There is a wide variety of pros and cons to desktop firewalls. The main problem is that a normal user has no idea which tools should get access to the internet and which should not.
Check Point offers quite a mighty piece of software to solve this problem, named ‘Integrity’, originating from the ZoneAlarm desktop firewall that Check Point bought some time ago.
Along with that client comes the Integrity server, and within it lies the biggest part of the system’s power.
This server is responsible for the management, creation and deployment of the policies enforced on the desktop clients. These policies can enforce restrictions on OSI Layer 4, based on IP addresses and ports; nothing new. But in addition, there’s the option to restrict the software on the clients on a per-application basis.
Based on a checksum, a file name or whatever, only ‘good’ programs are allowed to access the internet, or even allowed to run. For example, if there’s a file sharing client active, Integrity Client can close it, prevent its access to the internet, or isolate the whole client from the company’s network. It can also keep an eye on the Windows hotfixes, or make decisions based on the kind and freshness of the antivirus solution.
But all this is a lot for an administrator to handle, and therefore Integrity provides ways to help with the software management. First, every client reports to the server which programs are trying to connect somewhere, so the administrator can see what kind of software is hanging around in the network and decide what to restrict. A second nice feature is the option to set up reference clients. All the software on these clients is regarded as ‘good’, and can be used on other systems with the same restrictions as on that reference machine. So the administrator only has to keep one machine up to date.
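The reference-client idea and the checksum-versus-file-name distinction described above, sketched as an added example (this is not Integrity's code or policy format). The function names, the verdict strings and the choice of SHA-256 as the checksum are assumptions, and the files are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Checksum of a file (SHA-256 is an assumption; the post only says 'checksum')."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_reference_policy(reference_root):
    """Treat every program found on the reference machine as 'good'."""
    policy = {"by_hash": {}, "names": set()}
    for exe in sorted(reference_root.rglob("*.exe")):
        policy["by_hash"][sha256_of(exe)] = exe.name
        policy["names"].add(exe.name.lower())
    return policy


def evaluate(program, policy):
    """Verdict for one program on a client, checksum first, file name second."""
    if sha256_of(program) in policy["by_hash"]:
        return "allow"           # same content as on the reference, whatever its name
    if program.name.lower() in policy["names"]:
        return "block-modified"  # trusted name, different content: name alone proves nothing
    return "block-unknown"       # never seen on the reference machine


def demo():
    """Constructed files standing in for a reference machine and one client."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, client = Path(tmp, "reference"), Path(tmp, "client")
        downloads = client / "downloads"
        for d in (ref, client, downloads):
            d.mkdir()
        (ref / "browser.exe").write_bytes(b"constructed browser build 1.0")
        (client / "browser.exe").write_bytes(b"constructed browser build 1.0")
        (client / "renamed.exe").write_bytes(b"constructed browser build 1.0")
        (client / "p2p.exe").write_bytes(b"constructed file sharing client")
        (downloads / "browser.exe").write_bytes(b"constructed impostor")  # same name only
        policy = build_reference_policy(ref)
        return {p.relative_to(client).as_posix(): evaluate(p, policy)
                for p in sorted(client.rglob("*.exe"))}


if __name__ == "__main__":
    print(demo())
```

A policy that matched on file name alone would have allowed `downloads/browser.exe`; matching on the checksum is what separates it from the real program.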
In times when notebooks and PDAs are getting more and more common, and employees are often working with their machines in different, sometimes untrusted networks, this is a good way to not only keep an eye on the interface to the outside world, but also deal with the traffic inside a network.

There are a lot more interesting features in the Integrity bundle, so if you’re interested you’re welcome to leave a short comment; maybe I’ll do a part 2, or even a more thorough how-to.