Feature: Firewalls reach out
Last December, a bank in Southern California received a call from an online customer asking why one of the bank's computers was trying to hack into his system. It turned out that the machine doing the hacking belonged to the bank's president and had been remotely commandeered by an employee. The president called Conqwest Inc., a Holliston, Mass.-based IT security services firm, which is now rolling out firewall software across the bank's 125 internal desktop, laptop and remote computers.
Until recently, companies thought antivirus and virtual private network (VPN) technologies would keep remote worker connections safe. But as more workers have been accessing the Internet through broadband services such as cable modems, exposure to hacking attacks through those machines has increased. In October, for example, a hacker broke into a Microsoft Corp. employee's home computer and exploited the VPN connection to penetrate the company's internal network.
At the time of the Microsoft hack, only 15 percent of 300 security professionals surveyed used any type of firewall to protect remote workers' machines, even though 38 percent of the reported attacks originated from those machines, according to a report released by Cupertino, Calif.-based security software vendor Symantec Corp.
Some managers are tackling this threat by requiring firewalls on all desktops and laptop computers, both inside and outside the corporate LAN.
"You can have a bodyguard at the front door with a bunch of people beating up on [him], and eventually, [he] will get overwhelmed. Or you can teach everyone karate so they can protect themselves," says Bill Hancock, chief security officer at Exodus Communications Inc., a Santa Clara, Calif.-based Internet service provider.
But these firewall products are still evolving, and IT managers face a multitude of features in personal firewall software programs and hardware devices. For example, some new products allow for centralized monitoring and policy enforcement for remote desktop firewalls, while others may be less sophisticated but easier to use. Still others offer different configuration options depending on an employee's role or whether the remote computer is being used for personal or business use.
Protecting Both Ends
Exodus has deployed CyberwallPlus-SV firewall software from Waltham, Mass.-based Network-1 Security Solutions Inc. on 25 key servers. The company has also installed ZoneAlarm Pro firewall software from San Francisco-based Zone Labs Inc. on 1,000 internal PCs. Exodus plans to install ZoneAlarm Pro on 3,000 computers used by internal, mobile and home workers.
CyberwallPlus-SV is an industrial-strength firewall capable of protecting clustered multiprocessing machines, something Hancock says his personal firewall can't do. Cyberwall installs at the kernel level, hardening the host's operating system against common attacks and, more important, veiling the machine's identity. If hackers can't tell what the machine is, they can't get at it using common exploits associated with those machines, like sendmail if it's a mail server, or Internet Explorer if it's a Web server, Hancock explains. And CyberwallPlus-SV stands up better to Java and ActiveX mobile code-based attacks than personal firewalls, he adds.
But for individual desktops and remotely connected machines, Hancock says he wanted a less-expensive filtering firewall device that he could centrally manage. CyberwallPlus-SV had no such offering at the time, so he chose ZoneAlarm Pro, which has less-robust features but is cheaper and easier to manage.
"If you run ZoneAlarm Pro in a mission-critical environment, it will not hold up under certain applets and hacking tools. The same thing applies to BlackIce and other personal firewalls," he says.
Hancock adds that while ZoneAlarm was easy enough to install, it snagged on legacy applications and blocked some executable programs from leaving the internal network. "Zone doesn't work well with unusual applications," he says.
But after some initial network interruptions, the firewall has proved strong enough to stand up to common exploits launched at individual computers, like port scans that go after vulnerable services, and Trojan horses such as Back Orifice, he adds.
Hancock says he likes ZoneAlarm's central management server, which assimilates reports and alerts from desktop and remote workers' machines, making it easier to separate systematic attacks from simple port probes and false alarms. He also praises its ability to tailor security settings based on a user's role in the company. "The security needed by a businessperson is different than that of our network architects. ZoneAlarm is very nice about these distinctions," Hancock says.
A Matter of Discrimination
The ability to discriminate between types of sessions is especially important when dealing with home users' personal machines, say analysts. "The employee-owned computer is a big issue for most of our clients today. It's pretty hard to say, 'You have to put this personal firewall on your home PC,' and your kid starts screaming that he can't download Napster or AOL," says John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn. "So you need some type of tie-in with the VPN client that says the company's firewall policy only kicks in when connecting for company purposes."
Most personal firewalls offer some of these distinctions, says Hancock, who uses such a feature on ZoneAlarm. Pescatore praises the CyberArmor personal firewall suite by Los Altos, Calif.-based InfoExpress Inc. for its ability to discriminate between home use, inbound connectivity to the corporate LAN and outbound connectivity from inside the LAN to the Internet.
That ability is one reason Bell Canada International Inc. in Montreal is rolling out InfoExpress on 3,000 portable computers and plans 22,000 installations on internal machines by the end of the year.
"We need a tool that can accommodate the user need while protecting the corporate asset, and it has to be able to accomplish this with minimum interruption to the user," says William G. O'Brien, associate director of systems security technology at Bell Canada. "The InfoExpress firewall allows us to set different parameters, dependent on what mode the user is in. For example, as soon as the user activates their VPN client, the software changes from the standard Internet filter set to a predetermined VPN filter set. When the VPN is turned off, the firewall automatically reverts to Internet mode."
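The mode switch O'Brien describes, a host firewall that swaps its whole filter set when the VPN client connects and swaps back when it disconnects, can be modelled as a small policy engine. The following is an added illustration written for this article, not InfoExpress code; the two rule sets, the corporate address range (10.0.0.0/8), the VPN gateway address and the sample connections are all constructed for the example. The VPN-mode rule set deliberately permits only the tunnel setup traffic to the gateway and traffic to corporate addresses, so a direct Internet connection that is fine in Internet mode is refused once the tunnel is up (no split tunnelling), while unsolicited inbound connections are refused in both modes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the host firewall."""
    direction: str   # "in" (remote host initiated) or "out" (this host initiated)
    proto: str       # "tcp" or "udp"
    remote_ip: str   # address of the other end
    port: int        # destination port for "out", local listening port for "in"


@dataclass(frozen=True)
class Rule:
    """First-match filter rule; None fields are wildcards."""
    action: str                        # "allow" or "deny"
    direction: str                     # "in", "out" or "any"
    proto: str                         # "tcp", "udp" or "any"
    remote: Optional[str] = None       # CIDR the remote address must fall in
    ports: Optional[FrozenSet[int]] = None

    def matches(self, flow: Flow) -> bool:
        if self.direction != "any" and self.direction != flow.direction:
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.remote is not None and ip_address(flow.remote_ip) not in ip_network(self.remote):
            return False
        if self.ports is not None and flow.port not in self.ports:
            return False
        return True


# Constructed values for the example (not from the article).
CORP_NET = "10.0.0.0/8"            # addresses reachable only through the tunnel
VPN_GATEWAY = "203.0.113.10/32"    # the corporate VPN concentrator

# "Standard Internet filter set": ordinary web browsing out, nothing in.
INTERNET_MODE: List[Rule] = [
    Rule("allow", "out", "tcp", ports=frozenset({80, 443})),
    Rule("allow", "out", "udp", ports=frozenset({53})),
    Rule("deny", "any", "any"),
]

# "Predetermined VPN filter set": tunnel setup to the gateway (IKE / NAT-T),
# then only traffic to and from corporate addresses; everything else denied,
# which also blocks split tunnelling to the open Internet while connected.
VPN_MODE: List[Rule] = [
    Rule("allow", "out", "udp", remote=VPN_GATEWAY, ports=frozenset({500, 4500})),
    Rule("allow", "any", "any", remote=CORP_NET),
    Rule("deny", "any", "any"),
]


class HostFirewall:
    """Selects the active filter set from the VPN client's state."""

    def __init__(self) -> None:
        self.vpn_active = False

    @property
    def mode(self) -> str:
        return "vpn" if self.vpn_active else "internet"

    def on_vpn_event(self, connected: bool) -> None:
        # The VPN client reports connect/disconnect; the policy follows it.
        self.vpn_active = connected

    def active_rules(self) -> List[Rule]:
        return VPN_MODE if self.vpn_active else INTERNET_MODE

    def evaluate(self, flow: Flow) -> str:
        for rule in self.active_rules():
            if rule.matches(flow):
                return rule.action
        return "deny"  # default-deny if no rule matched


# Constructed sample connections (documentation address ranges).
INBOUND_PROBE = Flow("in", "tcp", "198.51.100.7", 139)      # unsolicited SMB probe
WEB_BROWSING = Flow("out", "tcp", "192.0.2.44", 443)         # direct Internet HTTPS
IKE_TO_GATEWAY = Flow("out", "udp", "203.0.113.10", 500)     # tunnel setup
FILE_SERVER = Flow("out", "tcp", "10.1.2.3", 445)            # corporate file share


if __name__ == "__main__":
    fw = HostFirewall()
    for connected in (False, True, False):
        fw.on_vpn_event(connected)
        print(f"mode={fw.mode}")
        for f in (INBOUND_PROBE, WEB_BROWSING, IKE_TO_GATEWAY, FILE_SERVER):
            print(f"  {f.direction:3} {f.proto} {f.remote_ip}:{f.port} -> {fw.evaluate(f)}")
```

Running the script walks the firewall through disconnect, connect and disconnect again and prints the verdict for each sample flow in each mode; the inbound probe is denied throughout, while the web connection and the file-share connection trade places as the mode changes.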
The personal firewalls and central management server were easy to install, O'Brien says, but he warns that one mistake configuring the central management server operating system (such as outdated patches, default passwords, or vulnerable services like FTP) can render the firewall manager ineffective. And the server needs to be fast enough to accommodate an early-morning log-in rush, he says.
O'Brien says he looked at nine firewalls before settling on CyberArmor because of its easy end-user interface and the fact that the central manager leaves nothing up to the end user. As a user logs in to the network, CyberArmor quickly scans that machine's security settings and can also push out changes to security settings dictated by the administrator. "The user never even knows anything is going on," O'Brien says.
Some companies are going a step further by requiring a second, stationary filtering hardware device at home and remote offices. And while hardware firewalls from vendors like Seattle-based WatchGuard Technologies Inc. and Santa Clara, Calif.-based NetScreen Technologies Inc. aren't portable, some managers say they want extra protection for home PCs.
Internet security firm Conqwest combines San Mateo, Calif.-based Network Ice Inc.'s BlackIce Defender firewall software for its 25 local employee laptops and three remote sites with NetScreen-5, a stationary firewall/VPN appliance from NetScreen Technologies.
Conqwest CEO Michelle Drolet says she needed to provide "rock-solid" security for home users while giving them mobile desktops for the road. BlackIce has the strongest intrusion detection available at the desktop level, Drolet claims. But, like Hancock, she says she doesn't think it can filter inbound packets to her level of comfort.
"We need to absolutely guarantee that nobody can get into our machines and exploit the encrypted tunnel back to our office," Drolet says. She adds that she likes Network Ice's centralized reporting of alarms, because the configuration window has helped administrators sort incoming alarms from false alarms.
What Form Will Firewalls Take?
While analysts predict that the market will ultimately consolidate into a single desktop security product or suite that includes intrusion-detection tools, a firewall, a VPN and antivirus protection, there's no consensus on just how this will be accomplished. Already, almost every personal firewall offers VPN capabilities. Vendors are merging and partnering to bundle mixed products into one integrated product. And some companies, like InfoExpress and Symantec, are taking the suite approach.
But then there's the debate over where these host-based firewalls will wind up - as hardware, software or something more like a network adapter, according to analysts. That's why many IT managers say they'll just wait a while before deploying host-based firewalls, in spite of the risks.
"We have a project under way right now to speed up access for our home-based workers. To do so, we know they're going to need firewalls on their computers," says Pat Hymes, manager of the distributed computing team for the information security division at First Union Corp., a financial institution in Charlotte, N.C. "We've piloted some programs, but we're not ready to jump in. The technology's too new."
For more enterprise computing news, visit Computerworld online. Story copyright © 2000 Computerworld, Inc. All rights reserved.