Use XP Firewall with Router & Firewall?

john

Splendid
Aug 25, 2003
3,819
0
22,780
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Is it recomended to turn on and use the XP Firewall on workstations
even if our network sits behind a router with it's own Firewall? Will
this cause problems? Until the last XP service pack, I only used the
XP firewall when connecting from home or on the road. Now all
connections are firewalled by default.
Thanks.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On 8 Mar 2005 09:43:46 -0800, john@destinytours.com (John) wrote:

>Is it recomended to turn on and use the XP Firewall on workstations
>even if our network sits behind a router with it's own Firewall? Will
>this cause problems? Until the last XP service pack, I only used the
>XP firewall when connecting from home or on the road. Now all
>connections are firewalled by default.
>Thanks.
Leave it on. It's low overhead and it wont cause any
problem in this situation.
Some people run two software FW's such as the built-in
and Zonealarm - that raises a bigger concern in my mind.
Dave
 

peter

Distinguished
Mar 29, 2004
3,226
0
20,780
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Not wise to use two, they could conflict. Turn off Windows Firewall.

--
Peter.
Toronto, Canada.
XP Home SP2.
P4 @ 3.0ghz, 160gb HDD, 1.0gb DDR.
"John" <john@destinytours.com> wrote in message
news:b81576f1.0503080943.50e84409@posting.google.com...
> Is it recomended to turn on and use the XP Firewall on workstations
> even if our network sits behind a router with it's own Firewall? Will
> this cause problems? Until the last XP service pack, I only used the
> XP firewall when connecting from home or on the road. Now all
> connections are firewalled by default.
> Thanks.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 8 Mar 2005 12:48:58 -0500, "Peter"
<Peter@discussions.microsoft.com> wrote:

>Not wise to use two, they could conflict. Turn off Windows Firewall.

He said "router" firewall and XP firewall. That is fine, and wise.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

In news:Ohb0bcAJFHA.3332@TK2MSFTNGP15.phx.gbl,
Peter <Peter@discussions.microsoft.com> typed:

> Not wise to use two, they could conflict. Turn off Windows
> Firewall.


No, it's not wise to run two software firewalls because of the
possibility of conflicts, but the hardware protection the router
offers can't conflict with the software protection of the Windows
firewall.

However the Windows firewall offers little or no extra protection
over what the router offers. Both protect you against incoming
attacks but do nothing about monitoring outbound traffic, and
stopping rogue programs trying to call home. Fot that reason, I
do recommend running a software firewall in adition to the
router, but not the Windows one. Almost any of the third-party
firewalls will add such extra protection. Personally I use the
free version of ZoneAlarm in addition to my router.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup


>> Is it recomended to turn on and use the XP Firewall on
>> workstations
>> even if our network sits behind a router with it's own
>> Firewall? Will this cause problems? Until the last XP service
>> pack, I only
>> used the XP firewall when connecting from home or on the road.
>> Now
>> all connections are firewalled by default.
>> Thanks.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

No conflicts! This would help in stopping any WORM virus that may get thru.
You can run a hardware firewall (router & firewall) and a software firewall
(SP2's).


"Peter" <Peter@discussions.microsoft.com> wrote in message
news:Ohb0bcAJFHA.3332@TK2MSFTNGP15.phx.gbl...
> Not wise to use two, they could conflict. Turn off Windows Firewall.
>
> --
> Peter.
> Toronto, Canada.
> XP Home SP2.
> P4 @ 3.0ghz, 160gb HDD, 1.0gb DDR.
> "John" <john@destinytours.com> wrote in message
> news:b81576f1.0503080943.50e84409@posting.google.com...
>> Is it recomended to turn on and use the XP Firewall on workstations
>> even if our network sits behind a router with it's own Firewall? Will
>> this cause problems? Until the last XP service pack, I only used the
>> XP firewall when connecting from home or on the road. Now all
>> connections are firewalled by default.
>> Thanks.
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 8 Mar 2005 13:15:37 -0700, "Ken Blake"
<kblake@this.is.an.invalid.domain> wrote:


>However the Windows firewall offers little or no extra protection
>over what the router offers. Both protect you against incoming
>attacks but do nothing about monitoring outbound traffic,

XP SP2 Firewall has stately inspection so it does.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Windows Firewall does *not* offer outbound protection.

