RE: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

From: George Peek (
Date: 07/02/03

  • Next message: Evers, Scott R.: "[fw-wiz] H.323 - NAT support in Checkpoint NG"
    To: "'Crissup, John (MBNP is)'" <>, "''" <>
    Date: Wed, 2 Jul 2003 08:30:57 -0700

    You can try to further restrict the connection by enabling TCP/IP filtering
    under network config in Windows 2000/NT. Allowing the user to disable the
    stateful firewall (which he easily can by right clicking on the icon) is
    going to be dangerous, as the user may forget to re-enable it, leaving you
    wide open to a possible attack.

    George Peek
    Network Specialist

    -----Original Message-----
    From: Crissup, John (MBNP is) []
    Sent: Monday, June 30, 2003 12:44 PM
    To: ''
    Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

      Need some opinions on a firewall solution for our notebook computers. We
    are looking to set our notebooks up with a wireless card to utilize hotspots
    in Starbucks, etc. I have insisted that a firewall be included in this
    configuration. We now have a spirited discussion running concerning whether
    or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client
    is sufficient for this purpose. Note that this is different from using the
    firewall features that are only active while the IPSEC tunnel is up.

      Basically, as I understand it, this feature allows all outbound
    connections while active, and all inbound connections originally established
    from the inside. However, it would block all inbound connections
    established from the outside. This would be similar to a PIX with no access
    lists configured. This feature is not configurable according to Cisco's web

      My concern is that, because this is not configurable, there will be times
    that the user will need to switch it off. Our desktop group believes this
    is a workable solution if they simply script something to push a registry or
    INI file entry to force it back on. I'm concerned that we're missing
    something here and are opening ourselves up to a potential problem.
    Unfortunately, I'm afraid this decision may get made before this email has
    time to gather replies, but any help, info, arguments you all can provide
    would be greatly appreciated.

      Thanks much!!

    This email is confidential and intended solely for the use of
    the individual or organization to whom it is addressed. Any
    opinions or advice presented are solely those of the author
    and do not necessarily represent those of the Millward Brown
    Group of Companies.  DO NOT copy, modify, distribute or
    take any action in reliance on this email if you are not the
    intended recipient.  If you have received this email in error
    please notify the sender and delete this email from your system.
    Although this email has been checked for viruses and other
    defects, no responsibility can be accepted for any loss or
    damage arising from its receipt or use.
    firewall-wizards mailing list
    firewall-wizards mailing list

  • Next message: Evers, Scott R.: "[fw-wiz] H.323 - NAT support in Checkpoint NG"