New to Firewalls Questions?

Discussion in 'other firewalls' started by AtlBo, Mar 10, 2014.

Thread Status:
Not open for further replies.
  1. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    Just started using PrivateFirewall on XP SP3 a few months ago. I'm kind of new to firewalls, but I did go through 2 short stints with Comodo. I like PrivateFirewall much better, and the design of the program seems to me to hint at some real, solid thinking in the program. However, PF is the first firewall I have really stuck with.

    I need a firewall that will primarily protect against identity theft. In this light, I guess this means protecting against keylogging and rogue screenshot apps and the like. Actually, I don't know all the angles on this. Also, I am assuming that it is basically impossible to guarantee that no rogue program could ever be downloaded to the PC because of the vulnerabilities browsers create.

    All this in mind, what as a new user can I do to stop data from being transmitted through an outgoing connection? Specifically, if anyone has any experience with PF, I would like to know what to do in it. Every once in awhile I get a message that an outgoing connection has been blocked. It's always been Google or something I could explain so far. So how can I lock down all outgoing connections?

    One thought...is there a firewall that gives a user the ability to declare open browser connections as safe and then all others unsafe, so they can be blocked? This seems like a fairly surefire way to stop unwanted outgoing data transmissions.

    Again new at this, so I am all over the place. Any help appreciated...
     
    Last edited: Mar 10, 2014
  2. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    If I were you I would try Keepass2 with two channel auto-type obfuscation for passwords, IDs, credit card numbers etc. Or some of those keyscrambler applications, but I don't know much about them because I don't use any.

    http://keepass.info/help/v2/autotype_obfuscation.html
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    Yes, this is great information from both of you guys...and what I was hoping to find. Thanks, I learned a lot this evening. First I learned that PrivateFirewall doesn't pass Gibson's leak test. Got some thinking to do on this subject...
     
  5. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,692
    Location:
    Texas
    Correct me if I make an error here, but my understanding is, if you're using PF and have a router, it will be your router that gets tested. Hence in order to truly test PF, you would need to remove the router to test PF.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    For inbound, yes, that's basically it. The router will take all the inbound hits before they reach the PF.
     
  7. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    The knowledge has helped. Much appreciation.

    I do have a question about the router. I was in a discussion with someone who used to be in IT, and he said I should look into the router firewall. I tried, but the page that contained the router settings is missing. What kinds of traffic should I expect the router to shut down? Is it based on multiple connections for a web page or something similar or is this completely wrong?

    Sounds like it's mostly focused on inbound connections based on your comment Kerodo...
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    The router will (or should) block all unsolicited inbound traffic, nothing more, nothing less. If you're concerned about outbound traffic, you should realize that it is probably virtually impossible to fully control outbound without the chance of some piece of malware finding a way out. It just isn't 100% foolproof. The best thing you can do is keep the bad stuff off your machine to begin with, and to do this, you, as the user must be educated and smart enough to keep things clean. You can use all the usual security apps and such, but the bottom line is, it's up to you. Don't ever rely 100% on ANY piece of security software to protect you. That's about the best I can sum it up.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For traffic from internet, yes. But you should also test protection from traffic from your other devices/computers that are behind the same router.
     
  10. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    I tried some behavior type programs to monitor keyboard reading, unsolicited screen capture, unsolicited web cam capture, clipboard capture, and auto-fill capture. I like the ideas in some of the programs, but there appear, at least to me, to be holes in each of them. There were conflicts that I think were with the firewall too. PF monitors for key capture, unsolicited screen capture, and clipboard capture, so I wondered if that could be the problem.

    Being new to firewalls I am just content for now to learn as much as I can and see where it goes. There are probably some great firewalls that cost $$$, and I will likely pay for one after I get a real chance to look into the capabilities of a great firewall.

    I think the one thing I have learned is that I would like to see a firewall that makes it possible to search processes by activated protection element, so that a protection could be deactivated across multiple processes quickly. Maybe this is already present in PF. I need to look more carefully, but I have run across a couple of times when I would have liked to deactivate a protection for all processes with it activated, these during the testing of the behavior walls or whatever they should be called.

    Thanks for helping out.

    :)
     
  11. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Hi AtlBo:

    When using a router:
    If you do a port scan for example at "shields up" you will be scanning your router and not
    PF for open ports. I would recommend looking at the default router settings. You'll find
    info here at Wilders or just do a search on changing router settings.
    Also check the router firmware for updates.


    Comodo put out a leaktest (zip file) that simulates different exploits.
    Gibson's leak test you said you have already tried.

    Don't know how effective or accurate these tests are. Occasionally I watch videos
    of people who test AV/Firewall/Hips/ online, but some just don't know enough about configuring
    and how the program actually works. It's always good to know the potential and the
    limitations of the product you're using.

    I've used both Online Armor firewall and PrivateFirewall.

    Online Armor firewall will probably run heavier (more memory usage) than PrivateFirewall.
    That was my experience. Both firewalls claim Anti-logger protection.


    Note: I always do my testing in a virtual system just in case something happens.
    Also good to have reliable image/clone backups in place for restoring OS and important files.
     
