Solved

Stateful Firewall- Windows XP Firewall vs. Cisco VPN client Stateful Firewall

Posted on 2006-06-14
2
473 Views
Last Modified: 2013-12-04
Is the Windows Firewall a sufficient replacement for the Cisco VPN v4.6x Stateful Firewall (Always On) feature?  
For our WinXP clients, in the past, we enabled the Cisco VPN Stateful Firewall whenever the client came up not connected to our internal network (a utility we created checked to see if it was on the inside at Windows Startup).

With WinXP SP2 and its firewall, is there any reason to maintain this Cisco VPN client’s Stateful Firewall enabled? Note that the Cisco SF enabled packet filtering whether or not the client is connected through VPN – so if they were at home, but not VPN’d into our network it still did its thing.

I read that the Windows XP firewall also does Stateful Packet filtering.  Is this true?  Can we safely turn off our Cisco SF?  

Thanks,
<> Bailey
0
Comment
Question by:baileyk9
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 200 total points
ID: 16906016
Yes, you can turn off the cisco SF, and XP's is stateful. Stateful is a fancy word for "remembering connection status".  http://en.wikipedia.org/wiki/Stateful_firewall
There can be problems if running two or more firewalls at once also, if one has more restrictive or differnt blocks in place, you have to look at both to find out what to change, basically overlap. You also are consuming system resorces and inviting BSOD's from having two programs acting on the same packets, perhaps in conflicting ways.
The XP Pro firewall is a sufficient firewall to keep out connections that are not initiated from the XP machine. There are firewalls like ZoneAlarm that also protect outgoing connections, pausing, allowing or denying programs to access the NIC\
http://en.wikipedia.org/wiki/Zone_Alarm
Windows firewall currently doesn't allow you to use such "egress" filtering of port's, and it's filtering of programs (xp's) is flawed, as you can rename an exe and it by-passes that restriction... ZA makes a hash/checksum of the exe and uses that to check for access, not just a simple file name.
-rich
0
 

Author Comment

by:baileyk9
ID: 16935746
richrumble,
thanks for the input.  I was hoping to confirm my opinion on this, which you did.
But you also provided some additional valuable information, and rapidly as well.
appreciate the effort.

regards,
Bailey

(I was out on vacation, so just getting to closing this out)
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question