[ale] Good windows firewall ?

Geoffrey esoteric at 3times25.net
Sun Jun 20 20:38:23 EDT 2004


Jonathan Glass wrote:
>>Any of the stock Linux firewalls will work for 'both Linux and Windows.'
>>  Smoothwall, ipcop, Coyote...
>>
>>Depending on the services offered, you can get by with such a low end
>>machine, but running things like snort along on the same box is going to
>>require more hardware/memory.
>>
>>It really makes no sense to have firewall software running on 2+
>>machines if they all have access via the same connection.  One firewall
>>to protect them all. :)
>>
>>If you really want to get into it, get Bob Toxen's book and build your
>>own. :)
>>
>>--
>>Until later, Geoffrey                     Registered Linux User #108567
>>Building secure systems in spite of Microsoft
> 
> 
> Here I must disagree.  The more protection the better.  If you can run
> firewall software on each of your client computers, and on the edge of the
> network, then you are that much better off.  That's actually the focus of
> my latest research paper, titled "The Penguin, The Demon, and The Onion:
> Using Open Source Software to Create Defense in Depth for Information
> Systems".  :)
> 
> Good luck to you.

I'd be interested in your paper if it will be published publicly.  I 
will agree that a 'Defense in Depth' is a good solution. (I for one have 
more than one firewall protecting my home network).  It sounds similar 
to Bob Toxen's 'rings of security' solution.  I suspect the reference to 
'The Onion' is a similar idea.

I see a couple of scenarios here.  The original poster, I believe, was 
referring to a small home network.  In such a situation it might be 
possible to keep a primary firewall and separate software firewalls on 
each computer properly configured and up-to-date.  You have to look at 
the risk.  Most home users are not likely to be subject to individual 
hack attempts, and those that are, are likely running no firewall.  It's 
the old scenario of keeping yourself more secure than your neighbor.  If 
a thief is looking for a car to steal at the mall, he'll likely pass 
over the one that has all the doors locked, for the one with the keys in 
the ignition.  You can't and don't have to make your network impervious, 
but you can make it more secure than the majority of DSL users out there.

It's like the old 'two hikers and a bear' joke.  Hiker A doesn't need to 
outrun the bear, he just has to outrun Hiker B.

Another possible scenario is the business network.  You're just not 
going to have the manpower to keep every desktop computer firewall 
properly configured and up-to-date.  In corporate environments I've seen 
multiple levels of protection, along with properly defined subnets. 
Obviously you'll have firewalls between the internet and your corporate 
network.   Along with those, you'll likely have multiple DMZs and even 
firewalls internally keeping different parts of the corporate network 
separated.  It is highly unlikely you'll find firewall software running 
on every client.  It's just not possible to keep up with such a 
configuration.

-- 
Until later, Geoffrey                     Registered Linux User #108567
Building secure systems in spite of Microsoft