XP Firewall and ICS

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

hi there
I have a PC with 2 NICs (XP SP2) set up as an Internet Gateway connected to a
cable modem using XP ICS. I have the XP firewall enabled by default.

The other PCs are connected to this PC through a wireless AP and everything
works fine.

However, my question is, I have read that while XP Firewall does block
incoming traffic, it does not for outgoing traffic (pings, probes etc.). So,
will installing a personal firewall on the gateway PC like Sygate or Zone
Alarm and disabling XP firewall be better off, as they appear to report on
both incoming and outgoing traffic?

Also, if anybody has this in place, will the personal firewall on the
Gateway also block internal traffic between PCs on my network?

Any answer will be greatly appreciated.....

Thanks

Alex
7 answers
  1.

    The best thing you can do is put a Windows firewall on all machines and just
    make sure they can speak to each other.
    "Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
    news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
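As an added example (not code from anyone in this thread), here is how the advice above, a firewall on every machine that still lets the PCs talk to each other, looks on a Windows XP SP2 LAN client using the built-in `netsh firewall` context. It assumes an Administrator command prompt; the logging step gives some of the visibility the original poster asked for, although the XP firewall itself cannot block outbound traffic.

```batch
@echo off
rem Added example, not from the thread: enable the XP SP2 firewall on a LAN
rem client while keeping file sharing reachable from the local subnet only.
rem Run from an Administrator command prompt on each PC behind the ICS host.

rem 1. Turn the firewall on for every interface. Keep exceptions enabled;
rem    exceptions=DISABLE would also block the LAN file sharing set up below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 2. Allow File and Printer Sharing, but only from the local subnet, so
rem    nothing arriving through the gateway's Internet side can reach it.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET

rem 3. Allow ping replies (ICMP echo request, type 8) so "ping" between PCs
rem    works while troubleshooting. Drop this line if you do not need it.
netsh firewall set icmpsetting type=8 mode=ENABLE

rem 4. Log dropped packets and accepted connections. The XP firewall filters
rem    inbound traffic only, but the log still records what was refused and
rem    what was let in, which is the reporting the original question is about.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

rem 5. Verify the resulting state and the configured exceptions.
netsh firewall show state
netsh firewall show config

rem 6. For a view of outbound activity, list every socket together with the
rem    executable that owns it (-b was added in XP SP2 and needs admin rights).
netstat -bano
```

Review `%SystemRoot%\pfirewall.log` for DROP entries from addresses outside the LAN subnet, and compare the `netstat -bano` output against the programs you expect to be talking to the Internet.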
  2.

    To answer your question -- yes on both counts. I have just recently
    started messing with Windows XP firewall. I previously utilized Zone
    Alarm and have recently been using Norton's Internet Security firewall.
    I like ZA and Norton's for the very reason that it doesn't take a
    rocket scientist to see which applications are using Internet connections.

    On the flip side, I like Windows XP firewall to protect inbound traffic
    and typically use it on server devices. In which case, I am advertising
    services over a network and the firewall is just one way to ensure that
    I don't unintentionally open a port for enquiring minds.

    Gateway firewalls usually end at the router, so peer-to-peer access
    should not be affected.

    Alex McClane wrote:

  3.

    I don't know about Sygate, but ZoneAlarm is flexible enough to set up so
    that either all PCs on the local network can see each other, or set it up so
    that none can see each other.

    Of course, if they can all see each other, then they can all share viruses,
    worms, Trojans and other infections, so if you set them up so that they all
    can see each other, then don't skimp on protection by settling for free
    anti-virus and anti-spyware programs that don't constantly protect you by
    staying active in memory. When free versions of anti-virus and anti-spyware
    programs find infections, the infections have already done their dirty work.

    Don't settle for Just Adequate. Buy versions of anti-virus and anti-spyware
    programs that constantly protect you from infections by staying active in
    memory.


    "Alex McClane" <Alex McClane@discussions.microsoft.com> wrote in message
    news:72B71FEE-81CF-4B2F-889D-9C1B71C96D1A@microsoft.com...
  4.

    Alex-

    Both Dan W and JW have valid points. If you go with Dan W - and firewall
    everything - you better use the same software on every PC unless you want to
    spend even more $$'s on Tylenol and Advil.
    You'd also be well advised to install identical NIC hardware if you can.

    I too have a Gateway PC w/dual NICs set up as you described. I use a Belkin
    4-port DSL router as HW firewall (which you did not mention in your setup: I
    think a HW firewall - such as the Belkin or LinkSys routers - between your
    cable modem and gateway ICS host is a very worthwhile improvement to your
    setup), a Linksys GigaSwitch for my workgroup, with Norton Internet Security
    installed and Windows firewall is disabled.
    As long as your cable-modem connects ONLY to the ICS host PC (and no other
    PC connects directly to your modem), then your Firewall protection should be
    effective for all PC's concerned (until some hacker figures out how to defeat
    that capability of memory-resident SW firewalls).
    I don't know how easy it is in ZoneAlarm to configure workgroup
    connectivity, but it's a piece of cake in Norton IS. They have created
    "zones" similar to IE which makes conceptual understanding of how to
    implement their software Tylenol-free.

    JW's points re: "free" (mostly, but some paid-for ones, too) anti-virus and
    other mal-ware detectors is valid in that these programs are more like the
    old-style car "idiot-light" that tells you after the engine has fallen out,
    that indeed, the engine has just fallen out. The malware has already
    unleashed itself. An ounce of prevention... JW's advice is well to be heeded.

    I would submit you consider this also in your evaluations as to how to best
    service your overall Security needs:
    "Real firewalls" are considerably complex animals. Most PC "Power Users" are
    not capable of managing them, they take a real Security Professional to
    install, configure, and maintain: they are quite complex. The huge majority
    of the firewall products which "regular" consumers like you and I consider -
    mostly because they are inexpensive and affordable to us - are merely
    scaled-down simplified versions and have the majority of the tweaks and
    nuances of a Real firewall pre-determined and decided for us by the
    manufacturer so they can sell it at $50/pop and still make a profit. What
    that does is to limit the flexibility the product has of being adjustable to
    suit any particular individual's specific need - or environment - and some
    features are just not flexible at all. But in order to be more than just
    functional, flexible capability has to exist, so manufacturers do that. But
    not everybody is flexible the same ways, even across similar product lines or
    families. This causes firmware/upgrades/updates to be an additional
    maintenance chore for the Administrator (i.e. you). But if you implement
    multiple solutions on the same "layer", things can get mixed up fast if just
    one little setting who-the-heck-knows where gets changed (even if they're not
    on the same layer, this often occurs). And unless you're expert enough in
    knowing how all the stuff you can't change works with all the stuff you can
    change, and then know how to recognize when something is set this way when it
    should be that way, twiddling with a handful of firewalls instead of just
    one can be frustratingly time-consuming and cost-inefficient (think of what
    the electric company power meter looked like when The Griswold family house
    XMAS lights finally came on in Nat'l Lampoon's Christmas Vacation w/Chevy
    Chase).
    On the other hand, you might need or actually like to get hip-deep in modern
    software technology. It's not like only rocket scientists can do it. If I
    can, then anybody can. Just prepare yourself for the picky mentality of
    Firewalls. After all, their sole purpose in life is to keep what wasn't asked
    for out, and let out *ONLY what you tell it* can go out. The more exceptions
    (e.g. rules) you build (or have to put in because you have placed more
    firewalls on other PC's that are really behind your REAL Firewall) will
    *always* make things more difficult for you to administer (i.e., take care of
    in a clean and well-documented way), so that the things you want to
    accomplish amongst your own little LAN can not only be done, but be done
    easily and simply.
    If the purpose of your LAN is more of a business or career-based/supportive
    role in your life, then perhaps the headaches and time-consumption that
    firmware upgrades (to routers and modems), new software releases/upgrades and
    updates (firewall, and lest we not forget to mention MS Service Packs), will
    bring to you in order to maintain a LAN where each PC is a fortress unto
    itself will entail, is worth it to you. Then again, perhaps not. But that's
    your decision to make, I'm not trying to make it for you.
    But if your LAN is more of a convenience (like a home network where most of
    the computing resources are utilized for pleasure or recreational activities)
    IMHO I would not spend nearly that amount of effort necessary in fretting
    over every little mal-ware. I'd keep my one Firewall as Robust and Current
    and simple as possible, in one place; and let the children inside the
    playground have an open sandbox - after all, I still wear the belt in my
    household, the rules will be obeyed! Just keep handy a periodically updated
    ASR-recovery system restore set on a bootable CD, and tell the family THEY
    are responsible in backing their Documents and Settings folder to the
    Gateway/server, so when you need to refresh a system, you can do so fairly
    easily. Perhaps the first rebuild or two will do more in teaching youngsters
    the value of responsibly maintaining a daily "chore", when they lose their
    collection of MP3s for the 2nd time because they didn't do backups. A pretty
    cheap way to learn a valuable trait...

    As long as you keep your frontline security tools (anti-spyware, virus, and
    firewall) on your gateway to be the robust best-you-can-afford kind, and then
    up-to-date, and the other PC's behind it isolated from a direct connect to
    the internet *or any other computer*, and everybody exercises common sense
    practices about removable media (floppies, CD's Zips, etc) from external
    sources, save yourself from some headache in both configuring and maintaining
    firewalls on every machine (just keep your ASR restore backups current after
    each new SW install/upgrade). Unless, of course, you want an exercise that
    will require you to expand both your knowledge and technical capability with
    computing; such a project - successfully completed - will most certainly
    expand that knowledgebase.

    Remember: with computers unless EVERYTHING is right something is WRONG and
    there aren't enough RIGHTS in the world to overcome one WRONG to a computer,
    it will just refuse to work until you make EVERY "bit" RIGHT. And firewalls
    are the pickiest of softwares to a computer.

    But if your LAN security needs are to protect data and resources more vital
    than the family Entertainment Consoles, perhaps a more robust approach is
    called for. Isolating each PC has its advantages. But... if each PC has the
    same level and kind of protection on it and something gets in onto one of
    them, then the others aren't appreciably more protected than the first one
    was. And unless you can run to the AP or gateway PC to do an emergency
    disconnect faster than those bits and bytes can whiz around your LAN... But,
    then again, having each PC port-configuring-capable makes it possible for you
    to micro-manage the ports on each of the PC's. Oh - BTW - there are over
    65,000 ports... on *each* PC.

    I realize this has been a long spiel, but I hope it's helped you evaluate
    your situation to a more heightened state of clarity for your needs.


    "JW" wrote:

  5.

    I also like ZoneAlarm for the superior flexibility in handling both inbound
    and outbound traffic. With ZA, it's not just Yes or No. If I am expecting
    inbound traffic from somebody particular on a specific port, I can set ZA to
    ask me, and answer Yes if it's who I expect, or No if it's somebody I do not
    expect. For outbound traffic, I can answer Yes if it's a program I know
    needs outbound permission, or answer No if it's a program that suddenly
    wants to break out without my expecting it. I can even change settings in a
    Limited Account. The disadvantage is the complexity and learning curve.
    The advantage of the XP firewall is its simplicity. Norton's firewall got
    some unflattering remarks in the documentation for LeakTest on www.grc.com


    "Eric Niewoehner" <eric.niewoehner@uas.alaska.edu> wrote in message
    news:ObJrTrl7EHA.3592@TK2MSFTNGP09.phx.gbl...
  6.

    Thanks for all your responses guys. Very valid points too JW. I might have to
    reconsider my setup with the router. While I do not need the best
    virus/firewall software, I'd just prefer ones that do report a little better
    than XP's firewall.

    It's just that sometimes, it's better to know what is trying to get out,
    especially if one has not initiated anything on the network.....

    Thanks all...
    AMc


    "JW" wrote:

  7.

    http://www.pcworld.com/reviews/article/0,aid,115939,pg,1,00.asp

    I can understand the trade-off. Sometimes, choosing the very best
    combination of anti-virus, anti-spyware, and firewall protection takes an
    investment in learning and tweaking that is not small. For most home users,
    who really don't want to buy into the investment of learning and tweaking
    5-7 different programs (anti-virus, firewall, and 3-5 anti-spyware programs
    often recommended on this newsgroup), see the PC World article above.

    PC World tested/evaluated many firewall, anti-spyware, and anti-virus
    products recently, and detailed specific problems with Norton and McAfee
    products that led them to recommend neither one. Only one product was
    recommended in both the firewall and anti-virus categories -- PC-cillin
    Internet Security by Trend Micro. While I still prefer separate specialized
    products, I am now learning the ropes with the PC-cillin suite, and like what
    I see.

    It covers all the bases well, including detection and warning of outbound
    communication, but I would urge readers here to not give up the superior
    anti-spyware products often recommended in this newsgroup, including
    IE-Spyad and Spybot S&D. Warnings for inbound communication are not
    available in PC-cillin's firewall (only Allow or Block).


    "Alex McClane" <AlexMcClane@discussions.microsoft.com> wrote in message
    news:B8B66521-B39F-47A3-B2EB-3CE4F0078688@microsoft.com...