
Personal firewalls

Feb 23, 2004 | 3 min read
Network Security, Security, Wi-Fi

Q: Is there a value to integrating personal firewalls into my wireless LAN? – Eric, New York

A: Before addressing the integration of a firewall into a WLAN, let’s consider what a firewall accomplishes. A true firewall builds upon Layer 3 network security to incorporate higher layers of protection, all the way up to Layer 7. It analyzes application messages to determine what traffic to accept or deny, and integrates with intrusion prevention and anti-virus features to prevent a single location from compromising an entire network. This is vital to thwarting common application layer attacks on Internet applications like e-mail, Web and DNS.

When addressing personal firewalls in a WLAN environment, there are two main issues to consider: One, what is the functionality being provided by the “firewall”? Two, what is it protecting you against?

When a WLAN vendor offers a “firewall” in its products, you need to check what is actually provided. Is true Layer 3-7 packet analysis taking place, or is the device just performing stateful packet inspection at the network/transport layer? If the latter, it is not a firewall – it’s more like Access Control Lists (ACL) on steroids.

A stateful packet inspector examines all connections originating within the wireless network and creates a list of these flows. Any packet originating from an outside network (for example, the wireline network) must belong to a connection that originated within the trusted network for it to pass through the WLAN device. By inspecting all TCP/UDP port numbers and flows, a WLAN system can protect against some basic (and uncommon) forms of attack, such as TCP SYN attacks (which hackers generally launch against Web sites like Yahoo!). However, it does not address the bulk of threats that a tried-and-true firewall protects against, such as Trojan horses, viruses, spyware, etc. As these common application-layer attacks are much more of a risk to enterprises, we would be leery about deploying a WLAN system that touts “firewall” functionality that doesn’t protect against the security concerns addressed by a true firewall.
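To make the distinction concrete, here is an added illustration (not from the column or any vendor's product) of the flow-table logic a stateful packet inspector applies. The packet fields, addresses and the "wlan"/"wired" side labels are constructed for the example. It shows that a reply on a flow the wireless client opened is admitted, an unsolicited inbound connection is refused, and, the point of the paragraph above, that a reply on an admitted flow passes whatever payload it carries, because nothing above the transport layer is ever examined.

```python
from dataclasses import dataclass

TRUSTED = "wlan"    # the side the WLAN device treats as trusted (wireless clients)
UNTRUSTED = "wired"  # the wireline side, as seen from the WLAN device


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: only the fields a stateful inspector looks at."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    from_side: str    # TRUSTED or UNTRUSTED: which network the packet arrives from
    payload: bytes = b""   # carried along but never inspected by this device


def flow_key(pkt: Packet) -> tuple:
    """Canonical flow identity: (proto, trusted endpoint, untrusted endpoint).

    Both directions of one connection map to the same key, so a reply from the
    untrusted side can be matched against the flow the trusted side opened.
    """
    if pkt.from_side == TRUSTED:
        return (pkt.proto, (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
    return (pkt.proto, (pkt.dst_ip, pkt.dst_port), (pkt.src_ip, pkt.src_port))


class StatefulInspector:
    """Tracks flows opened from the trusted side and admits only their return traffic.

    A real device would age entries out (TCP FIN/RST, idle timeouts); this toy
    keeps them forever to keep the logic visible.
    """

    def __init__(self) -> None:
        self.flows: set = set()

    def filter(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if pkt.from_side == TRUSTED:
            # Anything originating inside the wireless network is trusted and
            # creates (or refreshes) a flow entry.
            self.flows.add(key)
            return "allow"
        # From the wired side: allowed only if it belongs to a known flow.
        # Note: no look at pkt.payload, so application-layer content is invisible.
        return "allow" if key in self.flows else "deny"


def run_demo() -> list:
    """Constructed traffic sequence; returns the inspector's decision per packet."""
    client, web, intruder = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    insp = StatefulInspector()
    packets = [
        # 1. wireless client opens an HTTP connection outward
        Packet(client, 40000, web, 80, "tcp", TRUSTED, b"GET / HTTP/1.0\r\n\r\n"),
        # 2. the Web server's reply on that flow
        Packet(web, 80, client, 40000, "tcp", UNTRUSTED, b"HTTP/1.0 200 OK\r\n"),
        # 3. an unsolicited inbound connection attempt to the client's SMB port
        Packet(intruder, 5555, client, 445, "tcp", UNTRUSTED),
        # 4. another reply on the admitted flow, this time carrying an executable
        #    (constructed 'MZ' header): still allowed, nothing inspects the body
        Packet(web, 80, client, 40000, "tcp", UNTRUSTED, b"MZ\x90\x00..."),
    ]
    return [insp.filter(p) for p in packets]


if __name__ == "__main__":
    for i, decision in enumerate(run_demo(), 1):
        print(f"packet {i}: {decision}")
```

Packet 3 is the only one refused; packet 4 sails through on the strength of packet 1. Blocking it would require the Layer 7 analysis (content inspection, anti-virus integration) the column describes as the mark of a true firewall.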

If you are concerned about protecting critical corporate resources from SYN attacks, you should consider placing a stateful firewall between your servers and your entire network, since a wired connection is also a good point for a malicious user to launch an attack against a server.

Also, WLAN devices with stateful packet inspection only protect the wireless network from the wired network. Since most enterprises consider their wireline network a “trusted” network, it’s questionable what value these stateful packet inspectors are providing. If your wireline LAN is not trusted, then you have bigger security problems beyond your wireless network. In this instance, your time is best spent exploring authentication and encryption schemes to protect your LAN.

You should also consider a client software application that will protect your wireless users, even when connected to a foreign wireless network, such as airport hot spots or coffee-shop networks.