Opinions: Is Windows Firewall adequate

[Double Density]

Our Symantec subscription on the store's machines is up, and I'm going to change security systems. The Symantec is just too hard on our older machines...particularly the ones that have no memory (and with Rambus memory...they aren't going to be getting any!).

I've been looking at a lot of different packages, some with software firewalls and some without. If I get just an antivirus without a firewall, will Windows Firewall along with the router's security features be enough? Is it time to consider a hardware firewall?

[PCBruiser]

No software firewall is enough, and the Windows firewall isn't good enough anyway. Read the Securing Windows XP paper and you will see why. If you are on broadband, and do not have a hardware router/firewall in addition to software protection, you are just asking for trouble.

http://www.abxzone.com/abx_reviews/t...secure_p1.html

[SubZero]

As far as I know the windows firewall doesn't even block outgoing traffic and for that fact alone it is completely useless...

And PCB is right, no software firewall is enough but on the other handwe shouldn't overhype it. If you are carefull with your surfing habbitsand use common sense you can prevent a lot of problems.

For general home usage I'd almost say a software firewall (expcept the norton/symantec crap) IS good enough.

[PCBruiser]

Quote:

Originally Posted by SubZero

As far as I know the windows firewall doesn't even block outgoing traffic and for that fact alone it is completely useless...

That is correct.

Quote:

Originally Posted by SubZero

And PCB is right, no software firewall is enough but on the other handwe shouldn't overhype it. If you are carefull with your surfing habbitsand use common sense you can prevent a lot of problems.

In this case it is for a business, which makes the need even greater.

Quote:

Originally Posted by SubZero

For general home usage I'd almost say a software firewall (expcept the norton/symantec crap) IS good enough.

I disagree. In this day and age with the sheer number of zombies out there pounding away at your OS, and given the low cost of decent (not great but decent) hardware firewall/routers, there is just no reason not to have one. I really can't recommend going without one, no matter how good your software protections may be.

[JoeFrat]

One of the major problems with all of this security software is Legacy apps. The sheer amount of old programs in use is staggering. This being the case, using PCB's security recommendations doesn't work for 100% of our existing customer base (500+) and 50% of my local business accounts (100+). Due to these limitations, here is the security routine I have implemented which may help you.

1. Broadband access connected to a Sonicwall TZ-170 Firewall/Router
1a Admin accounts have strong passwords, alot of these apps require admin access to hardware so they must be used. Where this isn't necessary use user accounts for daily activities.
2. Symantec Small Business 10.0 (AV & Spyware), 9.0 where necessary. Properly configured this will take up limited resources and still be effective protection.
3. MS AntiSpyware or Spybot for pre 2k machines...sometimes not even this can be run due to interference.
4. Locked Down IE settings, only websites that require IE are allowed. Firefox is used for general surfing.
6. Where I can, Thunderbird is used for email access. Otherwise Outlook w/ some filters to help with junkmail.
5. Only items that need to be shared, are shared (certain folders,printers) No full shares of any drives, even cd roms.

The majority of my customer base runs very cleanly on this setup. It's very rare that a virus or spyware outbreak occurs. The key to this is educating the users on what they can/cannot do with their business machines.

Hope this helps.

[PCBruiser]

Understood, special problems require special solutions. One thing you might think about - you can use the SonicWALL Gateway Protection Package with the TZ170. That has AV, anti-malware, content protection and email scanning all built in at the packet level. And, all that runs on the router itself, not on the individual systems. It also updates every hour automatically, so there really is not much need for human intervention except for firmware updates. It dows add some overhead at the router level, but it hasn't done much to my Internet speeds to any meaningful extent.

[JoeFrat]

Quote:

Originally Posted by PCBruiser

Understood, special problems require special solutions. One thing you might think about - you can use the SonicWALL Gateway Protection Package with the TZ170. That has AV, anti-malware, content protection and email scanning all built in at the packet level. And, all that runs on the router itself, not on the individual systems. It also updates every hour automatically, so there really is not much need for human intervention except for firmware updates. It dows add some overhead at the router level, but it hasn't done much to my Internet speeds to any meaningful extent.

While I agree 100% with you, the cold hard fact is selling it to the small business. If it was a bit cheaper, I could sell it more often. Keep in mind that a small biz looking at AV, the sonicwall(and yearly subscription/warranty renewal),broadband, etc.etc., yearly cost rises quickly. It's really a delicate balance of what they can afford easily AND protects them adequately.

Otherwise, I'd turn on every feature of the Sonicwall and sleep better at night

[PCBruiser]

I understand that too. I have a TZ150, and had to think more than once before I added the Gateway Protection.

[bjbgraphics]

I believe it does. I use Windows Firewall and it has asked me if I want to allow certain programs to connect to the internet when they are run. It has asked this with Trillian, some games, and a few other programs.

I can tell it not to allow or allow and it will either add a rule to its exceptions list or not.

