value of firewall etc on non ics gateway pc

Discussion in 'Home Networking' started by Andrew, Oct 12, 2004.

  1. Andrew

    Andrew Guest

    Hi
    my home LAN setup is an XP box running as a server...
    with ICS running NAV and ZoneAlarm... etc and that's OK

    now the other PCs on the LAN are fairly old (Pentium II 350 etc)
    running win98... I also had copies of NIS 2001 running on them
    (providing antivirus, firewall and parental control)
    which is now at the end of its subscription...
    I was also concerned with how much resource NIS was using...

    Now I was thinking about replacing NIS with AVG and leaving out
    a firewall on the win98 PC (as they only access internet via the ICS gateway
    ....)
    and not sure what to do for parental control ...

    What do people think about not having firewall on the non ICS PCs ...
    does everyone think the freeware AVG a decent virus scanner?
    and anyone recommend a standalone, non resource-heavy "parental control" (or
    not worth bothering about ... just lay down the law to my teenage
    children?)?

    thanks
    Andrew
     
    Andrew, Oct 12, 2004
    #1

  2. Andrew

    mike Guest

    not sure on the parental control stuff.

    but you must have firewall/anti-virus on every machine...even with a router
    firewall.

    on all my 5 machines I run AVG & ZAfree.
    The ICS machine only provides the link... not protection.

    I have never found any of the 'phone-home' virus stuff successfully get past
    those two & I have had the virus get in to them thanks to my kids & gaming
    sites!


    mike
     
    mike, Oct 12, 2004
    #2

  3. Andrew

    [ste parker] Guest

    Why must you have a firewall on every machine? As I understand it, you
    only need one on the machine doing the ICS, otherwise running firewalls
    on the other PCs can stop normal network traffic unless you set them up
    to let all that through. As soon as I got my adsl firewall router the
    first thing I did was switch off the firewall on the PC that previously
    connected direct to the 'net (was only XP SP1 firewall, nothing fancy
    but enough).

    Antivirus software is obviously good to have running on all machines however.
     
    [ste parker], Oct 12, 2004
    #3
  4. Andrew

    [ste parker] Guest

    Andrew wrote:
    I don't see the point of having a firewall running on each individual
    machine as long as you have one decent one at the point of entry/exit to
    the outside world. I rely on the firewall on my router, with AVG Free
    Edition on the machines connecting.
     
    [ste parker], Oct 12, 2004
    #4
  5. Andrew

    Rob Morley Guest

    You need the outbound protection to stop malware that hasn't been caught
    by your AV from connecting out. It controls connections on an
    application level, which the main firewall cannot do.
     
    Rob Morley, Oct 12, 2004
    #5
  6. Andrew

    Clansman Guest

    The firewall on the host PC (server) has been told to allow `ALL' traffic to &
    from the local net. So if you don't have a firewall on the client and someone
    downloads a `zip'/rar etc, on a client, that has a virus/trojan inside and it
    gets `executed' then the host firewall will allow it to pass through and go
    about its business.

    Clansman
     
    Clansman, Oct 12, 2004
    #6
  7. Andrew

    [ste parker] Guest

    Am I missing something here? Why not just configure the firewall on the
    server (in this case the machine with ICS enabled, right?) to lock down
    the most likely to be abused outgoing ports? Add up-to-date virus
    protection on the "clients" too, surely this covers things?
     
    [ste parker], Oct 12, 2004
    #7
  8. Andrew

    [ste parker] Guest

    Yes, but surely you can cover outbound protection on the ICS PC with the
    firewall, right? I know that, for example, the firewall on my Netgear
    DG834G has all outgoing traffic allowed by default (and all incoming
    blocked), but is it not good enough in a case like this to be able to
    close any potentially dangerous outgoing ports in one place?

    If the answer to the above is "no", then what's the point of bothering
    with (in my case) a hardware firewall at the point of entry/exit to the
    WAN anyway, if I should really have another firewall behind the first?

    Excuse any ridiculous assumptions, I'm not exactly 100% up to speed on
    all this it would seem!
     
    [ste parker], Oct 12, 2004
    #8
  9. Andrew

    Alex Fraser Guest

    Yes, but only packet filtering - based on addresses and ports.
    Port 80 is a "potentially dangerous" destination port. Are you going to
    block that?
    Well, there's no benefit in having two firewalls that do the same thing. But
    perhaps one of them could be inoperative for some reason.

