value of firewall etc on non ics gateway pc

 
 
Andrew
Guest
Posts: n/a

 
      10-12-2004, 12:34 PM
Hi
my home LAN setup is a XP box running as a server...
with ICS running NAV and zonealarm... etc and that's OK

now the other PCs on the LAN are fairly old (Pentium II 350 etc)
running win98... I also had copies of NIS 2001 running on them
(providing antivirus, firewall and parental control)
which is now at the end of its subscription...
I was also concerned with how much resource NIS was using...

Now I was thinking about replacing NIS with AVG and leaving out
a firewall on the win98 PC (as they only access internet via the ICS gateway
....)
and not sure what to do for parental control ...

What do people think about not having firewall on the non ICS PCs ...
does everyone think the freeware AVG a decent virus scanner?
and anyone recommend a standalone, non resource-heavy "parental control" (or
not worth bothering about ... just lay down the law to my teenage
children?)?

thanks
Andrew


 
mike
Guest
Posts: n/a

 
      10-12-2004, 02:14 PM
not sure on the parental control stuff.

but you must have firewall/anti-virus on every machine...even with a router
firewall.

on all my 5 machines i run avg & zafree.
the ics machine only provides the link...not protection

i have never found any of the 'phone-home' virus stuff successfully get past
those two & i have had the virus get in to them thanks to my kids & gaming
sites!


mike

"Andrew" <(E-Mail Removed)> wrote in message
news:ckgj19$k11$(E-Mail Removed)...
> Hi
> my home LAN setup is a XP box running as a server...
> with ICS running NAV and zonealarm... etc and that's OK
>
> now the other PCs on the LAN are fairly old (Pentium II 350 etc)
> running win98... I also had copies of NIS 2001 running on them
> (providing antivirus, firewall and parental control)
> which is now at the end of its subscription...
> I was also concerned with how much resource NIS was using...
>
> Now I was thinking about replacing NIS with AVG and leaving out
> a firewall on the win98 PC (as they only access internet via the ICS
> gateway ...)
> and not sure what to do for parental control ...
>
> What do people think about not having firewall on the non ICS PCs ...
> does everyone think the freeware AVG a decent virus scanner?
> and anyone recommend a standalone, non resource-heavy "parental control"
> (or not worth bothering about ... just lay down the law to my teenage
> children?)?
>
> thanks
> Andrew
>
>



[ste parker]
Guest
Posts: n/a

 
      10-12-2004, 03:20 PM
mike wrote:
> not sure on the parental control stuff.
>
> but you must have firewall/anti-virus on every machine...even with a router
> firewall.
>
> on all my 5 machines i run avg & zafree.
> the ics machine only provides the link...not protection
>
> i have never found any of the 'phone-home' virus stuff successfully get past
> those two & i have had the virus get in to them thanks to my kids & gaming
> sites!
>


Why must you have a firewall on every machine? As I understand it, you
only need one on the machine doing the ICS, otherwise running firewalls
on the other PC's can stop normal network traffic unless you set them up
to let all that through. As soon as I got my adsl firewall router the
first thing I did was switch off the firewall on the PC that previously
connected direct to the 'net (was only XP SP1 firewall, nothing fancy
but enough).

Antivirus software is obviously good to have running on all machines however.

--
[ste]
My Rpoints referral:
http://www.rpoints.com/?ruid=44649
 
[ste parker]
Guest
Posts: n/a

 
      10-12-2004, 03:22 PM
Andrew wrote:
<snip>
>
> What do people think about not having firewall on the non ICS PCs ...
> does everyone think the freeware AVG a decent virus scanner?
> and anyone recommend a standalone, non resource-heavy "parental control" (or
> not worth bothering about ... just lay down the law to my teenage
> children?)?
>


I don't see the point of having a firewall running on each individual
machine as long as you have one decent one at the point of entry/exit to
the outside world. I rely on the firewall on my router, with AVG Free
Edition on the machines connecting.


--
[ste]
 
Rob Morley
Guest
Posts: n/a

 
      10-12-2004, 04:08 PM
In article <(E-Mail Removed)>, "[ste parker]"
(E-Mail Removed) says...
> Andrew wrote:
> <snip>
> >
> > What do people think about not having firewall on the non ICS PCs ...
> > does everyone think the freeware AVG a decent virus scanner?
> > and anyone recommend a standalone, non resource-heavy "parental control" (or
> > not worth bothering about ... just lay down the law to my teenage
> > children?)?
> >

>
> I don't see the point of having a firewall running on each individual
> machine as long as you have one decent one at the point of entry/exit to
> the outside world. I rely on the firewall on my router, with AVG Free
> Edition on the machines connecting.
>

You need the outbound protection to stop malware that hasn't been caught
by your AV from connecting out. It controls connections on an
application level, which the main firewall cannot do.
 
 
Clansman
Guest
Posts: n/a

 
      10-12-2004, 04:36 PM
On Tue, 12 Oct 2004 11:22:18 -0400, "[ste parker]" <(E-Mail Removed)>
wrote:

>Andrew wrote:
><snip>
>>
>> What do people think about not having firewall on the non ICS PCs ...
>> does everyone think the freeware AVG a decent virus scanner?
>> and anyone recommend a standalone, non resource-heavy "parental control" (or
>> not worth bothering about ... just lay down the law to my teenage
>> children?)?
>>

>
>I don't see the point of having a firewall running on each individual
>machine as long as you have one decent one at the point of entry/exit to
>the outside world. I rely on the firewall on my router, with AVG Free
>Edition on the machines connecting.


The firewall on the host pc (server) has been told to allow `ALL' traffic to &
from the local net. So if you don't have a firewall on the client and someone
downloads a `zip'/rar etc, on a client, that has a virus/trojan inside and it
gets `executed' then the host firewall will allow it to pass through and go
about its business.

Clansman
 
 
[ste parker]
Guest
Posts: n/a

 
      10-12-2004, 05:16 PM
Clansman wrote:
> On Tue, 12 Oct 2004 11:22:18 -0400, "[ste parker]" <(E-Mail Removed)>
> wrote:
>
>
>>Andrew wrote:
>><snip>
>>
>>>What do people think about not having firewall on the non ICS PCs ...
>>>does everyone think the freeware AVG a decent virus scanner?
>>>and anyone recommend a standalone, non resource-heavy "parental control" (or
>>>not worth bothering about ... just lay down the law to my teenage
>>>children?)?
>>>

>>
>>I don't see the point of having a firewall running on each individual
>>machine as long as you have one decent one at the point of entry/exit to
>>the outside world. I rely on the firewall on my router, with AVG Free
>>Edition on the machines connecting.

>
>
> The firewall on the host pc (server) has been told to allow `ALL' traffic to &
> from the local net. So if you don't have a firewall on the client and someone
> downloads a `zip'/rar etc, on a client, that has a virus/trojan inside and it
> gets `executed' then the host firewall will allow it to pass through and go
> about its business.
>


Am I missing something here? Why not just configure the firewall on the
server (in this case the machine with ICS enabled, right?) to lockdown
the most likely to be abused outgoing ports? Add up to date virus
protection on the "clients" too, surely this covers things?


--
[ste]
 
[ste parker]
Guest
Posts: n/a

 
      10-12-2004, 05:23 PM
Rob Morley wrote:
>>
>>I don't see the point of having a firewall running on each individual
>>machine as long as you have one decent one at the point of entry/exit to
>>the outside world. I rely on the firewall on my router, with AVG Free
>>Edition on the machines connecting.
>>

> You need the outbound protection to stop malware that hasn't been caught
> by your AV from connecting out. It controls connections on an
> application level, which the main firewall cannot do.


Yes, but surely you can cover outbound protection on the ICS PC with the
firewall, right? I know that, for example, the firewall on my Netgear
DG834G has all outgoing traffic allowed by default (and all incoming
blocked), but is it not good enough in a case like this to be able to
close any potentially dangerous outgoing ports in one place?

If the answer to the above is "no", then what's the point of bothering
with (in my case) a hardware firewall at the point of entry/exit to the
WAN anyway, if I should really have another firewall behind the first?

Excuse any ridiculous assumptions, I'm not exactly 100% up to speed on
all this it would seem!

--
[ste]
 
Alex Fraser
Guest
Posts: n/a

 
      10-12-2004, 05:49 PM
"[ste parker]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Rob Morley wrote:

[snip]
> > You need the outbound protection to stop malware that hasn't been
> > caught by your AV from connecting out. It controls connections on an
> > application level, which the main firewall cannot do.

>
> Yes, but surely you can cover outbound protection on the ICS PC with the
> firewall, right?


Yes, but only packet filtering - based on addresses and ports.

> is it not good enough in a case like this to be able to close any
> potentially dangerous outgoing ports in one place?


Port 80 is a "potentially dangerous" destination port. Are you going to
block that?

> If the answer to the above is "no", then what's the point of bothering
> with (in my case) a hardware firewall at the point of entry/exit to the
> WAN anyway, if I should really have another firewall behind the first?


Well, there's no benefit in having two firewalls that do the same thing. But
perhaps one of them could be inoperative for some reason.

Alex


 
 
Conor
Guest
Posts: n/a

 
      10-12-2004, 06:13 PM
In article <(E-Mail Removed)>, [ste parker] says...

> Why must you have a firewall on every machine?


To protect you from the trojans that spread through LANs. To notify you
if any spyware you've accidentally loaded is trying to phone home.


--
Conor

Opinions personal, facts suspect.
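
The disagreement in this thread (port filtering at the gateway versus application-level control on each PC) can be modelled on a handful of flows. This is an added example, not part of any post; the LAN range, blocked-port list, allow-list and the program name `updater32.exe` are all constructed assumptions.

```python
# Added illustration; flow records and rule sets are constructed, not from the thread.
from dataclasses import dataclass

LAN_PREFIX = "192.168.0."                          # assumed ICS LAN range
GATEWAY_BLOCKED_PORTS = {25, 135, 139, 445, 6667}  # assumed outbound port blocks
HOST_ALLOWED_APPS = {"iexplore.exe", "msimn.exe"}  # assumed per-PC allow-list


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str  # known only to a firewall running on the source PC


def gateway_verdict(flow):
    """Packet filter on the ICS box or router: addresses and ports only."""
    if flow.dst.startswith(LAN_PREFIX):
        return "unseen"  # LAN-to-LAN traffic never crosses the gateway
    return "block" if flow.dport in GATEWAY_BLOCKED_PORTS else "allow"


def host_verdict(flow):
    """Application-level outbound control on the client PC."""
    return "allow" if flow.app in HOST_ALLOWED_APPS else "prompt"


def gateway_gaps(flows):
    """Flows the gateway does not stop but a host firewall would flag."""
    return [f for f in flows
            if gateway_verdict(f) != "block" and host_verdict(f) == "prompt"]


# Constructed sample: one browser flow and three from an unrecognised program.
FLOWS = [
    Flow("192.168.0.11", "203.0.113.10", 80, "iexplore.exe"),
    Flow("192.168.0.11", "203.0.113.77", 80, "updater32.exe"),
    Flow("192.168.0.11", "203.0.113.77", 6667, "updater32.exe"),
    Flow("192.168.0.11", "192.168.0.12", 139, "updater32.exe"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{f.app:14} -> {f.dst}:{f.dport:<5} "
              f"gateway={gateway_verdict(f):6} host={host_verdict(f)}")
    print("gaps:", [(f.dst, f.dport) for f in gateway_gaps(FLOWS)])
```

The two gaps are the unrecognised program talking over port 80, which a port filter cannot tell apart from the browser, and the LAN-to-LAN connection, which the gateway never sees.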
 