BJB

Quote:

Originally Posted by PCBruiser

Originally Posted by SubZero
As far as I know the windows firewall doesn't even block outgoing traffic and for that fact alone it is completely useless...

That is correct.

[Double Density]

Thanks guys. In our current configuration, we're using the software firewalls in addition to the firewalls in our routers....which being more or less mainstream (Linksys and Westell), leads me to believe there are stronger solutions....I'm going to talk to my network guy about the Sonicwall router.

The thing that worries me is that I don't want to hinder the usefulness of our systems. We do a lot of back and forth communication with manufacturer sites that often have pretty wacky connection requirements. To be truthful, I miss the days when we had to physically dial in to their systems using proprietary software. At least then, there was none of this trying to figure out what port has to be open crap.

[Fleabus]

I use a router (Linksys BEFSR41 4-port wired).
Windows firewall disabled.
ZoneAlarm free software firewall to monitor any bad boys
trying to call out.
AVG as resident/background antivirus scanner. Non-intrusive and behaves well.
AntiVir free antivirus scanner used manually only. The one I depend on.
MS AntiSpyware used mainly for its shelding capability.
SpyBot S&D (Immunization on).
All of these programs get along with each other just fine on my system.
Windows firewall is good enough to switch on after a clean XP SP2 install to authenticate the O/S and go to the Windows Update site.

The only issue I had with Zone Alarm was when trying to check out Avast
free antivirus, it objected to something in ZA's behavior and wanted me
to uninstall ZA or cripple it. Forget which.
No loss. I'm very happy with the antivirus programs I already use.

Happy trails,

[pointreyes]

Quote:

Originally Posted by Double Density

I've been looking at a lot of different packages, some with software firewalls and some without. If I get just an antivirus without a firewall, will Windows Firewall along with the router's security features be enough? Is it time to consider a hardware firewall?

What is your budget?
Do you have to contend with wireless connections?
What OSes are being used?
Are there any baseline security policies within this organization? That can make a difference on what type of software/hardware to look at. Or it could even make it possible to change the requirements.
Is there security awareness training for the employees?

Sorry, I'm taking the holistic approach. Unfortunately, another important variable is social engineering and hence the reason why I see the importance of security awareness training to be considered part of a security budget. Or another common idea: Users are inherently evil, they just don't know it.

To help with the training aspect this might help:
http://www.cscic.state.ny.us/msisac/...ct05/index.htm
Most especially this link from the above link: http://www.cscic.state.ny.us/msisac/webcasts/index.htm

[Double Density]

Quote:

Originally Posted by pointreyes

What is your budget?
Do you have to contend with wireless connections?
What OSes are being used?
Are there any baseline security policies within this organization? That can make a difference on what type of software/hardware to look at. Or it could even make it possible to change the requirements.
Is there security awareness training for the employees?

Sorry, I'm taking the holistic approach. Unfortunately, another important variable is social engineering and hence the reason why I see the importance of security awareness training to be considered part of a security budget. Or another common idea: Users are inherently evil, they just don't know it.

To help with the training aspect this might help:
http://www.cscic.state.ny.us/msisac/...ct05/index.htm
Most especially this link from the above link: http://www.cscic.state.ny.us/msisac/webcasts/index.htm

Budget isn't too much of a concern this time of the year (at least not to the extent of a $600 router and a couple of hours of tech time worrying me). We're running mostly XP, with a smattering of ME, 98 and a Mac. Only a few of the computers are on a workgroup (our POS system), the rest just connect to the Net through the routers, and only the laptops are connected via wireless. All but one computer is turned off when not in use.

The only reason I'm looking at changing software is that a few of the XP computers are older machines (1.6/2.0 processors w/256m of rambus RAM) and those machines get bogged down with the Symantec security checks. I'm tired of seeing "Windows is waiting for a virus scan of xxxx" popping up all day long. I'd swap the old machines out, but they still do their primary job (POS)well....and reinstalling the software is a royal pain.

[Terry Reynolds]

I've found Symantec is just too much of a resource hog. (Well, it was a few years ago when I finally gave up on them.) Of course, a lot of security software is. Our business uses CA's anti-virus, but it just isn't up to snuff any more. ('lot of stuff getting through) I'm looking into F-Secure and McAffee for replacement, and I will let you know how trim they might be when I find out for myself. Zone Alarm seems to do the trick for firewall, but I wouldn't call it trim.

I wouldn't consider doing without a firewall-router. If budget's not a problem - SonicWall. But they might eat you alive if you have too many users. And, you still need something on the idividual computers. Don't rely on the router soley.

[INVALiD]

The windows based firewall only offers inbound protection, but it's better than nothing at all.
I think the best firewall solution lies with a combination of hardware(router) and software firewalls.

Absolutely hate security bundles/packages/suits like Norton, Zone Alarm etc.
These companies usually make one good product while the rest of the bundles suit is total crapware.