Solved

Stateful Firewall- Windows XP Firewall vs. Cisco VPN client Stateful Firewall

Posted on 2006-06-14
2
468 Views
Last Modified: 2013-12-04
Is the Windows Firewall a sufficient replacement for the Cisco VPN v4.6x Stateful Firewall (Always On) feature?  
For our WinXP clients, in the past, we enabled the Cisco VPN Stateful Firewall whenever the client came up not connected to our internal network (a utility we created checked to see if it was on the inside at Windows Startup).

With WinXP SP2 and its firewall, is there any reason to maintain this Cisco VPN client’s Stateful Firewall enabled? Note that the Cisco SF enabled packet filtering whether or not the client is connected through VPN – so if they were at home, but not VPN’d into our network it still did its thing.

I read that the Windows XP firewall also does Stateful Packet filtering.  Is this true?  Can we safely turn off our Cisco SF?  

Thanks,
<> Bailey
0
Comment
Question by:baileyk9
2 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 200 total points
ID: 16906016
Yes, you can turn off the cisco SF, and XP's is stateful. Stateful is a fancy word for "remembering connection status".  http://en.wikipedia.org/wiki/Stateful_firewall
There can be problems if running two or more firewalls at once also, if one has more restrictive or differnt blocks in place, you have to look at both to find out what to change, basically overlap. You also are consuming system resorces and inviting BSOD's from having two programs acting on the same packets, perhaps in conflicting ways.
The XP Pro firewall is a sufficient firewall to keep out connections that are not initiated from the XP machine. There are firewalls like ZoneAlarm that also protect outgoing connections, pausing, allowing or denying programs to access the NIC\
http://en.wikipedia.org/wiki/Zone_Alarm
Windows firewall currently doesn't allow you to use such "egress" filtering of port's, and it's filtering of programs (xp's) is flawed, as you can rename an exe and it by-passes that restriction... ZA makes a hash/checksum of the exe and uses that to check for access, not just a simple file name.
-rich
0
 

Author Comment

by:baileyk9
ID: 16935746
richrumble,
thanks for the input.  I was hoping to confirm my opinion on this, which you did.
But you also provided some additional valuable information, and rapidly as well.
appreciate the effort.

regards,
Bailey

(I was out on vacation, so just getting to closing this out)
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question