
Are Desktop Firewalls Overkill?

CmdrTaco posted about 4 years ago | from the not-in-my-office dept.

Security 440

Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"


stating the obvious... (5, Insightful)

digitalderbs (718388) | about 4 years ago | (#33663212)

why not both?

Re:stating the obvious... (4, Informative)

Java Pimp (98454) | about 4 years ago | (#33663278)

Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.

Re:stating the obvious... (1)

rs1n (1867908) | about 4 years ago | (#33663486)

This is only true if your desktop firewall actually filters out something that the server-based solutions do not. There is often-times a lot of overlap, so that the desktop filters are made redundant.

Re:stating the obvious... (5, Insightful)

The Clockwork Troll (655321) | about 4 years ago | (#33663562)

Yes, this is why I lock the doors on my automobile but I leave the ignition key on the dashboard, and leave the glove compartment open and unlocked!

Finally someone who sees things as I do!

Also, first car analogy.

Re:stating the obvious... (2, Interesting)

kestasjk (933987) | about 4 years ago | (#33663672)

We're talking about having firewalls installed on desktop machines as well as having firewalls installed on server and gateway machines. Any network admin or person with an ounce of intelligence realizes this is just common sense.

You seem to be talking about having "desktop firewalls" and "server firewalls" running on the same machine, i.e. two firewall systems on the same machine, which is of course only going to lead to problems.

An important distinction to make clear because it sounded like you think desktop machines' firewalls are made redundant by server machines' firewalls, which they are definitely not.

Re:stating the obvious... (1, Insightful)

Anonymous Coward | about 4 years ago | (#33663718)

The enemy within. If your network is large enough you will have holes whether you like it or not. You will have a vendor who needs a vpn connection to debug something; you will have a customer for whom the only way to provide remote service is to have them vpn through *your* firewall in a phone-home scenario. If those outside the firewall systems are compromised then those desktop filters may not be so redundant.

Re:stating the obvious... (4, Insightful)

postbigbang (761081) | about 4 years ago | (#33663994)

There is no such thing as a secure perimeter, especially when the majority of attacks come from within "secure perimeters". Jon Honeyball is an idiot, and PC Pro just dropped another notch. His heavily caveated article doesn't have the common sense that God gave to a goose.

Each and every device that's connected in a network is potentially infected, rogue, and looking for others to maim. Every machine needs to be evaluated separately for its risk profile, as he mentions-- but you simply can't remove device security in the belief that other firewalls or services will do the unerring job of controlling the safety of a network. Run, don't walk, away from the concept of secure perimeters.

Re:stating the obvious... (4, Insightful)

KarrdeSW (996917) | about 4 years ago | (#33663748)

There is often-times a lot of overlap, so that the desktop filters are made redundant.

This is only true if your company never has anybody bring in a USB Flash Drive which could have potentially been infected on their home computer or on another company's system.

Re:stating the obvious... (3, Informative)

omglolbah (731566) | about 4 years ago | (#33663808)

It does help block the spread of a myriad of things internal to the network though.
Personally I have seen the damage done to the office network at work due to a worm that came in through usb-sticks...

While antivirus didn't detect the bugger, the thing couldn't spread to other machines due to the firewalls on individual machines blocking the vulnerable service.

Re:stating the obvious... (1)

Michael D Kristopeit (1887500) | about 4 years ago | (#33663892)

This is only true if your desktop firewall actually filters out something that the server-based solutions do not.

you mean like network traffic from compromised machines on the local network behind the firewall?

Re:stating the obvious... (1)

Hatta (162192) | about 4 years ago | (#33663620)

Layers are good, but desktop firewalls are the wrong solution. Instead of blocking ports, just don't open them in the first place.

Re:stating the obvious... (1)

0123456 (636235) | about 4 years ago | (#33663810)

Layers are good, but desktop firewalls are the wrong solution. Instead of blocking ports, just don't open them in the first place.

So then, how do I allow a few of the Linux machines on my network to access my server and none of the Windows machines? I either put another firewall box between the server and the network or I put a firewall on the server.

Re:stating the obvious... (1)

mcgrew (92797) | about 4 years ago | (#33663942)

TFA agrees: "I don't recommend you do this, but it's useful to know that you can should you decide to install some third-party protection scheme... Even so, and this is the big issue, I'm a total advocate of the layered-onion approach to security within a company..."

Re:stating the obvious... (0)

Anonymous Coward | about 4 years ago | (#33664068)

Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.

Desktop firewalls can do many things that router acls can't - identify the source of the traffic.

For example, let's say that you need to have quicktime (spit) installed on your desktop for some reason. Apple installs all sorts of crap with quicktime. What does all this crap do? Is big brother Steve spying on you? Codec download? It doesn't matter what it's doing - the desktop firewall will report that it is trying to connect and you can allow or deny that traffic based on ip address AND the program generating the traffic.

And when you try to watch a streaming video with quicktime, clearly quicktime needs to connect to the internet for that, so you can allow that traffic.

So you could have your web browser be able to connect to Apple's website, but quicktime isn't.

All sorts of programs phone home or try to do mysterious things behind your back - with a desktop firewall, you can identify & selectively allow/deny this traffic.
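As an added example that is not part of this comment or of Honeyball's article, here is the per-program control described above written as Windows Firewall rules with the NetSecurity PowerShell module (Windows 8 / Server 2012 and later; on the Vista and 7 systems discussed in the thread the same rules are created with netsh advfirewall or the Advanced Security MMC). The QuickTime and Firefox paths and the streaming host address are placeholders.

```powershell
# Added example: per-program egress control with Windows Firewall.
# Not code from the original thread. Paths and the streaming host are assumptions.
$qt        = 'C:\Program Files\QuickTime\QuickTimePlayer.exe'  # assumed install path
$browser   = 'C:\Program Files\Mozilla Firefox\firefox.exe'    # assumed install path
$streamSrv = '203.0.113.20'                                    # assumed streaming host (TEST-NET-3 address)

# Windows Firewall evaluates Block rules before Allow rules, so "this program may
# reach only host X" cannot be built from Block rules alone. Instead flip the
# profile default to Block and express every permitted flow as an Allow rule.
# Done here for the Public profile (hotspots), where an unexplained outbound
# connection matters most. The built-in "Core Networking" DNS/DHCP/ICMP rules
# stay enabled, so name resolution and address assignment keep working.
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# QuickTime: streaming host only, HTTP/HTTPS only. Anything else it tries
# (update checks, telemetry, codec downloads) is dropped and logged.
New-NetFirewallRule -DisplayName 'QuickTime - streaming host only' `
    -Direction Outbound -Action Allow -Profile Public -Enabled True `
    -Program $qt -Protocol TCP -RemotePort 80,443 -RemoteAddress $streamSrv

# The browser keeps general web access. The rule is bound to the binary, not
# to the port, so QuickTime cannot borrow it.
New-NetFirewallRule -DisplayName 'Firefox - web' `
    -Direction Outbound -Action Allow -Profile Public -Enabled True `
    -Program $browser -Protocol TCP -RemotePort 80,443

# Verification 1: which rules are bound to the QuickTime binary?
Get-NetFirewallApplicationFilter -Program $qt | Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Profile

# Verification 2: what has the firewall dropped on this profile? The log is
# W3C-style text; DROP lines carry protocol, source, destination and ports.
Select-String -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
    -Pattern '^\S+ \S+ DROP' | Select-Object -Last 20
```

Two caveats before doing this on a fleet. A default outbound Block also stops Windows Update, the VPN client and anything else without an Allow rule, so read the drop log on a pilot machine first. And a -Program rule is a path match: a process that loads a malicious DLL, or a binary dropped at the same path, inherits the permission, which is why the comment's "identify the source of the traffic" is a real gain over a router ACL but not a substitute for integrity checks on the executable.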

Re:stating the obvious... (4, Insightful)

somersault (912633) | about 4 years ago | (#33663312)

Seconded. This was going to be my exact comment.

It's like saying "We don't need seatbelts anymore - we have airbags!"

Funny you should mention that... (4, Insightful)

denzacar (181829) | about 4 years ago | (#33663512)

I was given that very advice recently while strapping on the seat-belt.
From a nurse, no less.

And I wish I had a dime for every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just a couple of minutes down the road."...

Re:Funny you should mention that... (1, Insightful)

Anonymous Coward | about 4 years ago | (#33663752)

Those aren't too bad.

What scares the daylight out of me is when people say "I can drive, you know."

Because they are always the ones who can't.

Re:Funny you should mention that... (1)

somersault (912633) | about 4 years ago | (#33664076)

Indeed. I actually have a high standard of driving, but I also prefer my passengers to wear their seatbelts ;)

No matter how well someone drives, it only takes some other idiot who can't drive to cause an accident. If you are observant then hopefully you can reduce the risk of any accident actually being serious, but still, the risk is always there. This is why I don't have a motorbike.

Re:Funny you should mention that... (1)

alta (1263) | about 4 years ago | (#33663956)

With the way I drive, I feel insecure not having a seatbelt. Hell, I should get a 5point harness...

At least I've never done this with my pathfinder

Re:stating the obvious... (1)

rs1n (1867908) | about 4 years ago | (#33663600)

No, there is enough of a distinction between the functions of an air-bag and a seat belt that actually warrants having them both. A seat belt will keep you inside your car as opposed to flying through the windshield. An air bag protects you from smashing up hard against the dash, but it will likely not keep you inside your car should your car overturn, roll, or you get hit so hard you would normally fly through w/out a seat belt. On the other hand, a desktop firewall and a server-based firewall have too much of an overlap in terms of their function.

Re:stating the obvious... (1)

JustNilt (984644) | about 4 years ago | (#33664010)

Great points. It's often overlooked that a seat belt also keeps the driver secured in the seat in case of sudden stops, swerves, etc. This keeps them in control of the vehicle when they may otherwise be thrown around the cabin. This protects not only the driver and their passengers but others on the road.

Likewise, a properly configured firewall does more than simply block incoming worms. They can help prevent an infection from spreading beyond the local machine as well as other network management, depending on the needs.

Re:stating the obvious... (1)

somersault (912633) | about 4 years ago | (#33664140)

They do, but some devices inside your network may not be capable of running their own firewall.

At work we do generally rely on a firewall on the main router rather than on individual machines, but that means that if a device behind the firewall is compromised then it basically has free rein on the whole network, which isn't the best situation.

Re:stating the obvious... (0)

Anonymous Coward | about 4 years ago | (#33664098)

"How can you trust a man who wears both a belt and suspenders? The man can't even trust his own pants." --Frank

Re:stating the obvious... (2, Insightful)

socsoc (1116769) | about 4 years ago | (#33663402)

No kidding, desktop firewalls protect against threats on your internal network. They aren't a replacement, but a complement to your border protection.

Re:stating the obvious... (1)

raventh1 (581261) | about 4 years ago | (#33663542)

Especially when you have broken services/daemons sitting in the open running vital public services, you should definitely use multiple layers.

For general users, going beyond the standard windows firewall really isn't that necessary if you have a decent NAT (which I assume most everyone does these days still on ipv4)

Only rely on trust when you need access to things. Don't leave your fly open.

Re:stating the obvious... (1)

CAIMLAS (41445) | about 4 years ago | (#33664128)

They are a necessity in a scenario where the most active threat is actually sitting at the computers in question.

Desktops, regardless of their type, should be on their own networks with means to filter/actively block traffic, if at all possible. They should also have individual firewalls which inhibit any incoming connections and block unapproved traffic going out.

With as easy as it has become for a Windows workstation to be infected, doing anything else is asking for infosec breaches.

Re:stating the obvious... (2, Insightful)

rs1n (1867908) | about 4 years ago | (#33663428)

It's system resources that could be better put to use, however little (that gets used by the desktop firewall) this may be. My personal reason for not really caring for Windows' built-in firewall setup is that there is almost no configuration beyond clicking a button that says "turn on" or "turn off" the feature and a list in which you can add program exceptions. The problem with a completely configurable firewall is that most users don't know what the hell they have to do to set up good rules. On the other hand, having merely a button that says "turn on the firewall" just doesn't cut it either because you have absolutely no control over what is being blocked. Where's the happy medium?

Re:stating the obvious... (1)

aster_ken (516808) | about 4 years ago | (#33663572)

On Windows XP this is certainly true, but both Windows Vista and Windows 7 have a more sophisticated firewall configuration tool under Administrative Tools. Since the article also talks about server operating systems, I should note that Windows Server 2003 SP1 and later also include this tool.

Re:stating the obvious... (2, Insightful)

sdnoob (917382) | about 4 years ago | (#33663454)

Because the typical computer USER doesn't know squat about network or system security.

Defense in depth (5, Insightful)

TopSpin (753) | about 4 years ago | (#33663476)

The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.

This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.

Re:Defense in depth (2, Informative)

Anonymous Coward | about 4 years ago | (#33663724)

I had to search for "defense in depth". No one else mentions this at this point.

It's obvious, the more obstacles for an attack, the better.

Desktop firewalls have evolved from only being packet filters. Some have stateful inspection, some have HIDS functionality (e.g. allow only firefox.exe with md5sum "X" to be executed) and are now increasingly combined with Antivirus/antimalware software.

Depending on them is dangerous, but all together they form a layering of defense mechanisms that either stop or slow down an attack, giving you enough time to react if possible.

Re:Defense in depth (1)

mlts (1038732) | about 4 years ago | (#33663840)

Maybe this is a good argument for having NICs that have hardware firewalling. This way, Windows can be left wide open, but unless the hardware configuration utility is explicitly run to open ports on the NIC, nothing will be able to get in, except perhaps ping, and if done right, the hardware card would handle that [1], and not let that touch the OS at all. Couple this with an outgoing rule to block port 25 out so if the laptop does get rooted, it won't turn into a spam server, and that is a decent security solution on the road.

More advanced NICs could even have code to check for malware in flight, offer dynamic IP blackholing, and other features. This way, the OS security is less of an issue.

[1]: It could go as far as having a NAT and abstracting all network function, so no matter what the real configuration is, Windows on the laptop thinks it has a dynamic IP, while the IP stack on the NIC takes care of answering anything incoming from remote.

Re:Defense in depth (2, Insightful)

hodet (620484) | about 4 years ago | (#33663898)

While I agree this is pretty straightforward there are no stupid questions. Anyone that instills that atmosphere in our meetings is equally a liability. This was a "dumb" question that has been well answered by many posts, including the first part of your answer.

Re:stating the obvious... (4, Interesting)

Gadget_Guy (627405) | about 4 years ago | (#33663524)

The article started to address this, but failed miserably.

One group will undoubtedly be saying "there's no harm in running both client- and server-side firewalls, so why even contemplate the heresy of turning off the built-in Windows firewall?" You would of course be right, except for one thing - it's actually quite hard to turn off the built-in firewall

Ah, what? The reason for not turning off the firewall is that it is hard to turn off the firewall? That makes no sense at all. It also doesn't seem too hard to me. In Win7, type firewall into the start menu search box and click on Windows Firewall. From there, choose "turn firewall on or off".

The reason for leaving the firewall on is to give a last line of defence if someone gets around the server protection. It also acts as a barrier when idiots decide to add an unauthorised wireless access point onto the network.

Re:stating the obvious... (1)

fwarren (579763) | about 4 years ago | (#33663744)

The problem lies with the fact that dial-up users were getting owned. People on broadband were able to rely on the firewall in their cable/DSL modem.

What Microsoft should have done is have a security policy where the firewall is turned on and off with a dial up connection.

Re:stating the obvious... (1)

e065c8515d206cb0e190 (1785896) | about 4 years ago | (#33663794)

Because it has a cost if you do it properly.
And the gain on top of your point-of-entry firewall is only marginal.

Re:stating the obvious... (2, Funny)

alta (1263) | about 4 years ago | (#33663982)

I prefer using desktop firewalls to restrict ports 1-65535 tcp/udp outbound on the client machines. It helps keep them focused.

Hardly Overkill (1)

geminidomino (614729) | about 4 years ago | (#33663214)

I prefer the phrase "completely inadequate."

Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.

Re:Hardly Overkill (1)

nizo (81281) | about 4 years ago | (#33663308)


So I shouldn't turn on my firewall when I am in a coffee shop? Assuming I only use ssh and ssl, theoretically with my firewall in place I couldn't care less what kind of nastiness is floating all around me.

Re:Hardly Overkill (2)

somersault (912633) | about 4 years ago | (#33663336)

Kind of like Wolverine? Cool!

Re:Hardly Overkill (1)

Lunix Nutcase (1092239) | about 4 years ago | (#33663368)

Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.

So it's a second layer of defense for your internal organs? That's a bad thing, how?

Re:Hardly Overkill (4, Insightful)

drinkypoo (153816) | about 4 years ago | (#33663372)

Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.

That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?

The desktop firewall is completely necessary. It is, however, also inadequate.

Re:Hardly Overkill (2)

Zero__Kelvin (151819) | about 4 years ago | (#33663646)

"Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body."

The Slashdot user name "BadAnalogyGuy" is already taken ... and at the risk of being modded down, might I suggest learning about computer security before pretending you understand it on Slashdot?

Not if you're surfing porn. (0)

Anonymous Coward | about 4 years ago | (#33663220)

'nuff said.

Flash drives, tarballs, &c. (1)

Poodleboy (226682) | about 4 years ago | (#33663222)

So how does this protect users against infected flash drives, downloaded tarballs, &c.?

Re:Flash drives, tarballs, &c. (1)

0racle (667029) | about 4 years ago | (#33663276)

How does a desktop firewall protect them from that?

Re:Flash drives, tarballs, &c. (0)

Anonymous Coward | about 4 years ago | (#33663426)

It doesn't, but by preventing the infection from getting out of the computer, they keep the other users from being affected by this user's stupidity.

Desktop firewalls serve two purposes: keeping external bad people out by blocking incoming connections, and keeping the results in by blocking outgoing ones.

Re:Flash drives, tarballs, &c. (4, Informative)

Imagix (695350) | about 4 years ago | (#33663598)

When the person who sits next to you gets infected, your desktop firewall still defends against his machine attempting to infect yours.

Re:Flash drives, tarballs, &c. (0)

Anonymous Coward | about 4 years ago | (#33664110)

And your desktop is running vulnerable services on ports open to the rest of the network WHY exactly? Network config fail.

Re:Flash drives, tarballs, &c. (1)

Lunix Nutcase (1092239) | about 4 years ago | (#33663290)

It doesn't. That would be the point of an antivirus/malware scanner.

Re:Flash drives, tarballs, &c. (4, Informative)

DJ Jones (997846) | about 4 years ago | (#33663328)

Not to mention network attacks that originate inside your NAT. For example: that dumb ass down the hall who keeps clicking on viagra links in his emails.

What are you going to do? Put a hardware firewall on every cord?

Re:Flash drives, tarballs, &c. (1)

Rich0 (548339) | about 4 years ago | (#33663438)

No, but you could put one in every switch. I suspect that this is the kind of solution being advocated. If every packet is virus-scanned/filtered/etc by the switch, then the risk of an outbreak is much lower.

The problem comes with wireless users who roam - I think that PC-based solutions make sense there.

Re:Flash drives, tarballs, &c. (2, Insightful)

pushing-robot (1037830) | about 4 years ago | (#33663382)

It doesn't. And that's why enterprise computers are so good at spreading worms; as soon as one PC behind the firewall gets infected they all fall.

Seems like a rather silly article, as most medium-large business I've encountered already shut off desktop firewalls since the hassle of managing a firewall on every machine often outweighs the risks.

Re:Flash drives, tarballs, &c. (1)

smash (1351) | about 4 years ago | (#33663610)

Seems like a rather silly article, as most medium-large business I've encountered already shut off desktop firewalls since the hassle of managing a firewall on every machine often outweighs the risks.

Most medium-large business IT staff are idiots. That doesn't make them right.

How are those relevant? (0)

Anonymous Coward | about 4 years ago | (#33663480)

A firewall doesn't give any protection against those, either... It's the antivirus software that should take care of those. Even if you meant "Okay, but suppose that an infection manages to bypass the centralized firewall and get into the network AND antivirus doesn't remove it, what then?" I don't think that it is such a problem. Assuming that centralized firewalls are implemented properly (as opposed to some absurdly horrible "LAN of 500 computers and a single firewall between their gateway and the internet" solution), it shouldn't be able to spread far within the network and should be located quickly. It might even be preferable to a situation where a desktop is infected but the infection is hidden from the network by a working desktop firewall.

But yeah. Obviously the main benefit of desktop firewalls is the ease of customization. Each computer can - if necessary - be whitelisted for some type of traffic that most of the computers shouldn't have. That can be done with a centralized solution, too, but is usually somewhat more complicated.

I dunno. Perhaps we'll get rid of this distinction if all this cloud-buzz actually gets us somewhere.

Re:Flash drives, tarballs, &c. (0)

Anonymous Coward | about 4 years ago | (#33663536)

It doesn't, but neither does Windows Firewall.

Re:Flash drives, tarballs, &c. (1)

Poodleboy (226682) | about 4 years ago | (#33663580)

Good question. It seems to me that a "firewall" in the normal sense of the thing that allows connections only on particular ports using particular protocols will not protect against such infections, but I got the impression from the article that the author was using the term more loosely than that. His example of the SQL Slammer suggests this, because presumably it arrives through acceptable firewall (in the strict sense) doors...

Re:Flash drives, tarballs, &c. (1)

alta (1263) | about 4 years ago | (#33664056)

You don't have to worry about tarballs. If you get one of those, BP will pay to have it removed. Or rather our government 'heavy' will lean on BP until something is done about it...

Been doing that since day one. (0)

Anonymous Coward | about 4 years ago | (#33663238)

In my experience dealing with corporate IT, the Windows firewall does far more bad than good. It's better to have one firewall with the appropriate policies than X that may or may not be correct. I thought everyone did this.

Re:Been doing that since day one. (3, Informative)

smash (1351) | about 4 years ago | (#33663576)

In your experiences with corporate IT, your corporate IT staff have thus been incompetent.

Windows firewall is configurable via group policy, with multiple profiles for both inside and outside of your network. Your perimeter firewall will NOT save your network from some arse-clown plugging in an infected box. It will NOT save your laptop from being infected whilst in use at a wifi hotspot.

It will also not protect your network from some idiot plugging in an unsecured Wifi access point, or for that matter hopping onto a machine left logged in and unlocked.

The perimeter firewall mitigates the bulk of the threats to your corporate network sure, but if you have nothing else to protect your internal hosts, you're leaving yourself open to getting screwed, big time.

Re:Been doing that since day one. (0)

Anonymous Coward | about 4 years ago | (#33663642)

In my experience dealing with corporate IT, the Windows firewall does far more bad than good. It's better to have one firewall with the appropriate policies than X that may or may not be correct. I thought everyone did this.

Well since the Windows Firewall is fully configurable via group policy, there is no reason why you would have multiple Windows Firewall configurations on a properly configured network. I thought everyone did this.

Re:Been doing that since day one. (1)

Joe U (443617) | about 4 years ago | (#33664102)

The only time I don't set up a firewall group policy is for micro-domains. If you have under 3 workstations but several servers. (Very small hosting company, SQL, Mail, Web x 3, File, lots of contractors, almost no in-house users).

Just because it's easy to use Windows wrong, doesn't mean you get to blame Microsoft, the system is a tool, use it properly.
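An added example, not from the thread, of the "configured via group policy" baseline the replies above describe, written with the NetSecurity PowerShell module (Windows 8 / Server 2012 and later; the same settings exist in the Windows Firewall with Advanced Security node of a GPO on the Vista, 7 and Server 2003 SP1+ systems discussed earlier). It also answers the earlier question about letting only a handful of named hosts reach a server while every other machine on the LAN is refused, and the point about a rooted laptop turning into a spam relay. The GPO name, subnets, host addresses and mail-submission port are placeholders.

```powershell
# Added example: host-firewall baseline that can be pushed by Group Policy.
# Not from the original thread. GPO name, subnets and addresses are assumptions.
$store      = 'corp.example\Workstation and Server Firewall'   # assumed GPO, "<domain>\<GPO name>"
$mgmtSubnet = '10.0.10.0/24'                                   # assumed IT/management subnet
$dbClients  = '10.0.5.10', '10.0.5.11'                         # assumed: the only hosts allowed to reach SQL

# Use -PolicyStore localhost to try the same commands on one machine first;
# rules written to a GPO store apply wherever that GPO is linked.
$common = @{ PolicyStore = $store; Enabled = 'True'; Profile = 'Domain' }

# 1. Every profile on, inbound default Block, drops logged. The Domain profile
#    is selected automatically when the host can reach a DC, so a laptop on
#    hotel Wi-Fi lands in Public with the same default Block.
Set-NetFirewallProfile -PolicyStore $store -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. Remote administration reachable from the management subnet only.
New-NetFirewallRule @common -DisplayName 'Mgmt - RDP' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtSubnet
New-NetFirewallRule @common -DisplayName 'Mgmt - WinRM' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985 -RemoteAddress $mgmtSubnet
New-NetFirewallRule @common -DisplayName 'Mgmt - ICMP echo' `
    -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $mgmtSubnet

# 3. Server side: SQL Server accepts connections from the two named clients
#    and from nobody else on the LAN. The rule is scoped by address; hosts not
#    in $dbClients fall through to the profile default and are dropped.
New-NetFirewallRule @common -DisplayName 'SQL - named clients only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 -RemoteAddress $dbClients

# 4. Egress: workstations never originate SMTP. Mail clients submit through
#    the corporate mail server (assumed: submission on 587), so outbound TCP 25
#    from a workstation is a compromised host trying to relay. Block and log it.
New-NetFirewallRule -PolicyStore $store -Enabled True -Profile Any `
    -DisplayName 'Block outbound SMTP' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 25

# 5. Audit: list inbound Allow rules in the store whose remote address is
#    unrestricted. Each one is a hole the perimeter firewall never sees.
Get-NetFirewallRule -PolicyStore $store -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile
```

Writing to a GPO store needs the Group Policy management tools and rights on that GPO; the audit in step 5 is the part worth running against localhost on any machine where someone has "temporarily" turned the firewall off or added a rule by hand. Note that the firewall can only discriminate by address, so "the Linux machines but not the Windows machines" in the earlier question only works if those Linux hosts have fixed addresses or their own subnet.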

I guess he's not heard of defense-in-depth then... (4, Insightful)

Zocalo (252965) | about 4 years ago | (#33663282)

I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?

Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...

Re:I guess he's not heard of defense-in-depth then (1)

KhabaLox (1906148) | about 4 years ago | (#33664154)

so why wouldn't you use one if you have the budget and know how?

Those are two pretty big ifs for a lot of SMBs, including the one where I'm responsible for this stuff. I got my job because I was the most computer savvy person in the office (not saying much), and I managed to convince them that my ability to write elementary macros in Excel and simple SQL queries made me qualified to manage a ~40 workstation, 4 server network. God help me if anything serious happens.

It also means... (1)

Ynsats (922697) | about 4 years ago | (#33663294)

...that you have uninterrupted flow of shared network resources on your network. Unless, of course, permissions are set up to prevent that.

I run a hard firewall and gateway at home as well as MAC address access so I can keep others off of my wired and wireless networks without having to compromise the ease of use a home network should allow. It's nice being able to have a media center with data files, and attached carousel drives so I can actually watch any movie or listen to any music from any spot in my house. To do that easily and with little hassle, I got rid of all of my soft firewalls. It also means that I have a remote or two laying around instead of stacks and stacks of DVD cases, CD cases or MP3 players and rats nests worth of dongles, audio/video input cables and such laying around and cluttering up the place. Less junk for the pets and kids to chew on, yank on or destroy as well.

Re:It also means... (1)

DarkXale (1771414) | about 4 years ago | (#33663674)

You make it seem as if firewalls don't permit this with as little hassle. I've got a nice 16 port switch at home connected with a solid wireless router just to bring the 30 or so different devices that need connectivity to the Internet, the local network server (particularly the TV playback device), and each other. They do so fluently, with no hassle, despite soft firewalls in place. And as a bonus, the system isn't nearly as easy to break down in the event of a compromised system - e.g. one of the kid's friends' computers... and they're still capable of accessing each other and the server files in standard manners.

Re:It also means... (1)

Ynsats (922697) | about 4 years ago | (#33664108)

No, I don't make it seem that way. You have a different solution in place and take exception to my comments and are projecting your thoughts on me. I said it makes it easier to not have to deal with it. I am happy with my level of protection on my network with the method I employ. What makes it easier is not only that I don't have to deal with any errors or connectivity problems between network resources over conflicting firewalls but I also do not have to deal with updating and maintaining every single soft device I have.

See, I do network and system security for a living. I deal with threat mitigation all day, every day. Sometimes all night and on weekends as well. I really don't want to do it on my home network as well. So my solution works for me and affords me the ease of use that something as simple as a refrigerator or a coffee maker does. It does what I need it to do, it does it automatically, has a fair amount of safety built in, I don't have to think about it and if it has an issue, it tells me it needs my help.

If your complex solution affords you a peace of mind that you feel you cannot get any other way then good for you. My post is not a detraction of your configuration but rather a voicing of support for the OP's configuration because mine is similar. Don't make it more than it is.

Desktop firewalls are necessary (4, Insightful)

teridon (139550) | about 4 years ago | (#33663340)

Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P

Re:Desktop firewalls are necessary (1)

The MAZZTer (911996) | about 4 years ago | (#33663540)

And then the virus disables the desktop firewall so it can spread. What's your point?

Re:Desktop firewalls are necessary (2, Insightful)

0123456 (636235) | about 4 years ago | (#33663650)

And then the virus disables the desktop firewall so it can spread. What's your point?

How is a virus on someone else's machine going to disable the firewall on my machine?

Defense in Depth (5, Insightful)

rotide (1015173) | about 4 years ago | (#33663352)

Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.

Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.

"Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."

Frankly, it sounds like he just wants to write an article with an absurd title to get clicks. Nothing of value to see here.

What a moron (1, Informative)

Anonymous Coward | about 4 years ago | (#33663356)

This guy apparently never heard the words "defense in depth."

I run both. (0)

Anonymous Coward | about 4 years ago | (#33663366)

What about when you are on your AirCard and not behind the network with the firewall appliances and all? So you should be completely exposed to all that is out there on the Internet? What if you are connecting to a network at a client's location? You are not sure what they have for protection in place.

Multiple layers of security == good. (1)

grub (11606) | about 4 years ago | (#33663380)

Assume Joe User brings in an infected USB stick and his local AV misses the new bug. A desktop firewall on other machines could prevent it from spreading to them (if designed to spread through the network.)

At work we're putting L3 ACLs on our switching gear to help with that risk but I wouldn't want to disable firewalls via a GP just yet.

Machine firewalls == symptom of bad design (4, Interesting)

HBI (604924) | about 4 years ago | (#33663394)

A machine firewall does protect the computer from the listening ports that the OS allowed ITSELF to open.

A simple correspondence list of listening port to application would have killed this issue dead at the beginning. Of course, then people would ask why so much crap needs to be open by default on Microsoft operating systems. For added hilarity, the OS now allows applications to insert their own machine firewall exceptions.

And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.

Re:Machine firewalls == symptom of bad design (2, Insightful)

Zero__Kelvin (151819) | about 4 years ago | (#33663558)

"A machine firewall does protect the computer from the listening ports that the OS allowed ITSELF to open."

Sure it does that, but it does a lot more. For example, I might want to allow ssh access from one, a few, or all systems on my internal LAN, but block them from the other side of the DMZ. Just how do you propose to do that without a firewall local to the machine?

"And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning."

Right. A secure building is already secure. What the hell do I need locks for? I guess I'll remove them.

Re:Machine firewalls == symptom of bad design (0)

Anonymous Coward | about 4 years ago | (#33663806)

Just how do you propose to do that without a firewall local to the machine?

All traffic goes through your router(s). I'm sure you're bright enough to figure out how to configure it.

Re:Machine firewalls == symptom of bad design (1)

Zero__Kelvin (151819) | about 4 years ago | (#33663880)

"All traffic goes through your router(s). "

You might want to look up the term ethernet hub.

Re:Machine firewalls == symptom of bad design (1)

chill (34294) | about 4 years ago | (#33664060)

Do they still make these? And what would be the reason for not spending the extra $5 and getting an ethernet switch?

Might be overkill (1)

nizo (81281) | about 4 years ago | (#33663400)

If you can control every network connection behind your main firewall, and every machine, and can verify they are all always patched and malware free at all times. Of course laptops that travel around and places where anything can be plugged in pretty much make this impossible.

Conficker spread via admin shares on Windows (0)

Anonymous Coward | about 4 years ago | (#33663420)

One of the ways the Conficker worm spread on Windows was via admin shares. It is also a technique used by other malware.

Having a centrally managed firewall between the Internet and the Intranet is fine but you need protection against malware spreading if it gets onto the Intranet.

Whatever, it just doesn't work. (3, Interesting)

h00manist (800926) | about 4 years ago | (#33663432)

In order to get a terminal which does something as simple as read all websites, it has to support a ton of bloated technologies, which more or less forces you to run some expensive bloaty OS, with a bunch of other protections. Gigabytes of support libraries to display a page. Websites are supposed to be universally readable. Thankfully now mobile devices are popular and low-powered, perhaps now the universal-readable concept and argument will gain more strength over the most-visual-selling argument.

idiot journo doesn't understand network security (1)

smash (1351) | about 4 years ago | (#33663434)

... film at 11.


Defense in depth (5, Informative)

Urban Garlic (447282) | about 4 years ago | (#33663450)

The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.

But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.

Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.

It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.

Re:Defense in depth (1)

omglolbah (731566) | about 4 years ago | (#33663952)

Working in the process control industry I can attest to firewalls sometimes being a pain in the ass...

But I am more than willing to live with having to open a port every leap year.. I've done it once in 2 years and the firewall is not that permissive of stuff...

And I run all kinds of crud on the machine.. ModbusTCP simulators, serial server connections on odd ports, PLC programming tools over tcp/ip and various other odds and ends.. Most of it is whitelisted already, but on the odd chance that it isn't I whitelist it (once in 2 years...) and send an email to support asking them to whitelist said app. Works quite well and hardly destroys productivity.

Not anywhere near as much as a nasty worm infestation does... hate those >.

Yes, you should. (1)

Anonymous Coward | about 4 years ago | (#33663508)

It's called defense in depth. You don't want a config screw up on your main firewall to put all of your computers at risk.

More work (0, Flamebait)

MahariBalzitch (902744) | about 4 years ago | (#33663530)

Having an end user using any additional security software that is not managed by the enterprise is just asking for a headache.

A complete solution with a caveat (1)

Kalidor (94097) | about 4 years ago | (#33663554)

Generally, I view the software firewall as adding a final all around security strategy to the protection afforded by your hardware firewall, but there's a catch. Hardware firewall is there for prevention and mostly to block "bad stuff " from coming in and occasionally from going out. The software firewall is more of an alert system. Generally, I find it more useful for being alerted to opening up potential attack vectors than anything. If you run a program that opens up some ports you are alerted to it and it makes you think (assuming you have the background and proper information) on whether or not you really want that port opened. Additionally, it might alert you earlier if you've managed to actually catch "bad stuff" and tell you it's time to format.

All that said, it means that for the average user it's useless. For them it would need to be run in transparent mode with all suspicious actions sent to someone that can actually interpret them.

That said, if you are on a foreign network, something is better than nothing. Frankly, in the case of foreign networks, I try to always make use of a small hardware firewall/router/wifi AP that I keep in my laptop case as my primary and treat the software firewall as an alerter/backup.

Err, what? (4, Informative)

Penguinisto (415985) | about 4 years ago | (#33663560)

Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.

Journalists... (1)

Kidbro (80868) | about 4 years ago | (#33663574)

And this, ladies and gentlemen, is why John Honeyball is writing about IT, rather than actually solving any problems with it.
That, or possibly the other way around. It's hard to judge cause and consequences.

But, lest anybody be confused, there is no single point where security is not a concern. The only way to reach adequate (heh) security is to stop all components from doing more than they need, rather than just one. A functioning such approach pretty much obsoletes the need for specific "security devices" such as firewalls (although they may be nice to have as an extra safety net). Any approach which relies solely on specific security devices leaves you vulnerable as soon as you have failed to predict an attack from a direction they do not block - and there will always be one of those.

Hasn't changed since Walls were invented (1)

RivenAleem (1590553) | about 4 years ago | (#33663586)

Ever since man invented the wall, first around his own house, then around the village and eventually around an entire city, they have still kept locks on their doors (where available).

If something penetrates the outer defence you need to keep yourself secure in your own dwelling, and you also need to have some security against a threat from within.

Firewalls should be on every PC capable of storing information separate from the server (so, a dumb terminal needs no security beyond logon scripts etc.).

The End.

Personal Hygiene (0)

Anonymous Coward | about 4 years ago | (#33663680)

Desktop firewall is to protect you from the other idiots in the office and their zombie PCs.

Part of the problem with PC security.... (4, Insightful)

QuietLagoon (813062) | about 4 years ago | (#33663756)

... is that people, like this Jon Honeyball guy, who do not have a clue about computer security, are telling people how computer security should be done.

As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.

Maybe the next thing that Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.

Only if all desktops run Linux (0, Flamebait)

flyingfsck (986395) | about 4 years ago | (#33663768)

Firewalls were pretty much invented to protect Windows machines. They are still required for that task.

Only takes one (0)

Anonymous Coward | about 4 years ago | (#33663782)

Would you put your desktops on the Internet with no firewall?

It's basically the same thing. One infected machine basically nullifies your outer firewall that's "protecting" all your desktops. Running no firewall on a machine means you trust all the machines within that segment of your network. Desktop machines get infected all the time. You shouldn't trust them. That's why all machines should be running with some sort of protection.

WRT the article, yes, you should have many many gatekeepers. Some gatekeepers you pay more attention to, sure. There's nothing wrong with having lots of gatekeepers. It's like saying "We lock the gates to the city at night. There's no reason to have a lock on your front door."

You can't trust everyone all the time. Just the way it is.

Defense-in-Depth (1)

lymond01 (314120) | about 4 years ago | (#33663884)

Other posters have pointed out the obvious. What if your LAN firewall is breached? What if there's a rogue computer brought into your network? Rogue flash drive? Or just Rogue? She could absorb all your powers and then you wouldn't be IT. You'd be just. like. everyone. else.

One of our departments runs egress filtering on their desktops -- only certain applications and external ports can be accessed: 80, 22, 443, etc. If a computer gets infected by a new virus, it can't jump from computer to computer nor take advantage of other systems with non-normal open ports on or off the network.
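The two host-local policies described in this thread (ssh accepted only from the internal LAN and blocked from the DMZ side, and egress filtering that lets new connections out only to ports 80, 22 and 443) expressed as a small first-match rule engine. This is an added example, not code from any poster; the subnets, packets and port list are constructed sample values.

```python
"""Host firewall policy as a first-match rule list (added example; the
subnets and packets below are constructed, not from any post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed internal LAN
DMZ = ip_network("10.0.0.0/24")      # assumed DMZ segment ("other side")
EGRESS_PORTS = {80, 22, 443}         # ports named in the egress-filtering post


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False  # reply within a connection already accepted


# A rule is (name, predicate, verdict); the first matching rule wins and
# anything left unmatched falls through to the default verdict (drop).
INBOUND = [
    ("established", lambda p: p.established, "accept"),
    ("ssh-from-lan", lambda p: (p.proto == "tcp" and p.dport == 22
                                and ip_address(p.src) in LAN), "accept"),
    ("ssh-from-dmz", lambda p: (p.proto == "tcp" and p.dport == 22
                                and ip_address(p.src) in DMZ), "drop"),
]
OUTBOUND = [
    ("established", lambda p: p.established, "accept"),
    ("egress-whitelist",
     lambda p: p.proto == "tcp" and p.dport in EGRESS_PORTS, "accept"),
]


def evaluate(rules, pkt, default="drop"):
    """Return (verdict, rule_name) for the first rule matching pkt."""
    for name, match, verdict in rules:
        if match(pkt):
            return verdict, name
    return default, "default"


def demo():
    """Run constructed sample packets through both chains."""
    return {
        "lan-ssh": evaluate(INBOUND, Packet("192.168.1.20", "192.168.1.5", "tcp", 22)),
        "dmz-ssh": evaluate(INBOUND, Packet("10.0.0.7", "192.168.1.5", "tcp", 22)),
        "lan-rdp": evaluate(INBOUND, Packet("192.168.1.20", "192.168.1.5", "tcp", 3389)),
        "web-out": evaluate(OUTBOUND, Packet("192.168.1.5", "203.0.113.9", "tcp", 443)),
        "odd-out": evaluate(OUTBOUND, Packet("192.168.1.5", "192.168.1.21", "tcp", 4444)),
        "reply-in": evaluate(INBOUND, Packet("203.0.113.9", "192.168.1.5", "tcp", 51000, True)),
    }


if __name__ == "__main__":
    for name, (verdict, rule) in demo().items():
        print(f"{name:9} -> {verdict:6} ({rule})")
```

The "odd-out" case is the one the egress-filtering post cares about: a freshly infected host trying a non-standard port to a neighbour gets dropped by default even though the perimeter firewall never sees that traffic.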

Desktop Firewalls are Useless (1)

MrTripps (1306469) | about 4 years ago | (#33663936)

I have yet to actually find an instance where a desktop firewall helped in any way. Mostly they just get in the way of things and create another piece of software that has to be naggingly trained and updated.

short answer? (1)

erroneus (253617) | about 4 years ago | (#33663980)


There are all sorts of nasty things that can be done unless incoming IP access is filtered. Worms are spread in this way.

If you aren't using a door, leave it closed.

Server machines, maybe. Desktop machines, no (1)

jorgander (1647371) | about 4 years ago | (#33664078)

The first thing I do when setting up my Windows PC is turn off the firewall and other unnecessary features like anti-virus or system restore. I back up any files I want on a weekly basis and simply format and rebuild my PC should it become compromised. I get a new PC every 2-3 years, and have never had to restore it due to a virus or other such infection.

My work PC, however, is a different story. IT maintains strict control of the computers and has all kinds of security crapware installed. You can't navigate around windows explorer without it taking a second or two (in some cases, longer) to display contents of directories and open files. System startup takes forever - when I get to work in the morning I'll turn the computer on and go to the cafeteria to get breakfast... sometimes it *still* isn't responsive by the time I get back.

How about an application level firewall... (4, Insightful)

CajunArson (465943) | about 4 years ago | (#33664130)

I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded." While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.
