
Firewalls for corporate laptops

oddyager

Out of curiosity, what all do you use to secure your business laptops? For a while we've been using ZoneAlarm, but it's been a complete PITA for the users with the constant popups and notifications (because it keeps detecting a new network). Kerio was probably the best answer since it has everything I could want (functionality at layer 7 and layer 3), but unfortunately it doesn't mesh with the software my company develops here. I've also tried Outpost (startup becomes painfully slow) and LooknStop. Sygate's FW was bought by Symantec I think and discontinued? Basically I just need something simple that allows all traffic going out and limits traffic coming in to only a Trusted Network.

Do you all have any other solutions? Ideas?
 
Windows SP2 Firewall. It's pretty highly configurable via Group Policy. And it doesn't interfere with most necessary business traffic.
 
Another vote for the XP SP2 firewall. I've got several hundred laptop users with it and the settings are all controlled via a GPO.

Easy to manage and the price is right.

-Erik
 
Hmm, the only drawback I can see is that the user can disable it since they have administrative rights on their laptops (it's necessary for them in their line of business). Unless there's a way to restrict Windows Firewall access to only a certain admin account...
 
they have administrative rights on their laptops (it's necessary for them in their line of business)
This is a subject for another thread, but this is almost never true. Administrative access on laptops is really, really dangerous. Especially if those laptops are ever connected to the internal network.

Anyway, admin access would allow a user to disable any kind of firewall. This isn't some flaw inherent to Windows Firewall...

If you give laptop users admin access, enabling a firewall almost seems like a moot point. There are so many things that can go wrong, from a security standpoint, a policy standpoint and a compliance standpoint. Laptop users with admin access can install whatever they want. This could include software that is not licensed by your company. This can get your company in Big Trouble.

Admin access for users == Not Good.
 
I agree, if they have admin access it doesn't matter what firewall they use because they still have the privileges to break it.

I highly recommend engineering your laptop build so that your LOB application will run without administrative privileges. 95+% of the applications that "need to be run as admin" can be run as a standard user if you alter the right security setting(s) and/or give privileges to the proper directories/registry keys.

But to address your concern with admins, see the above posts: the firewall can be controlled via group policy (so you can set it to enabled in a GPO, and they would not be able to easily change it).
 
But to address your concern with admins, see the above posts: the firewall can be controlled via group policy (so you can set it to enabled in a GPO, and they would not be able to easily change it).
They could easily stop the service. This would be enough until the next time computer group policy applies, which could be a while on a lappy.
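An added example, not posted by anyone in this thread: a cmd/netsh batch file that applies the baseline the original poster asked for (everything outbound allowed, inbound limited to a trusted network) on XP SP2, and then checks for the two drift cases raised above, a stopped firewall service and local settings that a GPO will override. TRUSTED_NET is an assumed placeholder range.

```batch
@echo off
rem Added example (not from the thread). XP SP2 firewall baseline:
rem firewall on in both profiles, inbound exceptions scoped to a trusted
rem network, outbound untouched (XP SP2 only filters inbound anyway).
rem TRUSTED_NET is an assumed placeholder; substitute your own range.
set TRUSTED_NET=10.0.0.0/8

rem 1. Firewall on, exceptions allowed, and no "new network" style popups
rem    (the notification balloons are what the ZoneAlarm users hated).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set notifications mode=DISABLE profile=ALL

rem 2. The only inbound holes are file/print and remote admin, and only
rem    from the trusted range. Everything else inbound stays blocked.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%TRUSTED_NET% profile=ALL
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=%TRUSTED_NET% profile=ALL

rem 3. Drift check: a local admin can stop the service (SharedAccess on XP)
rem    and nothing re-enables it until the next computer GPO refresh.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 (
    echo WARNING: Windows Firewall service ^(SharedAccess^) is not running
    exit /b 1
)

rem 4. If the domain GPO sets firewall policy, those values live under
rem    HKLM\SOFTWARE\Policies\... and take precedence over the netsh
rem    settings above, so say so rather than assume the local config won.
reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall >nul 2>&1
if not errorlevel 1 echo Policy key present: GPO settings override local netsh changes.

netsh firewall show opmode
```

Run it from an elevated cmd prompt on the build image, or schedule it so the drift check in step 3 runs between GPO refresh intervals.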
 
Yes, but they could do the same for pretty much any software firewall if they had admin privileges...

Hell, with admin privileges they could break it so the GPO wouldn't apply at all (or even remove it from the domain).
 
Originally posted by: stash
they have administrative rights on their laptops (it's necessary for them in their line of business)
This is a subject for another thread, but this is almost never true. Administrative access on laptops is really, really dangerous. Especially if those laptops are ever connected to the internal network.

Anyway, admin access would allow a user to disable any kind of firewall. This isn't some flaw inherent to Windows Firewall...

If you give laptop users admin access, enabling a firewall almost seems like a moot point. There are so many things that can go wrong, from a security standpoint, a policy standpoint and a compliance standpoint. Laptop users with admin access can install whatever they want. This could include software that is not licensed by your company. This can get your company in Big Trouble.

Admin access for users == Not Good.


Which is why I am looking for a software firewall. Even with admin rights you can configure them to be password protected so a typical employee (with admin rights) cannot uninstall or disable the firewall. 🙂 I'm sure there are ways, but it's already been taken into account that the typical users we have are professionals and are not technically savvy enough to start breaking things we set up, and even if some of them are (which there are), their utter reliance on the laptop to sell our products will also serve as a deterrent for them.
 
Originally posted by: spyordie007
I agree, if they have admin access it doesn't matter what firewall they use because they still have the privileges to break it.

I highly recommend engineering your laptop build so that your LOB application will run without administrative privileges. 95+% of the applications that "need to be run as admin" can be run as a standard user if you alter the right security setting(s) and/or give privileges to the proper directories/registry keys.

But to address your concern with admins, see the above posts: the firewall can be controlled via group policy (so you can set it to enabled in a GPO, and they would not be able to easily change it).

The application doesn't require admin rights to run. However, for them to demonstrate and sell the product to potential clients they need to be able to do whatever on the laptop locally.
 
However, for them to demonstrate and sell the product to potential clients they need to be able to do whatever on the laptop locally.
How about Virtual PC running a non-domain member virtual machine?

It would be better for them because they could do pretty much anything to it (up to and including breaking the OS), but then their host machine could be managed properly.
 
Cisco Security Agent > *

Central management, almost infinitely configurable, does not use signatures, customizable, group management, can block day 0 vulnerabilities, can be set to block all or wide open from the central site.
 
the typical users we have are professionals and are not technically savvy enough to start breaking things
Non-technical users are incredibly gifted at breaking things. 🙂

Spy's idea is a good one. If the virtual PC does not need to be connected to the Internet, it would be even better. But even if it is connected to the Internet, the damage would be minimal. You could just copy the original VHD file back and be set to go.
 
On CSA, I forgot to mention that it can be configured to watch for and report bad behavior. A computer can get unsolicited packets sent to it, and it can then tell all the other clients that so-and-so is bad and they will all start ignoring the bad computer. CSA is not just a firewall, but a behavior monitor.
 
Originally posted by: spyordie007
However, for them to demonstrate and sell the product to potential clients they need to be able to do whatever on the laptop locally.
How about Virtual PC running a non-domain member virtual machine?

It would be better for them because they could do pretty much anything to it (up to and including breaking the OS), but then their host machine could be managed properly.

Does that require a unique license for every installation? We have close to 200 laptops to deploy it on. 🙁

 
But the Windows Firewall can't block outgoing traffic? Do you use ACLs to prevent malicious software from communicating?
 
Does that require a unique license for every installation? We have close to 200 laptops to deploy it on.
You would require a Virtual PC license for every machine.

For a less expensive option you might want to check out the free VMware Player (which I was recently made aware of):
http://www.vmware.com/products/player/

Users cannot create virtual machines, so someone would need the full version of VMware to create the initial virtual machine and distribute it to your sales group, but your cost per laptop would be zero.

Keep in mind that there are also going to be other business drivers here (to help you gain support if you wanted to go the virtualization route). For example, having a consistent & reliable demo/eval platform is a big plus with many sales groups. You could even do things like give the virtual demo machines out to potential customers so they could try it on their own (through the VMware Player or Virtual PC). There are plenty of other pluses here, too many to list...
But the Windows Firewall can't block outgoing traffic? Do you use ACLs to prevent malicious software from communicating?
That's correct, if they want to limit outbound traffic they'd still need a 3rd party software firewall.
 
Not that I think it's that applicable as a "firewall"... but CTA works great for 802.1X auth stuff, sending unclean/questionable machines to the networking "corner".
 
Originally posted by: InlineFive
But the Windows Firewall can't block outgoing traffic? Do you use ACLs to prevent malicious software from communicating?

Vista's firewall does inbound and outbound. You can get an idea of what it will be like if you check out OneCare. That uses an inbound and outbound firewall.

It really isn't intended to block malicious software from communicating. Any firewall that tries to sell you on that point is full of it. All a malicious piece of code would need to do is communicate over port 80, and it would get through pretty much every firewall in existence.

What it can be used for is management. In a domain, where you can control firewall settings with policy, you can manage what services your users can access inside your network.
 
Originally posted by: nweaver
Not that I think it's that applicable as a "firewall"... but CTA works great for 802.1X auth stuff, sending unclean/questionable machines to the networking "corner".
CSA can include CTA as the package. Phase 2 for us is setting up the remediation VLANs. We hope to do it in layer 2 eventually, but parts of it are not yet available.
 
They now have all that NAC stuff pushed into their wireless stuff, as of ACS 4 and with the soon to be (or maybe already is?) 1200 series AP firmware. You can use the CTA and VLANs and full functionality for wireless clients.
 
Originally posted by: nweaver
They now have all that NAC stuff pushed into their wireless stuff, as of ACS 4 and with the soon to be (or maybe already is?) 1200 series AP firmware. You can use the CTA and VLANs and full functionality for wireless clients.
We are trying to get wired to work too. Sounds like you are where we are. We have wireless working in the lab now.

 