Firewall question

BillW

This is probably an old question, but I will ask anyway being that SP2 has
been in use for a while now.

I have a Microsoft router as part of a 2-PC home network. Both PCs are on
XP SP2. The router has its own firewall. I have XP's firewall turned off
on both PCs. Should I run XP's firewall along with the router's firewall?

Thank you for your help.
 
John Barnett MVP

No. In many cases using two firewalls can cause conflict. The router
firewall is probably better than XP's anyway. XP's is just the basic
firewall; it only stops incoming attacks, whereas your router should prevent
incoming and outgoing traffic.
Although I don't have a router, I never use the XP firewall; I prefer to use
the 'free' version of Zone Alarm (www.zonelabs.com).
 
Ken Blake

BillW said:
I have a Microsoft router as part of a 2-PC home network. Both PCs
are on XP SP2. The router has its own firewall. I have XP's
firewall turned off on both PCs. Should I run XP's firewall along
with the router's firewall?


Because both your router's firewall and the XP firewall monitor
incoming traffic only, there's little reason to run both of them.
But almost any third-party firewall adds monitoring of outgoing
traffic and is worth running instead of the XP firewall. I use
and like the free version of ZoneAlarm.
 
Mike Hall

The SP2 firewall does more or less the same job as the router firewall.. you
are covered from incoming by the hardware firewall, but you may want to
cover yourself against unwelcome outgoings by installing one of many free
software firewalls on the internet.. doing this will allow for closure of
the SP2 firewall..
 
Ken Blake

John Barnett MVP said:
No. In many cases using two firewalls can cause conflict.


John, although two *software* firewalls might conflict with each
other, a hardware firewall and a software firewall (which is what
he asked about) can't conflict. Each of them isn't even aware of
the other.
 
Leythos

This is probably an old question, but I will ask anyway being that SP2 has
been in use for a while now.

I have a Microsoft router as part of a 2-PC home network. Both PCs are on
XP SP2. The router has its own firewall. I have XP's firewall turned off
on both PCs. Should I run XP's firewall along with the router's firewall?

Your router is not a firewall, it's a sharing service using NAT. One of
the features of NAT is that it does not permit unsolicited inbound
traffic - meaning that unless one of your computers/nodes asks for
something, it won't let it into your network. Do not confuse this
firewall "like" function with it acting like a firewall - it's not even
close.

As for SP2 firewall - In our protected networks, with hundreds of
computers behind a real firewall device and proper management of what the
users can access on the internet and with quality Anti-Virus software
running on each PC, we have disabled the Windows Firewall service so
that users can NOT start it. It's more of a pain in the arse than it's
worth, unless your computers are attached directly to the Internet
without a middle security layer.

If you want to know what your local computers are doing, install a
third-party firewall product like ZoneAlarm, it has filtering in both
directions and even application control. It's a mature product with a
large user base and is very easy for non-technical types to install and
configure.

With all of this in mind - how often are you reading the router's logs to
determine what's making it into/out-of your network?
 
Ron AG

BillW said:
This is probably an old question, but I will ask anyway being that SP2 has
been in use for a while now.

I have a Microsoft router as part of a 2-PC home network. Both PCs are on
XP SP2. The router has its own firewall. I have XP's firewall turned off
on both PCs. Should I run XP's firewall along with the router's firewall?

Thank you for your help.

It doesn't hurt to have XP's firewall turned on. I personally don't have any
3rd party SW firewall behind my router and think it's overkill. More
important is to have up to date antivirus and anti spyware installed.

Regards
 
Mike Hall

As stated, the SP2 firewall does essentially the same as a hardware
firewall.. having both running is overkill.. 3rd party software firewalls
cover both outgoing and incoming.. that can't be considered overkill in that
you are getting a new feature.. your call though..

--
Mike Hall
MVP - Windows Shell/user
 
Leythos

As stated, the SP2 firewall does essentially the same as a hardware
firewall.. having both running is overkill.. 3rd party software firewalls
cover both outgoing and incoming.. that can't be considered overkill in that
you are getting a new feature.. your call though..

Mike, you should consider rephrasing your statement - the SP2 firewall
is nothing like a hardware firewall, at best, it could be considered to
be only like a NAT router device (which is nothing like a firewall
device).

A true firewall would filter all types of services based on rule sets
installed/created by the user with no in/out bound traffic by default in
addition to many other functions.

NAT, commonly found in HOME user versions of routers, may be included in
firewalls, and while it will limit inbound connections to those
requested by the internal node, it's just a function of NAT, it's not a
firewall.

If I were wanting to run a personal firewall service on my PC, it would
certainly NOT be a Microsoft solution. Having a PFW is not overkill when
considering what many ignorant users are up against - a router that
provides NAT with an easy to use/maintain PFW (such as Zone Alarm) is an
ideal combination of measures for home users.

For those of us that already understand the threats, already know how to
secure systems, to update our apps, a router with NAT that ALSO provides
full in/out bound logging and real-time access to those logs may be all
that's needed for non-critical networks.

Since security is not a single measure, it also means doing more than
installing a router with NAT and a personal firewall application, it
includes antivirus software, anti-spyware applications, using a more
secure set of tools (browser, email client, etc...) and learning to
understand the difference between a threat and a non-threat.
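
Added example, not part of any post in this thread: a minimal Python model of the distinction drawn in the two posts above, with a NAT router that forwards only replies to connections a LAN host opened next to a rule-based firewall that denies both directions by default. All addresses, ports and class names are constructed for illustration, and the NAT model assumes the router also checks the remote endpoint of each reply.

```python
# Added illustration (not from the thread): a home NAT router's state table
# next to a default-deny, rule-based firewall. All addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public port -> (lan ip, lan port, remote)

    def outbound(self, lan_ip, lan_port, remote):
        """Any LAN host may talk out; NAT only records the mapping."""
        self.table[self.next_port] = (lan_ip, lan_port, remote)
        self.next_port += 1
        return self.next_port - 1

    def inbound(self, remote, public_port):
        """Forward only replies that match a mapping a LAN host created."""
        entry = self.table.get(public_port)
        if entry and entry[2] == remote:
            return entry[:2]
        return None  # unsolicited: nothing to translate to, so it is dropped

@dataclass
class RuleFirewall:
    rules: list  # (direction, protocol, remote port) tuples the admin allowed

    def permits(self, direction, proto, port):
        """Default deny in both directions; only listed traffic passes."""
        return (direction, proto, port) in self.rules

def demo():
    nat = NatRouter("203.0.113.10")
    web = ("198.51.100.7", 443)
    odd = ("198.51.100.99", 6667)      # constructed unwanted destination
    p1 = nat.outbound("192.168.0.2", 51000, web)
    p2 = nat.outbound("192.168.0.3", 51001, odd)   # NAT does not object
    fw = RuleFirewall([("out", "tcp", 443), ("out", "udp", 53)])
    return {
        "nat_reply_forwarded": nat.inbound(web, p1),
        "nat_unsolicited": nat.inbound(("192.0.2.50", 4444), p1),
        "nat_unwanted_outbound_mapped": p2 in nat.table,
        "fw_https_out": fw.permits("out", "tcp", 443),
        "fw_unwanted_out": fw.permits("out", "tcp", 6667),
        "fw_unsolicited_in": fw.permits("in", "tcp", 445),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The NAT model blocks the unsolicited inbound packet only because no mapping exists for it, and it maps every outbound connection without question; the rule-based model decides both directions from an explicit allow list.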
 
Mike Hall

Consider it rephrased.. just for you, I will pass the contents of your
informative statement on to other colleagues which hopefully will prevent
these unnecessary slip-ups happening again..

--
Mike Hall
MVP - Windows Shell/user
 
Leythos

Consider it rephrased.. just for you, I will pass the contents of your
informative statement on to other colleagues which hopefully will prevent
these unnecessary slip-ups happening again..

Mike, I hope you didn't take my comments as being rude or anything like
that, it was certainly not the intent. In my business I secure networks
and our systems have never been compromised, but I get a little tired of
seeing the cheap marketing hype some companies use to pervert the
meaning of a firewall - when Linksys came out with the BEFSR41 unit it
was only called a Cable Modem Router, not one mention of a firewall
anywhere. A couple years later Linksys and others started calling them
Firewalls without changing ANY of the functionality - sort of like when
they changed tape drive capacity to be compressed capacity vs actual
capacity (or when hard drives used to use 1024 as 1K vs today's 1000 =
1k).

The reason for the reply is to try and stop those vendors from giving
false hopes of protection to the users of those devices.

Sincerely,
Leythos
 
Mike Hall

It's ok.. but you have to understand that most home users see a NAT router as
being a hardware firewall.. they are told this by the ISP that supplies
them.. it saves time and trouble leaving them with that thought, otherwise
you have to get into long discussions that only serve to confuse further..

I don't know if you have ever done support across a phone, but you ask if
somebody can see the window, they tell you that they can see three windows,
but the view out of two of them is not so good.. task bars and toolbars
become as one, as does 'quick launch' and the system tray/notification area
... you tell them to highlight something and they double click it..most can't
tell left from right.. what's a dropdown menu.. etc etc.. :)

--
Mike Hall
MVP - Windows Shell/user
 
Leythos

It's ok.. but you have to understand that most home users see a NAT router as
being a hardware firewall.. they are told this by the ISP that supplies
them.. it saves time and trouble leaving them with that thought, otherwise
you have to get into long discussions that only serve to confuse further..

I don't know if you have ever done support across a phone, but you ask if
somebody can see the window, they tell you that they can see three windows,
but the view out of two of them is not so good.. task bars and toolbars
become as one, as does 'quick launch' and the system tray/notification area
.. you tell them to highlight something and they double click it..most can't
tell left from right.. what's a dropdown menu.. etc etc.. :)

Yea, I own a company that designs MS solutions for small businesses
(less than 50 offices with under 500 nodes across them). A typical
customer will have 6~8 offices in various states and have from 1~2
servers with 5~8 workstations and a central email server in the home
office. We set up ALL clients with remote support (via VPN to the home
office) and they call as needed.

I had one lady at an office complain that she could not get email, and
that she followed all the directions... We preconfigure each user's
desktop and also provide a 10 page document with lots of pictures....
She was set up for Outlook 2003 and using the Exchange connector - she
insisted that she could not get any email no matter what password she
typed in... but she would never contact us while sitting in front of
the computer, only relay problems through email via other office
workers... After 7 weeks of this game I called her and made her sit at
the computer as I watched (RAdmin 2.1) her open the desktop, go to
start/programs and open Outlook Express...... She had completely ignored
Outlook, the pretty pictures of where we documented it, the fact that
no-one in the company uses Express and the fact that I had told her we
don't use Express.... Once I got her on Outlook she then had trouble
with her printer - she wanted to print from the office computer to her
printer in her home.....
 
Mike Hall

LOL.. I can see that you have been there more than once.. so do you laugh or
cry when somebody calls you up to tell you that the mouse and keyboard are
not responding, you walk across a huge complex, grabbing a coffee en route,
only to find that the user has failed to power up the computer?.. there are
times when "sorry, I didn't know about that button" just doesn't cut it.. :)

--
Mike Hall
MVP - Windows Shell/user
 
Leythos

LOL.. I can see that you have been there more than once.. so do you laugh or
cry when somebody calls you up to tell you that the mouse and keyboard are
not responding, you walk across a huge complex, grabbing a coffee en route,
only to find that the user has failed to power up the computer?.. there are
times when "sorry, I didn't know about that button" just doesn't cut it.. :)

I feel sorry for them mostly.

I had a client call me and ask if it was OK to install a new printer
they had just bought - they didn't want to share it with the domain,
just wanted to have a way to print in their office.

She connected it up, turned it on, got the power light, but it would not
print. Every time she printed it went to the work group printer.... So,
she called me, and I asked, did you connect the printer to the computer?
(yes), did the drivers install properly? (I think so, it didn't ask me
to do anything), click on start, control panel, printers and faxes, do
you see the printer there? (yes), does it have a checkmark on it? (Yes,
right above that tube thingie), Tube thingie? Do you mean something that
looks like a cable with a little gold dot where it connects to the
printer? (yes), Ma'am, that's someone else's printer, that tube means it's
a printer on the network, do you see one without the network cable in
its icon? (I see the Adobe PDF printer and the MS Office Document Image
Writer ones, they don't have those network parts), Ok, let's start from
scratch: When you took the printer out of the box - it's an inkjet right
(yes), it would have a power cable/supply and a USB cable - did you plug
them both into the printer? (long pause.... I plugged the printer into
the power cube thing and that into the wall and then I set the printer
next to the computer.). Ma'am, did you connect the printer to the computer
via the USB cable? (... long pause..., what cable?), Ma'am, in order for
the computer to talk to the printer you will have to connect the
communication port, either USB or Parallel, to the printer via a cable -
look on the box and see if it says there is a cable included or if you
will need one.... (It shows a cable, and that it's not included, does
this mean I need to go buy one?). Yes, you will need to buy one or I can
send you one in the next delivery...... and so it goes...

There is also the Director that purchases a laptop, one of those ones
that has nothing onboard, everything has to connect via a USB jack - and
the laptop only has 1 USB jack... He proceeds to purchase an IPAQ, 2
Palms, two printers (laser and inkjet), a scanner, two memory card
readers, and still wants to use the USB CD-ROM and USB Floppy drive, oh,
and the best part is that he bought all the parts used to save some
money... If you've worked with USB like I have you probably hate it as
much as I do - it's only good for mice and keyboards, beyond that it's a
crap-shoot....

Or what about the friend of a client that calls and tells us that their
keyboard is acting weird, that they have two offices across from each
other and that when one types it shows on the other's screen.... She
wants to know if there is some type of spyware or if the other person is
spying on her.... As it turns out, they have wireless keyboards and will
swap them with each other from time to time.....
 
