Vista - Kapersky firewall or windows firewall?

>> May I ask the reasoning behind 3 [f/ws running concurrently]?

Mr Arnold:

To prove that it can be done.

The self-serving MS comment that you should not do two f/ws because it is
unnecessary, and those who merely repeat MS comments, do end users a grave
disservice.

F/ws can use different technologies, and some f/ws have shortcomings; both
of these issues can be addressed by running two f/ws concurrently. Is there
a risk? Yes, but what do you do that does not involve a risk? Per my own
experience and per NG posts that I have read over the years, most people
running two f/ws do so w/o problems.

IMO, a significant shortcoming of the Vista f/w is the lack of a user
friendly outbound control. There are several 3rd-party f/ws that in my
experience can be run concurrently with the Vista f/w to address the
outbound control issue, and I am using the ZA beta f/w to do just that.

Note that MS has told people that it is ok to run ISA on the same computer
with Small Business Server 2003.
IMO, most IT security pros would challenge that comment.

On Thu, 7 Jun 2007 18:21:11 -0700, "CZ" <CZ@no99spam.com> wrote:

>>> Many people have run more than one firewall at once without a problem.
>However the *risk* of a problem is always there, and that's why it
>shouldn't be done.
>
>Here's what Microsoft has to say about running two software firewalls
>at once:
>http://www.microsoft.com/athome/secu.../firewall.mspx
>
>"Q. Should I use both the built-in firewall and a software firewall
>from a different company on my Windows XP computer?
>
>"A. No. Running multiple software firewalls is unnecessary for typical
>home computers, home networking, and small-business networking
>scenarios. Using two firewalls on the same connection could cause
>issues with connectivity to the Internet or other unexpected behavior.
>One firewall, whether it is the Windows XP Internet Connection
>Firewall or a different software firewall, can provide substantial
>protection for your computer."
>
>
>Ken:
>
>Do you know of a technical reason for not running two simple packet
>filtering f/ws concurrently?



No, I have no other details to provide.

--
Ken Blake, Microsoft MVP Windows - Shell/User
Please Reply to the Newsgroup

I think there are a couple motivators for the suggestion to not run multiple
packages simultaneously:

1) configuration of one UI can be tricky for a large population of users;
getting two sets of UI in sync could be almost impossible.

2) everything comes with a perf hit. there are certain packages that I will
not name, which on their own can cause a machine to be noticibly slower. If
you get two of them on the same box, you're better off not connecting to
anything at all.

3) not all packages play nice. it would be very frustrating to be paying
monthly subscriptions to both vendor A and B only to eventually realize that
B effectively turned A off.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.


"CZ" <CZ@no99spam.com> wrote in message
news:OTu8NtWqHHA.3284@TK2MSFTNGP03.phx.gbl...
>>> Many people have run more than one firewall at once without a problem.
> However the *risk* of a problem is always there, and that's why it
> shouldn't be done.
>
> Here's what Microsoft has to say about running two software firewalls
> at once:
> http://www.microsoft.com/athome/secu.../firewall.mspx
> "Q. Should I use both the built-in firewall and a software firewall
> from a different company on my Windows XP computer?
>
> "A. No. Running multiple software firewalls is unnecessary for typical
> home computers, home networking, and small-business networking
> scenarios. Using two firewalls on the same connection could cause
> issues with connectivity to the Internet or other unexpected behavior.
> One firewall, whether it is the Windows XP Internet Connection
> Firewall or a different software firewall, can provide substantial
> protection for your computer."
>
>
> Ken:
>
> Do you know of a technical reason for not running two simple packet
> filtering f/ws concurrently?

Hmmm I see. Thanks everyone.