Tom
"Connected" <connected@somewhere.here> wrote in message
news:qjes21d75qqb0jmcsbm46ktplm8uu9ctsm@4ax.com...
| On Tue, 8 Mar 2005 13:15:37 -0700, "Ken Blake"
| <kblake@this.is.an.invalid.domain> wrote:
|
|
| >However the Windows firewall offers little or no extra protection
| >over what the router offers. Both protect you against incoming
| >attacks but do nothing about monitoring outbound traffic,
|
| XP SP2 Firewall has stately inspection so it does.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

In news:qjes21d75qqb0jmcsbm46ktplm8uu9ctsm@4ax.com,
Connected <connected@somewhere.here> typed:

> On Tue, 8 Mar 2005 13:15:37 -0700, "Ken Blake"
> <kblake@this.is.an.invalid.domain> wrote:
>
>
>> However the Windows firewall offers little or no extra
>> protection
>> over what the router offers. Both protect you against incoming
>> attacks but do nothing about monitoring outbound traffic,
>
> XP SP2 Firewall has stately inspection so it does.


Sorry, but that's wrong. XP's firewall, with or without SP2, is
incoming only.

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

John wrote:
> Is it recomended to turn on and use the XP Firewall on workstations
> even if our network sits behind a router with it's own Firewall? Will
> this cause problems? Until the last XP service pack, I only used the
> XP firewall when connecting from home or on the road. Now all
> connections are firewalled by default.
> Thanks.



SP2's Firewall's most important virtues, I think, are it's improved
compatibility with internal LANs and its configurability via group
policies. Now, there's a simple, cheap tool that system admins can use
to protect the LAN workstations from that occasional - but not rare
enough - fool who manages to bypass the perimeter firewall and manually
install some malware that could then spread throughout the LAN via
shared drives.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Running a "software" and "hardware" firewall is perfectly legit, and highly
recommended if behind the "hardware" firewall you have a network (as in a
home network) as it protects the computer from the remaining computers on
the network should one of them happen to become infected.

--
Star Fleet Admiral Q @ your service!
"Google is your Friend!"
www.google.com

***********************************************

"John" <john@destinytours.com> wrote in message
news:b81576f1.0503080943.50e84409@posting.google.com...
> Is it recomended to turn on and use the XP Firewall on workstations
> even if our network sits behind a router with it's own Firewall? Will
> this cause problems? Until the last XP service pack, I only used the
> XP firewall when connecting from home or on the road. Now all
> connections are firewalled by default.
> Thanks.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 8 Mar 2005 18:22:48 -0600, "Tom Pepper Willett"
<tompepper@mvps.org> wrote:

>Windows Firewall does *not* offer outbound protection.

Oh, well, I don't use it anymore anyway.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 8 Mar 2005 18:37:24 -0700, "Ken Blake"
<kblake@this.is.an.invalid.domain> wrote:


>Sorry, but that's wrong. XP's firewall, with or without SP2, is
>incoming only.

Yea, yea, I've been told ten times already.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 08 Mar 2005 19:47:57 -0700, Bruce Chambers wrote:
[snip]
> SP2's Firewall's most important virtues, I think, are it's improved
> compatibility with internal LANs and its configurability via group
> policies. Now, there's a simple, cheap tool that system admins can use
> to protect the LAN workstations from that occasional - but not rare
> enough - fool who manages to bypass the perimeter firewall and manually
> install some malware that could then spread throughout the LAN via
> shared drives.

Got news for you, but if you're in a LAN and using the SP2 firewall it's
already setup to allow access to shares and will not protect your computer
while it's in a LAN/Domain.

