Vista Firewall Issue

Discussion in 'Windows Vista Security' started by Antius, Jan 2, 2008.

  1. Antius

    Antius Guest

    Happy new year everyone, I'm using the 64bit version of Vista Ultimate,
    I have an ethernet connection to a cable modem & no home network, IPv6
    is disabled.

    When I set the firewall to block all outbound connections but allow a
    few exceptions, the programs exempted from this rule can't access the
    internet any longer for example Internet Explorer, Windows Mail etc,
    irrespective of what profile they're under, e.g. public, private or
    domain.

    The problem persists even if I change the network location type from
    public to private in the Network & Sharing
    Center. Is there a way to resolve this without having to set 'Outbound
    connections that do not match a rule are allowed' in Windows
    Firewall with Advanced Security?
     
    Antius, Jan 2, 2008
    #1

  2. Jesper Guest

    Don't set a "block all" outbound rule. It is virtually impossible to do that
    on a general purpose system, and it provides virtually no security. You would
    need to permit all ports between 1024 and 5000 for your apps to function.

    What *specific* threat are you trying to mitigate?
     
    Jesper, Jan 2, 2008
    #2

  3. Antius

    Antius Guest

    Thanks for your prompt response Jesper, I want to block programs that
    I'm unaware of from making outbound connections since the Vista firewall
    doesn't seem to warn me of these events in real time.
     
    Antius, Jan 2, 2008
    #3
  4. Hatter Guest

    Then what you might want is a 3rd-party firewall that does alert you when a
    program makes an attempt.

    I was using AVG Suite and found it useful, but switched to another product.

    Also, you can set up rules to monitor, log and block services from your
    router.
     
    Hatter, Jan 2, 2008
    #4
  5. Jesper Guest

    You are really setting yourself up for a world of hurt. First, you cannot
    block a program from making outbound connections. Any program that wishes to
    do so can without your noticing. There is no way, including with third-party
    firewalls, to effectively block one program from making outbound connections
    as another program running in the same user context. Third party firewalls
    can be set up to notify you when programs that choose to not be stealthy try
    to connect outbound, but they cannot stop malicious programs that do so.

    Second, when you use that functionality in third-party products you will be
    notified incessantly because the programs can use any port they want to
    communicate out. The usual response is to disable the notifications for
    particular applications, which completely obviates any value in the feature.
    Since it provides no security value the Vista firewall does not include the
    notification functionality.

    In other words, attempting to block outbound unapproved traffic provides no
    additional security whatsoever, but is often used as a selling point by
    vendors who either do not understand security, or are trying to make money by
    misleading customers. If you want that type of functionality, you need a
    third-party firewall from one of those vendors. My advice would be to focus
    on things that actually will improve your security instead.

    Having now tried to dissuade you from the entire project, the Vista firewall
    can be used to create a "block all" rule and permit only certain programs.
    More than likely you have a rule that does not permit the program to
    communicate on all ports to all ports, for all users. If you configure the
    firewall log to log dropped packets you will get log events like this one:

    2008-01-02 15:40:00 DROP TCP 1.2.3.4 65.99.255.140 52969 80 0 - 0 0 0 - - - SEND

    That will at least tell you what the firewall saw even though it does not
    tell you which application made the connection. Notice the source port:
    52969. Client apps can use any port they want for the source port, and you
    need to permit all 64,000 of them. Might that be what is blocking your
    traffic?

    There is more information about troubleshooting the Windows Firewall here:
    http://technet2.microsoft.com/Windo...ade8-4dbe-ac05-6ef10a6dd7a51033.mspx?mfr=true. It may be useful to you.
     
    Jesper, Jan 2, 2008
    #5
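The log line quoted above is the only evidence the Vista firewall gives you, so it helps to have a way to read a whole pfirewall.log and see what is actually being dropped. The script below is an added example, not part of Jesper's post or of the original thread: it parses the W3C-style format the Windows Firewall log uses (the field names come from the "#Fields:" header the firewall writes into the file), keeps only dropped outbound ("SEND") entries, groups them by destination and lists the source ports seen. The sample log text is constructed for illustration (its first data line is the one from the post); the script assumes PowerShell 3.0 or later for the [pscustomobject] cast, and the 49152-65535 range it checks is the default dynamic (ephemeral) port range on Vista and later.

```powershell
# Added example, not code from the original thread.
# Parses Windows Firewall log (pfirewall.log) text and summarises dropped
# outbound connections per destination. Assumes PowerShell 3.0 or later.

# Constructed sample log; the first data line is the one quoted in the thread.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-01-02 15:40:00 DROP TCP 1.2.3.4 65.99.255.140 52969 80 0 - 0 0 0 - - - SEND
2008-01-02 15:40:01 DROP TCP 1.2.3.4 65.99.255.140 52970 80 0 - 0 0 0 - - - SEND
2008-01-02 15:40:02 DROP TCP 1.2.3.4 65.99.255.140 52971 443 0 - 0 0 0 - - - SEND
2008-01-02 15:40:03 DROP UDP 1.2.3.4 4.2.2.1 61234 53 0 - - - - - - - SEND
2008-01-02 15:40:05 DROP TCP 10.0.0.99 1.2.3.4 4444 445 0 S 0 0 0 - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Turns W3C-style log text into objects whose property names come from
    # the "#Fields:" header line, so the parser follows whatever the log says.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$entry
    }
}

function Get-DroppedOutbound {
    # Dropped SEND entries grouped by destination. Note that the 'path' column
    # only says SEND or RECEIVE: the log never names the program, exactly as
    # the post says, so the source port spread is the main clue you get.
    param([object[]]$Entries)
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        Group-Object protocol, 'dst-ip', 'dst-port' |
        ForEach-Object {
            $ports = @($_.Group | ForEach-Object { [int]$_.'src-port' } | Sort-Object -Unique)
            [pscustomobject]@{
                Destination = $_.Name                       # "TCP, 65.99.255.140, 80"
                Drops       = $_.Count
                SourcePorts = ($ports -join ', ')
                # Vista's default dynamic port range is 49152-65535; client
                # sockets land there, which is why a rule must allow any local port.
                AllEphemeral = (@($ports | Where-Object { $_ -ge 49152 }).Count -eq $ports.Count)
            }
        }
}

$entries = ConvertFrom-FirewallLog -Lines ($SampleLog -split "`r?`n")
Get-DroppedOutbound -Entries $entries | Format-Table -AutoSize

# Against the real log (reading it normally requires an elevated prompt):
# $real = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
# Get-DroppedOutbound -Entries (ConvertFrom-FirewallLog -Lines $real)
```

The UDP port 53 drop in the constructed sample is deliberate: a browser rule on its own never covers that traffic, because DNS queries on Vista are sent by the DNS Client service running inside svchost.exe rather than by the browser process, so a "block all outbound" setup has to allow that service separately.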
  6. Host-based outbound control is an illusion.
     
    Straight Talk, Jan 3, 2008
    #6
  7. DevilsPGD Guest

    Straight Talk wrote:

    Not necessarily. If you're a limited user, and don't elevate or
    otherwise give admin access, you can trust host-based solutions.

    Otherwise, they're just snakeoil.
     
    DevilsPGD, Jan 3, 2008
    #7
  8. Antius Guest

    Hello again Jesper, you mentioned that 'the Vista firewall
    can be used to create a "block all" rule and permit only certain
    programs'. Can you give some examples of how to configure that setup?
    None of my specific outbound rules have been overridden by a block rule;
    all apps are allowed to communicate from any local address or source
    port to any remote address or port for any user, but I have restricted
    the protocol to TCP.
     
    Antius, Jan 3, 2008
    #8
  9. Nick ///// Guest

    As others have pointed out, the value is questionable and the pain and aggro is high.

    If you must, then:

    www.sphinx-soft.com Vista Firewall Control will do what you want far more
    easily than trying to configure it yourself.

    Nick /////
     
    Nick /////, Jan 3, 2008
    #9
  10. Jesper Guest

    All you do is set the firewall to block all outbound traffic. Then you create
    an outbound program rule. In my case I permitted Internet Explorer
    (%programfiles%\Internet Explorer\iexplore.exe) to communicate out over all
    protocols and all ports. After that IE could browse the web but Firefox could
    not. I just tested it and went through the wizard clicking Yes on most
    everything.

    Start with that very open rule. Then start putting in more restrictions
    until you see what breaks.

    I still question the need for this exercise, BTW.
     
    Jesper, Jan 3, 2008
    #10
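The steps Jesper describes (switch the outbound default to block, then add one wide-open program rule and tighten from there) can be done from the command line instead of the wizard. The script below is an added example and not Jesper's own commands: it is meant to be run from an elevated PowerShell prompt and drives netsh advfirewall, because the NetSecurity cmdlets (New-NetFirewallRule and friends) do not exist on Vista. The rule name "Allow IE outbound" and the IE path are assumptions; the Core Networking step is added because name resolution and DHCP are handled by services inside svchost.exe, not by iexplore.exe, so the built-in "Core Networking" outbound rules must remain enabled for an allowed browser to actually reach anything.

```powershell
# Added example, not commands from the original thread.
# Run from an elevated PowerShell prompt on Vista or later. Uses netsh
# advfirewall because the NetSecurity cmdlets are not available on Vista.

# Assumed path; adjust if IE lives elsewhere.
$IE = "$env:ProgramFiles\Internet Explorer\iexplore.exe"

# 1. Keep inbound blocked and switch the outbound default to block on every
#    profile (domain, private, public). The comma-separated value is quoted so
#    PowerShell passes it to netsh as one argument rather than as an array.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 2. The deliberately open starting rule from the post: one program, all
#    protocols, all remote ports, and (by omission) any local port, which
#    matters because client sockets bind to a random ephemeral source port.
netsh advfirewall firewall add rule name="Allow IE outbound" dir=out action=allow program="$IE" enable=yes profile=any protocol=any

# 3. DNS and DHCP traffic comes from services hosted in svchost.exe, not from
#    iexplore.exe, so the built-in Core Networking outbound rules must stay on
#    or the allowed browser will still fail to resolve names.
netsh advfirewall firewall set rule group="Core Networking" new enable=yes

# 4. Log dropped packets so blocked traffic is visible (the log never records
#    the program name, only addresses, ports and direction).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Verify what the firewall now has.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Allow IE outbound" verbose

# To undo step 1 (restore the Vista default of allowing unmatched outbound):
# netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"
```

Tighten from here one change at a time (e.g. add remoteport=80,443 or protocol=tcp to the rule) and re-read the dropped-packet log after each change; the first thing that usually breaks is name resolution, which is the Core Networking dependency rather than anything in the browser rule.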
  11. Stretch Guest

    Antius,
    I think the point is that there are numerous additional controls in most
    security applications to prevent personal information from being sent to
    the net. Key logging, sniffers that steal critical information that is not
    for world publication, etc.

    Many times, utilizing a known port that is monitored for such information
    will result in the program being caught. So some of the programs that do
    this specify a specific port to connect from so that they can effectively
    bypass the security protocols. When a firewall is set to not notify you
    that a program is trying to connect to an outside source, one that you
    haven't specified, it may notify you. Better security software will not
    accept the path of the program, and it is difficult, if not impossible, to
    have 2 programs using the same path and filename.

    Therefore, a catchall rule should be the first rule applied in a firewall
    system. Then programs are granted permissions based on a need to access.
    The good thing about writing such a config is that it can be exported and
    reinstalled on other machines to grant the same basic permissions. That is
    good in a networked environment. Especially good if the system also uses a
    proxy.

    In the old linux systems using things like ipchains, you could tail the
    firewall log and monitor the firewall in real time on a vt. In most windows
    based systems, a popup notification is used.

    Without the popup, there are probably still ways to get the firewall to
    notify you. The problem comes when you want to specify how. Again, in a
    linux system, you have access to multiple accounts and can write something
    to do it for you, and send it to a specific location. It is much more
    difficult to do the same in vista, since account switching can be
    laborious.

    Third party firewalls have built in utilities to mitigate that. But then
    the trade off is that they are resource intensive. Installing third party
    software can cause a loss of resources to the tune of 20% or more. My guess
    as to why the vista advanced firewall doesn't notify you? Remote management
    of systems in a business type environment, which disallow individual users
    from overriding the firewall, and giving perms to programs that shouldn't
    be given access.

    Security in the computer world is ever evolving. The best thing to keep in
    mind is that any computer can be breached as long as someone has physical
    access to the box. Otherwise, two little wires hold the fate of the known
    universe in their control. Now, with wireless, the ability to sniff computer
    input directly from hardware without connecting to it, and hardened
    facilities to protect your data, the odds that someone can get to it are
    ever increasing, right along with security protocols to prevent it.

    The simplest thing to ask yourself, is, "Why does anyone even want my data?
    If I can't get a credit card, who else can in my name?" "If there's no money
    in my account, there's no money to steal." If you really want to stop anyone
    from paying any attention to you at all, go on a wild spending spree, then
    pay your bills late. No one will bother you after that. Get a balloon
    mortgage. They will run from you. A felony record. No one wants that. Become
    a sex offender.
    You get your photo published along with your address. And with the internet,
    once you turn off your spam blocker, there's loads of people that can and
    will help you do all of the above.

    The point is, once you are thrashed, you are no longer a target. These
    people will move on to greener pastures. and they'll probably turn off your
    dsl once they see that you haven't paid the bill. It's better to rent than
    buy anyway, since it's nearly impossible to sell. And if the weather trashes
    your place, you can simply move away without losing anything more than a
    month's deposit.

    Hey, if you need our help with security, let us know. We'll be more than
    happy to.

    The real question to ask yourself, is, " Why are the black helicopters
    outside? What do they really want from me?"

    For most people, the answer really is nothing. Don't be a victim. Don't give
    out your information to anyone you don't know. Don't download unnecessary
    software. Avoid porn sites, and their ilk. Stay away from get rich quick
    schemes. And above all, don't let your kids talk to strangers.

    Just like the real world. Use your better judgment.
     
    Stretch, Jan 4, 2008
    #11
  12. LUA surely helps containing malware. LUA does not ensure trust in
    outbound control. Various IPC methods still apply.
    They are.
     
    Straight Talk, Jan 4, 2008
    #12
  13. Hatter Guest

    I had a printer driver that when installed, would try to make an outbound
    connection - and fail.

    So I disabled the ports and services it was using. The driver is now
    installed and working.

    I don't want OpenOffice communicating or grabbing images or content off the
    'net.

    I see that I would be fighting a swarm of bees to counter the group-think
    going on here, just realize that not everyone buys snake oil but still wants
    to monitor or block applications from initiating their own outbound
    connection. Calling home, checking for updates, or reporting on user
    activity.
     
    Hatter, Jan 4, 2008
    #13
  14. Antius

    Antius Guest

    Hi Jesper, I'm still having the same problem: blocking all outbound
    traffic & creating an outbound rule to communicate through the firewall
    no longer works. Before I abandon this line of enquiry, do any of the
    pre-existing rules, especially those belonging to the Core Networking
    group, have to be enabled to allow apps like Internet Explorer, Windows
    Mail etc to communicate successfully through the firewall?
     
    Antius, Jan 4, 2008
    #14
  15. DevilsPGD Guest

    Hatter wrote:

    The problem is, host-based software can be overcome by other host-based
    software. Any application that doesn't want its activities monitored
    by a specific host-based packet filter can either reconfigure it or
    bypass it.
     
    DevilsPGD, Jan 4, 2008
    #15