    Alex
     
    Alex Fraser, Oct 12, 2004
    #9
  10. Andrew

    Conor Guest

    To protect you from the trojans that spread through LANs. To notify you
    if any spyware you've accidentally loaded is trying to phone home.
     
    Conor, Oct 12, 2004
    #10
  11. Andrew

    Conor Guest

    Once upon a time there was this worm called Sasser that spread across
    LANs. There was this company called Geopost who thought, like you,
    that you only needed a firewall on the WAN side. The IT staff spent
    weeks removing Sasser from all the machines on the LAN.
     
    Conor, Oct 12, 2004
    #11
  12. Andrew

    Rob Morley Guest

    There's no such thing as a potentially dangerous outbound port - these
    ports are allocated on your machine as required to whatever application
    requests them. Servers operate on "well-known" ports, but if you're
    behind NAT these won't be visible outside your LAN anyway.
    The firewall on your gateway router keeps bad stuff off your LAN. The
    firewall on your desktop machine stops bad stuff from escaping from that
    machine to go anywhere else. If your desktop machine is locked down
    (i.e. you don't use Internet Explorer or Outlook Express, you frequently
    update your AV, run Windows Update and spyware detectors, among other
    things) and you never do anything dodgy on it (like running programs
    that you've downloaded from an unknown source) then you probably don't
    need to worry too much about a desktop firewall.
     
    Rob Morley, Oct 12, 2004
    #12
  13. Andrew

    [ste parker] Guest

    Hell why not. Ultra safe mode for the paranoid :)

    But seriously, I do see what you mean.
     
    [ste parker], Oct 12, 2004
    #13
  14. Andrew

    [ste parker] Guest

    That's more where I was coming from. I was worried I was doing the wrong
    thing by not having the extra firewalls, but I think I'll suffice by
    keeping my practices good instead :)
     
    [ste parker], Oct 12, 2004
    #14
  15. Andrew

    Andrew Guest

    OK thanks...
    so I see I need a firewall on the ICS clients...
    given they're fairly old (Pentium II 350 etc), and used by teenagers,
    is ZAlarm (free) the right one... when I use it on the server... it pops up
    a question asking to allow access... I wouldn't trust my children to make
    the right decision... can granting access be restricted by password?
    Presume up-to-date AVG is an OK replacement for an old NAV?
    thanks again
    Andrew
     
    Andrew, Oct 12, 2004
    #15
  16. Andrew

    brushes Guest

    As the wise Arab said "trust in God, but tie up your camel first". As has
    been pointed out, you do need a separate firewall on each machine. I too have
    a NAT router; on each machine (7) I also have the ICF enabled, each machine
    also has ZA (free), AVG or Avast, Spybot, Ad-Aware, SpywareBlaster, Firefox &
    Thunderbird. My file & printer sharing is unbound from TCP/IP and many
    Windows services are disabled. Conflicts - none, peace of mind - lots.

    Missing out such a simple step as installing ZA will not seem like a
    cost/time benefit if you either have to a) wipe your drive or b) spend hours
    trying to remove something nasty! I am reminded on a daily basis of this as
    I go out each and every day removing crud from other people's systems and
    getting their machines back in working order afterwards.

    It is far, far easier to prevent than repair

    B
     
    brushes, Oct 12, 2004
    #16
  17. Andrew

    [ste parker] Guest

    I'm not a company, otherwise I'd put a bit more effort and security in.
    As it is, I'll stick with common sense. What did you (I don't mean
    you personally of course!) have to do to get infected with Sasser?
     
    [ste parker], Oct 12, 2004
    #17
  18. Andrew

    Dave Stanton Guest

    You just connect an open PC to the net and wait 30 secs. Oh yes, you must
    be running Windows XP.

    Dave
     
    Dave Stanton, Oct 13, 2004
    #18
  19. Andrew

    [ste parker] Guest

    But a single firewall on an ADSL router stopping all inbound traffic
    would stop something like that, correct? I was wondering how and why it
    would get on a machine, to try to weigh up how a decent outbound-controlling
    firewall would benefit.
     
    [ste parker], Oct 13, 2004
    #19
  20. Andrew

    Rob Morley Guest

    In the most basic case, a NAT router should reject or drop any inbound
    traffic that isn't related to an existing outbound connection.
     
    Rob Morley, Oct 13, 2004
    #20