Are Desktop Firewalls Overkill?

Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"

stating the obvious...

[digitalderbs]

why not both?

I guess he's not heard of defense-in-depth then...

[Zocalo]

I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?

Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...

Re:stating the obvious...

[somersault]

Seconded. This was going to be my exact comment.

It's like saying "We don't need seatbelts anymore - we have airbags!"

Desktop firewalls are necessary

[teridon]

Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P

Defense in Depth

[rotide]

Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.

Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.

"Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."

Frankly, it sounds like he just wants to write an article with an absurd title to get clicks, nothing of value to see here

Re:Hardly Overkill

[drinkypoo]

Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body.

That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?

The desktop firewall is completely necessary. It is, however, also inadequate.

Re:Flash drives, tarballs, &c.

[pushing-robot]

It doesn't. And that's why enterprise computers are so good at spreading worms; as soon as one PC behind the firewall gets infected they all fall.

Seems like a rather silly article, as most medium-large business I've encountered already shut off desktop firewalls since the hassle of managing a firewall on every machine often outweighs the risks.

Re:stating the obvious...

[socsoc]

No kidding, desktop firewalls protect against threats on your internal network. They aren't a replacement, but a complement to your border protection.

Re:stating the obvious...

[rs1n]

It's system resources that could be better put to use, however little (that gets used by the desktop firewall) this may be. My personal reason for not really caring for Windows' built-in firewall setup is that there is almost no configuration beyond clicking a button that says "turn on" or "turn off" the feature and a list in which you can add program exceptions. The problem with a completely configurable firewall is that most users don't know what the hell they have to do to set up good rules. On the other hand, having merely a button that says "turn on the firewall" just doesn't cut it either because you have absolutely no control over what is being blocked. Where's the happy medium?

Re:stating the obvious...

[sdnoob]

Because the typical computer USER doesn't know squat about network or system security.

Defense in depth

[TopSpin]

The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.

This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.

Funny you should mention that...

[denzacar]

I was given that very advice recently while strapping on the seat-belt.
From a nurse, no less.

And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just couple of minutes down the road."...

Re:Machine firewalls == symptom of bad design

[Zero__Kelvin]

"A machine firewall does what...it protects the computer from the listening ports that the OS allowed ITSELF to open."

Sure it does that, but it does a lot more. For example, I might want to allow ssh access from one, a few, or all systems on my internal LAN, but block them from the other side of the DMZ. Just how do you propose to do that without a firewall local to the machine.

"And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning."

Right. A secure building is already secure. What the hell do I need locks for? I guess I'll remove them.

Re:stating the obvious...

[The Clockwork Troll]

Yes, this is why I lock the doors on my automobile but I leave the ignition key on the dashboard, and leave the glove compartment open and unlocked!

Finally someone who sees things as I do!

Also, first car analogy.

Re:Desktop firewalls are necessary

[0123456]

And then the virus disables the desktop firewall so it can spread. What's your point?

How is a virus on someone else's machine going to disable the firewall on my machine?

Re:stating the obvious...

[Anonymous Coward]

The enemy within. If your network is large enough you will have holes whether you like it or not. You will have a vendor who needs a vpn connection to debug something; you will have a customer for whom the only way to provide remote service is to have them vpn through *your* firewall in a phone-home scenario. If those outside the firewall systems are compromised then those desktop filters may not be so redundant.

Re:stating the obvious...

[KarrdeSW]

There is often-times a lot of overlap, so that the desktop filters are made redundant.

This is only true if your company never has anybody bring in a USB Flash Drive which could have potentially been infected on their home computer or on another company's system.

Re:Funny you should mention that...

[Anonymous Coward]

Those aren't too bad.

What scares the daylight out of me is when people say "I can drive, you know."

Because they are always the ones who can't.

Part of the problem with PC security....

[QuietLagoon]

... is that people, like this Jon Honeyball guy, who do not have a clue about computer security, are telling people how computer security should be done.

.
As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.

Maybe the next thing than Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.

Re:Defense in depth

[hodet]

While I agree this is pretty straightforward there are no stupid questions. Anyone that instills that atmosphere in our meetings is equally a liability. This was a "dumb" question that has been well answered by many posts, including the first part of your answer.

Re:stating the obvious...

[postbigbang]

There is no such thing as a secure perimeter, especially when the majority of attacks come with in "secure perimeters". Jon Honeyball is an idiot, and PC Pro just dropped another notch. His heavily caveated article doesn't have the common sense that God gave to a goose.

Each and every device that's connected in a network is potentially infected, rogue, and looking for others to maim. Every machine needs to be evaluated separately for its risk profile, as he mentions-- but you simply can't remove device security in the belief that other firewalls or services will do the unerring job of controlling the safety of a network. Run, don't walk, away from the concept of secure perimeters.

How about an application level firewall...

[CajunArson]

I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded" While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.

Re:Funny you should mention that...

