Outbound Application Filtering

Discussion in 'other firewalls' started by bigc73542, Apr 2, 2005.

Thread Status:
Not open for further replies.
  1. mlr1m

    mlr1m Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    52
    I don't get a lot of alerts either. BUT! When I set up a program for the first time I do try to run through all the program features and set them up when I install it. As a result I only get alerts when something strange happens. (almost never)

    That said, when I have set up friends' computers I sometimes miss things because I don't spend the time necessary to catch all the alerts. This leaves them with a lot of confusing alerts to look at.
    So I suppose it's all in the initial setup. Taking the time to configure it properly.

    Michael
     
  2. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    Personally, the only time I feel app-filtering is useful is when legitimate apps want to phone-home for no good reason (what the hell does my photo editor need to talk about anyway :) ). As mentioned already, there are other ways to disable outbound communication for most apps.
    I use Visnetic fw and I have enough application and back-end security in place where I don't worry about outbound trojan communication. If a trojan is able to install itself on my pc, I've screwed up pretty bad, as it has multiple layers to get through.

    The part I enjoy the most about running Visnetic is I'm able to view and analyze every packet processed by the fw in realtime. I have granular control over my ruleset and if I see any suspicious traffic I have the power to shut it down, ban it, and tarpit unwanted connection attempts. By only allowing what I specify it also eliminates a lot of junk-packets and internet back-talk that can get by other firewalls.

    Of course the topic of app-filtering or no app-filtering is not about right or wrong, it's about what works for each person and what is comfortable for the user.

    One more thing, I see the terms outbound-filtering and app-filtering used interchangeably here, but there is a difference. For example, Visnetic can filter all outbound UDP requests on port 6666 but it can't do this specifically for one application.
     
  3. Very good post Se7

    I see you're not guilty of "selective reading" and not trying to foist off your favorite pet theory or your brand of FW on everyone else.

    You stated very clearly what you didn't like about "call home" apps, and I think very objectively what you like about your firewall...and why you use it.

    Also very well done...stating what a person is comfortable with...and his/her level of knowledge.
     
  4. joter

    joter Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    163
    Location:
    Greece
    How to set up Jetico firewall to work only for application filtering and have another tool for packet filtering?

    This is just the answer from Jetico Inc. and it works fine for me.

    "You can turn off the packet filtering in JP Firewall and probably the most simple way is to remove JP Firewall packet filtering driver bc_filter.sys from Windows system directory (for example, for Windows 2000/XP it is WINDOWS/System32/Drivers)."
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Joter,

    That is an interesting observation for those who want some app filtering with Jetico. You could pretty much dispense with detailed rules in that case and set up a couple of tables to take care of just about everything. However, I found Jetico to require way too much interaction for my tastes. In fact, it is the firewall that caused me to start thinking this way.

    Just Wondering,

    I believe that I have addressed your point. With the more advanced firewalls it takes quite a while until they shut up, and it seems like it is never completely over. There is always some link in the help file or a little-used check for updates that is going to pop up. Don't forget this argument is behavioral as well as technical, so individual perceptions are involved. Also, take note that not everyone would have your level of patience in dealing with advanced application control. One of my big complaints about forums of all sorts is that persons with experience or aptitude completely forget what everyone else is like.

    By the way, I have not been pitching any particular firewall. The ones mentioned are the better known firewalls lacking outbound application filtering. Visnetic is the same as 8Signs, sold under a different name. But, in case anyone has any doubts, I do like CHX-1, 8Signs, Visnetic and the SP2 ICF.
     
  6. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
    Hello All,
    Just wanted all creatures to know how I feel about this too:

    Blue said:

    "In the grand scheme of things I can understand this. Given an option to have either a software firewall or a NAT/SPI router, I'd direct the person to go with the router for a number of reasons, the main one being that it's an independent piece of hardware and load balances against anything subsequently installed on a PC. All one needs to do is examine the load on a software firewall with and without a NAT router to understand that for most people a router should come first. Why? Once it's plugged in and set-up, there is nothing else for a user to do. No popups. No decisions. Unsolicited inbound communications are dealt with cleanly and completely. This is the route to follow even for users with a single PC, a fact which escapes many"

    Well said, BLUE!! I totally agree with this. I have been behind one for almost a year now. Your machines operate a lot more silently than with software firewalls alone, constantly blocking and logging stuff. The nice thing is if somehow something were to creep through that hardware, then the software firewall will catch it and log the attempt to boot. I cannot imagine the conditions that would occur for this to happen. ;) ;)

    I also agree Diver's points do have merit, yes they certainly do. I continue to read this thread with much interest as so many have weighed in. :)
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    If I wanted some app filtering to go with, for instance, CHX-I, I don't think Jetico is the one I'd pick. Too many prompts, as you mention, and with the lack of hash updating when upgrading an app, it's more of a nuisance than anything else IMO. I'd probably go with ZA or LnS with CHX-I. But it is interesting to note that it's possible with JPF as well...
     