[ale] Good windows firewall ?

Geoffrey esoteric at 3times25.net
Mon Jun 21 07:42:41 EDT 2004


Vincent Fox wrote:
>>It really makes no sense to have firewall software running on 2+ 
>>machines if they all have access via the same connection.  One firewall 
>>to protect them all. :)
> 
> 
> It's called a Layered Defense.

I am familiar with the concept.  Point is, we're talking a home network 
here, if I recall.  There are differences.  Still, there are other 
solutions that create a 'layered defense' or 'rings of security' as I 
noted in a previous email, which don't require a software firewall on 
every client.

Certainly not every client machine at GA Tech has a software firewall 
installed?  Of those that do, how many are properly configured?

I would like to see a real world example where a large organization, 
whether that is a corporation or an educational facility has such a 
policy in place.

> 
> Example:
> I have an IPCop box as my home router which is also a NAT/firewall of course.
> 
> I *still* run iptables on any local Linux boxes, and on Windows I use
> the XP firewall at minimum, or the CA Armor suite.

I do not have a firewall running on every box in my network.  I have 
multiple firewalls with a DMZ.  I'm not going to attempt to maintain a 
firewall on every box on my network.  Simply a difference of opinion.

> 
> I am familiar with all too many security incidents where the dependence
> on the One Big Security Device bites you in the ass. It can be a case of
> a Maginot Line where you *think* you have a good firewall, but someone
> finds a way around it and bingo they are inside your green network.
> Or it can be a simple case of someone brings a compromised laptop
> into your green. This is pretty common.

Well, I've never had anyone drop a laptop on my network.  You don't 
apply the same security solutions to a business network that you do to a 
home network.  Again, you have to assess the risks.

I highly doubt you'll find any large corporation who has firewall 
software running on every desktop.  It's just not possible to maintain 
such a scenario, regardless of the tools available.

Smaller businesses might have such an approach, but I personally don't 
recommend it.

I am not saying that a single firewall is an acceptable solution, but I 
don't think there are a lot of situations where running a software 
firewall on every client is feasible.

-- 
Until later, Geoffrey                     Registered Linux User #108567
Building secure systems in spite of Microsoft
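As an added example (not part of this message or of the thread it replies to), here is the sort of host ruleset Vincent describes for a Linux box that already sits behind an IPCop NAT/firewall. The design point it illustrates is the "compromised laptop in the green" case: INPUT defaults to DROP and the LAN is not trusted either, so a box plugged in beside this one gets the same treatment as the Internet. The admin workstation address (192.168.1.10), the SSH port and the variable names are assumptions for the example, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the ALE thread: minimal host firewall for a Linux
# box behind a perimeter NAT/firewall. The host does NOT trust the LAN.
#
# Assumptions (hypothetical): admin workstation 192.168.1.10, sshd on 22.
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-iptables}"      # set IPT="echo iptables" to preview without root

# host_fw_rules prints one iptables argument list per line, in order.
# Inbound: loopback, replies to our own connections, rate-limited ping,
# and SSH from the one admin host. Everything else (LAN included) is
# logged at a low rate and dropped by the default policy.
host_fw_rules() {
    cat <<EOF
-F INPUT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_HOST} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix host-fw-drop:
EOF
}

# apply_host_fw feeds each rule line to iptables (or to the preview command
# in $IPT) and stops at the first failure.
apply_host_fw() {
    host_fw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting into arguments is intended
        $IPT $rule || return 1
    done
}

# Usage: run as root to apply, or preview with: IPT="echo iptables" ./host-fw.sh
if [ "${1:-}" = "apply" ]; then
    apply_host_fw
fi
```

Note that the SSH rule names a single host rather than the whole green subnet; widening it to the LAN would hand a compromised laptop exactly the access the host firewall is there to deny.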


