new windows firewall

Mark

Please can I have some advice re. my home network of two
PCs, one with ICS enabled on one of its two network
adapters:

Is it better to:

use the new windows firewall on the network adapter that
faces the internet without exceptions and disable it on
the other "internal" network adapter

or

use the new windows firewall on all network adapters with
the exceptions that allow file and print sharing between
the two PCs?

I see this as a choice between having one very secure
perimeter or a weaker perimeter and internal division of
my home network.

Thanks for any advice...
 

Mark,

The old (pre-SP2) windows firewall (ICF) was designed only for perimeter
protection, and was properly enabled only on network adapters facing the
internet.

The new (SP2) Windows Firewall (WF) is designed for interior and exterior
protection, and can be enabled on all network adapters. You should enable the
FPS exception only for your subnet, by using Edit - Change scope.

This gives you the third, preferable result, a very secure perimeter, and
internal division of your home network. ;-}

If you are truly concerned about your network, however, consult the Usenet
discussions in comp.security.firewalls.
<http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=comp.security.firewalls>

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
I carry that a bit further and limit the F&PS access scope to specific IPs of PCs on my local LAN.
Do that in the custom list...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 

I don't disagree with what Chuck says, but note that ICF still only supplies
inbound protection. If you also want outbound protection (e.g., against spyware),
then a more flexible firewall may be better -- such as one of the Zone Alarm
products.

{I don't work for ZoneLabs. I do use Zone Alarm, both the free and non-free
flavors.}
 
I carry that a bit further and limit the F&PS access scope to specific IPs of PCs on my local LAN.
Do that in the custom list...

This is a logical step, after disabling DHCP. I highly recommend this for
wireless LANs, where you cannot control physical access.

If you filter on ip address, and continue to use DHCP, you may have a problem
sometime.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
I don't disagree with what Chuck says, but note that ICF still only supplies
inbound protection. If you also want outbound protection (e.g., against spyware),
then a more flexible firewall may be better -- such as one of the Zone Alarm
products.

{I don't work for ZoneLabs. I do use Zone Alarm, both the free and non-free
flavors.}


Good point. For more discussion, in addition to comp.security.firewalls, see
the Microsoft Security General forum.
<http://www.microsoft.com/technet/co...px?dg=microsoft.public.security&lang=en&cr=US>

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Thanks for all of the good feedback.

I had briefly considered variations on what you have
suggested but was put off by the following text:

"Use the Custom list scope option and specify the IPv4
address range that corresponds to your private subnet's
network ID. For this example, you would configure a
custom address range of 192.168.0.0/16. However, this
computer is still vulnerable to incoming traffic from
potentially malicious Internet users that send traffic
from the 192.168.0.0/16 address range. This technique of
sending traffic from addresses other than those assigned
is known as spoofing."

Taken from here:

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx#ECAA

Also, as I am using ICS I thought the IP address of my
second PC was dynamically configured by the ICS host from
anywhere in the 192.168.x.x range so I can't configure
for a specific IP address.

Am I putting 2 and 2 together and making 5?
-----Original Message-----
I carry that a bit further and limit the F&PS access
scope to specific IPs of PCs on my local LAN.
Do that in the custom list...
 
My Buffalo WBR-G54 wireless access point/router allows me to assign a DHCP IP address by specific
MAC address, i.e. a pseudo static IP. That works well for my wireless client (specifically an iPAQ
5555 PocketPC) that obviously is configured to use a DHCP assigned IP addressing when connecting to
various private and public networks... So, the bottom line is I can still tightly control F&PS
access to specific IPs on my local LAN (wired and wireless)...

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
 

Actually, Mark, you're making 4.000.

The distinction Microsoft makes, between "My Network (subnet)" and the Custom
list, where you can precisely specify your subnet, is interesting. At first
glance, I'd think that My Subnet should equal my private subnet's network id.

Address spoofing, and firewall configuration to prevent it, is an intriguing
topic. There was a good article discussing blocking spoofed traffic on
rule-based (non-GUI) firewalls, on SANS recently. I want to read it and see how
Microsoft's article applies. As soon as I can find it.

As you are suspecting, though, if you're going to use DHCP (with ICS), filtering
on individual ip addresses is not a good idea.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
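As an added illustration (not code from this thread, and not Windows Firewall's own logic), a small Python model of the scope decision the posts above argue about: a custom 192.168.0.0/16 scope judged on the source address alone lets a forged private-source packet in through the Internet-facing adapter, which is the spoofing caveat in the quoted TechNet text, while an allow list of single addresses stops matching the moment DHCP hands the second PC a different lease. The adapter names, the 192.168.0.0/24 subnet, the 203.0.113.x external address and the ingress check are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's two-adapter ICS host: the internal adapter
# serves the private LAN, the external adapter faces the Internet.
LAN = ipaddress.ip_network("192.168.0.0/24")   # assumed ICS private subnet
EXTERNAL_ADAPTER = "external"
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str       # source address as written in the IP header (may be forged)
    adapter: str   # adapter the packet arrived on: "internal" or "external"


def in_scope(pkt, scope, custom=()):
    """Address-only check of the File and Printer Sharing exception scope.
    scope: "any", "subnet" (the private subnet's network ID) or "custom"
    (explicit hosts or ranges, e.g. ["192.168.0.0/16"] or ["192.168.0.5"])."""
    src = ipaddress.ip_address(pkt.src)
    if scope == "any":
        return True
    if scope == "subnet":
        return src in LAN
    if scope == "custom":
        return any(src in ipaddress.ip_network(c, strict=False) for c in custom)
    raise ValueError(f"unknown scope {scope!r}")


def allow_fps(pkt, scope, custom=(), ingress_filter=False):
    """Full decision. With ingress_filter=True a packet that carries a
    private-range source but arrives on the Internet-facing adapter is
    dropped before the scope check; without it the scope check alone decides,
    which is the exposure the quoted TechNet text calls spoofing."""
    src = ipaddress.ip_address(pkt.src)
    if ingress_filter and pkt.adapter == EXTERNAL_ADAPTER \
            and any(src in r for r in PRIVATE_RANGES):
        return False
    return in_scope(pkt, scope, custom)


if __name__ == "__main__":
    lan_pc = Packet("192.168.0.5", "internal")
    forged = Packet("192.168.0.5", "external")   # constructed spoofed source
    print(allow_fps(lan_pc, "subnet"))                                 # True
    print(allow_fps(forged, "custom", ["192.168.0.0/16"]))            # True
    print(allow_fps(forged, "custom", ["192.168.0.0/16"], True))      # False
```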
 

Al,

That's cute. A DHCP server that can pre-assign addresses. Most real DHCP
servers do allow this.

Remembering that most clients of these forums don't know the difference between
a true DHCP server, and the crippled version provided by most SOHO routers, IMHO
it's not a good idea to recommend filtering by fixed ip address, when DHCP is
used on the LAN.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
