Are Desktop Firewalls Overkill?
Barence writes "Should you be running firewalls on your desktop and server machines? PC Pro's Jon Honeyball argues the case for switching off Windows firewalls and handing over responsibility for security to server-based solutions. 'I'd rather have security baked right into my network design than scattered willy-nilly around my desktops and servers,' Honeyball argues. 'It seems to me that there's much sense in concentrating your security into a small number of trusty gatekeepers rather than relying on a fog of barely managed faux security devices. Of course, it puts your eggs into fewer baskets, but it does mean these gatekeepers are easier to control and manage: monitoring them in real-time becomes routine.'"
Whatever, it just doesn't work. (Score:4, Interesting)
Re:stating the obvious... (Score:5, Interesting)
The article started to address this, but failed miserably.
One group will undoubtedly be saying "there's no harm in running both client- and server-side firewalls, so why even contemplate the heresy of turning off the built-in Windows firewall?" You would of course be right, except for one thing - it's actually quite hard to turn off the built-in firewall
Ah, what? The reason for not turning off the firewall is that it is hard to turn off the firewall? That makes no sense at all. It also doesn't seem too hard to me. In Win7, type firewall into the start menu search box and click on Windows Firewall. From there, choose "turn firewall on or off".
The reason for leaving the firewall on is to give a last line of defence if someone gets around the server protection. It also acts as a barrier when idiots decide to add an unauthorised wireless access point onto the network.
Re:stating the obvious... (Score:3, Interesting)
You seem to be talking about having "desktop firewalls" and "server firewalls" running on the same machine, i.e. two firewall systems on the same machine, which is of course only going to lead to problems.
An important distinction to make clear because it sounded like you think desktop machines' firewalls are made redundant by server machines' firewalls, which they are definitely not.
Re:Outgoing firewall: Yes. Incoming firewall: why? (Score:2, Interesting)
Agreed. Inbound connections should be blocked by disabling all unnecessary services which open listening ports. If a service is not needed, then it should be disabled. If it is needed, then access to that service is probably needed too. The problem is that in Windows it is impossible to disable certain listening ports.
Outbound connection blocking is much more valuable - if the malware is not clever enough to disable the local firewall, it cannot open outbound connections.
Re:stating the obvious... (Score:5, Interesting)
Keeping workstation firewalls on behind network level firewalls is like locking the door of each room of your house as you pass through it. Unlock, open, go through, shut, and lock. Suddenly, the security measures outweigh their usefulness.
That depends: Do you live in a neighborhood where someone jiggles your front door handle every few seconds? Do you live in an apartment with roommates? Are the roommates close friends of yours, or only real-estate associates? Do your roommates bring over people you don't know? Do your roommates or roommates' friends jiggle your bedroom door handle occasionally to see if they can steal something? This would be closer to the computer analogy.
Re:stating the obvious... (Score:5, Interesting)
Unfortunately, my knowledge and experience with guns is very limited. If possible, I would prefer to position myself in a direction where any missed shots would be least likely to hit neighbors after passing through the walls. I wonder if shooting from behind a water bed would protect me from handgun bullets or not? Perhaps the distinctive sound of a pump type shotgun loading a shell into the chamber would discourage the intruders from continuing to try to break down the bedroom door.
Unfortunately, all I have ever had, anywhere I have ever lived, is flimsy hollow core exterior doors and hollow core bedroom doors.
Late at night, a few years ago, I had a minor encounter with a burglar who was trying to open the front door. I looked through the window in the front door and there was his face on the other side of the glass about two feet away from my face. We both startled each other. There I was, unarmed and face to face with some guy who was covered with prison tattoos. As he took off, I noticed that there was also another guy who had been hiding in the bushes alongside the building.
Perhaps looking through the door's window face to face with the burglar was not the brightest thing to do, but it did scare them off. A sheriff's deputy later examined the minor damage to one window on the side of the building, and also the minor damage to both the front and rear door frames and one striker plate. He wrote up a report.