Slashdot Mirror


Are Desktop Firewalls Overkill?

Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"

7 of 440 comments

  1. Re:stating the obvious... by Java Pimp · Score: 4, Informative

    Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!
  2. Re:Flash drives, tarballs, &c. by DJ Jones · Score: 4, Informative

    Not to mention network attacks that originate inside your NAT. For example: that dumb ass down the hall who keeps clicking on viagra links in his emails.

    What are you going to do? Put a hardware firewall on every cord?

  3. Defense in depth by Urban Garlic · Score: 5, Informative

    The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.

    But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.

    Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.

    It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.

    --
    2*3*3*3*3*11*251
  4. Err, what? by Penguinisto · Score: 4, Informative

    Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Re:Been doing that since day one. by smash · Score: 3, Informative

    In your experiences with corporate IT, your corporate IT staff have thus been incompetent.

    Windows firewall is configurable via group policy, with multiple profiles for both inside and outside of your network. Your perimeter firewall will NOT save your network from some arse-clown plugging in an infected box. It will NOT save your laptop from being infected whilst in use at a wifi hotspot.

    It will also not protect your network from some idiot plugging in an unsecured Wifi access point, or for that matter hopping onto a machine left logged in and unlocked.

    The perimeter firewall mitigates the bulk of the threats to your corporate network sure, but if you have nothing else to protect your internal hosts, you're leaving yourself open to getting screwed, big time.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  6. Re:Flash drives, tarballs, &c. by Imagix · Score: 4, Informative

    When the person who sits next to you gets infected, your desktop firewall still defends against his machine attempting to infect yours.

  7. Re:stating the obvious... by omglolbah · Score: 3, Informative

    It does help block the spread of a myriad of things internal to the network though.
    Personally I have seen the damage done to the office network at work due to a worm that came in through usb-sticks...

    While antivirus didn't detect the bugger, the thing couldn't spread to other machines due to the firewalls on individual machines blocking the vulnerable service.
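The scenario in comments 3, 6 and 7 (a neighbour's infected box hammering a vulnerable service, the host firewall dropping it, and the network being watched for suspicious patterns) is one where the desktop firewall earns its keep twice: it blocks the attempt, and its log is the evidence. The following is an added example, not code from the thread or from the PC Pro article. It assumes the Windows Firewall text log format (`pfirewall.log`, with its `#Fields:` header) and that those logs are collected centrally from several desktops; the log lines, host addresses and the port number chosen as "the vulnerable service" are all constructed for the example.

```python
"""Spot worm-style internal spreading from collected host-firewall DROP logs.

Added example, not from the Slashdot thread or the PC Pro article. Assumes
the Windows Firewall text log format (pfirewall.log) gathered from several
desktops. All sample log lines below are constructed; 10.1.4.0/24 is a
placeholder internal subnet.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Column order of the pfirewall.log "#Fields:" header.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path")

# Constructed sample: three desktops' logs merged. 10.1.4.23 sweeps the
# subnet on 445 in seconds (worm-like); 10.1.4.50 is a whitelisted file
# server; 10.1.4.61 touches three hosts on 445 but hours apart.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-03-01 09:15:02 DROP TCP 10.1.4.23 10.1.4.40 49211 445 52 S 3097456203 0 8192 - - - RECEIVE
2010-03-01 09:15:03 DROP TCP 10.1.4.23 10.1.4.41 49212 445 52 S 3097456204 0 8192 - - - RECEIVE
2010-03-01 09:15:03 DROP TCP 10.1.4.23 10.1.4.42 49213 445 52 S 3097456205 0 8192 - - - RECEIVE
2010-03-01 09:15:04 DROP TCP 10.1.4.23 10.1.4.43 49214 445 52 S 3097456206 0 8192 - - - RECEIVE
2010-03-01 09:16:10 ALLOW TCP 10.1.4.50 10.1.4.40 51000 445 52 S 1287733200 0 8192 - - - RECEIVE
2010-03-01 09:17:22 DROP TCP 10.1.4.61 10.1.4.40 52001 445 52 S 2200110011 0 8192 - - - RECEIVE
2010-03-01 09:18:00 DROP ICMP 10.1.4.23 10.1.4.40 - - 60 - - - - 8 0 - RECEIVE
2010-03-01 11:40:00 DROP TCP 10.1.4.61 10.1.4.42 52002 445 52 S 2200110012 0 8192 - - - RECEIVE
2010-03-01 11:40:01 DROP TCP 10.1.4.61 10.1.4.43 52003 445 52 S 2200110013 0 8192 - - - RECEIVE
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    action: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: str  # kept as text: ICMP rows carry "-" here
    path: str      # RECEIVE (inbound) or SEND (outbound)


def parse_line(line: str):
    """Parse one pfirewall.log row; return None for headers, blanks or malformed rows."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    row = dict(zip(FIELDS, parts))
    try:
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return Event(when, row["action"], row["protocol"], row["src_ip"],
                 row["dst_ip"], row["dst_port"], row["path"])


def _bursts(events, window, min_targets):
    """True if some span no longer than `window` holds >= min_targets distinct targets."""
    events = sorted(events)  # (when, dst_ip) pairs
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if len({dst for _, dst in events[start:end + 1]}) >= min_targets:
            return True
    return False


def find_sweeps(lines, port="445", min_targets=3, window_minutes=10):
    """Return {src_ip: sorted targets} for internal sources whose inbound
    attempts on `port` were DROPped by >= min_targets distinct hosts within
    `window_minutes`. Slow, hours-apart contacts are not flagged."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.action == "DROP" and ev.path == "RECEIVE" and ev.dst_port == port:
            hits[ev.src_ip].append((ev.when, ev.dst_ip))
    window = timedelta(minutes=window_minutes)
    return {src: sorted({dst for _, dst in evs})
            for src, evs in hits.items() if _bursts(evs, window, min_targets)}


if __name__ == "__main__":
    for src, targets in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src} swept {len(targets)} hosts on 445: {', '.join(targets)}")
```

The ALLOW row from the file server is ignored because the detection keys on what the host firewalls refused, which is exactly the traffic a perimeter device never sees; the 10-minute window is what separates a worm's sweep from a help-desk technician who legitimately visits three machines in a morning, and it should be tuned to the environment.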