Personal Firewall Opinions Needed

[gwigton]

Ok Folks sorry to make this so long, but I am trying to solve a dispute on our MIS team. Our network topology is that we have 2 main VLANs that exist in our network this network has 3 main remote locations, and we have a total of 2000 machines on the network.

On 1 of those VLANs most of the client machines are using a program called DeepFreeze, which basically puts a read only right on the hard-drive. A student can then change anything they want, but when the machine is re-booted it goes back to its origanal configuration. Nothing of value is stored on most of the machines on this VLAN but we do run Norton's AV 9 on each of these machines to ensure a virus outbreak doesn't occur. Up until this last semester we had the XP personal firewall enabled for every machine. I recently found out that one of our team members set a global policy on this VLan to disable the Personal Firewall. There reasoning is that because we run DeepFreeze we don't have to worry about viruses broadcasting and hurting the network and we have a external firewall to protect us from the outside world. They are also worried about the management standpoint for running behind the scene scripts and such.

My feeling is that even with the DeepFreeze if the machines don't get perminent damage they still have the potential for flooding the network because of one machine broadcasting and the rest trying to answere and at least bring down a segment of the network (we have seen this in the past a couple of times), which would interupt student activity even if for a few hours until we rebooted all of the machines. I also feel that we have to be just as worried about internal threats as much as external. Since we teach several IT couses in our small college, the level of interal threats could almost be higher.

My question is what is everyone else doing with Personal Firewall within their networks even if they don't have DeepFreeze, or what would your thoughts be to our situation??

 

[bcastner]

The native XP firewall controls inbound traffic. This has two consequences: it may well be already covered by your edge firewall; it will not stop worms from a broadcasting or IP scanned attack that originates inside your network; for example if obtained from a web page or email.

Similarly, your edge firewall will not stop these either, albeit it might stop non-LAN dissemination.

I agree with you here:

I also feel that we have to be just as worried about internal threats as much as external. Since we teach several IT couses in our small college, the level of interal threats could almost be higher.

Since neither the XP native firewall nor your edge firewall will protect you in this instance, adding a third-party firewall that does both inbound and outbound scanning seems sensible.

 

[gwigton]

bcastner thanks for the quick reply. In some aspects you are correct that it will not stop a worm that is obtained through very common ports such as 80 (web page). If traffic were blocked, on the clients recieving a web page would be impossible.

In other aspects I have to disagree with you that I have several server side utilites that we use to shutdown, reboot, and even our DeepFreeze app that needed to have a hole created in the firewall on each client in order to work on that client. Theses applications and utilites all originate from inside our network and even from the same segment.

it will not stop worms from a broadcasting or IP scanned attack that originates inside your network; for example if obtained from a web page or email.

I know the native firewall had some real problems with properly controlling traffic. We are currently running SP2 which had enhanced the firewall capabilities. This may be the diffence in our views.

 

[bcastner]

What does Windows Firewall do?

Windows Firewall (previously called Internet Connection Firewall or ICF) is a software-based, stateful filtering firewall for Microsoft Windows XP and Microsoft Windows Server™ 2003. Windows Firewall provides protection for computers that are connected to a network by preventing unsolicited inbound connections through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6).

Notice the word inbound and nothing about outbound.

Here is the full explanation so you can see I didn't snip it out of context:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#XSLTsection130121120120

Some apps may connect via outbound port and request a connection back on another inbound port, causing Win Firewall to prompt for permission. This behavior seems to mislead some users into believing that the firewall protection is both inbound and outbound. It is not. It is exactly as Microsoft describes it: a stateful filtering firewall for inbound connections.

 

[gwigton]

I think we are looking at the same thing from two different angles. You are exactally correct in the outbound traffic. Microsoft has never cared what comes out of a machine because that would inhibit their ability to have many of there apps "call home".

I guess I am looking at it from the point that I could have one client broadcasting something, which won't bring down the network, until I have 900 clients recieving the broadcast because of an open port and then replying. The replying aspect is what could flood the network.

I also understand that the machine doing the broadcasting may or may not be able recieve transmisions from the clients responding, but at that point the machine has been compromised so prtecting that machine isn't my goal; it is ensuring the network remains stable until the infected machine gets rebooted.

The lack of planning and foresight on your part does not constitute an emergency on my part!!

 

[gwigton]

bcastner don't think the last line was inteded for you...I was messing with my postscript setting and didn't put my name before it.

gwigton

The lack of planning and foresight on your part does not constitute an emergency on my part!!