Establishing Digital Trust: Don't Sacrifice Security for Convenience
If you have a business and you have a network, you probably also have a firewall in place to protect it. (If you don't, stop reading this article right now and go get one.)
Of course, a network firewall can only protect those devices that are actually on the network, and if your employees' computers consist of desktop machines then that's not a problem. On the other hand, if some or all of your employees use notebook computers outside your premises, their systems and the data on them are at considerable risk from hacking.
A personal software firewall can help guard against this kind of threat, but that approach has a couple of significant weaknesses. First, a typical software firewall relies on its operator to make security decisions, often uninformed ones, that can lead to incomplete or ineffective security. Moreover, chances are this type of firewall won't recognize and adapt its security settings to new networks as the operator moves from one networked location to another.
The Senforce Portable Firewall Plus 2.5 takes a different approach as it aims to address these shortcomings. For starters, it relieves your mobile employees from any responsibility (or control) over the firewall, and allows you (or an administrator-to-be-named-later) to create in advance different firewall policies for the various network scenarios your employees could encounter. Therefore, an employee can travel from, say, work to the local coffee establishment to home and anywhere in between, and the firewall installed on the machine will automatically adapt to an appropriate configuration each time the person's location changes. (For example, turning off Windows file sharing when on a public network typically found at a wireless hot spot.)
Installing SPF+ on a client machine is a straightforward affair. Once installed, it can't be uninstalled or even temporarily disabled by anyone other than the administrator, which prevents an employee from trying to circumvent it for convenience. Out of the box, SPF+ defines three standard locations: Home, Work and Alternate. With a couple of clicks, the administrator can tell SPF+ which network is which, and there's also an Unknown category for any network that doesn't fall into one of these three locations. A tray icon indicates what network you're currently using.
The default security policy included with SPF+ provides some basic protection, but the real strength is in using the included (but separate) SPF+ Policy Editor to create a customized and comprehensive firewall policy of your own. Although you can choose to install SPF+ Policy Editor directly on the machine you wish to create a policy for, it's best to do so elsewhere and then transfer the policy created to one or more computers. This is not only more convenient (especially if configuring policy for more than a handful of machines), it also improves security by eliminating the chance that the policy will be modified locally, since you can't do so without the Policy Editor software.
One rather significant caveat: We initially ran into considerable trouble getting the Policy Editor application to run properly. An unknown malfunction prevented us from creating a new policy on the first two machines we installed Policy Editor on, and uninstalling and re-installing the software didn't help. Not even Senforce's technical support team could figure out the problem. We were finally able to get the Policy Editor working when we installed it on a third computer.
When it works, the Policy Editor is a powerful, flexible tool for configuring the kind of access you want for your portable computers. The first step involves defining several network environments by specifying one or more identifying characteristics (like IP address ranges or servers) for each. Then, by associating a network environment to a particular location like Home or Work, the firewall identifies the network it's connected to and adjusts its security settings accordingly.
Testing, Testing: If you can get the Policy Editor to work on your PC, you'll be able to create custom policies that will protect your notebook as you move it from one network to another.
The SPF+ Policy Editor includes a large number of already-defined rules relating to different types of common network traffic like e-mail, Web browsing, and Windows file sharing.
It also offers pre-configured entries that let you prohibit the use of common applications including instant messaging and peer-to-peer file sharing software. Creating additional rules for custom network traffic or programs is a straightforward task.
In addition to straightforward rules governing network and application usage, you can use the Policy Editor to define more advanced conditional rules like preventing the use of removable media when outside the office or preventing the system from connecting to unauthorized wireless access points. You can also do things like have the firewall check for the existence of anti-virus software and/or a recent set of virus definitions before allowing network access. (In the latter case, the employee will retain enough access to go online and update their definitions.)
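The location matching and the conditional anti-virus rule described above can be sketched as follows. This is an added illustration, not Senforce code or the policy.sen format; the subnets, gateway MAC addresses (standing in for an identifying server), rule names and the seven-day definition threshold are all constructed assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Constructed network environments: identifying characteristics -> location.
ENVIRONMENTS = [
    {"location": "Work", "subnet": "10.20.0.0/16", "gateway_mac": "00:11:22:33:44:55"},
    {"location": "Home", "subnet": "192.168.1.0/24", "gateway_mac": "aa:bb:cc:dd:ee:ff"},
]

# Constructed per-location rules; Unknown gets the most restrictive set.
POLICIES = {
    "Work":    {"file_sharing": True,  "removable_media": True,  "p2p": False},
    "Home":    {"file_sharing": True,  "removable_media": False, "p2p": False},
    "Unknown": {"file_sharing": False, "removable_media": False, "p2p": False},
}
MAX_DEFINITION_AGE = timedelta(days=7)  # assumed freshness threshold


def classify(ip, gateway_mac):
    """Return the location whose environment matches ALL characteristics."""
    addr = ipaddress.ip_address(ip)
    for env in ENVIRONMENTS:
        in_subnet = addr in ipaddress.ip_network(env["subnet"])
        # Private ranges repeat across networks, so the subnet alone is not enough.
        if in_subnet and gateway_mac.lower() == env["gateway_mac"]:
            return env["location"]
    return "Unknown"  # fail closed: unmatched networks get the strictest policy


def effective_policy(ip, gateway_mac, av_installed, definitions_date, today):
    """Combine the location policy with the anti-virus precondition."""
    location = classify(ip, gateway_mac)
    policy = dict(POLICIES[location], location=location, network_access="full")
    stale = definitions_date is None or today - definitions_date > MAX_DEFINITION_AGE
    if not av_installed or stale:
        # Leave only enough access to fetch new definitions.
        policy["network_access"] = "update-servers-only"
    return policy


if __name__ == "__main__":
    today = date(2005, 2, 1)
    # A hot spot reusing the home address range must not be treated as Home.
    print(effective_policy("192.168.1.50", "de:ad:be:ef:00:01", True, today, today))
    print(effective_policy("10.20.5.9", "00:11:22:33:44:55", True, date(2005, 1, 1), today))
```

Requiring every characteristic to match, and falling back to Unknown otherwise, is what keeps a hot spot that happens to use the same private address range from inheriting the Home rules.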
Some Assembly Required
But although potent, the SPF+ Policy Editor isn't entirely intuitive to use. The process of associating numerous rules to various network environments and locations takes time to master. It can be easy to miss a step that could cause an intended rule to not take effect. Also, you'll need a reasonable level of networking expertise to use the Policy Editor effectively, so if you're not an IT person or don't have one, you may need to call in some outside help. Senforce provides decent documentation and says that a forthcoming version 3.0 update expected in March will (among other enhancements) provide a wizard-like interface for policy creation that should simplify the process. The good news is that once you create a policy, it takes the form of a single small file, which can be easily copied on to the computer where it will automatically take effect. This lets you make on-the-fly client policy changes simply by copying over an older policy file.
Another caveat: while the SPF+ Policy Editor lets an administrator create and store as many different policies as desired, any policy is automatically exported to a file with a filename of policy.sen, which can't be changed. This inability to give policy files descriptive names could cause confusion if you plan to have more than one policy deployed at a time.
Available as an unrestricted 30-day trial download, Senforce SPF+ requires Windows 2000 or XP and Internet 5.0 or later. A single-user version costs $39.99, and volume purchases for five to 50 people reduce that cost by between two and five dollars per seat.
There's no question that protecting your mobile computers and their data with Senforce Portable Firewall Plus will, at least initially, require more time and effort than slapping an ordinary software firewall on those same systems. Then again, once properly configured the Senforce Portable Firewall Plus will provide better protection for those systems that regularly go beyond your reach. If you have mobile employees to protect and access to IT help of some kind, SPF+ should provide them with the flexibility they want without compromising the security you need.
Pros: Allows an administrator to create an adaptive mobile firewall that users can't circumvent
Cons: Policy Editor may not work on some computers; creating policy isn't easy for non-IT people
Joe Moran spent six years as an editor and analyst with Ziff-Davis Publishing and several more as a freelance product reviewer. He's also worked in technology public relations and as a corporate IT manager, and he's currently principal of Neighborhood Techs, a technology service firm in St. Petersburg, FL. He holds several industry certifications, including Microsoft Certified Systems Engineer (MCSE) and Cisco Certified Network Associate (CCNA).