Vista FW outbound check

Posted by news.tim.it on July 15, 2007, 5:00 am
Hi,
Vista FW with advanced security comes with an outbound traffic default
setting "allow everything which is not denied". I think this is completely
useless, because the main reason for outbound traffic filter is to block
UNKNOWN programs (worm, trojans ....) so it is impossible to make a rule to
deny an unknown program/destination port. On the other hand if I change the
outbound setting to "block everything that does not match a rule" it is
nearly impossible to design a rule for legitimate programs because, as far
as I understand, there is no "display notification" for outbound breaking
rule, and it is not simple to know applications/services/ports of the
majority of legitimate applications (apart from browser mailer and few
others).
My question is: is there a way to have a kind of display notification of the
outbound offended rule with applications/services/ports of the offending
programs?
Thanks in advance
Riccardo


Posted by Mr. Arnold on July 15, 2007, 7:23 am


>
> and it is not simple to know applications/services/ports of the majority
> of legitimate applications (apart from browser mailer and few others).

That's not true, because you can run something like Currports, which runs on
Vista, and look at all connections being made by a program, what port it's
using and whether it is TCP or UDP.

http://www.nirsoft.net/

You can find Currports here too.

http://www.bestvistadownloads.com/

So, you can know all the programs that are running on your machine and stop
outbound traffic for everything, except for the known/accepted programs.

> My question is: is there a way to have a kind of display notification of
> the outbound offended rule with applications/services/ports of the
> offending programs?

I myself, I don't need more questions being asked by Vista. I see enough of
them. So that will never be enabled or some kind of rules set.

I don't think this NG is ready to help you with Vista and its FW, so maybe,
you should post to Microsoft.Public.Windows.Vista General or Security NG
where there are people that know how to set the rules you're looking to
implement, and the popup FW messages too.

msnews.microsoft.com
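
Added example, not part of the original post: one way to turn the approach described above (inventory the connections each program makes, then block outbound traffic for everything except known/accepted programs) into `netsh advfirewall` rules. The connection inventory, the program paths and the accepted set are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Constructed sample inventory (program path, protocol, remote port), as one
# might note it down from a connection viewer. Not real output of any tool.
OBSERVED = [
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "TCP", 443),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "TCP", 80),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", "tcp", 443),
    (r"C:\Program Files\Mail\mailer.exe", "TCP", 993),
    (r"C:\Windows\System32\svchost.exe", "UDP", 53),
    (r"C:\Users\user\AppData\Local\Temp\upd8.exe", "TCP", 8080),
]

# Hypothetical set of known/accepted programs, chosen by the administrator.
ACCEPTED = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Mail\mailer.exe",
    r"C:\Windows\System32\svchost.exe",
}

def build_rules(observed, accepted):
    """Return (netsh command lines, programs seen but not accepted)."""
    accepted_lower = {p.lower() for p in accepted}  # Windows paths ignore case
    ports = defaultdict(set)
    unknown = set()
    for program, proto, port in observed:
        if program.lower() in accepted_lower:
            ports[(program, proto.upper())].add(int(port))
        else:
            unknown.add(program)  # never auto-allowed; left for manual review
    commands = []
    for (program, proto), seen in sorted(ports.items()):
        port_list = ",".join(str(p) for p in sorted(seen))
        commands.append(
            "netsh advfirewall firewall add rule "
            f'name="Allow out {ntpath.basename(program)} {proto}" '
            f'dir=out action=allow program="{program}" '
            f"protocol={proto} remoteport={port_list}"
        )
    # Switch the default to block only after the allow rules exist.
    commands.append(
        "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"
    )
    return commands, sorted(unknown)

if __name__ == "__main__":
    cmds, review = build_rules(OBSERVED, ACCEPTED)
    print("\n".join(cmds))
    print("Not allowed, review manually:", review)
```

The generated commands are meant to be run from an elevated prompt; the program from the temporary directory gets no rule and is only reported for review.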


Posted by Juergen Nieveler on July 15, 2007, 4:30 pm

> Vista FW with advanced security comes with an outbound traffic default
> setting "allow everything which is not denied". I think this is
> completely useless, because the main reason for outbound traffic
> filter is to block UNKNOWN programs (worm, trojans ....) so it is
> impossible to make a rule to deny an unknown program/destination port.

OTOH, if the trojan is already running on your machine and wants to
connect outbound, how's a piece of software going to distinguish whether
you want that to happen or not?

Outbound filtering sounds like a nice idea, but it really only adds a
little bit more complexity to trojans. If you install a trojan that
says "I need to connect to my website to check for updates" - just what
are you going to do? ;-)

Juergen Nieveler
--
Unsecured turrets will only swing freely mid-way through a rail tunnel.

Posted by Kayman on July 15, 2007, 7:48 pm
> Hi,
> Vista FW with advanced security comes with an outbound traffic default
> setting "allow everything which is not denied". I think this is completely
> useless, because the main reason for outbound traffic filter is to block
> UNKNOWN programs (worm, trojans ....) so it is impossible to make a rule
> to deny an unknown program/destination port. On the other hand if I change
> the outbound setting to "block everything that does not match a rule" it
> is nearly impossible to design a rule for legitimate programs because, as
> far as I understand, there is no "display notification" for outbound
> breaking rule, and it is not simple to know applications/services/ports of
> the majority of legitimate applications (apart from browser mailer and few
> others).
> My question is: is there a way to have a kind of display notification of
> the outbound offended rule with applications/services/ports of the
> offending programs?
>

Learn how to configure Vista Firewall to suit your computing habits.

Interesting/educational reading:
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
Scroll down to:
"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
"Outbound protection is security theater-it's a gimmick..."
"...the Windows firewall will provide the protection you need..."

Stay away from 'Phoney-Baloney' 3rd party PFW's - use your brain and filter
out the absurd advertisement hype created by these makers.
http://samspade.org/d/firewalls.html
"Personal Firewalls" are mostly snake-oil"


Posted by Mr. Arnold on July 15, 2007, 8:30 pm

>> Hi,
>> Vista FW with advanced security comes with an outbound traffic default
>> setting "allow everything which is not denied". I think this is
>> completely useless, because the main reason for outbound traffic filter
>> is to block UNKNOWN programs (worm, trojans ....) so it is impossible to
>> make a rule to deny an unknown program/destination port. On the other
>> hand if I change the outbound setting to "block everything that does not
>> match a rule" it is nearly impossible to design a rule for legitimate
>> programs because, as far as I understand, there is no "display
>> notification" for outbound breaking rule, and it is not simple to know
>> applications/services/ports of the majority of legitimate applications
>> (apart from browser mailer and few others).
>> My question is: is there a way to have a kind of display notification of
>> the outbound offended rule with applications/services/ports of the
>> offending programs?
>>
>
> Learn how to configure Vista Firewall to suit your computing habits.
>
> Interesting/educational reading:
> http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx
> Scroll down to:
> "Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."
>
> http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx
> "Outbound protection is security theater-it's a gimmick..."
> "...the Windows firewall will provide the protection you need..."
>
> Stay away from 'Phoney-Baloney' 3rd party PFW's - use your brain and filter
> out the absurd advertisement hype created by these makers.
> http://samspade.org/d/firewalls.html
> "Personal Firewalls" are mostly snake-oil"

Personal FW's are packet filters running at the machine level.

For the most part, the 3rd party solutions are doing the same thing as
Vista's FW in their ability to set packet filtering rules to stop inbound or
outbound packets to and from the machine, which is no different than Vista's
FW/packet filter.

Granted, 3rd party solutions have some snake-oil in them too, beyond just
being simple packet filters and so does Vista's FW/packet filter as well
with its WPF and BEF, which malware can cut right through it if it can get
on the machine and execute.

As far as outbound filtering by setting packet filtering rule to stop
traffic for a 3rd party solution, then there is nothing wrong with it.


