IPS vs. Firewall

What are the pros and cons of having just my IPS turned on but the Firewall feature off on my Symantec Client Security software?

I'm about to deploy this client to a large number of machines but don't want to constantly manage the firewall ports for our huge list of network applications that might be blocked unintentionally. The firewall would probably be Swiss cheese with all the ports and servers I'm going to have to allow to keep my users working successfully on my network, so I figure it wouldn't matter if that part is turned off.

Won't the IPS software portion successfully thwart attacks that are attempted on the machine regardless of the firewall functionality? Is that protection good enough?

Thanks for your thoughts in advance.

hiding_elephant

Pros: system works better. Cons: you still didn't uninstall it.

Bad idea.

No, it will support them instead.

Which protection?

Sebastian Gottschalk

I'm guessing you're not a fan of Symantec Client Security's Firewall and IPS software.

hiding_elephant

There are people in this group that will tell you that everything you install on any computer, that could protect it, is bad and will only lead to your machine being exploited. The same group will tell you that you only need Windows XP Firewall for complete protection and that nothing works better and has a better chance of protecting you.

I would suggest that you contact Symantec Support and ask them the same questions you posted here so that you can get a real answer.

Leythos

Never were truer words spoken!

Good recommendation!

Casey


Leythos wrote:

Well, it is really not one of the best ideas you could have to protect a machine with software that runs on exactly this machine.

Show me one (just one) post that suggests this.

The OP wants to protect a bunch of machines. Assuming that these are all in the same network, why for god's sake would you want to protect them with any piece of software running on the individual machines? Apart from licensing cost, this would be an admin's nightmare. Install (and administer) one packet filter at the edge, and the job is done. At least if the local machines can trust each other. Otherwise you have a serious problem anyway.

But please post their answer as well.

Regards Thomas


Because they're not behind our network perimeter firewall and IPS when users take their laptops home. Sure, they're protected with our network appliances when tunneling in via VPN but it's another story when they're out in the field.

It's already done. The post was intended for mobile users away from the protected network.

Reply to
hiding_elephant

hiding snipped-for-privacy@hotmail.com wrote:

Just do not allow them to access the internet other than by using the VPN and your corporate internet access. And don't give them local admin privileges, no matter how loud they cry. I agree that this may be hard once the user is a C-level executive.

Force them to use the protected network and prevent any other access to public networks.

Regards Thomas


I'm a fan of working and serious implementations. Symantec's software is anything but this.

And beside that, you should get a better grip on the concept of IPS, its purpose and its limitations.

Reply to
Sebastian Gottschalk

In most cases you can't allow only VPN access; you have to give them access to some network in order for the VPN to get out/connected, and that's the problem.

While many solutions can be run with users as limited accounts, some users will require administrator level accounts, and that's just the way it is.

Both levels of users need to be protected, and the OP wants to provide the protection they need.

We manage 30+ companies, all with different business types, different users, and I can't think of a single case where we were able to issue a laptop and completely restrict them to accessing only the company via VPN where they didn't first have to have some form of network connection to get there to start with. In fact, there is no way for them to VPN into their companies without a network connection, as none of them do dial-up any more.

Most of the "nightmare" you talk about is actually simple. If the computers are part of a domain, all you have to do is push the software/config out from the server to each workstation/laptop; it takes a couple of clicks and that's about it. We can roll out hundreds of AV installs in minutes in a typical network, and Symantec makes this easy.

Many people that set up VPN connections also leave them OPEN, too OPEN, meaning they leave them open enough to drive a truck through. Others secure a VPN connection and only allow terminal services through.

Not everything can fit your experience.


Leythos
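The "VPN only, but they still need enough network access to reach the VPN" policy that Thomas proposes and Leythos qualifies, written out as a host firewall rule set. This is an added example and not from the thread; it uses the built-in Windows firewall cmdlets (NetSecurity module) rather than Symantec Client Security, and the VPN server address, ports and adapter name are placeholders.

```powershell
# Added example (not from the thread): a "VPN-only" outbound policy on the host firewall,
# using the built-in Windows firewall cmdlets, not Symantec Client Security.
# It makes Leythos's point concrete: the laptop still needs enough plain network access
# (DHCP, DNS, the VPN concentrator itself) to bring the tunnel up, so "VPN only" really
# means "default-deny outbound plus a short allow list". Run from an elevated prompt.

$VpnServer = '203.0.113.10'        # placeholder: public IP of the VPN concentrator
$VpnPorts  = @('500', '4500')      # placeholder: IKE and NAT-T for IPsec; use 443 for an SSL VPN
$TunnelIf  = 'VPN'                 # placeholder: VPN adapter name as shown by Get-NetAdapter
$RuleGroup = 'Mobile VPN-only policy'

# 1. Default-deny outbound on the Public and Private profiles (home, hotel, coffee shop).
#    The Domain profile is left alone: on the corporate LAN the edge firewall/IPS applies.
Set-NetFirewallProfile -Profile Public,Private -DefaultOutboundAction Block

# 2. The minimum needed to get an address and resolve the concentrator's name.
#    Narrow the DNS rule with -RemoteAddress to your own resolvers if the VPN client
#    does not need the local network's DNS to find its server.
New-NetFirewallRule -DisplayName 'Allow DHCP client' -Group $RuleGroup -Direction Outbound `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow -Profile Public,Private
New-NetFirewallRule -DisplayName 'Allow DNS lookup' -Group $RuleGroup -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow -Profile Public,Private

# 3. The VPN concentrator itself, and nothing else on the untrusted network.
New-NetFirewallRule -DisplayName 'Allow VPN to concentrator' -Group $RuleGroup -Direction Outbound `
    -Protocol UDP -RemoteAddress $VpnServer -RemotePort $VpnPorts -Action Allow -Profile Public,Private

# 4. Everything is allowed through the tunnel adapter: that traffic reaches the corporate
#    edge firewall and IPS, which is the protection the OP wants to rely on.
New-NetFirewallRule -DisplayName 'Allow all via VPN tunnel' -Group $RuleGroup -Direction Outbound `
    -InterfaceAlias $TunnelIf -Action Allow -Profile Any

# Verify what the policy created.
Get-NetFirewallRule -Group $RuleGroup | Select-Object DisplayName, Direction, Action, Enabled
```

Deploying this as a domain GPO is the "push it from the server" step Leythos describes; the allow list in step 2 is exactly the hole that cannot be closed without breaking the VPN itself.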

Hiding_elephant, if you are concerned about your laptop users and VPN connections you may want to look at SSL VPN, layer 2-7 protection. There are a few flavours out there: Nokia secure access systems, Juniper (my fav), FS networks, Aventail networks, Array networks and AEP networks, just to name a few. You have to take a serious look at what you are covering (mid size, enterprise, TCO), and you also want to complement the current technologies that you have in place.

IMHO & HTH, Greg


flanny
