[ale] Good windows firewall ?

Ronald Chmara ron at Opus1.COM
Mon Jun 21 17:56:14 EDT 2004


On Jun 21, 2004, at 7:41 AM, Geoffrey wrote:
> Vincent Fox wrote:
>>> It really makes no sense to have firewall software running on 2+ 
>>> machines if they all have access via the same connection.  One 
>>> firewall to protect them all. :)
>> It's called a Layered Defense.
> I would like to see a real world example where a large organization, 
> whether that is a corporation or an educational facility has such a 
> policy in place.

Wells Fargo has just such a division (can't say more without violating 
NDA). The basic policy is that every device which can be exploited is 
protected with all reasonable tools available for that device. All 
servers, laptops, and desktops run with encrypted hard drives or 
partitions (in case of theft), firewall software, virus scanning, 
monthly password changes, strong password policies, auto-logoff, etc.

Key word being "reasonable". Simple firewalls like Black ICE take 
almost no administration, just like simple virus scanners take almost 
no administration.

> I highly doubt you'll find any large corporation who has firewall 
> software running on every desktop.  It's just not possible to maintain 
> such a scenario, regardless of the tools available.

Well, I think this idea (only a few firewalls per network) was more 
viable a few years ago.... At one point in time, it was considered 
totally unreasonable to have virus scanning software installed on all 
machines. Now, it's not unusual for every desktop in a network to have 
some form of virus scanning enabled, in addition to traffic scanners, 
and/or service based scanners (such as Amavis). As exploits increase, 
security to meet that threat also increases.

> I am not saying that a single firewall is an acceptable solution, but 
> I don't think there are a lot of situations where running a software 
> firewall on every client is feasible.

I think you both have valid points, and the key difference is 
complexity. Firewalls that take more than a few seconds per month of 
administration are not good choices for each end client machine, but 
fairly simple firewalls on every end client are trivial to implement. 
While they don't offer the same level of burliness as a well configured 
edge or core firewall, they still offer some additional protection in 
cases of an internal threat.

-Bop