I think that in today's paranoid time, having a personal firewall in the
corporate environment is not a bad thing.

If you look at IDS products that have firewall-like technology (ICE) then
they have a central reporting and management mechanism that allows desktops
to report and configure after an attack, or be pre-configured by
administrators.

Personally, even though I am a firewall administrator, looking after a large
number of corporate firewalls, I still have a personal firewall for my own
peace of mind!

Simon


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Watts
Sent: 09 February 2001 13:14
To: '[EMAIL PROTECTED]'
Subject: RE: Personal Firewalls in corporate settings...



Brenno,

You're absolutely right - letting the user administer the firewall is just
as bad as not having it.

Several of the newer versions of these firewalls, Tiny for example, have
the ability to suppress warning dialogs and also allow password-protected
remote administration.



Maybe I should clarify my position,

I'm researching a report on Personal Firewalls and their potential use in a
corporate environment.
This means that I'm testing many of the latest offerings.

Some of them do appear to have very good centralised administration/rollout
support.

I'm not necessarily for or against them - just looking for balanced
opinions.

Cheers,

Mark.


-----Original Message-----
From:   Hiemstra, Brenno [SMTP:[EMAIL PROTECTED]]
Sent:   Friday, February 09, 2001 12:59 PM
To:     'mwatts'; '[EMAIL PROTECTED]'
Subject:        RE: Personal Firewalls in corporate settings...

Mark,

I don't really see the use of a personal firewall on each workstation
because the user has to give the application access (for example
iexplore.exe) thru the personal firewall...

If the user is able to do that it can also give access to all other
applications that want to access the internet...   which doesn't reduce
the load on the firewall at all...

if you disable the user to edit / alter the granting of access thru the
personal firewall then maybe you are getting somewhere...   but how you
want to do this I don't know....
and the user is still bothered with the irritating pop-ups...

and the administration of everything will be a pain in the ass too...

I think the best way is not to grant users the ability to install
applications on their own but do this centralized and give access to the
applications that they need to have...

which all can be done with policies / profiles and scripts..

Dunno if this is exactly what you meant....    I thought it

Greets,

Brenno

> -----Original Message-----
> From: mwatts [SMTP:[EMAIL PROTECTED]]
> Sent: vrijdag 9 februari 2001 13:23
> To:   '[EMAIL PROTECTED]'
> Subject:      RE: Personal Firewalls in corporate settings...
>
> Agreed, any company that just relied on a desktop solution would be daft
> IMHO.
>
> What I'm suggesting is that they would be used in conjunction with a
> perimeter firewall to enhance what was already there.
>
> IMO, anything that can reduce the pressure on the firewall/gateway would
> be a good thing.
> This would have the added benefit of improving the responsiveness of the
> firewall when lots of users are doing allowed things.
>
> Cheers,
>
> Mark.
>
>
> > -----Original Message-----
> > From:       Hiemstra, Brenno
> > Sent:       vrijdag 9 februari 2001 12:56
> > To: 'mwatts'
> > Subject:    RE: Personal Firewalls in corporate settings...
> >
> > Mark,
> >
> > Personal Firewalls are not safe for corporate use...
> >
> > Installing it in a corporate network doesn't disable the ability for
> > trojan horses to access the internet in some sort of way.
> >
> > Personal Firewalls grant access to applications which want to connect
> > to the internet. Corporate Firewalls (like Checkpoint Firewall 1) grant
> > access by rules on traffic shape (http or ftp) and ports (80, 21), which
> > eliminate trojan horses that want to access the internet on for example
> > port 3333.
> >
> > Furthermore you probably use some kind of internet sharing program like
> > sygate or winroute which you grant access thru your personal firewall.
> > For example sygate.exe.
> >
> > This service routes every traffic it gets on its internal interface
> > onto the internet.
> > So..   you can see..  also traffic of trojan horses which uses some
> > client PC in the network...
> >
> > IRC, ICQ, and all that services have access to..  with corporate
> > firewalls you can eliminate this by your ruleset....   These services
> > use the internet sharing service of the gateway/firewall to access the
> > internet...   and in my example... that executable has access thru for
> > example: zonealarm or sygate personal firewall...
> >
> > I just pointed you some serious flaws in personal firewalls in
> > comparison to a corporate firewall like Firewall 1, Raptor, Sidewinder
> > or IPCHAINS / Netfilter (linux).
> >
> > My suggestion is NOT to use a personal firewall in a corporate LAN...
> > But that's my opinion...
> >
> > And we had already a lovely discussion about personal firewalls on this
> > list...
> > which pointed out NOT to use them in corporate networks...
> >
> > And various security websites also pointed this out...
> > Maybe you have to do some research on the net before you are going to
> > deploy a personal firewall in a company network...   I would like to be
> > the company who has one and thinks that they are secure of trojans and
> > all that stuff....
> >
> > Anyway..   enough said from my side...
> >
> > Hope you have something about it !
> >
> > Greets
> >
> > brenno
> >
> > -----Original Message-----
> > From:       mwatts [SMTP:[EMAIL PROTECTED]]
> > Sent:       vrijdag 9 februari 2001 12:42
> > To: [EMAIL PROTECTED]
> > Subject:    Personal Firewalls in corporate settings...
> >
> > Greetings all,
> >
> > Does anyone here have any experience in deploying a Personal Firewall
> > (ZoneAlarm, Tiny et al) solution in a corporate setting?
> >
> > Comments, suggestions, experiences and remarks are all welcome.
> >
> > Cheers,
> >
> > Mark Watts,
> > Research Scientist
> > DERA.
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]