"David Beder [MSFT]" <dbeder@online.microsoft.com> wrote in message
news:OE7w11ZqHHA.192@TK2MSFTNGP02.phx.gbl...
>I think there are a couple motivators for the suggestion to not run
>multiple packages simultaneously:
>
> 1) configuration of one UI can be tricky for a large population of users;
> getting two sets of UI in sync could be almost impossible.
>
> 2) everything comes with a perf hit. there are certain packages that I
> will not name, which on their own can cause a machine to be noticibly
> slower. If you get two of them on the same box, you're better off not
> connecting to anything at all.
>
> 3) not all packages play nice. it would be very frustrating to be paying
> monthly subscriptions to both vendor A and B only to eventually realize
> that B effectively turned A off.
>
> --
> David
> Microsoft Windows Networking
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "CZ" <CZ@no99spam.com> wrote in message
> news:OTu8NtWqHHA.3284@TK2MSFTNGP03.phx.gbl...
>>>> Many people have run more than one firewall at once without a problem.
>> However the *risk* of a problem is always there, and that's why it
>> shouldn't be done.
>>
>> Here's what Microsoft has to say about running two software firewalls
>> at once:
>> http://www.microsoft.com/athome/secu.../firewall.mspx
>> "Q. Should I use both the built-in firewall and a software firewall
>> from a different company on my Windows XP computer?
>>
>> "A. No. Running multiple software firewalls is unnecessary for typical
>> home computers, home networking, and small-business networking
>> scenarios. Using two firewalls on the same connection could cause
>> issues with connectivity to the Internet or other unexpected behavior.
>> One firewall, whether it is the Windows XP Internet Connection
>> Firewall or a different software firewall, can provide substantial
>> protection for your computer."
>>
>>
>> Ken:
>>
>> Do you know of a technical reason for not running two simple packet
>> filtering f/ws concurrently?
>
>

David:

>> I think there are a couple motivators for the suggestion to not run
>> multiple
packages simultaneously:
>> 1) configuration of one UI can be tricky for a large population of users;
getting two sets of UI in sync could be almost impossible.

IMO:
a) The complexity of the Vista f/w is probably only exceeded by that of NIS.
b) Simple packet filtering f/ws pass the packets sequentially, so trouble
shooting can be as simple as disable one while you test the other. This
assumes that the user can read/edit/write f/w rules.

>> 2) everything comes with a perf hit. there are certain packages that I
>> will
not name, which on their own can cause a machine to be noticeably slower. If
you get two of them on the same box, you're better off not connecting to
anything at all.

IMO:
a) the unnamed f/w is probably NIS. I ran the pre-release version of NIS on
Vista and thought that Symantec had improved the product substantially by
removing some extraneous features that were in the previous versions. NIS
is a sophisticated f/w that does a lot, but requires a degree of knowledge
to setup properly, and to maintain. However, there are much simpler f/ws
than either NIS or Vista's that are available (e.g., ZA (still in beta), PC
Tools, and Vista Firewall Control).
The challenge is to find a 3rd party f/w that works well with Vista's f/w,
as I think the Vista f/w is well done overall (is stateful for example)
except for the absence for "useable" outbound control. I Think highly
enough of Vista's f/w that I would not recommend disabling it, but running a
second f/w with it. Per testing, NIS disables Vista's f/w, ZA beta, PCT and
VFC do not. Also, I would not recommend running NIS with Vista's f/w (even
if you could) as NIS is more than a simple packet filtering f/w, and you
would be much more likely to have issues with running the two together.

The issue is that a user should not run two complex f/ws together, running
one complex and one simple f/w together has never been a problem in my
experience of doing so for 10 (??) years. Of course, the next issue is what
is a complex f/w.

As much as I like ZA, I have been reluctant to run it by itself, as it has
been more of an application gate type of f/w ( the weakest type?) rather
than a packet filtering f/w (plus XP's and Vista's f/ws have been stateful).

Re: a performance hit: in general, that is secondary to the value of
increase security/control within reason; ZA beta in Vista does load slowly,
but I want the control that ZA provides, so I wait.

>> 3) not all packages play nice. it would be very frustrating to be paying
monthly subscriptions to both vendor A and B only to eventually realize that
B effectively turned A off.

That is the value of the 30 day trial period (and Google). I am impressed
enough with ZA running with Vista's f/w that I plan to buy the released
product (it is still in beta) just to have the Expert rules feature that
will not be part of the free ZA version. I use ZA Expert rules to block all
Windows networking ports on my wired/wireless portable in case I forget to
change Vista's network profile from Private to Public when switching from a
wired network to a wireless network. That is just another example of the
value of running two f/ws, as one can cover for a user config error in the
other.

Summary: IMO, it can be very beneficial to run a 2nd f/w with Vista's f/w
enabled. Per my experience if the 2nd f/w is a simple f/w (e.g.., ZA (still
in beta), PC Tools, and Vista Firewall Control) I would not expect any
problems due to running two f/ws concurrently.

So if I enable the kapersky firewall, will the Vista firewall get disabled?

"CZ" <CZ@no99spam.com> wrote in message
news:ODL3#HiqHHA.3380@TK2MSFTNGP03.phx.gbl...
> David:
>
>>> I think there are a couple motivators for the suggestion to not run
>>> multiple
> packages simultaneously:
>>> 1) configuration of one UI can be tricky for a large population of
>>> users;
> getting two sets of UI in sync could be almost impossible.
>
> IMO:
> a) The complexity of the Vista f/w is probably only exceeded by that of
> NIS.
> b) Simple packet filtering f/ws pass the packets sequentially, so trouble
> shooting can be as simple as disable one while you test the other. This
> assumes that the user can read/edit/write f/w rules.
>
>>> 2) everything comes with a perf hit. there are certain packages that I
>>> will
> not name, which on their own can cause a machine to be noticeably slower.
> If
> you get two of them on the same box, you're better off not connecting to
> anything at all.
>
> IMO:
> a) the unnamed f/w is probably NIS. I ran the pre-release version of NIS
> on Vista and thought that Symantec had improved the product substantially
> by removing some extraneous features that were in the previous versions.
> NIS is a sophisticated f/w that does a lot, but requires a degree of
> knowledge to setup properly, and to maintain. However, there are much
> simpler f/ws than either NIS or Vista's that are available (e.g., ZA
> (still in beta), PC Tools, and Vista Firewall Control).
> The challenge is to find a 3rd party f/w that works well with Vista's f/w,
> as I think the Vista f/w is well done overall (is stateful for example)
> except for the absence for "useable" outbound control. I Think highly
> enough of Vista's f/w that I would not recommend disabling it, but running
> a second f/w with it. Per testing, NIS disables Vista's f/w, ZA beta, PCT
> and VFC do not. Also, I would not recommend running NIS with Vista's f/w
> (even if you could) as NIS is more than a simple packet filtering f/w, and
> you would be much more likely to have issues with running the two
> together.
>
> The issue is that a user should not run two complex f/ws together, running
> one complex and one simple f/w together has never been a problem in my
> experience of doing so for 10 (??) years. Of course, the next issue is
> what is a complex f/w.
>
> As much as I like ZA, I have been reluctant to run it by itself, as it has
> been more of an application gate type of f/w ( the weakest type?) rather
> than a packet filtering f/w (plus XP's and Vista's f/ws have been
> stateful).
>
> Re: a performance hit: in general, that is secondary to the value of
> increase security/control within reason; ZA beta in Vista does load
> slowly, but I want the control that ZA provides, so I wait.
>
>>> 3) not all packages play nice. it would be very frustrating to be paying
> monthly subscriptions to both vendor A and B only to eventually realize
> that
> B effectively turned A off.
>
> That is the value of the 30 day trial period (and Google). I am impressed
> enough with ZA running with Vista's f/w that I plan to buy the released
> product (it is still in beta) just to have the Expert rules feature that
> will not be part of the free ZA version. I use ZA Expert rules to block
> all Windows networking ports on my wired/wireless portable in case I
> forget to change Vista's network profile from Private to Public when
> switching from a wired network to a wireless network. That is just
> another example of the value of running two f/ws, as one can cover for a
> user config error in the other.
>
> Summary: IMO, it can be very beneficial to run a 2nd f/w with Vista's f/w
> enabled. Per my experience if the 2nd f/w is a simple f/w (e.g.., ZA
> (still in beta), PC Tools, and Vista Firewall Control) I would not expect
> any problems due to running two f/ws concurrently.
>
>
>
>

Off at a slight tangent but a very simple yet, as far as I can tell,
effective firewall, is Sphinx Vista Firewall Control. I have been using the
free version in addition to the Windows Firewall with no conflict. From:
http://www.sphinx-soft.com/Vista/index.html
It downloads and installs very quickly and starts working immediately. As
each application tries to communicate you can allow it inwards, outwards,
both or neither, either on just that single occasion or more permanently.
The resultant growing list of applications can be pruned and edited easily.
In unusual circumstances you can set it to block all or to allow all via the
system tray. Starkly minimal and very nice to use. - Doug.

"Sharon T" <nospam@nospam.nospam> wrote in message
news:689D2A60-FB35-4AE9-959C-30BB952E3FFB@microsoft.com...
> So if I enable the kapersky firewall, will the Vista firewall get
> disabled?
>
> "CZ" <CZ@no99spam.com> wrote in message
> news:ODL3#HiqHHA.3380@TK2MSFTNGP03.phx.gbl...
>> David:
>>
>>>> I think there are a couple motivators for the suggestion to not run
>>>> multiple
>> packages simultaneously:
>>>> 1) configuration of one UI can be tricky for a large population of
>>>> users;
>> getting two sets of UI in sync could be almost impossible.
>>
>> IMO:
>> a) The complexity of the Vista f/w is probably only exceeded by that of
>> NIS.
>> b) Simple packet filtering f/ws pass the packets sequentially, so trouble
>> shooting can be as simple as disable one while you test the other. This
>> assumes that the user can read/edit/write f/w rules.
>>
>>>> 2) everything comes with a perf hit. there are certain packages that I
>>>> will
>> not name, which on their own can cause a machine to be noticeably slower.
>> If
>> you get two of them on the same box, you're better off not connecting to
>> anything at all.
>>
>> IMO:
>> a) the unnamed f/w is probably NIS. I ran the pre-release version of NIS
>> on Vista and thought that Symantec had improved the product substantially
>> by removing some extraneous features that were in the previous versions.
>> NIS is a sophisticated f/w that does a lot, but requires a degree of
>> knowledge to setup properly, and to maintain. However, there are much
>> simpler f/ws than either NIS or Vista's that are available (e.g., ZA
>> (still in beta), PC Tools, and Vista Firewall Control).
>> The challenge is to find a 3rd party f/w that works well with Vista's
>> f/w, as I think the Vista f/w is well done overall (is stateful for
>> example) except for the absence for "useable" outbound control. I Think
>> highly enough of Vista's f/w that I would not recommend disabling it, but
>> running a second f/w with it. Per testing, NIS disables Vista's f/w, ZA
>> beta, PCT and VFC do not. Also, I would not recommend running NIS with
>> Vista's f/w (even if you could) as NIS is more than a simple packet
>> filtering f/w, and you would be much more likely to have issues with
>> running the two together.
>>
>> The issue is that a user should not run two complex f/ws together,
>> running one complex and one simple f/w together has never been a problem
>> in my experience of doing so for 10 (??) years. Of course, the next
>> issue is what is a complex f/w.
>>
>> As much as I like ZA, I have been reluctant to run it by itself, as it
>> has been more of an application gate type of f/w ( the weakest type?)
>> rather than a packet filtering f/w (plus XP's and Vista's f/ws have been
>> stateful).
>>
>> Re: a performance hit: in general, that is secondary to the value of
>> increase security/control within reason; ZA beta in Vista does load
>> slowly, but I want the control that ZA provides, so I wait.
>>
>>>> 3) not all packages play nice. it would be very frustrating to be
>>>> paying
>> monthly subscriptions to both vendor A and B only to eventually realize
>> that
>> B effectively turned A off.
>>
>> That is the value of the 30 day trial period (and Google). I am
>> impressed enough with ZA running with Vista's f/w that I plan to buy the
>> released product (it is still in beta) just to have the Expert rules
>> feature that will not be part of the free ZA version. I use ZA Expert
>> rules to block all Windows networking ports on my wired/wireless portable
>> in case I forget to change Vista's network profile from Private to Public
>> when switching from a wired network to a wireless network. That is just
>> another example of the value of running two f/ws, as one can cover for a
>> user config error in the other.
>>
>> Summary: IMO, it can be very beneficial to run a 2nd f/w with Vista's f/w
>> enabled. Per my experience if the 2nd f/w is a simple f/w (e.g.., ZA
>> (still in beta), PC Tools, and Vista Firewall Control) I would not
>> expect any problems due to running two f/ws concurrently.
>>
>>
>>
>>