Looking for a 3rd Party firewall for Windows Vista that ...

I am starting to set up a new PC for the sole purpose of running Quicken to monitor my finances though am paranoid about the privacy and security implications of doing so.

In attempt to appease my perhaps unreasonable fears, I am looking for a high-quality firewall from a commercial software company with a good reputation, that I can configure such that it can only access the following sets of sites:

1) Windows Update
2) Security signature updates - e.g. anti-virus signature updates, etc.
3) Relevant app update sites - e.g. Quicken, Mozilla, Acrobat Reader, etc.
4) small set of trusted financial sites e.g. bank, broker, etc.

I will use Vista as a standard-user and will NOT use the machine to browse any other sites; it is a dedicated machine.

I was told to look for a firewall that supports URL filtering; however I haven't yet come across any Windows host based firewalls that claim that as a feature.

A couple other goals:
1) Ideally this firewall is part of a decent quality security suite w/ a strong anti-virus component - I don't want to install lots of kernel mode code from a # of different vendors (e.g. anti-virus from one vendor, firewall from another, etc)

2) I want to actually block inbound and outbound connections from other sites at an IP level - (e.g. a fishing filter in a browser is not what I am looking for).

3) Online Armour claims something like this - a "banking mode". I am not looking for banking as a "mode".

Your advice and inputs are greatly appreciated - DaNose

 

Use the build-in Firewall of Vista and block all. Set your favourites as exception, activate Windows-Defender and DEP and install a good AV-Scanner. Avast is a good recommendation for Vista. Light, fast and sufficient.

 

Hopefully you have an NAT-enabled router and it's configured with your own (not the default password). Turn off UPnP and you're already in pretty good shape. Jetico has been getting a lot of attention for their firewall. I haven't used it, but people I respect have good things to say about it.

Also, DevilFrank, does the VISTA firewall still default to "allow" for outbound connections? It's great to have the bi-directional protection, but it might help if they - you know - turned it on! I know their concern was support calls ("A message pops up that says 'do you want to allow..."), but really, that was horrible and surely they have fixed that?
http://www.pcworld.com/businesscent...ista_firewall_fails_on_outbound_security.html

http://members.rushmore.com/~jsky/id34.html

Good luck, DaNose.....

 

Thanks for the good advice. Yes, I have a router w/ NAT & fairly unique password I set.

DevilFrank : I have a question about Exceptions w/ Vista Firewall:

How do I handle the case where a financial institution uses some form of load-balancing (e.g., they run 8 servers) where they have names like www.bank.com, ww1.bank.com, ww2.bank.com, ww3.bank.com, ww4.bank.com, ww5.bank.com, ww6.bank.com, ww7.bank.com. I suppose the hard case is not really knowing if/when or how to handle the event they add a 9th (or more) servers into their serverfarm.

I was told by a guy who knows more about firewalls than I that this is basically why I needed a firewall that does URL filtering, and he implied that the built-in firewall in Vista does not include such functionality?

Thanks, DaNose

 

In all honesty, if you are that concerned about internet banking with these conditions you most likely are doing something that needs to be hidden.

 

Nothing illegitimate. If I wanted to do that - I suspect there are other resources that may be better sources of information for such.

Rather I am just out to protect my identity, access to high-value accounts, and access to high value information - aka a Quicken file of everything.

I suppose I could just flat out ask all the financial firms I do business wiht to disable online access to all my accounts, and instead type all account activity into Quicken by hand. However experience tells me that fairly impractical. I am fond of the hypothesis of a dedicated very-locked-down dedicated PC as a bit more practical.

thanks for the input, DaNose

 

Pretty much any firewall that has network and program capabilities will do, then.

I would advise against using any public networks, especially open ones. And I might look into VPN, software, too.

 

I wish financial institutions offered VPN logins instead of websites on the internet - and required authentication via smart card (or equivalent). Know of any decent financial institutions that do?