  12. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    KeyPer4Life

    A lot to look into, but I know I should. At least it's a topic that interests me.

    On a side issue, I was looking around at toys for added protection on various download sites, and I noticed a program I hadn't seen before from MS called TCPView. I downloaded it from MS and installed, and I found that there were a significant number of connections listed in TCPView that don't appear in PF :( . The ones that concerned me the most were designated System Process connections. I found some very interesting information in these connections such as one that goes by this http:

    snt-re2-8c.sjc.dropbox.com

    I right clicked and checked the whois properties for the connection and found that this domain is actually registered to/managed by a company called MarkMonitor.com (Mark Monitor). Turns out this company represents companies by protecting their brands and trademarks. I will test later, but it appears that, the registrant being DropBox, this is something associated with DB...I allow DB connections for file sharing, so maybe I will examine that closer.

    There is another connection registered to enom.com, a company that sells net domains. This appears as an avast connection. I have no idea why. I would like to do some trial and error to see if I can find the source of these connections where it isn't listed. There is another MarkMonitor.com connection that has to do with Amazon and another for Google. These two connections puzzle me a little bit. There are 2 or 3 more of these like a web host service called AKAMAI.COM and one for which the whois contains only one line, whois.corporatedomains.com.

    Are these the result of sleaziness from developers? I can understand a company looking after its brand, and the whois data is complete for the MarkMonitor connections, but these others concern me a little bit. I would like to know why MM is watching over Amazon on this PC and over Google. I have the Google toolbar in IE8 and in Firefox, so maybe that's it, but no Amazon apps. Anyway, the whois information in the right click menu of TCPView is helpful for sure. This would be a big improvement for PF if it offered this kind of investigative tool. Deciding to blacklist a connection would be easier.

    Well, at least can I say that the LocalHost connections are safe?

    Just noticed another strange connection. GoDaddy.com is apparently snooping for LogMeIn, Inc.? The longer I watch this, the more of these seem to be popping up...
     
  13. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    @AtlBo:

    As your primary concern seems to be securing outbound connections against keylogging and identity theft, you could consider Webroot SecureAnywhere. WSA is an antimalware that can either be used as a standalone application or can be used as a supplement to an existing antivirus. On most systems, it runs very light.

    WSA has an outbound only firewall (it is intended to be used alongside the Windows firewall for inbound connections) that is linked to the antimalware component. Outbound connections from known good applications are allowed and known bad applications are blocked. Unknown processes are monitored and restricted until their status can be determined. The Identity Shield takes care of keylogging, screen grabbing, etc.

    Not only do you get outbound protection without needing to know about firewall technology, you also get enhanced protection against anything malicious getting onto the system in the first place. All actions by unknown processes are journalled so they can be reversed if the process is later determined to be malicious.

    You can read more about WSA here: http://live.webrootanywhere.com/wsapchelp

    Although an antimalware, rather than a dedicated firewall, WSA might meet your needs and could be worth considering.
     
  14. stephentony

    stephentony Registered Member

    Joined:
    Oct 2, 2003
    Posts:
    142
    Location:
    USA
    To say I couldn't agree more is a huge understatement. And for the individual who is squeamish about the way WSA works, add a conventional AV. You don't need it, but you can add it. The combo of WSA and Windows FW is so light it's ridiculous! Actually, you are seeing more companies like Panda and Avira for example, that allow you to install their security suites and use their front-end to control Windows FW outbound traffic.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    @AtlBo: Domain registration records can be confusing when multiple parties are involved. Some companies offer domain management/privacy services and thus are administratively involved on the domain records side of things. Normally, what's of most importance is who has technical control over the network/machine associated with the remote IP Address. This too can be confusing due to scenarios like:

    Company A uses Company B for hosting/services
    Company B's platform uses Company C's content delivery network for some things

    By observing a URL and/or associated forward DNS lookup, it may appear that IP Address X is assigned to Company A. However, when performing a reverse DNS lookup or IP Address assignment lookup (http://whois.arin.net/) it may appear that IP Address X is assigned to Company B or Company C.

    Understanding who is involved, and in what way, requires some investigative work and stitching the pieces of information together to form a picture. This may include forward and reverse DNS lookups, IP Address assignment lookups, traceroutes, examining domain registration records, and sometimes other steps including general searches for information about a host/address/URL in order to identify relationships between companies. At first it will be confusing, but the more you do it the easier it will become to recognize the players and how things fit together.
     
  16. AtlBo

    AtlBo Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    18
    Location:
    United States
    OK...great information thanks all of you.

    At this point, I would like to know why TCPView detects so many connections that PrivateFirewall apparently cannot detect. In Port Tracking in PF, I count at this time (as an example) 5 System connections and 2 svchost connections. In TCPView, however, there are 13-15 System connections and 3 svchost connections.

    PF appears to be missing altogether some connections. I have no idea how these have been established and don't have any way to block them. Stopping them only stops them once. Is this the result of tracking cookies? Whatever is causing the connections, will WSA detect and give me the ability to block these connections?

    I really would like to know how these connections are established. PF seems to be saying that I have not approved them, since they don't show up in PortTracking...
     