Slashdot Mirror


Are Desktop Firewalls Overkill?

Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"


  1. stating the obvious... by digitalderbs · · Score: 5, Insightful

    why not both?

    1. Re:stating the obvious... by The Clockwork Troll · · Score: 5, Insightful

      Yes, this is why I lock the doors on my automobile but I leave the ignition key on the dashboard, and leave the glove compartment open and unlocked!

      Finally someone who sees things as I do!

      Also, first car analogy.

      --

      There are no karma whores, only moderation johns
    2. Re:stating the obvious... by Rasperin · · Score: 5, Funny

      Actually, I do lock my bedroom door at night. If someone breaks into my house I may not hear them but if they try to break into my room I'm most likely to hear them giving me time to grab my gun and get into a vantage point where I'm well protected from return fire but have a great shot on anyone walking through the door. Even if they knock down the door with the first strike they are likely to grab for the handle first which will wake me up and if it doesn't the kicking down the door part will allow me time to roll off the side of the bed and pull the gun from under my bed and load it.

      --
      WTF Slashdot, why do I have to login 50 times to post?
    3. Re:stating the obvious... by Megahard · · Score: 5, Funny

      my girlfriend sleeps with her bedroom door locked, even with the front door to her house locked down.

      I think this says more about you than about Windows and firewalls.

      --
      I eat only the real part of complex carbohydrates.
  2. Defense in Depth by rotide · · Score: 5, Insightful

    Maybe there are cases where running host-based firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.

    Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.

    "Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."

    Frankly, it sounds like he just wants to write an article with an absurd title to get clicks; nothing of value to see here.

  3. Defense in depth by Urban Garlic · · Score: 5, Informative

    The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.

    But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.

    Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.

    It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.

    --
    2*3*3*3*3*11*251
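
An added example, not part of the thread or of any commenter's setup: a minimal Python drift check that compares each host's observed inbound firewall rules against a centrally pushed standard config of the kind described in the comment above, flagging ports that were opened or closed locally and allow-lists that were widened. The rule format, host names, subnets and sample data are all constructed for illustration.

```python
import ipaddress

# Constructed baseline: the standard config pushed to every workstation.
# Maps (protocol, port) -> source networks allowed to connect.
BASELINE = {
    ("tcp", 22): ["10.0.5.0/24"],      # admin subnet only
    ("tcp", 3389): ["10.0.5.0/24"],
    ("udp", 5353): ["10.0.0.0/16"],
}

# Constructed observations, as an inventory agent might report them.
OBSERVED = {
    "ws-014": {("tcp", 22): ["10.0.5.0/24"], ("tcp", 3389): ["10.0.5.0/24"],
               ("udp", 5353): ["10.0.0.0/16"]},
    "ws-027": {("tcp", 22): ["0.0.0.0/0"], ("tcp", 3389): ["10.0.5.0/24"],
               ("udp", 5353): ["10.0.0.0/16"], ("tcp", 8080): ["0.0.0.0/0"]},
    "ws-031": {("tcp", 22): ["10.0.5.0/24"], ("udp", 5353): ["10.0.0.0/16"]},
}

def widened(allowed, observed):
    """True if any observed source network is not contained in the baseline."""
    base = [ipaddress.ip_network(c) for c in allowed]
    seen = [ipaddress.ip_network(c) for c in observed]
    return any(not any(o.subnet_of(b) for b in base) for o in seen)

def drift(baseline, rules):
    """List (kind, proto, port) deviations of one host from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(rules)):
        proto, port = key
        if key not in baseline:
            findings.append(("opened", proto, port))    # user-added port
        elif key not in rules:
            findings.append(("closed", proto, port))    # pushed rule removed
        elif widened(baseline[key], rules[key]):
            findings.append(("widened", proto, port))   # allow-list broadened
    return findings

def audit(baseline, observed):
    """Return only the hosts that deviate, with their findings."""
    return {host: f for host, rules in sorted(observed.items())
            if (f := drift(baseline, rules))}

if __name__ == "__main__":
    for host, findings in audit(BASELINE, OBSERVED).items():
        for kind, proto, port in findings:
            print(f"{host}: {kind} {proto}/{port}")
```
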
  4. Defense in depth by TopSpin · · Score: 5, Insightful

    The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.

    This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.

    --
    Lurking at the bottom of the gravity well, getting old
  5. Re:Dude... by Profane MuthaFucka · · Score: 5, Funny

    My plan is to run downstairs, get a bucket and fill it with water. Then I'll balance it on my door. Then I go back downstairs and bake a pie. After it cools, I take it upstairs and find a good place to attack from. When the intruder comes in the bucket of water will soak him head to toe, and that's when I hit him in the face with the pie. My pies are AWESOME so when he stops to eat the pie, I sneak around him and run out the front door naked. Someone is bound to see me naked and call the cops on me. When they show up I can explain that I'm naked because I didn't have time to pull on some shorts and also bake a pie. I had to choose just one thing to save my life.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!