Are Desktop Firewalls Overkill?
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
Re:stating the obvious... (Score:5, Informative)
Exactly. It's called multi-level security. Desktop firewalls are not meant to replace server-based solutions but complement them.
Re:Flash drives, tarballs, &c. (Score:5, Informative)
What are you going to do? Put a hardware firewall on every cord?
What a moron (Score:1, Informative)
This guy apparently never heard the words "defense in depth."
Defense in depth (Score:5, Informative)
The article has the kernel of an interesting point, namely the trade-off between the cost of managing firewalls on all the workstations in an enterprise, versus their inevitable half-assed-ness and tendency to get in the way, thereby consuming support hours.
But, where I work, we have a standard config that gets pushed out to all the systems, and I suspect that's pretty standard. Half-assedness arises when individual users open (or close) random ports on their own firewalls, but that case by definition doesn't necessarily consume support time if it's the users doing it, and not the support team.
Our operating theory is that of defense in depth. The boundary routers have fixed routing tables and firewalls. The servers have firewalls and white-lists of allowed clients. Clients have firewalls and intrusion-detection systems. Network traffic is monitored for suspicious patterns. And machines with special network needs are in a firewall DMZ and separately managed.
It's not perfect by any means, and I sometimes wish we could be more flexible, but I'm not ready to pre-emptively exclude any of these tools.
Err, what? (Score:5, Informative)
Seriously? There's a reason we have this thing called defense in depth. Sure - you may have a reasonably secure network, hardware firewall, policies, etc... but that doesn't mean you start removing other bits to make up for it.
Re:Been doing that since day one. (Score:4, Informative)
In your experiences with corporate IT, your corporate IT staff have thus been incompetent.
Windows firewall is configured via group policy, with multiple profiles for both inside and outside of your network. Your perimeter firewall will NOT save your network from some arse-clown plugging in an infected box. It will NOT save your laptop from being infected whilst in use at a wifi hotspot.
It will also not protect your network from some idiot plugging in an unsecured Wifi access point, or for that matter hopping onto a machine left logged in and unlocked.
The perimeter firewall mitigates the bulk of the threats to your corporate network sure, but if you have nothing else to protect your internal hosts, you're leaving yourself open to getting screwed, big time.
Re:Defense in depth (Score:2, Informative)
I had to search for "defense in depth". No one else mentions this at this point.
It's obvious, the more obstacles for an attack, the better.
Desktop firewalls have evolved from only being packet filters. Some have stateful inspection, some have HIDS functionality (e.g. allow firefox.exe with md5sum "X" from being executed) and are now increasingly combined with Antivirus/antimalware software.
Depending on them is dangerous, but all together they form a layering of defense mechanisms that either stop or slow down an attack, giving you enough time to react if possible.
Re:stating the obvious... (Score:4, Informative)
It does help block the spread of a myriad of things internal to the network though.
Personally I have seen the damage done to the office network at work due to a worm that came in through usb-sticks...
While antivirus didn't detect the bugger, the thing couldn't spread to other machines due to the firewalls on individual machines blocking the vulnerable service.
Re:stating the obvious... (Score:3, Informative)
PC Pro was useless and irrelevant years ago. The only people that pay attention to that rag are PHBs or really really dumb executives.
Re:Outgoing firewall: Yes. Incoming firewall: why? (Score:1, Informative)
I make a point to not run services that I don't want people to connect to on my machine. How hard is that?
Unbelievably hard, that's how. There's so much software, including the OS, which makes it nigh impossible to keep everything under wraps. Windows users for example cannot limit the file and printer sharing ports to local machines, except with the help of a firewall. Another example: WinLIRC (Open Source IR remote receiver software) binds to all interfaces, not just loopback as you'd expect.
The firewall, whether local or on the network perimeter, is a kludge, but it's a necessary kludge due to the massive amount of badly written network-bound software.
I won't give up my firewall until the OS has a facility to deny network access per application and until all software which I need to open ports has access control on par with ssh.
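The comment above makes a concrete, checkable claim: software you never intended to expose often listens on every interface rather than on loopback, and a host firewall is what stands between that and the network. The following is an added example, not code from the original thread, that audits listening TCP sockets and reports those reachable from outside the machine. It parses the column layout of `ss -ltnp` on Linux; the sample output embedded in it is constructed for the example (process names, PIDs and ports are made up), and the `allowed_ports` set is a hypothetical per-host policy you would maintain yourself.

```python
"""Audit which TCP listeners are bound beyond the loopback interface.

Added example (not from the original discussion). It flags every LISTEN
socket whose local address is not loopback and whose port is not on an
explicit allow list: the situation the comment describes, where a program
binds 0.0.0.0 or :: when 127.0.0.1 would have done.
"""
import ipaddress
import subprocess
from dataclasses import dataclass

# Constructed sample in the format printed by `ss -ltnp` (Linux). Every
# process name, pid and port here is invented for the example.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=812,fd=7))
LISTEN  0       4096    0.0.0.0:8765         0.0.0.0:*          users:(("ir-remote",pid=2201,fd=3))
LISTEN  0       128     [::1]:5432           [::]:*             users:(("postgres",pid=990,fd=5))
LISTEN  0       128     *:445                *:*                users:(("smbd",pid=1334,fd=30))
LISTEN  0       4096    [::]:22              [::]:*             users:(("sshd",pid=700,fd=3))
"""


@dataclass(frozen=True)
class Listener:
    address: str   # local bind address as ss prints it, brackets removed
    port: int
    process: str   # program name, or "?" when ss could not resolve it


def split_addr_port(field):
    """Split "[::1]:5432" -> ("::1", 5432) and "*:445" -> ("*", 445)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(output):
    """Parse `ss -ltnp` text into Listener records; skips the header row."""
    listeners = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = split_addr_port(parts[3])
        process_field = parts[5] if len(parts) > 5 else ""
        # The Process column looks like users:(("name",pid=...,fd=...)).
        name = process_field.split('"')[1] if '"' in process_field else "?"
        listeners.append(Listener(host, port, name))
    return listeners


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; "*" means all interfaces."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_listeners(listeners, allowed_ports=frozenset()):
    """Listeners reachable from the network that policy does not allow."""
    return [l for l in listeners
            if not is_loopback(l.address) and l.port not in allowed_ports]


def live_listeners():
    """Run ss on this host (Linux only) and parse the real output."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True,
                         check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    # Hypothetical policy: only sshd is meant to be reachable from the LAN.
    for l in exposed_listeners(parse_ss(SAMPLE_SS_OUTPUT), frozenset({22})):
        print(f"exposed: {l.process} listening on {l.address}:{l.port}")
```

Run against `live_listeners()` instead of the sample to audit a real host; anything it prints is a service that only a host firewall (or a fixed bind address) keeps off the network. The same idea can be applied to the Windows side of the comment with `netstat -ano`, but the column layout differs and would need its own parser.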
Re:Dude... (Score:2, Informative)
Ahhh yes, the ol' Goldberging of home protection.
All the tasks you listed are generally complementary with the exception of the "regular psychological evaluation" for lucidness upon a sudden awakening. That's just unadulterated FUD. The pets thing is pretty rich too.
My guess is that your firearms experience is limited to watching "24" reruns.
For the record, I do not consider rolling off the bed and loading a firearm stored there as a solid home protection tactic. Unloaded firearms are pretty much worthless.
Not to totally invalidate your second point but, home invasions and robberies happen even in the nicest of neighborhoods. Although I do not have a citation, common sense says that the nicer neighborhood you live in, the bigger target you become. The OP might live in a gated community with a full time security patrol for all we know.
The reason you view my plan comment as specious is that you likely have no efficient means of protecting yourself, property and/or loved ones. Thus, planning for the unthinkable is outside of your comprehension (and probably scares you a little too).
All that aside and making an assumption about you, I support your "It'll never happen to me" opinion and wish you the best of luck.
Cheers!
Re:Dude... (Score:3, Informative)
Unloaded firearms are pretty much worthless.
you likely have no efficient means of protecting yourself, property and/or loved ones.
One of the _very_ best ways of protecting your loved ones is not having loaded guns easily available.