Are Desktop Firewalls Overkill?
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
why not both?
I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know-how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client-based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?
Oh, right. You want to have a major clean-up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...
UNIX? They're not even circumcised! Savages!
Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
Maybe there are cases where running host-based firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.
Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.
"Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."
Frankly, it sounds like he just wants to write an article with an absurd title to get clicks. Nothing of value to see here.
Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.
That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?
The desktop firewall is completely necessary. It is, however, also inadequate.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.
This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.
Lurking at the bottom of the gravity well, getting old
I was given that very advice recently while strapping on the seat-belt.
From a nurse, no less.
And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just a couple of minutes down the road."...
Against stupidity the gods themselves contend in vain.
As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.
Maybe the next thing that Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.
I know that ZoneAlarm is obnoxious, but on a desktop the best "firewall" isn't a port- and address-based filter, but instead an application-layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded." While this doesn't protect you from everything (like the browser itself being hijacked), it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.
AntiFA: An abbreviation for Anti First Amendment.
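Added example, not from the thread or from PC Pro: the two host-firewall patterns argued for above, the earlier post's "remote admin only from the management subnet, DNS only to the official resolvers" and this post's "only the installed browser gets out", written as Windows Firewall rules in PowerShell (NetSecurity module, Windows 8 / Server 2012 and later, elevated prompt). The subnet, resolver addresses and browser path are constructed placeholders.

```powershell
# Added example, not from the thread. Run elevated on Windows 8 / Server 2012
# or later. Every address and path below is a constructed placeholder.
$Group      = 'Example host hardening'        # tag so the set can be listed/removed
$MgmtSubnet = '10.10.50.0/24'                 # constructed: IT/management workstations
$DnsServers = @('10.10.1.10', '10.10.1.11')   # constructed: the official resolvers
$Browser    = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # constructed path

# 0. Default-deny both ways on the profiles a domain desktop actually uses.
#    Everything not explicitly allowed below is dropped. Expect to add allow
#    rules for Windows Update, the proxy, mail, etc. before rolling this out.
Set-NetFirewallProfile -Profile Domain,Private `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 1. Remote admin (RDP here) reachable only from the management subnet.
#    Do NOT add a companion "block 3389 from anywhere" rule: Windows Firewall
#    lets Block rules win over Allow rules, so it would lock out the
#    management subnet too. The default inbound Block above covers the rest.
New-NetFirewallRule -Group $Group -DisplayName 'RDP from mgmt subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain

# 2. DNS only to the official resolvers; any other resolver is caught by the
#    default outbound Block, which is what stops malware using its own DNS.
New-NetFirewallRule -Group $Group -DisplayName 'DNS to official resolvers' `
    -Direction Outbound -Protocol UDP -RemotePort 53 `
    -RemoteAddress $DnsServers -Action Allow

# 3. Per-program egress: the installed browser may speak HTTP/HTTPS; a
#    "random program you just downloaded" has no rule and is dropped.
New-NetFirewallRule -Group $Group -DisplayName 'Browser web egress' `
    -Direction Outbound -Program $Browser -Protocol TCP -RemotePort 80,443 `
    -Action Allow

# Review the rule set. Remove-NetFirewallRule -Group $Group undoes it.
Get-NetFirewallRule -Group $Group |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

Test each rule against a live host before pushing it by Group Policy; a default-outbound Block applied without the supporting allow rules is the quickest way to take a desktop off the network.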
The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?
An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.