Standards in Desktop Firewall Policies

If you have ever been involved in managing a host-based firewall solution for your organization then you know what a headache it can be. Possibly the most difficult task is maintaining the desktop firewall policy, so that users are capable of performing their daily work, without the interference that these applications are known to cause.

Security Focus has a great article outlining standards in desktop firewall policies. If you have experience running a program of this nature, or are endeavoring to commence one, then this is a must read.

The idea of a common desktop firewall policy in any size organization is a very good thing. It makes responses to external or internal situations such as virus outbreaks or network-oriented propagation of viruses more predictable. In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can provide the organization's local security team a baseline or starting point in dealing with such events.

The trick to a good desktop firewall policy is to provide a balance between security and the networking requirements of the applications needed by the organization. It’s possible the organization may not yet have a complete knowledge of these requirements. This should make the first attempt to define a standard/global policy interesting, depending on the level of protection one is trying to provide and the situation or environment the desktops may be in.

The article does not talk about the various products available, only about the basic theory behind managing and maintaining a desktop firewall policy. If you are looking towards defense in depth then host-based firewalls might be a good direction to go, which makes this a much more important read than you might have initially thought.

Mac OS X Firewall

The lack of an abundance of security exploits for Mac OS X does not negate the value of running a host-based firewall. Doing so is another precautionary measure in the event that a vulnerability does surface some time in the future. OS X comes with a built-in firewall, much like Windows XP Service Pack 2, that will aid in securing the workstation from malicious attacks.

OS X’s built-in firewall lacks the flash and sizzle of other firewall applications. It has no multi-colored gauges breaking down network traffic by type, and no alerts, beeps, or buzzes to warn of impending danger. But it’s there if you want it, running silently in the background and monitoring incoming traffic for potential danger.

The only “problem” with the OS X firewall is that by default it only pays strict attention to incoming packets. To have the firewall handle outbound connections you must get down and dirty with the command line. In the event that you are infected with malicious code that attempts to make outbound connections originating from your Mac then, by default, you are out of luck.

The use of the built-in firewall to block malicious inbound packets is a good beginning. Hopefully Apple will take the outbound connection issue into consideration and improve upon their already decent offering.