RE: Cisco VPN Client "Stateful Firewall (Always On)"

["Sloane, David" <DSloane () vfa com>]

While the "Stateful Firewall" feature is better than nothing, you probably
have some applications that need to reach out and touch each workstation.

Anti-Virus updates, software distribution and software inventory come to
mind as functions which often use inbound connections to a laptop (or other
work station) from a central system.

While you can do a lot with login scripts, stopping and starting services to
open access sounds a little dangerous.  You would need to confirm that the
registry/ini/service change was successfully undone for each client machine.
If turning off the firewall succeeds but turning on the firewall fails,
you're left with an unprotected system.  Of course, you can probably manage
it remotely at that point, but that's a fairly manual process.

Being in a similar situation (minus the Cisco VPN Client), I've been
evaluating Zone Labs and Symantec* managed personal firewalls.  I'd
recommend either one, with a slight edge to Zone Labs, over "inbound=off,
outbound=on" functionality.  I believe Zone Labs Integrity provides some
integration with Cisco VPN client software.


Good luck.


-David


-----Original Message-----
From: Crissup, John (MBNP is) [mailto:John.Crissup () us millwardbrown com] 
Sent: Monday, June 30, 2003 3:44 PM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"


  Need some opinions on a firewall solution for our notebook computers.  We
are looking to set our notebooks up with a wireless card to utilize hotspots
in Starbucks, etc.   I have insisted that a firewall be included in this
configuration.  We now have a spirited discussion running concerning whether
or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client
is sufficient for this purpose.  Note that this is different from using the
firewall features that are only active while the IPSEC tunnel is up.

  Basically, as I understand it, this feature allows all outbound
connections while active, and all inbound connections originally established
from the inside.  However, it would block all inbound connections
established from the outside.  This would be similar to a PIX with no access
lists configured.  This feature is not configurable according to Cisco's web
site.

  My concern is that, because this is not configurable, there will be times
that the user will need to switch it off.  Our desktop group believes this
is a workable solution if they simply script something to push a registry or
INI file entry to force it back on.  I'm concerned that we're missing
something here and are opening ourselves up to a potential problem.
Unfortunately, I'm afraid this decision may get made before this email has
time to gather replies, but any help, info, arguments you all can provide
would be greatly appreciated.

  Thanks much!!

--
John


_____________________________________________________
This email is confidential and intended solely for the use of the individual
or organization to whom it is addressed. Any opinions or advice presented
are solely those of the author and do not necessarily represent those of the
Millward Brown Group of Companies.  DO NOT copy, modify, distribute or take
any action in reliance on this email if you are not the intended recipient.
If you have received this email in error please notify the sender and delete
this email from your system. Although this email has been checked for
viruses and other defects, no responsibility can be accepted for any loss or
damage arising from its receipt or use.
______________________________________________________

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards