Netgear portscanning me?

At any rate, it seems that if you have been in IT very long, you had a long time doing wrong/stupid things.

Reply to
Sebastian G.

Now speak after me: - D M Z - host pro tec tion

If these servers had been properly patched they would not have been affected.

Anyway, we'll try it again: - D M Z - host pro tec tion - I P sec

Reply to
Sebastian G.

Host-based packet filters are usually only used on machines that sometimes get connected directly to the Internet (Laptops, usually).

The only other instance of "double-firewalling" I know of in the industry is a firewall with a DMZ between two packet filters - not to be confused with any "desktop firewall".

"Desktop firewalls" usually are a support nightmare, as they prevent IT from doing maintenance on the machines quite often (especially if the user managed to screw around with the rules again), and offer no real benefit for normal workstations.

Juergen Nieveler

Reply to
Juergen Nieveler

Double firewalling (hardware + software) is recommended by US-CERT:

formatting link
formatting link
formatting link

Reply to
john toynbee

The correct use of a proper hardware firewalling device like

formatting link
makes any software definitely unnecessary.

Wolfgang

Reply to
Wolfgang Kueter

Nice joke, but, sorry, between your opinion and US-CERT's opinion I prefer the second.

John

Reply to
john toynbee

Those links are for home users, though - not business users.

Major difference.

Juergen Nieveler

Reply to
Juergen Nieveler

Yes, but is defense in depth less important for business users? I think the contrary. Moreover, there are also the inside attacks. Lastly: National Security Agency (NSA), "The 60 Minute Network Security Guide"

2006
formatting link

Page 12: "The following section addresses recommendations for securing network perimeter routers and firewalls. These devices remain a first line of defense that can serve to limit the access a potential adversary has to an organization's network."

Page 30: "Included in Windows XP Service Pack 2 and Windows Server 2003 is Windows Firewall, a host-based firewall used to restrict unsolicited inbound traffic to a computer. Windows Firewall settings can be configured locally on a host, or, preferably, via Group Policy. The following are recommendations regarding the use of Windows Firewall: - Enable Windows Firewall. - Windows Firewall configurations should be pushed down via Group Policy within a domain if possible. In general, do not allow local administrators to disable/enable the firewall or make changes"

John

Reply to
john toynbee

Businesses that are security-conscious prefer to control access to the LAN in the first place - with an unknown MAC you can't even connect to the switch, or plug your computer into a socket in the wrong office.

Those are a real problem, but not one a desktop firewall can prevent.

If you remove unnecessary services on the workstations there's even less chance of attack ;-)

Also, speaking as somebody who had to roll out a centrally managed McAfee Firewall - it's a hell of a lot of work to make sure that a) the firewall works, b) the user cannot tamper with it, and c) everything else still works, too...

Juergen Nieveler

Reply to
Juergen Nieveler

Aha, this is the real problem!

John

Reply to
john toynbee

Defense in depth does not imply using "Personal Firewalls". It should imply configuring machines so that firewalls are not necessary at all, and then afterwards filtering at the network boundary additionally.

The Windows-Firewall can be used for Windows, because Windows has the design flaw to offer network services even if none are wanted to be there.

It's the second best option compared with shutting down unwanted services. Unfortunately it's second best because there are attacks possible with a packet filter, which are not possible if there is no such service.

Yours, VB.

Reply to
Volker Birk
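An added example (not code from any poster in this thread) that applies the ranking above to a constructed `netstat -ano`-style listing: a listening service the workstation is meant to offer is "wanted", one that only the host packet filter keeps unreachable is "masked-by-firewall" (the second-best case, where the fix is to disable the service), and one that is neither wanted nor filtered is "exposed". The sample listing, the allowlist and the firewall rule set are all assumptions made up for the demonstration.

```python
"""Rank TCP listeners on a host: not running beats filtered beats reachable."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the style of Windows `netstat -ano`; not real output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1200
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3000
  TCP    10.0.0.5:49155         10.0.0.9:445           ESTABLISHED     4
"""

# proto, local address, local port, foreign address, optional LISTENING state
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+(LISTENING)?")


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (bind_address, port) for every TCP socket in LISTENING state."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4):  # skip headers and non-listening connections
            found.append((m.group(2), int(m.group(3))))
    return found


def classify(listeners: Iterable[Tuple[str, int]],
             wanted_ports: Iterable[int],
             fw_inbound_allow: Iterable[int]) -> Dict[int, str]:
    """Map each listening port to a verdict.

    wanted_ports: services the workstation is deliberately offering (assumed).
    fw_inbound_allow: ports the host firewall admits unsolicited traffic to (assumed).
    """
    wanted, allowed = set(wanted_ports), set(fw_inbound_allow)
    verdicts: Dict[int, str] = {}
    for addr, port in listeners:
        if addr in ("127.0.0.1", "::1", "[::1]"):
            verdicts[port] = "local-only"          # unreachable from the network
        elif port in wanted:
            verdicts[port] = "wanted"              # offered on purpose
        elif port in allowed:
            verdicts[port] = "exposed"             # unwanted and reachable: fix first
        else:
            verdicts[port] = "masked-by-firewall"  # second best: disable the service
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(classify(parse_listeners(NETSTAT_SAMPLE),
                                         wanted_ports={3389},
                                         fw_inbound_allow={3389, 445}).items()):
        print(f"{port:>5}  {verdict}")
```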

Yep. But I intend to solve this, as soon as I've finished calculating Pi, feed the whole world, stop global warming and stop all wars ;-)

Juergen Nieveler

Reply to
Juergen Nieveler

Would it not be more simple to change the firewall brand? :-)

I advise you to read this:

"Firewalls can help or hurt, so plan carefully"

formatting link
and

"Firewalls: Friend or Foe?"

formatting link

John

Reply to
john toynbee

Corporate decision - world peace will be much easier to achieve, unless the current rumours are true... we might get to change to a different firewall soon, and it's going to be the built-in one from MS :-(...

Juergen Nieveler

Reply to
Juergen Nieveler
