
Why more than 1 Firewall?

Discussion in 'Security and Privacy' started by FireDancer, 2003/09/24.

Thread Status:
Not open for further replies.
  1. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Yet Again... I ask... Why more than 1 Firewall? :)

    Hello all,

    I have read many posts and a few just recently about running more than one firewall at a time. This topic seems to become a heated debate as to what can/cannot, should/shouldn't be done when running more than one firewall. The biggest target of this subject is XP's ICF and just how effective it is. First off let me say that a "true" firewall was designed and should be configurable both ways, meaning inbound traffic as well as outbound traffic. What I see in ICF is a one way street. This quote below was pulled from Microsoft TechNet and basically says it all.

    Goal for Internet Connection Firewall

    The Internet Connection Firewall (ICF) is designed to give the home user and small business protection against these threats. The goal is to provide a baseline intrusion prevention mechanism in Windows XP. This means protecting against scans for information and denying all unsolicited INBOUND traffic. By doing this, the basic tools that are available to script kiddies will be ineffective and they will likely move on to an easier target.

    I give Microsoft a pat on the back for wanting to help protect the average user with ICF but is it really effective? The questions I would ask are... what if a hacker gets past my ICF and plants a little nasty in my computer? What then? Can I control whether it gets out or not? The real answer is MAYBE!!! That is if you have taken the time to set up your computer properly to protect it in all aspects. Those aspects would start with acquiring the proper, what I call IN HOUSE protection... a good AV (anti virus) as well as a good AT (anti trojan) as well as ad ware/spyware/malware programs and setting them up properly and keeping them updated.

    One of the big problems I see with running more than one firewall is unfortunately most people (average home users) don't have the so called HORSE POWER SYSTEMS to handle many apps/programs running simultaneously doing the same job, and even then it can still be a problem for the biggest system. Most conflicts caused within a system come from more than one application trying to access the same thing at the same time. Let's face it, if one firewall is using a certain service or port then the other can't so what's the point? The second firewall just sits and basically waits its turn until it can be granted access. By then the task is completed and it becomes useless for the other to even try at that point.

    The biggest problem today on the internet is that most people take for granted system security and I guess this would fall under the terminology of IGNORANCE (lack of knowledge) as what to use for security... what's good? And what's bad? And even more how to use it!!! Running more than one firewall becomes redundant at some point in my opinion due to the fact that if a single firewall is set up properly and the proper IN HOUSE security is implemented then there is no need for a second firewall.

    With the design of routers today, placing them in between an internet connection and your PC takes the strain off the firewall, and the router, if configured properly, will drop/ignore all inbound unsolicited packets. If in fact a script kiddie gets into your system and you have a firewall up and running properly with the proper IN HOUSE security he has no way out!! No way to call home!!! Outbound control is just as important for this reason, and this is where I believe ICF is lacking. Another quote below from Microsoft TechNet.

    Q: Does ICF do outbound packet inspection?

    A: Other than checking the source IP address, ICF does NOT do any outbound packet inspection

    That's scary!!!

    If ICF is so great then why back it with a second firewall? I'll tell ya why: because of the few reasons listed above, and in as much as there are a few out there that believe a 3rd, 4th and even 5th layer of protection is the best way to go I truly believe that they are not stating the obvious. Running more apps for the same job causes a depletion in system resources, slow start up times, and even hang ups. Secondly it can cause possible conflicts, 3rd ICF does not do what a "true" firewall was intended to do and that is to inspect inbound and outbound packets giving you complete control over what is happening on your PC. ICF does give protection against inbound intrusions somewhat (if set up properly) but... if a script kiddie gets in he can easily get out at will. This is why most that use XP's firewall use a second because they know it does nothing to stop nasties from getting out once in. Why not just disable it and put in a "real" firewall and control everything in one shot? Why do the same job several times?

    The internet today is not fun anymore, we spend most of our time on line seeking out ways to keep out the bad guys anymore. A simple way to avoid this is to take the time to protect yourself and not use "OVERKILL". Determine what your needs are and implement them, and that goes for everyone from the home user to the business user. More than one firewall is just plain silly!!! It's like hiring 3 people to do the same job at the same time... you would be just spending more money than you need and wasting time to get the job done that one can do, aren't you? Configure your firewall properly and let it do the work, because the others are those employees that are just sitting around not earning their keep and collecting a paycheck :) Remember nothing is BULLET PROOF... all we can do is our best to deal with what arises. If they want in they will find a way in, quit being so paranoid and enjoy your computer a little more.. isn't that why you bought it?

    Below are some links I have put up for the new/average home user that pertain to basic security and should allow the basic user to get started in being secure on the net today. They are easy to install and use but be forewarned you DO need to read and understand how they work and what effect they can have on your PC if not used properly.

    FIREWALLS:
    BASIC FIREWALL FAQ
    KERIO PFW 2.1.5 FREE
    SYGATE FW FREE
    ZA FIREWALL FREE

    ANTI-VIRUS SOFTWARE:
    AVG 6.0 AV FREE
    NOD32V2 ANTI VIRUS
    PANDA ANTI VIRUS

    AD WARE/SPYWARE/MALWARE KILLERS
    SPYWAREBLASTER
    SPYWAREGUARD
    SPY BOT S&D
    AD WARE 6.0 FREE
    MRU BLASTER

    ANTI TROJAN:
    Note I recommend the one posted below but there are many more out there.

    TDS3 ANTI TROJAN

    Best regards,

    ~FIREDANCER~
     
    Last edited: 2003/09/24
  2. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello FireDancer,

    Agreed, all the limitations are there. I'm addressing myself to ICF and ICF ONLY. NO MONEY and it's an XP service, always there, not installed/uninstalled - rather enabled/disabled, vastly different from ZA et al.

    For me it's an extra "wall", not taking all that much resources - have run with and without.

    I personally don't want to install a hardware router on a single system. Besides which, whose router software and is it configured properly? No panacea.

    Aside from the potential conflicts and resource use, ICF performs the same function - inbound port blocking.

    Not quite true about ICF being not configurable:

    From XP Inside/OUT by Ed Bott and Carl Siechert:

    quote:
    Internet Connection Firewall (ICF) is a software component that blocks unsolicited traffic from the Internet. It does this by monitoring all inbound and outbound communication involving the computers it protects. Inbound traffic (that is, communication originating from the Internet, not from you or a computer on your network) is dropped (blocked without notification to the originating party) if ICF does not recognize it as a response to an outbound communication emanating from one of the computers on your network. You notice nothing if an inbound packet is dropped, but you can (at your option) create a plain-text log of all such events.

    You can configure ICF to allow particular forms of unsolicited traffic. If you’re hosting a Web site, for example, you can configure ICF to allow the HTTP Web Server service.

    You should use ICF (or another firewall) on each direct Internet connection. For example, if your network is insulated from the Internet by means of a residential gateway, but one computer on the network also connects to the Internet via a modem and dial-up account, that dial-up connection should be firewall-protected.
    If you’re using Internet Connection Sharing (ICS), a configuration in which one computer is directly connected to the Internet and other computers share this connection, enable Internet Connection Firewall only on the computer that is directly connected. If you enable ICF on the sharing computers, you will disrupt local network communications.

    Enabling Internet Connection Firewall

    Follow these steps to enable ICF:

    Open Network Connections in Control Panel.

    Right-click the connection you want to firewall and choose Properties from the shortcut menu.

    Click the Advanced tab.

    On the Advanced tab of the properties dialog box, select Protect My Computer And Network By Limiting Or Preventing Access To This Computer From The Internet.

    Enabling and Configuring a Log of Firewall Activity

    ICF does not create an activity log by default. If you want to see a record of what your firewall is doing, follow these steps:

    On the Advanced tab of the connection’s properties dialog box, click Settings.

    In the Advanced Settings dialog box, click the Security Logging tab

    Select the check boxes for the kinds of events you want to log—dropped packets, successful connections, or both.

    Specify a file name.

    To keep a log from getting too large, specify a maximum file size.
    Click OK.

    Logging dropped packets can help you determine whether someone is trying to scan ports in search of a security hole in your system. Logging successful connections might also be interesting, but if you use the Internet much, a log including successful connections will quickly grow to maximum proportions.

    To read your log, open it in Notepad or another text editor.

    The log uses the W3C Extended Log format, a standard logging format that allows you to analyze data using third-party utilities.

    To understand what the columns mean, look at the column headers in line 4 (they don’t align over the data below, but they’re in the right order).

    The most significant columns are the first eight, listed in Table 20-1.

    Table 20-1. The First Eight Columns of ICF’s Activity Log

    Item | Description
    Date | Year-Month-Date of occurrence
    Time | Hour:Minute:Second of occurrence
    Action | Specifies the operation that was logged by the firewall. Possible values: OPEN, CLOSE, DROP, and INFO-EVENTS-LOST
    Protocol | Protocol used for the communication. Possible values: TCP, UDP, ICMP
    Source IP | The IP address of the computer that initiated the communication
    Destination IP | The IP address of your computer
    Source Port | The port number of the sending computer
    Destination Port | The port that the sending computer was trying to access on your computer

    Allowing Particular Services to Pass the Firewall

    By default, ICF blocks all unsolicited incoming data packets. If you run a Web, FTP, or Telnet site, or if you want to enable contact from the outside on some particular TCP port, you need to take some additional setup steps.

    To enable a service, such as HTTP Web Server, click the Services tab in the Advanced Settings dialog box. The Services tab provides check boxes for enabling a combination of predefined services. To use one of these services, all you need to do is select the appropriate check box.

    Enabling Ping and Other Diagnostic Commands

    Error correction and diagnostic commands, such as Ping and Tracert, use Internet Control Message Protocol (ICMP) rather than TCP or UDP. These functions are also disabled by default on an ICF-protected network. To enable them, click the ICMP tab of the Advanced Settings dialog box. The ICMP tab provides a set of check boxes for predefined ICMP services, along with descriptive information about each. Select the check boxes for the services you intend to use.

    Limitations of Internet Connection Firewall

    The firewall software supplied with Windows XP provides a basic level of protection against intrusion via the Internet. ICF is concerned only with blocking unwanted inbound traffic.
    end quote

    Regards - Charles
     
    Last edited: 2003/09/24
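As an added example (not part of the post above or of the book excerpt it quotes), this Python script reads a log in the W3C Extended layout the excerpt describes, takes the column order from the `#Fields` header, and counts DROP entries per source address, flagging sources that were dropped on many distinct ports. The sample log lines, the addresses in them and the `scan_threshold` value are constructed assumptions.

```python
"""Summarise DROP events from an ICF activity log (W3C Extended Log format)."""
from collections import defaultdict

# Constructed sample in the layout of an ICF log; addresses come from
# documentation/private ranges and are not from a real capture.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-09-24 10:15:01 DROP TCP 203.0.113.7 192.168.1.10 4021 135 48 S 1234567 0 16384 - - -
2003-09-24 10:15:01 DROP TCP 203.0.113.7 192.168.1.10 4022 139 48 S 1234568 0 16384 - - -
2003-09-24 10:15:02 DROP TCP 203.0.113.7 192.168.1.10 4023 445 48 S 1234569 0 16384 - - -
2003-09-24 10:15:02 DROP TCP 203.0.113.7 192.168.1.10 4024 1025 48 S 1234570 0 16384 - - -
2003-09-24 10:15:03 DROP TCP 203.0.113.7 192.168.1.10 4025 3389 48 S 1234571 0 16384 - - -
2003-09-24 10:16:30 OPEN TCP 192.168.1.10 192.0.2.80 1045 80 - - - - - - - -
2003-09-24 10:16:42 CLOSE TCP 192.168.1.10 192.0.2.80 1045 80 - - - - - - - -
2003-09-24 10:17:05 DROP TCP 198.51.100.20 192.168.1.10 3310 135 48 S 7654321 0 64240 - - -
2003-09-24 10:17:08 DROP TCP 198.51.100.20 192.168.1.10 3310 135 48 S 7654321 0 64240 - - -
2003-09-24 10:18:00 DROP ICMP 198.51.100.20 192.168.1.10 - - 60 - - - - 8 0 -
2003-09-24 10:20:00 INFO-EVENTS-LOST - - - - - - - - - - - - 12
"""


def parse_icf_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; it fixes the column order.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line seen before the #Fields header")
        values = line.split()
        if len(values) < 8:
            continue  # truncated line, e.g. the log hit its maximum size
        records.append(dict(zip(fields, values)))
    return records


def summarise_drops(records, scan_threshold=5):
    """Group DROP records by source IP and flag sources probing many ports.

    scan_threshold is an assumed cut-off: a source dropped on at least this
    many distinct (protocol, port) pairs is marked as a suspected scan.
    """
    per_source = defaultdict(lambda: {"drops": 0, "ports": set()})
    for rec in records:
        if rec.get("action") != "DROP":
            continue  # OPEN/CLOSE are permitted connections, not blocks
        entry = per_source[rec["src-ip"]]
        entry["drops"] += 1
        port = rec.get("dst-port", "-")
        if port.isdigit():  # ICMP lines carry "-" instead of a port
            entry["ports"].add((rec["protocol"], int(port)))
    report = {}
    for src, entry in per_source.items():
        ports = sorted(entry["ports"])
        report[src] = {
            "drops": entry["drops"],
            "ports": ports,
            "suspected_scan": len(ports) >= scan_threshold,
        }
    return report


def has_lost_events(records):
    """True if the firewall reported INFO-EVENTS-LOST, i.e. the log has gaps."""
    return any(rec.get("action") == "INFO-EVENTS-LOST" for rec in records)


if __name__ == "__main__":
    recs = parse_icf_log(SAMPLE_LOG)
    for src, info in sorted(summarise_drops(recs).items()):
        print(src, info)
    print("log incomplete:", has_lost_events(recs))
```

Only inbound drops show up here: the OPEN and CLOSE lines for the outbound connection are logged as successful connections, not as blocks.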

  4. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Unless I am thinking wrong, that is the basis of the whole dam argument about ICF. And I see the word BASIC in there too.

    Whereas with Kerio if I do not want the kids getting to AOL from one machine then all I have to do is make a change or remove an entry in Kerio ( or NIS on that machine ) and THEY AIN'T GONNA GET THERE

    I do not believe that can be done with ICF.

    As far as a Router goes. Before I installed it ( I had NIS at the time ) NIS was getting HAMMERED constantly. Once I installed the Router NOTHING on the INBOUND side.

    BillyBob
     
  5. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    BB,

    Inbound only and basic - How is that different from your router?

    Regards - Charles
     
  6. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi again

    Charles,


    A router isn't too BASIC like I stated in the start of the thread if you configure it to your needs ... much can be accomplished such as

    Forwarding, Dynamic Routing, Static Routing, DMZ Hosting and MAC Address Cloning. My Favorite is Forwarding Ports though as I can make a CLOSED port STEALTH by forwarding.

    EXAMPLE:
    I go to GRC.com and do a firewall test and my port 125 comes up CLOSED.. well that is good but I want it invisible so that NO response at all is sent back from my PC, i.e. communicating back to the pinging PC that in fact I am here just not responding. Stealth = doesn't exist!!!

    I FORWARD it to a fake IP address. The set up would be

    Port 125/125 TCP protocol, Forward to IP 192.168.1.75 let's say, now it is deferred and invisible.

    I don't guess you can do that with ICF? Or can you? I believe from what I have read about ICF is that there is no stateful packet inspection whatsoever and it makes it an absolute must for you to do twice the work in setting up a firewall because now you have to be darn sure what you are letting outbound is correct due to the fact that ICF (the second point out from the PC) now is going to permit it. Let's hope it is not a trojan :(

    With Kerio I design the rule for a certain app and/or protocol and it follows those rules period!! Once you allow something through your firewall to go outbound it will just blow right by ICF and that is terribly dangerous for a newbie, don't you agree? This is why I say one basic firewall to get started and learn with and disable ICF as it can not only confuse but make the situation worse for outbound traffic.

    And as far as I know ICF wasn't designed to act like a router. :rolleyes:

    Regards,

    ~FIREDANCER~
     
    Last edited: 2003/09/24
  7. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    The router is indeed a one way deal just like ICF. But with one difference. IT IS USER programmable. FireDancer explains that better than I can.

    That is why the In House TWO WAY software user controllable Firewall is needed.

    Like FireDancer said. Both the Router and software firewall have MUCH greater capabilities than ICF.

    Again, like FireDancer, as the user I can set the rules for Kerio which will blow ICF all to hello and back.

    The Router just makes Kerio's job a little easier.

    But actually my Router serves several purposes. And has proved well worth the cost. ( almost twice as much as now )

    1--It helps to block incoming phone calls.

    2-- It is a Router/Switch ( not a Router/Hub ) which keeps the WAN and the LAN separated.

    3--I can get as many as four machines on line all at once with only one account.

    4--My Wife and I can be playing cards between two machines and the other two be online and nobody interferes with anybody.

    XP's ICF will do NONE of that. So for me and my setup ICF is USELESS.

    Oh BTW. Does ICF protect the Local Area Network the way Kerio has the capability of doing? I can STOP ANYBODY from getting to this machine VIA the LAN. And I also have to give myself permission to connect to another machine.

    I do not know for sure but I do not think ICF will do that.

    BillyBob
     
  8. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Directly from Microsoft!!!!!

    A firewall is a security system that acts as a protective boundary between a network and the outside world. Windows XP includes Internet Connection Firewall (ICF) software you can use to restrict what information is communicated between the Internet and your home network. ICF also protects a single computer connected to the Internet with a cable modem, a DSL modem, or a dial–up modem.

    If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, you should use ICF on the shared Internet connection. However, ICS and ICF can be enabled separately. You should not enable the firewall on any connection that does not directly connect to the Internet. ICF is not needed if you already have a firewall or proxy server on your network in your home.

    From the makers themselves


    HMMMM....:rolleyes:

    ~FIREDANCER~
     
  9. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Firedancer,

    I do use it on a direct connection. As for not needed, lots of things not needed, and used anyway, especially in the security area.

    What's that phrase: "layered defense" I think that one of the senior people on Wilders uses :)



    BillyBob,

    A great deal of what you are pointing out has to do with a network. So my situation is a single machine, not a network, the case for a majority of users I believe. Under those circumstances, ICF does just fine - free, configurable to some extent, and easy to "toggle" on/off.

    Regards - Charles
     
    Last edited: 2003/09/24
  10. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I do have to ask.

    WHY would one even consider turning ICF off ? That action puzzles me. Unless they had another software Firewall to cover things.

    ICF may not be the best thing going but it sure as heck is better than nothing.

    BillyBob
     
  11. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    BB,

    I've run ICF with both ZoneAlarm Pro and now with Sygate. My apologies if I have not made that clear.

    Regards - Charles
     
  12. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    OK got it.

    Thanks

    BB
     
  13. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi all,

    Charles,

    I believe in layered defences too but when does it become overkill? When does it stop taking up room and resources?

    I use ONE FIREWALL (KERIO), ONE AV NOD32V2, ONE AT TDS-3, SPYBOT S&D, SPYWAREBLASTER, SPYWAREGUARD, AD WARE 6.0. With these seven items and my stringent firewall rules I haven't had a trojan, virus or any problem with spyware in years.

    I guess it all comes to what you feel good with and what works for you. I do not think that ICF is or even should be considered a firewall. Maybe Microsoft should have advertised it as a built in router :D !! I am sorry to seem hard on you Charles, I am not trying to be, I am being hard on ICF.

    I guess my point is that there are many new people out there buying PCs every day and the fact remains that most of them DON'T know what a firewall is let alone how to set one up or what to do with it!! I guess that I feel strongly about people learning and making it as easy as possible to learn about this stuff without complicating it too much.

    A firewall without outbound stateful packet inspection is like trying to dig a hole without a shovel... and we know what that will get ya... tired, frustrated and ready to quit when you realize that it just ain't cutting it!!!



    BB,

    The only time I unload my firewall is when I am completely disconnected from the net :) to do service on hardware.


    I guess I would have to agree :eek:

    I guess if one can make it work and they feel it is actually doing them good
    then so be it!!! ;)

    Regards,

    ~FIREDANCER~
     
  14. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Firedancer,

    "but when does it become overkill? When does it stop taking up room and resources?"

    With all due respect, you don't know what you're talking about.

    When you personally run XP and not a 9X system with its "resource" limits, then you can make a judgment about resources and overkill on a XP system.

    ICF is a "service", there whether used or not. So, obviously you don't know what XP's services are.

    I also can make all the malware free claims you make, and it's irrelevant to this subject. I understand that you have the fervor of the "new", but I suggest that you calm down a little and understand that there are many ways to achieve security, not just your way.



    "I guess my point is that there are many new people out there buying PCs every day and the fact remains that most of them DON'T know what a firewall is let alone how to set one up or what to do with it!!"

    You and others actually make a case for ICF. A free inbound firewall is built into the OS and MS gets dissed for it LOL.

    A reminder, ICF stopped the Blaster worm, just as any other FW did.

    The simple fact is that the majority of users operate in blissful ignorance and will continue to do so. Your attitude reminds me of that old phrase "driving out the good for the perfect".

    I've learned something from these threads on ICF, namely how much resentment and mistrust MS engenders. The irony is that on a thread from months ago, I wrote that MS was in fact a monopoly and should have been taken down a peg - long peg and that because of its dominance, other OS's didn't have a chance - merit just didn't have anything to do with it. Well, it just wasn't a popular position to say the least.

    Regards - Charles
     
    Last edited: 2003/09/24
  15. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Whoa here !!

    I personally run both 98SE and XP Pro.

    AND 98SE DOES NOT have resource limits if handled carefully.

    If 98SE has resource problems it is user created and not Windows. I ran SE on here for two years and NEVER ran into a resource problem.

    And XP has its own CONFLICT problems just like 98SE.

    Nobody said they resented ICF.

    It is just the fact that IT DOES NOT offer good solid protection BOTH WAYS as something like a Kerio does. Even though M$ try to make us think it does.

    And controlling OUTGOING is just as important as incoming.

    And I believe that is more what we are trying to point out. To both new and older users.

    Otherwise why are you running Sygate and/or ZA? There must be a reason. And with either one of them ICF IS NOT needed.

    And why do you have to turn ICF on/off? Is it possibly because it conflicts with something?

    BillyBob
     
    Last edited: 2003/09/24
  16. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    BB,

    "if handled carefully", OK, we've been thru the resource issue and don't want to go into it again.

    Resentment: not ICF, but MS.

    "It is just the fact that IT DOES NOT offer good solid protection BOTH WAYS as something like a Kerio does. Even though M$ try to make us think it does." Could you direct me to a site where MS makes this claim?


    Turn on/off for tests, I'm an inveterate test taker. I always compare the same test with it on/off. No it does not conflict with anything.

    Run Sygate because I want to control outbound and want to be able to block particular ports and/or IP addresses, VeriSign redirect a good example.

    Is your router's firewall function needed? If you could, would you take the FW function out of your router? After all, it's not needed.

    Regards - Charles
     
  17. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi Charles,

    Well as a matter of fact I do but I did not come here to create an argument or get into a pissing contest as we already have.

    Right now I have 3 boxes with XP on them and they have not even been plugged in to the wall in 6 months or better. The reason why? Simply I did not like it at all as it was unstable and very bloated, but that is besides the point.

    Resources are a compilation of things not just RAM.. it also consists of disk space, CPU speed yada yada yada... the list goes on. You need to consider a lot of different aspects of the system to make things work properly and smoothly.

    Yes, I run WIN98SE because contrary to popular belief it is the most stable OS out there for the average user and the most advanced as well.

    No, I am actually making a case against it :) FREE!!!! NOT everyone using XP had to purchase it!!! The firewall was built in for the price as ridiculously high as it was. I got Kerio 2.1.5 Free for as long as I want off the internet and it is a fully customizable rule based firewall!!!!!!!!!!!!!!!!

    Hmmmm, I guess a few hundred thousand people more or less didn't have their ICF enabled, their AV updated or their system patched and least likely a rule based firewall that had a rule reading TCP inbound port 135 any/any DENY ya think?

    Be honest did ICF catch your MS BLASTER or did your second firewall catch it?... I tend to think it was the second or neither!!!

    Hmmm, how bout "advising of the bad and offering a better alternative". You're right, the simple fact is that the majority of users operate in blissful ignorance and will continue to do so, and that's what makes BLASTER so strong as well as other viruses and hacks, JUST PLAIN OL blissful ignorance.

    I come here to try to help others understand what they can do to secure themselves in as much as you feel I am ramming my way down their throat!! There are many people here with many different ways of solving problems and that is what makes boards such as this one so valuable to others that would not know otherwise.

    Ya think maybe MS created that problem themselves?

    To finish up here I still have not got an answer to my question. Why 2 firewalls? In as much as people would like to believe that they are safe with enabling ICF it just ain't true, and I will say it again just as Microsoft did....

    A firewall is a security system that acts as a protective boundary between a network and the outside world. Windows XP includes Internet Connection Firewall (ICF) software you can use to restrict what information is communicated between the Internet and your home network. ICF also protects a single computer connected to the Internet with a cable modem, a DSL modem, or a dial–up modem.

    If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, you should use ICF on the shared Internet connection. However, ICS and ICF can be enabled separately. You should not enable the firewall on any connection that does not directly connect to the Internet. ICF is not needed if you already have a firewall or proxy server on your network in your home.

    You must be logged on to your computer with an administrator account in order to enable the firewall.

    You should not enable Internet Connection Firewall on virtual private networking (VPN) connections, which are typically used to securely log in to a corporate network. You should not enable ICF on client computers that are part of a large company or school network with a server-client structure. ICF will interfere with file and printer sharing in these scenarios.

    Seems to me that there are a lot of NOTS in there as well as the word INTERFERE!!

    If you are sharing an Internet connection, enable the firewall only on the host computer that is connected to the Internet. The host computer appears to the Internet as the only computer on the Internet, hiding the computers in your home network. The host computer with ICF enabled provides a single point of security for your host computer and home network computers.

    (A single point of security) are they really saying get something a bit better this will do for now?

    Here is a real good laugh!!!!!

    Computers running earlier versions of Windows are protected without the need for additional firewalls. Hmm
    what is MS really saying here that you need 4 firewalls to protect XP and above? UGGGHHH! They build OS's not Firewalls!!!!!

    My point here today was that if you can obtain a firewall for free or a low price that will offer more protection even to the average user and get the same job done with less work and more results then why run two? No one has really answered the question straight. Even if ICF was fully customizable inbound and outbound you then would not need another firewall as you would be making the same rules over for the second firewall a second time for the same protocols and thus making one firewall redundant.

    If a person can't make rules in the first place or understand what the functions of the firewall are to its full potential or at least be willing to learn, then he/she might as well throw caution to the wind... disable ICF and not even have a firewall!!!! And I guess I could just say happy surfing :rolleyes:

    And just in case someone missed it Microsoft offered this advice....

    ICF is not needed if you already have a firewall or proxy server on your network in your home.

    Can someone tell me why they offered that advice?

    Happy Surfing,

    ~FIREDANCER~
     
    Last edited: 2003/09/24
  18. 2003/09/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Firedancer,

    My apologies. You went over a line in your last post, I felt patronized. I'm not a naif on this issue and you treated me like one.

    I could answer issue by issue, but I won't. Suffice it to say anyone with an XP system can easily see for themselves how much resources - ram - and time are added to the system and test the effect on any number of testing sites. These are the same sites that everyone relies on to test Kerio or any other FW.

    What I'm amazed by is how many will not try it and test my premise to either tell me I was full of **** or not. Johanna was the only person that actually let me know that she tried to run it but had a conflict. And before we go into a riff on conflicts, plenty of people have conflicts with any number of software while others don't.

    One minor point, I don't have passwords on my system, don't need admin permissions, they're implied.

    Regards - Charles
     
  19. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Let's not get into the function of my Router because as I stated earlier it does A LOT more than just protect one machine.

    NO. I would not even think about removing it. IT IS needed. Without it my Internet and my LAN would not be separated. But that is the Router not ICF. Different things doing different jobs.

    I only have three machines on right now. But if I want a 4th all I have to do is install the NIC, Plug it into the Router. Give the new PC a name and add it to the workgroup MsHome and I am up and running. Both LAN & WAN. 10 to 15 minutes tops and it is done.

    However. It is not plugged into the Router until I have both an AV and a firewall installed.

    And BTW. That went for XP install also. XP was not given access to the Net until I had NAV & NIS ( I was using them at the time ) installed and made sure they loaded at bootup. And they were THE FIRST programs allowed access to the NET until they were fully updated. Then other things were allowed access.

    In other words you are saying just what I am trying to say. ICF does not have the capabilities that Sygate, Kerio or ZA do.

    BillyBob
     
  20. 2003/09/24
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    HHMMM ! It did get put aside didn't it ?

    I will answer that.

    You don't need to run two.

    ONLY if you are not using ICF. ( which is not a full fledged Firewall anyway.)

    If running ICF you need two. Then you have both a full function two way Firewall and a One Way ( incoming only ).

    BillyBob
     
  21. 2003/09/24
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi Charles,

    I am sorry if I made you feel that but my question was simple and maybe by seeing and experiencing what MS has done to XP and other OS's I just had to ask the question I did.

    This thread was not directed at you it was in general. I guess I will never understand why people think that 2 firewalls are a necessity. In as much as there are firewalls out there that were just plain designed poorly there are some real good ones. I use Kerio as an example due to the fact that it is what I use and I am partial to it. Sygate is a good one too if you can get a handle on it

    As far as test sites go I have used all or most with not so satisfactory results in the past and that with the help of others has helped me to learn what is good and what is bad with my firewall.

    I respect you for arguing/believing in what works for you. As well it might work for others and be helpful. My experiences with dual firewalls or any other software have been nothing short of disastrous at times :( I have seen more horror stories about running 2 firewalls than none and I still stand by my opinion that 2 are not needed.

    Although MS in their infinite wisdom created half a firewall instead of the whole thing and I believe that is what is causing people such as yourself to be forced to run a second at times but I am still stumped as to the fact.. why not just disable ICF and BEEF up Sygate both ways?

    It still doesn't make sense and I believe that ICF and MS is giving people a false sense of security. I would like to hear a point by point on the question I asked when you feel up to it :)

    Regards,

    ~FIREDANCER~
     