Do we really need a firewall on our desktops?

22 Sep 2010

Jon Honeyball asks whether a client firewall is necessary when you're sat behind a server

Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks.

However, risk assessment is all about identifying and managing risks, while system administration is about choosing trade-offs (and I don’t mean “dodgy shortcuts”). System administrators have to balance the cost and time to make some changes against the expected rewards in money, time or reliability. So here’s my contentious question: should you be running firewalls on your desktop and server machines?

I can sense you backing away already, stuffing your hands in your pockets and mumbling “uh oh, this is too radical”. Yes, it may be radical, but it’s worth doing as a thought experiment: should you be performing IP filtering (for that’s what a firewall does) on machines inside your network?

One group will undoubtedly be saying “there’s no harm in running both client- and server-side firewalls, so why even contemplate the heresy of turning off the built-in Windows firewall?” You would of course be right, except for one thing – it’s actually quite hard to turn off the built-in firewall, and that set me thinking about the way we do layered security inside an organisation. The biggest screw-ups tend to happen when someone makes assumptions that turn out to be false, or a really bad idea. Their logic might have been good and the intention honourable, but not every angle was covered.

I’m reminded of that Windows SQL worm that hit many networks a few years ago under the name of SQL Slammer. What was interesting about it was the havoc it wreaked on certain major banks’ security – you may recall that some Windows-based ATMs crashed at one bank, while at another they discovered the infection had entered via a VPN tunnel from a trusted third-party company. It turned out this VPN tunnel was wide open and allowed access straight into their server room.

I’d rather have security baked right into my network design than scattered willy-nilly around my desktops and servers. For example, there’s much to be said for separating your machine room from your desktop computers with a robust firewall, through which all client/server traffic is routed. You’d then have a boundary router (more likely several) in place to protect the desktops from the outside world, and perhaps even firewalls between various sections of your business’ desktop population. Think of these as layers of an onion, where you can also divide each layer to separate out similar sections into their own managed spaces.

Small number of gatekeepers

If you’re still wondering why I’d suggest this, well, it seems to me that there’s much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.

And before anyone cries, “what about our laptops?”, let me point out that any portable device taken outside the company needs special consideration anyway. What data is held on it? Does that really need to be on it? Is it encrypted? What happens if it’s left on the back seat of the proverbial cab? What happens if you create business-critical data on this laptop; how do you ensure it gets properly replicated back to the office network? And how do you ensure such a device is protected while connected to public IP, perhaps in a coffee shop with dozens of other users on the same subnet?

Of course, such a device needs proper firewall protection, which will be different from the default settings you might have been running in the office. Your laptop needs to be aware that it’s no longer in touch with the mothership, so close the shutters. Windows’ built-in distinction between Home, Work and Public is a start, but you might want to look at third-party software firewalls that are more savvy about the location status of the laptop. And while doing that you might want to disable the Windows Firewall that’s built into Windows 7, Vista and Server 2008.

Disabling this firewall isn’t easy, and if you’re going to do it you need to ensure that a grown-up is holding the scissors. This TechNet article walks you through the steps, starting with this advice: “Because Windows Firewall with Advanced Security plays an important part in helping to protect your computer from security threats, we recommend that you don’t disable it unless you install another firewall from a reputable vendor that provides an equivalent level of protection.” I agree, but I’ll add that you don’t have to install another firewall on this computer – it might be out on the network.

There are basically three ways to disable the firewall: you can issue the netsh command “netsh advfirewall set <profile> state off”, where <profile> is one of AllProfiles, CurrentProfile, DomainProfile, PrivateProfile or PublicProfile; you could use the Windows Firewall Control Panel applet and hit the “Off (not recommended)” button; or you could use the Windows Firewall with Advanced Security MMC snap-in, right-click “Windows Firewall with Advanced Security on Local Computer”, choose Properties, and switch the firewall off on each of the Domain Profile, Private Profile and Public Profile tabs (or you can push the same settings out via Group Policy).
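If you are going to let someone hold the scissors, you want to know afterwards which of the three profiles (Domain, Private, Public, the same ones the location-aware laptop discussion above turns on) actually ended up off. The script below is an added example, not part of the original column and not Microsoft’s own tooling: it parses the output of “netsh advfirewall show allprofiles state” (a real netsh command available on Windows 7, Vista and Server 2008) and warns about any profile whose firewall is disabled. The sample output embedded in it is constructed to match the layout netsh prints, with the Public profile deliberately switched off, so the script runs offline; the commented-out last line shows how to point it at the live machine instead.

```powershell
# Added audit script (not from the article): reports the ON/OFF state of each
# Windows Firewall profile by parsing the text that
#   netsh advfirewall show allprofiles state
# prints, so a deliberate change (or an unexpected one) is visible at a glance.
# Written for the PowerShell 2.0 shipped with Windows 7 / Server 2008 R2.

function ConvertFrom-NetshProfileState {
    param([string[]]$Lines)   # raw netsh output, one element per line

    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        # Section header, e.g. "Domain Profile Settings:"
        if ($line -match '^(?<name>\w+) Profile Settings:') {
            $current = $Matches['name']
            continue
        }
        # State line inside a section, e.g. "State                                 ON"
        if ($current -and $line -match '^State\s+(?<state>ON|OFF)\s*$') {
            $results += New-Object PSObject -Property @{
                Profile = $current
                Enabled = ($Matches['state'] -eq 'ON')
            }
            $current = $null
        }
    }
    return $results
}

function Test-FirewallProfiles {
    param([string[]]$Lines)

    $profiles = ConvertFrom-NetshProfileState -Lines $Lines
    $disabled = @($profiles | Where-Object { -not $_.Enabled })

    foreach ($p in $profiles) {
        $status = if ($p.Enabled) { 'ON' } else { 'OFF' }
        Write-Host ("{0,-8} profile: firewall {1}" -f $p.Profile, $status)
    }
    if ($disabled.Count -gt 0) {
        $names = ($disabled | ForEach-Object { $_.Profile }) -join ', '
        Write-Warning "Windows Firewall is disabled for: $names"
    }
    # $true only when every profile that netsh reported is ON
    return ($disabled.Count -eq 0)
}

# Constructed sample (not captured from a real machine) in the layout netsh uses,
# with the Public profile OFF so the warning path is exercised.
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Ok.
'@ -split "`r?`n"

$allOn = Test-FirewallProfiles -Lines $sample   # prints three lines plus a warning; $allOn is $false

# Live check of this machine instead of the constructed sample:
# $allOn = Test-FirewallProfiles -Lines (netsh advfirewall show allprofiles state)
```

The parser keys on the “<Name> Profile Settings:” header and the first “State” line beneath it rather than on column positions, so it is tolerant of the width padding netsh uses. Returning a boolean rather than only printing lets you wire the check into a logon script or scheduled task and alert when a machine that is supposed to rely on the network-side gatekeepers has quietly lost its own protection as well.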

I don’t recommend you do this, but it’s useful to know that you can should you decide to install some third-party protection scheme. I won’t be doing this on my network, because I prefer to keep the default security in place. Even so, and this is the big issue, I’m a total advocate of the layered-onion approach to security within a company, as far too many businesses operate a wide-open policy between the various parts of their internal network infrastructure, and it’s a real wake-up call when this thinking is shown to be incomplete.