
SP2 firewall in network environment

Status
Not open for further replies.

longlivegoku

IS-IT--Management
Feb 13, 2002
193
US
Anyone have suggestions on this? We have a Cisco PIX firewall in place already. Is there any need to enable the SP2 firewall on desktop machines? We have laptops that travel and I can see the need on them as they dial up to get into the network through an outside ISP. Any feeling on this?

Thanks,

Ed

 
I wouldn't enable it as it will cause you too many headaches trying to get all of your network apps enabled again.
 
I would install it on a test segment first and see what apps break. We have it running on a few machines with very few if any problems. The PIX protects you to some extent from the outside, but do you have anything protecting internally?
 
What you're talking about is perimeter security. Ask yourself where does your perimeter stop and how do you secure it? You have the $50K FW configured and reporting perfectly, but what happens if someone downloads a trojan/virus etc. from Internet / floppy / USB / CD / Mobile Phone etc.?

Too many admins just think script kiddie / hacker. Start thinking malicious employee destruction; think idiot wanting to show his/her work mate this really cool app from the net. Remember "Elf Bowling"? And it's usually the Owner / BIG boss that introduces these things.

Anything that can help minimise is a good thing. Ignore the crap about "it broke that or this"; test it, test it again, get ready for some late nights and deploy it. There's not really anything wrong with it apart from being secure and stopping things creating network traffic, i.e. Anti Virus for live updates, Applications needing access to Licence servers.

Do you have virus scanning on your mail server AND desktops? If not why? If so why? Answer that and you'll have your answer on whether or not to deploy.

iain
 
I chose for the time being to disable it. Once test is done this may be changed.

For any that are interested MS has a way to change your group policy to edit the firewall on all systems. Helped a bunch.
 
Create a little subnet with all your different configs, identify what you need, and use Active Directory to modify those settings across the board, like I did (and I have a 2000 domain! I imported the ADMs).
The firewall enabled only SEEMS like overkill; in actuality, it has virtually destroyed the ability of most new viruses and spyware/adware apps to communicate on my network of 8000+ PCs, therefore virtually eliminating the bandwidth issue, the propagation of new viruses, or ones that seem to creep in on PCs with damaged antivirus installations, to name a couple of benefits. Think about it: internal and external.
I did open up 6129 for DameWare (our remote app) and a few more for what we need, but all other doors are CLOSED, thank god. It's a pain to begin with, but it's just another hole you can plug with a little work.

Note to all:
if you import those ADMs on a 2000 domain, you will be faced with some errors after importing and trying to modify policy, but they aren't critical and do not affect functionality. You can either wait on the next 2k service pack, or call Microsoft for a fix.
I didn't bother calling...


I hear and I forget. I see and I remember. I do and I understand.
Confucius
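As an added illustration (not the poster's own script), the setup described above can be approximated locally with the XP SP2 `netsh firewall` context before pushing the same settings through Group Policy: firewall on for the domain profile, a single exception for DameWare on TCP 6129 limited to the local subnet, everything else closed. The log path and size are assumptions for a test machine; domain policy overrides whatever is set here.

```batch
@echo off
rem Added example, not from the thread. Run as a local administrator on a
rem test machine; Group Policy settings take precedence over these values.

rem Enable the firewall for the domain profile with exceptions allowed,
rem so only listed ports/programs are reachable and all other doors stay closed.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem DameWare remote control listens on TCP 6129 (the port named in the thread).
rem scope=SUBNET limits the exception to the local subnet rather than any source.
netsh firewall add portopening protocol=TCP port=6129 name="DameWare" mode=ENABLE scope=SUBNET profile=DOMAIN

rem Log dropped packets so "what broke" can be read from the log instead of guessed.
rem (file location and size are assumed values)
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE

rem Verify the resulting state and the open-port list before rolling out via GPO.
netsh firewall show state
netsh firewall show portopening
```

Once the test segment confirms which ports applications actually need, the same exceptions can be expressed in the imported ADM policy rather than per machine.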
 
I found that same issue. If you connect to your GPO from one of the SP2 machines you don't receive the errors.
 
Yup, you are correct, sir, but as I was knocking around I found the truncated text fix on Microsoft's site; no problems on my three DCs after installing. BTW, Citrix clients may die a horrible death after SP2 is installed, and nothing seems to work around it: not the newest client, not adding to trusted, NOTHING. Anybody that knows a fix can enlighten me.

I hear and I forget. I see and I remember. I do and I understand.
Confucius
 