Originally posted here by IKnowNot
I use firewalls and antivirus on all the machines.
Just ask yourself:
. is everyone who uses these machines as security conscious as you?
. does anyone on the LAN ever download files and forget to virus check them?
. are there ever any new Trojans that your antivirus program hasn't caught up with yet?
. if one machine on the LAN gets compromised, can it spread to the rest of the LAN?
. are you SURE your server can’t be compromised and be used to infect your LAN?

@IKnowNot

You are right to ask these questions. I agree with you that *every* client, as far as it runs a Microsoft OS, has to be virus-protected. But I think you shouldn't mix up virus protection with a firewall.

A well-configured firewall is designed to protect a whole LAN from unwanted connections to and from the Internet. The advantage is that one central firewall can be maintained by qualified persons, aka sysadmins. I wouldn't trust all users to be able to configure their personal firewalls accordingly. As soon as they want to share music or something else, they would open one port after another. So installing a personal firewall on our users' desktops and workstations would be meaningless and just a waste of their resources.

On our laptops, though, a personal firewall is in fact installed. That is because they are mobile and move to environments (hotels etc.) which can't be protected by us.

You might ask now why we don't limit the laptop users' rights so that they can't configure their personal firewalls themselves. Most of them are IT consultants working at our customers all over Europe. Because of this they must have the possibility to install and configure the applications they need (databases etc.). In addition, they should at least have a basic knowledge of computer security, and they are advised to act accordingly.

I want to summarize: in a plain LAN *one* dedicated firewall is sufficient and advantageous. If you have mobile users with laptops, additional personal firewalls should be used. And as in real life: you can't be absolutely sure. There always remains a "rest-risk" (correct English?). One of my tasks as a sysadmin is to minimize it.
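As an added illustration of the "one central, default-deny firewall for the whole LAN" position above (example ruleset written for this page, not posted by either participant), here is a minimal nftables configuration for a Linux gateway. The interface names, the 192.168.1.0/24 LAN range and the SSH management rule are assumptions; adjust them to the real network. The point it makes is that nothing initiated from the Internet is forwarded into the LAN, while clients can still go out, and that this decision lives in one file the sysadmin controls rather than on every desktop.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): default-deny perimeter ruleset for a
# single LAN gateway.  Interface names and the LAN range are assumptions.
flush ruleset

define wan_if  = "eth0"            # assumption: Internet-facing interface
define lan_if  = "eth1"            # assumption: LAN-facing interface
define lan_net = 192.168.1.0/24    # assumption: internal address range

table inet filter {
    chain input {
        # Traffic addressed to the gateway itself: drop unless listed.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Management only from the LAN side (assumed: SSH on 22).
        iif $lan_if tcp dport 22 accept
        # Rate-limited ping so the box stays diagnosable.
        icmp type echo-request limit rate 5/second accept
    }

    chain forward {
        # Traffic crossing the gateway: this is the LAN protection.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN clients may initiate outbound connections; there is
        # deliberately no rule allowing WAN -> LAN, so nothing from the
        # Internet can open a connection to an internal machine.
        iif $lan_if oif $wan_if ip saddr $lan_net accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # Hide the LAN behind the gateway's public address.
        type nat hook postrouting priority 100; policy accept;
        oif $wan_if ip saddr $lan_net masquerade
    }
}
```

Load it with `nft -f` on the gateway and check the result with `nft list ruleset`. Note what this does not do: the forward chain lets any LAN host reach any Internet port, so an infected machine on the LAN can still phone home or attack its neighbours on the same segment; that is exactly the gap the thread's laptop-specific host firewalls and antivirus are meant to cover.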