Network Security – Should Software Firewalls be Used on PCs?
Network security is a touchy subject, especially among different network administrators. With this particular facet of the subject, I’ve heard the argument boiled down to this question: How much can you truly trust the machines inside your network?
The answer for a great many network admins: Not much! It is a safe answer, and rightly so; you never know when a rogue trojan horse is going to worm its way into your network, phone home, or try to take over other machines on the network. It is a wise precaution to assume that machines on your network cannot be trusted and to take steps to guard against them. For many network administrators, this step takes the form of software firewalls: they are considered a second line of defense if a hardware firewall has been breached, and many organizations will make them an integral part of their images or base machine configurations.
Having a software firewall on each workstation is a good idea in theory, but there is a significant problem with 3rd-party software firewalls in an enterprise-level network: namely, they hinder normal network activity and cause mysterious, hard-to-diagnose problems. Often, software firewalls are configured by default to block ports like , causing network disconnects and inability to access critical file shares. If these firewalls become corrupted and/or are infected by a virus, it is often almost impossible to restore connectivity to the machine, forcing a reformat, repair install, or re-image.
The answer to this problem is seemingly quite obvious: configure the software firewalls so they don’t do that. Any network admin worth their salt will make sure that their image ships with a firewall configured properly to allow any necessary ports through, and it will provide a measure of security and stability while still not impeding any legitimate network activity.
The problem with these software firewalls is that they often have no centrally managed solution. If a new service on the network requires more ports to be opened, software like ZoneAlarm and other 3rd party firewalls must be configured at each machine individually. Barring that, a new image has to be pushed out with the updated firewall configuration; both solutions are time-consuming, inefficient, and cumbersome at best.
Furthermore, many of the services provided by a 3rd-party software firewall solution can be provided by built-in firewall solutions, like the Windows Firewall. Additionally, Windows Firewall can be controlled by Active Directory group policy, enabling new firewall rules and additions to be pushed out quickly and easily to the entire domain. This is a huge advantage over the decentralized 3rd-party model, since it offers the same type of protection with a better system of management.
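The centrally managed model the paragraph describes, as an added example that is not part of the original article: the built-in NetSecurity cmdlets write Windows Firewall settings straight into a domain Group Policy Object, so a rule change reaches every workstation at the next policy refresh instead of requiring a visit to each machine or a new image. The domain name, GPO name and address ranges below are constructed for the example; the script assumes the GPO already exists and is linked to the workstation OU, and that it runs as a domain administrator on a machine with the GroupPolicy/RSAT tools installed. The file-sharing port used is SMB over TCP 445, which is the kind of port the article says a default-deny desktop firewall tends to block.

```powershell
# Added example (not the article's own code): push Windows Firewall settings
# to all domain workstations through a Group Policy Object.
# Assumptions (constructed for this example): domain "corp.example", an existing
# GPO called "Workstation Firewall", and two internal address ranges.

$Domain     = 'corp.example'
$GpoName    = 'Workstation Firewall'
$Store      = "$Domain\$GpoName"                    # PolicyStore form: "<domain>\<GPO name>"
$LanSubnets = @('10.0.0.0/8', '192.168.0.0/16')     # constructed internal ranges

# Open a session on the GPO so several changes are committed as one batch.
$gpo = Open-NetGPO -PolicyStore $Store

# 1. Baseline for every profile: firewall on, inbound default-deny, and dropped
#    packets logged. The log is what turns a "mysterious disconnect" into a
#    diagnosable event: the blocked port and source address are written there.
#    -AllowLocalFirewallRules False means a rule added (or a firewall tampered
#    with) on the workstation itself cannot override what the GPO delivers.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. The rule a per-machine third-party firewall would need hand-editing for:
#    allow SMB inbound, but only on the Domain profile and only from internal
#    ranges. The weaker form would be -Profile Any -RemoteAddress Any, which
#    exposes the share on whatever network a laptop happens to join.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName 'Allow SMB from internal networks' `
    -Group 'Corporate File Sharing' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Profile Domain -RemoteAddress $LanSubnets `
    -Action Allow

# 3. Commit the batch to the GPO in Active Directory. Clients apply it at the
#    next Group Policy refresh; no image rebuild and no per-machine visit.
Save-NetGPO -GPOSession $gpo

# Verification on a workstation after policy refresh (gpupdate /force forces it):
#   Get-NetFirewallRule -PolicyStore RSOP -DisplayGroup 'Corporate File Sharing' |
#       Get-NetFirewallPortFilter
#   Get-NetFirewallProfile -PolicyStore ActiveStore |
#       Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
# RSOP shows the resultant set of policy the GPO delivered; ActiveStore shows the
# live firewall state, so the two together confirm the rule is both present and
# in effect rather than shadowed by a local setting.
```

When a new service needs another port, the same pattern applies: add one `New-NetFirewallRule` call against the GPO session, save, and let the refresh cycle distribute it. Checking `-PolicyStore RSOP` on a client is the quickest way to tell whether a connectivity complaint is a missing rule or something unrelated to the firewall.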
In the end, you can’t rely on your hardware firewall as your only line of defense. You should assume that any machine on your network can be compromised at any time and plan accordingly. This plan, however, probably shouldn’t include 3rd-party software firewall solutions. Their lack of centralization and inability to be as flexible as necessary means that you should probably look to other solutions to secure your network from the inside; either different methods of network configuration or built-in firewall solutions with greater central management should be used to ensure your network operates smoothly and efficiently.
Want to learn more? Boris Tulman writes for Good Networking (goodnetworking.com), a hot new blog that offers computer networking tutorials, networking tips and best practices. Looking for a good networking tutorial? Please visit Good Networking and find what you are looking for!
Source: ArticlesBase.com