XP Firewall and ICS

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

Hi there,
I have a PC with 2 NICs (XP SP2) set up as an Internet gateway connected to a
cable modem using XP ICS. I have the XP firewall enabled by default.

The other PCs are connected to this PC through a wireless AP and everything
works fine.

However, my question is: I have read that while the XP firewall does block
incoming traffic, it does not block outgoing traffic (pings, probes etc.). So,
would installing a personal firewall on the gateway PC like Sygate or Zone
Alarm and disabling the XP firewall be better, as they appear to report on
both incoming and outgoing traffic?

Also, if anybody has this in place, will the personal firewall on the
gateway also block internal traffic between PCs on my network?

Any answer will be greatly appreciated.

Thanks

Alex
 
Guest

The best thing you can do is put the Windows firewall on all machines and just
make sure they can speak to each other.
"Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
 
Guest

To answer your question -- yes on both counts. I have just recently
started messing with Windows XP firewall. I previously utilized Zone
Alarm and have recently been using Norton's Internet Security firewall.
I like ZA and Norton's for the very reason that it doesn't take a
rocket scientist to see which applications are using Internet connections.

On the flip side, I like Windows XP firewall to protect inbound traffic
and typically use it on server devices. In which case, I am advertising
services over a network and the firewall is just one way to ensure that
I don't unintentionally open a port for enquiring minds.

Gateway firewalls usually end at the router, so peer-to-peer access
should not be affected.

Alex McClane wrote:

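The point made above about gateway firewalls and peer-to-peer traffic can be made concrete with a small model. This is an added example, not code from the thread or from any of the posters. It assumes the XP ICS defaults (the ICS host's inside NIC is 192.168.0.1/24), a constructed public address on the outside NIC, and that the other PCs share one L2 segment behind the wireless AP, so LAN-to-LAN frames are switched by the AP and never reach the gateway host at all.

```python
"""Which flows on a two-NIC XP ICS gateway its host firewall can actually see.

Added example, not from the thread. Assumptions: XP ICS default LAN address
192.168.0.1/24 on the inside NIC; a constructed (RFC 5737) address on the
outside NIC; all other PCs on one segment behind the AP.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")        # XP ICS default
ICS_LAN_IP = ipaddress.ip_address("192.168.0.1")    # XP ICS default
ICS_WAN_IP = ipaddress.ip_address("203.0.113.42")   # constructed WAN address


def classify_flow(src, dst):
    """Return where a packet from src to dst is filtered, if anywhere."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN and dst in LAN:
        if ICS_LAN_IP in (src, dst):
            # Terminates on the gateway itself: its host firewall's
            # inbound rules on the LAN NIC apply.
            return "gateway-host-firewall"
        # Peer to peer: switched by the AP, never traverses the ICS host,
        # so no firewall on the gateway (XP, ZA, Sygate...) can block it.
        return "lan-peer-unfiltered"
    if src in LAN:
        # Outbound through ICS NAT. XP SP2's firewall passes all outbound.
        return "nat-outbound-allowed"
    if dst == ICS_WAN_IP:
        # Unsolicited inbound on the WAN NIC: dropped unless an exception
        # or ICS port mapping exists.
        return "wan-inbound-filtered"
    # A public host cannot address a private LAN host directly.
    return "not-routable"


def flows_gateway_cannot_block(flows):
    """From (src, dst, dport) tuples, return those the gateway never sees."""
    return [f for f in flows if classify_flow(f[0], f[1]) == "lan-peer-unfiltered"]


# Constructed sample: a worm on 192.168.0.10 probing SMB (445) on its
# neighbours and phoning home, a normal web fetch, and an internet scan
# of the gateway's WAN address.
SAMPLE_FLOWS = [
    ("192.168.0.10", "192.168.0.11", 445),
    ("192.168.0.10", "192.168.0.12", 445),
    ("192.168.0.10", "192.168.0.1", 445),
    ("192.168.0.10", "192.0.2.99", 6667),
    ("192.168.0.11", "198.51.100.20", 80),
    ("198.51.100.7", "203.0.113.42", 135),
]

if __name__ == "__main__":
    for src, dst, dport in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:>14}:{dport:<5} {classify_flow(src, dst)}")
    missed = flows_gateway_cannot_block(SAMPLE_FLOWS)
    print(f"{len(missed)} of {len(SAMPLE_FLOWS)} flows bypass the gateway entirely")
```

Run on the sample, the two SMB probes between LAN peers come back as unfiltered: whatever firewall sits on the gateway, the only thing that can block PC-to-PC traffic is a host firewall on each PC, which is what the first reply in this thread recommends.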
 

jw

I don't know about Sygate, but ZoneAlarm is flexible enough to set up so
that either all PCs on the local network can see each other, or set it up so
that none can see each other.

Of course, if they can all see each other, then they can all share viruses,
worms, Trojans and other infections, so if you set them up so that they all
can see each other, then don't skimp on protection by settling for free
anti-virus and anti-spyware programs that don't constantly protect you by
staying active in memory. When free versions of anti-virus and anti-spyware
programs find infections, the infections have already done their dirty work.

Don't settle for just adequate. Buy versions of anti-virus and anti-spyware
programs that constantly protect you from infections by staying active in
memory.


"Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
 
Guest

Alex-

Both Dan W and JW have valid points. If you go with Dan W - and firewall
everything - you'd better use the same software on every PC unless you want to
spend even more $$ on Tylenol and Advil.
You'd also be well advised to install identical NIC hardware if you can.

I too have a Gateway PC w/dual NICs setup as you described. I use a Belkin
4-port DSL router as HW firewall (which you did not mention in your setup: I
think a HW firewall - such as the Belkin or LinkSys routers - between your
cable modem and gateway ICS host is a very worthwhile improvement to your
setup), a Linksys GigaSwitch for my workgroup, with Norton Internet Security
installed and Windows firewall is disabled.
As long as your cable modem connects ONLY to the ICS host PC (and no other
PC connects directly to your modem), then your firewall protection should be
effective for all PCs concerned (until some hacker figures out how to defeat
that capability of memory-resident SW firewalls).
I don't know how easy it is in ZoneAlarm to configure workgroup
connectivity, but it's a piece of cake in Norton IS. They have created
"zones" similar to IE which makes conceptual understanding of how to
implement their software Tylenol-free.

JW's points re: "free" (mostly, but some paid-for ones, too) anti-virus and
other malware detectors are valid in that these programs are more like the
old-style car "idiot light" that tells you, after the engine has fallen out,
that indeed the engine has just fallen out. The malware has already
unleashed itself. An ounce of prevention... JW's advice is well to be heeded.

I would submit you consider this also in your evaluations as to how to best
serve your overall security needs:
"Real firewalls" are considerably complex animals. Most PC "power users" are
not capable of managing them; they take a real security professional to
install, configure, and maintain: they are quite complex. The huge majority
of the firewall products which "regular" consumers like you and I consider -
mostly because they are inexpensive and affordable to us - are merely
scaled-down, simplified versions and have the majority of the tweaks and
nuances of a real firewall pre-determined and decided for us by the
manufacturer so they can sell it at $50/pop and still make a profit. What
that does is to limit the flexibility the product has of being adjustable to
suit any particular individual's specific need - or environment - and some
features are just not flexible at all. But in order to be more than just
functional, flexible capability has to exist, so manufacturers do that. But
not everybody is flexible the same ways, even across similar product lines or
families. This causes firmware upgrades/updates to be an additional
maintenance chore for the administrator (i.e. you). But if you implement
multiple solutions on the same "layer", things can get mixed up fast if just
one little setting who-the-heck-knows-where gets changed (even if they're not
on the same layer, this often occurs). And unless you're expert enough in
knowing how all the stuff you can't change works with all the stuff you can
change, and then know how to recognize when something is set this way when it
should be that way, twiddling with a handful of firewalls instead of just
one can be frustratingly time-consuming and cost-inefficient (think of what
the electric company power meter looked like when the Griswold family house
Xmas lights finally came on in National Lampoon's Christmas Vacation with Chevy
Chase).
On the other hand, you might need or actually like to get hip-deep in modern
software technology. It's not like only rocket scientists can do it. If I
can, then anybody can. Just prepare yourself for the picky mentality of
firewalls. After all, their sole purpose in life is to keep what wasn't asked
for out, and let out *ONLY what you tell it* can go out. The more exceptions
(e.g. rules) you build (or have to put in because you have placed more
firewalls on other PCs that are really behind your REAL firewall), the more
difficult things will *always* be for you to administer (i.e., take care of
in a clean and well-documented way), so that the things you want to
accomplish amongst your own little LAN can not only be done, but be done
easily and simply.
If the purpose of your LAN is more of a business or career-based/supportive
role in your life, then perhaps the headaches and time-consumption that
firmware upgrades (to routers and modems), new software releases/upgrades and
updates (firewall, and lest we not forget to mention MS Service Packs), will
bring to you in order to maintain a LAN where each PC is a fortress unto
itself will entail, is worth it to you. Then again, perhaps not. But that's
your decision to make, I'm not trying to make it for you.
But if your LAN is more of a convenience (like a home network where most of
the computing resources are utilized for pleasure or recreational activities)
IMHO I would not spend nearly that amount of effort necessary in fretting
over every little mal-ware. I'd keep my one Firewall as Robust and Current
and simple as possible, in one place; and let the children inside the
playground have an open sandbox - after all, I still wear the belt in my
household, the rules will be obeyed! Just keep handy a periodically updated
ASR-recovery system restore set on a bootable CD, and tell the family THEY
are responsible in backing their Documents and Settings folder to the
Gateway/server, so when you need to refresh a system, you can do so fairly
easily. Perhaps the first rebuild or two will do more in teaching youngsters
the value of responsibly maintaining a daily "chore", when they lose their
collection of MP3s for the 2nd time because they didn't do backups. A pretty
cheap way to learn a valuable trait...

As long as you keep your frontline security tools (anti-spyware, anti-virus, and
firewall) on your gateway the robust, best-you-can-afford kind, and
up-to-date, and the other PCs behind it isolated from a direct connection to
the internet *or any other computer*, and everybody exercises common-sense
practices about removable media (floppies, CDs, Zips, etc.) from external
sources, save yourself from some headache in both configuring and maintaining
firewalls on every machine (just keep your ASR restore backups current after
each new SW install/upgrade). Unless, of course, you want an exercise that
will require you to expand both your knowledge and technical capability with
computing; such a project - successfully completed - will most certainly
expand that knowledge base.

Remember: with computers unless EVERYTHING is right something is WRONG and
there aren't enough RIGHTS in the world to overcome one WRONG to a computer,
it will just refuse to work until you make EVERY "bit" RIGHT. And firewalls
are the pickiest of softwares to a computer.

But if your LAN security needs are to protect data and resources more vital
than the family entertainment consoles, perhaps a more robust approach is
called for. Isolating each PC has its advantages. But... if each PC has the
same level and kind of protection on it and something gets in onto one of
them, then the others aren't appreciably more protected than the first one
was. And unless you can run to the AP or gateway PC to do an emergency
disconnect faster than those bits and bytes can whiz around your LAN... But,
then again, having each PC port-configuring-capable makes it possible for you
to micro-manage the ports on each of the PCs. Oh - BTW - there are over
65,000 ports... on *each* PC.

I realize this has been a long spiel, but I hope it's helped you evaluate
your situation to a more heightened state of clarity for your needs.


"JW" wrote:
 

jw

I also like ZoneAlarm for the superior flexibility in handling both inbound
and outbound traffic. With ZA, it's not just Yes or No. If I am expecting
inbound traffic from somebody particular on a specific port, I can set ZA to
ask me, and answer Yes if it's who I expect, or No if it's somebody I do not
expect. For outbound traffic, I can answer Yes if it's a program I know
needs outbound permission, or answer No if it's a program that suddenly
wants to break out without my expecting it. I can even change settings in a
Limited Account. The disadvantage is the complexity and learning curve.
The advantage of the XP firewall is its simplicity. Norton's firewall got
some unflattering remarks in the documentation for LeakTest on www.grc.com


"Eric Niewoehner" <eric.niewoehner@uas.alaska.edu> wrote in message
news:ObJrTrl7EHA.3592@TK2MSFTNGP09.phx.gbl...
 
Guest

Thanks for all your responses, guys. Very valid points too, JW. I might have to
reconsider my setup with the router. While I do not need the best
virus/firewall software, I'd just prefer ones that report a little better
than XP's firewall.

It's just that sometimes it's better to know what is trying to get out,
especially if one has not initiated anything on the network.

Thanks all,
AMc



"JW" wrote:

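Since the XP SP2 Windows Firewall filters inbound only, the "what is trying to get out" visibility asked for above has to come from somewhere else, and one cheap source on XP itself is `netstat -ano`, which lists every socket with its owning PID. The following is an added example, not code from the thread or from any of the posters: it parses the text of `netstat -ano`, reports established or half-open connections to addresses outside the LAN with the PID to look up in `tasklist`, flags those to remote ports the owner did not expect, and lists wildcard (0.0.0.0) listeners that are reachable on the WAN NIC unless the firewall blocks them. The LAN range, the expected-port list and the sample listing are constructed assumptions, not captured data.

```python
"""Spot outbound connections on an XP SP2 host from `netstat -ano` text.

Added example, not from the thread. XP's firewall neither prompts on nor
logs outbound connections, so this reads the netstat listing instead.
LAN range, expected ports and the sample listing are constructed.
"""
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("192.168.0.0/24")   # XP ICS default, assumed
# Remote ports the owner expects programs to reach; anything else is reported.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 110, 443}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")


def _split_addr(text):
    """'203.0.113.42:1063' -> (ip, port); wildcards '*' / 0.0.0.0 / 0 -> None."""
    host, _, port = text.rpartition(":")
    ip = None if host in ("*", "0.0.0.0") else ipaddress.ip_address(host)
    prt = None if port in ("*", "0") else int(port)
    return ip, prt


def parse_netstat(text):
    """Parse `netstat -ano` output; UDP rows carry no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, pid))
    return conns


def outbound_to_internet(conns):
    """TCP connections (established or still connecting) whose remote end is off-LAN."""
    return [c for c in conns
            if c.proto == "TCP" and c.state in ("ESTABLISHED", "SYN_SENT")
            and c.remote_ip is not None and not c.remote_ip.is_loopback
            and c.remote_ip not in LAN]


def unexpected_outbound(conns):
    """Off-LAN connections to remote ports not on the expected list."""
    return [c for c in outbound_to_internet(conns)
            if c.remote_port not in EXPECTED_REMOTE_PORTS]


def wildcard_listeners(conns):
    """(proto, port) bound to 0.0.0.0: answer on the WAN NIC unless firewalled."""
    return sorted({(c.proto, c.local_port) for c in conns
                   if c.local_ip is None and (c.state == "LISTENING" or c.proto == "UDP")})


def summarize_by_pid(conns):
    """PID -> sorted 'ip:port' remotes, to match against `tasklist` output."""
    out = {}
    for c in outbound_to_internet(conns):
        out.setdefault(c.pid, set()).add(f"{c.remote_ip}:{c.remote_port}")
    return {pid: sorted(v) for pid, v in out.items()}


# Constructed sample in XP's `netstat -ano` layout (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.1:445        192.168.0.10:1044      ESTABLISHED     4
  TCP    203.0.113.42:1063      198.51.100.20:80       ESTABLISHED     2280
  TCP    203.0.113.42:1071      192.0.2.99:6667        ESTABLISHED     3412
  TCP    203.0.113.42:1072      192.0.2.99:6667        SYN_SENT        3412
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.0.1:53         *:*                                    1128
"""

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for pid, remotes in summarize_by_pid(conns).items():
        print(f"PID {pid}: {', '.join(remotes)}")
    for c in unexpected_outbound(conns):
        print(f"UNEXPECTED PID {c.pid} -> {c.remote_ip}:{c.remote_port} ({c.state})")
    print("wildcard listeners:", wildcard_listeners(conns))
```

On the sample, PID 3412 stands out with two connections to port 6667, one of them still in SYN_SENT, which is exactly the kind of thing the XP firewall lets through silently and a ZoneAlarm-style prompt would have surfaced. This is a point-in-time snapshot, not a monitor: a process that connects and exits between runs is missed, and `netsh firewall show state` only reports the inbound side, so for continuous outbound alerting the thread's suggestion of a third-party firewall still applies.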
 

jw

http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp

I can understand the trade-off. Sometimes, choosing the very best
combination of anti-virus, anti-spyware, and firewall protection takes an
investment in learning and tweaking that is not small. For most home users,
who really don't want to buy into the investment of learning and tweaking
5-7 different programs (anti-virus, firewall, and the 3-5 anti-spyware programs
often recommended on this newsgroup), see the PC World article above.

PC World tested/evaluated many firewall, anti-spyware, and anti-virus
products recently, and detailed specific problems with Norton and McAfee
products that led them to recommend neither one. Only one product was
recommended in both the firewall and anti-virus categories -- PC-cillin
Internet Security by Trend Micro. While I still prefer separate specialized
products, I am now learning the ropes with the PC-cillin suite, and like what
I see.

It covers all the bases well, including detection and warning of outbound
communication, but I would urge readers here not to give up the superior
anti-spyware products often recommended in this newsgroup, including
IE-Spyad and Spybot S&D. Warnings for inbound communication are not
available in PC-cillin's firewall (only Allow or Block).


"Alex McClane" <AlexMcClane@discussions.microsoft.com> wrote in message
news:B8B66521-B39F-47A3-B2EB-3CE4F0078688@microsoft.com...