Reining in Personal Firewalls

Computerworld - It's tough enough defending the IT perimeter against spyware, viruses, worms and unauthorized intrusions. But no matter how good their defenses are, companies still risk getting hurt by those they trust most: remote workers. "If anyone wants to attack, all they have to do is drop in a Trojan [horse] and wait for the person to log in," says Dennis Peasley, information security officer at furniture maker Herman Miller Inc. in Zeeland, Mich.

Personal firewalls help, but stand-alone versions don't always protect the corporate LAN adequately. For example, Peasley initially installed ZoneAlarm from San Francisco-based Zone Labs Inc. on 900 laptops. But the distributed personal firewall installations were difficult to monitor and maintain. Peasley now uses Zone Labs' newer, server-based Integrity software to centrally manage those remote personal firewalls. "With any new system we install, the main cost is not the cost of the software, but the cost of managing it," he says. "Centralized management cuts those costs."

Stand-alone personal firewalls don't work well for corporate LAN access because end users have access to the software and tend to misconfigure it or shut it off entirely, and administrators face problems supporting and installing updates. Because the update process is time-consuming, administrators may avoid updates altogether, leaving unpatched clients open to new vulnerabilities.

"I've seen personal firewall software that was individually installed on several large computer systems, and it always becomes a mess," says Kevin Beaver, president of Principle Logic LLC, an information security consulting firm in Kennesaw, Ga. "Configurations and patches were inconsistent, and the administrators spent way too much time on the 'sneaker net,' going around to remedy problems."

The best centrally managed personal firewall systems won't let end users disable the local firewall software or change the settings, says John Pescatore, an analyst at Gartner Inc. in Stamford, Conn. "Users will just say yes to everything, so you have to centrally manage them in a way that is invisible to the client," he says.

Some tools also integrate with antivirus and virtual private network (VPN) software. Pescatore says two of the more advanced products in this arena, Integrity and Sygate Secure Enterprise, from Sygate Technologies Inc. in Fremont, Calif., include a back-end server that can act as a gateway through which remote-user access can be controlled (see diagram, next page).

Peasley uses that feature on his Integrity firewall system. The end user connects to the Cisco VPN 3030 concentrator, which directs the user session to the Integrity server to authenticate the client, checks that the client's antivirus software is up to date and provides any necessary updates before allowing access to the network.