I run a few Windows boxes on a LAN at home to share an internet connection, one is a master always on, has a firewall, anti virus/trojan, all the essentials, I am wondering would I need a firewall on the slave machines too?
No, but it helps and couldn't hurt. ;) Free firewalls for Windows include the following three (assuming they haven't changed):
Outpost
Tiny Firewall
ZoneAlarm
I thought that running multiple copies of the same firewall just uses extra resources?
I could be wrong, most of the time I am! But what would be the benefit of this? Or would you try and run different firewalls? What about an IDS?
[edit]
cool link from uhu http://www.tldp.org/HOWTO/Firewall-HOWTO.html#toc3
[/edit]
It only uses the resources on the slave machines (user machines). From what I've understood from K of C is that these machines are Windows boxes. They should have AntiVirus on them but it couldn't hurt to have a host-based FW on them. Often, the host-based FWs have IDS built into them. ;)
Couldn't hurt.
Usually it is sufficient to protect your LAN with one firewall placed on the machine which is connected to the internet or directly behind it.
Some examples showing several firewall architectures you can find here: http://www.tldp.org/HOWTO/Firewall-HOWTO-3.html
I hope this helps
I have the same setup. 5 PC's sharing an Internet connection through a cable modem. I have a Win2K server with 2 NIC cards set for Internet connection sharing. I use the Pro version of Zone Alarm because the free version does not support ICS. I also use NAT just for an additional level of comfort.
I use firewalls and anti virus on all the machines.
Just ask yourself:
. is everyone who uses these machines as security conscious as you?
. does anyone on the LAN ever download files and forget to virus check them?
. are there ever any new Trojans that your anti virus program hasn’t caught up with yet?
. if one machine on the LAN gets compromised, can it spread to the rest of the LAN?
. are you SURE your server can’t be compromised and be used to infect your LAN?
Very well put IKnowNot... :)
This is what I use @ home:
4 PC's (XP) and 6 VM's (2000,98,SuSE8,Novell6,Solaris9x86,&XP)
CableModem to NAT (My router has the option to log to a couple of software firewalls) to SonicWall to ZAP (ZoneAlarmPro) but only on one PC is ZAP because I have dedicated this PC to be my "Internet" PC but all the other PC's have NAV therefore I am not worried about WAN traffic compromising my nitwit :)
My SonicWall 75 is probably a bit of overkill but configuration is always the key in a home LAN environment...there's my 2 cents
Have fun :)
Alright thanks for the replies guys, it has been very useful.
Quote:
Originally posted here by IKnowNot
I use firewalls and anti virus on all the machines.
Just ask yourself:
. is everyone who uses these machines as security conscious as you?
. does anyone on the LAN ever download files and forget to virus check them?
. are there ever any new Trojans that your anti virus program hasn’t caught up with yet?
. if one machine on the LAN gets compromised, can it spread to the rest of the LAN?
. are you SURE your server can’t be compromised and be used to infect your LAN?
@IKnowNot
You are right asking these questions. I agree with you that *every* client, as far as it is driven by a Microsoft OS, has to be virus-protected. But I think you shouldn't intermix virus protection with a firewall.
A well configured firewall is designed to protect a whole LAN from unwanted connections to and from the Internet. The advantage is that one central firewall can be maintained by qualified persons aka sysadmins. I wouldn't trust all users to be able to configure their personal firewalls accordingly. As soon as they want to share music or something else they would open port by port. So installing a personal firewall on our users' desktops and workstations would be meaningless and just burning their resources.
In fact on our laptops a personal firewall is installed though. That is because they are mobile and move to environments (hotels etc.) which can't be protected by us.
You might ask now why we don't limit the laptop users' rights so that they are not able to configure their personal firewalls themselves. Most of them are IT consultants working at our customers all over Europe. Because of this they must have the possibility to install and configure their needed applications (databases etc.). In addition to it they should at least have a basic knowledge concerning computer security and they are advised to act accordingly.
I want to summarize: In a plain LAN *one* dedicated firewall is sufficient and advantageous. If you have mobile users with laptops, additional personal firewalls should be used. And as in real life: you can't be absolutely sure. There is always remaining a "rest-risk" (correct English?). One of my tasks as a sysadmin is to minimize it.