Sign in with
Sign up | Sign in
Your question

XP Firewall and ICS

Last response: in Windows XP
Share
Anonymous
December 29, 2004 5:29:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

hi there
I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to a
cable modem using XP ICS. I have the XP firewall enabled by default.

The other PCs are connected to this PC through a wireless AP and everything
works fine.

However, my question is, I have read that while XP Firewall does block
incoming traffic, it does not for outgoing traffic (pings, probes etc.). So,
will installing a personal firewall on the gateway PC like Sygate or Zone
Alarm and disabling XP firewall be better off as they appear to report on
both incoming and outgoing traffic.

Also, if anybody has this in place, will the personal firewall on the
Gateway also block internal traffic between PCs on my network ?

Any answer will be greatly appreciated.....

Thanks

Alex

More about : firewall ics

Anonymous
December 30, 2004 3:09:34 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

The best thing you can do is put a windows firewall on all machines and just
make sure they can speak to each other.
"Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
> hi there
> I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to
> a
> cable modem using XP ICS. I have the XP firewall enabled by default.
>
> The other PCs are connected to this PC through a wireless AP and
> everything
> works fine.
>
> However, my question is, I have read that while XP Firewall does block
> incoming traffic, it does not for outgoing traffic (pings, probes etc.).
> So,
> will installing a personal firewall on the gateway PC like Sygate or Zone
> Alarm and disabling XP firewall be better off as they appear to report on
> both incoming and outgoing traffic.
>
> Also, if anybody has this in place, will the personal firewall on the
> Gateway also block internal traffic between PCs on my network ?
>
> Any answer will be greatly appreciated.....
>
> Thanks
>
> Alex
Anonymous
December 30, 2004 4:34:55 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

To answer your question -- yes on both counts. I have just recently
started messing with Windows XP firewall. I previously utilized Zone
Alarm and have recently been using Norton's Internet Security firewall.
I like ZA and Norton's for the very reason that it doesn't take a
rocket scientist to see which applications are using Internet connections.

On the flip side, I like Windows XP firewall to protect inbound traffic
and typically use it on server devices. In which case, I am advertising
services over a network and the firewall is just one way to ensure that
I don't unintentionally open a port for enquiring minds.

Gateway firewalls usually end at the router, so peer-to-peer access
should not be affected.

Alex McClane wrote:

> hi there
> I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to a
> cable modem using XP ICS. I have the XP firewall enabled by default.
>
> The other PCs are connected to this PC through a wireless AP and everything
> works fine.
>
> However, my question is, I have read that while XP Firewall does block
> incoming traffic, it does not for outgoing traffic (pings, probes etc.). So,
> will installing a personal firewall on the gateway PC like Sygate or Zone
> Alarm and disabling XP firewall be better off as they appear to report on
> both incoming and outgoing traffic.
>
> Also, if anybody has this in place, will the personal firewall on the
> Gateway also block internal traffic between PCs on my network ?
>
> Any answer will be greatly appreciated.....
>
> Thanks
>
> Alex
Related resources
December 30, 2004 10:25:35 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I don't know about Sygate, but ZoneAlarm is flexible enough to set up so
that either all PCs on the local network can see each other, or set it up so
that none can see each other.

Of course, if they can all see each other, then they can all share viruses,
worms, Trojans and other infections, so if you set them up so that they all
can see each other, then don't skimp on protection by settling for free
anti-virus and anti-spyware programs, that Don't constantly protect you by
staying active in memory. When Free versions of anti-virus and anti-spyware
programs find infections, the infections have already done their dirty work.

Don't settle for Just Adequate. Buy versions of anti-virus and anti-spyware
programs that constantly protect you from infections by staying active in
memory.


"Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
hi there
I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to a
cable modem using XP ICS. I have the XP firewall enabled by default.

The other PCs are connected to this PC through a wireless AP and everything
works fine.

However, my question is, I have read that while XP Firewall does block
incoming traffic, it does not for outgoing traffic (pings, probes etc.). So,
will installing a personal firewall on the gateway PC like Sygate or Zone
Alarm and disabling XP firewall be better off as they appear to report on
both incoming and outgoing traffic.

Also, if anybody has this in place, will the personal firewall on the
Gateway also block internal traffic between PCs on my network ?

