Strictly Outbound?

Discussion in 'other firewalls' started by 19monty64, Sep 4, 2007.

Thread Status:
Not open for further replies.
  1. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    This came up in another thread, and I thought that I'd start a new thread dealing with this topic. My question is whether there are any firewalls (free/paid) that can be used to just monitor (filter) outbound connections? I use a router, so the software firewall monitoring inbound seems redundant.
     
  2. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think it would be very silly to develop a firewall with only outbound support. This does not make much sense because the resources are almost the same while functionality is very partial. Take any one and make a rule "Allow, Inbound, All". In such a way you will convert any firewall to outbound only :)
     
  3. Gen

    Gen Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    73
    Yes, as he said, pick any firewall you like/your system likes, configure the outbound protection you need and make sure to allow all incoming connections should you need to 'disable' incoming monitoring.
     
  4. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I couldn't find the thread that I had read before, that mentioned a firewall that you could shut off inbound monitoring by way of options-menu. I ask because I was thinking of trying out the firewall, got distracted and forgot about it. Now I can't remember which one it was o_O Yes, I realize the "allow all" rule...
     
  5. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum

    I believe Look'n'Stop and/or Kerio 2.x will do this or you could just run a HIPS program like System Safety Monitor, Prosecurity, and AppDefend.
     
  6. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    This has already been discussed here several times; here are two such discussions and I'm pretty sure you could find more using the forum search.

    https://www.wilderssecurity.com/showthread.php?t=177234&highlight=outbound

    https://www.wilderssecurity.com/showthread.php?t=174914&highlight=outbound
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    In my humble opinion the benefits from disabling the inbound monitor are quite delusive. 0.1-1% at most depending on the implementation. If you look for the outbound protection it seems HIPS features are more important than anything else because a firewall without HIPS does not really protect outbound and can be easily tricked by a not too skilled intruder.
     
  8. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Aha, this is the thread I had read!!! LnS was the one, I'll dLo right now b4 I forget again! Thanx 4 ur replies!!!
     
  9. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I agree, and I forgot to mention that I have HIPS already. I had read a thread about a firewall that would be a good starting point. After my last re4mat, I decided to stop changing my security set-up so often. I've been reading so many different posts (at several forums) trying to narrow down my list of possible f/w's down to 3-4. Thanx for all ur replies!
     
  10. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    The latest trend in malware is to disable the firewall altogether. That makes outbound filtering and leak testing an illusion from the perspective of using it as last ditch detection of malware. It's only useful to keep media players and odd components of Windows from phoning home.
     
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    One guy made some tests concerning protection deactivation. I think it can be interesting: http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm
     
  12. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    OK, so now I need security for my security apps. And who will protect this pc from me...I feel the need to "over-load" on security apps again! lol
     
  13. Beavenburt

    Beavenburt Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    566
    Threatfire might be worth a try. You can make advanced rules for outbound network access. It's a pain to create the rules but it works.
     
  14. herbalist

    herbalist Guest

    Even when used with a hardware firewall, a software firewall is still useful for inbound control. A software firewall allows you to control inbound and outbound connections for applications individually. A separate hardware firewall works on an overall basis. If an app on your system needs to receive incoming traffic, a software firewall can permit that traffic for the app that needs it while blocking that traffic from connecting to anything else. Hardware firewalls can control inbound traffic based on its protocol, the IP it comes from, and the port it uses, but not on a "per application" level.

    HIPS programs with network access components have a similar problem. They can control whether a specific app can have internet access but not the port and protocol it uses or what IP(s) it can connect to. With HIPS, it's yes or no.

    Hardware firewalls, software firewalls, and HIPS with network access components all have different strengths. Each is a poor substitute for the other. The hardware firewall is best suited for blocking attacks from the internet. Software firewalls are the best for controlling traffic of legitimate applications. HIPS are best for making sure that the apps (and their traffic) are legitimate and not under the control of another unwanted process. You'll achieve the most secure results if you choose and configure apps/hardware with this in mind.
    Rick
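
The three layers compared in the post above, modeled as an added example (not part of the original post): the same flows are judged by a router rule set, a per-application host firewall rule set, and a HIPS-style yes/no list. The application names, addresses, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    app: str         # process owning the socket (visible only on the host)
    direction: str   # "in" or "out"
    proto: str
    remote_ip: str
    port: int        # local port for inbound, remote port for outbound

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port: Optional[int] = None       # None = any port
    remote_net: str = "0.0.0.0/0"
    app: Optional[str] = None        # only a host firewall can use this

def net_match(rule, flow):
    return (rule.direction == flow.direction and rule.proto == flow.proto
            and rule.port in (None, flow.port)
            and ip_address(flow.remote_ip) in ip_network(rule.remote_net))

def hardware_firewall(rules, flow):
    # Sees packets on the wire: protocol, IP, port, never the process.
    return any(net_match(r, flow) for r in rules)

def software_firewall(rules, flow):
    # Same network criteria, plus the application that owns the socket.
    return any(net_match(r, flow) and r.app == flow.app for r in rules)

def hips_network(allowed_apps, flow):
    # Yes/no per application; port, protocol and remote IP are not considered.
    return flow.app in allowed_apps

# Constructed policy: one app accepts inbound TCP 6881, the browser may use 443.
ROUTER = [Rule("in", "tcp", 6881), Rule("out", "tcp")]
HOST_FW = [Rule("in", "tcp", 6881, app="p2p.exe"),
           Rule("out", "tcp", 443, app="browser.exe")]
HIPS_ALLOWED = {"p2p.exe", "browser.exe"}

def verdicts(flow):
    return (hardware_firewall(ROUTER, flow), software_firewall(HOST_FW, flow),
            hips_network(HIPS_ALLOWED, flow))

if __name__ == "__main__":
    for f in (Flow("p2p.exe", "in", "tcp", "203.0.113.7", 6881),
              Flow("other.exe", "in", "tcp", "203.0.113.7", 6881),
              Flow("p2p.exe", "out", "tcp", "198.51.100.9", 25)):
        print(f.app, f.direction, f.port, verdicts(f))
```

Each tuple is (router, host firewall, HIPS): the router cannot tell the two listeners on port 6881 apart, and the HIPS list cannot restrict an allowed application to a port or address.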
     
  15. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Well, I didn't install the software firewall. I continued along the path that I had originally intended. (A good day's sleep helps :thumb: ) I got hardening-tools to secure the OS itself by closing the open holes of unneeded services, etc. I also remembered an app Bellgamin had recommended to me, called Tiny Watcher, that monitors installations. As far as s/w-firewalls are concerned, that'll hafta wait. I'm gonna use ThreatFire's protection with advanced rulesets to tighten some more. Might as well stick with the devil I know.... P.S.-Thanx for the food for thought ideas, it helped narrow my search and clear my thoughts o_O
     
  16. tisungho

    tisungho Registered Member

    Joined:
    May 27, 2007
    Posts:
    148
  17. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
  18. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Actually, he was saying outbound control isn't that important, in relation to the Vista-firewall only needing the default inbound control. I would still say HIPS are important, but I don't use Vista to know if that is important with the new OS o_O
     
  19. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408

    Absolutely, I would not connect online without one installed. :thumb:
     
  20. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Some interesting stuff here. The malware unhooking test was against HIPS programs, not firewalls or AV's. If this stuff can disable some rarely used HIPS, I wonder what it could do to a widely used firewall or AV.

    A magazine article cited is dismissive of outbound filtering, and at least one member here is dismissive of that article.

    There is a link to Sphinx Vista Firewall control, I am going to try that. Also several members have been raving about Sandboxie. I don't know how much that would improve on IE7 in Vista, but it might be worth a try with Firefox.
     
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    No, not this way. Unhooking test was against ANY security software that uses kernel hooks. It tried to unhook kernel hooks and then do something. In case an attempt was successful it could do whatever it wished. AV or FW just didn't see it.
     
  22. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Sandboxie can be configured to "act as a firewall" quite easily, but I've seen in their forum some issues with it in Vista. (I have Sandboxie also)
     
  23. Save_the_USA

    Save_the_USA Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    1
    Clearly, reasonable inbound perimeter protection can be accomplished by using one of many good hardware devices, some of which are very inexpensive and designed for use in the home.

    When personal firewalls first came on the scene they were a welcome addition. They gave basic inbound protection to the average user, savvy enough to at least take basic precautions. They also provided a moderate level of outbound protection for all personal computers, including those already protected by perimeter firewalls.

    Then came a period of mergers and buyouts. Many of the trusted personal firewalls once produced by innovative, small businesses were now owned by large publicly traded security companies. No longer eager to provide "free" personal firewalls to individual users, they began shaving features which eventually rendered the "free" personal firewall nearly impotent and reduced the paid versions to mere skeletons.

    Thus, few remain today and many of the best are disappearing from the infosec marketplace, just as malware is becoming more sophisticated in response to Microsoft's bundling of basic protection with its OS's.

    Here's an interesting discussion on the current state of affairs with Leo LaPorte and Steve Gibson: http://www.twit.tv/sn105

    Download the mp3 for show #105, August 17, 2007 and go to the 20 minute mark in the program where the discussion begins.
     