a MAC rule adds real assurance only when the client PCs carry embedded firewall NICs of their own that prevent such tampering; treat it as an extra restriction on top of IP, port, and protocol rules, not as authentication.
Public kiosks or guest stations
Public kiosks and guest PCs present a significant security challenge because the people who will be using them must be treated as completely untrusted. Usually these machines allow access to the Internet or to a corporate intranet, but to nothing else. In such an environment, an embedded firewall NIC can be extremely valuable because it can deny the PC access to any network resources except those that you specifically approve for untrusted users.
Furthermore, you can create a guests group on the policy server that controls access to these machines. You can then configure enhanced intrusion detection and logging for the guest machines. This will help you to be quickly alerted should someone attempt to hack your network by sitting down at a guest terminal.
Contractor desktop PCs
Contractor desktop PCs offer similar challenges to guest PCs and kiosks, except that contractors require access to specific network resources. Generally speaking, contractors are not company employees and are therefore untrusted. However, you must grant them access to sufficient resources for them to do the job that you are paying them to do.
Again, the embedded firewall NIC can be used to severely limit what the contractor desktop machine has access to, and can be configured to look for intrusion attempts coming from these desktops.
User workstations
User workstations would usually involve the least security of any of the devices that I have discussed. Unless you work in a highly sensitive environment or have a reason not to trust your employees, users' workstations would generally not be guarded as heavily as servers, guest machines, and contractor machines. This doesn't mean that you would want to leave these machines completely unprotected, though. You could use the embedded firewall NIC to implement a good hygiene policy for your users. A good hygiene policy means blocking common threats like IP spoofing and packet sniffing.
The embedded firewall policy server
I recommend configuring the policy server the same way that you would configure a sensitive information server. I also recommend placing the policy server in a location where it can be easily monitored. That way if one of your PCs or servers does detect an intrusion attempt, you can be notified immediately. You can then update the security policy to blacklist the IP address, port, or protocol. You may then propagate your security policy update across your entire network almost immediately.
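The group-based policy model described above (per-group rule sets, a blacklist that propagates to every group, and the fail-closed behaviour when the policy server cannot be found), together with the role-specific policies suggested for shared servers, sensitive information servers, guest stations, and user workstations, can be made concrete in a small simulation. The code below is an added example written for this article, not 3Com's software or a description of its actual rule syntax; the group names, rule fields, sample hosts, and the RFC 5737 addresses in the constructed test packets are all assumptions made for illustration.

```python
"""Toy model of a centrally managed embedded-firewall policy (hypothetical).

Models the decision a firewall-embedded NIC would make for one packet:
fail closed when the policy server is unreachable, apply hygiene checks
(anti-spoofing, blacklist) for every group, then the group's own rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Fields the card can see. Sample traffic below is constructed."""
    direction: str            # "in" = arriving at the host, "out" = leaving it
    proto: str                # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    src_mac: str = ""


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    ports: tuple = ()         # destination ports; empty = any port
    src_nets: tuple = ()      # CIDR strings; empty = any source address
    src_macs: tuple = ()      # lower-case MACs; empty = any MAC

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.ports and pkt.dst_port not in self.ports:
            return False
        if self.src_nets and not any(ip_address(pkt.src_ip) in ip_network(n)
                                     for n in self.src_nets):
            return False
        if self.src_macs and pkt.src_mac.lower() not in self.src_macs:
            return False
        return True


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    group: str                # which policy-server group the card belongs to


class PolicyServer:
    """One rule set per group plus a blacklist shared by all groups."""
    def __init__(self):
        self.groups = {}
        self.blacklist = set()

    def set_group(self, name: str, rules) -> None:
        self.groups[name] = list(rules)

    def blacklist_ip(self, ip: str) -> None:
        self.blacklist.add(ip)   # one change, picked up by every card


INTERNAL = ("10.0.0.0/8",)            # assumed private address space
PARTNERS = ("203.0.113.0/24",)        # assumed business-partner range


def evaluate(host: Host, pkt: Packet, server: Optional[PolicyServer]) -> str:
    """Return 'allow' or 'deny:<reason>'. server=None models an unreachable server."""
    if server is None:                               # fail closed: maximum security
        return "deny:lockdown"
    if pkt.direction == "out" and pkt.src_ip != host.ip:
        return "deny:spoofed-source"                 # anti-spoofing, every group
    peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    if peer in server.blacklist:
        return "deny:blacklisted"                    # propagated blacklist
    for rule in server.groups.get(host.group, ()):   # first matching rule wins
        if rule.matches(pkt):
            return rule.action
    return "deny:default"                            # nothing matched: drop


def build_server() -> PolicyServer:
    """Role-specific policies along the lines suggested in the article."""
    s = PolicyServer()
    s.set_group("shared_servers", [      # file sharing only from staff and partners
        Rule("allow", "in", "tcp", ports=(445,), src_nets=INTERNAL + PARTNERS),
        Rule("allow", "out")])
    s.set_group("sensitive_servers", [   # one port, internal net, approved MACs only
        Rule("allow", "in", "tcp", ports=(1433,), src_nets=INTERNAL,
             src_macs=("00:11:22:33:44:55",)),
        Rule("allow", "out")])
    s.set_group("guests", [              # Web browsing out, nothing else
        Rule("allow", "out", "tcp", ports=(80, 443))])
    s.set_group("workstations", [        # hygiene checks only, otherwise open
        Rule("allow")])
    return s


if __name__ == "__main__":
    srv = build_server()
    guest = Host("10.9.0.3", "aa:bb:cc:dd:ee:03", "guests")
    print(evaluate(guest, Packet("out", "tcp", "10.9.0.3", "10.1.1.5", 445), srv))
    print(evaluate(guest, Packet("out", "tcp", "10.9.0.3", "10.1.1.5", 445), None))
```

Because the hygiene checks and the blacklist sit ahead of the per-group rules, a blacklist entry added at the server is enforced on every card regardless of group, and a card that cannot reach the server answers "deny:lockdown" for everything, which is the fail-closed behaviour the article describes.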
Compatibility and pricing
As you read about the benefits of NICs with embedded firewalls, I'm sure that you can see how they may be used to enhance security. The problem is that these NICs can be expensive, and they take some time to install. Therefore, you probably won't be able to switch your entire network over to embedded NICs in one night or one weekend. Because of this, compatibility and coexistence become an issue. You'll be happy to know, however, that each 3Com embedded NIC is 100 percent 802.3 backward compatible. The embedded NICs will work with the existing routers, hubs, NICs, and other devices on your network with no problems.
Pricing for the embedded firewall NICs and related products seems to vary depending on where you purchase the products. A PC card with an embedded firewall costs just over $200 or about $3,800 for a 20 pack. The PCI version costs about $2,300 for a 10 pack, although prices on the Internet vary widely.
The 3Com embedded firewall policy server costs around $1000 and supports up to 1,000 clients. Keep in mind though that the server product includes software only. You will still require a computer with an embedded firewall NIC to host the server software. You can find out more about 3Com embedded firewall products by visiting 3Com’s Web site.