Hardware AND Software firewalls together?

[Homerboy]

I've inherited this 60+ machine LAN at my new job... We have a nice Cisco PIX firewall in place that I ASSUME is configured correctly (we outsource to a 3rd party for the "real" server/networkign stuff).

However ~30% of the machines here also run cr@ppy Zone Alarm on them as an "added level" of security. Doesnt this seem sort of ludicrous? I guess it techincally cant hurt to have them both in place, but in reality the ZA causes more headaches of the n00bs here calling me every damn time they cant get somewhere, or ZA has a pop-u paskign if XYZ program can access the internet etc.

Am I missing something as to why having these 2 FWs in place is a good thing?

 

[ISAslot]

The software firewall would be for blocking outgoing requests, and is a good thing, provided the users choose the correct answer to the popup indicators.

 

[stephbu]

S/ware firewalls are starting to become absolutely vital in corporate scenarios. Only takes one bad machine behind a firewall to spread infection throughout a corporate LAN.

Like any other security measure - it's a necessary hassle. But more than anything else its a familiarity thing too - getting people used to dealing with it. There was the same resistance for passwords, followed by strong passwords, followed by smartcards etc...

Software usability in this arena will improve, as will peoples understanding of what it does for them (especially after a virus trashes their machine!) Stick with it as long as much as you can.