There was a certain simplicity to old-style warfare. The opposing troops would line up facing each other in their colored uniforms and fire on command. Battles could only take place on certain designated days. There was no question about who was the enemy, where the front line was or when you were under attack.
Protecting a data center once had that same simplicity. You just locked the door.
But now IT security resembles modern guerilla warfare. You never know when you will be attacked or from what quarter. Apparently friendly messages contain viruses and worms.
But the worst part is that there is no front line. Your defensive perimeter no longer stops at your gateway server. It extends out to employees’ home computers, their laptops, PDAs and smartphones, any of which can be attacked in their own right or can carry a dangerous payload into headquarters through a VPN.
It’s not enough, therefore, to have a perimeter firewall. One must reside on every remote computing device as well.
“Right now we are seeing companies using PDAs as play things rather than depending on them for enterprise use,” says Gartner, Inc. vice president John Pescatore. “We tell clients that if anyone has a PDA with a wireless card, they need to be running a firewall on it.”
Controlling the Chaos
As anyone who has run desktop support knows, installing a piece of software on a device isn’t enough. To begin with, people can get very curious, especially about things they don’t understand. Users often go poking around among their workstation settings or download a piece of software from the Internet and then call in to find out why their computer doesn’t work as well as it used to.
So, companies have learned to lock down workstations and hide any controls from the users. Then, once that is done, there is still the little matter of automating the distribution of that unending stream of software patches to keep the system secure. Just as you wouldn’t try to manage more than a few workstations by sneakernet, neither do you want to try to individually manage a bunch of personal firewalls.
“The first wave of rolling out personal firewalls was done without central management,” says Pescatore. “They were just giving them out to users but they found that they were turning them off or misconfiguring them.”
One of the problems was that people expect to use these devices for personal as well as business activities when they are out on the road. When they found that the firewall was blocking their favorite game, well, you can guess which one they decided to do without.
But a new class of centrally managed personal firewalls has emerged that addresses these issues. They hide the firewall from the user so he can’t shut it off or make any changes to any preset policies. While the firewall you use on your home computer probably has a little screen that pops up asking permission whenever a new application tries to access the Internet or when an external site is banging away on one of your ports, you don’t want end users to decide who can come into a device which can access the corporate network.
“Users will just say ‘yes’ to everything,” says Pescatore. “You have to centrally manage them so they are invisible to the users.”
Don’t Kill Yourself
Several personal firewall vendors including Network Associates, Inc. (Santa Clara, Calif.), Sygate Technologies, Inc. (Cupertino, Calif.), Symantec Corp. (Cupertino, Calif.) and Zone Labs, Inc. (San Francisco) now offer enterprise versions of their products.
While the exact features of these tools may vary from one vendor to another, generally speaking these consist of client firewalls and server software. Administrators use the server software to remotely install, update and configure the firewalls. When remote devices then try to log into the network they are first sent to the central firewall server which verifies that the client device is running updated antivirus software and has its firewall properly configured. If not, it corrects any errors it discovers before sending the device to the authentication server.
When selecting such a product, Pescatore advises that companies choose one that allows different sets of policies depending on how the device is connecting to the network.
“People use laptops in many ways — in a docking station at the office, cable modem at home, wireless hot spots at airports and dial up whenever nothing else is available,” he explains. “Firewalls need different policies for different types of connections.”
Le Mars, Iowa-based Wells’ Dairy, Inc., a privately held $700 million dairy processor which sells ice cream nationwide under the Blue Bunny brand, uses Cisco enterprise firewalls and Sygate personal firewalls on its 400 laptops.
“We can have multiple policies per user per machine per location,” says network architect Jim Kirby. “These fluidly change as the machine moves from location to location.”
He uses the port firewall and basic intrusion detection system on the laptops. When the computers are outside the network, the firewall blocks all incoming traffic except for the VPN. It also only allows outbound traffic that the user initiates, so spyware and Trojan horses can’t report home. There are no screen icons to let the users know that the software is running or what it is doing. If they went into the task manager they would see it listed as one of the processes running, but would still have no way to shut it off.
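The two mechanisms the article describes, a per-location policy on the laptop (VPN-only inbound and user-driven outbound when off the corporate network) and the central server's check of firewall and antivirus state before a device reaches the authentication server, sketched as an added example; this is not Sygate's or Wells' Dairy's code, and the location names, VPN ports, policy label and the `interactive` flag are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str            # "in" or "out"
    proto: str                # "tcp" or "udp"
    port: int
    interactive: bool = False # assumed flag: outbound flow started by the user's own session

# Connection type -> policy class. Only the docked office LAN is trusted;
# an unrecognised location is treated as off-network so the policy fails closed.
LOCATION_CLASS = {"office_dock": "office", "home_cable": "off_network",
                  "wifi_hotspot": "off_network", "dialup": "off_network"}
VPN_PORTS = {("udp", 500), ("udp", 4500)}  # assumed IPsec VPN profile (IKE, NAT-T)

def decide(location: str, flow: Flow) -> bool:
    """Off-network: inbound only for the VPN, outbound only if user-driven."""
    if LOCATION_CLASS.get(location, "off_network") == "office":
        return True
    if flow.direction == "in":
        return (flow.proto, flow.port) in VPN_PORTS
    return flow.interactive          # background processes cannot phone home

# Pre-admission check run by the central firewall server before the device
# is handed on to the authentication server.
EXPECTED_POLICY = "policy-v7"        # constructed policy version label
MAX_AV_AGE_DAYS = 3                  # constructed freshness threshold

def admission_actions(report: dict) -> list:
    """Return the remediation steps to apply; an empty list means admit as-is."""
    actions = []
    if not report.get("firewall_running"):
        actions.append("start_firewall")
    if report.get("policy_version") != EXPECTED_POLICY:
        actions.append("push_policy:" + EXPECTED_POLICY)
    if report.get("av_definitions_age_days", 999) > MAX_AV_AGE_DAYS:
        actions.append("update_av_definitions")
    return actions

if __name__ == "__main__":
    # Constructed sample flows for a laptop at an airport hotspot.
    print(decide("wifi_hotspot", Flow("in", "tcp", 445)))                    # blocked
    print(decide("wifi_hotspot", Flow("in", "udp", 4500)))                   # VPN allowed
    print(decide("wifi_hotspot", Flow("out", "tcp", 80, interactive=True)))  # user browsing
    print(decide("wifi_hotspot", Flow("out", "tcp", 80)))                    # silent beacon blocked
    print(admission_actions({"firewall_running": False, "policy_version": "policy-v6",
                             "av_definitions_age_days": 10}))
```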
Tight security is indispensable in any firewall, but the management features are what Kirby likes best.
“The central control is the best feature they’ve got,” he says. “It is designed from the ground up with the enterprise in mind and how that applies to host protection.”
With 400 laptops to keep constantly updated, doing the job manually would have been an impossibility.
“If you have more than ten devices you need a central control console,” he advises. “You will kill yourself any other way.”