The conventional firewall sits between the trusted (internal) and the untrusted (Internet) networks, where it filters inbound and outbound traffic to provide safe access to and from the Internet.
But ubiquitous network access from inside and outside companies has necessitated an additional type of firewall: the host-resident firewall. Host-resident firewalls include personal firewalls for remote users, firewall agents for workstations and application-server resident firewalls.
A multitude of host-resident firewalls, when centrally configured and managed, is called a distributed host-resident firewall.
Like conventional firewalls, host-resident firewalls work by restricting traffic through the implementation of access control rules. They also add, in some implementations, host-resident intrusion detection and prevention. Access control rules are used to determine what type of traffic is allowed for which destinations, and when. In the case of personal firewalls, implementing the rules can be as simple as declaring a security level of high, medium or low.
In the case of server-resident firewalls and workstation firewall agents, access is typically much more granular than with personal firewalls. The granularity enables the implementation of specific corporate security policies that are typically defined to the protocol level, and lets network administrators see precisely what rules are being implemented.
Conventional firewalls rely on topology to work. They restrict traffic at a specific point in order to control and examine everything coming in and going out. In an active e-business environment, this can result in a bottleneck. Server-resident firewalls, on the other hand, distribute firewall security across multiple processors, providing virtually unlimited scalability. At the same time, they eliminate the single point of failure presented by the conventional perimeter firewall.
Distributed firewalls provide central policy definition and security monitoring. Policy definition should typically include the ability to push policy to hundreds or thousands of end users’ hosts or application servers and to have the firewall agent work as a background service. Security monitoring typically includes log aggregation and analysis, firewall statistics and fine-grained remote monitoring of individual hosts, if needed.
Server-resident firewalls are a subset of centrally managed, distributed firewalls. They let ASPs, ISPs and companies with large server farms secure their critical servers. Although host-resident firewalls incur some CPU loading, the workload is distributed across members of a server farm, minimizing performance impact – an important feature in an e-business environment. Host-resident firewalls provide security against users with “insider access” and allow host-specific security configurations.
Host-resident firewalls harden infrastructure servers against attacks, compensating for the inherent security weaknesses of all network operating systems.
Information and application servers can be hidden from unwanted user access by silently dropping incoming connection attempts. File, Web, mail and database servers can be run in this stealth mode. If a server can’t be seen, it can’t be attacked.
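The access control rules and central policy described above can be sketched as a small evaluator. This is an added illustration, not code from the article or from any product: the role names, subnets, ports and the `decide` and `audit` functions are all hypothetical. It shows one policy keyed by server role, rules granular to protocol, port, source network and time of day, and a default that drops unmatched traffic without a reply.

```python
# Added illustration: a central policy evaluated per host role (all names hypothetical).
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str                    # "tcp" or "udp"
    dport: int                    # destination port on the protected host
    src: str = "0.0.0.0/0"        # permitted source network
    start: time = time(0, 0)      # rule is active from this time of day...
    end: time = time(23, 59, 59)  # ...until this one (inclusive)

# Central policy: one rule list per server role, pushed to every host in that role.
POLICY = {
    "web":  [Rule("tcp", 443), Rule("tcp", 22, "10.0.9.0/24")],
    "mail": [Rule("tcp", 25), Rule("tcp", 22, "10.0.9.0/24")],
    # The database accepts only the web tier, and backups only in a night window.
    "db":   [Rule("tcp", 5432, "10.0.1.0/24"),
             Rule("tcp", 873, "10.0.9.0/24", time(1, 0), time(3, 0))],
}

def decide(role, proto, src_ip, dport, now):
    """Return 'accept' on the first matching rule, otherwise 'drop'."""
    for r in POLICY.get(role, []):
        if (r.proto == proto and r.dport == dport
                and ip_address(src_ip) in ip_network(r.src)
                and r.start <= now <= r.end):
            return "accept"
    # Default deny: unknown roles and unmatched traffic get the 'drop' verdict.
    # A firewall enforcing it sends no reply at all, which is the stealth mode.
    return "drop"

def audit(role):
    """List the rules a host in this role enforces, for administrator review."""
    return [f"{r.proto}/{r.dport} from {r.src} {r.start:%H:%M}-{r.end:%H:%M}"
            for r in POLICY.get(role, [])]
```

Because the verdict depends on the source network rather than on where the perimeter sits, an internal host outside 10.0.1.0/24 is refused by the database role just as an Internet host is.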
The most common use for host-resident firewalls is to secure Internet servers. Servers thus hardened can be deployed behind a perimeter firewall or in front of it. A company may opt for a second layer of firewalling on Web servers behind the perimeter firewall due to the sensitive nature of the information they contain (credit card numbers, medical histories and the like).
However, in environments where performance is paramount, you may decide to harden Web servers and deploy them as Internet-facing “bastion” hosts. Simple Mail Transfer Protocol, HTTP and FTP servers can be secured in this way. In ASP/ISP environments, entire server farms can be protected without a perimeter firewall.
Conventional firewalls are only involved with traffic at the network perimeter. An important advantage of host-resident firewalls is that they filter internetwork traffic regardless of its origin.
Fogel is president and CEO of Network-1 Security Solutions. He can be reached at fogel@network-1.com.