--
spam999free@rrohio.com
remove 999 in order to email me
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Leythos wrote:
> On Tue, 08 Mar 2005 19:47:57 -0700, Bruce Chambers wrote:
> [snip]
>
>> SP2's Firewall's most important virtues, I think, are it's improved
>>compatibility with internal LANs and its configurability via group
>>policies. Now, there's a simple, cheap tool that system admins can use
>>to protect the LAN workstations from that occasional - but not rare
>>enough - fool who manages to bypass the perimeter firewall and manually
>>install some malware that could then spread throughout the LAN via
>>shared drives.
>
>
> Got news for you, but if you're in a LAN and using the SP2 firewall it's
> already setup to allow access to shares and will not protect your computer
> while it's in a LAN/Domain.
>


It's not 100% effective, but it's still better than nothing. It
depends upon the specific type of threat, of course. Things like
Blaster, Welchia, and Sasser, that are not spread via network shares,
get stopped.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 08 Mar 2005 20:10:00 -0700, Bruce Chambers wrote:

> Leythos wrote:
>> On Tue, 08 Mar 2005 19:47:57 -0700, Bruce Chambers wrote:
>> [snip]
>>
>>> SP2's Firewall's most important virtues, I think, are it's improved
>>>compatibility with internal LANs and its configurability via group
>>>policies. Now, there's a simple, cheap tool that system admins can use
>>>to protect the LAN workstations from that occasional - but not rare
>>>enough - fool who manages to bypass the perimeter firewall and manually
>>>install some malware that could then spread throughout the LAN via
>>>shared drives.
>>
>>
>> Got news for you, but if you're in a LAN and using the SP2 firewall it's
>> already setup to allow access to shares and will not protect your computer
>> while it's in a LAN/Domain.
>>
>
>
> It's not 100% effective, but it's still better than nothing. It
> depends upon the specific type of threat, of course. Things like
> Blaster, Welchia, and Sasser, that are not spread via network shares,
> get stopped.

I agree, but the poster specifically implied that the SP2 firewall would
stop the spread of nasties that use file sharing.

--
spam999free@rrohio.com
remove 999 in order to email me
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Leythos wrote:
> On Tue, 08 Mar 2005 20:10:00 -0700, Bruce Chambers wrote:
>
>
>
> I agree, but the poster specifically implied that the SP2 firewall would
> stop the spread of nasties that use file sharing.
>


Good point. I'll need to reword that one, won't I?


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 08 Mar 2005 20:19:28 -0700, Bruce Chambers wrote:
>
> Leythos wrote:
>> On Tue, 08 Mar 2005 20:10:00 -0700, Bruce Chambers wrote:
>>
>> I agree, but the poster specifically implied that the SP2 firewall
>> would stop the spread of nasties that use file sharing.
>
> Good point. I'll need to reword that one, won't I?

I've actually taken to disabling the firewall service on every workstation
inside a network that we've setup security for. I've found the FW to be
nothing but a pain in a secure network.

--
spam999free@rrohio.com
remove 999 in order to email me
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Tue, 08 Mar 2005 19:47:57 -0700, Bruce Chambers

> SP2's Firewall's most important virtues, I think, are it's improved
>compatibility with internal LANs

There may be a shadow over that, given recent concerns about how File
and Print Services can be erroneously mapped to the whole Internet.


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

cquirke (MVP Windows shell/user) wrote:

>
>
> There may be a shadow over that, given recent concerns about how File
> and Print Services can be erroneously mapped to the whole Internet.
>
>
>


A possibility, if there's no perimeter defense in place. Why does
every silver lining have to come with a dark cloud? ;-}


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

John wrote:
> Is it recomended to turn on and use the XP Firewall on workstations
> even if our network sits behind a router with it's own Firewall?
> Will this cause problems? Until the last XP service pack, I only
> used the XP firewall when connecting from home or on the road. Now
> all connections are firewalled by default.

Bruce Chambers wrote:
> SP2's Firewall's most important virtues, I think, are it's
> improved compatibility with internal LANs and its configurability via
> group policies. Now, there's a simple, cheap tool that system admins
> can use to protect the LAN workstations from that occasional - but
> not rare enough - fool who manages to bypass the perimeter firewall
> and manually install some malware that could then spread throughout
> the LAN via shared drives.

Leythos wrote:
> Got news for you, but if you're in a LAN and using the SP2 firewall
> it's already setup to allow access to shares and will not protect
> your computer while it's in a LAN/Domain.

