[ale] Good windows firewall ?

Jonathan Glass jonathan.glass at ibb.gatech.edu
Sun Jun 20 20:59:18 EDT 2004


> Jonathan Glass wrote:
>>>Any of the stock Linux firewalls will work for 'both Linux and Windows.'
>>>  Smoothwall, ipcop, Coyote...
>>>
>>>Depending on the services offered, you can get by with such a low end
>>>machine, but running things like snort on the same box is going to
>>>require more hardware/memory.
>>>
>>>It really makes no sense to have firewall software running on 2+
>>>machines if they all have access via the same connection.  One firewall
>>>to protect them all. :)
>>>
>>>If you really want to get into it, get Bob Toxen's book and build your
>>>own. :)
>>>
>>>--
>>>Until later, Geoffrey                     Registered Linux User #108567
>>>Building secure systems in spite of Microsoft
>>
>>
>> Here I must disagree.  The more protection the better.  If you can run
>> firewall software on each of your client computers, and on the edge of
>> the network, then you are that much better off.  That's actually the
>> focus of my latest research paper, titled "The Penguin, The Demon, and
>> The Onion: Using Open Source Software to Create Defense in Depth for
>> Information Systems".  :)
>>
>> Good luck to you.
>
> I'd be interested in your paper if it will be published publicly.  I
> will agree that a 'Defense in Depth' is a good solution. (I for one have
>   more than one firewall protecting my home network).  It sounds similar
> to Bob Toxen's 'rings of security' solution.  I suspect the reference to
> 'The Onion' is a similar idea.
>
> I see a couple of scenarios here.  The original poster, I believe was
> referring to a small home network.  In such a situation it might be
> possible to keep a primary firewall and separate software firewalls on
> each computer properly configured and up-to-date.  You have to look at
> the risk.  Most home users are not likely to be subject to individual
> hack attempts, and those that are, are likely running no firewall.  It's
> the old scenario of keeping yourself more secure than your neighbor.  If
> a thief is looking for a car to steal at the mall, he'll likely pass
> over the one that has all the doors locked, for the one with the keys in
> the ignition.  You can't and don't have to make your network impervious,
> but you can make it more secure than the majority of dsl users out there.
>
> It's like the old 'two hikers and a bear' joke.  Hiker A doesn't need to
> outrun the bear, he just has to outrun Hiker B.
>
> Another possible scenario is the business network.  You're just not
> going to have the manpower to keep every desktop computer firewall
> properly configured and up-to-date.  In corporate environments I've seen
> multiple levels of protection, along with properly defined subnets.
> Obviously you'll have firewalls between the internet and your corporate
> network.   Along with those, you'll likely have multiple DMZs and even
> firewalls internally keeping different parts of the corporate network
> separated.  It is highly unlikely you'll find firewall software running
> on every client.  It's just not possible to keep up with such a
> configuration.
>
> --
> Until later, Geoffrey                     Registered Linux User #108567
> Building secure systems in spite of Microsoft


At Tech, we have a site-license for Zone Alarm, and it has features to
make enterprise management possible.  Students are strongly encouraged to
install Zone Alarm on all desktops.  I recommend that they take it a step
further and run Windows IPSEC firewalls, too.

I do agree with the idea of evaluating risk.  However, I was thinking that
if the original poster was able to install and manage firewall software,
then they'd probably be able to learn how to properly secure their
individual machines through the process.  After all, if you deploy a good
*nix firewall to protect you from the 'Net, then you have the time to play
with your Windows firewall software until you get a good configuration.

I consider a NAT-only firewall a first line of defense, and a method of
giving yourself more time to learn the other firewall technology, thus
making you more secure overall.

My personal philosophy:  The more you know...
-- 
Jonathan Glass
Systems Support Specialist II
IBB/GTEC
Office: 404-385-0127
Cell: 404-444-4086
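An added example, not part of the post above, of what "run Windows IPSEC
firewalls" amounts to in practice on the Windows versions of the time
(XP/2003): the built-in IPsec policy engine is driven from the
"netsh ipsec static" context to act as a host packet filter, blocking
everything inbound and permitting only what the machine actually needs.
The policy, filter-list and rule names (HostFW, AllInbound, ClientReplies,
AllowRDP, Block, Permit), the LAN range 192.168.1.0/24 and the DNS server
address 192.168.1.1 are assumptions for the illustration; adjust them to
your own network.

```batch
@echo off
rem Added example (not from the original post): host packet filter built
rem from a Windows IPsec static policy.  Assumed names: HostFW, AllInbound,
rem ClientReplies, AllowRDP, Block, Permit.  Assumed LAN 192.168.1.0/24 and
rem DNS server 192.168.1.1.  Run as a local administrator on a test box.

rem 1. The policy object that the rules hang off.
netsh ipsec static add policy name="HostFW" description="Host packet filter"

rem 2. Filter actions: one that drops, one that passes traffic in the clear.
netsh ipsec static add filteraction name="Block" action=block
netsh ipsec static add filteraction name="Permit" action=permit

rem 3. Catch-all: every packet from anywhere to this host ("me").
rem    mirrored=no so the outbound direction is not touched.
netsh ipsec static add filterlist name="AllInbound"
netsh ipsec static add filter filterlist="AllInbound" srcaddr=any dstaddr=me protocol=ANY mirrored=no description="Everything inbound"

rem 4. IPsec filters are stateless, so replies to the host's own outbound
rem    connections would be dropped by step 3.  A mirrored filter matches
rem    "me -> any:80" AND the reverse "any:80 -> me", which lets the replies
rem    back in.  Same for HTTPS and DNS to the assumed resolver.
netsh ipsec static add filterlist name="ClientReplies"
netsh ipsec static add filter filterlist="ClientReplies" srcaddr=me dstaddr=any protocol=TCP dstport=80 mirrored=yes description="HTTP client"
netsh ipsec static add filter filterlist="ClientReplies" srcaddr=me dstaddr=any protocol=TCP dstport=443 mirrored=yes description="HTTPS client"
netsh ipsec static add filter filterlist="ClientReplies" srcaddr=me dstaddr=192.168.1.1 protocol=UDP dstport=53 mirrored=yes description="DNS to assumed resolver"

rem 5. The one inbound service we choose to expose: Remote Desktop, and
rem    only from the assumed LAN range, not from the Internet.
netsh ipsec static add filterlist name="AllowRDP"
netsh ipsec static add filter filterlist="AllowRDP" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP dstport=3389 mirrored=no description="RDP from LAN"

rem 6. Rules bind a filter list to an action inside the policy.  The IPsec
rem    driver weights more specific filters higher, so the permits win over
rem    the any/any block without depending on the order added here.
netsh ipsec static add rule name="BlockInbound" policy="HostFW" filterlist="AllInbound" filteraction="Block"
netsh ipsec static add rule name="PermitClientReplies" policy="HostFW" filterlist="ClientReplies" filteraction="Permit"
netsh ipsec static add rule name="PermitRDP" policy="HostFW" filterlist="AllowRDP" filteraction="Permit"

rem 7. Assign (activate) the policy and print what is now in force.
netsh ipsec static set policy name="HostFW" assign=y
netsh ipsec static show policy name="HostFW"
```

Two caveats a practitioner should know before relying on this.  First,
because the filters are stateless, step 4 really permits any inbound TCP
packet whose source port is 80 or 443, whoever sends it; that hole is
exactly why the stateful NAT box at the edge of the network still matters
as the first line of defense.  Second, the IPsec driver on these Windows
versions exempts some traffic (IKE on UDP 500, Kerberos, RSVP, broadcast
and multicast) from filtering unless the DWORD value NoDefaultExempt under
HKLM\SYSTEM\CurrentControlSet\Services\IPSEC is set, so check that key
and then verify from another host with a port scan rather than trusting
the policy listing.  To back the whole thing out, run
"netsh ipsec static set policy name=HostFW assign=n" followed by
"netsh ipsec static delete policy name=HostFW".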