I don't think one of the institutions I currently do business with do :-(

DaNose

 

Well, yes, I do know of some that have VPNs, but only for employees.

 

Firewalls with url filtering is usually used in a corporate environment where http connections run through a proxy. I can think of 3 alternatives.

1) Run a local proxy http://wiki.castlecops.com/Lists_of_freeware_proxy_software url filter through the local proxy. Then have the firewall block everything except a) browser to connect from localhost:non service port to localhost:http/https b) proxy to connect from localhost:http/https to bankip:http/https. For bankip, just do a whois on the bank and get the ip range. Getting bankip is not essential but will help with phishing attacks.

2) Buy a soho firewall with content filter capabilities. Watchguard Firebox x10, Cisco PIX 501, Untangle platform comes to mind.

3) Use parental controls software like netnanny.

 

Why don't you put a password on the machine and enforce the policy through self restraint? Or, do you have an employee doing the work on it for you?

 

ZA allows you to lock the internet with a password.

 

Guy, the best advice for someone who classifies themself as "paranoid" is TRUST NO ONE.
Reputable software company?
HaHa!
Have you ever read any of these software licensing agreements?
THEY ALL CLAIM NO LIABILITY.
Best answer?
Ask your financial institution what they recommend, so at least you will have someone to sue if something goes wrong!

 

DaNode,

if you know the subnet of the serverfarm, you can configure the endpoints at the Vista Firewall as exceptions.
Of course, the Vista firewall is tricky and not a set-up and forget it tool.

For more information start here:
http://technet.microsoft.com/en-us/network/bb545423.aspx

 

Create an outbound rule for the applications that need it (Quicken?). Use the custom option, as that will give you the ability to set which IP addresses it can connect to only.

This will block the application from going elsewhere (if it becomes compromised), as well as continue to prevent any other software from hitting the internet.

Just be sure to create svchost.exe rules for the various windows services you want to access the internet as well (such as the Windows Defender service and the Windows Update service.

 

Self-restraint would be great; however both my wife and I need to use the machine and she is not as aware of the risks that visiting random sites on the internet represent - hence my "you can't stop it you can only hope to contain it" strategy.

Does Parental Control software really limit all inbound and outbound connections - or does it just limit what is accessable via a web browser? (e.g. does it also block other apps like Quicken?)

Alternatively - the suggestion of a local proxy seems convenient. I am looking for a relatively low-maintenance solution (would prefer to not need to add & maintain another machine as a proxy server). I suppose that is the price i pay for paranoia ;-)

DaNose

 

Maybe NIS 2008 is a way. You can configure the rules for your trusted applications and deny all others. You will get the AV-scanner from the same vendor how do you want it.

Read more

 

I was curious about NIS 2008. Apparently the 08 version is "less worse" than prior versions. Yes - minimizing the # of different vendors who provide kernel mode code is desirous.

However I wasn't sure about it's firewall. It didn't appear to support URL filtering so I wanted to get other's opinions on that before I buy.

thanks for all the input.

 

That isn´t correct. You can configure the applications separately and define the connections that you want allow or deny. See the screen. Sorry, but is German version of NIS 2008...

 

Hmmm, I would agree the the hardware router and a software firewall. As far as routers I too agree with the post above a few and for the software I would go with KIS7. It has AV and a firewall. I am working on KIS8 and modules with Parental Control, Porno ect. It also has Anti-Spam, Anti-Banner, HIPS, Proactive and System Watch, Stealth, you can set IP ranges, Intrusion Shield ect. well you get the point, it is one heck of a system to try and beat. I have beta tested a lot of firewalls and Kaspersky is loading this one the way it should be (no blowt-ware) and everything to do business with as all us beta testers want. We are looking for programmers who would like to try and make 3rd party plug-ins for even tighter security for those who need it. Please come and help if you would like. http://forum.kaspersky.com/index.php?showtopic=56789
Thanks for your time, JASTECH