RE: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"
From: George Peek (GKPeek_at_AllstateTicketing.com)
To: "'Crissup, John (MBNP is)'" <John.Crissup@us.millwardbrown.com>, "'firstname.lastname@example.org'" <email@example.com>
Date: Wed, 2 Jul 2003 08:30:57 -0700

You can try to further restrict the connection by enabling TCP/IP filtering
under network config in Windows 2000/NT. Allowing the user to disable the
stateful firewall (which he easily can by right-clicking on the icon) is
going to be dangerous, as the user may forget to re-enable it, leaving you
wide open to a possible attack.

From: Crissup, John (MBNP is) [mailto:John.Crissup@us.millwardbrown.com]
Sent: Monday, June 30, 2003 12:44 PM
Subject: [fw-wiz] Cisco VPN Client "Stateful Firewall (Always On)"

Need some opinions on a firewall solution for our notebook computers. We
are looking to set our notebooks up with a wireless card to utilize hotspots
in Starbucks, etc. I have insisted that a firewall be included in this
configuration. We now have a spirited discussion running concerning whether
or not the "Stateful Firewall (Always On)" feature of the Cisco VPN client
is sufficient for this purpose. Note that this is different from using the
firewall features that are only active while the IPSEC tunnel is up.

Basically, as I understand it, this feature allows all outbound
connections while active, and all inbound connections originally established
from the inside. However, it would block all inbound connections
established from the outside. This would be similar to a PIX with no access
lists configured. This feature is not configurable according to Cisco's web

My concern is that, because this is not configurable, there will be times
that the user will need to switch it off. Our desktop group believes this
is a workable solution if they simply script something to push a registry or
INI file entry to force it back on. I'm concerned that we're missing
something here and are opening ourselves up to a potential problem.

Unfortunately, I'm afraid this decision may get made before this email has
time to gather replies, but any help, info, arguments you all can provide
would be greatly appreciated.

-- John

_____________________________________________________
This email is confidential and intended solely for the use of the individual or organization to whom it is addressed. Any opinions or advice presented are solely those of the author and do not necessarily represent those of the Millward Brown Group of Companies. DO NOT copy, modify, distribute or take any action in reliance on this email if you are not the intended recipient. If you have received this email in error please notify the sender and delete this email from your system. Although this email has been checked for viruses and other defects, no responsibility can be accepted for any loss or damage arising from its receipt or use.
______________________________________________________

_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards