S 5.91 Use of personal firewalls for clients
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Personal firewalls control, and where necessary block, access to a client from the IT networks it is connected to, as well as access from the client to these networks. Depending on the type of network service and the direction in which the connection is established, the personal firewall of the client may permit or reject the communication. For example, a personal firewall may be configured in such a way that all connections established from the client are permitted and all requests coming from the outside are blocked.
Personal firewalls may work according to different principles:
- Stateless personal firewalls decide whether the connection is permitted or rejected based on features such as source and destination addresses or ports of the data packets transmitted during communication. The sender and/or destination address and the port number of the service are mainly used for this. Stateless personal firewalls may often be bypassed using prepared packets.
- Stateful personal firewalls also take previous packets into account when making their decision. For example, a context-sensitive (stateful) personal firewall places the packet to be checked in the context of a connection and only permits the packet if the connection itself is admissible. Packets not matching any connection context are rejected.
- Application firewalls may check the network traffic on the basis of the application that wants to establish a connection. For this, the application firewall has a white list containing the applications authorised to communicate. Applications not contained in the white list are not allowed to establish or receive any connections using the network.
Many operating systems are already equipped with a personal firewall. The firewall often only requires activation, and the range of features available varies with the operating system. Additionally, various third party manufacturers offer security solutions ("security suites") containing a personal firewall, amongst other things. The personal firewalls integrated into the operating system are often less comprehensive and less convenient than those in the security suites. On the other hand, these integrated solutions can be activated immediately and no additional purchasing costs are incurred. If a personal firewall is to be used, it must be decided whether the integrated personal firewall or a solution offered by a third party manufacturer is to be used; operating both variants at the same time is to be avoided.
Application environments
Using personal firewalls as the only safeguard for protecting a government agency's and/or company's network against attacks from the internet is insufficient. Using personal firewalls as the only safeguard has the following disadvantages:
- All clients directly connected to the internet must be hardened specifically, i.e. the potential vulnerabilities of the operating system must be eliminated, because the client is not protected by other IT systems such as security gateways.
- As with any software used in a decentralised manner, managing and analysing the log files of the personal firewalls is time-consuming.
It should be checked on which clients and under which general conditions a personal firewall is to be used. Since clients in a LAN are protected by a security gateway, personal firewalls on these clients can as a rule be dispensed with. The use of personal firewalls should be checked in the event of higher protection requirements.
Mobile IT systems such as laptops must be protected against attacks from the internet by a restrictively configured personal firewall if they are connected directly to the internet.
Likewise, personal firewalls should be installed on internet PCs, i.e. on computers exclusively provided for using the internet and without any connection to the government agency's and/or company's network.
However, due to the manifold scope of functions of the different variants of personal firewalls and their complexity, competent administration must be ensured in doing so; the users should not be allowed to configure the firewall themselves or to make any changes to its settings.
Personal firewalls as a part of a security suite
By now, personal firewalls are offered by numerous manufacturers. Their use is sometimes even free for private users. However, licences must normally be acquired in commercial or official environments. Personal firewalls are often tested in specialist magazines. The results of these tests may be helpful when selecting a product suitable for the purpose at hand.
In order to complement a central security gateway (firewall), using personal firewalls as part of the security suite may make perfect sense. In principle, it is possible to use comprehensive security suites of third party manufacturers containing a personal firewall in order to perform the inspections for malware that may be transferred via email, Java, ActiveX, or similar mechanisms on the clients. For this, mechanisms such as sandboxing can be used to restrict the access of applications transferred from the internet to the local system (Java, ActiveX, etc.). These, often comprehensive, security suites are used to decentralise the task of checking for malware, relieving the firewall system. Another advantage is that the problem of filtering encrypted data on the firewall can be avoided.
Configuration
The following aspects should be taken into consideration when configuring and operating a personal firewall:
- The filter rules should be set as restrictively as possible. Here, the following principle applies: Everything not expressly permitted is forbidden. It is recommended to allow the establishment of outgoing connections only for applications and services approved for this. Based on the IP address of the destination system, the port number of the required service, and the accessing application and/or service, the following accesses established by the client may be restricted and/or permitted:
- access to file and print servers
- access to the internet for the browser using the security gateway
- access to the email and calendar servers for the email and calendar application
- access to update servers in the local network in order to update operating systems, applications, and particularly the anti-virus program
- communication to the central logging service for all services and applications logging messages, if there is one.
Incoming connections should be restricted to the services required and server systems used for remote maintenance, software distribution, system update, and monitoring.
- Upon initial configuration, the filter rules of the personal firewall should be tested as to whether the allowed events are permitted and forbidden events are prevented.
- The proper configuration of the filter rules should be checked sporadically, unless the installation of the client is deleted regularly and re-installed based on a hard disk image, e.g. for internet PCs.
- If the product used provides for this option, the rules of the personal firewall should also be bound to specific programs. This way it can be detected or prevented that a client program other than the intended one establishes or accepts connections to computers on the internet.
- Since many of the test mechanisms of a personal firewall are based on current findings, patches and/or updates released by the manufacturer must be installed regularly. In doing so, it must be ensured that the files required for this are obtained from a trustworthy source, for example directly from the manufacturer.
- The personal firewall must be configured in such a way that the users are not pestered by numerous warnings they are not able to interpret.
- If the product used provides this option, security-relevant events should be logged. The logged data should be evaluated regularly by competent personnel. The information in S 2.110 Data protection guidelines for logging procedures must be taken into consideration.
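The following is an added example, not part of the BSI safeguard text or of any product: a small Python model of a stateful, application-aware personal firewall that implements the configuration rules above (default deny, outgoing connections only for approved programs to the file, gateway, mail, update and logging servers, incoming connections only from the remote-maintenance server) and the stateless/stateful distinction from the beginning of this safeguard. All IP addresses, ports and program names (10.0.0.x servers, "browser", "mailclient" and so on) are assumed for illustration; the run_checks function corresponds to the recommended initial test of the filter rules, and summarize_log to the regular evaluation of logged events.

```python
# Added example (not from the BSI safeguard text): a model of a stateful,
# application-aware personal firewall with a default-deny rule set.
# All addresses, ports and program names below are assumed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str             # "out": client -> network, "in": network -> client
    proto: str                 # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    initial: bool              # True for a connection request (TCP SYN / first UDP datagram)
    app: Optional[str] = None  # local program sending, or listening on local_port


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    remote_ip: Optional[str] = None    # None matches any remote address
    remote_port: Optional[int] = None  # None matches any remote port
    local_port: Optional[int] = None   # None matches any local port
    app: Optional[str] = None          # None matches any application
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.remote_ip in (None, p.remote_ip)
                and self.remote_port in (None, p.remote_port)
                and self.local_port in (None, p.local_port)
                and self.app in (None, p.app))


# Rule set following "everything not expressly permitted is forbidden":
# outgoing only for approved programs to the servers they need,
# incoming only from the (assumed) remote-maintenance server.
RULES = [
    Rule("out", "tcp", "10.0.0.10", 445, app="fileshare-client", comment="file and print server"),
    Rule("out", "tcp", "10.0.0.1", 3128, app="browser", comment="internet only via the security gateway"),
    Rule("out", "tcp", "10.0.0.20", 993, app="mailclient", comment="email and calendar server"),
    Rule("out", "tcp", "10.0.0.30", 443, app="updater", comment="update server (OS, apps, anti-virus)"),
    Rule("out", "udp", "10.0.0.40", 514, comment="central logging service, any application"),
    Rule("in", "tcp", "10.0.0.50", local_port=22, app="remote-maint-agent", comment="remote maintenance"),
]


class PersonalFirewall:
    """Stateful filter: the first matching rule permits a new connection, later packets
    are accepted only if they belong to a tracked connection, all else is dropped and logged."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()  # keys of connections already permitted
        self.log = []             # denied events, kept for regular evaluation

    @staticmethod
    def key(p: Packet):
        return (p.proto, p.local_port, p.remote_ip, p.remote_port)

    def filter(self, p: Packet) -> str:
        if self.key(p) in self.connections:
            return "ACCEPT"  # belongs to a connection that was permitted earlier
        if not p.initial:
            return self.deny(p, "no connection context")
        for r in self.rules:
            if r.matches(p):
                self.connections.add(self.key(p))
                return "ACCEPT"
        return self.deny(p, "no matching rule")

    def deny(self, p: Packet, reason: str) -> str:
        self.log.append(f"DROP {p.direction} {p.proto} app={p.app} "
                        f"remote={p.remote_ip}:{p.remote_port} local={p.local_port} reason={reason}")
        return "DROP"


def stateless_filter(rules, p: Packet) -> str:
    """Stateless comparison: without connection tracking, inbound packets that merely look
    like replies have to be let through on address/port information alone."""
    if p.direction == "in" and not p.initial:
        return "ACCEPT"
    return "ACCEPT" if any(r.matches(p) for r in rules) else "DROP"


def run_checks(fw: PersonalFirewall):
    # Initial test of the rule set: permitted events pass, forbidden events are blocked.
    return {
        "browser via gateway": fw.filter(Packet("out", "tcp", 50001, "10.0.0.1", 3128, True, "browser")),
        "reply from gateway": fw.filter(Packet("in", "tcp", 50001, "10.0.0.1", 3128, False, "browser")),
        "browser direct to internet": fw.filter(Packet("out", "tcp", 50002, "203.0.113.5", 443, True, "browser")),
        "unknown program to mail": fw.filter(Packet("out", "tcp", 50003, "10.0.0.20", 993, True, "unknown")),
        "maintenance server to ssh": fw.filter(Packet("in", "tcp", 22, "10.0.0.50", 40000, True, "remote-maint-agent")),
        "unsolicited inbound": fw.filter(Packet("in", "tcp", 22, "203.0.113.9", 40001, True, "remote-maint-agent")),
        "crafted reply-looking packet": fw.filter(Packet("in", "tcp", 22, "203.0.113.9", 40002, False, "remote-maint-agent")),
    }


def summarize_log(fw: PersonalFirewall) -> Counter:
    # Evaluation of the logged denials by reason, as a starting point for the regular review.
    return Counter(line.rsplit("reason=", 1)[1] for line in fw.log)


if __name__ == "__main__":
    fw = PersonalFirewall(RULES)
    for name, verdict in run_checks(fw).items():
        print(f"{verdict:6} {name}")
    print(summarize_log(fw))
```

The model keeps a connection table so that the reply from the gateway is accepted only because the browser's outgoing request was permitted first; the same packet arriving without that context is dropped and logged, whereas stateless_filter would let it through. Binding each rule to an application is what blocks the "unknown program to mail" case even though address and port are otherwise permitted.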
Some products provide the option of starting out with a very restrictive basic configuration and subsequently refining the settings during live operations. In this case, every time a security-relevant event occurs for which there is no unambiguous rule yet, the user is prompted to decide whether the event is admissible. An installed program accessing the internet for the first time is one example of such a security-relevant event. Based on the user's answers, the personal firewall incrementally builds up the desired configuration, e.g. the filter rules.
The advantage of this incremental configuration is that the complexity of administration can be reduced. However, the fact that the users are normally not able to assess offhand whether or not a certain event is admissible constitutes a disadvantage. Therefore, the incremental configuration of the personal firewall may only be recommended if the users are provided with precise specifications as to how they are to answer the program's queries or if this is performed under the supervision of an administrator, e.g. via phone queries.
Review questions:
- Is there a concept regarding the use of personal firewalls?
- Have the filter rules of the personal firewall been configured as restrictively as possible?
- Is the proper configuration of the personal firewall's filter rules checked regularly?
- Are patches and/or updates released by the manufacturer for eliminating security-relevant vulnerabilities of the personal firewall installed?
- Has the personal firewall been configured in such a way that the users are not pestered by warnings they are not able to interpret?