
Are Desktop Firewalls Overkill? 440

Posted by CmdrTaco
from the not-in-my-office dept.
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
  • by digitalderbs (718388) on Wednesday September 22, 2010 @11:35AM (#33663212)
    why not both?
    • by Java Pimp (98454) <java_pimpNO@SPAMyahoo.com> on Wednesday September 22, 2010 @11:38AM (#33663278) Homepage

      Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.

      • by Hatta (162192)

        Layers are good, but desktop firewalls are the wrong solution. Instead of blocking ports, just don't open them in the first place.

        • by 0123456 (636235)

          Layers are good, but desktop firewalls are the wrong solution. Instead of blocking ports, just don't open them in the first place.

          So then, how do I allow a few of the Linux machines on my network to access my server and none of the Windows machines? I either put another firewall box between the server and the network or I put a firewall on the server.

      • by mcgrew (92797) *

        TFA agrees: "I don't recommend you do this, but it's useful to know that you can should you decide to install some third-party protection scheme... Even so, and this is the big issue, I'm a total advocate of the layered-onion approach to security within a company..."

    • by somersault (912633) on Wednesday September 22, 2010 @11:40AM (#33663312) Homepage Journal

      Seconded. This was going to be my exact comment.

      It's like saying "We don't need seatbelts anymore - we have airbags!"

      • by denzacar (181829) on Wednesday September 22, 2010 @11:48AM (#33663512) Journal

        I was given that very advice recently while strapping on the seat-belt.
        From a nurse, no less.

        And I wish I had a dime every time someone told me "You don't need the seatbelt - there are no cops around here/I know the cops around here/it's just couple of minutes down the road."...

        • by alta (1263)

          With the way I drive, I feel insecure not having a seatbelt. Hell, I should get a 5point harness...

          At least I've never done this with my pathfinder
          http://www.youtube.com/watch?v=qvDBWX8-iB0 [youtube.com]

    • Re: (Score:3, Insightful)

      by socsoc (1116769)
      No kidding, desktop firewalls protect against threats on your internal network. They aren't a replacement, but a complement to your border protection.
      • by CAIMLAS (41445)

        They are a necessity in a scenario where the most active threat is actually sitting at the computers in question.

        Desktops, regardless of their type, should be on their own networks with means to filter/actively block traffic, if at all possible. They should also have individual firewalls which inhibit any incoming connections and block unapproved traffic going out.

        With as easy as it has become for a Windows workstation to be infected, doing anything else is asking for infosec breaches.

    • Re: (Score:2, Insightful)

      by rs1n (1867908)
      It's system resources that could be better put to use, however little (that gets used by the desktop firewall) this may be. My personal reason for not really caring for Windows' built-in firewall setup is that there is almost no configuration beyond clicking a button that says "turn on" or "turn off" the feature and a list in which you can add program exceptions. The problem with a completely configurable firewall is that most users don't know what the hell they have to do to set up good rules. On the othe
      • by aster_ken (516808)

        On Windows XP this is certainly true, but both Windows Vista and Windows 7 have a more sophisticated firewall configuration tool under Administrative Tools. Since the article also talks about server operating systems, I should note that Windows Server 2003 SP1 and later also include this tool.

    • Re: (Score:3, Insightful)

      by sdnoob (917382)

      Because the typical computer USER doesn't know squat about network or system security.

    • Defense in depth (Score:5, Insightful)

      by TopSpin (753) on Wednesday September 22, 2010 @11:46AM (#33663476) Journal

      The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.

      This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        I had to search for "defense in depth". No one else mentions this at this point.

        It's obvious, the more obstacles for an attack, the better.

        Desktop firewalls have evolved from only being packet filters. Some have stateful inspection, some have HIDS functionality (e.g. allow firefox.exe with md5sum "X" from being executed) and are now increasingly combined with Antivirus/antimalware software.

        Depending on them is dangerous, but all together they form a layering of defense mechanisms that either stop or slow down an

      • by mlts (1038732) *

        Maybe this is a good argument for having NICs that have hardware firewalling. This way, Windows can be left wide open, but unless the hardware configuration utility is explicitly run to open ports on the NIC, nothing will be able to get in, except perhaps ping, and if done right, the hardware card would handle that [1], and not let that touch the OS at all. Couple this with an outgoing rule to block port 25 out so if the laptop does get rooted, it won't turn into a spam server, and that is a decent securi

      • Re: (Score:3, Insightful)

        by hodet (620484)
        While I agree this is pretty straightforward there are no stupid questions. Anyone that instills that atmosphere in our meetings is equally a liability. This was a "dumb" question that has been well answered by many posts, including the first part of your answer.
      • Re: (Score:3, Funny)

        by demonbug (309515)

        The most important "desktops" are the laptops that get hauled around airports by the powers that be. Relying exclusively on your servers/switches to isolate your "desktops" doesn't work in a Beijing hotel.

        This really is too obvious to be worth mentioning. Anyone indulging this non-debate is a liability.

        Don't be silly. Haven't you heard of the Great Firewall of China? Clearly, it is completely unnecessary to worry about a laptop getting infected in Beijing, as it has been behind a firewall the whole time.

    • by Gadget_Guy (627405) * on Wednesday September 22, 2010 @11:49AM (#33663524)

      The article started to address this, but failed miserably.

      One group will undoubtedly be saying "there's no harm in running both client- and server-side firewalls, so why even contemplate the heresy of turning off the built-in Windows firewall?" You would of course be right, except for one thing - it's actually quite hard to turn off the built-in firewall

      Ah, what? The reason for not turning off the firewall is that it is hard to turn off the firewall? That makes no sense at all. It also doesn't seem too hard to me. In Win7, type firewall into the start menu search box and click on Windows Firewall. From there, choose "turn firewall on or off".

      The reason for leaving the firewall on is to give a last line of defence if someone gets around the server protection. It also acts as a barrier when idiots decide to add an unauthorised wireless access point onto the network.

    • by fwarren (579763)

      The problem lies with the fact that dial-up users were getting owned. People on broadband were able to rely on the firewall in their cable/DSL modem.

      What Microsoft should have done is have a security policy where the firewall is turned on and off with a dial up connection.

    • Because it has a cost if you do it properly.
      And the gain on top of your point-of-entry firewall is only marginal.
    • Re: (Score:3, Funny)

      by alta (1263)

      I prefer using desktop traffic to restrict ports 1-65535 tcp/udp outbound on the client machines. It helps keep them focused.

  • I prefer the phrase "completely inadequate."

    Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.

    • by nizo (81281) *

      Huh?

      So I shouldn't turn on my firewall when I am in a coffee shop? Assuming I only use ssh and ssl, theoretically with my firewall in place I couldn't care less what kind of nastiness is floating all around me.

    • Kind of like Wolverine? Cool!

    • Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.

      So it's a second layer of defense for your internal organs? That's a bad thing, how?

    • Re:Hardly Overkill (Score:5, Insightful)

      by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday September 22, 2010 @11:42AM (#33663372) Homepage Journal

      Putting the firewall on the machine it's meant to protect is like wearing a bulletproof vest inside your body.

      That's really not true. The firewall on the machine is an effective part of an overall strategy. It helps protect your systems from rogue nodes, for example. To have them non-firewalled is foolish. Why expose ports unnecessarily?

      The desktop firewall is completely necessary. It is, however, also inadequate.

      • Re: (Score:3, Insightful)

        by geminidomino (614729)

        ...The firewall on the machine is an effective part of an overall strategy...The desktop firewall is completely necessary. It is, however, also inadequate.

        That was my entire point. That's why I said "inadequate" and not "useless".

        It drives me nuts that Microsoft will put a goddamn HTML rendering engine in the kernel, but apparently decent packet filtering is better left to the likes of *hock-ptooey* ZoneAlarm et al.

    • "Putting the firewall on the machine its meant to protect is like wearing a bulletproof vest inside your body."

      The Slashdot user name "BadAnalogyGuy" is already taken ... and at the risk of being modded down, might I suggest learning about computer security before pretending you understand it on Slashdot?

  • by Zocalo (252965) on Wednesday September 22, 2010 @11:38AM (#33663282) Homepage
    I'll give him the benefit of the doubt in that the use of the term "desktop" means just that and excludes mobile devices that might be connected up to uncontrolled and potentially insecure networks, but even so this is still dumb. There are plenty of security applications out there, on all OS platforms, that allow centrally managed security policies to be pushed out to clients, so why wouldn't you use one if you have the budget and know how? For instance, if you know the IPs of your IT/management workstations (you did put them all in the same subnet, right?), then why on earth wouldn't you lock down access to your client based remote admin tools to just that subnet? Equally, why would you want your desktops to be able to connect to any other key server (DNS, SMTP, Proxy...) other than the official ones?

    Oh, right. You want to have a major clean up operation and all the business disruption that entails on your hands the next time some worm using a 0-day exploit manages to get inside your network and runs rampant. That's an approach that is (allegedly) working out real well for the techs at Iran's Bushehr nuclear plant right now...
  • ...that you have uninterrupted flow of shared network resources on your network. Unless, of course, permissions are set up to prevent that.

    I run a hard firewall and gateway at home as well as MAC address access so I can keep others off of my wired and wireless networks without having to compromise the ease of use a home network should allow. It's nice being able to have a media center with data files, and attached carousel drives so I can actually watch any movie or listen to any music from any spot in my h

  • by teridon (139550) on Wednesday September 22, 2010 @11:41AM (#33663340) Homepage
    Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network. Especially when the guy next to you clicks on a genuine-looking link in a forged email :-P
    • And then the virus disables the desktop firewall so it can spread. What's your point?
      • Re: (Score:3, Insightful)

        by 0123456 (636235)

        And then the virus disables the desktop firewall so it can spread. What's your point?

        How is a virus on someone else's machine going to disable the firewall on my machine?

    • Server-based and gatekeeper solutions are useless when the compromise comes from other systems on the same network.

      Also, the server firewall is pretty much unable to deal with filtering outbound traffic in a nice way. The desktop firewall is integrated into the system, and can query the OS for important information. This allows the desktop firewall to know that the IP packet destined for some random IP's port 80 came from firefox rather than some other software which (without the user's consent) is spying and sending data back to its maker. The desktop based firewall can then pop up a nice prompt to let the user know a

  • Defense in Depth (Score:5, Insightful)

    by rotide (1015173) on Wednesday September 22, 2010 @11:41AM (#33663352)

    Maybe there are cases where running host based Firewalls and/or IPS is overkill. But you _never_ pretend that you've got security 100% covered. It's great to think you have security locked down, but threats come from _all_ angles.

    Case in point, I don't care how good your external firewall/IPS is if John in Sales decides to try and break into a server on the LAN. Hence, Defense in Depth. Multiple layers of security all the way down to the OS. Sure, that desktop over there might contain _no_ critical data whatsoever. That doesn't mean it won't end up becoming a SPAM bot or have a backdoor installed for easy LAN access.

    "Here’s a contentious topic to chew on, but before I go any further let me make something crystal clear – I’m not advocating that you try this, I’m not saying it’s a good idea, and I’m not saying I would do it on my own networks."

    Frankly, it sounds like he just wants to write an article with an absurd title to get clicks, nothing of value to see here

  • by HBI (604924) <{kparadine} {at} {gmail.com}> on Wednesday September 22, 2010 @11:43AM (#33663394) Homepage Journal

    A machine firewall does what...it protects the computer from the listening ports that the OS allowed ITSELF to open.

    A simple correspondence list of listening port to application would have killed this issue dead at the beginning. Of course, then people would ask why so much crap needs to be open by default on Microsoft operating systems. For added hilarity, the OS now allows applications to insert their own machine firewall exceptions.

    And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.

    • Re: (Score:2, Insightful)

      by Zero__Kelvin (151819)

      "A machine firewall does what...it protects the computer from the listening ports that the OS allowed ITSELF to open."

      Sure it does that, but it does a lot more. For example, I might want to allow ssh access from one, a few, or all systems on my internal LAN, but block them from the other side of the DMZ. Just how do you propose to do that without a firewall local to the machine?

      "And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall

    • by gman003 (1693318)

      And before I hear about pf and iptables, you do not need to run those. A well managed system on those platforms needs a firewall like it needs trepanning.

      pf on my desktop may be overkill, but then again, there's no kill like overkill.

  • If you can control every network connection behind your main firewall, and every machine, and can verify they are all always patched and malware free at all times. Of course laptops that travel around and places where anything can be plugged in pretty much make this impossible.

  • by h00manist (800926) on Wednesday September 22, 2010 @11:44AM (#33663432) Journal
    In order to get a terminal which does something as simple as read all websites, it has to support a ton of bloated technologies, which more or less forces you to run some expensive bloaty OS, with a bunch of other protections. Gigabytes of support libraries to display a page. Websites are supposed to be universally readable. Thankfully now mobile devices are popular and low-powered, perhaps now the universal-readable concept and argument will gain more strength over the most-visual-selling argument.
  • ... film at 11.

    seriously.

  • Defense in depth (Score:5, Informative)

    by Urban Garlic (447282) on Wednesday September 22, 2010 @11:45AM (#33663450)

    The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.

    But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.

    Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.

    It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.

    • by omglolbah (731566)

      Working in the process control industry I can attest to firewalls sometimes being a pain in the ass...

      But I am more than willing to live with having to open a port every leap year.. I've done it once in 2 years and the firewall is not that permissive of stuff...

      And I run all kinds of crud on the machine.. ModbusTCP simulators, serial server connections on odd ports, PLC programming tools over tcp/ip and various other odds and ends.. Most of it is whitelisted already, but on the odd chance that it isn't I whi

  • Generally, I view the software firewall as adding a final all around security strategy to the protection afforded by your hardware firewall, but there's a catch. Hardware firewall is there for prevention and mostly to block "bad stuff " from coming in and occasionally from going out. The software firewall is more of an alert system. Generally, I find it more useful for being alerted to opening up potential attack vectors than anything. If you run a program that opens up some ports you are alerted to it and

  • Err, what? (Score:5, Informative)

    by Penguinisto (415985) on Wednesday September 22, 2010 @11:50AM (#33663560) Journal

    Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.

  • And this, ladies and gentlemen, is why John Honeyball is writing about IT, rather than actually solving any problems with it.
    That, or possibly the other way around. It's hard to judge cause and consequences.

    But, lest anybody be confused, there is no single point where security is not a concern. The only way to reach adequate (heh) security is to stop all components from doing more than they need, rather than just one. A functioning such approach pretty much obsoletes the need for specific "security devices" s

    • In defence of John H, he does purport to do other IT sysadmin stuff other than just write about it all the time.

      That said, this article has lost any credibility he once had in my eyes.
      Sure, have multi-level firewalls to protect the nasties from getting in.
      Are you then going to stop every laptop, every wifi-connectable device being brought onto your premises by visitors from connecting to your network?
      Ok, a lot of companies already do this by confiscating all mobiles but that is mostly to stop people with camer

  • Ever since man invented the wall, first around his own house, then around the village and eventually around an entire city, they have still kept locks on their doors (where available)

    If something penetrates the outer defence you need to keep yourself secure in your own dwelling, and you also need to have some security against a threat from within.

    Firewalls should be on every PC capable of storing information separate from the server (so, a dumb terminal needs no security beyond logon scripts etc)

    The End.

  • by QuietLagoon (813062) on Wednesday September 22, 2010 @12:00PM (#33663756)
    ... is that people, like this Jon Honeyball guy, who do not have a clue about computer security, are telling people how computer security should be done.

    As many others here have mentioned, computer security is multi-level. Per-computer firewalls have as much of a place in security plans as do network edge firewalls.

    Maybe the next thing that Mr. Honeyball will be advocating is that PC programs and operating systems do not need to be secure because the network is protected by a firewall.

  • Other posters have pointed out the obvious. What if your LAN firewall is breached? What if there's a rogue computer brought into your network? Rogue flash drive? Or just Rogue? She could absorb all your powers and then you wouldn't be IT. You'd be just. like. everyone. else.

    One of our departments runs egress filtering on their desktops -- only certain applications and external ports can be accessed: 80, 22, 443, etc. If a computer gets infected by a new virus, it can't jump from computer to computer

  • I have yet to actually find an instance where a desktop firewall helped in any way. Mostly they just get in the way of things and create another piece of software that has to be naggingly trained and updated.
  • YES.

    There are all sorts of nasty things that can be done unless incoming IP access is filtered. Worms are spread in this way.

    If you aren't using a door, leave it closed.

  • by CajunArson (465943) on Wednesday September 22, 2010 @12:18PM (#33664130) Journal

    I know that ZoneAlarm is obnoxious but on a desktop the best "firewall" isn't a port & address based filter, but instead an application layer firewall that can say "Hey, the officially installed web browser can go out on port 80, but not some random malware you just downloaded" While this doesn't protect you from everything (like the browser itself being hijacked) it can make a big difference in stopping any old program that wants to go to a random website. One of my biggest issues with Linux is that this type of security isn't even possible short of using some of the more arcane features in SELinux that normal desktop users are never going to configure.

  • Between the DOS/OS2 to Windows95/OS2 Warp days, network security environments were referred to as "crunchy on the outside, gooey on the inside". I don't want to go back.

  • by kc8jhs (746030) on Wednesday September 22, 2010 @12:32PM (#33664356)

    The whole point of a firewall is blocking connections. I don't know about anyone else, but I make a point to not run services that I don't want people to connect to on my machine. How hard is that?

    An outgoing firewall though is immensely valuable. I love seeing everything that every little shareware app or office suite tries to phone home with. When doing local web development, I've even been surprised to find a number of open source CMS/frameworks phoning home with more info than I care to share.
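The two questions that keep coming up in this thread, 0123456's and Zero__Kelvin's "how do I let a few specific hosts reach sshd and nobody else" and the egress side raised by mlts (block port 25 out), the anonymous poster above (know that the packet to port 80 came from firefox and not from something else) and kc8jhs (see what phones home), are the same mechanism seen from two directions: an ordered rule list, first match wins, default deny. The evaluator below is an added example written for this page, not code from the thread, from PC Pro or from any firewall product; the subnets, the resolver address and the program names are assumptions. The `program` field is the piece a border firewall can never fill in, because only the host knows which process owns the socket.

```python
"""Toy host-firewall policy: walk the rules in order, take the first match,
fall through to default deny. Added example; addresses and programs are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (to this host) or "out" (from this host)
    proto: str                     # "tcp" or "udp"
    src: str                       # remote address for "in", local address for "out"
    dst: str
    dport: int
    program: Optional[str] = None  # owning process; only a host firewall knows this


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR the source must fall in
    dst: Optional[str] = None      # CIDR the destination must fall in
    dport: Optional[int] = None
    program: Optional[str] = None  # process that must own the socket
    why: str = ""

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields match anything.
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.program is None or self.program == p.program))


ADMIN_NET = "10.0.1.0/24"   # assumed: the Linux admin workstations
RESOLVER = "10.0.0.53/32"   # assumed: the one official internal DNS server

POLICY: List[Rule] = [
    Rule("in", "accept", src="127.0.0.0/8", why="loopback"),
    Rule("in", "accept", "tcp", src=ADMIN_NET, dport=22, why="ssh from the admin subnet only"),
    # No rule for the Windows client subnet or the DMZ: they fall to default deny.
    # Ordering matters: the port 25 drop sits before the per-program accepts, so
    # even an allowed browser cannot be turned into a mail relay.
    Rule("out", "drop", "tcp", dport=25, why="never relay mail, even if rooted"),
    Rule("out", "accept", "udp", dst=RESOLVER, dport=53, why="only the official resolver"),
    Rule("out", "accept", "tcp", dport=443, program="firefox", why="browser to HTTPS"),
    Rule("out", "accept", "tcp", dport=80, program="firefox", why="browser to HTTP"),
]


def decide(p: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule, else default deny."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.why
    return "drop", "default deny"


if __name__ == "__main__":
    # Constructed sample traffic against the host 10.0.0.10.
    samples = [
        Packet("in", "tcp", "10.0.1.5", "10.0.0.10", 22),                    # Linux admin box
        Packet("in", "tcp", "10.0.2.7", "10.0.0.10", 22),                    # Windows client
        Packet("in", "tcp", "192.0.2.10", "10.0.0.10", 22),                  # DMZ host
        Packet("out", "tcp", "10.0.0.10", "203.0.113.5", 443, "firefox"),
        Packet("out", "tcp", "10.0.0.10", "203.0.113.5", 443, "updater.exe"),
        Packet("out", "tcp", "10.0.0.10", "203.0.113.25", 25, "firefox"),
        Packet("out", "udp", "10.0.0.10", "8.8.8.8", 53),                   # wrong resolver
    ]
    for pkt in samples:
        action, why = decide(pkt)
        print(f"{pkt.direction:>3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.program or '-'}]: {action} ({why})")
```

The inbound half translates line for line into nftables, pf or a Windows Firewall inbound rule with a remote-address scope. The outbound `program` match does not: a packet filter sitting on the wire has no way to tell the browser's port 443 connection from a dropper's, which is the whole reason people keep a host firewall even behind a good border. Note also what a default-deny inbound policy gives you for free: the admin subnet can reach port 22 and nothing else, so a service you forgot was listening is still unreachable.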

  • Stupid... (Score:4, Insightful)

    by Bert64 (520050) <bert@NoSPaM.slashdot.firenzee.com> on Wednesday September 22, 2010 @01:23PM (#33665258) Homepage

    Many networks are exactly as the article describes, no firewalls on desktops or individual servers and instead relying entirely on the border firewall connecting the company LAN to the internet...
    What this means however, is that a single rogue employee, rogue wireless access point, mobile device or laptop, or an exploit which penetrates the border firewalls (browser based, email based etc) results in a catastrophic breach as it becomes trivial to compromise everything once you get behind the main firewalls.

    Now don't get me wrong, desktop firewalls are a nasty crutch too - desktop machines should _NEVER_ be offering services to the network, especially by default, and therefore shouldn't need a firewall to block access to these services... The fact that windows comes with several services listening by default on a workstation configuration (msrpc, smb, etc) is just stupid, the fact these services are a pain to disable even more so, and the fact people would rather hide these services behind a firewall instead of turning them off is just laughable - if no one needs to access them they shouldn't be running at all, not hiding behind a firewall.

    Ideally your network should have a secure and well monitored gateway to the internet, as well as a secure and well monitored gateway between servers and workstations (and if possible treat the workstations as totally untrusted and make them use a vpn)...
    The workstations themselves should expose no services to the network, or at most expose a single admin service which can only be reached from a predefined management network.

    The firewalls should be for logging rather than filtering, on the basis that if a service doesn't need to be accessed it shouldn't be listening, not relying on a firewall to block it.

    Servers should only expose their intended services to the client lan, admin services should be separated from client services.
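HBI's "simple correspondence list of listening port to application" and Bert64's "if a service doesn't need to be accessed it shouldn't be listening" describe one check: inventory what is bound to a network-facing address and compare it with what is supposed to be there, by port and by owning program. The script below is an added example for this page, not code from the thread or from any commenter. The `ss -Hlntup` sample is constructed and the allowlist is an assumption; the parsing follows the column layout that `ss` prints with those flags.

```python
"""Listener inventory check: report sockets bound to a non-loopback address that
are not in the (protocol, port) -> program allowlist. Added example; the sample
output and the allowlist are constructed for illustration."""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed sample in the shape of `ss -Hlntup` output (no header line).
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*        users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=1020,fd=7))
tcp   LISTEN 0      511    *:3306            *:*           users:(("mysqld",pid=1500,fd=21))
tcp   LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*     users:(("x11vnc",pid=2200,fd=5))
tcp   LISTEN 0      1      0.0.0.0:8080      0.0.0.0:*     users:(("python3",pid=3000,fd=3))
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*     users:(("nc",pid=4000,fd=3))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=600,fd=6))
"""

# Assumed allowlist: the only (protocol, port) pairs that may face the network
# and the single program expected to own each one.
EXPECTED: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
    ("udp", 68): "dhclient",
}

# The process column looks like users:(("sshd",pid=812,fd=3)); grab the name.
PROC_RE = re.compile(r'\(\("([^"]+)"')

Listener = Tuple[str, str, str, int, str]   # proto, state, bind address, port, program
Finding = Tuple[str, int, str, str, str]    # proto, port, bind address, program, reason


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -Hlntup` rows into (proto, state, address, port, program)."""
    rows: List[Listener] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue                       # malformed or empty line
        proto, state, _recvq, _sendq, local, _peer = parts[:6]
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        m = PROC_RE.search(line)
        program = m.group(1) if m else "?"  # "?" when ss could not read the owner
        rows.append((proto, state, addr, int(port), program))
    return rows


def is_exposed(addr: str) -> bool:
    """True when the bind address is reachable from the network."""
    bare = addr.strip("[]")
    if bare in ("*", ""):
        return True                        # wildcard bind
    try:
        return not ip_address(bare).is_loopback
    except ValueError:
        return True                        # fail closed: report what we cannot parse


def audit(text: str, expected: Dict[Tuple[str, int], str] = EXPECTED) -> List[Finding]:
    """Return every exposed listener that is missing from, or mismatches, the allowlist."""
    findings: List[Finding] = []
    for proto, state, addr, port, program in parse_ss(text):
        if proto == "tcp" and state != "LISTEN":
            continue                       # only listening TCP sockets matter here
        if not is_exposed(addr):
            continue                       # loopback-only services are fine
        want = expected.get((proto, port))
        if want is None:
            findings.append((proto, port, addr, program, "not in allowlist"))
        elif want != program:
            findings.append((proto, port, addr, program, f"expected {want}"))
    return findings


if __name__ == "__main__":
    for proto, port, addr, program, reason in audit(SAMPLE_SS):
        print(f"{proto}/{port} on {addr} owned by {program}: {reason}")
```

Against the sample this reports four problems: mysqld on 3306 and x11vnc on 5900 bound to everything, a stray python3 on 8080, and port 443 owned by nc rather than the expected nginx. The cupsd socket on 127.0.0.1 is ignored because it is not reachable from the network, and the IPv6 sshd listener passes because the allowlist is keyed by port, not address family. On a real box, `ss -p` only shows the owning process for other users' sockets when run as root, so the "?" program name is itself worth flagging.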

  • Bad idea (Score:3, Insightful)

    by GWBasic (900357) <slashdot@nosPAM.andrewrondeau.com> on Wednesday September 22, 2010 @02:04PM (#33665922) Homepage
    This is a bad idea for two reasons:
    1. Notebooks need protection in public networks like coffee shops and airplanes.
    2. Someone can still bring a virus onto a network through a download, USB key, or a rogue device.

    (Now, I didn't read TFA.) It's important that devices on a network have some form of resiliency. A firewall will certainly prevent DDoSes and can help prevent malicious behavior from entering a network, but there are so many ways to get around a firewall that it just can't be the only solution. For example, "anti-virus" on a firewall might block sites known to spread viruses, but it still won't prevent someone from downloading a random zip file with a virus.
