Windows Firewall with Advanced Security (Guide for Vista)

Discussion in 'other firewalls' started by Stem, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. Rain_Train

    Rain_Train Registered Member

    Joined:
    Aug 27, 2008
    Posts:
    142
    I appreciate the detailed reply, Stem :) . I do use AntiVir Personal as antivirus software, and it's no problem for me to use a third-party firewall. My main concern was that Vista Firewall was full of holes and could easily be bypassed by an experienced hacker.

    So I guess my primary concern is more along the lines of inbound filtering. For example, when I connect to a public, unsecured wireless network, can the firewall protect me just as well as any other basic firewall (configured properly and with Advanced Mode, but compared to a firewall with no HIPS), should Mr. Black Hat attempt to try to hack in?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The Vista firewall for filtering inbound is better than most 3rd party implementations I have looked at, and is actually less open to possible misconfiguration if correctly set up. Actually, the inbound filtering of the XP firewall is better than some 3rd party firewalls.

    As a simple example, I personally would not use a 3rd party firewall with Vista unless it was filtering the current implementation of IPv6.


    - Stem
     
  3. JohnnyDollar

    JohnnyDollar Guest

    Well I'm giving it a try, experiencing a little learning curve but, so far so good. I have all my apps and some services configured. Windows time, windows update, windows help. Any other suggestions as to windows services that I should be letting through other than core networking and network discovery? I am on a home network by the way with network discovery on and password protected sharing.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It certainly sounds like you are doing well with configuration. The main point to remember with any of the Windows services is to bind them to the rule, and there are not many that actually need Internet access to function.

    Do you now have a "Block all not allowed" policy in force?

    I just set up the firewall on a "Public" profile with just 4 rules, to see how it behaves.

    Thanks for the feedback.

    - Stem
     
  5. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Hi Stem,

    Thanks for the guide.

    I just hope I don't get disc by changing to block outbound connection. I'll try it later.
    Is vista's firewall log clear enough for me to figure out what rule I need to add if something doesn't work any more?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi bonedriven,

    You should be OK. Just take your time. Set up your browser rules first, as shown earlier in the thread, then set all policies to "block all outbound", and set the logging to log any blocked packets.
    Blocked packets will show the protocol, local/remote IP/ports, so rules can be made. If you do have problems, then just go back to allow all outbound and post info on what application cannot connect and the log details.

    There is a bit of a learning curve, but as I mentioned earlier, most updaters usually only require outbound TCP remote port 80, so that is a starting point for most applications.



    - Stem
     
  7. JohnnyDollar

    JohnnyDollar Guest

    Network Discovery and Core Networking were preconfigured for inbound and outbound. I wasn't sure if I should disable the inbound for those two, so I left them alone. I am thinking that inbound is needed for those two because I am on a home network behind a router, but I don't know that for sure. Everything else has been configured by me for outbound only (svchost Windows Time, Windows Help, svchost Update) and applications. I am running Vista x64 and was not sure if I should allow either %SystemRoot%\SysWOW64\svchost.exe or %SystemRoot%\System32\svchost.exe or both, so I configured rules for both 32 and 64 bit winupdate and wintime. Some of the rules I don't have ports assigned to them because I just don't know which ports to assign (can they be any ports or specific ports?). I am not sure which protocol to use either, so I just used TCP for everything that I configured. Network Discovery and Core Networking were preconfigured with various ports and protocols.
     

  8. JohnnyDollar

    JohnnyDollar Guest

    I didn't read this post until after I submitted mine. I have to reconfigure a little then. So viewing the blocked traffic will give you your ports and protocols. OK.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is dependent on user needs. The inbound core networking is based mainly around IGMP and the IPv6 current implementation. Network Discovery is the equivalent of the Win_XP SSDP/UPnP.

    I do not currently have a 64 bit Windows OS. I have read up on such but do not advise based on reading, only on actual setup/tests.


    For win_updates I showed the config of protocol/ports in the first posts on the thread. Ensure that such services are bound to the actual service as shown.


    - Stem
     
  10. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    AVG 8.0 can't update after I block outbound by default with additional rules for avgtray.exe.

    According to the log file, my rules were as follows:

    TCP: allow my IP to any IP, destination port 80

    UDP: allow my IP to any IP, destination port 53

    I don't know why, but the log still showed that traffic that fires my rules was blocked.


    I wanted to check if avgtray is the right file to make rules for, then I changed my rules to:

    TCP: allow my IP to any IP, any port to any port
    UDP: allow my IP to any IP, any port to any port

    Then I saw these logs, which I had no clue about at all. What is 10.1.1.2 anyway?

    2009-04-24 22:54:51 DROP TCP 192.168.11.89 10.1.1.2 49587 2186 0 - 0 0 0 - - - SEND
    2009-04-24 22:54:52 DROP TCP 192.168.11.89 10.1.1.2 49587 2186 0 - 0 0 0 - - - SEND
    2009-04-24 22:54:53 DROP TCP 192.168.11.89 10.1.1.2 49587 2186 0 - 0 0 0 - - - SEND

    So frustrated. I think I'm giving up here. o_O
     
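An added example (not code from the thread, from Microsoft or from any poster): a small Python parser for pfirewall.log records in the W3C-style layout of the three lines quoted above, grouping dropped packets by direction, protocol, remote address and the port a rule would need, which is the reading-off step Stem describes in post 6. The field order follows the log's own "#Fields:" header; the sample log is constructed for this example around the three posted lines.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Field order from the "#Fields:" header of pfirewall.log (Windows Firewall with Advanced Security).
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port",
          "dst_port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin",
          "icmptype", "icmpcode", "info", "path")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One log record as a dict; None for header (#...), blank or malformed lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def summarise_drops(lines: Iterable[str]) -> Counter:
    """Count DROP records by (direction, protocol, remote ip, port a rule would need).
    path=SEND is outbound (remote = dst ip/port); path=RECEIVE is inbound
    (remote = src ip, dst_port is the local port that was probed)."""
    counts: Counter = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] != "DROP":
            continue
        if rec["path"] == "SEND":
            key = ("outbound", rec["protocol"], rec["dst_ip"], rec["dst_port"])
        else:
            key = ("inbound", rec["protocol"], rec["src_ip"], rec["dst_port"])
        counts[key] += 1
    return counts

def describe(counts: Counter) -> List[str]:
    """Readable summary, most-dropped first, to decide which allow rule is missing."""
    return [f"{d} {proto} {'to' if d == 'outbound' else 'from'} {ip} port {port}: {n} drops"
            for (d, proto, ip, port), n in counts.most_common()]

# Constructed sample: the three lines from the post above plus three made-up records.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-04-24 22:54:51 DROP TCP 192.168.11.89 10.1.1.2 49587 2186 0 - 0 0 0 - - - SEND
2009-04-24 22:54:52 DROP TCP 192.168.11.89 10.1.1.2 49587 2186 0 - 0 0 0 - - - SEND
2009-04-24 22:54:53 DROP TCP 192.168.11.89 10.1.1.2 49587 2186 0 - 0 0 0 - - - SEND
2009-04-24 22:55:10 DROP UDP 192.168.11.89 192.168.11.1 51234 53 60 - - - - - - - SEND
2009-04-24 22:55:11 ALLOW TCP 192.168.11.89 192.168.11.1 49600 80 0 - 0 0 0 - - - SEND
2009-04-24 22:55:20 DROP TCP 203.0.113.7 192.168.11.89 44000 445 48 S 1 0 8192 - - - RECEIVE
"""

if __name__ == "__main__":
    print("\n".join(describe(summarise_drops(SAMPLE_LOG.splitlines()))))
```

The top summary line for the sample is the repeated outbound TCP attempt to 10.1.1.2 port 2186, which is exactly the detail (protocol plus remote port) an allow rule bound to the updater would need; the log itself does not record the program name.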
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Does it deal with the IP level (ARP etc.)?
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am just downloading AVG free to set up. The download is quite slow so will post back findings once done.


    - Stem
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    There is no ARP filtering.


    - Stem
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Stem, is it possible for you to explain hierarchy or usage in this situation. I have 2 TeamSpeak servers up online. One is using a firewall (Outpost Pro), the other XPFW and IPsec. Both are XP Pro SP2 machines. The one using Outpost is not in question. The one using IPsec is.

    In my ipsec rules, I have stated that LAN traffic, router traffic and DNS traffic to my DNS servers are allowed. Then I state that any remote IP can communicate to this machine only on port XYZ. And of course the obligatory block all rule.

    This is an easy method to lock down all traffic except what I want. As there are no other ports open, no file sharing, no programs, and it is never used for anything, I don't worry about needing to watch applications. Besides, port forwarding in the router probably hinders attacks on ports if they were open.

    So, if this machine were running Vista, would you create rules in the firewall, perhaps for the application (and bind them, I believe)? Or would you continue to use the simple IPsec approach? Not which would you do, but from what you know, which would prove most secure/stable/etc.

    Sul.
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Sul,

    If you are setting up a secure connection in Vista, then it is a case of first creating rules in the firewall for the outbound and inbound (if required), placing the application within the rule. In the firewall rule you then enable the option in the rule preferences to "Allow only secure connections"; there is also an option for "Require encryption" if applicable. You then set up a rule in the "Connection Security Rules" which gives you various options for the connection type (such as tunneling), and then other info such as endpoints can be placed.

    - Stem
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks Stem.
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Only Avgupd.exe requires direct internet access for updates.

    There does appear to be some problem due to the AVG linkscanner, I will need to see what the problem is and what the firewall is intercepting. If you disable the linkscanner then the connections/updates can be made.


    edit:
    With the AVG linkscanner enabled even the browsers will fail to connect. This problem needs attention from AVG.


    - Stem
     
    Last edited: Apr 24, 2009
  18. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    OK, so I added the wrong executable file.

    I don't use Linkscanner.

    Now I understand what a third-party firewall is worth. It has a more friendly GUI!
    Besides, you can't refresh Vista's firewall log as it is only plain text, and you can't read what program is blocked.
    But you said Vista firewall's inbound protection was better than most third-party ones. That is a surprise.
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Then use a 3rd party firewall.
    You could use the free Vista Firewall Control, which will give a popup for 3rd party applications being blocked.


    - Stem
     
  20. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Thanks. You should have told us earlier. :blink:
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I thought I had. Unfortunately it was posted to another thread.


    - Stem
     
  22. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Is there any case or evidence of anyone bypassing Vista firewall? What was his name and what news report reported on it?
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think the answer depends much on what you personally regard as "bypass".
    Technically speaking I'm sure Vista firewall does its job pretty well. Though, it definitely fails most of the advanced leaktests. Why? Just because it was never designed to handle them (and hardly ever will be).
     
  24. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    What you need to keep in mind is that those "Leaktests" are a scam, and only there to promote and sell particular firewalls, and in realistic terms, are not a genuine threat in the "real world" of the internet.

    I've been using the Internet since it began, and I have never ever been affected by any "leaks", and I have only ever used the Windows XP and now Vista firewalls.

    It's all one big scam to deceive the ignorant into paying money.
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I'm sorry, but your logic "I was using XXX much and I never was YYY" is a bit flawed. Actually, leaktests are leaktests, not more and not less. They demonstrate the ways to transfer information in an unauthorized way. Trust me, I have used the inet not less than you and I believe my sensitive information never left my computer (but let us be fair, how can one know it for sure?). Though, despite my personal experience, I saw a lot of the cases where info leaked. In most cases the leaks were relatively harmless, like address book, ICQ and email account passwords etc. Also, it is not a secret that sometimes more important information leaks. It can be bank account credentials, important documents. What I want to say is that we are here not to make conclusions from somebody's personal experience, but to discuss security approaches in general, trying to understand what is "true security" for one. And by disregarding leaktests (as a part of the many other security tests), you do not get closer to the answer.
     
    Last edited: Apr 25, 2009