Archived from groups: comp.security.firewalls
"Bob" <ace-62@earthlinkNOSPAM.net> wrote in news:CA%kc.1527$a47.1023@newsread3.news.atl.earthlink.net:
> Hello,
> I have a question for you all please.
>
> I have been running the XP firewall, but now have a firewall made by
> Sygate. Do I need to turn off the one in XP, or is it OK to run them both
> for the added protection?
> I have heard both, but I thought that a few of you guys who seem to really
> know your stuff in here might be able to give me the correct answer.
>
> Thanks,
> Bob
>
>
>
If you want to run two, then run one that has many of the FW-like
features and does more than the XP ICF that's on the O/S. Malware can
take down any third party host based FW easily, but it's hard to take
down IPsec, since it's integrated with the O/S.
In addition to this, XP's FW upon the release of SP 2 will have
application control that will bring XP's FW on par with third party host
based FW(s).
Currently, IPsec will get to the TCP/IP connection first at boot and XP's
SP 2 FW will also get to the TCP/IP connection at boot.
At boot is a vulnerable situation for a machine with a third party FW
solution installed, since malware will beat any of them to the TCP/IP
connection and be done by the time any of them can get there and stop it.
http://www.petri.co.il/block_ping_traffic_with_ipsec.htm
http://www.analogx.com/contents/articles/ipsec.htm
All you have to do is implement the AnalogX Secpol file and you're
covered. The POP3, HTTP etc, etc for the *client* are already configured.
You may want to look at *Protecting against Denial of Service Attacks*
being discussed in the link.
http://www.uksecurityonline.com/husdg/windowsxp.php
On the other hand, you may want to get a cheap NAT router and use Sygate
and IPsec behind it to supplement, like I do with the NAT router BlackIce
and IPsec on all machines.
A cheap NAT router costs as much as you have paid for Sygate, if not the
free one, because a NAT router stops everything in front of the machine
and the O/S and the FW will not react -- the true *stealth* part in an *I
am stealth* statement.
http://www.homenethelp.com/web/explain/about-NAT.asp
Duane
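As an added example (not from Duane's post, and not the AnalogX secpol file he links), here is the minimal IPsec block policy that the linked Petri article describes, built from the command line so the filter is loaded with the TCP/IP stack at boot rather than by a third-party service. It assumes XP SP2 or later, where the `netsh ipsec static` context exists (earlier XP uses the IP Security Policy MMC snap-in or ipseccmd); the policy, filter list and action names are made up for this example.

```batch
@echo off
REM Added example: a minimal "block inbound ping" IPsec policy built with netsh.
REM Assumes XP SP2 / Server 2003 or later. All object names below are made up.
REM IPsec static filters are applied by the IPsec driver as TCP/IP comes up, so
REM the block is in force from boot, before any user-mode firewall service starts.

set POLICY=Boot-time block
set FLIST=Inbound ICMP
set ACTION=Block

REM 1. The policy container. Nothing is enforced until it is assigned (step 5).
netsh ipsec static add policy name="%POLICY%" description="Block ICMP from boot"

REM 2. A filter list with one filter: any host -> this machine, protocol ICMP.
REM    mirrored=yes adds the reverse filter (me -> any). IPsec filtering is
REM    stateless, so all ICMP is dropped in both directions, including replies
REM    to this host's own pings; that is the cost of blocking at this layer.
netsh ipsec static add filterlist name="%FLIST%" description="ICMP to this host"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=ICMP mirrored=yes description="All ICMP"

REM 3. A filter action that drops matching packets (no IKE negotiation at all).
netsh ipsec static add filteraction name="%ACTION%" action=block description="Drop silently"

REM 4. A rule binds the filter list and the action into the policy.
netsh ipsec static add rule name="Drop ICMP" policy="%POLICY%" filterlist="%FLIST%" filteraction="%ACTION%"

REM 5. Assign the policy. Only one IPsec policy can be assigned at a time, so
REM    this replaces whatever policy (e.g. an imported AnalogX one) was active.
netsh ipsec static set policy name="%POLICY%" assign=y

REM Verify what is now assigned, with its filters and actions.
netsh ipsec static show policy name="%POLICY%" level=verbose

REM Roll back (uncomment): unassign, then delete the policy and the objects it
REM referenced. Filter lists and actions are separate objects and outlive the policy.
REM netsh ipsec static set policy name="%POLICY%" assign=n
REM netsh ipsec static delete policy name="%POLICY%"
REM netsh ipsec static delete filterlist name="%FLIST%"
REM netsh ipsec static delete filteraction name="%ACTION%"
```

IPsec static filtering is stateless and does not log dropped packets, so it complements a stateful host firewall (the XP one or Sygate) rather than replacing it.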