Firewall selection & management

Supporting and securing network access for remote users (whether it's new sales offices, clients, or partners now hooked into data points) isn't easy. And, securing access is only getting more critical.

One of the most common solutions is installing standalone firewall software on the remote user's desktop. Yet, while tech leaders have nearly 30 firewall products (see partial listing below) from which to choose, pulling a solution off the shelf is likely the easiest part of the project. The pain comes with deployment and user adoption. In this article, we'll review some alternative approaches in which firewall functions are integrated with other tools, such as antivirus scanning, ad blocking, or a VPN client.

Deployment issues still a problem

Many new personal firewalls were developed and launched by dedicated Internet security companies, while others were built by traditional enterprise security vendors initially focused on antivirus products. Despite the range of products available, persistent deployment and management issues are still causing tech leaders headaches.

Several new tools are addressing firewall deployment complications by automating many tasks that a user must perform during installation. For instance, one common approach by firewall vendors is to offer a user several levels of security instead of requiring the user to grant or deny access on an application-by-application, or IP port-by-port basis. The goal of this multiple-level approach is to have the firewall make certain assumptions about which IP ports should be open and which applications require Internet access.

At the low-security level, the software might simply turn off extensions like file- and print-sharing on a remote PC and just monitor for hacker attempts to invade the machine. At the high-security end of the spectrum, the firewall could block external access to all IP ports, including commonly used ones for such programs as e-mail and file transfers.
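The level presets described above, modelled as an added example (not code from the article or from any firewall product): each level expands into an ordered inbound rule list, so the same listening services can be compared at the low and high settings. The port numbers, the rule format and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed port group: the article names the category, not the numbers.
FILE_PRINT_SHARING = frozenset({135, 137, 138, 139, 445})
ANY = frozenset()  # an empty port set means "any port"

@dataclass(frozen=True)
class Rule:
    ports: frozenset
    action: str   # "allow" or "block"
    log: bool     # record the attempt for the user or administrator

# Inbound presets, first matching rule wins.
# low: sharing switched off, everything else reachable but monitored.
# high: no inbound port reachable, including mail and file-transfer ports.
LEVELS = {
    "low": [Rule(FILE_PRINT_SHARING, "block", True), Rule(ANY, "allow", True)],
    "high": [Rule(ANY, "block", True)],
}

def decide(level, port):
    """Return (action, logged) for one inbound connection attempt."""
    for r in LEVELS[level]:
        if not r.ports or port in r.ports:
            return r.action, r.log
    return "block", True  # default deny if a preset has no catch-all

def exposure(level, listening_ports):
    """Ports on the PC that an outside host can still reach at this level."""
    return sorted(p for p in listening_ports if decide(level, p)[0] == "allow")

def monitor(level, attempts):
    """Summarise inbound attempts as {source: [blocked ports]} for review."""
    report = {}
    for src, port in attempts:
        action, logged = decide(level, port)
        if logged and action == "block":
            report.setdefault(src, []).append(port)
    return report

# Constructed sample: services listening on a remote user's PC, and
# inbound attempts seen from documentation-range addresses.
LISTENING = {21, 25, 139, 445, 5900}
ATTEMPTS = [("192.0.2.10", 139), ("192.0.2.10", 445), ("198.51.100.7", 21)]

if __name__ == "__main__":
    for level in LEVELS:
        print(level, exposure(level, LISTENING), monitor(level, ATTEMPTS))
```

At the low level the mail, file-transfer and remote-control listeners in the sample stay reachable from outside, which is the exposure a user accepts by choosing that preset.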

Yet, even with today's simpler-to-configure firewall software, CIOs face another challenge: user adoption.

Management and adoption challenges

"How do you force people to use firewalls?" asked William Perkins, director of IS at a Midwest insurance company. "We've got many home users. Some we have lots of control over; some we don't."

Perkins says that there are basically two types of remote users. The first is one who connects to the company from home with a company-issued PC. This user is likely a permanent telecommuter or someone who splits workweek time between home and the office. The second type is the user who works from a home-based computer to occasionally access the company network and corporate applications.

CIOs typically need to develop vastly different remote security policies to manage both types of users, since the IT control level will differ between them.

With a corporate-owned computer, a CIO can insist that the machine have a personal firewall installed and that the firewall's configuration is set to the corporate standard. In contrast, a CIO likely won't be able to issue this mandate to the second type of user as strongly, since the machine in question is a home-owned, personal computer. While tech leaders could decree that any remote user seeking corporate access must have a firewall installed and configured according to certain specs, it's impossible to ensure that the requirements have been met without a physical visit to the computer site.


Begin your search with this product list
If you're in the market for a firewall product, you'll have several to choose from. It may be best to begin your search by visiting the leading products and vendor links below:


TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2001 TechRepublic, Inc.


Talkback 2 comments

    Anonymous -- 23/07/02

    It's not hard!

    Install a "server" (even a spare P75 with 64M of RAM running NT4 Workstation), throw on something like Winroute Pro, close all ports, proxy everything that needs to go outbound, open up an incoming port to be forwarded for every service that needs incoming connections (i.e. VPN).

    I've been using this method for over 6 months and it works great.

    Dick Millott -- 07/03/03

    All I want is a quote to install a firewall to stop people jumping on my broadband connection and to put an end to unsolicited spam mail which increases daily. We are a small business of two people in South Melbourne. Please reply remembering that you are more computer literate than we are.
    Many thanks.
    Dick Millott
