Yowch. 99% processor suck, that's not fun.
I've never encountered that... but I haven't run W2k in, well, forever, and when I did it wasn't on a laptop and had (you guessed it) an external
firewall.
Maybe it's the Pro version, or maybe it's the ZA/OS interaction, I dunno. But yeah, ZA needs to go in that case. Wire's recommendation of Kerio
is a good one -- we used to use them back when I was setting up corporate networks. They's 'spensive for a corporate solution, which it doesn't
sound like you need. Kerio Personal Firewall was their home offering, and it's now offered by Sunbelt. I can't recommend for or against it, because I
haven't used it since the switchover... but Kerio made a damn fine corporate product, so I'd be willing to give it a trial run, personally.
As for the multi-layered defense... it's a trade-off. If it makes you feel more secure, by all means run with it. I personally don't like the
performance hit it generates, and the added layer of complexity (and potential for "WTF, why won't you talk to each other?" moments) isn't
worth the perception of greater security to me.
As an anecdotal data point: my FTP server is the only machine on my internal network that's ever been attacked -- which, well, duh, it's the only one
visible from the outside. My router has been attacked a couple hundred times -- just part of the territory on any high-speed link these days. No other
attacks make it past the NAT. None of the attacks have been successful. The thing is, this is in the bog-standard configuration, basically; I've applied
one firmware update to the Cisco, and that was for the Code Red thing waaaaaay back when.
That's not to say that security isn't needed, or that you won't be attacked? But all I'm saying is, consider the trade-off realistically. If
the firewall you're using is causing you problems, the question might not be "which one is better", but rather, "do I need one at all?"
What router are you using, if you don't mind me asking? A lot of them can do outbound filtering as well.
--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs