View Full Version : new portable firewall
SteveTX
February 25th, 2008, 11:17 AM
So we're designing a new portable open-source firewall for Windows. You'll be able to deploy it with other applications to keep them from leaking, as it will be a two-way firewall. I would like to solicit opinions on features. Comments and suggestions are now open.
lucas1985
February 25th, 2008, 01:14 PM
Take Kerio 2.1.5 as a model
n8chavez
February 25th, 2008, 02:13 PM
{QUOTE-> Take Kerio 2.1.5 as a model <-QUOTE}
Absolutely!! I couldn't agree more. Small yet very effective is the way to go.
chuckfrasher
February 25th, 2008, 04:04 PM
That sounds awesome!
Carver
February 25th, 2008, 04:09 PM
{QUOTE-> Take Kerio 2.1.5 as a model <-QUOTE}
Great choice!
SteveTX
February 25th, 2008, 06:14 PM
Actually, we did pick up Kerio and take a look at it. So far our popups are pretty much the same. It was the best personal firewall I had seen yet. :D
n8chavez
February 25th, 2008, 07:33 PM
{QUOTE-> Actually, we did pick up Kerio and take a look at it. So far our popups are pretty much the same. It was the best personal firewall I had seen yet. :D <-QUOTE}
I'm not sure I'd go that far. LnS seems to offer a bit more power as far as capabilities of the ruleset.
Also, this is very important to me, but could you make it so that it does not require XP SP2? There is already a product out there, similar to what you are describing, but it required SP2 and, since I refuse to bloat my system with convoluted code, I cannot use it.
SteveTX
February 25th, 2008, 07:49 PM
Let's see. I think this one will run on as tiny as Win98. So far it is a kernel level driver injection, using the TDI Filter driver. However, I'm considering what it would take to make it an NDIS level driver, which is pretty much the only way to get any lower. However, I think that may mess with the portability of it. Something to be researched...
SteveTX
February 25th, 2008, 11:43 PM
Okay. So we are getting a list of priorities.
So far you think it should be very small, lightweight in resource consumption. Okay. What do you like and dislike about other firewalls?
lucas1985
February 26th, 2008, 12:04 AM
I dislike bloat, useless features (ad/script/cookie blocking, IDS, leak-proofing, eye-catching UI, etc), confusing rule editors, lack of full SPI (http://en.wikipedia.org/wiki/Stateful_firewall), hard-coded rules (default rules which can't be modified/deleted), filtering limited mostly to TCP/IP.
I like the table approach of Jetico (http://www.jetico.com/jpfirewall.htm) (related rules are grouped), the custom addresses of Kerio 2 (useful to limit remote endpoints in POP3/SMTP/IMAP/DNS/HTTPS/DHCP). I like the ability of Online Armor (http://www.tallemu.com/powerful_windows_firewall.html) of importing blacklists from a text file. I don't want any HIPS feature in a firewall other than hash checking (Kerio 2) and TDI filtering.
EASTER
February 26th, 2008, 12:48 AM
{QUOTE-> Actually, we did pick up Kerio and take a look at it. So far our popups are pretty much the same. It was the best personal firewall I had seen yet. :D <-QUOTE}
AFAIK it is the very best ever conceived. I tried OA Armor and, wouldn't you know it, went right back to Kerio 2.15 again. It's withstood the test of time on both Windows 98/ME and now XP Pro without so much as a scratch. It is however supported with my HIPS as an additional measure of protection, as well as auto-restarted if ever forced closed.
There's your template!!!
FadeAway
February 26th, 2008, 12:50 AM
Password the configuration interface.
SteveTX
February 26th, 2008, 01:35 AM
So you want it
1. Lightweight
2. Somehow do SPI while being lightweight. heh.
3. Password protected ruleset option
4. Similar to Kerio in HCI
5. Rule table display, sort by group/type
6. Import blacklists option
7. Non-multifunctional, no IDS, hash checking at most for trusted applications.
Does anyone here care about NDIS vs. TDI vs. Winsock injection?
lucas1985
February 26th, 2008, 01:46 AM
IIRC, you need both NDIS and TDI drivers. The NDIS driver is necessary to perform filtering of network packets at the lowest level (right after the NIC has processed them) and the TDI driver is needed to bind packets to applications. Am I correct? I don't know what winsock injection is.
A good SPI engine shouldn't be that demanding (at least in CPU cycles), see Jetico and CHX-I (lightweight firewalls which are known to perform a deep inspection of packets, especially CHX-I).
Also, if you put too much HIPS-like features, you will end up with something like CoreForce.
EASTER
February 26th, 2008, 03:13 AM
If you can, keep it as light as possible but add the suggestions above to strengthen its capabilities, and leave HIPS for HIPS makers; every single firewall and AV maker who adds HIPS only throws their specialty off-balance.
Keep it a true portable firewall, and I'd like to suggest adding some GUI appearance control such as (if possible) slide-out prompts from the top or side of the screen.
Growing weary of same old scenario time and again.
ALL THE BEST!
easter
arran
February 26th, 2008, 06:07 AM
Why make it like Kerio?? I just don't get why so many people on this forum like Kerio?
It's just a very basic firewall with hardly any features, with just a small amount of packet filtering rules, nothing more. Surely Look 'n' Stop has to be better than Kerio 2.1 or 2.5 with all its extra rules.
Can someone please explain why Kerio is so good other than it being lightweight??
acr1965
February 26th, 2008, 09:12 AM
I realize kerio is not Vista compatible. But will the new firewall be?
SirRollsAlot
February 26th, 2008, 10:17 AM
Would it be possible to make it fit in a Linksys WRT54GL? I don't know what system requirements you're looking at right now. Or is this going to be a software firewall that you stick on a USB drive?
firefox2008
February 26th, 2008, 11:24 AM
Don't make it a separate program; have it integrated with the xB Browser so it is as automatic as possible for the novice user.
SteveTX
February 26th, 2008, 12:28 PM
Lots of great suggestions here. Yes, it would have to be Vista compatible, which may or may not be possible (thank you microsoft). I agree that no IDS system really needs to be in place, except for rules that are based on applications/executables instead of traffic. I like the idea of NDIS and TCI levels.
As for integration, xB is eventually going to be a suite where you can install whatever components you like and they will automatically work with each other. At least, that's how I see it. The real trick is having the programs call each other to work in conjunction, but nothing I don't think we can do. I'll shortly be integrating xB Browser with xB VPN, at the launch of XeroBank 2.0 network this next month.
Let me ask another question, what if you had to reboot after installing it, is it still portable and with the same functionality? This may be a deal-breaker with NDIS drivers.
Keep the comments coming.
avboy
February 27th, 2008, 10:48 AM
Hi,
AFAIK, there are two levels of users, "software does it all" and "I do it all", and the others somewhere in-between. So please provide beginner and expert levels, where beginners can plug and use and experts tweak everything they can.
Best Wishes
Avboy
acr1965
February 27th, 2008, 10:21 PM
I would like a right click from my mouse over an IP address to get whois info, if that is possible. Thanks.
Mrkvonic
February 28th, 2008, 08:07 AM
Hello,
A simple question, maybe I'm missing something here:
The firewall will require a kernel driver - right? So, you'll implement some sort of service restart mechanism to allow on-the-fly use without rebooting? Is this possible in Windows? Because what do you mean exactly by portable ...
Mrk
SteveTX
February 28th, 2008, 04:26 PM
The TCI I don't think we have to restart, but for NDIS I think we do.
herbalist
February 28th, 2008, 05:30 PM
Make it just a firewall instead of a security suite. No HIPS, NIPS or other trips. Use Kerio 2.1.5 as a model. Keep the ability to specify protocol, local and remote port numbers, IPs, and individual applications. Add IPv6 compatibility. Add filtering of ARP packets. Keep compatible with 9X systems. Add an option to the status screen that will allow individual connections to be closed, such as you can with TCPView. Keep good loopback connection control. On Kerio's rule edit screen, there's an option to specify "Other" in the protocols. Could this be modernized and expanded?
Kerio 2 has a custom address group. Several such groups would be useful, especially for blocking adservers, etc.
{QUOTE-> 5. Rule table display, sort by group/type <-QUOTE}
Most rule based firewalls read the ruleset from the top downwards. How do you plan to make a ruleset sortable by group or type without affecting the order in which they're applied? I may be old fashioned but I prefer the rules displayed in the order they're applied. Makes it much easier to maintain control over loopback traffic.
This might be too much to ask. Could it include IPv6 to IPv4 conversion to make older operating systems IPv6 compatible? Maybe function like a converter box in this respect?
Rick
aigle
February 28th, 2008, 05:40 PM
Can it be made simple to use on default settings (like application based: allow x.exe, block y.exe etc.)? Complex rules can be hidden in advanced settings for power users.
SteveTX
February 28th, 2008, 06:57 PM
We won't be blocking applications from running, but we would allow applications from being blocked/limited for communicating.
lucas1985
February 28th, 2008, 08:28 PM
{QUOTE-> Most rule based firewalls read the ruleset from the top downwards. How do you plan to make a ruleset sortable by group or type without affecting the order in which they're applied? <-QUOTE}
Take a look at Jetico and you'll see what I mean ;)
Pedro
February 28th, 2008, 09:46 PM
{QUOTE-> Take a look at Jetico and you'll see what I mean ;) <-QUOTE}
It's one thing to separate "network rules" from "application rules", but Jetico certainly is not intuitive. :P
IMO, or my preference :) , Kerio 2.1.5's model or ComodoFP are ideal. I mean only CFP's firewall bit, and with 2.4's GUI style, not the window-here-window-there v3 style...
Kerio since one table gets it all, or CFP since there are objective differences between global rules (apply to the OS as a whole) and per application rules. Global rules are read first.
Both are easy to set rules from the prompts, assuming you know them - doesn't take a manual, just networking concepts and knowing where the options are and how they work.
Kerio allows you to create a custom rule right from the prompt.
CFP allows you to set the "alert level", and then your answer to prompts will create rules as refined as you chose in that level (from yes or no, up to specific IPs and ports). That could be an extra option; I certainly enjoy that in CFP, and don't miss Kerio's feature that much because of it.
Being portable, I don't know what is applicable really. How does it save settings, etc.?
lucas1985
February 28th, 2008, 11:40 PM
{QUOTE-> It's one thing to separate "network rules" from "application rules", but Jetico certainly is not intuitive. :P <-QUOTE}
Disable the Process Attack Table and Jetico is an intuitive rule-based firewall if you dig a bit.
aigle
February 29th, 2008, 04:21 AM
{QUOTE-> We won't be blocking applications from running, but we would allow applications from being blocked/limited for communicating. <-QUOTE}
I mean Block internet access for x application, allow for Y application etc. Application based rules.
nicolasdata
February 29th, 2008, 05:24 AM
Some governments in Europe are preparing a keylogger in the next month.
They will contact the antivirus and firewall editors in order to ask them not to detect their keylogger.
Is Kerio independent enough??
Paranoid2000
February 29th, 2008, 06:06 AM
{QUOTE-> So we're designing a new portable opensource firewall for windows. You'll be able to deploy it with other applications to keep them from leaking, as it will be a two-way firewall. I would like to solicit opinions on features. Comments and suggestions are now open. <-QUOTE}
Well, the first comment is that you have no chance of being able to please everyone (as the varied requests made so far show) so providing some indication of design priorities (security, ease of use, flexibility, speed, low resource usage) may help in deciding which ones to accommodate first.
The second is that portability is going to be pretty hard for a firewall in Windows - you need to implement a driver of some sort for low-level network filtering and that in turn will require administrator privileges and a system restart.
However I don't think you have an option with NDIS-level filtering - security needs to be a prime factor and without NDIS, you can't provide adequate protection from incoming attacks (especially ones exploiting buffer overflows in the network stack). Being able to limit traffic by application is pretty much a requirement so you'll need TDI also.
A further factor to consider is malware resistance - do you want your firewall to be able to resist being shutdown or disabled by malware? If so, then you need to look at process control features (specifically being able to block driver installation, physical memory access and process termination/modification) regardless of the calls by others here to avoid "HIPS". Yes, Kerio may be a good network filter, but it wouldn't last a second against malware attack. If not, you need to warn users that extra software (e.g. System Safety Monitor) needs to be used, and you need to check compatibility.
Leaktest performance - Windows has certain "features" (Internet Explorer, DLL/code injection, AppInit DLLs) which malware has exploited to gain network access via trusted programs. If you want your firewall to provide comprehensive security, it needs to address such techniques.
Logging is important since users need to be able to see what is being allowed and what isn't. Without good logs (and easy ways to filter them) users will have to work blind in creating the best configuration.
Stateful Packet Inspection (SPI) - you can't do a useable firewall without at least network/transport-level SPI (identifying which TCP stream packets belong to) and that shouldn't require much extra processing (indeed, it could save CPU since you only have to do a full rules check on the initial SYN packets). Higher levels of SPI can be avoided (though adding something for FTP control/data connections would be a good idea).
Most users have little knowledge of what to allow or deny - if you are going to cater to non-experts, then you have to provide a simplified configuration setup (probably relying on whitelists of known legitimate applications).
Features which I would suggest as being of lesser importance (i.e. better left until version 1.0/2.0 is released) include:
ARP filtering - not relevant to most home users.
IP blacklists - attractive to P2P users but of little use to everyone else.
Finally I would suggest considering this for GNU/Linux instead - there is almost nothing available there in terms of application filtering firewalls (the only example I can find is TuxGuardian (http://tuxguardian.sourceforge.net/)) while Windows users have dozens to choose from.
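The transport-level SPI described in the post above (a full top-down, first-match rules pass only on the initial SYN, with every later packet of the flow matched against a connection table) can be shown in a few dozen lines. This is an added illustration, not code from the thread or from any firewall mentioned in it; the packet records, addresses and ruleset are constructed sample data, and TCP teardown is simplified to a reset (FIN half-close tracking is omitted).

```python
"""Minimal transport-level stateful packet inspection (SPI), added example.

Rules are evaluated top-down, first match wins, and only when a TCP SYN opens
a new connection. Every later packet is matched by its normalised 4-tuple
against the connection table, which is the cheap path the post describes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flag string: "S", "SA", "A", "R"


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    dst: str = "*"              # remote host, or "*" for any
    dport: Optional[int] = None  # remote port, or None for any
    direction: str = "out"      # "out" = locally initiated, "in" = remote-initiated

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.direction != direction:
            return False
        remote_host = pkt.dst if direction == "out" else pkt.src
        remote_port = pkt.dport if direction == "out" else pkt.sport
        return self.dst in ("*", remote_host) and self.dport in (None, remote_port)


class StatefulFilter:
    def __init__(self, rules: List[Rule], local_addr: str):
        self.rules = list(rules)
        self.local = local_addr
        self.table = set()      # open flows, keyed by normalised 4-tuple
        self.rule_checks = 0    # how often the full ruleset was consulted

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # Order the endpoints so both directions of one flow share a key.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def handle(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if pkt.flags == "S":    # new connection attempt: the only full rules pass
            direction = "out" if pkt.src == self.local else "in"
            self.rule_checks += 1
            for rule in self.rules:
                if rule.matches(pkt, direction):
                    if rule.action == "allow":
                        self.table.add(k)
                    return rule.action
            return "deny"       # default deny when no rule matched
        if k in self.table:
            if pkt.flags == "R":
                self.table.discard(k)  # simplified teardown on reset
            return "allow"
        return "deny"           # unsolicited non-SYN packet with no state


def run_demo() -> Tuple[List[str], int]:
    """Constructed traffic: returns (verdict per packet, number of rule passes)."""
    local = "10.0.0.5"
    rules = [
        Rule("deny", dst="203.0.113.9", dport=80),   # specific deny listed first
        Rule("allow", dport=443),
        Rule("allow", dport=80),                     # never reached for 203.0.113.9
    ]
    fw = StatefulFilter(rules, local)
    packets = [
        Packet(local, 40000, "93.184.216.34", 443, "S"),   # allow (rule 2)
        Packet("93.184.216.34", 443, local, 40000, "SA"),  # allow (state)
        Packet(local, 40000, "93.184.216.34", 443, "A"),   # allow (state)
        Packet(local, 40001, "203.0.113.9", 80, "S"),      # deny (rule 1, first match)
        Packet("203.0.113.9", 80, local, 40001, "A"),      # deny (no state)
        Packet("198.51.100.7", 5555, local, 445, "S"),     # deny (inbound, no rule)
        Packet("93.184.216.34", 443, local, 40000, "R"),   # allow, flow torn down
        Packet("93.184.216.34", 443, local, 40000, "A"),   # deny (state gone)
    ]
    verdicts = [fw.handle(p) for p in packets]
    return verdicts, fw.rule_checks


if __name__ == "__main__":
    print(run_demo())
```

Only three of the eight packets reach the ruleset (the three SYNs); the rest are table lookups. The ordering also shows the point raised later in the thread about top-down evaluation: the port-80 allow never applies to the denied host because the deny sits above it.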
herbalist
February 29th, 2008, 07:00 AM
{QUOTE-> A further factor to consider is malware resistance - do you want your firewall to be able to resist being shutdown or disabled by malware? If so, then you need to look at process control features (specifically being able to block driver installation, physical memory access and process termination/modification) regardless of the calls by others here to avoid "HIPS". Yes, Kerio may be a good network filter, but it wouldn't last a second against malware attack. If not, you need to warn users that extra software (e.g. System Safety Monitor) needs to be used, and you need to check compatibility. <-QUOTE}
Adding HIPS is going to cause several problems. It wouldn't be very portable or easy to use if the user has to start out configuring a HIPS every time it's plugged into a different PC. Even if it uses whitelists of the common apps and system components, how would the portable HIPS determine if the apps are legit or malware files that have modified or replaced system files? Signatures for every version of each common internet-able executable that's been released? For how many versions of windows, going back how far? If this is limited to just the newer systems, you've just limited how portable it will be.
It should be possible to give the firewall resistance to termination without making it a full blown HIPS. Resistance to malware is a very tall order for a portable product.
{QUOTE-> Features which I would suggest as being of lesser importance (i.e. better left until version 1.0/2.0 is released) include:
ARP filtering - not relevant to most home users. <-QUOTE}
Being portable, it's likely this would be used mainly on someone else's PC or network. Anyone security conscious enough to want a portable firewall is most likely running one already on their home PC or network, where using such a device would be redundant. Since it's going to be used on PCs and networks that are not under the user's control, possibly already compromised, it should have this. It would be useful for power users but might be more than the average user can deal with. Then again, would an average user carry a portable firewall? IMO, such a device targets power users and those who take security seriously, users who should be able to handle the details. It's also probable that it would get used on PCs and networks that have existing firewalls the user isn't aware of, causing possible compatibility problems and interactions.
Rick
Pedro
February 29th, 2008, 08:12 AM
I forgot to mention WIPFW. You might want to check it out in case you haven't already Xerobank :)
{QUOTE-> Disable the Process Attack Table and Jetico is a intuitive rule-based firewall if you dig a bit. <-QUOTE}
I disagree. Although I didn't use it that long, it still stands. I didn't get the point in a few days, so it's not intuitive for me.
Rules were all over the place :P
Paranoid2000
February 29th, 2008, 08:29 AM
{QUOTE-> Adding HIPS is going to cause several problems. It wouldn't be very portable or easy to use if the user has to start out configuring a HIPS every time it's plugged into a different PC. <-QUOTE}
Agreed. A default configuration covering a basic Windows setup would cut the burden though.
{QUOTE-> Even if it uses whitelists of the common apps and system components, how would the portable HIPS determine if the apps are legit or malware files that have modified or replaced system files? Signatures for every version of each common internet-able executable that's been released? For how many versions of windows, going back how far? <-QUOTE}
Signatures for the 50 or so most common products should be good enough for most new users in most cases. Windows system components should be digitally signed so checking this is valid should suffice.
{QUOTE-> It should be possible to give the firewall resistance to termination without making it a full blown HIPS. Resistance to malware is a very tall order for a portable product. <-QUOTE}
Malware resistance is something that either needs to be done well or not at all. Doing it well means covering all the actions noted above (and others like WM_CLOSE/SC_CLOSE messages, SendKeys, process suspension or debug privileges).
{QUOTE-> Being portable, it's likely this would be used mainly on someone else's PC or network. <-QUOTE}
Given the requirements (admin access and reboot) I think portability is impractical. A better bet would be to use a VM (GNU/Linux most likely) and implement a firewall within that. Then at least you have a known environment, though still vulnerable if the host OS is compromised.
{QUOTE-> Since it's going to be used on PCs and networks that are not under the user's control, possibly already compromised, it should have this. <-QUOTE}
How on earth is ARP filtering going to be of any use with a compromised system?
There is realistically nothing a firewall could do since it can't be sure of setting hooks, intercepting network traffic or even seeing what programs are running. ARP filtering is only useful for users sharing a LAN with an attacker and all it protects against are some types of DoS attacks.
lucas1985
March 1st, 2008, 02:23 PM
{QUOTE-> I disagree. Although i didn't use it that long, it still stands. I didn't get the point in a few days, so it's not intuitive for me.
Rules were all over the place :P <-QUOTE}
Well, this proves that someone's mind works differently than others'. I have a "Kerio 2 mindset". This and a bit of reading (help file, forums) was enough to dominate Jetico :D
Mrkvonic
March 1st, 2008, 02:51 PM
Hello,
Paranoid, when you say Linux firewalls with application filtering are few, you should remember that most are based on iptables with a nice frontend.
iptables allows you to filter packets by user id, group id, process id, process name, and so forth. This means that any distro running iptables can effectively filter applications. It's not simple to set up, but it's there.
Just type man iptables (Google or Linux terminal) and you'll see an endless list of options...
As to effectiveness of a portable firewall, I agree - and that's why I asked my original question. How can this be implemented without rebooting, starting a service etc...
Mrk
herbalist
March 1st, 2008, 06:34 PM
{QUOTE-> {QUOTE-> Adding HIPS is going to cause several problems. It wouldn't be very portable or easy to use if the user has to start out configuring a HIPS every time it's plugged into a different PC. <-QUOTE}
Agreed. A default configuration covering a basic Windows setup would cut the burden though.
{QUOTE-> ......Signatures for every version of each common internet-able executable that's been released? For how many versions of windows, going back how far? <-QUOTE}
Signatures for the 50 or so most common products should be good enough for most new users in most cases. Windows system components should be digitally signed so checking this is valid should suffice. <-QUOTE}
This will be very problematic. Between the different versions of OS components and the number of versions of those 50 or so internet apps, this could easily get to hundreds if not thousands of signatures. That signature database could become obsolete very quickly as well whenever a new version of one of those apps is released. Unless the user updated it very regularly, any form of integrity checking that involved stored signatures could become outdated almost as fast as AV signatures. This might require too much maintenance to be practical.
{QUOTE-> Malware resistance is something that either needs to be done well or not at all. <-QUOTE}
Ideally, yes, but I don't see where that would be possible. For an app to be resistant to all possible malware attacks, it has to be hooked into the OS pretty deep, almost to the point of becoming part of the OS. That's completely impractical for a plugin device. Even so, there's nothing lost by giving it some termination resistance against the more commonly used methods. The user just has to understand its limitations, starting with the fact that a plugin device can't have the same level of control over an OS as a kernel hooking security suite (or a rootkit).
{QUOTE-> How on earth is ARP filtering going to be of any use with a compromised system? <-QUOTE}
Even if it could do very little, I'd still want the ability to view the traffic.
I've been trying to figure out just where such a device would most likely get used. The places that come to mind are the workplace and possibly on a friend's or acquaintance's PC. I don't see either one responding favorably to someone attaching such a device, no matter what its purpose. Many if not most PCs, home networks, businesses, etc. already have at least an inbound firewall in place. If not the one in Windows, the one that's part of the cable or DSL modem. Even if it can be made to work well, I'd question if it should be used on someone else's property. I can't imagine the average employer saying yes and I'd be quite mad if I caught someone plugging a device into my PC without asking.
Rick
SteveTX
March 1st, 2008, 11:59 PM
{QUOTE-> Given the requirements (admin access and reboot) I think portability is impractical. A better bet would be to use a VM (GNU/Linux most likely) and implement a firewall within that. Then at least you have a known environment, though still vulnerable if the host OS is compromised. <-QUOTE}
Heh. Think about that for a second, Paranoid: We don't have admin and boot privs, so instead we'll use a VM, which requires admin and boot to install drivers.
I'm thinking we can do TCI from the current session. That may be all we can do. Then again, we're still trying to think about what is possible in a world where users want features. When we get into NDIS we're approaching trouble.
My thought is the firewall is deployable: 1) It uses TCI for current session, and if you want to keep it in place 2) we can insert a NDIS driver on boot.
This allows us to even stay Vista compatible. I don't think we're going to try to support <2k.
The idea isn't the end-all be-all firewall. There are already a gazillion of those out there. I'm trying to feel out if there needs to be an alternative, if there is a niche that isn't being filled.
So let's start with some assumptions for the TM:
1) The user has driver installation privs for TCI
2) The user isn't worried about stopping malware, but spyware/leakware
3) The attacks we are trying to stop are anonymity/privacy compromising issues. For example: leaky plugins, bad mime handlers, PDFs phoning home, evil Java, etc.
4) The user doesn't have a strong understanding of anonymity/privacy aspects.
As you may notice, lots of software is written without regard to anonymity or privacy aspects. This is perhaps one reason that anti-spyware/cleanup programs don't go after flash cookies or DOM storage. Well, this firewall might be suited to stopping unauthorized communications that diminish the privacy of the user.
Paranoid2000
March 2nd, 2008, 03:36 AM
{QUOTE-> iptables allow you to filter packets by user id, group id, process id, process name, and so forth. <-QUOTE}
The process name would be useful but only if it included the full path (so /usr/bin/traceroute's permissions aren't allocated to /0wned/traceroute also). There would still be a need to keep a hash of each process (and check it on every new connection) to catch any changes, so this would need a bit more than just a front end.
However assuming the problems are worked out (command matching is supposed to have problems on SMP systems, is that still an issue?) then iptables could certainly be used as a foundation for a more interactive firewall.
{QUOTE-> As to effectiveness of a portable firewall, I agree - and that's why I asked my original question. How can this be implemented without rebooting, starting a service etc... <-QUOTE}
You can avoid having a service by using a driver but avoiding the reboot is going to be harder. However Drive Snapshot loads a driver temporarily for low-level disk access without needing a reboot (just admin privileges) via SCM/services.exe so maybe the method it uses (http://www.syssafety.com/forum/viewtopic.php?t=1048) could be applied to gain low-level network access too.
{QUOTE-> Between the different versions of OS components and the number of versions of those 50 or so internet apps, this could easily get to hundreds if not thousands of signatures. That signature database could become obsolete very quickly as well whenever a new version of one of those apps is released. Unless the user updated it very regularly, any form of integrity checking that involved stored signatures could become outdated almost as fast as AV signatures. <-QUOTE}
It's far easier than the task currently managed by AV software, involving tracking tens of thousands of malware variants, and updates would require far less work (no need for code analysis, just a script to check the main download site for each utility daily for updates). Accumulating signatures for older software versions would be harder but allowing users to submit theirs is one method. A bigger concern would be ensuring any updates are not subject to compromise (using https: should suffice).
Bear in mind that 100% coverage isn't essential here - just providing the most common signatures to cut down on prompts, so users can focus more closely on those that remain.
{QUOTE-> Even if it could do very little, I'd still want the ability to view the traffic. <-QUOTE}
That is, I would respectfully suggest, very much a specialist feature.
{QUOTE-> My thought is the firewall is deployable: 1) It uses TCI for current session, and if you want to keep it in place 2) we can insert a NDIS driver on boot. <-QUOTE}
That should be workable provided that the NDIS install checks first for existing firewalls and prompts the user to go offline and disable/remove them first. Even with TCI/TDI only, compatibility with some existing firewalls may be a problem.
{QUOTE-> 1) The user has driver installation privs for TCI
2) The user isn't worried about stopping malware, but spyware/leakware
3) The attacks we are trying to stop are anonymity/privacy compromising issues. For example: leaky plugins, bad mime handlers, PDFs phoning home, evil Java, etc.
4) The user doesn't have a strong understanding of anonymity/privacy aspects. <-QUOTE}
In this case, how about just providing premade configuration files for those firewalls supporting rules import? That would achieve these goals with much less work.
On the other hand, if you're using a GNU/Linux VM, the iptables options mentioned by Mrkvonic could be brought into play - the downsides shouldn't be an issue with a clean VM image.
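The application-rule requirement argued in the post above (bind the permission to the full executable path, and re-check a hash of the file on every new connection so a renamed or modified binary does not inherit the rule) can be sketched as follows. This is an added example, not code from the thread or from any firewall or distribution named in it; the two "traceroute" files are constructed sample executables written to a temporary directory, and the path names mirror the post's /usr/bin/traceroute versus /0wned/traceroute illustration.

```python
"""Per-application firewall rules keyed by full path plus file hash.

Added example. A rule stores the absolute path and the SHA-256 of the binary
at the time the user approved it; every new connection re-hashes the file and
falls back to a prompt when either the path is unknown or the hash no longer
matches, so an impostor with the same base name or a patched binary never
silently reuses the original program's permission.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_of(path: str) -> str:
    """Stream the file so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppRules:
    def __init__(self) -> None:
        # absolute path -> (expected sha256 hex digest, action)
        self.rules: Dict[str, Tuple[str, str]] = {}

    def trust(self, path: str, action: str = "allow") -> None:
        """Record a user decision for the binary currently at `path`."""
        path = os.path.abspath(path)
        self.rules[path] = (sha256_of(path), action)

    def decide(self, path: str) -> str:
        """Verdict for a new connection made by the executable at `path`.

        Returns the stored action, or "prompt" when the user must be asked again
        (unknown program, missing file, or the binary changed since approval).
        """
        path = os.path.abspath(path)
        entry = self.rules.get(path)
        if entry is None or not os.path.isfile(path):
            return "prompt"
        expected_hash, action = entry
        if sha256_of(path) != expected_hash:
            return "prompt"
        return action


def run_demo() -> Tuple[str, str, str]:
    """Constructed scenario: trusted binary, same-named impostor, patched binary."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "usr", "bin", "traceroute")
        impostor = os.path.join(d, "0wned", "traceroute")
        os.makedirs(os.path.dirname(trusted))
        os.makedirs(os.path.dirname(impostor))
        with open(trusted, "wb") as f:
            f.write(b"#!/bin/sh\necho real traceroute\n")
        with open(impostor, "wb") as f:
            f.write(b"#!/bin/sh\necho impostor\n")

        rules = AppRules()
        rules.trust(trusted)                # user approved the real binary once

        verdict_real = rules.decide(trusted)      # "allow": path and hash match
        verdict_impostor = rules.decide(impostor)  # "prompt": same name, other path

        with open(trusted, "ab") as f:       # binary modified after approval
            f.write(b"echo patched\n")
        verdict_patched = rules.decide(trusted)   # "prompt": hash no longer matches

        return verdict_real, verdict_impostor, verdict_patched


if __name__ == "__main__":
    print(run_demo())
```

Hashing on every new connection is the cost the post accepts for catching in-place modification; a production filter would cache the digest keyed on the file's size and modification time and re-hash only when those change.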
Mrkvonic
March 2nd, 2008, 02:05 PM
Hello,
Paranoid, the exact path has less meaning in Linux than in Windows, because built-in commands are declared in the PATH variable. Therefore, when you type traceroute, you will only ever execute the one declared in the path.
To change the path, you require root - and if "malware" gets into root areas of the system then the firewall won't help you. Likewise, if the bad app has access to path and can change it, it's much more serious than firewall control.
Local commands will require ./ to execute, but again, they will only ever run with local user privileges - no access to root areas.
Finally, the chance of contracting badware is much reduced, since there's the issue of official repositories, global system-wide updates, separation of user/root, and the inherent trust of the environment. While in Windows, you definitely want to restrict apps - you probably do not want to this in Linux - and most won't try to phone home, either way.
Thanks for pointing out the driver issue ...
Mrk
Paranoid2000
March 2nd, 2008, 03:02 PM
{QUOTE-> Paranoid, the exact path has less meaning in Linux than in Windows, because built-in commands are declared in the PATH variable. Therefore, when you type traceroute, you will only ever execute the one declared in the path. <-QUOTE}
Windows is similar in having a $PATH variable, however the reason for having the full path name in firewall permissions isn't to cover a user from accidentally running the wrong version of a file - it is to prevent malware from using an identical filename to gain network access (it would certainly use the full pathname to call its networking component in such a case).
{QUOTE-> Finally, the chance of contracting badware is much reduced...While in Windows, you definitely want to restrict apps - you probably do not want to this in Linux - and most won't try to phone home, either way. <-QUOTE}
The overall risk for a Linux system may be less than with a Windows one but it is still present and likely to increase - it is therefore desirable to have security solutions that can not only address current threats but also look ahead to future ones.
Mrkvonic
March 2nd, 2008, 03:18 PM
Hello,
Thanks for the interesting topic.
Cheers,
Mrk
SteveTX
March 3rd, 2008, 01:17 PM
{QUOTE->
Bear in mind that 100% coverage isn't essential here - just providing the most common signatures to cut down on prompts, so users can focus more closely on those that remain.That is, I would respectfully suggest, very much a specialist feature.That should be workable provided that the NDIS install checks first for existing firewalls and prompts the user to go offline and disable/remove them first. Even with TCI/TDI only, compatibility with some existing firewalls may be a problem.In this case, how about just providing premade configuration files for those firewalls supporting rules import? That would achieve these goals with much less work. <-QUOTE}
Hmmm I suppose that is doable, but what about for those that have no such firewalls at all?
Paranoid2000
March 3rd, 2008, 01:26 PM
{QUOTE-> Hmmm I suppose that is doable, but what about for those that have no such firewalls at all? <-QUOTE}You can provide some general guidance on firewall configuration (e.g. limiting browsers and Java to connecting to Xerobank's client only, blocking open DNS traffic) but otherwise the situation is analogous to someone using Firefox rather than XB's browser - they can do it, but they have to take responsibility for the configuration themselves.
Pedro
March 3rd, 2008, 04:35 PM
There are GUIs for the Windows firewall; one adds application control. That's a possibility, no?
AJohn
March 8th, 2008, 10:39 PM
Why not have two versions in one package. Option to use portable firewall (with limited security), or install the full thing.
Maybe check out http://www.personalfirewall.comodo.com/distribute.html (comodo firewall) and think about getting a stripped custom version as one of the options when installing?
Jim Verard
March 9th, 2008, 09:48 PM
You might consider this thread on the process:
http://www.wilderssecurity.com/showthread.php?p=1107681
In my opinion, Outpost Firewall is the best I ever used. Beware the new versions, because they are not that good. I am using 4.0.1025.7828 (700) now.
vBulletin® Copyright ©2000-2009, Jelsoft Enterprises Ltd.