What's wrong with using windows firewall?

I was developing a system which requires connection between two computers. I decided to connect the two machines together via direct ethernet cable.

My boss didn't like it as there is no firewall in between. The two computers are both connected to separate corporate networks. The cable would essentially bridge these two networks, posing security concerns.

My boss then decided that we purchase a Cisco firewall just to connect the two machines. I told him: why not use Windows Firewall? Wouldn't that be sufficient? The answer: "It's not standard!"

Is there any particular standard that demotes Windows Firewall?

Thanks


Cisco firewall or not, if I cross-connected two corporate networks without the knowledge and explicit permission of the network owners, I'd be in seriously hot water.

So what you need to do is to get those parties involved. If it's going across their networks, then they need to talk:

Step 1. Establish the owners of both said corporate networks. I mean, find out who is the lead engineer responsible for both of them.

Step 2. Write them both an email explaining what you want to do, and why, asking whether there are any implications for this.

Step 3. Don't do anything without explicit permission from both owners of the other networks.

Step 4. When you have permission from both you can start figuring out how to interconnect them. In actual fact, both network owners should now be in a position to advise you on how it should be done.


The reason for preferring an ASA (or something) over the windows firewall is extremely unclear in this case.

The appropriate thing to do is to assess whether there is any reason that data should not flow from the node on one side of the (crossover) cable to the node on the other.

The answer is a continuum somewhere between two extremes:

  • Neither computer is internet-connected and both are used by the same people for the same purpose, and they are equally trusted. A firewall of any kind is likely wasted effort in this case.
  • One computer is a publicly accessible node in a DMZ, and another one is connected to a network which processes privileged information. In this case, a firewall is strongly recommended, if the connection must be made at all.

Not knowing where you lie on this continuum makes it very difficult to give a decent answer, but thinking about that might help you arrive at one. It is clear that you lie somewhere in the middle, but you should figure out what it is you want to isolate between the two networks and why it is that they are separate. "I want to isolate connections" is usually not an adequate answer to that question.

As to why one might prefer one type of firewall over another, the best reasons are the existence of a central configuration management infrastructure (or a focus in business expertise) and the need for a particular feature available in one but not the other. Lacking such a reason (and one probably exists), the direction you are being given is likely misguided.

It would be absurd for a public standard to mandate or prohibit the use of certain firewalls by brand name. However, internal standards and contractual standards might well specify such a thing.

The concerns in this case are likely more business than technical.


There is not a great logical difference between a software firewall and a Cisco firewall, apart from some extra options that you might be able to set on the Cisco device.

Purchasing a Cisco firewall just for a connection between two hosts is a bit overkill. Suggest a different brand, or connect that computer into your firewall and route the traffic through to your computer, instead of directly to your computer.
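To make the point of the second and third answers concrete (decide which single flow is allowed, then let the host firewall enforce exactly that), here is an added example of how the built-in Windows firewall can lock down the cross-connect link. It is not code from the question or any of the answers; the interface alias, peer address, port and program path are placeholders you would replace with your own values, and it must be run in an elevated PowerShell session on each of the two machines (with the peer address swapped on the second one).

```powershell
# Added example: restrict a direct crossover link with Windows Firewall.
# Placeholders (assumed values, adjust to your environment):
#   $LinkAlias - the adapter that carries the crossover cable
#   $PeerIp    - the other machine's address on that cable
#   $AppPort   - the TCP port the application actually needs
#   $AppPath   - the executable allowed to use that port
$LinkAlias = 'Ethernet 2'
$PeerIp    = '192.168.200.2'
$AppPort   = 5000
$AppPath   = 'C:\App\server.exe'

# 1. The host must never act as a router between the two corporate networks,
#    so turn off IPv4/IPv6 forwarding on every interface.
Get-NetIPInterface | Set-NetIPInterface -Forwarding Disabled

# 2. Classify the crossover link as an untrusted (Public) network so the most
#    restrictive profile is applied to it.
Set-NetConnectionProfile -InterfaceAlias $LinkAlias -NetworkCategory Public

# 3. Default-deny in both directions on that profile and log dropped packets
#    so the link can be audited later.
Set-NetFirewallProfile -Name Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. Allow only the one application flow, pinned to the peer address, the
#    crossover interface and the program binary.
New-NetFirewallRule -DisplayName 'Crosslink: app inbound from peer' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $AppPort `
    -RemoteAddress $PeerIp -InterfaceAlias $LinkAlias -Program $AppPath `
    -Profile Public

New-NetFirewallRule -DisplayName 'Crosslink: app outbound to peer' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort $AppPort `
    -RemoteAddress $PeerIp -InterfaceAlias $LinkAlias -Program $AppPath `
    -Profile Public

# 5. Verify: show which interface each rule is bound to, and confirm that
#    forwarding is disabled on the link.
Get-NetFirewallRule -DisplayName 'Crosslink:*' | Get-NetFirewallInterfaceFilter
Get-NetIPInterface -InterfaceAlias $LinkAlias |
    Select-Object InterfaceAlias, AddressFamily, Forwarding
```

Two caveats worth checking before applying this. The profile defaults in step 3 apply to every adapter that Windows has categorised as Public, so confirm with `Get-NetConnectionProfile` that the corporate-facing NIC is on the Domain or Private profile first, or the default-deny will also hit that side. And the configuration only holds if both machines apply it: a peer that still has forwarding enabled can route traffic from its own corporate network onto the cable, which is exactly the bridging concern the question raises.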