Any answer will be greatly appreciated.....

Thanks

Alex
Anonymous
December 30, 2004 10:25:36 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Alex-

Both Dan W and JW have valid points. If you go with Dan W - and firewall
everything - you better use the same software on every PC unless you want to
spend even more $$'s on Tylenol and Advil.
You'd also be well advised to install identical NIC hardware if you can.

I too have a Gateway PC w/dual NICs setup as you described. I use a Belkin
4-port DSL router as HW firewall (which you did not mention in your setup: I
think a HW firewall - such as the Belkin or LinkSys routers - between your
cable modem and gateway ICS host is a very worthwhile improvement to your
setup), a Linksys GigaSwitch for my workgroup, with Norton Internet Security
installed and Windows firewall is disabled.
As long as your cable-modem connects ONLY to the ICS host PC (and no other
PC connects directly to your modem), then your Firewall protection should be
effective for all PC's concerned (until some hacker figures out how to defeat
that capabillity of memory-resident SW firewalls).
I don't know how easy it is in ZoneAlarm to configure workgroup
connectivity, but it's a peice of cake in Norton IS. They have created
"zones" similar to IE which makes conceptual understanding of how to
implement their software Tylenol-free.

JW's points re: "free" (mostly, but some paid-for ones, too) anti-virus and
other mal-ware detectors is valid in that these programs are more like the
old-style car "idiot-light" that tells you after the engine has fallen out,
that indeed, the engine has just fallen out. The malware has already
unleashed itself. An ounce of prevention... JW's advice is well to be heeded.

I would submit you consider this also in your evaluations as to how to best
service your overall Security needs:
"Real firewalls" are considerably complex animals. Most PC "Power Users" are
not capable of managing them, they take a real Security Professional to
install, configure, and maintain: they are quite complex. The huge majority
of the firewall products which "regular" consumers like you and I consider -
mostly because they are inexpensive and affordable to us - are merely
scaled-down simplified versions and have the majority of the tweaks and
nuances of a Real firewall pre-determined and decided for us by the
manufacturer so they can sell it at $50/pop and still make a profit. What
that does is to limit the flexibility the product has of being adjustable to
suit any particular indivuduals' specific need - or environment - and some
features are just not flexible at all. But in order to be more than just
functional, flexible capability has to exist, so manufacturers do that. But
not everybody is flexible the same ways, even across similar product lines or
families. This causes firmware/upgrades/updates to be an additional
maintenance chore for the Administrator (i.e. you). But if you implement
multiple solutions on the same "layer", things can get mixed up fast if just
one little setting who-the-heck-knows where gets changed (even if they're not
on the same layer, this often occurs). And unless your expert enough in
knowing how all the stuff you can't change works with all the stuff you can
change, and then know how to recognize when somthing is set this way when it
should be that way, twiddling with a handfull of firewalls instead of just
one can be frustratingly time-consuming and cost-inefficient (think of what
the electric company power meter looked like when The Griswald family house
XMAS lights finally came on in Nat'l Lampoons Christmas Vacation w/Chevy
Chase).
On the other hand, you might need or actually like to get hip-deep in modern
software technology. It's not like only rocket scientists can do it. If I
can, then anybody can. Just prepare yourself for the picky mentality of
Firewalls. After all, their sole purpose in life is to keep what wasn't asked
for out, and let out *ONLY what you tell it* can go out. The more exceptions
(e.g. rules) you build (or have to put in because you have placed more
firewalls on other PC's that are really behind your REAL Firewall) will
*always* make things more difficult for you to administer (i.e., take care of
in a clean and well-documented way), so that the things you want to
accomplish amongst your own little LAN can not only be done, but be done
easily and simply.
If the purpose of your LAN is more of a business or career-based/supportive
role in your life, then perhaps the headaches and time-consumption that
firmware upgrades (to routers and modems), new software releases/upgrades and
updates (firewall, and lest we not forget to mention MS Service Packs), will
bring to you in order to maintain a LAN where each PC is a fortress unto
itself will entail, is worth it to you. Then again, perhaps not. But that's
your decision to make, I'm not trying to make it for you.
But if your LAN is more of a convenience (like a home network where most of
the computing resources are utilized for pleasure or recreational activities)
IMHO I would not spend nearly that amount of effort necessary in fretting
over every little mal-ware. I'd keep my one Firewall as Robust and Current
and simple as possible, in one place; and let the children inside the
playground have an open sandbox - after all, I still wear the belt in my
household, the rules will be obeyed! Just keep handy a periodically updated
ASR-recovery system restore set on a bootable CD, and tell the family THEY
are responsible in backing their Documents and Settings folder to the
Gateway/server, so when you need to refresh a system, you can do so fairly
easily. Perhaps the first rebuild or two will do more in teaching youngsters
the value of responsibly maintaining a daily "chore", when they lose their
collection of MP3s for the 2nd time because they didn't do backups. A pretty
cheap way to learn a valuable trait...

As long as you keep your frontline security tools (anti-spyware, virus, and
firewall) on your gateway to be the robust best-you-can-afford kind, and then
up-to-date, and the other PC's behind it isolated from a direct connect to
the internet *or any other computer*, and everybody exercises common sense
practices about removable media (floppies, CD's Zips, etc) from external
sources, save yourself from some headache in both configuring and maintaining
firewalls on every machine (just keep your ASR restore backups current after
each new SW install/upgrade). Unless, of course, you want an exercise that
will require you to expand both your knowledge and technical capability with
computing; such a project - successfully completed - will most certainly
expand that knowledgebase.

Remember: with computers unless EVERYTHING is right something is WRONG and
there aren't enough RIGHTS in the world to overcome one WRONG to a computer,
it will just refuse to work until you make EVERY "bit" RIGHT. And firewalls
are the pickiest of softwares to a computer.

But if your LAN security needs are to protect data and resources more vital
than the family Entertainment Consoles, perhaps a more robust approach is
called for. Isolating each PC has it's advantages. But... if each PC has the
same level and kind of protection on it and something gets in onto one of
them, then the others aren't appreciably more protected than the first one
was. And unless you can run to the AP or gateway PC to do an emergency
disconnect faster than those bits and bytes can whiz around your LAN... But,
then again, having each PC port-configuring-capable makes it possible for you
to micro-manage the ports on each of the PC's. Oh - BTW - there are over
65,000 ports... on *each* PC.

I realize this has been a long spill, but I hope it's helped you evaluate
your situation to a more heightened state of clarity for your needs.


"JW" wrote:

> I don't know about Sygate, but ZoneAlarm is flexible enough to set up so
> that either all PCs on the local network can see each other, or set it up so
> that none can see each other.
>
> Of course, if they can all see each other, then they can all share viruses,
> worms, Trojans and other infections, so if you set them up so that they all
> can see each other, then don't skimp on protection by settling for free
> anti-virus and anti-spyware programs, that Don't constantly protect you by
> staying active in memory. When Free versions of anti-virus and anti-spyware
> programs find infections, the infections have already done their dirty work.
>
> Don't settle for Just Adequate. Buy versions of anti-virus and anti-spyware
> programs that constantly protect you from infections by staying active in
> memory.
>
>
> "Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
> news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
> hi there
> I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to a
> cable modem using XP ICS. I have the XP firewall enabled by default.
>
> The other PCs are connected to this PC through a wireless AP and everything
> works fine.
>
> However, my question is, I have read that while XP Firewall does block
> incoming traffic, it does not for outgoing traffic (pings, probes etc.). So,
> will installing a personal firewall on the gateway PC like Sygate or Zone
> Alarm and disabling XP firewall be better off as they appear to report on
> both incoming and outgoing traffic.
>
> Also, if anybody has this in place, will the personal firewall on the
> Gateway also block internal traffic between PCs on my network ?
>
> Any answer will be greatly appreciated.....
>
> Thanks
>
> Alex
>
>
>
December 30, 2004 2:30:58 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I also like ZoneAlarm for the superior flexibility in handling both inbound
and outbound traffic. With ZA, it's not just Yes or No. If i am expecting
inbound traffic from somebody particular on a specific port, i can set ZA to
ask me, and answer Yes if it's who i expect, or No if it's somebody i do not
expect. For outbound traffic, i can answer Yes if it's a program i know
needs outbound permission, or answer No if it's a program that suddenly
wants to break out without my expecting it. I can even change settings in a
Limited Account. The disadvantage is the complexity and learning curve.
The advantage of the XP firewall is it's simplicity. Norton's firewall got
some unflattering remarks in the documentation for LeakTest on www.grc.com


"Eric Niewoehner" <eric.niewoehner@uas.alaska.edu> wrote in message
news:o bJrTrl7EHA.3592@TK2MSFTNGP09.phx.gbl...
To answer your question -- yes on both counts. I have just recently
started messing with Windows XP firewall. I previously utilized Zone
Alarm and have recently been using Norton's Internet Security firewall.
I like ZA and Norton's for the very reason that it doesn't take a
rocket scientist to see which applications are using Internet connections.

On the flip side, I like Windows XP firewall to protect inbound traffic
and typically use it on server devices. In which case, I am advertising
services over a network and the firewall is just one way to ensure that
I don't unintentionally open a port for enquiring minds.

Gateway firewalls usually end at the router, so peer-to-peer access
should not be affected.

Alex McClane wrote:

> hi there
> I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to
> a
> cable modem using XP ICS. I have the XP firewall enabled by default.
>
> The other PCs are connected to this PC through a wireless AP and
> everything
> works fine.
>
> However, my question is, I have read that while XP Firewall does block
> incoming traffic, it does not for outgoing traffic (pings, probes etc.).
> So,
> will installing a personal firewall on the gateway PC like Sygate or Zone
> Alarm and disabling XP firewall be better off as they appear to report on
> both incoming and outgoing traffic.
>
> Also, if anybody has this in place, will the personal firewall on the
> Gateway also block internal traffic between PCs on my network ?
>
> Any answer will be greatly appreciated.....
>
> Thanks
>
> Alex
Anonymous
December 30, 2004 5:33:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for all your responses guys. Very valid points too JW. I might have to
reconsider my setup with the router. While I do not need the best
virus/firewall software, I'd just prefer ones that do report a little better
than XP's firewall.

Its just that sometimes, its better to know what is trying to get out
especially if one has not initiated anything on the network.....

Thanks all...
AMc



"JW" wrote:

> I also like ZoneAlarm for the superior flexibility in handling both inbound
> and outbound traffic. With ZA, it's not just Yes or No. If i am expecting
> inbound traffic from somebody particular on a specific port, i can set ZA to
> ask me, and answer Yes if it's who i expect, or No if it's somebody i do not
> expect. For outbound traffic, i can answer Yes if it's a program i know
> needs outbound permission, or answer No if it's a program that suddenly
> wants to break out without my expecting it. I can even change settings in a
> Limited Account. The disadvantage is the complexity and learning curve.
> The advantage of the XP firewall is it's simplicity. Norton's firewall got
> some unflattering remarks in the documentation for LeakTest on www.grc.com
>
>
> "Eric Niewoehner" <eric.niewoehner@uas.alaska.edu> wrote in message
> news:o bJrTrl7EHA.3592@TK2MSFTNGP09.phx.gbl...
> To answer your question -- yes on both counts. I have just recently
> started messing with Windows XP firewall. I previously utilized Zone
> Alarm and have recently been using Norton's Internet Security firewall.
> I like ZA and Norton's for the very reason that it doesn't take a
> rocket scientist to see which applications are using Internet connections.
>
> On the flip side, I like Windows XP firewall to protect inbound traffic
> and typically use it on server devices. In which case, I am advertising
> services over a network and the firewall is just one way to ensure that
> I don't unintentionally open a port for enquiring minds.
>
> Gateway firewalls usually end at the router, so peer-to-peer access
> should not be affected.
>
> Alex McClane wrote:
>
> > hi there
> > I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected to
> > a
> > cable modem using XP ICS. I have the XP firewall enabled by default.
> >
> > The other PCs are connected to this PC through a wireless AP and
> > everything
> > works fine.
> >
> > However, my question is, I have read that while XP Firewall does block
> > incoming traffic, it does not for outgoing traffic (pings, probes etc.).
> > So,
> > will installing a personal firewall on the gateway PC like Sygate or Zone
> > Alarm and disabling XP firewall be better off as they appear to report on
> > both incoming and outgoing traffic.
> >
> > Also, if anybody has this in place, will the personal firewall on the
> > Gateway also block internal traffic between PCs on my network ?
> >
> > Any answer will be greatly appreciated.....
> >
> > Thanks
> >
> > Alex
>
>
>
December 31, 2004 6:04:23 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

http://www.pcworld.com/reviews/article/0,aid,115939,pg,...

i can understand the trade-off. sometimes, choosing the very best
combination of anti-virus, anti-spyware, and firewall protection takes an
investment in learning and tweaking that is not small. for most home users,
who really don't want to buy into the investment of learning and tweaking
5-7 different programs (anti-virus, firewall, and 3-5 anti-spyware programs
often recommended on this newsgroup), then see the PC World article above.

