November 14th, 2003, 12:04 AM
Multiple firewalls on same network?
Do you need firewalls for each computer on the network? (like Zone Alarm Pro) I know you need antivirus for each, but what about firewalls? I did a search but didn't find what I needed.
November 14th, 2003, 12:08 AM
It's smart to have Firewalls on all your boxes. Not to mention at least a router with NAT.
Routers built without NAT serve no protection.
DEFINITION: Network address translation (NAT) is used to remap IP #'s from one address range to another range of network addresses. For TCP and UDP, this also can include the port numbers. The IP #'s/port #'s are changed when a packet is going out through an interface and IP Filter matches it against the NAT rules.
Packets coming back in the same interface are remapped, as a matter of course, to their original address information.
I USE SUPER SECURITY MEASURES LIKE
DEFINITION: SmoothWall is a best-of-breed Internet firewall/router, designed to run on commodity Intel (or compatible) PCs, and to give an easy-to-use administration interface to those using it.
(suggestion) And speaking of configuration: the fewer services you use on an XP comp, the fewer choices for the kiddies. I'll just share with you the registry entry I created over at www.blackviper.com (excellent resource by the way). I think the guy is a genius in my opinion.
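The remapping described in the NAT definition above, as an added example that is not part of the original post or of any product named in the thread: a simplified port-translating NAT table in Python. The class and function names are hypothetical and all addresses and ports are constructed sample values.

```python
# Added illustration; addresses and ports below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Nat:
    """Simplified port-translating NAT on one outside interface.
    Assumption: no timeouts and no check of the remote endpoint on return traffic."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (proto, inside ip, inside port) -> public port
        self.in_map = {}   # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Rewrite source address/port as the packet leaves the interface."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Restore the original address/port, or return None when no mapping exists."""
        hit = self.in_map.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or hit is None:
            return None  # unsolicited: no inside host opened this mapping
        return Packet(pkt.src, pkt.sport, hit[0], hit[1], pkt.proto)

def demo():
    nat = Nat("203.0.113.10")
    out = nat.outbound(Packet("192.168.1.20", 51515, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    probe = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.10", 139))
    return out, reply, probe

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The reply to the outbound connection is mapped back to the inside host, while the inbound packet to a port with no mapping has nowhere to go and is dropped.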
November 14th, 2003, 12:10 AM
It's not totally necessary if your router has a built-in firewall, but it is a good idea. Of course, if your firewall is not configured properly then it won't make much difference, because you're screwed anyway. Personally, I have a hardware firewall in my router and I don't run any other software firewalls on the individual computers. I used to use the free version of Zone Alarm but I got tired of having to click allow even though every time I would set a rule, it just wouldn't remember it. I would say if you want to put up a firewall on each computer, go for it, you will be a little more secure, as long as you configure it properly.
November 14th, 2003, 12:18 AM
It's a practical step. Yet another layer of security can't be a bad thing... No one can argue against having more security.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
November 14th, 2003, 12:19 AM
Just a couple of thoughts based on what I have seen/experienced, NOT technical knowledge.
Your servers/network certainly need firewall protection. Some people use more than one, as they seem more tolerant of each other than AV products, however, each one represents a system overhead so you slow things down.
As for individual client boxes, this would very much depend on where you are.
You have two basic sorts of enemy... the ones outside and the ones within. The server firewalls should protect your intranet, or they are not doing their job.
If you are in a school/college, you may need an internal wall to protect the teaching staff from the predatory acts of unscrupulous students? also from crap that they have unleashed on the community due to their selfish, ignorant and antisocial behaviours.
"How do I get through the Sysadmins' block on prOn/gaming/hacker websites".......if you don't believe me just read through a few of the older threads on this site.
I guess my answer for now is that some individual machines might need an independent firewall, but keep it simple like the User
November 14th, 2003, 01:55 PM
H3r3tic: try Sygate. It's a lot better in my book.
November 14th, 2003, 02:05 PM
That's what I hear, zombiemann, but I don't use any software firewall anymore, I just trust the one in my router.
November 14th, 2003, 02:40 PM
I only use software firewalls on remote user machines. Besides NAT I do some additional port forwarding at the gateway (Cisco). The firewall attached to the router handles everything else. My biggest problem with software firewalls is that the user will look at the logs and call me saying someone is hacking their PC. Normal network traffic is sometimes reported by the firewall as SYN, ACK, etc. attacks.
nihil has the most important solution description - Keep it simple for the user.
November 14th, 2003, 03:21 PM
Hey thanks for the good information and going out and beyond my question.
November 14th, 2003, 05:02 PM
I guess it's really going to depend on the type of network you are talking about. If you are talking a personal/home network then sure, a firewall on every machine is not a bad idea... even a built in "firewall" on a router isn't a bad thing either.
But if you are talking about a business network, then I would have to say no to having a firewall on every machine. For one, the overhead would be tremendous, then configuring and maintaining those firewalls would be overkill. For a "real" network you will want a "real" firewall, something like Checkpoint FW-1 or TNG, something that allows stateful packet inspection, rules that can be set at a MAC/IP/protocol level which you can't do with things like Zone Alarm or the built-in firewalls that come with home DSL/Cable routers. Also, in a corporate environment there will almost always be more than one firewall on a network (especially if you have a DMZ set up).
All firewalls are going to be software one way or another... unless you are flipping dip switches somewhere to reflect what rules are in effect then you are going to be using a software interface of some sort to add those rules. Checkpoint offers stuff like firewall appliances which is hardware you buy from them that runs FW-1, or you can put FW-1 on a standalone machine or even get a plug-in for some of the better switches out there like Nokia (BIG-IP, TETRA)...
I have a meeting I have to go to right now, but I'll come back in a bit and finish off my thoughts on this post
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.