RE: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

From: George Peek (
Date: 07/02/03

  • Next message: Evers, Scott R.: "[fw-wiz] H.323 - NAT support in Checkpoint NG"
    To: "'Crissup, John (MBNP is)'" <>, "''" <>
    Date: Wed, 2 Jul 2003 08:30:57 -0700

    You can try to further restrict the connection by enabling TCP/IP filtering
    under network config in Windows 2000/NT. Allowing the user to disable the
    stateful firewall (which he easily can by right clicking on the icon) is
    going to be dangerous, as the user may forget to re-enable it, leaving you
    wide open to a possible attack.

    George Peek
    Network Specialist

    -----Original Message-----
    From: Crissup, John (MBNP is) []
    Sent: Monday, June 30, 2003 12:44 PM
    To: ''
    Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

      Need some opinions on a firewall solution for our notebook computers. We
    are looking to set our notebooks up with a wireless card to utilize hotspots
    in Starbucks, etc. I have insisted that a firewall be included in this
    configuration. We now have a spirited discussion running concerning whether
    or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client
    is sufficient for this purpose. Note that this is different from using the
    firewall features that are only active while the IPSEC tunnel is up.

      Basically, as I understand it, this feature allows all outbound
    connections while active, and all inbound connections originally established
    from the inside. However, it would block all inbound connections
    established from the outside. This would be similar to a PIX with no access
    lists configured. This feature is not configurable according to Cisco's web

      My concern is that, because this is not configurable, there will be times
    that the user will need to switch it off. Our desktop group believes this
    is a workable solution if they simply script something to push a registry or
    INI file entry to force it back on. I'm concerned that we're missing
    something here and are opening ourselves up to a potential problem.
    Unfortunately, I'm afraid this decision may get made before this email has
    time to gather replies, but any help, info, arguments you all can provide
    would be greatly appreciated.

      Thanks much!!

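An added illustration, not part of the original thread and not Cisco's code: a small Python model of the behaviour John describes for the "Stateful Firewall (Always On)" feature (outbound permitted, replies to host-initiated connections permitted, everything else arriving from outside dropped), with a switch that reproduces George's point about what happens while a user has the firewall turned off. The class, the trace and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Model of an 'always on' stateful host firewall (constructed example).

Policy modelled: allow anything the host starts, allow replies that match
a connection the host started, drop every other inbound packet. The
`enabled` flag models the user right-clicking the tray icon and switching
the firewall off: with it off, nothing is filtered at all.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# (proto, local_ip, local_port, remote_ip, remote_port) of a host-initiated flow
Flow = Tuple[str, str, int, str, int]


class StatefulHostFirewall:
    """Hypothetical stand-in for the VPN client's always-on stateful filter."""

    def __init__(self, local_ip: str, enabled: bool = True) -> None:
        self.local_ip = local_ip
        self.enabled = enabled
        self.flows: Set[Flow] = set()

    def process(self, pkt: Packet) -> str:
        if not self.enabled:
            # Firewall switched off: the host is wide open until re-enabled.
            return "allow:firewall-disabled"
        if pkt.src == self.local_ip:
            # Outbound: always allowed, and the 5-tuple is remembered so the
            # reply can be matched later.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow:outbound"
        # Inbound: only allowed if it is the reverse of a known flow.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow:established"
        return "drop:unsolicited-inbound"


# Constructed addresses from the documentation ranges.
LOCAL = "192.0.2.10"      # the notebook on a hotspot
WEB = "203.0.113.80"      # a web server the user browses to
OUTSIDE = "198.51.100.7"  # some other host on the same hotspot

# Constructed packet trace.
TRACE = [
    Packet(LOCAL, 40001, WEB, 443),     # notebook opens an HTTPS connection
    Packet(WEB, 443, LOCAL, 40001),     # server's reply: same 5-tuple reversed
    Packet(OUTSIDE, 5555, LOCAL, 135),  # unsolicited connection to RPC endpoint mapper
    Packet(WEB, 443, LOCAL, 40002),     # "reply" to a port the host never used
]


def evaluate(trace: List[Packet], enabled: bool = True) -> List[str]:
    """Run a fresh firewall over the trace and return one verdict per packet."""
    fw = StatefulHostFirewall(LOCAL, enabled)
    return [fw.process(p) for p in trace]


if __name__ == "__main__":
    for label, enabled in (("firewall on", True), ("firewall off", False)):
        print(f"--- {label} ---")
        for pkt, verdict in zip(TRACE, evaluate(TRACE, enabled)):
            print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The third and fourth packets show why this is "similar to a PIX with no access lists": an inbound connection attempt is dropped whether or not the host has a service listening, and a packet that merely claims to be a reply is dropped unless the host actually started that flow. The `enabled=False` run is the case George warns about: every packet passes, and nothing in the model (or in the client, per Cisco's description as John relays it) brings the filter back on its own.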
