IPS vs. Firewall

on 08.09.2006 18:00:11 by hiding_elephant

What are the pros and cons for having just my IPS turned on but have
the Firewall feature off on my Symantec Client Security software?

I'm about to deploy this client to a large amount of machines but don't
want to constantly manage the firewall ports for our huge list of
network applications that might be blocked unintentionally. The
firewall would probably be swiss cheese with all the ports and servers
I'm going to have to allow to have my users successfully working on my
network so I figure it wouldn't matter if that part is turned off.

Won't the IPS software portion successfully thwart attacks that are
attempted on the machine regardless of the firewall functionality? Is
that protection good enough?

Thanks for your thoughts in advance.

Re: IPS vs. Firewall

on 08.09.2006 19:02:25 by unknown

Post removed (X-No-Archive: yes)

Re: IPS vs. Firewall

on 08.09.2006 19:55:31 by hiding_elephant

Sebastian Gottschalk wrote:
> hiding_elephant@hotmail.com wrote:
>
> > What are the pros and cons for having just my IPS turned on but have
> > the Firewall feature off on my Symantec Client Security software?
>
> pros: system works better
> cons: you still didn't uninstall it
>
> > I'm about to deploy this client to a large amount of machines
>
> Bad idea.
>
> > Won't the IPS software portion successfully thwart attacks that are
> > attempted on the machine regardless of the firewall functionality?
>
> No, it will support them instead.
>
> > Is that protection good enough?
>
> Which protection?


I'm guessing you're not a fan of Symantec Client Security's Firewall
and IPS software.

Re: IPS vs. Firewall

on 08.09.2006 20:00:27 by unknown

Post removed (X-No-Archive: yes)

Re: IPS vs. Firewall

on 08.09.2006 21:06:18 by Casey Klc

In article <%ciMg.335$MD6.282@tornado.ohiordc.rr.com>, void@nowhere.lan says...
> In article <1157731211.884243.179920@b28g2000cwb.googlegroups.com>,
> hiding_elephant@hotmail.com says...
> > What are the pros and cons for having just my IPS turned on but have
> > the Firewall feature off on my Symantec Client Security software?
> >
> > I'm about to deploy this client to a large amount of machines but don't
> > want to constantly manage the firewall ports for our huge list of
> > network applications that might be blocked unintentionally. The
> > firewall would probably be swiss cheese with all the ports and servers
> > I'm going to have to allow to have my users successfully working on my
> > network so I figure it wouldn't matter if that part is turned off.
> >
> > Won't the IPS software portion successfully thwart attacks that are
> > attempted on the machine regardless of the firewall functionality? Is
> > that protection good enough?
> >
> > Thanks for your thoughts in advance.
>
> There are people in this group that will tell you that everything you
> install on any computer, that could protect it, is bad and will only
> lead to your machine being exploited. The same group will tell you that
> you only need Windows XP Firewall for complete protection and that
> nothing works better and has a better chance of protecting you.

Never were truer words spoken!

>
> I would suggest that you contact Symantec Support and ask them the same
> questions you posted here so that you can get a real answer.
>

Good recommendation!

Casey

Re: IPS vs. Firewall

on 08.09.2006 21:55:25 by Thomas Hertel

Leythos wrote:

> In article <1157731211.884243.179920@b28g2000cwb.googlegroups.com>,
> hiding_elephant@hotmail.com says...
> > What are the pros and cons for having just my IPS turned on but have
> > the Firewall feature off on my Symantec Client Security software?
> >
> > I'm about to deploy this client to a large amount of machines but don't
> > want to constantly manage the firewall ports for our huge list of
> > network applications that might be blocked unintentionally. The
> > firewall would probably be swiss cheese with all the ports and servers
> > I'm going to have to allow to have my users successfully working on my
> > network so I figure it wouldn't matter if that part is turned off.
> >
> > Won't the IPS software portion successfully thwart attacks that are
> > attempted on the machine regardless of the firewall functionality? Is
> > that protection good enough?
> >
> > Thanks for your thoughts in advance.
>
> There are people in this group that will tell you that everything you
> install on any computer, that could protect it, is bad and will only
> lead to your machine being exploited.

Well, it is really not one of the best ideas you could have to protect
a machine with software that runs on exactly this machine.

> The same group will tell you that
> you only need Windows XP Firewall for complete protection and that
> nothing works better and has a better chance of protecting you.

Show me one (just one) post that suggests this.

The op wants to protect a bunch of machines. Assuming that these are
all in the same network, why for god's sake would you want to protect
them with any piece of software running on the individual machines?
Apart from licensing cost, this would be an admin's nightmare. Install
(and administer) one packet filter at the edge, and the job is done. At
least if the local machines can trust each other. Otherwise you have a
serious problem anyway.

> I would suggest that you contact Symantec Support and ask them the same
> questions you posted here so that you can get a real answer.

But please post their answer as well.

Regards
Thomas

Re: IPS vs. Firewall

on 08.09.2006 22:25:09 by hiding_elephant

> The op wants to protect a bunch of machines. Assuming that these are
> all in the same network, why for god's sake would you want to protect
> them with any piece of software running on the individual machines?

Because they're not behind our network perimeter firewall and IPS when
users take their laptops home. Sure, they're protected with our network
appliances when tunneling in via VPN but it's another story when
they're out in the field.

> Apart from licensing cost, this would be an admin's nightmare. Install
> (and administer) one packet filter at the edge, and the job is done.

It's already done. The post was intended for mobile users away from the
protected network.

Re: IPS vs. Firewall

on 08.09.2006 22:44:18 by Thomas Hertel

hiding_elephant@hotmail.com wrote:

> > The op wants to protect a bunch of machines. Assuming that these are
> > all in the same network, why for god's sake would you want to protect
> > them with any piece of software running on the individual machines?
>
> Because they're not behind our network perimeter firewall and IPS when
> users take their laptops home. Sure, they're protected with our network
> appliances when tunneling in via VPN but it's another story when
> they're out in the field.

Just do not allow them to access the internet other than using the vpn
and your corporate internet access. And don't give them local admin
privileges, no matter how loud they cry. I agree that this may be hard,
once the user is a c executive.
>
> > Apart from licensing cost, this would be an admin's nightmare. Install
> > (and administer) one packet filter at the edge, and the job is done.
>
> It's already done. The post was intended for mobile users away from the
> protected network.

Force them to use the protected network and prevent any other access to
public networks.

Regards
Thomas

Re: IPS vs. Firewall

on 08.09.2006 23:13:38 by unknown

Post removed (X-No-Archive: yes)

Re: IPS vs. Firewall

on 09.09.2006 13:45:31 by unknown

Post removed (X-No-Archive: yes)

Re: IPS vs. Firewall

on 09.09.2006 20:03:36 by flanny

Hiding_elephant,
If you are concerned about your laptop users and VPN connections you may
want to look at SSL VPN, layer 2-7 protection. There are a few flavours
out there: Nokia secure access systems, Juniper (my fav), FS networks,
Aventail networks, Array networks and AEP networks, just to name a few.
You have to take a serious look at what you are covering, mid size,
enterprise, TCO, and you also want to complement current technologies
that you have in place.

IMHO & HTH,
Greg


hiding_elephant@hotmail.com wrote:
> > The op wants to protect a bunch of machines. Assuming that these are
> > all in the same network, why for god's sake would you want to protect
> > them with any piece of software running on the individual machines?
>
> Because they're not behind our network perimeter firewall and IPS when
> users take their laptops home. Sure, they're protected with our network
> appliances when tunneling in via VPN but it's another story when
> they're out in the field.
>
> > Apart from licensing cost, this would be an admin's nightmare. Install
> > (and administer) one packet filter at the edge, and the job is done.
>
> It's already done. The post was intended for mobile users away from the
> protected network.