Where Personal/Desktop Firewalls Fit in a Network
Personal and desktop firewalls are frequently overlooked as security devices that should be implemented on a network. BlackHat 2004 had a keynote speaker introduce the concept of the de-perimeterization of the network. The problem he pointed out was that today's applications require so many ports to be opened in the network firewall to function properly that the network firewall almost does not need to exist in the first place. Although I disagree that the network firewall does not need to exist, the basic idea that we cannot rely on network firewalls alone to protect resources is a sound one. After all, a network firewall can only control traffic that passes through it. If an attacker can gain control of a system on the other side of the firewall, he potentially has unfiltered and unrestricted access to launch attacks from the compromised system to all other systems, rendering the network firewall useless as a defense mechanism.

Consequently, it is a good idea to incorporate firewall technologies on the servers themselves, giving you the ability to control traffic at the point closest to the data that you need to protect: the server network interface card (NIC). Because the firewall is running on the server itself, you can implement the most restrictive filtering rules possible, literally permitting only the traffic specifically required by the applications running on the server.

As illustrated in Chapter 4, "Personal and Desktop Firewalls," there are a number of ways to implement personal firewalls, ranging from built-in utilities such as Windows Firewall for Windows-based systems and IP filter for UNIX- and Linux-based systems to third-party firewall applications such as Trend Micro, ZoneAlarm, and Cisco Security Agent (CSA).

When determining the appropriate personal firewall to use, you must consider a few elements.

First, you need to determine whether you need to control both inbound and outbound traffic with the personal firewall. Many built-in firewalls enable you to control inbound traffic, which is typically the most important traffic to manage; however, the ability to control outbound traffic can be an important defense strategy to prevent the spread of worms. For example, if the personal firewall will not allow the worm to communicate on a port, it can effectively prevent the worm from spreading.

Second, you need to consider whether the personal firewall needs to include IDS/IPS functionality. Because the personal firewall exists closest to the application and data that needs to be protected, it makes for a great location to implement an IDS/IPS. One of the biggest weaknesses of network-based IDS/IPS is that the sheer volume of data that must be processed is too great for the IDS/IPS to effectively filter and report on. When implemented as a component of the personal firewall, however, the IDS/IPS can be configured around the very specific traffic that is necessary for the applications running on the server, making it much easier to filter traffic with the IDS/IPS (because only the traffic required by the applications running on the server should be allowed).

Finally, you need to consider what will be necessary to provide for centralized management and reporting on your personal/desktop firewalls. It is one thing to manage a handful of perimeter network firewalls. When you start talking about implementing and needing to manage, maintain, configure and report on thousands of firewalls in an environment, however, the issues around centralized management and reporting become significant problems. Consequently, it is extremely important to look in detail at the enterprise-level capabilities of these products. A good personal/desktop firewall for a home user is not necessarily going to be a good solution for 10,000 desktops in an enterprise.
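
The host-level allow-list described above, as an added example that is not part of the original text: a per-server policy is checked against sample connection attempts (default deny in both directions) and rendered as a ruleset. The policy, addresses and flows are constructed for illustration, and nftables is used here as a stand-in for whichever host firewall is deployed; the text itself names Windows Firewall and IP filter.

```python
import ipaddress

# Constructed policy for a hypothetical web server: only the flows its
# applications need, per direction, as (protocol, port, peer network).
POLICY = {
    "in":  [("tcp", 443, "10.0.0.0/8"),     # HTTPS from internal clients
            ("tcp", 22, "10.0.9.0/24")],    # SSH from the admin subnet only
    "out": [("tcp", 5432, "10.0.2.10/32"),  # database backend
            ("udp", 53, "10.0.0.53/32")],   # internal DNS resolver
}

# Constructed new-connection attempts: (direction, protocol, port, peer).
FLOWS = [
    ("in", "tcp", 443, "10.1.2.3"),     # client request
    ("in", "tcp", 445, "10.0.1.77"),    # compromised neighbour inside the perimeter
    ("in", "tcp", 22, "10.0.1.77"),     # SSH from outside the admin subnet
    ("out", "tcp", 5432, "10.0.2.10"),  # application to its database
    ("out", "tcp", 445, "10.0.1.78"),   # worm-style propagation attempt
]

def allowed(policy, direction, proto, port, peer):
    """Default deny: a new connection passes only if a rule matches it."""
    addr = ipaddress.ip_address(peer)
    return any(p == proto and dport == port and addr in ipaddress.ip_network(net)
               for p, dport, net in policy[direction])

def audit(policy, flows):
    """Return the verdict for each attempted flow, in order."""
    return ["accept" if allowed(policy, *f) else "drop" for f in flows]

def render_nft(policy):
    """Render the policy as an nftables ruleset with drop policies both ways."""
    lines = ["table inet hostfw {"]
    for direction, hook, field, ifkey in (("in", "input", "saddr", "iif"),
                                          ("out", "output", "daddr", "oif")):
        lines += [f"  chain {hook} {{",
                  f"    type filter hook {hook} priority 0; policy drop;",
                  "    ct state established,related accept",  # replies to allowed flows
                  f'    {ifkey} "lo" accept']                  # loopback traffic
        lines += [f"    ip {field} {net} {proto} dport {port} accept"
                  for proto, port, net in policy[direction]]
        lines.append("  }")
    return "\n".join(lines + ["}"])

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, audit(POLICY, FLOWS)):
        print(verdict, flow)
    print(render_nft(POLICY))
```

Keeping the policy as data per server role and rendering it for each host is one way to approach the centralized management concern raised in the last paragraph.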