XP SP2 Firewall

BillW

I have a Microsoft router with its own firewall. Is there any reason not to
turn on XP's firewall in addition to the router's firewall? Seems like it
would offer more protection. Thanks.
 
gerryR

Will offer more protection. If a computer within your network is infected
the router can do nothing about that, e.g. a laptop gets infected when on a
network outside yours.

hth
gerryR
 
Phil

Usually you don't need two firewalls running. But what kind of firewall does
the router have? With a nat router, the xp firewall may help. If you have a
real hardware firewall that does SPI and nat then the xp firewall is
probably not needed.
 
gerryR

Well I can only go from my personal experience. We have a hardware router
in our office which is our only gateway to the internet. Around the time of
the blaster worm one of our laptops was out of the office for a few weeks
and his anti-virus had not updated, he had also been connected to the
internet through dial up and had no software firewall installed, he
obviously got infected with the blaster and as soon as he arrived back at
work, plugged into the network it had spread through the office.

Hth
gerryR
 
Mike Hall

Always run a software firewall.. The XP firewall and SP2 variant are there
to ensure that the first connection to the internet will be covered.. the
SP2 firewall is not intended to replace a good software firewall.. some
versions are free..
 
Phil

The op never said they are on a network. Just because you have a router
doesn't necessarily mean they have networked computers.
That's what anti-virus software is for. NOBODY connects to any network I
take care of without updated av software on every machine. (and if the user
can't learn to keep the av updated, then they don't connect to my network)
This also tells me that your office computers were not patched. The patch to
plug the hole that blaster used was out way before the virus hit. An updated
computer would not be affected.
Also, if any of my users has a laptop that they bring to the office and
connect to the network, I make sure to set them up with a firewall for when
they are at home. If the user used common internet security and had the
firewall on when at home they would not get infected.
So you can see there are at least three security issues that were not
addressed with this user and that's why your office got infected. Sure if
everyone in the office had a firewall up and running the damage would have
been minimized, but that's like making sure to lock the door after someone
already broke in. If the user was correctly secured for home and office
usage your network would have been fine. So, imo, securing "outside"
computers is more important than crippling the network with the xp firewall
on. (pre-sp2, the xp firewall was very hard to tweak and set up for networks
who need certain ports open and closed).
To each his own I guess, but a correctly secured network and correctly
secured remote users makes using a firewall on the internal network an
unneeded practice.(if you have a good hardware firewall) Most corporate
settings will not have firewalls on users' computers when they're connected to
the network.
 
Ken Blake

BillW said:
I have a Microsoft router with its own firewall. Is there any reason
not to turn on XP's firewall in addition to the router's
firewall? Seems like it would offer more protection. Thanks.


Although it doesn't hurt to turn on the Windows firewall, it
doesn't really do anything the router doesn't, and doesn't help
you. The Windows firewall, like the router, monitors incoming
traffic only.

However if you use a third-party firewall instead of the Windows
one, such as the free ZoneAlarm, it *does* offer more protection,
since it also monitors outgoing traffic, such as rogue programs
trying to call home.
 
SlowJet

Condition        Results

Router Only      all unsolicited incoming blocked.
                 failure or misconfigured exposes computer to
                 everything. Outgoing not blocked on most cheap wireless.

Router and WFW   same thing but each back up the other in case of failure.
                 WFW acts like second door on a hallway.

Router and ZA    same as R&WFW except outgoing ports are blocked. Programs
                 that need outgoing ports need permission from user before
                 port is open. ZA free is only for non networked computer so
                 ZA PRO is needed on networked computers. All clients need
                 ZA PRO to stop local lan virus spread.

Since ZA Pro is not free, then there are other choices. They all do the same
thing with different add-ons and look and feel. (and price)

SJ
 
James

Phil said:
The op never said they are on a network. Just because you have a router
doesn't necessarily mean they have networked computers.
That's what anti-virus software is for. NOBODY connects to any network I
take care of without updated av software on every machine. (and if the user
can't learn to keep the av updated, then they don't connect to my network)
This also tells me that your office computers were not patched. The patch to
plug the hole that blaster used was out way before the virus hit. An updated
computer would not be affected.
Also, if any of my users has a laptop that they bring to the office and
connect to the network, I make sure to set them up with a firewall for when
they are at home. If the user used common internet security and had the
firewall on when at home they would not get infected.
So you can see there are at least three security issues that were not
addressed with this user and that's why your office got infected. Sure if
everyone in the office had a firewall up and running the damage would have
been minimized, but that's like making sure to lock the door after someone
already broke in. If the user was correctly secured for home and office
usage your network would have been fine. So, imo, securing "outside"
computers is more important than crippling the network with the xp firewall
on. (pre-sp2, the xp firewall was very hard to tweak and set up for networks
who need certain ports open and closed).
To each his own I guess, but a correctly secured network and correctly
secured remote users makes using a firewall on the internal network an
unneeded practice.(if you have a good hardware firewall) Most corporate
settings will not have firewalls on users' computers when they're connected to
the network.

Not true. It may be true in your experience but that's all it is: your
experience. Our office network has a router AND each box on the network
has its own software firewall. When you say "most" you obviously cannot
speak for "most" since you don't know "most" networks. You're simply
guessing and since you were wrong about our network, I can well imagine
you are wrong about many others.
 
Phil

James said:
Not true. It may be true in your experience but that's all it is: your
experience. Our office network has a router AND each box on the
network has its own software firewall. When you say "most" you
obviously cannot speak for "most" since you don't know "most"
networks. You're simply guessing and since you were wrong about our
network, I can well imagine you are wrong about many others.

First I guessed about your network, I said nothing about it. You told me you
used software firewalls. I didn't tell you that you didn't. I said most
corporate networks don't use software firewalls because I've seen it first
hand. I worked for large corporations and small business and also did
support for businesses, with networks from 10 computers to 1000's of
computers and none of them ever had a software firewall. My mother and
girlfriend worked at Kodak, a huge corporation and they didn't have any
software firewalls on any Kodak network or computer at all. In fact I can't
remember any office that I've been to in my entire life that had software
firewalls running. I'm not saying your setup is bad or wrong, you can do it
that way if you want, but you're in the minority. I'm not guessing, I'm
speaking from corporate experience. A network is secured in many other ways,
like with group policies, or employee procedures, with hardware firewalls
locked down for inbound and outbound activity, iis lockdown, corporate
routers, vpn's, tweaks, updates, remote user lockdown, etc.....
 
Mike Hall

Large companies, IBM for instance, do not apply software firewalls to each
machine.. they have extensive hardware firewalls and an intranet that has
enough information safely gathered such that employees have no need to
search outside of it.. anything that does attempt to go out of the IBM
system is monitored and most of it stopped.. smaller companies do not have
the resources for their own intranets, relying far more on the global and
much less secure network, hence the need for software firewalls..
 
James

Thanks for the information. I stand corrected.

Mike said:
Large companies, IBM for instance, do not apply software firewalls to each
machine.. they have extensive hardware firewalls and an intranet that has
enough information safely gathered such that employees have no need to
search outside of it.. anything that does attempt to go out of the IBM
system is monitored and most of it stopped.. smaller companies do not have
the resources for their own intranets, relying far more on the global and
much less secure network, hence the need for software firewalls..
 
