Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are Desktop Firewalls Overkill?

Posted by CmdrTaco on from the not-in-my-office dept.

Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"

29 of 440 comments (clear)

  1. stating the obvious... by digitalderbs · · Score: 5, Insightful

    why not both?

    1. Re:stating the obvious... by Java+Pimp · · Score: 4, Informative

      Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    2. Re:stating the obvious... by somersault · · Score: 4, Insightful

      Seconded. This was going to be my exact comment.

      It's like saying "We don't need seatbelts anymore - we have airbags!"

      --
      which is totally what she said
    3. Re:stating the obvious... by Gadget_Guy · · Score: 4, Interesting

      The article started to address this, but failed miserably.

      One group will undoubtedly be saying "there's no harm in running both client- and server-side firewalls, so why even contemplate the heresy of turning off the built-in Windows firewall?" You would of course be right, except for one thing - it's actually quite hard to turn off the built-in firewall

      Ah, what? The reason for not turning off the firewall is that it is hard to turn off the firewall? That makes no sense at all. It also doesn't seem too hard to me. In Win7, type firewall into the start menu search box and click on Windows Firewall. From there, choose "turn firewall on or off".

      The reason for leaving the firewall on is to give a last line of defence if someone gets around the server protection. It also acts as a barrier when idiots decide to add an unauthorised wireless access point onto the network.

    4. Re:stating the obvious... by The+Clockwork+Troll · · Score: 5, Insightful

      Yes, this is why I lock the doors on my automobile but I leave the ignition key on the dashboard, and leave the glove compartment open and unlocked!

      Finally someone who sees things as I do!

      Also, first car analogy.

      --

      There are no karma whores, only moderation johns
    5. Re:stating the obvious... by KarrdeSW · · Score: 4, Insightful

      There is often-times a lot of overlap, so that the desktop filters are made redundant.

      This is only true if your company never has anybody bring in a USB Flash Drive which could have potentially been infected on their home computer or on another company's system.

    6. Re:stating the obvious... by postbigbang · · Score: 4, Insightful

      There is no such thing as a secure perimeter, especially when the majority of attacks come with in "secure perimeters". Jon Honeyball is an idiot, and PC Pro just dropped another notch. His heavily caveated article doesn't have the common sense that God gave to a goose.

      Each and every device that's connected in a network is potentially infected, rogue, and looking for others to maim. Every machine needs to be evaluated separately for its risk profile, as he mentions-- but you simply can't remove device security in the belief that other firewalls or services will do the unerring job of controlling the safety of a network. Run, don't walk, away from the concept of secure perimeters.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:stating the obvious... by meloneg · · Score: 4, Insightful

      Well, most corporate networks are a lot more like those garages at some apartments. I have my own garage door. I can lock it. But, there is no wall between my car and my neighbors car.

      If I can absolutely trust everyone of my neighbors (current and future and maybe past, if they kept a key), I don't need to lock my car.

    8. Re:stating the obvious... by Rasperin · · Score: 5, Funny

      Actually, I do lock my bedroom door at night. If someone breaks into my house I may not hear them but if they try to break into my room I'm most likely to hear them giving me time to grab my gun and get into a vantage point where I'm well protected from return fire but have a great shot on anyone walking through the door. Even if they knock down the door with the first strike they are likely to grab for the handle first which will wake me up and if it doesn't the kicking down the door part will allow me time to roll off the side of the bed and pull the gun from under my bed and load it.

      --
      WTF Slashdot, why do I have to login 50 times to post?
    9. Re:stating the obvious... by Megahard · · Score: 5, Funny

      my girlfriend sleeps with her bedroom door locked, even with the front door to her house locked down.

      I think this says more about you than about Windows and firewalls.

      --
      I eat only the real part of complex carbohydrates.
    10. Re:stating the obvious... by Culture20 · · Score: 4, Interesting

      Keeping workstation firewalls on behind network level firewalls is like locking the door of each room of your house as you pass through it. Unlock, open, go through, shut, and lock. Suddenly, the security measures outweigh their usefulness.

      That depends: Do you live in a neighborhood where someone jiggles your front door handle every few seconds? Do you live in an apartment with roommates? Are the roommates close friends of yours, or only real-estate associates? Do your roommates bring over people you don't know? Do your roommates or roommates' friends jiggle your bedroom door handle occasionally to see if they can steal something? This would be more close to the computer analogy.

    11. Re:stating the obvious... by Rick17JJ · · Score: 4, Interesting

      I would prefer to have a solid core or metal door with a good sturdy slide bolt for my bedroom. Most master bedrooms just have a hollow core door that an intruder could easily kick his foot through. I mentioned having a slide bolt, because bedrooms typically have a bathroom door style lock which can quickly be opened with a screwdriver. I would also want a good strong door frame. I would probably have just enough time to quickly get my .356 magnum from the pistol safe (or a shotgun if I ever get one). I should start regularly practicing opening the push-button combination lock quickly.

      Unfortunately, my knowledge and experience with guns is very limited. If possible, I would prefer to position myself in a direction where any missed shots would be least likely to hit neighbors after passing through the walls. I wonder if shooting from behind a water bed would protect me from handgun bullets or not? Perhaps the distinctive sound of a pump type shotgun loading a shell into the chamber would discourage the intruders from continuing to try to break down the bedroom door.