[IndustrialComplex]

Indeed. I actually have a high standard of driving, but I also prefer my passengers to wear their seatbelts ;)

No matter how well someone drives, it only takes some other idiot who can't drive to cause an accident. If you are observant then hopefully you can reduce the risk of any accident actually being serious, but still, the risk is always there. This is why I don't have a motorbike.

Seatbelts also serve a secondary purpose to preventing injury. They keep you in a position to still operate the vehicle.

Accident occurs no seatbelt: The driver will probably be thrown from the seat, or jarred from the proper driving position. As a result, the vehicle is out of control from the moment that the driver lost contact with the wheel. This could increase the number of vehicles involved in the accident, injure others, or further damage the driver's vehicle if a secondary impact occurs.

Prior to accident no seatbelt: In attempting to avoid an accident, the driver could be forced from their seat during a swerve, as a result, they may not be able to avoid the accident at best, at worst they could exacerbate the accident as they are now out of control of their vehicle.

Outgoing firewall: Yes. Incoming firewall: why?

[kc8jhs]

The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?

An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.

Re:stating the obvious...

[meloneg]

Well, most corporate networks are a lot more like those garages at some apartments. I have my own garage door. I can lock it. But, there is no wall between my car and my neighbors car.

If I can absolutely trust everyone of my neighbors (current and future and maybe past, if they kept a key), I don't need to lock my car.

Stupid...

[Bert64]

Many networks are exactly as the article describes, no firewalls on desktops or individual servers and instead relying entirely on the border firewall connecting the company lan to the internet...
What this means however, is that a single rogue employee, rogue wireless access point, mobile device or laptop, or an exploit which penetrates the border firewalls (browser based, email based etc) results in a catastrophic breach as it becomes trivial to compromise everything once you get behind the main firewalls.

Now don't get me wrong, desktop firewalls are a nasty crutch too - desktop machines should _NEVER_ be offering services to the network, especially by default, and therefore shouldn't need a firewall to block access to these services... The fact that windows comes with several services listening by default on a workstation configuration (msrpc, smb, etc) is just stupid, the fact these services are a pain to disable even more so, and the fact people would rather hide these services behind a firewall instead of turning them off is just laughable - if noone needs to access them they shouldn't be running at all, not hiding behind a firewall.

Ideally your network should have a secure and well monitored gateway to the internet, as well as a secure and well monitored gateway between servers and workstations (and if possible treat the workstations as totally untrusted and make them use a vpn)...
The workstations themselves should expose no services to the network, or at most expose a single admin service which can only be reached from a predefined management network.

The firewalls should be for logging rather than filtering, on the basis that if a service doesnt need to be accessed it shouldnt be listening, not relying on a firewall to block it.

Servers should only expose their intended services to the client lan, admin services should be separated from client services.

Re:stating the obvious...

[Anonymous Coward]

Ohh, ok. So when one of your machines gets taken over, and starts attacking other machines on your network, behind the network firewall, the server solution protects your other machines from the exploited one exactly how? Yeah, thought so.

Re:Flash drives, tarballs, &c.

[Dayze!Confused]

As was stated earlier, those ports should just be closed to begin with. The only thing it really does is prevent outgoing traffic. As long as the ports are not open there is nothing on the outside that can open the ports. The way things would get infected would be by traveling through a port that is already open on all systems, thus a firewall is useless because that port already allows traffic and there would be a corresponding rule in the firewall to allow this traffic. Unless you are doing packet inspections for viral traffic it's not going to prevent it.

Warning klaxons sounding:

[zooblethorpe]

The only people that pay attention to that rag is PHB's or really really dumb executives.

... and that's precisely why it's dangerous.

You and I might know enough to find TFA's assertions ridiculous, possibly even amusing in how wrong they are. But you and I don't control corporate policy (assuming that the reader of this is not a PHB). Any media spouting non-news raises the risk that someone will take that non-news for reality and begin making decisions based on that view. Even obvious parody like the Onion has caused its share of kerfuffling among the confused and less-informed, and let's not forget War of the Worlds. The danger is even greater with media like PC Pro that has at least some semblance of being real news (including in this category the opinion statements of apparent experts, as Honeyball here is presented by PC Pro).

Cheers,

Bad idea

[GWBasic]

This is a bad idea for two reasons:

1. Notebooks need protection in public networks like coffee shops and airplanes.
2. Someone can still bring a virus onto a network through a download, USB key, or a rouge device.

(Now, I didn't read TFA.) It's important that devices on a network have some form of resiliency. A firewall will certainly prevent DDOSes and can help prevent malicious behavior from entering a network, but there's so many ways to get around a firewall that it just can't be the only solution. For example, "anti-virus" on a firewall might block sites known to spread viruses, but it still won't prevent someone from downloading a random zip file with a virus.

Re:Hardly Overkill

[geminidomino]

...The firewall on the machine is an effective part of an overall strategy...The desktop firewall is completely necessary. It is, however, also inadequate.

That was my entire point. That's why I said "inadequate" and not "useless".

It drives me nuts that Microsoft will put a goddamn HTML rendering engine in the kernel, but apparently decent packet filtering is better left to the likes of *hock-ptooey* ZoneAlarm et al.