Can firewalls conflict?

William Pine

I'm deciding whether to enable Windows Internet Firewall simultaneously with
my existing firewall. What are the pros and cons for running them both?

If anyone knows, please respond regarding both XP Home SP1, which I run now,
and XP Home SP2, which I've yet to install.

Thanks.

Bill
 
Kent W. England [MVP]

William Pine wrote on 24-Sep-2004 10:11 PM:
> I'm deciding whether to enable Windows Internet Firewall simultaneously with
> my existing firewall. What are the pros and cons for running them both?
>
> If anyone knows, please respond regarding both XP Home SP1, which I run now,
> and XP Home SP2, which I've yet to install.

Nuttin' but inexplicable problems will ensue. Best to use one or the other.
 
Guest

I agree with Kent. We have had nothing but problems when trying to use > than
one firewall either on our servers or client machines. One only! That's my
advice.
 
PsyB

This wholly depends on what you expect from the firewall and what you
are referring to as a firewall - hardware or software. Let's address the
first part. If you want minimal intervention then Windows XP firewall is
a great idea. If you would rather know exactly what is talking and when
- and only secure certain programs to communicate - then you should use
another firewall such as ZoneAlarm, Kerio or Tiny. Also know that the
firewall in SP1 is no great prize for the end user. It lacks much
configurability, at least by means of the GUI. SP2 adds a lot more
configurability both by GUI and through the command line. Neither is an
adequate first line of defense if you are on a high speed connection. In
fact I wouldn't count on any software firewall as a first line of
defense on a high speed connection. Using two software firewalls
together can cause almost as much potential for security failure as
having none at all. Since you have to configure each software firewall
to trust the other, if an exploit appears in one or the other, one
firewall can be used to breach the other firewall. Using a software
firewall behind a hardware router, on the other hand, is a good idea -
most manufacturers will even suggest which software firewall should be
used as a second line of defense behind their router. In this case,
Windows XP SP1 or SP2 firewall is adequate, though if you want to be
asked about each program accessing the Internet, you should consider
something like the ones I mentioned above.
-=[PsyB]=-
 
Mike H

Microsoft include the XP firewall such that when users first connect to the
net, they have at least some protection.. it will stop incoming nasties but
has no control over what goes out.. the same applies to the SP2 firewall..
it is more configurable than previous versions, but is still essentially
there to provide protection when one first connects to the internet..
hardware firewalls as found in routers also only protect against incoming
and make no attempt to stop anything going out.. when running a router and a
software firewall, you will notice that the software firewall records NO
incoming events at all.. it is, however, stopping outgoing stuff..

A third party firewall is recommended as it will warn you if your computer
attempts to connect to the outside world in a way that might compromise you
and your computer AND prevents incoming nasties.. You need only run one
firewall.. use a software firewall such as ZoneAlarm.. it's free and it
works.. make it so.. engage.. just do it.. :)
 
Kent W. England [MVP]

KR^ishhNamalaghnataH wrote on 24-Sep-2004 11:39 PM:
> I agree with Kent. We have had nothing but problems when trying to use > than
> one firewall either on our servers or client machines. One only! That's my
> advice.

Just to drive the point home, last night I removed ZoneAlarm from a
system that was recently upgraded to SP2. ZoneAlarm worked fine by
itself on SP1 and SP2, but when the Windows Firewall was enabled, file
and printer sharing did not work and neither did ping (aka ICMP), even
though all settings permitted both.

As soon as ZoneAlarm was removed, the Windows Firewall acted as it
should have (barring bugs of course :) and file and printer sharing and
ping behavior returned to normal.

Of course, you may choose the other course, to disable Windows Firewall
and continue to use ZoneAlarm. It would seem that ZoneAlarm survives the
upgrade from SP1 to SP2 OK, unless ZoneLabs advises otherwise on their
web site.
 