      Unfortunately, all I have ever had, anywhere I have ever lived, is flimsy hollow core exterior doors and hollow core bedroom doors.

      Late at night, a few years ago, I had a minor encounter with a burglar who was trying to open the front door. I looked through the window in the front door and there was his face on the other side of the glass about two feet away from my face. We both started each other. There I was, unarmed and face to face with some guy who was covered with prison tattoos. As he took off, I noticed that there was also another guy who had been hiding in the bushes along side the building.

      Perhaps, looking through the door's window face to face with the burglar was not the brightest thing to do, but it did scare them off. A sheriffs deputy later examined the minor damage to one window on the side of the building, and also the minor damage both the front and rear door frames and one striker plate. He wrote up a report.

  2. I guess he's not heard of defense-in-depth then... by Zocalo · · Score: 4, Insightful

    I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?

    Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...

    --
    UNIX? They're not even circumcised! Savages!
  3. Re:Flash drives, tarballs, &c. by DJ+Jones · · Score: 4, Informative

    Not to mention network attacks that originate inside your NAT. For example: that dumb ass down the hall who keeps clicking on viagra links in his emails.

    What are you going to do? Put a hardware firewall on every cord?

  4. Desktop firewalls are necessary by teridon · · Score: 4, Insightful

    Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P

    --
    I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
  5. Defense in Depth by rotide · · Score: 5, Insightful

    Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.

    Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.

    "Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."

    Frankly, it sounds like he just wants to write an article with an absurd title to get clicks, nothing of value to see here

  6. Re:Hardly Overkill by drinkypoo · · Score: 4, Insightful

    Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body.

    That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?

    The desktop firewall is completely necessary. It is, however, also inadequate.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Machine firewalls == symptom of bad design by HBI · · Score: 4, Interesting

    A machine firewall does what...it protects the computer from the listening ports that the OS allowed ITSELF to open.

    A simple correspondence list of listening port to application would have killed this issue dead at the beginning. Of course, then people would ask why so much crap needs to be open by default on Microsoft operating systems. For added hilarity, the OS now allows applications to insert their own machine firewall exceptions.

    And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  8. Defense in depth by Urban+Garlic · · Score: 5, Informative

    The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.

    But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.

    Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.

    It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.

    --
    2*3*3*3*3*11*251
  9. Defense in depth by TopSpin · · Score: 5, Insightful

    The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.

    This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.

    --
    Lurking at the bottom of the gravity well, getting old
  10. Funny you should mention that... by denzacar · · Score: 4, Insightful

    I was given that very advice recently while strapping on the seat-belt.
    From a nurse, no less.

    And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just couple of minutes down the road."...

    --
    Mit der Dummheit kämpfen Götter selbst vergebens
    1. Re:Funny you should mention that... by IndustrialComplex · · Score: 4, Insightful

      Indeed. I actually have a high standard of driving, but I also prefer my passengers to wear their seatbelts ;)

      No matter how well someone drives, it only takes some other idiot who can't drive to cause an accident. If you are observant then hopefully you can reduce the risk of any accident actually being serious, but still, the risk is always there. This is why I don't have a motorbike.

      Seatbelts also serve a secondary purpose to preventing injury. They keep you in a position to still operate the vehicle.

      Accident occurs no seatbelt: The driver will probably be thrown from the seat, or jarred from the proper driving position. As a result, the vehicle is out of control from the moment that the driver lost contact with the wheel. This could increase the number of vehicles involved in the accident, injure others, or further damage the driver's vehicle if a secondary impact occurs.

      Prior to accident no seatbelt: In attempting to avoid an accident, the driver could be forced from their seat during a swerve, as a result, they may not be able to avoid the accident at best, at worst they could exacerbate the accident as they are now out of control of their vehicle.

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    2. Re:Funny you should mention that... by interkin3tic · · Score: 4, Funny

      But in the event of an accident, those people who are not belted in will be thrown free of the car to relative safety whereas those belted in will be strapped into a deathcage which could easily catch fire!!!

  11. Err, what? by Penguinisto · · Score: 4, Informative

    Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  12. Re:Flash drives, tarballs, &c. by Imagix · · Score: 4, Informative

    When the person who sits next to you gets infected, your desktop firewall still defends against his machine attempting to infect yours.

  13. Part of the problem with PC security.... by QuietLagoon · · Score: 4, Insightful
    ... is that people, like this Jon Honeyball guy, who do not have a clue about computer security, are telling people how computer security should be done.

    .
    As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.

    Maybe the next thing than Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.

  14. How about an application level firewall... by CajunArson · · Score: 4, Insightful

    I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded" While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  15. Outgoing firewall: Yes. Incoming firewall: why? by kc8jhs · · Score: 4, Insightful

    The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?

    An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.

  16. Re:Dude... by Profane+MuthaFucka · · Score: 5, Funny

    My plan is to run downstairs, get a bucket and fill it with water. Then I'll balance it on my door. Then I go back downstairs and bake a pie. After it cools, I take it upstairs and find a good place to attack from. When the intruder comes in the bucket of water will soak him head to toe, and that's when I hit him in the face with the pie. My pies are AWESOME so when he stops to eat the pie, I sneak around him and run out the front door naked. Someone is bound to see me naked and call the cops on me. When they show up I can explain that I'm naked because I didn't have time to pull on some shorts and also bake a pie. I had to choose just one thing to save my life.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!