Where Personal/Desktop Firewalls Fit in a Network
Personal and desktop firewalls are frequently overlooked as security devices that should be implemented on a network. BlackHat 2004 had a keynote speaker introduce the concept of the de-perimeterization of the network. The problem he pointed out was that today's applications require so many ports to be opened in the network firewall to function properly that the network firewall almost does not need to exist in the first place. Although I disagree that the network firewall does not need to exist, the basic idea that we cannot rely on network firewalls alone to protect resources is a sound one. After all, a network firewall can only control traffic that passes through it. If an attacker can gain control of a system on the other side of the firewall, he potentially has unfiltered and unrestricted access to launch attacks from the compromised system to all other systems, rendering the network firewall useless as a defense mechanism.
Consequently, it is a good idea to incorporate firewall technologies on the servers themselves, giving you the ability to control traffic at the point closest to the data that you need to protect: the server network interface card (NIC). Because the firewall is running on the server itself, you can implement the most restrictive filtering rules possible, literally permitting only the traffic specifically required by the applications running on the server.
As illustrated in Chapter 4, "Personal and Desktop Firewalls," there are a number of ways to implement personal firewalls, ranging from built-in utilities such as Windows Firewall for Windows-based systems and IP Filter for UNIX- and Linux-based systems to third-party firewall applications such as Trend Micro, ZoneAlarm, and Cisco Security Agent (CSA).
When determining the appropriate personal firewall to use, you must consider a few elements. First, you need to determine whether you need to control both inbound and outbound traffic with the personal firewall. Many built-in firewalls enable you to control inbound traffic, which is typically the most important traffic to manage; however, the ability to control outbound traffic can be an important defense strategy to prevent the spread of worms. For example, if the personal firewall will not allow the worm to communicate on a port, it can effectively prevent the worm from spreading.
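The "permit only what the server's applications need" policy described above, covering both the inbound and outbound directions, as an added example that is not from the book. It models a default-deny host policy for a constructed web server (HTTPS from anywhere, SSH only from an assumed management subnet, outbound DNS only to an assumed corporate resolver), evaluates it the way the host firewall would, and renders it as an nftables ruleset; the addresses and the table name `host` are assumptions.

```python
# Added example: a minimal model of a default-deny host (personal) firewall
# policy that permits only the traffic a server's applications require.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    direction: str           # "in" (toward the server) or "out" (from it)
    proto: str               # "tcp" or "udp"
    port: int                # destination port of the connection
    peer: str = "0.0.0.0/0"  # remote address range the rule applies to


@dataclass
class HostPolicy:
    rules: list = field(default_factory=list)

    def allows(self, direction, proto, port, peer_ip):
        """Default deny: traffic passes only if an explicit rule matches."""
        addr = ip_address(peer_ip)
        return any(r.direction == direction and r.proto == proto
                   and r.port == port and addr in ip_network(r.peer)
                   for r in self.rules)

    def to_nftables(self):
        """Render the policy as an nftables ruleset (IPv4 rules only)."""
        lines = ["table inet host {", "  chain input {",
                 "    type filter hook input priority 0; policy drop;",
                 "    iif lo accept",
                 "    ct state established,related accept"]
        lines += [f"    ip saddr {r.peer} {r.proto} dport {r.port} accept"
                  for r in self.rules if r.direction == "in"]
        lines += ["  }", "  chain output {",
                  "    type filter hook output priority 0; policy drop;",
                  "    oif lo accept",
                  "    ct state established,related accept"]
        lines += [f"    ip daddr {r.peer} {r.proto} dport {r.port} accept"
                  for r in self.rules if r.direction == "out"]
        lines += ["  }", "}"]
        return "\n".join(lines)


# Constructed policy for a web server (addresses are assumptions):
# HTTPS from anywhere, SSH only from the management subnet, and outbound
# only DNS to the corporate resolver. Anything else, such as a worm trying
# to spread on SMB port 445 in either direction, is dropped by default.
WEB_SERVER = HostPolicy([
    Rule("in", "tcp", 443),
    Rule("in", "tcp", 22, "10.0.100.0/24"),
    Rule("out", "udp", 53, "10.0.0.53/32"),
])
```

Printing `WEB_SERVER.to_nftables()` gives a ruleset you can load with `nft -f`; the `ct state established,related` lines keep reply traffic working so the allow list only has to name the connection-opening direction.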
Second, you need to consider whether the personal firewall needs to include IDS/IPS functionality. Because the personal firewall exists closest to the application and data that needs to be protected, it makes for a great location to implement an IDS/IPS. One of the biggest weaknesses of network-based IDS/IPS is that the sheer volume of data that must be processed is too great for the IDS/IPS to effectively filter and report on. When implemented as a component of the personal firewall, however, the IDS/IPS can be configured around the very specific traffic that is necessary for the applications running on the server, making it much easier to filter traffic with the IDS/IPS (because only the traffic required by the applications running on the server should be allowed).
Finally, you need to consider what will be necessary to provide for centralized management and reporting on your personal/desktop firewalls. It is one thing to manage a handful of perimeter network firewalls. When you start talking about implementing and needing to manage, maintain, configure, and report on thousands of firewalls in an environment, however, the issues around centralized management and reporting become significant problems. Consequently, it is extremely important to look in detail at the enterprise-level capabilities of these products. A good personal/desktop firewall for a home user is not necessarily going to be a good solution for 10,000 desktops in an enterprise.