Bruce Chambers wrote:
> It's not 100% effective, but it's still better than nothing. It
> depends upon the specific type of threat, of course. Things like
> Blaster, Welchia, and Sasser, that are not spread via network shares,
> get stopped.

Leythos wrote:
> I agree, but the poster specifically implied that the SP2 firewall
> would stop the spread of nasties that use file sharing.

Bruce Chambers wrote:
> Good point. I'll need to reword that one, won't I?

Leythos wrote:
> I've actually taken to disabling the firewall service on every
> workstation inside a network that we've setup security for. I've
> found the FW to be nothing but a pain in a secure network.

We enable the firewall using group policies and limit file & printer sharing
access to a few machines in the domain - mainly servers and certain
administrators machines. This limits accessibilitry to the individual
workstations shares to only a few machines and complete prevents one
authenticated user from mapping shares on another users PC and effectively
stops the spread of most worms UNLESS one of the few machines that are
allowed access to the workstations in the domain get infected, which is much
less likely than the users themselves getting infected.

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Shenan Stanley wrote:

>
> We enable the firewall using group policies and limit file & printer sharing
> access to a few machines in the domain - mainly servers and certain
> administrators machines. This limits accessibilitry to the individual
> workstations shares to only a few machines and complete prevents one
> authenticated user from mapping shares on another users PC and effectively
> stops the spread of most worms UNLESS one of the few machines that are
> allowed access to the workstations in the domain get infected, which is much
> less likely than the users themselves getting infected.
>


We also limit file and print sharing to only those workstations where
there is no other economically feasible work-around.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Sat, 12 Mar 2005 09:58:41 -0700, Bruce Chambers
>cquirke (MVP Windows shell/user) wrote:

>> There may be a shadow over that, given recent concerns about how File
>> and Print Services can be erroneously mapped to the whole Internet.

> A possibility, if there's no perimeter defense in place.

"Depth" means not assuming perimeter defences will hold, and thus
planning what to do when these are breached. De facto scopes are your
friend; hardening against PC to PC spread within LAN is guud.

>Why does every silver lining have to come with a dark cloud? ;-}

Hmm... I think blurring LAN and Internet awareness is a very serious
matter, especially where F&PS are concerned, and especially when the
OS is dumb enough to have hidden writable shares exposing the startup
axis and OS, and with known names at that. Win9x wasn't *that* dumb.

We had this problem in Win9x, but in a different way. That OS was
dumb enough to bind everything to everything by duhfault, whenever
network settings were nudged. It was quite common to do something or
other, then find IPX, NetBEUI and TCP/IP bound to both LAN and DUN,
with F&PS bound to all of the above.

Seems like the more things change, the more they stay the same?


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin (More info?)

What everyone seems to be forgetting in this discussion is that Windows
Firewall has a "start-up filter". Which means that it protects the computer
in the time window before the system has started all applications (like your
software firewall...). A normal firewall is usually turned on at the end of
the boot-up process which leaves the computer vunerable in this time window.
You can turn the firewall off with GPO's and keep the "start-up filter"

"Yves Leclerc" wrote:

> No conflicts! This would help in stopping any WORM virus that may get thru.
> You can run a hardware firewall (router & firewall) and a software firewall
> (SP2's).
>
>
> "Peter" <Peter@discussions.microsoft.com> wrote in message
> news:Ohb0bcAJFHA.3332@TK2MSFTNGP15.phx.gbl...
> > Not wise to use two, they could conflict. Turn off Windows Firewall.
> >
> > --
> > Peter.
> > Toronto, Canada.
> > XP Home SP2.
> > P4 @ 3.0ghz, 160gb HDD, 1.0gb DDR.
> > "John" <john@destinytours.com> wrote in message
> > news:b81576f1.0503080943.50e84409@posting.google.com...
> >> Is it recomended to turn on and use the XP Firewall on workstations
> >> even if our network sits behind a router with it's own Firewall? Will
> >> this cause problems? Until the last XP service pack, I only used the
> >> XP firewall when connecting from home or on the road. Now all
> >> connections are firewalled by default.
> >> Thanks.
> >
> >
>
>
>