Decisions, Decisions

Before you choose a desktop firewall, determine whether you need a consumer- or enterprise-class model. Both provide similar security capabilities, but enterprise-class firewalls add centralized management and policy distribution. InfoExpress, Sybergen Networks and Securitae Corp. all sell centrally managed firewalls. Other vendors, including Internet Security Solutions (ISS) and ZoneLabs, offer both enterprise and consumer versions of their products.

If you have only a few users or need a firewall for your own machine, a consumer-class firewall might do the trick.

But tattoo this to your eyelids: End users should not have rights to modify firewall settings. Most centrally managed products offer ways to lock down policies. ISS's BlackICE PC Protection, for example, lets you install the product without a GUI.

Some firewalls let you override a policy. Sygate Technologies' Sygate Secure Enterprise Solution, for example, lets you create exceptions for individual users. Other products, such as those from InfoExpress, supply override passwords you can give a user if he or she needs to open a port or turn off the firewall. These special circumstances must be administrator-approved.

Once the firewall is in place, you need to decide how much information the end user should receive. Should he or she receive alerts on all possible attacks--and be inundated with information--or should he or she be left in the dark?

Some firewalls send out alerts simply to show they're functioning. For example, a ZoneLabs ZoneAlarm firewall I once used told me my router was trying to ping my machine. Well, hot damn, glad that security breach was averted! On college campuses, copious alerts can lead to equally copious phone calls from students making accusations like "Your SNMP-based network-management software just hacked my AOL account!" A good rule of thumb is to limit user notifications to serious threats.

Two other considerations: Most enterprise-class firewalls require a database for log files. Do you have licenses and experts in MS SQL or Oracle? Will you need a separate database server, or can you run the database on the policy server?

Also, pricing varies widely. Most vendors charge on a sliding scale and offer discounts for bulk buys. You may have to pay extra for a management server, too. And you'll need to budget resources for maintenance, user training and support.

Application Control

Some Desktop firewalls provide only port/IP blocking, but the best offer additional application controls to help you catch Trojans. Trojans are sneaky--they can send data to a remote server with HTTP to Port 80 or use any of the other common Internet protocols, which means port blocking is not sufficient. With application controls, you can specify which programs are granted network access. Products with this feature usually provide some form of application-integrity testing as well.

Let's say, for example, an MD5 checksum from a clean executable is fed to the desktop firewall. If the user tries to run a modified version of the program--such as a hack Trojan or a virus embedded into iexplore.exe--the checksums won't match and the firewall will deny the program access. Note, though, that this feature can cause an administrative headache: You'll need to maintain a list of approved programs and checksums.

Some desktop firewalls offer more application-control and file-integrity features. InfoExpress' CyborArmor, for instance, lets you control program spawning--you can set a batch script to execute when run from Eudora but not from Outlook.

Even with application control, though, Trojans can be injected into DLLs or running processes. DLL-integrity checking is the next big step, and vendors are working on this capability.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Write to him at mdemaria@nwc.com.