Saturday, August 26, 2006

Using a Host Based Firewall

Even if you have a hardware router, you can still benefit from a host-based firewall on each of your computers. Host-based firewalls also go by the familiar name "personal firewall." You already have a pretty good one built in if you have installed Service Pack 2 on your Windows XP computer. However, the built-in Windows Firewall lacks some of the features that third-party firewalls such as ZoneAlarm or McAfee offer.

So why do you need a host-based firewall anyway? Three words: Defense-in-Depth! A basic tenet of computer security is that no single measure will prevent every type of attack, but a variety of measures (layers) will stop most of them. You have a router at the perimeter, you keep your patches up to date, you use antivirus and anti-malware software, and you have a host-based firewall in place to intercept whatever gets past the other layers. Here is an example: I have a Linksys router performing firewall duties at my perimeter. However, looking at my McAfee firewall logs I see that certain events got through the router but were intercepted and stopped by my host-based firewall.

Some of the added features of the third-party products are the ability to configure program exceptions more granularly, to block outbound as well as inbound connections, and to collect richer event log information. For inbound events, the Windows Firewall lets you configure which applications and ports to allow, and it can log dropped packets to %windir%\pfirewall.log once you turn on security logging under the Advanced tab. But for outbound events, the XP Windows Firewall offers no configuration at all; outbound filtering won't arrive until Windows Vista hits the streets.
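As an added example (not code from the original post), here is a small Python script that reads a Windows Firewall log in the XP SP2 format and reports which inbound packets the host firewall dropped, split by whether the source was on the LAN or came from beyond the router. It takes the column names from the log's own #Fields header rather than hard-coding them. The log lines embedded in it are constructed for the example, and treating RFC 1918 addresses as "the LAN" is an assumption about a typical home network; McAfee and ZoneAlarm logs carry the same kind of information but in their own formats.

```python
"""Summarise dropped inbound packets from a Windows Firewall (XP SP2) log.

The log is W3C extended format: comment lines start with '#', and the
'#Fields:' line names the space-separated columns, so the parser reads the
column names from the file instead of hard-coding them.
"""
import ipaddress
from collections import Counter

# Constructed sample in the layout of %windir%\pfirewall.log. Addresses,
# times and ports are made up; 203.0.113.x and 198.51.100.x are
# documentation ranges standing in for hosts out on the Internet.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-08-26 10:15:01 DROP TCP 203.0.113.45 192.168.1.10 4521 135 48 S 123456789 0 65535 - - - RECEIVE
2006-08-26 10:15:02 DROP TCP 203.0.113.45 192.168.1.10 4522 445 48 S 123456790 0 65535 - - - RECEIVE
2006-08-26 10:15:09 DROP UDP 192.168.1.22 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2006-08-26 10:16:30 OPEN TCP 192.168.1.10 198.51.100.7 1044 80 0 - 0 0 0 - - - SEND
2006-08-26 10:17:12 DROP TCP 198.51.100.99 192.168.1.10 3311 135 48 S 123457001 0 65535 - - - RECEIVE
2006-08-26 10:18:40 DROP ICMP 203.0.113.45 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""

# Assumption: on a home network, anything in RFC 1918 space is "the LAN".
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # Truncated or malformed line: skip it rather than misalign columns.
            continue
        yield dict(zip(fields, values))


def dropped_inbound(text):
    """Return the DROP records for inbound traffic (path == RECEIVE).

    If the log has no 'path' column, every DROP is treated as inbound, which
    is the only direction the XP SP2 firewall filters anyway.
    """
    return [
        rec for rec in parse_log(text)
        if rec["action"] == "DROP" and rec.get("path", "RECEIVE") == "RECEIVE"
    ]


def summarise(records):
    """Count drops per (protocol, destination port) and per source address."""
    by_port = Counter((r["protocol"], r["dst-port"]) for r in records)
    by_source = Counter(r["src-ip"] for r in records)
    return by_port, by_source


def is_lan(ip):
    """True if ip falls in one of the assumed LAN (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify_origin(records):
    """Split drops into traffic that came past the router and traffic from
    the LAN itself (which the perimeter router could never have stopped)."""
    counts = {"outside": 0, "lan": 0}
    for rec in records:
        counts["lan" if is_lan(rec["src-ip"]) else "outside"] += 1
    return counts


if __name__ == "__main__":
    drops = dropped_inbound(SAMPLE_LOG)
    by_port, by_source = summarise(drops)
    print("Dropped inbound by protocol/port:")
    for (proto, port), n in by_port.most_common():
        print(f"  {proto:5} {port:>5}  {n}")
    print("Dropped inbound by source:")
    for src, n in by_source.most_common():
        where = "LAN" if is_lan(src) else "past the router"
        print(f"  {src:15}  {n}  ({where})")
    print("Origin:", classify_origin(drops))
```

Run against a real log, the "past the router" bucket is exactly the evidence the paragraph above is talking about: packets the perimeter firewall let through that the host firewall still had to stop. The "LAN" bucket is a reminder that a host firewall also guards against an infected neighbour on your own network, which no perimeter device can help with.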

Installing a host-based firewall doesn't come without some complexity. You are going to have to be a little patient while the firewall is learning. It will alert and prompt you many times when something tries to go outbound, and you will have to tell it to remember whether each item is acceptable. Don't just click "Allow" to make the prompt go away: if you don't recognize the program asking to go out, deny it and find out what it is, since an unexpected outbound prompt can itself be the first sign of malware. Likewise, on inbound events, most firewalls will just outright block them but will alert you. You will then have to see what it is and make the appropriate configuration adjustments. Once you have done this for several days, you will find that the alerts become less and less frequent, and the firewall will be pretty low maintenance after that. You will also need to keep your firewall up to date, just like your antivirus software and patches.

Defense-in-depth is vital for keeping your computer and your data safe. A host-based firewall adds to your other protective measures and helps keep the threats to a minimum.

SANS Handler Diary Article
