This came up in another thread, and I thought that I'd start a new thread dealing with this topic. My question is whether there are any firewalls (free/paid) that can be used to just monitor (filter) outbound connections? I use a router, so the software firewall monitoring inbound seems redundant.
I think it would be very silly to develop a firewall with only outbound support. This doesn't make much sense because the resources are almost the same while functionality is very partial. Take any one and make a rule "Allow, Inbound, All". In such a way you will convert any firewall to outbound only.
Yes, as he said, pick any firewall you like / your system likes, configure the outbound protection you need and make sure to allow all incoming connections should you need to 'disable' incoming monitoring.
I couldn't find the thread that I had read before, that mentioned a firewall that you could shut off inbound monitoring by way of options-menu. I ask because I was thinking of trying out the firewall, got distracted and forgot about it. Now I can't remember which one it was. Yes, I realize the "allow all" rule...
I believe Look'n'Stop and/or Kerio 2.x will do this or you could just run a HIPS program like System Safety Monitor, Prosecurity, and AppDefend.
This has already been discussed here several times; here are two such discussions and I'm pretty sure you could find more using the forum search. https://www.wilderssecurity.com/showthread.php?t=177234&highlight=outbound https://www.wilderssecurity.com/showthread.php?t=174914&highlight=outbound
In my humble opinion the benefits from disabling inbound monitor are quite delusive. 0.1-1% at most depending on the implementation. If you look for the outbound protection it seems HIPS features are more important than anything else because a firewall without HIPS does not really protect outbound and can be easily tricked by a not too skilled intruder.
Aha, this is the thread I had read!!! LnS was the one, I'll dLo right now b4 I forget again! Thanx 4 ur replies!!!
I agree, and I forgot to mention that I have HIPS already. I had read a thread about a firewall that would be a good starting point. After my last re4mat, I decided to stop changing my security set-up so often. I've been reading so many different posts (at several forums) trying to narrow down my list of possible f/w's down to 3-4. Thanx for all ur replies!
The latest trend in malware is to disable the firewall altogether. That makes outbound filtering and leak testing an illusion from the perspective of using it as last-ditch detection of malware. It's only useful to keep media players and odd components of Windows from phoning home.
One guy made some tests concerning protection deactivation. I think it can be interesting: http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm
OK, so now I need security for my security apps. And who will protect this pc from me...I feel the need to "over-load" on security apps again! lol
Threatfire might be worth a try. You can make advanced rules for outbound network access. It's a pain to create the rules but it works.
Even when used with a hardware firewall, a software firewall is still useful for inbound control. A software firewall allows you to control inbound and outbound connections for applications individually. A separate hardware firewall works on an overall basis. If an app on your system needs to receive incoming traffic, a software firewall can permit that traffic for the app that needs it while blocking that traffic from connecting to anything else. Hardware firewalls can control inbound traffic based on its protocol, the IP it comes from, and the port it uses, but not on a "per application" level. HIPS programs with network access components have a similar problem. They can control whether a specific app can have internet access but not the port and protocol it uses or what IP(s) it can connect to. With HIPS, it's yes or no. Hardware firewalls, software firewalls, and HIPS with network access components all have different strengths. Each is a poor substitute for the other. The hardware firewall is best suited for blocking attacks from the internet. Software firewalls are the best for controlling traffic of legitimate applications. HIPS are best for making sure that the apps (and their traffic) are legitimate and not under the control of another unwanted process. You'll achieve the most secure results if you choose and configure apps/hardware with this in mind. Rick
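The per-application control described in the post above, as an added example that is not part of the original thread: Windows Firewall rules written with the NetSecurity cmdlets, contrasting a rule bound to one program with a port-only rule of the kind a router can express. The program path, rule names and remote address range are constructed placeholders.

```powershell
# Added example. Run from an elevated PowerShell session
# (Windows 8 / Server 2012 or later, NetSecurity module).
# Path, rule names and addresses below are constructed placeholders.

$app = 'C:\Program Files\ExampleApp\example.exe'   # hypothetical application

# Outbound filtering only has an effect once the default outbound action is Block.
# This is a machine-wide change: programs without an allow rule lose network access.
# Revert with -DefaultOutboundAction Allow.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

# Per-application outbound rule: this program only, TCP 443 only, one remote range only.
New-NetFirewallRule -DisplayName 'ExampleApp out HTTPS' `
    -Direction Outbound -Action Allow `
    -Program $app -Protocol TCP -RemotePort 443 `
    -RemoteAddress 203.0.113.0/24

# Per-application inbound rule: TCP 8080 is accepted only when example.exe
# is the listener. Another process binding 8080 is not covered by this rule.
New-NetFirewallRule -DisplayName 'ExampleApp in 8080' `
    -Direction Inbound -Action Allow `
    -Program $app -Protocol TCP -LocalPort 8080

# For contrast, a port-only rule (what a router's port forward amounts to):
# any program listening on 8080 would be reachable. Created disabled on purpose.
New-NetFirewallRule -DisplayName 'Port 8080 in (any program)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 8080 -Enabled False

# Review which program each ExampleApp rule is bound to.
Get-NetFirewallRule -DisplayName 'ExampleApp*' | Get-NetFirewallApplicationFilter
```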
Well, I didn't install the software firewall. I continued along the path that I had originally intended. (A good day's sleep helps.) I got hardening-tools to secure the OS itself by closing the open holes of unneeded services, etc. I also remembered an app Bellgamin had recommended to me, called Tiny Watcher, that monitors installations. As far as s/w-firewalls are concerned, that'll hafta wait. I'm gonna use ThreatFire's protection with advanced rulesets to tighten some more. Might as well stick with the devil I know.... P.S.-Thanx for the food for thought ideas, it helped narrow my search and clear my thoughts.
Hi, I found this one on PCWorld. This guy sounded like the firewall doesn't mean that much for pc security. http://www.pcworld.com/article/id,133212-page,1-c,privacysecurity/article.html
I won't even waste my time reading the article, the firewall is a major part of PC security and if he says it is not he is very uninformed.
Actually, he was saying outbound control isn't that important, in relation to the Vista-firewall only needing the default inbound control. I would still say HIPS are important, but I don't use Vista to know if that is important with the new OS.
Some interesting stuff here. The malware unhooking test was against HIPS programs, not firewalls or AV's. If this stuff can disable some rarely used HIPS, I wonder what it could do to a widely used firewall or AV. A magazine article cited is dismissive of outbound filtering and at least one member here is dismissive of that article. There is a link to Sphinx Vista Firewall control, I am going to try that. Also several members have been raving about Sandboxie. I don't know how much that would improve on IE7 in Vista, but it might be worth a try with Firefox.
No, not this way. Unhooking test was against ANY security software that uses kernel hooks. It tried to unhook kernel hooks and then do something. In case an attempt was successful it could do whatever it wished. AV or FW just didn't see it.
Sandboxie can be configured to "act as a firewall" quite easily, but I've seen in their forum some issues with it in Vista. (I have Sandboxie also)
Clearly, reasonable inbound perimeter protection can be accomplished by using one of many good hardware devices, some of which are very inexpensive and designed for use in the home. When personal firewalls first came on the scene they were a welcome addition. They gave basic inbound protection to the average user, savvy enough to at least take basic precautions. They also provided a moderate level of outbound protection for all personal computers, including those already protected by perimeter firewalls. Then came a period of mergers and buyouts. Many of the trusted personal firewalls once produced by innovative, small businesses were now owned by large publicly traded security companies. No longer eager to provide "free" personal firewalls to individual users, they began shaving features which eventually rendered the "free" personal firewall nearly impotent and reduced the paid versions to mere skeletons. Thus, few remain today and many of the best are disappearing from the infosec marketplace, just as malware is becoming more sophisticated in response to Microsoft's bundling of basic protection with its OS's. Here's an interesting discussion on the current state of affairs with Leo Laporte and Steve Gibson: http://www.twit.tv/sn105 Download the mp3 for show #105, August 17, 2007 and go to the 20 minute mark in the program where the discussion begins.