PC World tested/evaluated many firewall, anti-spyware, and anti-virus
products recently, and detailed specific problems with Norton and McAfee
products, that led them to recommend Neither one. Only one product was
recommended in Both the firewall and anti-virus categories -- PCcillin
Internet Security by Trend Micro. While i still prefer separate specialized
products, i am now learning the ropes with the PCcillin suite, and like what
i see.

it covers all the bases well, including detection and warning of Outbound
communication, but i would urge readers here to Not give up the superior
anti-spyware products often recommended in this newsgroup, including
IE-Spyad and Spybot S&D. Warnings for inbound communication are not
available in PCcillin's firewall (only Allow or Block).


"Alex McClane" <AlexMcClane@discussions.microsoft.com> wrote in message
news:B8B66521-B39F-47A3-B2EB-3CE4F0078688@microsoft.com...
Thanks for all your responses guys. Very valid points too JW. I might have
to
reconsider my setup with the router. While I do not need the best
virus/firewall software, I'd just prefer ones that do report a little better
than XP's firewall.

Its just that sometimes, its better to know what is trying to get out
especially if one has not initiated anything on the network.....

Thanks all...
AMc



"JW" wrote:

> I also like ZoneAlarm for the superior flexibility in handling both
> inbound
> and outbound traffic. With ZA, it's not just Yes or No. If i am
> expecting
> inbound traffic from somebody particular on a specific port, i can set ZA
> to
> ask me, and answer Yes if it's who i expect, or No if it's somebody i do
> not
> expect. For outbound traffic, i can answer Yes if it's a program i know
> needs outbound permission, or answer No if it's a program that suddenly
> wants to break out without my expecting it. I can even change settings in
> a
> Limited Account. The disadvantage is the complexity and learning curve.
> The advantage of the XP firewall is it's simplicity. Norton's firewall
> got
> some unflattering remarks in the documentation for LeakTest on www.grc.com
>
>
> "Eric Niewoehner" <eric.niewoehner@uas.alaska.edu> wrote in message
> news:o bJrTrl7EHA.3592@TK2MSFTNGP09.phx.gbl...
> To answer your question -- yes on both counts. I have just recently
> started messing with Windows XP firewall. I previously utilized Zone
> Alarm and have recently been using Norton's Internet Security firewall.
> I like ZA and Norton's for the very reason that it doesn't take a
> rocket scientist to see which applications are using Internet connections.
>
> On the flip side, I like Windows XP firewall to protect inbound traffic
> and typically use it on server devices. In which case, I am advertising
> services over a network and the firewall is just one way to ensure that
> I don't unintentionally open a port for enquiring minds.
>
> Gateway firewalls usually end at the router, so peer-to-peer access
> should not be affected.
>
> Alex McClane wrote:
>
> > hi there
> > I have a PC with 2 NICs (XP SP2) setup as an Internet Gateway connected
> > to
> > a
> > cable modem using XP ICS. I have the XP firewall enabled by default.
> >
> > The other PCs are connected to this PC through a wireless AP and
> > everything
> > works fine.
> >
> > However, my question is, I have read that while XP Firewall does block
> > incoming traffic, it does not for outgoing traffic (pings, probes etc.).
> > So,
> > will installing a personal firewall on the gateway PC like Sygate or
> > Zone
> > Alarm and disabling XP firewall be better off as they appear to report
> > on
> > both incoming and outgoing traffic.
> >
> > Also, if anybody has this in place, will the personal firewall on the
> > Gateway also block internal traffic between PCs on my network ?
> >
> > Any answer will be greatly appreciated.....
> >
> > Thanks
> >
> > Alex
>
>
>
!