[ale] Good windows firewall ?

Geoffrey esoteric at 3times25.net
Mon Jun 21 09:57:28 EDT 2004


Vincent Fox wrote:
>>>It's called a Layered Defense.
>>
>>I am familiar with the concept.  Point is, we're talking a home network 
>>here, if I recall.  There are differences.  Still, there are other 
>>solutions that create a 'layered defense' or 'rings of security' as I 
>>noted in a previous email, which don't require a software firewall on 
>>every client.
> 
> 
> My home network has a software firewall on every machine.
> I dunno, maybe I find your resistance strange.

We'll have to agree to disagree, as I find such solutions a poor balance 
between effort and security.  You will never have a completely secure 
computer as long as it simply exists.

> I find turning
> on a basic software firewall in Linux, or enabling the XP one
> to be easy and so worth the small amount of time it takes that
> I don't even think about it.

And you have faith in the XP firewall?  So do you run insecure tools 
within your 'intranet' (telnet...)?


>>Certainly every client machine at GA Tech does not have a software 
>>firewall installed?  Of those, how many are properly configured?
> 
> 
> I dunno about EVERY client machine, not responsible for all of them.

Seems a waste of time if you can't ensure all clients are covered.

> 
> Of the ones I admin in the PLM lab, every Solaris and Linux and Windows
> box was recently patched AND had some sort of firewall enabled locally
> on that box.  On the Solaris side it took me a few minutes to
> run pkg-get to install ipfilter, configure a minimal ruleset, 
> and reboot it.

I'm sure you're the exception to the rule.  I'll suggest you'll find 
that the majority of large networks are not secured in such a way.

> 
> *snip*
> 
> 
>>Well, I've never had anyone drop a laptop on my network.  You don't 
>>apply the same security solutions to a business network that you do to a 
>>home network.  Again, you have to assess the risks.
> 
> 
> I have room-mates. The Korean guy has had several infections other
> places and then brings his laptop home and boom problem. Your situation
> may vary, but I think it not unlikely that at SOME point during a year
> MOST home networks have a guest machine that may get connected
> when they are not at home to supervise.

Knowing what you know about him, he should be banned from your network. 
I do not permit such access to my network.  I have a standalone 
network of untrusted machines, but that's just one of my 'playgrounds.'

My brother did visit once with his Windows XP laptop.  We did verify 
that the machine was clean prior to attaching to my network.  The same 
would apply to any other 'unknown' system.

> 
> If you have no room-mates or spouse or children, or generally just do
> not allow anyone other than yourself in your house, I guess you have
> nothing to worry about so why not just run unpatched systems with no
> firewall and no antivirus, etc. I know people running unpatched NT4 systems
> behind a simple hardware NAT firewall and that works for them because
> they rigidly ensure no other machines are ever on that network.

I do have a spouse as well as a daughter.  People do frequent my home, 
but they do not find their way to connecting computers to my network. 
My wife's Windows machine does have virus protection software, but no 
Windows firewall.  It does sit behind at least two such devices.  My 
daughter's dual-boot Linux/Windows box has no network connectivity when 
booted to Windows.

> I think the beginning of this thread started with who could suggest
> a good Windows firewall, so that's what I answered, eh what?

Sure, as did I.

-- 
Until later, Geoffrey                     Registered Linux User #108567
Building secure systems in spite of Microsoft


