MS recommends users firewall all connections on a LAN?


Sooner Al

In light of the recent advice by Microsoft to firewall *ALL* connections on a LAN to protect the
networked PCs from other infected PCs, how does one enable ICF on the private LAN NIC of an ICS box?

From the FAQ...

http://www.microsoft.com/security/protect/firewall.asp

****************************************
Q. Should I enable the Internet Connection Firewall on all computers on my home network?

A. Yes. If you have multiple network connections on any of your computers, you should turn on
ICF for each connection. When you turn on the firewall for each network connection, it can interfere
with file and print sharing and prevent your computer from finding other network devices. To allow
these types of uses, you can manually open network ports. When network ports are left open, the
protection provided by ICF for your computer is reduced.

****************************************

Note this answer by Ken Wickes, MSFT, a while back...

http://groups.google.com/[email protected]#link3

So, what to do other than to run a third-party firewall on that one interface?
 

Ron Lowe

Sooner Al said:
In light of the recent advice by Microsoft to firewall *ALL* connections on a LAN to protect the
networked PCs from other infected PCs, how does one enable ICF on the private LAN NIC of an ICS box?
[...]


Hmm, you spotted that too.

This question was raised during the request for feedback on this article.
I'm not aware of any satisfactory official response on how you are meant to
perform F+P sharing with every interface firewalled, other than a vague
comment that normal LAN functionality may be compromised. A linked article
shows how to make holes in the firewall, but does not explicitly tell how to
enable F+P sharing.

IMHO, the advice is bad, and does not consider the various network
configurations.

Typically, you want f+p sharing to be permitted between LAN machines, but
closed to the Internet.
ICF does not permit this distinction.

For that reason, I still recommend NOT enabling the XP firewall on an
internal LAN connection, in spite of what the article says.

If you want to firewall an internal LAN connection in addition to the
firewalling provided by NAT, then I'd suggest you use a third-party product
like ZoneAlarm, where you can define a local zone and permit F+P sharing on
the local zone.
 

Sooner Al

I agree with your thoughts... I posted this mainly as a mechanism to get a discussion going...

Thanks...

--
Al

Please post *ALL* questions and replies to the news group for the mutual
benefit of all of us...Unsolicited personal emails are *NOT* answered.

Ron Lowe said:
[...]
 

Ken Wickes [MSFT]

With all the panic surrounding the blaster and friends viruses there
probably is going to be some conflicting information. Since the XP firewall
doesn't allow itself to be turned on on the ICS private connection the point
is somewhat moot. I'm not sure what the effect would be if you could,
whether it would interfere with ICS or not.

As for the linked articles, opening the listed ports should allow the
already enabled file and print sharing to function. However since the
blaster virus spread via the F&P ports, there are trade-offs to be made.

--

Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


Sooner Al said:
[...]
 
