
Choosing a Personal Firewall for Enterprise PCs using Windows XP

Microsoft Windows and Internet Explorer are two of the most common applications used in businesses worldwide. As a result, hackers and online criminals often target them for their malicious activities, jeopardizing business continuity and productivity. Microsoft has released a new version of Microsoft Windows XP called Service Pack 2 (SP2) that contains many security enhancements, including a personal firewall. While this demonstrates Microsoft's effort to strengthen the security of its OS and applications, our testing shows that these improvements do not provide adequate protection for endpoint PCs. In fact, relying solely on the Windows Firewall could give enterprises a false sense of security. Check Point recommends that security administrators and enterprise IT organizations consider the following security features when evaluating personal firewall solutions for the enterprise.

Endpoint Security - Does the firewall offer complete protection?

Look for these security features to provide comprehensive protection for your endpoint PCs:

  • Inbound Protection: Stateful firewall opens PC ports only for authorized network traffic and blocks network intrusion attempts; port stealthing hides endpoint PCs from port scans.

  • Outbound Protection: Program control prevents unauthorized applications and malicious code from capturing and sending enterprise data to hackers.

  • Email Protection: Quarantines suspicious email attachments and prevents outbound address book hijacking.

  • Custom Security Zones: Mitigates risk with the ability to segment network traffic and restrict access on trusted LANs while maintaining high security for Internet connections.

The Windows Firewall is designed to address only one class of vulnerability: the kind that led to MS Blast (or Blaster) and SQL Slammer. The Windows Firewall controls inbound, but not outbound, communications. It only prevents applications from communicating as servers; it does not prevent outbound application communications. While preventing applications from listening to the Internet at large would have prevented the spread of SQL Slammer, it does nothing to stop Trojan horses from "calling home", that is, transmitting personal data or opening remote-control "back channel" communications.

In addition, the Windows Firewall does not have the flexibility to trust or block individual hosts, subnets, and IP addresses. While it can differentiate local subnets from the Internet at large, it trusts all local subnets, jeopardizing security by subjecting users to whatever risks exist on public and semi-public networks such as cable connections, public-access wireless, and enterprise networks.

Vulnerability Protection - Can the firewall protect itself?

Hackers try to disable security measures like personal firewalls and antivirus software when they design malware or when they identify a target PC. This is another critical area where hacker-proofing makes a difference in endpoint security.

  • Disabling Protection: Can an attack disable the firewall? Your personal firewall needs to be "hardened" against disabling attacks.

  • Tamper Resistant: Can hackers change the personal firewall's configuration, so that it appears to behave correctly, but in fact, has stopped protecting the PC?

  • Application Spoofing: Can a host, or a host application, fool the firewall into behaving as though an unapproved application is approved, through re-naming, replacing or duplicating the application name?

Hackers can subvert the limited feature set of the Windows Firewall; they can even turn off Windows Firewall remotely, using the Windows Management Interface. In addition, it's subject to application spoofing as it doesn't authenticate applications using signatures, fingerprinting, or code signing. It's important to find a personal firewall that can protect itself as well as the PC.
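The application-spoofing point above is easiest to see in code. The following is an added example (not Check Point's or Microsoft's code): it stages a renaming attack in a temporary directory and compares a program-control policy keyed on the file name with one keyed on a fingerprint of the file contents (SHA-256 here). The "programs" are constructed byte strings, and the file name `mailclient.exe` is an assumption for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample "programs": in a real deployment these would be the
# bytes of the actual executables on disk.
TRUSTED_PROGRAM_BYTES = b"MZ...legitimate mail client (constructed sample)"
MALWARE_BYTES = b"MZ...trojan that calls home (constructed sample)"


def sha256_of_file(path):
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_based_allowed(path, allowed_names):
    """Program control keyed on the file name only (the weak approach)."""
    return os.path.basename(path).lower() in allowed_names


def hash_based_allowed(path, allowed_hashes):
    """Program control keyed on a fingerprint of the file contents."""
    return sha256_of_file(path) in allowed_hashes


def spoofing_demo():
    """Stage a replace-the-binary attack and report what each policy decides."""
    workdir = tempfile.mkdtemp()
    try:
        legit = os.path.join(workdir, "mailclient.exe")  # assumed trusted program name
        with open(legit, "wb") as f:
            f.write(TRUSTED_PROGRAM_BYTES)
        # Both policies are provisioned while the genuine program is in place.
        allowed_names = {"mailclient.exe"}
        allowed_hashes = {sha256_of_file(legit)}

        # Malware overwrites the trusted binary but keeps the trusted name.
        dropped = os.path.join(workdir, "tmp_payload.bin")
        with open(dropped, "wb") as f:
            f.write(MALWARE_BYTES)
        shutil.move(dropped, legit)

        return {
            "name_policy_allows_spoof": name_based_allowed(legit, allowed_names),
            "hash_policy_allows_spoof": hash_based_allowed(legit, allowed_hashes),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(spoofing_demo())
```

The name-based policy still approves the replaced file, while the fingerprint-based policy rejects it because the contents no longer match what was approved; a code-signing check would give the same result for a signed binary.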

Manageability - Does the firewall have appropriate policy management tools for a distributed enterprise environment?

Enterprises must manage hundreds, if not thousands, of endpoint PCs with multiple applications. When dealing with security policies for thousands of enterprise endpoints, look for these capabilities for powerful, flexible management:

  • Granularity of Firewall Rules: Ability to control many parameters including ports, protocols, source and/or destination addresses.

  • Flexible Policy Creation and Assignment: Apply default or customized policies based on any number of criteria: by users, machines, groups, IP addresses, connection types, or locations.

  • Application Inventory Aggregation: Enterprise-wide inventory of all PC applications that attempt network access.

  • Powerful Forensic Tools: Centralized logging and reporting capabilities to assess the security health of the network.

The Windows Firewall offers few configuration parameters and cannot support the granular security needs that enterprises demand. It cannot specify policies based on users, IP addresses, or even location (LAN, VPN, or wireless). The simplistic mechanism for adjusting settings for users is called Group Policy Objects.

In addition, the Windows Firewall blocks all listening applications by default. This would include legitimate applications unless they are added to the permissions list, resulting in reduced productivity and increased support calls.

The Windows Firewall doesn't provide IT with the information needed to ensure the security health of the network. It only provides the ability to log at each client, with no ability to aggregate the results or centralize the data.
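The aggregation the page says is missing can be approximated by collecting each client's local log centrally. The following is an added example (not Check Point's or Microsoft's code) that parses excerpts of the per-client `pfirewall.log` file the Windows Firewall writes, merges the inbound DROP events from several PCs, and flags sources that were dropped on several distinct ports across the fleet. It also labels each flagged source by zone, in the spirit of the custom security zones discussed earlier. The log lines, client names and the trusted-zone definition (`10.0.0.0/24`) are constructed for the example; the column layout is read from each file's own `#Fields:` header rather than hard-coded.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: excerpts of the per-client pfirewall.log that the
# Windows Firewall writes locally. The column layout is taken from each
# file's own "#Fields:" header, so the parser does not hard-code it.
CLIENT_LOGS = {
    "pc-042": """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-01 09:12:01 DROP TCP 10.9.8.7 10.0.0.42 3401 135 48 S 1132 0 65535 - - - RECEIVE
2004-09-01 09:12:01 DROP TCP 10.9.8.7 10.0.0.42 3402 139 48 S 1133 0 65535 - - - RECEIVE
2004-09-01 09:12:02 DROP TCP 10.9.8.7 10.0.0.42 3403 445 48 S 1134 0 65535 - - - RECEIVE
2004-09-01 09:15:30 OPEN TCP 10.0.0.42 10.0.0.5 1045 80 - - - - - - - - -
""",
    "pc-017": """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-01 09:13:44 DROP TCP 10.9.8.7 10.0.0.17 3590 135 48 S 2210 0 65535 - - - RECEIVE
2004-09-01 09:20:10 DROP UDP 192.0.2.77 10.0.0.17 1040 1434 404 - - - - - - - RECEIVE
""",
}

# Assumed zone definition for this example: the corporate LAN is trusted,
# everything else is treated as Internet.
TRUSTED_ZONES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_pfirewall_log(text):
    """Yield one dict per event line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # malformed or truncated line: skip rather than guess
        yield dict(zip(fields, tokens))


def zone_of(ip_text):
    """Classify a source address against the configured trusted zones."""
    ip = ipaddress.ip_address(ip_text)
    return "trusted" if any(ip in net for net in TRUSTED_ZONES) else "internet"


def aggregate(client_logs, scan_threshold=3):
    """Merge inbound DROP events from many clients and flag scan-like sources.

    A source dropped on scan_threshold or more distinct destination ports
    across the fleet is reported as a suspect, with its zone and the PCs
    that saw it.
    """
    drops_by_source = Counter()
    drops_by_port = Counter()
    ports_by_source = defaultdict(set)
    clients_by_source = defaultdict(set)
    for client, text in client_logs.items():
        for ev in parse_pfirewall_log(text):
            # Only inbound drops matter for a port-scan view.
            if ev["action"] != "DROP" or ev["path"] != "RECEIVE":
                continue
            src, port = ev["src-ip"], ev["dst-port"]
            drops_by_source[src] += 1
            drops_by_port[port] += 1
            ports_by_source[src].add(port)
            clients_by_source[src].add(client)
    suspects = {
        src: {"zone": zone_of(src), "ports": sorted(ports, key=int),
              "clients": sorted(clients_by_source[src])}
        for src, ports in ports_by_source.items() if len(ports) >= scan_threshold
    }
    return {
        "drops_by_source": dict(drops_by_source),
        "drops_by_port": dict(drops_by_port),
        "suspects": suspects,
    }


if __name__ == "__main__":
    summary = aggregate(CLIENT_LOGS)
    for src, info in summary["suspects"].items():
        print(f"{src} ({info['zone']}): ports {info['ports']} seen by {info['clients']}")
```

On the constructed logs, `10.9.8.7` is flagged because it touched three distinct ports across two PCs, something no single client's log shows on its own, which is the point of central aggregation.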

Compliance - Does the security solution provide compliance tools?

Good endpoint security solutions need to enforce policy compliance. Any endpoint that fails to meet security policy requirements must be quarantined from the corporate network. Without policy enforcement, companies risk infection and compromises to their enterprise networks.

To ensure comprehensive policy enforcement, look for these capabilities:

  • Comprehensive enforcement criteria (running and up-to-date), including:
    • Antivirus
    • Security patches
    • Service Packs
    • Files
    • Registry keys
    • Other conditions

  • Enforcement of the presence or absence of a parameter

  • Enforcement on endpoints independent of access (LAN, remote access, and wireless).

  • Integration with all leading gateway vendors (IPSec VPN, SSL VPN, 802.1x/EAP-enabled switches, wireless access points, etc.)

  • Centralized enforcement reporting

Windows XP SP2 does not include any tools for enforcing compliance, which means that any endpoint, even one that violates security policy, is allowed access to the network, threatening the security of the enterprise network and every PC on that network. Moving forward, Microsoft has announced plans for a future enforcement architecture called Network Access Protection (NAP).
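To make the enforcement criteria above concrete, here is an added example (not Check Point's or Microsoft's code) of a small compliance evaluator: each rule requires a parameter (a running process, a patch, a file, a registry key) to be present or absent, every endpoint is evaluated the same way regardless of how it connects, and the result is a central allow/quarantine report. The endpoint inventories, process names, patch id and registry key are constructed placeholders, not real identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One compliance criterion: a parameter that must be present or absent."""
    kind: str       # "process", "patch", "file" or "registry"
    target: str     # process name, patch id, file path or registry key
    required: bool  # True: must be present; False: must be absent


# Constructed policy. The patch id and registry key are placeholders,
# not real identifiers.
POLICY = [
    Rule("process", "avscanner.exe", True),                 # antivirus running
    Rule("patch", "KB-PLACEHOLDER-SP2", True),              # service pack installed
    Rule("registry", r"HKLM\SOFTWARE\Example\Agent\Installed", True),
    Rule("file", r"C:\WINDOWS\system32\dropper-placeholder.dll", False),  # must be absent
]

# Constructed endpoint inventories, as an endpoint agent might report them.
ENDPOINTS = {
    "laptop-01": {
        "access": "vpn",
        "processes": ["avscanner.exe", "explorer.exe"],
        "patches": ["KB-PLACEHOLDER-SP2"],
        "files": [],
        "registry_keys": [r"HKLM\SOFTWARE\Example\Agent\Installed"],
    },
    "desktop-07": {
        "access": "lan",
        "processes": ["explorer.exe"],  # antivirus not running
        "patches": ["KB-PLACEHOLDER-SP2"],
        "files": [r"C:\WINDOWS\system32\dropper-placeholder.dll"],  # forbidden file present
        "registry_keys": [r"HKLM\SOFTWARE\Example\Agent\Installed"],
    },
}

# Which inventory list each rule kind is checked against.
INVENTORY_KEY = {"process": "processes", "patch": "patches",
                 "file": "files", "registry": "registry_keys"}


def evaluate(inventory, policy):
    """Return (compliant, failures) for one endpoint's reported inventory."""
    failures = []
    for rule in policy:
        reported = {v.lower() for v in inventory.get(INVENTORY_KEY[rule.kind], [])}
        present = rule.target.lower() in reported  # Windows names are case-insensitive
        if present != rule.required:
            state = "missing" if rule.required else "present"
            failures.append(f"{rule.kind} {rule.target} {state}")
    return not failures, failures


def access_decision(name, inventory, policy):
    """Allow or quarantine; the access path is recorded but never exempts a PC."""
    compliant, failures = evaluate(inventory, policy)
    return {
        "endpoint": name,
        "access": inventory.get("access", "unknown"),
        "decision": "allow" if compliant else "quarantine",
        "failures": failures,
    }


def enforcement_report(endpoints, policy):
    """Centralized view: one decision per endpoint, suitable for reporting."""
    return {name: access_decision(name, inv, policy) for name, inv in endpoints.items()}


if __name__ == "__main__":
    for name, result in enforcement_report(ENDPOINTS, POLICY).items():
        print(name, result["access"], result["decision"], result["failures"])
```

The report lists why each quarantined PC failed, which is the input a remediation workflow needs; a real agent would gather the inventory from the running system rather than from a constructed dictionary.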

Remediation - Do users and IT benefit through remediation tools?

When users are out of compliance with policy, effective remediation ensures that quarantined PCs can be brought into compliance again, quickly and easily.

To ensure effective remediation, look for these capabilities:

  • Integrated compliance resources

  • Centrally managed, customizable alerts and resources

  • Centralized enforcement and remediation reports

Windows XP SP2 does not offer any integrated remediation tools for the enterprise; there is no easy access to compliance resources that IT can configure and manage. Microsoft's remediation strategy revolves around its SMS offering.

Personal Firewalls for Enterprise Environments

Evaluating personal firewalls for enterprise environments, and finding the right, comprehensive solution (one that protects both PCs and the enterprise networks that connect those PCs), means evaluating desktop protection together with the additional safeguards that come with enterprise-class management, compliance and remediation. The Windows Firewall does not provide the kind of robust, enterprise-class capabilities that the Integrity Product Family provides for enterprises.