Enterprise Level Software (Client-side) Firewall?

dclive

Elite Member
I'm trying to find an enterprise-based software client-side firewall that can be managed to do a few different things:

1. Turned off while on the corporate network, whether at the office physically or attached via VPN

2. Turned on while off the corporate network, blocking all traffic (inspecting packets statefully, permitting all programs out but only statefully requested traffic in)

This would be for 5000 clients or so, give or take, laptops, XPSP1 currently; XPSP2 wouldn't be a problem.

No work must be required of the user. In other words, it's got to 'just work', without any GUI interaction or other work.

Windows Firewall in SP2 won't do it - it cannot sense the presence of the corporate network via VPN. If it could, it would work wonderfully; ours is a fairly basic requirement.

Symantec's Firewall has this, but Locate Awareness appears to be buggy and doesn't work in our testing - it doesn't sense when a laptop has moved to another network.

Is anyone familiar with any alternatives? Any firewall products with location awareness / location sensing?

....must have enterprise productline, enterprise support, enterprise manageability. Must be able to sense location and act appropriately. (For example, base location on the ability to ping a given computer, or the DNS Suffix received from a DHCP server, or....)
 
ISA?


Trend Micro seems to have good stuff but I am sure ISA is fine.

And why can't you set the computer to use the VPN as the default route when the PC is VPN'd so that you can control all traffic.

I am sure you can create a rule for the VPN-based subnet for packet filtering as well.
 
Originally posted by: Goosemaster
Originally posted by: dclive
Can you expand on that a little bit please?

IP Filter. A real mans firewall.

What's the URL?
What's the management component?
Who supports and markets it?

These are enterprise machines, not one-offs.
 
Originally posted by: Goosemaster
ISA?


Trend Micro seems to have good stuff but I am sure ISA is fine.

And why can't you set the computer to use the VPN as the default route when the PC is VPN'd so that you can control all traffic.

I am sure you can create a rule for the VPN-based subnet for packet filtering as well.

ISA is for a 2003 Server. These are XP boxes, _client_ boxes.

The VPN is the default route when the machine is VPN'd in. The question is how to have a FW when it isn't VPN'd in - and how to ensure that FW doesn't interfere with the connection when attached via VPN or physical network.

To do that, I need a client-side firewall.

Any suggestions on one?
 
Originally posted by: ivwshane
I don't know if this will do everything that you want but I don't see why it wouldn't:

clarkconnect
http://www.clarkconnect.com/

I think everyone here is still missing what I'm trying to convey.

This is for LAPTOP CLIENT machines, not servers.

They need a LOCAL FIREWALL application, not a firewall application for the endpoints.

The solutions that I've seen here so far are for endpoints and for servers on those endpoints. ClarkConnect appears to be a small business server. I don't need or want anything having to do with servers.

Again, I need a firewall for LAPTOPS working as CLIENT PCs running WINDOWS XP. It needs to be MANAGEABLE (ie have a server component that controls it remotely) and it needs to be COMMERCIAL (ie with a support agreement and a company that backs it, sufficient for an enterprise environment).

Thanks for reading!
 
BlackIce from ISS (iss.net?)
May be called Defender or something now.
NAI/McAfee also offers something in this space.

Typically, you're not going to bring the fw up/down based on network connection. FW is always up, and you define "trusted" subnets to the FW, so it knows that the corporate network is a permitted network, and has different (no?) restrictions.
 
if you want security then you really do want vpn computers to be firewalled or anyone could have unhindered access to your network
 
Originally posted by: dclive
Originally posted by: Goosemaster
ISA?


Trend Micro seems to have good stuff but I am sure ISA is fine.

And why can't you set the computer to use the VPN as the default route when the PC is VPN'd so that you can control all traffic.

I am sure you can create a rule for the VPN-based subnet for packet filtering as well.

ISA is for a 2003 Server. These are XP boxes, _client_ boxes.

The VPN is the default route when the machine is VPN'd in. The question is how to have a FW when it isn't VPN'd in - and how to ensure that FW doesn't interfere with the connection when attached via VPN or physical network.

To do that, I need a client-side firewall.

Any suggestions on one?



dude..read what I wrote...using whatever software firewall you want block whatever you want and set everything to max, and set the VPN SUBNET AS A TRUSTED NETWORK.

It will be useless for the most part, but when they connect to the VPN, the firewall will recognize the network and will trust it.

simple.


and ISA is a firewall SERVER with clients that run off of it. It will manage all the clients seamlessly. you install the clients on the PC and it will take care of differentiating between VPN subnets and 0.0.0.0 (everything else)

...just like basically any firewall....except that with ISA and Trend Micro, you can manage it all from the office


sounds like you are new at this.
 
Originally posted by: Woodie
BlackIce from ISS (iss.net?)
May be called Defender or something now.
NAI/McAfee also offers something in this space.

Typically, you're not going to bring the fw up/down based on network connection. FW is always up, and you define "trusted" subnets to the FW, so it knows that the corporate network is a permitted network, and has different (no?) restrictions.

Unfortunately, our trusted subnet is on a 10.* network. 10.* is commonly used as a non-routable local subnet for hotels and home networks (10.* and 192.* are both non-routable), so if we trusted 10.*, we'd effectively be trusting home and hotel networks, which is not wise.

 
Originally posted by: Czar
if you want security then you really do want vpn computers to be firewalled or anyone could have unhindered access to your network

Agreed. Once the VPN connects, the client computer is firewalled away from everything else on the client's local network, using the VPN vendor's firewall. However, in addition to that we need firewall software for when it *isn't* attached via VPN (say, at home or at a hotel).

The VPN vendor has a firewall that will do this, but it doesn't fit our needs; it's pricey.

Thanks!
 
Originally posted by: Goosemaster
Originally posted by: dclive
Originally posted by: Goosemaster
ISA?


Trend Micro seems to have good stuff but I am sure ISA is fine.

And why can't you set the computer to use the VPN as the default route when the PC is VPN'd so that you can control all traffic.

I am sure you can create a rule for the VPN-based subnet for packet filtering as well.

ISA is for a 2003 Server. These are XP boxes, _client_ boxes.

The VPN is the default route when the machine is VPN'd in. The question is how to have a FW when it isn't VPN'd in - and how to ensure that FW doesn't interfere with the connection when attached via VPN or physical network.

To do that, I need a client-side firewall.

Any suggestions on one?



dude..read what I wrote...using whatever software firewall you want block whatever you want and set everything to max, and set the VPN SUBNET AS A TRUSTED NETWORK.

It will be useless for the most part, but when they connect to the VPN, the firewall will recognize the network and will trust it.

simple.


and ISA is a firewall SERVER with clients that run off of it. It will manage all the clients seamlessly. you install the clients on the PC and it will take care of differentiating between VPN subnets and 0.0.0.0 (everything else)

...just like basically any firewall....except that with ISA and Trend Micro, you can manage it all from the office


sounds like you are new at this.

🙂

I've pointed out why trusted networks by IP aren't a good solution (see the 10.* post). Trusting the entire 10.* and 205.* range won't work. Thus, we need some sort of location awareness so that it can sense, per connection, whether it is on the corporate network, then act accordingly.

Re:ISA: We already have a VPN solution. Changing would be very difficult. I am simply looking for a client firewall.
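An added illustration of the point made in this post and in the earlier 10.* post, not code from the thread or from any product named in it: a subnet-based "trusted network" rule classifies a hotel 10.x network as corporate, while a per-connection check on the DHCP DNS suffix plus reachability of a known corporate host does not. The corporate suffix, beacon host names and adapter states are constructed for the example.

```python
import ipaddress

# Constructed identifiers for this example; substitute your own corporate values.
CORP_DNS_SUFFIX = "corp.example.com"
CORP_BEACONS = {"beacon1.corp.example.com", "beacon2.corp.example.com"}
CORP_SUBNET = ipaddress.ip_network("10.0.0.0/8")


def subnet_only_trusted(local_ip: str) -> bool:
    """The 'trusted subnet' rule discussed in the thread: trust any adapter on 10.*."""
    return ipaddress.ip_address(local_ip) in CORP_SUBNET


def location_aware_profile(adapter: dict) -> str:
    """Pick a per-connection firewall profile from the two signals the thread names:
    the DNS suffix handed out by DHCP and reachability of a known corporate host.
    Both must agree; a lone reachable beacon could be faked on a hostile LAN."""
    suffix_ok = adapter["dns_suffix"].lower() == CORP_DNS_SUFFIX
    beacon_ok = bool(CORP_BEACONS & adapter["reachable"])
    if suffix_ok and beacon_ok:
        return "corporate"   # inbound relaxed; intrusion prevention stays active
    return "untrusted"       # stateful only: outbound allowed, unsolicited inbound dropped


# Constructed adapter states: office LAN, VPN tunnel, hotel Wi-Fi, home router.
# "reachable" stands in for the result of a ping/TCP probe to the beacon hosts.
ADAPTERS = {
    "office": {"ip": "10.10.5.20", "dns_suffix": "corp.example.com",
               "reachable": {"beacon1.corp.example.com"}},
    "vpn":    {"ip": "10.200.1.5", "dns_suffix": "corp.example.com",
               "reachable": {"beacon2.corp.example.com"}},
    "hotel":  {"ip": "10.1.2.3", "dns_suffix": "guest.hotel.example",
               "reachable": set()},
    "home":   {"ip": "192.168.1.10", "dns_suffix": "",
               "reachable": set()},
}


def compare(adapters: dict) -> dict:
    """Return {name: (subnet_rule_trusts_it, location_aware_profile)} for each adapter."""
    return {name: (subnet_only_trusted(a["ip"]), location_aware_profile(a))
            for name, a in adapters.items()}


if __name__ == "__main__":
    for name, (naive, profile) in compare(ADAPTERS).items():
        print(f"{name:7s} subnet-rule-trusted={naive!s:5s} profile={profile}")
```

The hotel row is the failure the thread describes: the subnet rule trusts it, the location-aware check keeps the strict profile.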
 
Originally posted by: RebateMonger
n.m.

RE: Turn off FW inside the corporate network

Typically a firewall can still be turned on and can still be active, and can trust certain networks so that its protection is lowered, *but* it can still have intrusion prevention features active. In other words, the firewall may be active but not blocking anything, but if it senses that a worm is coming in on a known port with a known signature (or using common worm traits) it can block the worm from doing anything.
 
Originally posted by: dclive
Originally posted by: Goosemaster
Originally posted by: dclive
Originally posted by: Goosemaster
ISA?


Trend Micro seems to have good stuff but I am sure ISA is fine.

And why can't you set the computer to use the VPN as the default route when the PC is VPN'd so that you can control all traffic.

I am sure you can create a rule for the VPN-based subnet for packet filtering as well.

ISA is for a 2003 Server. These are XP boxes, _client_ boxes.

The VPN is the default route when the machine is VPN'd in. The question is how to have a FW when it isn't VPN'd in - and how to ensure that FW doesn't interfere with the connection when attached via VPN or physical network.

To do that, I need a client-side firewall.

Any suggestions on one?



dude..read what I wrote...using whatever software firewall you want block whatever you want and set everything to max, and set the VPN SUBNET AS A TRUSTED NETWORK.

It will be useless for the most part, but when they connect to the VPN, the firewall will recognize the network and will trust it.

simple.


and ISA is a firewall SERVER with clients that run off of it. It will manage all the clients seamlessly. you install the clients on the PC and it will take care of differentiating between VPN subnets and 0.0.0.0 (everything else)

...just like basically any firewall....except that with ISA and Trend Micro, you can manage it all from the office


sounds like you are new at this.

🙂

I've pointed out why trusted networks by IP aren't a good solution (see the 10.* post). Trusting the entire 10.* and 205.* range won't work. Thus, we need some sort of location awareness so that it can sense, per connection, whether it is on the corporate network, then act accordingly.

Re:ISA: We already have a VPN solution. Changing would be very difficult. I am simply looking for a client firewall.

ISA is a firewall... it can do VPN, but I am strictly referencing its firewall features🙂

 
I believe with most firewalls you can also assign or rather restrict rules to an interface. I know Norton Personal Firewall will do this.

Just set it to ultra mega super block mode😉 and set the trusted subnet on the VPN interface assuming that you are using the windows client....if you are using another VPN client, it should still have created a virtual interface that you can impose rules on🙂
 
Originally posted by: Goosemaster
I believe with most firewalls you can also assign or rather restrict rules to an interface. I know Norton Personal Firewall will do this.
I'm not sure how this helps for this particular issue. What issue are you addressing with this?

Just set it to ultra mega super block mode😉 and set the trusted subnet on the VPN interface assuming that you are using the windows client....if you are using another VPN client, it should still have created a virtual interface that you can impose rules on🙂

"The windows client" -- ISA 2004 windows client?

Sorry; I'm a bit confused.

If I had ISA2004, the FW client should allow me to set up rules so that if it senses a connection to the ISA2004 servers (ie senses it's on the corporate network locally or via VPN), the FW comes down or relaxes the rules, and if it does not sense a connection to the ISA2004 servers (say the laptop is on a hotel network), the FW is in place and only a few programs can poke in. That's what I need - does it do that?

In reading http://www.microsoft.com/isaserver/evaluation/overview/default.mspx, it's a bit light on the details....
 
assuming that you are using a basic PPTP VPN using windows networking (DEAR GOD hopefully that is not the case and are using IPsec....)

assuming that a virtual interface is created in windows networking....then you can use a software firewall to allow all traffic on that interface (VPN) and impose a strict ruleset on the internet interface
 
OK, so you put the strict ruleset on the real adapter, and you take it into the office, and nothing in the office works.

Hence the need for location awareness.

I didn't see anything like this in the ISA2004 documentation. Is it there?
 
Originally posted by: dclive
OK, so you put the strict ruleset on the real adapter, and you take it into the office, and nothing in the office works.

Hence the need for location awareness.

I didn't see anything like this in the ISA2004 documentation. Is it there?

I'm sorry, but I am just a junior networking guy.


From my vantage point I am trying to answer questions that you should already have the answers to.


Sorry, but you have reached a limit of my knowledge.


I can route anything anywhere, but I really haven't messed with ISA much...🙂

I would recommend that you ask folks like spidey07 and scottmac for such advice.🙂
 
I don't understand.

You tell me I'm "new" at this, and then you can't answer basic questions on a product you recommended, and you tell me I should have the answers to these questions (about a product I'm admittedly unfamiliar with, and you claim familiarity with)?

How would I have the answers to any of this already? What in the *world* does that mean, when you tell me I should have answers to a product you now tell me you aren't familiar with, yet you recommended?

🙁

Anyway, does anyone have any suggestions concerning firewalls? Real world experience in an enterprise environment? I don't think ISA Server 2004 is what most people would really consider a client-side firewall product in the same class as, say, Symantec Corporate FW.
 