Slashdot Mirror


Are Desktop Firewalls Overkill?

Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"

5 of 440 comments

  1. Re:stating the obvious... by Java Pimp · Score: 4, Informative

    Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.

    --
    Ascalante: Your bride is over 3,000 years old.
    Kull: She told me she was 19!

  2. Re:Flash drives, tarballs, &c. by DJ Jones · Score: 4, Informative

    Not to mention network attacks that originate inside your NAT. For example: that dumb ass down the hall who keeps clicking on viagra links in his emails.

    What are you going to do? Put a hardware firewall on every cord?

  3. Defense in depth by Urban Garlic · Score: 5, Informative

    The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assedness and tendency to get in the way, thereby consuming support hours.

    But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.

    Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.

    It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.

    --
    2*3*3*3*3*11*251
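The "standard config that gets pushed out to all the systems" in the comment above is the part of the argument that a desktop firewall sceptic tends to skip: a host firewall only turns into a "fog of barely managed faux security devices" when it is managed per machine. Below is an added example of what such a pushed baseline can look like on Windows, written for this page and not taken from the article or any commenter. It uses the real NetSecurity cmdlets (Set-NetFirewallProfile, New-NetFirewallRule, Get-NetFirewallRule, Remove-NetFirewallRule); the subnets, the port choices and the rule group name 'Baseline' are assumptions chosen for illustration. It enforces default-deny inbound on every profile, allowlists management and client subnets per role, explicitly blocks workstation-to-workstation SMB (which also covers the infected-neighbour case raised elsewhere in the thread), and turns on drop logging so the central gatekeepers can monitor what the hosts block.

```powershell
# Added example (not from the article or the commenters): a host-firewall baseline that a
# central policy could push to every domain workstation and server.
# Assumptions, constructed for this example: management/jump hosts live in 10.0.100.0/24,
# ordinary user workstations in 10.0.50.0/24, and a separate agent ships the local drop log
# to the central monitoring system. Requires the NetSecurity module (Windows 8 / Server 2012
# or later) and an elevated session.
param(
    [ValidateSet('Workstation', 'Server')]
    [string]$Role = 'Workstation'   # same script, different allowlists per role
)

$MgmtSubnet   = '10.0.100.0/24'   # assumption: admin workstations and jump hosts
$ClientSubnet = '10.0.50.0/24'    # assumption: end-user workstations
$RuleGroup    = 'Baseline'        # tag so the pushed rules can be replaced idempotently
$LogPath      = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Default-deny inbound on all three profiles, outbound left open, dropped packets logged.
#    Logging is what makes the host layer visible to the "trusty gatekeepers" upstream.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 32767

# 2. Replace any earlier copy of the baseline so re-running the push never duplicates rules.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Management access (RDP, WinRM, ICMP echo) only from the management subnet.
New-NetFirewallRule -DisplayName 'Baseline: RDP from management' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Baseline: WinRM from management' -Group $RuleGroup `
    -Direction Inbound -Protocol TCP -LocalPort 5985 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Baseline: ICMPv4 echo from management' -Group $RuleGroup `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain

# 4. Role-specific allowlist, the host-level equivalent of the server "white-lists of allowed clients".
if ($Role -eq 'Server') {
    # Clients may reach the served application port; SMB is for administrators only.
    New-NetFirewallRule -DisplayName 'Baseline: HTTPS from clients' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 443 `
        -RemoteAddress $ClientSubnet -Action Allow -Profile Domain
    New-NetFirewallRule -DisplayName 'Baseline: SMB from management' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain
}
else {
    # Explicit block, not just the default deny: in Windows Firewall a Block rule wins over any
    # Allow rule, so a later-enabled "File and Printer Sharing" rule cannot silently reopen
    # workstation-to-workstation SMB, the path a worm on the next desk would use.
    New-NetFirewallRule -DisplayName 'Baseline: block SMB from other workstations' -Group $RuleGroup `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $ClientSubnet -Action Block -Profile Domain, Private, Public
}

# 5. Show what was applied, which is also the check a pushed job should report back.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, LogBlocked
Get-NetFirewallRule -Group $RuleGroup | Format-Table DisplayName, Direction, Action, Profile, Enabled
```

Run with `-Role Server` on application hosts and with the default on workstations; because every rule carries the same group tag, step 2 makes the script safe to re-run from a scheduled push. The explicit SMB block in the workstation branch is deliberate: default-deny alone is undone the moment someone enables a built-in allow rule, whereas a block rule stays in force regardless.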

  4. Err, what? by Penguinisto · Score: 4, Informative

    Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?

  5. Re:Flash drives, tarballs, &c. by Imagix · Score: 4, Informative

    When the person who sits next to you gets infected, your desktop firewall still defends against his machine attempting to infect yours.