The hardware firewall that stands between the enterprise and the savaging hordes on the Internet fulfills an obvious need. But companies also need internal firewalls, both to protect against the accidentally introduced virus or worm and against the depredations of rogue, disgruntled, or just plain crooked employees.
Although it's possible - and in some cases desirable - to install hardware firewalls between parts of a large enterprise, placing personal-firewall software on employee workstations is a great alternative solution that's easy to implement. Microsoft Corp. includes a very limited personal firewall with Windows XP, and a free version of Zone Alarm is available for download from the Zone Labs Inc. Web site. Symantec Corp. and McAfee also make a variety of desktop firewall products.
But those personal firewall products lack any form of management. Left to their own devices, your employees may be able to install some level of protection, but that leaves administrators with no means of making sure workstations are actually protected and no way of ensuring that the company's personal-firewall policies are enforced.
Enter Integrity. Zone Labs has combined the solid personal firewall you get with Zone Alarm with centralized management that lets administrators control most aspects of how the client firewall works, down to a surprisingly granular level.
In its simplest form, Integrity 2.0 consists of a server, which can also be the management console, and a client, which must reside on a separate computer. Both the client and server machines must run Windows. Two versions of the client are available. Integrity Flex closely resembles Zone Alarm Pro and provides firewall operation when the computer is away from the corporate network. Integrity Agent, a much less robust client, can be completely invisible to the user on the client computer.
In addition to client computers and the Integrity server, you will need a SQL database server, such as Oracle 8.1 or Microsoft SQL Server 2000, available on your network. Although you can install the database on the same platform as the Integrity server, Zone Labs claims you'll enjoy better performance if you put it on a separate machine. Integrity 2.0 also works with Cisco VPN 3000 concentrators to enforce security policies on remote clients.
Installing the Integrity server and clients entails simply popping the CD into the drive and making the appropriate install choices. We did not experience any problems along the way, although installing the server requires some basic knowledge about your network, such as where to find the database server. You will also need to decide which client, the Agent or Integrity Flex, each user is going to get.
Once Integrity is installed, you'll need to proceed through a series of steps to define users and groups. You'll need this information later when you set policies. From there, you can decide which programs on client computers have Internet access (Integrity provides a scanning feature that handles most of this). Next, you'll need to visit the Policy Studio to set up global, group, and user policies. You can get as granular as you're likely to want, including being able to block specific Web sites or to prevent specific programs from accessing the Internet.
The management console runs on a browser, so you don't need to work from the server itself (although you can if you wish). You control major functions by clicking on the left side of the screen to reveal a detailed menu on the right side. The screens controlling each feature are well designed and easy to follow, but because of Integrity's flexibility you will find you have a lot of choices to sort through.
Once running, Integrity provides plenty of feedback. You can examine the operations of the enterprise as a whole, with charts and graphical reports; look at groups; and even monitor the operations of a single client computer. If you have an urgent need to make a policy change, for example to combat the potential arrival of a new worm, you can push policy changes to the clients in the enterprise.
We were impressed by Integrity 2.0, but it wasn't all a bed of roses. The most significant issue is that Integrity only supports Windows. If you have a heterogeneous enterprise, you'll have to find something else to handle the personal-firewall needs of your Linux, Macintosh, and Unix computers, which will add more complexity than you may want.
We also found that the Integrity client slows down the process of browsing for another computer on a Microsoft network, even when access to that computer is allowed. This seems to be restricted to browsing Microsoft shares, but it may not matter to you, as many enterprises already disable this feature of Windows.
Whether Zone Labs Integrity 2.0 is for you depends on your enterprise. But we found it to be a well-executed, well-designed solution for companies that need internal firewall protection, and we're inclined to believe that this applies to nearly every company. It's easy to install, deploy, and administer, and it provides solid protection. And because it ties the personal firewalls of all of your Windows clients to one management point, it greatly eases the work for your network administrators. We just wish it supported more than just Windows.