Does ICF turn off Norton Firewall?

[Army George]

My Norton Firewall appears to be "off", it has the red x in it in the
toolbar. This happened after I turned on XP's internet connection
firewall....did ICF do something?

 

[Guest]

Army,

It's not recommended (by MS) to use ICF with others...

 

[Plato]

My Norton Firewall appears to be "off", it has the red x in it in the
toolbar. This happened after I turned on XP's internet connection
firewall....did ICF do something?

You really dont need two firewalls running at the same time anyway.

 

[CZ]

My Norton Firewall appears to be "off", it has the red x in it in the
toolbar. This happened after I turned on XP's internet connection
firewall....did ICF do something?

Army:

No. I have run ICF with NIS w/o problems.

Running two firewalls has worked fine for me for several years, and in this
case it may have saved your computer.

 

[Steve N.]

My Norton Firewall appears to be "off", it has the red x in it in the
toolbar. This happened after I turned on XP's internet connection
firewall....did ICF do something?

Yes. Turn of XP's ICF, it is not as good as Norton firewall anyhow and
obviously they conflict.

Steve

 

[Steve N.]

toolbar. This happened after I turned on XP's internet connection
firewall....did ICF do something?

Army:

No. I have run ICF with NIS w/o problems.

Running two firewalls has worked fine for me for several years, and in this
case it may have saved your computer.

You are lucky then. It is not recommended to run two firewalls and there
is no reason in the world to do so. XP ICF only looks at incomming
traffic, not outgoing, which can be a problem in some network scenarios.
For full firewall protection it is better to use a firewall that deals
with both incomming and outgoing traffic and Micorsoft even recommends
using a third party firewal for this very reason. One properly
configured firewall is sufficient.

Steve

 

[CZ]

Re: using two firewalls at the same time
is no reason in the world to do so. XP ICF only looks at incoming
traffic, not outgoing, which can be a problem in some network scenarios.
For full firewall protection it is better to use a firewall that deals
with both incoming and outgoing traffic and Microsoft even recommends
using a third party firewall for this very reason. One properly
configured firewall is sufficient.

Steve:

IMO, MS recommendations are often conservative and properly worded to keep
newbies (which we all are initially) from creating problems they cannot
easily solve. Once a user acquires knowledge/experience, and is willing to
be responsible for the results, he/she can move beyond the newbie
recommendations.

I have spent a lot time studying/testing TCP/IP, ICF, ICF2 (in XP SP2),
BlackICE (BID), NIS (and AtGuard), ZA free, Sygate, and MS's ISA. In
general, running two firewalls successfully depends upon the technologies
used by each. Two scenarios wherein I would not run two firewalls: running
two ID firewalls (ie., BID and Sygate), and I would not run a second
firewall on an ISA server. Otherwise, it can and does work well as many
user have posted in other NGs.

Incomplete focus. It is better to have a firewall "structure" that
processes traffic in both directions, and has as many of the firewall
technologies (application gateway, stateless, stateful, SPI, ID, circuit
level, proxy server, etc) as is desired without causing problems. The
problem is, finding a single end user product that does all or most of it at
a price you are willing to pay (ISA server uses a number of different
technologies, but cost about $1,500 min).

Firewalls that I have used in various combinations, with desired features
that others lack:
ICF: it is stateful and will dynamically block spoofed source addresses.
BID: it is an ID and monitors the host for suspicious activity
ZA free: it is an application gate (does not filter packets for outbound)
NIS (& Sygate): ability to write very powerful firewall rules.

If I need to put one of my XP computers on the Internet for a short period
of time w/o a router, I use:
ICF, BID, and ZA free


PS. also, MS's recommendations are sometimes two-faced:
ISA server: not recommended to use on a DC, or a computer running other
"network" services.
SBS2k3 Premium is a single MS product running ISA on a DC, with many other
"network" services.

PSS. note that MS is suggesting in XP SP2 that running two firewalls may be
ok.

 

[Steve N.]

Re: using two firewalls at the same time



is no reason in the world to do so. XP ICF only looks at incoming
traffic, not outgoing, which can be a problem in some network scenarios.
For full firewall protection it is better to use a firewall that deals
with both incoming and outgoing traffic and Microsoft even recommends
using a third party firewall for this very reason. One properly
configured firewall is sufficient.

Steve:

IMO, MS recommendations are often conservative and properly worded to keep
newbies (which we all are initially) from creating problems they cannot
easily solve. Once a user acquires knowledge/experience, and is willing to
be responsible for the results, he/she can move beyond the newbie
recommendations.

I have spent a lot time studying/testing TCP/IP, ICF, ICF2 (in XP SP2),
BlackICE (BID), NIS (and AtGuard), ZA free, Sygate, and MS's ISA. In
general, running two firewalls successfully depends upon the technologies
used by each. Two scenarios wherein I would not run two firewalls: running
two ID firewalls (ie., BID and Sygate), and I would not run a second
firewall on an ISA server. Otherwise, it can and does work well as many
user have posted in other NGs.




Incomplete focus. It is better to have a firewall "structure" that
processes traffic in both directions, and has as many of the firewall
technologies (application gateway, stateless, stateful, SPI, ID, circuit
level, proxy server, etc) as is desired without causing problems. The
problem is, finding a single end user product that does all or most of it at
a price you are willing to pay (ISA server uses a number of different
technologies, but cost about $1,500 min).

Firewalls that I have used in various combinations, with desired features
that others lack:
ICF: it is stateful and will dynamically block spoofed source addresses.
BID: it is an ID and monitors the host for suspicious activity
ZA free: it is an application gate (does not filter packets for outbound)
NIS (& Sygate): ability to write very powerful firewall rules.

