The real firewall strategy

Microsoft's latest strategy for security advises "use an Internet firewall." The company then suggests using a "hardware" or "software" firewall. So, which one of the two should you choose?

The answer is both, and here's why:

Hardware firewalls are your first line of defense. Most of the latest worms blast out billions of packets and clog up networks. A software firewall, which sits on your PC, will stop your PC from getting infected, but it won't keep this traffic off your network. However, a hardware firewall, which is installed at the perimeter, will. Plus, if you have lots of PCs and various excuses for not keeping some of them patched, a hardware firewall will help to prevent worms from reaching these vulnerable PCs. Hardware firewalls also protect against many other threats and typically perform Network Address Translation, which is also very useful.

Unfortunately, you also need a software firewall installed on each PC because worms are going to get past the perimeter firewall, and once they do, only firewall software (and of course, patched PCs) will save you.

Part of the problem is that worms these days have multiple attack vectors. They attack you via open TCP/IP ports, and they also spread via e-mail and web pages. Although the more expensive firewalls can inspect SMTP/IMAP protocols and strip out any Java or ActiveX they find, some spread without scripts by tricking users into installing them.

The other part of the problem

    Requires Free Membership to View

    Login

is that odds are many of your users are mobile. If your sales staff or executives take their laptop to an infested customer's office and plug into the infected network, as soon as they return home, every vulnerable PC on your network will get infected and your perimeter firewall can't help because the worm is already inside.

Therfore, Microsoft's strategy should really be:

  1. Use a hardware firewall at the perimeter and KEEP IT PATCHED
  2. Use a software firewall on each PC and UPDATE IT REGULARLY
  3. Patch your Windows PCs quickly
  4. Use anti-virus software on your e-mail server and each PC and update it regularly.

Thomas Alexander Lancaster IV is a consultant and author with more than 10 years experience in the networking industry, focused on Internet infrastructure.


This was first published in November 2003

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top