Hardware-based PC firewalls: Securing the last unprotected area of the network


Johannesburg, 26 Aug 2003

Just how secure is your network? Chris van Niekerk, country manager of 3Com SA, asks the question many IT managers ask themselves daily. He highlights the security risks facing companies today, despite the fact that they may have secured their network's perimeter with a strong corporate firewall.

Unfortunately, in today's society, the individuals who pose some of the greatest threats to major corporations are individuals who are trusted enough to have the keys to the security doors which are supposed to protect the company's data.

Employees, telecommuters, strategic vendors, temporary employees and business partners require access to most networks today - the same networks that include sensitive customer data and financial records.

Given the critical need to keep everyone productive and still protect your company's intellectual property, it's no wonder so many IT managers are feeling insecure about network access.

Facts about security

The Internet has changed the way people work, communicate, collaborate, buy and sell. Business trends, such as outsourcing and telecommuting, further complicate a corporation's security challenges. Controlled access between corporate networks is often the most practical, cost-effective way to enable business partnerships. But allowing partners deep into the corporate network blurs the distinction between inside and outside access.

The traditional security paradigm of "assuming connections inside the perimeter firewall are safe and connections outside the firewall are suspect" is not enough to protect a company's digital assets. Today's enterprise networks need security that extends from the server to all its end points, whether they're inside or outside the corporate perimeter.

Beyond perimeter firewalls

Conventional perimeter firewalls only protect the perimeter of the corporate network. They filter and audit traffic as it crosses the boundary between the LAN inside the company and the Internet outside. However, they're not designed to safeguard connections within the LAN.

This type of network is particularly vulnerable to a targeted attack. For example, a hacker targets machines that have inside access to the corporate LAN. Once they've gained control of such a machine, they use it as a launching pad to break into other systems.

The obvious way to improve security in a building would be to create keys and locks for each room inside it. Similarly, the latest generation of security solutions distributes firewall functions to desktop, notebook and server PCs across the network.

Embedding firewalls throughout the company gives users easy access to information - without opening the rest of the network to a potential invasion. With this type of end-to-end security, it wouldn't matter whether users connect through intranets, extranets, VPNs or remote access.

It also helps prevent an intrusion at a single end point from progressing further into the network or a public login from being used to break into a restricted-access machine.

Safe, safer, safest

Many organisations are becoming more distributed with networks that include branch offices, partners, telecommuters and remote workers. As networks become increasingly distributed, network security must adjust to meet the changing nature of the network. Embedding hardware security at each of these new end points quickly becomes a viable option to ensure a consistent, sound security policy across the distributed network.

Software-based solutions - such as personal firewalls - are simply not tamper-resistant enough. These solutions are only as secure as the operating systems of the servers or PCs where they reside.

Once the operating system is compromised, the software security solution is effectively rendered useless. End-user action or even a malicious script delivered via e-mail can easily disable software security products. It's even possible for "friendly" applications running on the host computer to inadvertently turn off security software to eliminate a driver conflict. Once these software solutions fail, the end system is left vulnerable.

Worse yet, the rest of the network is at risk of penetration from this inside-the-LAN launching pad.

Perimeter firewall appliances or gateways offer superior tamper-resistance because their security functions are handled by hardware processors, not software.

But these devices are limited to boundary protection. A NIC-based firewall solution extends this functionality beyond the perimeter and distributes it to network end points. It provides both bypass- and tamper-resistance. Security enforcement happens at the PC but is handled by the firewall hardware, separate from the host system - which makes it nearly invulnerable to malicious code or hacker attacks.

Even in the unlikely event that an attacker thoroughly penetrates and takes control of a firewall-enabled host, they can't go anywhere. They can't turn off or go around the embedded hardware firewall and progress further into the network.

As distributed networks expand, the ability to centrally monitor and manage the security infrastructure becomes critical. Just as it is preferable for a security guard to lock and unlock any door from his security base station, rather than walk from room to room with a giant keychain, so it provides significant benefits for companies to configure and manage network security from a central control console.

A central control console enables IT administrators to easily regulate network security to fit changing business needs and maintain better control over user access. Security policies can be created and enforced for a specific machine (payroll server) or for a group of machines (all Web servers).

One of the greatest challenges IT managers face with a distributed network is enforcement of security policy. Security that is controlled from a remote server is very difficult to turn off at the end points, especially if it is hardware embedded on the individual machine. IT administrators can be confident that once they deploy the appropriate security across the network, users and systems are safeguarded - and will stay that way.
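The passages above describe the model at the level of policy: an administrator defines rules at a central console for one machine (the payroll server) or a group of machines (all Web servers), the policy is pushed to each end point, and the end point's own filter enforces it so that a compromised neighbour on the LAN is stopped at the target. The following is an added, self-contained Python model of that idea, written for this page; it is not 3Com's product or management console code, and the host names, subnets and ports are constructed for illustration. It shows how host-specific and group rules combine into an effective per-endpoint policy with a default-deny fallback, and how a probe from a compromised workstation is treated by each end point.

```python
"""Model of centrally managed, per-endpoint firewall policy (added example,
not vendor code). Host names, subnets and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source CIDR the rule applies to
    dst_port: Optional[int]  # None matches any destination port
    proto: str = "tcp"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        return (proto == self.proto
                and ip_address(src_ip) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == dst_port))


class CentralConsole:
    """Central policy store. End points only receive the output of
    effective_rules(); the host itself never holds an editable copy."""

    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {}
        self.host_rules: Dict[str, List[Rule]] = {}
        self.group_rules: Dict[str, List[Rule]] = {}

    def add_host(self, host: str, *groups: str) -> None:
        for g in groups:
            self.groups.setdefault(g, set()).add(host)

    def set_host_rules(self, host: str, rules: List[Rule]) -> None:
        self.host_rules[host] = list(rules)

    def set_group_rules(self, group: str, rules: List[Rule]) -> None:
        self.group_rules[group] = list(rules)

    def effective_rules(self, host: str) -> List[Rule]:
        # Host-specific rules first, then the rules of every group the host
        # belongs to (in group-name order, so the result is deterministic).
        rules = list(self.host_rules.get(host, []))
        for group, members in sorted(self.groups.items()):
            if host in members:
                rules.extend(self.group_rules.get(group, []))
        return rules


def decide(rules: List[Rule], src_ip: str, dst_port: int,
           proto: str = "tcp") -> str:
    """First-match evaluation, as the end point's filter would perform it."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return "deny"  # default deny: unmatched inbound traffic is dropped


def build_demo_console() -> CentralConsole:
    """Constructed sample policy: a payroll server and two Web servers."""
    console = CentralConsole()
    console.add_host("payroll", "servers")
    console.add_host("web01", "servers", "web")
    console.add_host("web02", "servers", "web")
    # Only the HR subnet may reach the payroll application port.
    console.set_host_rules("payroll", [Rule("allow", "10.1.20.0/24", 443)])
    # Every server accepts SSH from the administrators' jump host only.
    console.set_group_rules("servers", [Rule("allow", "10.1.10.5/32", 22)])
    # All Web servers accept HTTP and HTTPS from anywhere.
    console.set_group_rules("web", [Rule("allow", "0.0.0.0/0", 80),
                                   Rule("allow", "0.0.0.0/0", 443)])
    return console


def check(host: str, src_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """Verdict the named end point gives to one inbound connection attempt."""
    console = build_demo_console()
    return decide(console.effective_rules(host), src_ip, dst_port, proto)


if __name__ == "__main__":
    # A compromised workstation (10.1.50.17) probes its LAN neighbours.
    for host, port in [("payroll", 443), ("web01", 443), ("web01", 22)]:
        print(f"10.1.50.17 -> {host}:{port}/tcp : {check(host, '10.1.50.17', port)}")
    # Legitimate HR traffic to payroll, and admin SSH from the jump host.
    print(f"10.1.20.5 -> payroll:443/tcp : {check('payroll', '10.1.20.5', 443)}")
    print(f"10.1.10.5 -> web01:22/tcp : {check('web01', '10.1.10.5', 22)}")
```

The point the model makes is the one the article argues in prose: the workstation's compromise does not change the verdict at the payroll server, because the rules are evaluated by the target end point against policy it did not author, and anything the console has not explicitly allowed falls through to deny.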

The emerging home workforce

A hardware-based firewall security solution at the PC level also protects telecommuting users who access the corporate LAN from home. PCs in the home are particularly vulnerable to hackers because most residential Internet services operate over open connections, with no added security.

Unfortunately, the number of attacks occurring on home PCs is rising as hackers discover these easy targets. In many cases, hackers aren't going after personal files, but are simply using the computers to gain access to corporate networks. Securing these remote access endpoints with NIC-based firewalls helps protect the rest of the corporate network from risky Internet connections.

Time for secure, end-to-end connections

As hackers and virus writers become more expert, network security products must evolve to stay ahead of them. PC-based, hardware firewalls add an essential layer of tamper-resistant, distributed protection to any smart security solution.

Firewall hardware can be easily integrated into notebooks, desktops and servers at the factory to deliver secured systems right off the shelf. Security-conscious corporate customers should ask their PC manufacturers if they offer firewall-enabled systems to secure the last unprotected area of the network: the personal computer.

Editorial contacts

Michele Turner
Howard Mellet & Associates
(011) 463 4611
Michele@hmcom.co.za
Chris van Niekerk
3Com Corporation
(011) 700 8600
Chris_van_niekerk@3com.com