Looking for a 3rd Party firewall for Windows Vista that ...

Discussion in 'other firewalls' started by DaNose, Dec 23, 2007.

Thread Status:
Not open for further replies.
  1. DaNose

    DaNose Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    6
    I am starting to set up a new PC for the sole purpose of running Quicken to monitor my finances though am paranoid about the privacy and security implications of doing so.

    In attempt to appease my perhaps unreasonable fears, I am looking for a high-quality firewall from a commercial software company with a good reputation, that I can configure such that it can only access the following sets of sites:

    1) Windows Update
    2) Security signature updates - e.g. anti-virus signature updates, etc.
    3) Relevant app update sites - e.g. Quicken, Mozilla, Acrobat Reader, etc.
    4) small set of trusted financial sites e.g. bank, broker, etc.

    I will use Vista as a standard-user and will NOT use the machine to browse any other sites; it is a dedicated machine.

    I was told to look for a firewall that supports URL filtering; however I haven't yet come across any Windows host based firewalls that claim that as a feature.

    A couple other goals:
    1) Ideally this firewall is part of a decent quality security suite w/ a strong anti-virus component - I don't want to install lots of kernel mode code from a # of different vendors (e.g. anti-virus from one vendor, firewall from another, etc)

    2) I want to actually block inbound and outbound connections from other sites at an IP level - (e.g. a phishing filter in a browser is not what I am looking for).

    3) Online Armor claims something like this - a "banking mode". I am not looking for banking as a "mode".

    Your advice and inputs are greatly appreciated - DaNose
     
  2. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    Use the built-in Firewall of Vista and block all. Set your favourites as exceptions, activate Windows-Defender and DEP and install a good AV-Scanner. Avast is a good recommendation for Vista. Light, fast and sufficient.
     
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Hopefully you have a NAT-enabled router and it's configured with your own password (not the default). Turn off UPnP and you're already in pretty good shape. Jetico has been getting a lot of attention for their firewall. I haven't used it, but people I respect have good things to say about it.

    Also, DevilFrank, does the VISTA firewall still default to "allow" for outbound connections? It's great to have the bi-directional protection, but it might help if they - you know - turned it on! I know their concern was support calls ("A message pops up that says 'do you want to allow..."), but really, that was horrible and surely they have fixed that?
    http://www.pcworld.com/businesscent...ista_firewall_fails_on_outbound_security.html

    http://members.rushmore.com/~jsky/id34.html

    Good luck, DaNose.....
     
  4. DaNose

    DaNose Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    6
    Thanks for the good advice. Yes, I have a router w/ NAT & fairly unique password I set.

    DevilFrank : I have a question about Exceptions w/ Vista Firewall:

    How do I handle the case where a financial institution uses some form of load-balancing (e.g., they run 8 servers) where they have names like www.bank.com, ww1.bank.com, ww2.bank.com, ww3.bank.com, ww4.bank.com, ww5.bank.com, ww6.bank.com, ww7.bank.com? I suppose the hard case is not really knowing if/when or how to handle the event they add a 9th (or more) server into their serverfarm.

    I was told by a guy who knows more about firewalls than I that this is basically why I needed a firewall that does URL filtering, and he implied that the built-in firewall in Vista does not include such functionality?

    Thanks, DaNose
     
  5. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    In all honesty, if you are that concerned about internet banking with these conditions you most likely are doing something that needs to be hidden.
     
  6. DaNose

    DaNose Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    6
    Nothing illegitimate. If I wanted to do that - I suspect there are other resources that may be better sources of information for such.

    Rather I am just out to protect my identity, access to high-value accounts, and access to high value information - aka a Quicken file of everything.

    I suppose I could just flat out ask all the financial firms I do business with to disable online access to all my accounts, and instead type all account activity into Quicken by hand. However, experience tells me that is fairly impractical. I am fond of the hypothesis of a very-locked-down dedicated PC as a bit more practical.

    thanks for the input, DaNose
     
  7. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Pretty much any firewall that has network and program capabilities will do, then.

    I would advise against using any public networks, especially open ones. And I might look into VPN software, too.
     
  8. DaNose

    DaNose Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    6
    I wish financial institutions offered VPN logins instead of websites on the internet - and required authentication via smart card (or equivalent). Know of any decent financial institutions that do?

    I don't think one of the institutions I currently do business with do :-(

    DaNose
     
  9. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Well, yes, I do know of some that have VPNs, but only for employees.
     
  10. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Firewalls with URL filtering are usually used in a corporate environment where HTTP connections run through a proxy. I can think of 3 alternatives.

    1) Run a local proxy (http://wiki.castlecops.com/Lists_of_freeware_proxy_software) and URL filter through the local proxy. Then have the firewall block everything except a) browser to connect from localhost:non service port to localhost:http/https b) proxy to connect from localhost:http/https to bankip:http/https. For bankip, just do a whois on the bank and get the IP range. Getting bankip is not essential but will help with phishing attacks.

    2) Buy a SOHO firewall with content filter capabilities. Watchguard Firebox x10, Cisco PIX 501, Untangle platform come to mind.

    3) Use parental controls software like netnanny.
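
The filtering decision behind option 1 above, as an added example that is not part of the original post or of any proxy product: match requests by domain so that a new load-balanced name such as ww9.bank.com passes without a rule change, then check the resolved address against the bank's range. The policy table, the 203.0.113.0/24 range and windowsupdate.example are constructed placeholders.

```python
import ipaddress

# Constructed policy for illustration: allowed domain -> address ranges the
# owner is assumed to use (RFC 5737 documentation range, not real bank data).
# An empty list means "filter on the name only".
POLICY = {
    "bank.com": ["203.0.113.0/24"],
    "windowsupdate.example": [],
}


def normalize(host):
    """Lower-case the name, drop a :port suffix and a trailing dot."""
    host = host.strip().lower()
    if host.count(":") == 1:          # host:port (IPv6 literals are not handled)
        host = host.split(":")[0]
    return host.rstrip(".")


def matching_domain(host):
    """Return the policy domain that covers host, or None.

    A host is covered when it equals the domain or ends with "." + domain.
    Comparing whole labels keeps notbank.com and bank.com.evil.example out
    while letting ww9.bank.com in without a new rule.
    """
    host = normalize(host)
    for domain in POLICY:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def allowed(host, resolved_ip):
    """Decide one outbound request: name on the list and address in range."""
    domain = matching_domain(host)
    if domain is None:
        return False
    networks = POLICY[domain]
    if not networks:
        return True
    try:
        addr = ipaddress.ip_address(resolved_ip)
    except ValueError:
        return False                  # unparsable address: fail closed
    return any(addr in ipaddress.ip_network(n) for n in networks)
```

The address check is what catches a correct name that resolves somewhere unexpected; a name-only filter would let that request through.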
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Why don't you put a password on the machine and enforce the policy through self restraint? Or, do you have an employee doing the work on it for you?
     
  12. Vettetech

    Vettetech Former Poster

    Joined:
    Nov 24, 2007
    Posts:
    339
    ZA allows you to lock the internet with a password.
     
  13. ProSecurity

    ProSecurity Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    123
    Guy, the best advice for someone who classifies themself as "paranoid" is TRUST NO ONE.
    Reputable software company?
    HaHa!
    Have you ever read any of these software licensing agreements?
    THEY ALL CLAIM NO LIABILITY.
    Best answer?
    Ask your financial institution what they recommend, so at least you will have someone to sue if something goes wrong!
     
  14. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    DaNose,

    if you know the subnet of the serverfarm, you can configure the endpoints at the Vista Firewall as exceptions.
    Of course, the Vista firewall is tricky and not a set-up and forget it tool.

    For more information start here:
    http://technet.microsoft.com/en-us/network/bb545423.aspx
     
  15. Hangetsu

    Hangetsu Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    259
    Create an outbound rule for the applications that need it (Quicken?). Use the custom option, as that will give you the ability to set which IP addresses it can connect to only.

    This will block the application from going elsewhere (if it becomes compromised), as well as continue to prevent any other software from hitting the internet.

    Just be sure to create svchost.exe rules for the various Windows services you want to access the internet as well (such as the Windows Defender service and the Windows Update service).
     
  16. DaNose

    DaNose Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    6
    Self-restraint would be great; however both my wife and I need to use the machine and she is not as aware of the risks that visiting random sites on the internet represent - hence my "you can't stop it you can only hope to contain it" strategy.

    Does Parental Control software really limit all inbound and outbound connections - or does it just limit what is accessible via a web browser? (e.g. does it also block other apps like Quicken?)

    Alternatively - the suggestion of a local proxy seems convenient. I am looking for a relatively low-maintenance solution (would prefer to not need to add & maintain another machine as a proxy server). I suppose that is the price I pay for paranoia ;-)

    DaNose
     
  17. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    Maybe NIS 2008 is a way. You can configure the rules for your trusted applications and deny all others. You will get the AV-scanner from the same vendor, as you want it.

    Read more
     
  18. DaNose

    DaNose Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    6
    I was curious about NIS 2008. Apparently the 08 version is "less worse" than prior versions. Yes - minimizing the # of different vendors who provide kernel mode code is desirous.

    However I wasn't sure about its firewall. It didn't appear to support URL filtering so I wanted to get others' opinions on that before I buy.

    thanks for all the input.
     
  19. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    That isn't correct. You can configure the applications separately and define the connections that you want to allow or deny. See the screen. Sorry, but it is the German version of NIS 2008...
     

  20. JASTECH

    JASTECH Registered Member

    Joined:
    Oct 23, 2007
    Posts:
    38
    Hmmm, I would agree with the hardware router and a software firewall. As far as routers I too agree with the post above a few and for the software I would go with KIS7. It has AV and a firewall. I am working on KIS8 and modules with Parental Control, Porno etc. It also has Anti-Spam, Anti-Banner, HIPS, Proactive and System Watch, Stealth, you can set IP ranges, Intrusion Shield etc. Well, you get the point, it is one heck of a system to try and beat. I have beta tested a lot of firewalls and Kaspersky is loading this one the way it should be (no bloatware) and everything to do business with as all us beta testers want. We are looking for programmers who would like to try and make 3rd party plug-ins for even tighter security for those who need it. Please come and help if you would like. http://forum.kaspersky.com/index.php?showtopic=56789
    Thanks for your time, JASTECH
     