Activating an XP firewall on a LAN

Activating an XP firewall on a LAN

The following question and answer thread was excerpted from ITKnowledge Exchange. Click here to read the entire thread or to start a new one.


A user identified as stanslad posted the following question:
"We would like to activate an XP firewall in our corporate LAN. However, I've been advised not to do so because activating such a firewall causes complications for LAN-based users, applications and services. What should we do?"

A user identified as hedgehog advised:
"I would enable it first on a small test bed of controlled clients and see how it goes. Keep in mind that, as with most personal firewalls, the WinXP firewall will have some connectivity problems, especially with client-server apps or with those that need to 'ping' the machines to work. You will need to determine which ports/services are in use and open them in the firewalls. If you allow laptops into your corporate LAN, a personal firewall should be mandatory on those machines. While having a personal firewall on a desktop is not as critical, they also contribute to your overall security."

A user identified as csmric advised:
"When I initially deployed SP2 throughout our organization,

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

I enabled an XP firewall and created 'holes' in it as necessary. However, as we proceeded, I found more and more LAN-related problems. The Terminal Server users, the various antispyware and antivirus solutions we employ became too much to keep up with as I opened more and more holes. Since we use a hardware (PIX) firewall and an ISA Server, I decided to disable the XP firewall on all computers. We have used this configuration for 6 months now and haven't experienced any adverse reactions. I would also recommend configuring the laptops so they use the XP firewall. This protects the laptops when the user is not on your LAN."

More Information

Have a firewall question? Pose a question to our network security expert.

Learn how to choose a firewall.

Learn about firewalls, how they work, vulnerabilities, troubleshooting, configurations and more.

A user identified as gstornelli advised:
"On small, well-protected networks, I have used group policy to disable the firewall while the workstation is on the network, and enable the firewall while the workstation is off the network. That way you don't have to deal with apps that are only run while in the office, while protecting the notebook users when they're on the road."

A user identified as poppaman2 advised:
"While I agree that a desktop firewall is a good idea, I disagree that the XPSP2 firewall should be deployed. It is an ingress-only firewall and leaves outgoing data untouched. I suggest, depending upon how much security is needed, something a bit more robust, such as Sygate, Tiny, Black Ice or Zone Alarm."

A user identified as amigus advised:
"I disagree with the notion that an ingress-only firewall is not useful or adequate. Egress filtering usually comes with a significant maintenance burden. While egress filtering is very useful (and often recommended) on network firewalls it's not that useful on workstations. In my opinion, there are only two reasons you would want to use egress filtering:

  1. You want to limit the communications of user-installed applications.
  2. You have spyware problems.

With respect to limiting application network exposure, it's rather difficult because (most of the time) if they can install applications, they can also pass through the firewall using the same privilege they used to install it. With respect to spyware, again, the user probably has too much privilege. With that said, I believe egress filtering is more trouble than it's worth and for what it's worth, it seems Microsoft agrees. If you're serious about security, spend your time making your network work with unprivileged user accounts, rather than wasting your helpdesk resources configuring cranky firewalls. If you really want egress filtering, implement it on your network firewall. And, if you really want to limit the scope of workstation communication, use IPSec."

This was first published in October 2005

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top