Firewalls can help or hurt, so plan carefully

In a previous article, we talked about the importance of patch management in an enterprise network and the various options you have to deploy those patches in companies of various sizes. This week we'll look at another element of information security that has gotten a lot of attention of late: the firewall.

Deploying a firewall for your corporate network used to be a fairly simple matter: Just put a big, expensive firewall between your internal network and the rest of the world, and you were good to go. But laptops, handheld devices and wireless networking have changed all that. Now many network attacks actually originate inside the corporate network. If a visiting salesman or someone checking in from a remote office plugs a virus-infected PC into your internal network, that access lets him bypass the firewall at the border entirely, and the virus is free to spread from host to host inside. This is the weakness of so-called perimeter firewalls: Most of them aren't capable of protecting your network from itself; that is, of defending against an enemy who simply walked in through the front door.

Does this mean that perimeter firewalls have no value, then, and shouldn't be deployed on your network? Far from it. Just like with patch management, it's important to have a philosophy of defense in depth when protecting your internal systems: The perimeter firewall is an important piece of the puzzle, but it is only a single piece.

Another important piece of that puzzle is the host-based firewall. Unlike a perimeter firewall, which is usually a single large, monolithic device protecting your entire network, host-based firewalls reside on individual devices like desktop workstations or servers and are concerned with protecting only that particular computer. Host-based firewalls are also typically software rather than a dedicated hardware device: a firewall program that runs in the background while the computer user goes about her usual business.

So how does a host-based firewall protect your individual computer? Let's say you open your Web browser and go to the TechTarget Web site. What's happening under the covers at this point is that your local computer is connecting to the TechTarget Web server and making a request for a resource, in this case the TechTarget homepage. TechTarget's Web server then responds to that request by providing a copy of the HTML page. A host-based firewall comes into play by keeping a record of every connection your local computer has initiated (at minimum the protocol, the remote address and the local and remote ports) and consulting that record to decide whether traffic arriving from a remote computer should be let in.

Now, since you requested the TechTarget homepage, a response from the TechTarget Web server is one that the firewall was expecting, so it allows the traffic to pass through. But if a hacker tries to initiate his own connection to your computer to install a piece of spyware or other malicious software, your firewall will realize that the incoming traffic doesn't match any connection you initiated. As a result, the incoming traffic will be blocked, preventing hackers from connecting to your computer and installing their malicious wares. The one exception is a port you have deliberately opened (for Remote Desktop, say): traffic to that port is admitted whether or not you asked for it, so open as few as possible and restrict each one to the source addresses that genuinely need it.

(As an aside, from my description you may have detected what a host-based firewall will not protect you against. Host-based firewalls of this generation, by and large, monitor incoming traffic and defend against it; they don't control what types of outbound connections someone can make. The Windows XP Service Pack 2 firewall discussed below is a case in point: it filters inbound connections only, so a worm that has already infected a machine can still reach out from it unhindered. So if you're looking to restrict your desktop workstations from being able to launch AOL Instant Messenger, as an example, you should look at a different type of product such as a proxy server.)
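To make the decision process concrete, here is a small Python model of the stateful filtering just described. It is an added example, not code from the article or from any product the article names, and it simplifies real implementations (no TCP flag tracking, no per-exception scope). The firewall records each connection the local host opens, admits inbound packets only when they match a recorded connection or an administrator-opened port, and never blocks outbound traffic, which is exactly the limitation noted in the aside above. All addresses, ports and timings are constructed sample data.

```python
"""Toy model of a stateful host-based firewall.

Added example, not code from the article or from any product it names. The
firewall remembers every connection the local host opens, keyed by
(protocol, local port, remote address, remote port), and admits inbound
traffic only when it matches a remembered connection or an explicit
exception an administrator opened. Outbound traffic is recorded but never
blocked, mirroring the inbound-only behaviour described in the article.
All addresses, ports and timings are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ConnKey = Tuple[str, int, str, int]  # (proto, local_port, remote_ip, remote_port)


@dataclass(frozen=True)
class Packet:
    proto: str  # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HostFirewall:
    def __init__(self, local_ip: str, exceptions: Iterable[Tuple[str, int]] = (),
                 idle_timeout: float = 60.0) -> None:
        self.local_ip = local_ip
        self.exceptions = set(exceptions)      # (proto, local port) an admin opened, e.g. ("TCP", 3389)
        self.idle_timeout = idle_timeout       # seconds of silence before a connection is forgotten
        self.table: Dict[ConnKey, float] = {}  # remembered connections -> time of last activity

    def _expire(self, now: float) -> None:
        for key in [k for k, last in self.table.items() if now - last > self.idle_timeout]:
            del self.table[key]

    def outbound(self, pkt: Packet, now: float) -> str:
        """A packet the local host sends: always allowed, but recorded so replies can come back."""
        if pkt.src_ip != self.local_ip:
            raise ValueError("outbound packet must originate from the local host")
        self.table[(pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
        return "ALLOW"

    def inbound(self, pkt: Packet, now: float) -> str:
        """A packet arriving at the local host: allowed only if expected or explicitly excepted."""
        if pkt.dst_ip != self.local_ip:
            raise ValueError("inbound packet must be addressed to the local host")
        self._expire(now)
        key: ConnKey = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            self.table[key] = now  # the conversation is alive; refresh its timer
            return "ALLOW"
        if (pkt.proto, pkt.dst_port) in self.exceptions:
            return "ALLOW"  # deliberately opened port; reachable from any source in this toy model
        return "DROP"


def run_scenario() -> List[str]:
    """Replay a constructed packet sequence and return the firewall's verdict for each packet."""
    me, web, attacker = "192.0.2.10", "203.0.113.5", "198.51.100.7"
    fw = HostFirewall(me, exceptions=[("TCP", 3389)])
    sequence = [
        # 1. We fetch a Web page: outbound, recorded and allowed.
        ("out", Packet("TCP", me, 49152, web, 80), 0.0),
        # 2. The Web server's reply matches the recorded connection: allowed.
        ("in", Packet("TCP", web, 80, me, 49152), 0.2),
        # 3. Same server, but aimed at a local port we never used: no state, dropped.
        ("in", Packet("TCP", web, 80, me, 49153), 0.3),
        # 4. A stranger probes a service port we never talked to: dropped.
        ("in", Packet("TCP", attacker, 4444, me, 135), 1.0),
        # 5. The same stranger hits the port an administrator opened: allowed.
        ("in", Packet("TCP", attacker, 4444, me, 3389), 1.1),
        # 6. An infected local process phones home: outbound is not filtered at all.
        ("out", Packet("TCP", me, 49200, attacker, 6667), 2.0),
        # 7. A stale "reply" long after the idle timeout: state expired, dropped.
        ("in", Packet("TCP", web, 80, me, 49152), 100.0),
    ]
    return [fw.outbound(p, t) if d == "out" else fw.inbound(p, t) for d, p, t in sequence]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Steps 5 and 6 are the two results worth dwelling on: an open port is reachable by the attacker just as it is by the help desk, and the infected host's outbound connection sails through, which is why an open port needs a source-address scope and why outbound control has to come from something other than this kind of firewall.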

You have a number of options when selecting a host-based firewall for your enterprise computers. Some important factors to consider are configurability and scalability -- ideally you want to be able to configure and manage all of your clients' firewall configurations from a central location.

One of the most appealing host-based firewall options is built right into the Windows operating system. Windows XP Service Pack 2 includes the Windows Firewall, which provides built-in host-based inbound filtering and is turned on by default. Using Active Directory and Group Policy Objects, you can define which inbound traffic is allowed to reach every client in your domain, or create granular rules that apply only to particular subsets of your client base. The relevant settings live under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, in separate Domain Profile and Standard Profile branches: the Domain Profile applies when the computer is on a network where its domain controllers are reachable, the Standard Profile everywhere else, so a laptop can run a stricter policy on the road than it does on your LAN. If deploying XP Service Pack 2 is not an option for your organization, you can look at third-party vendors such as Symantec Corp., Sunbelt Software Inc. or ZoneLabs LLC for managed firewall solutions.
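The port exceptions you push through that policy are stored as plain strings, and a typo in one of them silently opens (or fails to open) a port on every client. The following Python script, an added example that is not from the article or from Microsoft, builds, parses and audits such entries. It assumes the entry layout used by the XP SP2 "Windows Firewall: Define port exceptions" setting, which the client stores under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<DomainProfile|StandardProfile>\GloballyOpenPorts\List as port:protocol:scope:status:name, and the XP SP2 netsh firewall command syntax for the one-off equivalent; verify both against a policy exported from your own domain. The sample policy entries are constructed.

```python
"""Build, parse and audit Windows Firewall port-exception entries.

Added example, not from the article or from Microsoft. It assumes the entry
layout that the XP SP2 "Windows Firewall: Define port exceptions" Group Policy
setting stores under
HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\<DomainProfile|StandardProfile>\\GloballyOpenPorts\\List:

    <port>:<TCP|UDP>:<scope>:<enabled|disabled>:<name>

where scope is "*" (any source address), "LocalSubnet", or a comma-separated
list of IPv4 addresses and CIDR prefixes. Check the format against a policy
exported from your own domain before relying on it. All entries below are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortException:
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


def _normalise_scope(scope: str) -> str:
    """Accept '*', 'LocalSubnet', or a list of addresses/prefixes; reject anything else."""
    if scope in ("*", "LocalSubnet"):
        return scope
    items = [item.strip() for item in scope.split(",")]
    for item in items:
        ipaddress.ip_network(item, strict=False)  # raises ValueError on malformed input
    return ",".join(items)


def parse_entry(entry: str) -> PortException:
    """Parse one List value; the name field is last so it may itself contain colons."""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected five colon-separated fields: {entry!r}")
    port_s, proto, scope, status, name = parts
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    proto = proto.upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {proto!r}")
    status = status.lower()
    if status not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled: {status!r}")
    return PortException(port, proto, _normalise_scope(scope), status == "enabled", name)


def format_entry(exc: PortException) -> str:
    """Inverse of parse_entry: the string to store in the GloballyOpenPorts\\List value."""
    status = "enabled" if exc.enabled else "disabled"
    return f"{exc.port}:{exc.proto}:{exc.scope}:{status}:{exc.name}"


def netsh_command(exc: PortException) -> str:
    """The matching one-off 'netsh firewall' command for a machine that is not under Group Policy."""
    mode = "ENABLE" if exc.enabled else "DISABLE"
    cmd = (f'netsh firewall add portopening protocol={exc.proto} port={exc.port} '
           f'name="{exc.name}" mode={mode}')
    if exc.scope == "*":
        return cmd + " scope=ALL"
    if exc.scope == "LocalSubnet":
        return cmd + " scope=SUBNET"
    return cmd + f" scope=CUSTOM addresses={exc.scope}"


def audit(entries: List[str]) -> List[str]:
    """Flag enabled exceptions reachable from any address: each is a hole the perimeter no longer covers."""
    findings = []
    for raw in entries:
        exc = parse_entry(raw)
        if exc.enabled and exc.scope == "*":
            findings.append(f"{exc.proto}/{exc.port} ({exc.name}) is open to every source address; add a scope")
    return findings


# Constructed sample policy: what a domain's GloballyOpenPorts\List might hold.
SAMPLE_POLICY = [
    "3389:TCP:10.0.0.0/8:enabled:Remote Desktop (help desk subnets only)",
    "445:TCP:*:enabled:File and Printer Sharing",
    "1433:TCP:LocalSubnet:disabled:SQL Server (pending approval)",
]


if __name__ == "__main__":
    for raw in SAMPLE_POLICY:
        print(netsh_command(parse_entry(raw)))
    for finding in audit(SAMPLE_POLICY):
        print("WARNING:", finding)
```

Run against the sample policy, the audit flags only the file-sharing entry: Remote Desktop is scoped to the help desk ranges and the SQL entry is disabled. Feeding the real List values exported from your domain (for example with reg export) into audit() is a quick way to spot exceptions that were opened "temporarily" with a scope of * and never tightened.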


10 tips in 10 minutes: Windows IT management

  Introduction
  Tip 1: The long-range plan for 64-bit hardware
  Tip 2: A Window into interoperability
  Tip 3: Third-party software: Do you need it?
  Tip 4: Buy 64-bit now; you won't regret it
  Tip 5: Maintaining a secure Active Directory network
  Tip 6: Firewalls can help or hurt, so plan carefully
  Tip 7: Weak passwords can make your company vulnerable
  Tip 8: Keys to finalizing your Active Directory migration
  Tip 9: Network safety relies on reaction time to Patch Tuesday
  Tip 10: Make friends with your security auditors


Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valued Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at [email protected].