If I need to put one of my XP computers on the Internet for a short period
of time w/o a router, I use:
ICF, BID, and ZA free


PS. also, MS's recommendations are sometimes two-faced:
ISA server: not recommended to use on a DC, or a computer running other
"network" services.
SBS2k3 Premium is a single MS product running ISA on a DC, with many other
"network" services.

PSS. note that MS is suggesting in XP SP2 that running two firewalls may be
ok.

Very good points but well beyond the average user.

Steve

 

[CZ]

Very good points but well beyond the average user.

Steve

Sadly, they are apparently beyond most respondents (including MVPs) in this
NG.

Your comments re: running multiple firewalls are incorrect ("there is no
reason in the world to do so" and "One properly
configured firewall is sufficient"). However, they are the norm for this
NG.

It will be interesting to read responses in this NG once XP SP2 is released
and MS implies that it is ok to do it.

My previous post:
IMO, MS recommendations are often conservative and properly worded to keep
newbies (which we all are initially) from creating problems they cannot
easily solve. Once a user acquires knowledge/experience, and is willing to
be responsible for the results, he/she can move beyond the newbie
recommendations.

I have spent a lot time studying/testing TCP/IP, ICF, ICF2 (in XP SP2),
BlackICE (BID), NIS (and AtGuard), ZA free, Sygate, and MS's ISA. In
general, running two firewalls successfully depends upon the technologies
used by each. Two scenarios wherein I would not run two firewalls: running
two ID firewalls (ie., BID and Sygate), and I would not run a second
firewall on an ISA server. Otherwise, it can and does work well as many
user have posted in other NGs.

Incomplete focus. It is better to have a firewall "structure" that
processes traffic in both directions, and has as many of the firewall
technologies (application gateway, stateless, stateful, SPI, ID, circuit
level, proxy server, etc) as is desired without causing problems. The
problem is, finding a single end user product that does all or most of it at
a price you are willing to pay (ISA server uses a number of different
technologies, but cost about $1,500 min).

Firewalls that I have used in various combinations, with desired features
that others lack:
ICF: it is stateful and will dynamically block spoofed source addresses.
BID: it is an ID and monitors the host for suspicious activity
ZA free: it is an application gate (does not filter packets for outbound)
NIS (& Sygate): ability to write very powerful firewall rules.

If I need to put one of my XP computers on the Internet for a short period
of time w/o a router, I use:
ICF, BID, and ZA free


PS. also, MS's recommendations are sometimes two-faced:
ISA server: not recommended to use on a DC, or a computer running other
"network" services.
SBS2k3 Premium is a single MS product running ISA on a DC, with many other
"network" services.

PSS. note that MS is suggesting in XP SP2 that running two firewalls may be
ok.

 

[cquirke (MVP Win9x)]

CZ wrote:

Very good points but well beyond the average user.

Yes, but it's only through exposure to such info that we can rise
above average and take the standard up as we go. So keep 'em coming,
CZ, especially as you so clearly notate such content as "some assembly
required" so that we know who it's for

PS: Any relation to that maker of great dirt bikes from the '70s?

--------------- ----- ---- --- -- - - -

Who is General Failure and
why is he reading my disk?

 

[Kelly]

Who is General Failure and

why is he reading my disk?

<LOL>

 

[Alex Nichol]

Sadly, they are apparently beyond most respondents (including MVPs) in this
NG.

Your comments re: running multiple firewalls are incorrect ("there is no
reason in the world to do so" and "One properly
configured firewall is sufficient"). However, they are the norm for this
NG.

It will be interesting to read responses in this NG once XP SP2 is released
and MS implies that it is ok to do it.

The XP one is enough if all you are interested in is incoming probes,
but may not be as easy to configure for special cases (such for example
as the needs of Messenger if you want to send files with it)

A benefit of running that as well as another that you want around, is as
a backup; especially for moments of exposure when you are upgrading your
own firewall, or switching to a different one. There is a little extra
overhead - not much. Indications are that when running ZA along with
the SP2 one then it is ZA that is doing the work once it is up and
running; but the windows one probably comes in earlier during boot to
ensure protection then (this is a point that it is not practicable to
check)

 

[CZ]

Re: running multiple firewalls
a backup; especially for moments of exposure when you are upgrading your
own firewall, or switching to a different one. There is a little extra
overhead - not much. Indications are that when running ZA along with
the SP2 one then it is ZA that is doing the work once it is up and
running; but the windows one probably comes in earlier during boot to
ensure protection then (this is a point that it is not practicable to
check)


Alex:

Good points.

IMO, a primary reason for running multiple firewalls is to have real-time
complimentary protection.
This means if one firewall by design cannot do certain protection, the other
firewall can do it, and both firewalls are running at the same time.

Case in point:
ZA free has rather weak outbound control in that it is only an application
gate (it does not do packet filtering for outbound, nor does it do ID
(intrusion detection)). BlackICE (BID) does ID (monitors for suspicious
activity).
Using only ZA free is like only using the lock on your car door for
protection. Once the bugler gets into the car, there is no protection.
Using BID is like your car alarm, once the bugler is inside the car, there
is still protection.

IMO, a major misunderstanding is that many users think that all firewalls do
the same thing. They do not! They use different firewall technologies, and
each technology can provide protection for a different aspect/type of
malicious activity.

So, running ZA free and BID together provides much stronger security than
running ZA free by itself.

Users who claim that you do not need to run multiple firewalls, and who
often also claim that there is no advantage to it, do not understand that
all firewalls are not the same, they can (and often do) cover different
aspects of the problem.

A key issue in selecting a firewall should be knowing what technologies it
uses.

Of course it would help if Steve Gibson had a more realistic opinion of ZA
and BlackICE <g>