Re: using two firewalls at the same time
is no reason in the world to do so. XP ICF only looks at incoming
traffic, not outgoing, which can be a problem in some network scenarios.
For full firewall protection it is better to use a firewall that deals
with both incoming and outgoing traffic and Microsoft even recommends
using a third party firewall for this very reason. One properly
configured firewall is sufficient.
Steve:
IMO, MS recommendations are often conservative and properly worded to keep
newbies (which we all are initially) from creating problems they cannot
easily solve. Once a user acquires knowledge/experience, and is willing to
be responsible for the results, he/she can move beyond the newbie
recommendations.
I have spent a lot of time studying/testing TCP/IP, ICF, ICF2 (in XP SP2),
BlackICE (BID), NIS (and AtGuard), ZA free, Sygate, and MS's ISA. In
general, running two firewalls successfully depends upon the technologies
used by each. Two scenarios wherein I would not run two firewalls: running
two ID firewalls (i.e., BID and Sygate), and I would not run a second
firewall on an ISA server. Otherwise, it can and does work well as many
users have posted in other NGs.
Incomplete focus. It is better to have a firewall "structure" that
processes traffic in both directions, and has as many of the firewall
technologies (application gateway, stateless, stateful, SPI, ID, circuit
level, proxy server, etc) as is desired without causing problems. The
problem is, finding a single end user product that does all or most of it at
a price you are willing to pay (ISA server uses a number of different
technologies, but costs about $1,500 min).
Firewalls that I have used in various combinations, with desired features
that others lack:
ICF: it is stateful and will dynamically block spoofed source addresses.
BID: it is an ID and monitors the host for suspicious activity.
ZA free: it is an application gate (does not filter packets for outbound).
NIS (& Sygate): ability to write very powerful firewall rules.
If I need to put one of my XP computers on the Internet for a short period
of time w/o a router, I use:
ICF, BID, and ZA free
PS. Also, MS's recommendations are sometimes two-faced:
ISA server: not recommended to use on a DC, or a computer running other
"network" services.
SBS2k3 Premium is a single MS product running ISA on a DC, with many other
"network" services.
PSS. Note that MS is suggesting in XP SP2 that running two firewalls may be
ok.