Firewall Wizards mailing list archives
RE: Cisco VPN Client "Stateful Firewall (Always On)"
From: "Sloane, David" <DSloane () vfa com>
Date: Wed, 2 Jul 2003 11:10:11 -0400
While the "Stateful Firewall" feature is better than nothing, you probably have some applications that need to reach out and touch each workstation. Anti-Virus updates, software distribution and software inventory come to mind as functions which often use inbound connections to a laptop (or other workstation) from a central system.

While you can do a lot with login scripts, stopping and starting services to open access sounds a little dangerous. You would need to confirm that the registry/INI/service change was successfully undone for each client machine. If turning off the firewall succeeds but turning on the firewall fails, you're left with an unprotected system. Of course, you can probably manage it remotely at that point, but that's a fairly manual process.

Being in a similar situation (minus the Cisco VPN Client), I've been evaluating Zone Labs and Symantec* managed personal firewalls. I'd recommend either one, with a slight edge to Zone Labs, over "inbound=off, outbound=on" functionality. I believe Zone Labs Integrity provides some integration with Cisco VPN client software.

Good luck.

-David

-----Original Message-----
From: Crissup, John (MBNP is) [mailto:John.Crissup () us millwardbrown com]
Sent: Monday, June 30, 2003 3:44 PM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

Need some opinions on a firewall solution for our notebook computers. We are looking to set our notebooks up with a wireless card to utilize hotspots in Starbucks, etc. I have insisted that a firewall be included in this configuration. We now have a spirited discussion running concerning whether or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client is sufficient for this purpose. Note that this is different from using the firewall features that are only active while the IPSEC tunnel is up.

Basically, as I understand it, this feature allows all outbound connections while active, and all inbound connections originally established from the inside. However, it would block all inbound connections established from the outside. This would be similar to a PIX with no access lists configured. This feature is not configurable according to Cisco's web site.

My concern is that, because this is not configurable, there will be times that the user will need to switch it off. Our desktop group believes this is a workable solution if they simply script something to push a registry or INI file entry to force it back on. I'm concerned that we're missing something here and are opening ourselves up to a potential problem.

Unfortunately, I'm afraid this decision may get made before this email has time to gather replies, but any help, info, arguments you all can provide would be greatly appreciated.

Thanks much!!

-- John
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
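The policy both posts describe ("all outbound allowed, inbound allowed only if the host started the flow, everything else blocked") is ordinary stateful filtering with an empty rule set. The following added example is a toy model of that behaviour, written for this archive page; it is not Cisco's code and makes no claim about how the VPN client implements its firewall. All addresses, ports and the 30-second idle timeout are constructed for the demonstration. It shows the two consequences the thread raises: replies to laptop-initiated traffic get through, while a management server's unsolicited inbound connection (the anti-virus push or inventory scan David mentions) is dropped exactly like a hotspot neighbour's probe.

```python
"""Toy stateful host firewall with no configurable rules.

Added example for the fw-wiz thread above; not Cisco's implementation.
Outbound packets are always allowed and create flow state; inbound
packets are allowed only if they match live state, and an inbound TCP
SYN (a new connection from outside) is never allowed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Flow key: (proto, local_ip, local_port, remote_ip, remote_port)
Key = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


class StatefulHostFirewall:
    def __init__(self, host_ip: str, idle_timeout: float = 60.0):
        self.host_ip = host_ip
        self.idle_timeout = idle_timeout
        self.now = 0.0                      # simulated clock in seconds
        self.flows: Dict[Key, float] = {}   # flow -> last time it was seen

    def tick(self, seconds: float) -> None:
        """Advance the simulated clock (lets the demo show state expiry)."""
        self.now += seconds

    def _live(self, key: Key) -> bool:
        """True if the flow exists and has not idled out; expires stale entries."""
        last = self.flows.get(key)
        if last is None:
            return False
        if self.now - last > self.idle_timeout:
            del self.flows[key]
            return False
        return True

    def filter(self, p: Packet) -> str:
        """Return "allow" or "drop" for one packet seen at the host."""
        if p.src == self.host_ip:
            # Outbound: always permitted; opens or refreshes flow state.
            # (Simplification: any outbound packet creates state, not only a SYN.)
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = self.now
            return "allow"
        if p.dst == self.host_ip:
            if p.proto == "tcp" and p.syn and not p.ack:
                return "drop"   # a connection attempt from outside: never allowed
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
            if self._live(key):
                self.flows[key] = self.now   # reply to a flow the host started
                return "allow"
            return "drop"       # unsolicited inbound traffic
        return "drop"           # not addressed to this host


def run_scenarios() -> Dict[str, str]:
    """Constructed traffic illustrating the thread's points; returns verdicts."""
    laptop, update_srv, mgmt_srv, dns, neighbour = (
        "10.0.0.5", "192.0.2.10", "192.0.2.20", "10.0.0.1", "10.0.0.7")
    fw = StatefulHostFirewall(laptop, idle_timeout=30)
    r: Dict[str, str] = {}
    # Laptop pulls an update itself: the outbound SYN and the server's SYN-ACK pass.
    r["laptop pulls update (SYN out)"] = fw.filter(
        Packet("tcp", laptop, 40000, update_srv, 80, syn=True))
    r["update server SYN-ACK back"] = fw.filter(
        Packet("tcp", update_srv, 80, laptop, 40000, syn=True, ack=True))
    # Central system tries to push to the laptop: blocked, same as any outsider.
    r["mgmt server pushes inventory (SYN in)"] = fw.filter(
        Packet("tcp", mgmt_srv, 1234, laptop, 135, syn=True))
    # UDP has no handshake; the reply is matched purely on the flow table.
    r["laptop DNS query"] = fw.filter(Packet("udp", laptop, 1027, dns, 53))
    r["DNS reply"] = fw.filter(Packet("udp", dns, 53, laptop, 1027))
    r["hotspot neighbour probes laptop (UDP)"] = fw.filter(
        Packet("udp", neighbour, 53, laptop, 1027))
    # After the idle timeout the DNS flow is gone, so a late "reply" is dropped.
    fw.tick(31)
    r["late DNS reply after idle timeout"] = fw.filter(
        Packet("udp", dns, 53, laptop, 1027))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:5s}  {name}")
```

The model makes David's operational point concrete: under this policy, anything a central system needs from the laptop has to be redesigned as a pull the laptop initiates, because no inbound connection from outside will ever be admitted, and there is no rule set to punch a hole in.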
Current thread:
- Cisco VPN Client "Stateful Firewall (Always On)" Crissup, John (MBNP is) (Jul 01)
- Re: Cisco VPN Client "Stateful Firewall (Always On)" Dave Rinker (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" Peter Robinson (Jul 03)
- Re: Cisco VPN Client "Stateful Firewall (Always On)" Milon Papezik (Jul 06)
- <Possible follow-ups>
- RE: Cisco VPN Client "Stateful Firewall (Always On)" Melson, Paul (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" Sloane, David (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" George Peek (Jul 03)
- Re: Cisco VPN Client "Stateful Firewall (Always On)" Marcus J. Ranum (Jul 03)
- RE: Cisco VPN Client "Stateful Firewall (Always On)" marco misitano (Jul 07)