Re: Cisco VPN Client "Stateful Firewall (Always On)"

[Dave Rinker <firewall () dsrtech com>]

John,

I would agree and opt for the "always on". I don't see the necessity of
laptops in the field needing to permit inbound initiated connections.

Most laptop users that I have encountered are "power users" and have
some sort of clue as to what is going on. The Cisco client can start up
by default on boot and if you show your users how to "right click, exit"
that might suffice for your environment. (returning on reboot)

good luck with your policy.

Dave



On Mon, 2003-06-30 at 15:44, Crissup, John (MBNP is) wrote:
>   Need some opinions on a firewall solution for our notebook computers.  We
> are looking to set our notebooks up with a wireless card to utilize hotspots
> in Starbucks, etc.   I have insisted that a firewall be included in this
> configuration.  We now have a spirited discussion running concerning whether
> or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client
> is sufficient for this purpose.  Note that this is different from using the
> firewall features that are only active while the IPSEC tunnel is up.
>
>   Basically, as I understand it, this feature allows all outbound
> connections while active, and all inbound connections originally established
> from the inside.  However, it would block all inbound connections
> established from the outside.  This would be similar to a PIX with no access
> lists configured.  This feature is not configurable according to Cisco's web
> site.
>
>   My concern is that, because this is not configurable, there will be times
> that the user will need to switch it off.  Our desktop group believes this
> is a workable solution if they simply script something to push a registry or
> INI file entry to force it back on.  I'm concerned that we're missing
> something here and are opening ourselves up to a potential problem.
> Unfortunately, I'm afraid this decision may get made before this email has
> time to gather replies, but any help, info, arguments you all can provide
> would be greatly appreciated.
>
>   Thanks much!!
>
> --
> John
>
>
> _____________________________________________________
> This email is confidential and intended solely for the use of
> the individual or organization to whom it is addressed. Any
> opinions or advice presented are solely those of the author
> and do not necessarily represent those of the Millward Brown
> Group of Companies.  DO NOT copy, modify, distribute or
> take any action in reliance on this email if you are not the
> intended recipient.  If you have received this email in error
> please notify the sender and delete this email from your system.
> Although this email has been checked for viruses and other
> defects, no responsibility can be accepted for any loss or
> damage arising from its receipt or use.
> ______________________________________________________
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards