Jack Smith
Copper Contributor
Jul 26, 2017

My Wish: A full-fledged firewall for Windows 10

I have used Windows software for years. I have always purchased software to protect my Windows systems. I would really like to see Microsoft step up the protection for a home/portable PC, to meet the environment that a home/portable PC lives in. Plainly put, the internet is dangerous for what exists on a 24 hr. basis. There are people with bad intentions that are constantly scanning the internet, looking for vulnerable systems. Home/portable PCs do not have the capability of having IT experts monitoring their security needs, or providing vulnerability detection scans. There are no 'red hat' teams running around scanning systems, to help protect the systems. There are plenty of 'black hat' teams scanning, to the detriment of normal computer owners. I installed a new wireless router and within five minutes, I had scans coming from Russia, Ukraine, and Pakistan.

Having worked with servers previously, I really would like more software control over what accesses my system. I would like to have control to block:

  • Countries
  • IP addresses
  • Scripts
  • Crawlers

I would even be happy having a single switch, which if flipped, would disallow any IP address outside of the United States. The reality though is that there are many bad people within the United States, using US addresses, who are attacking sites.

I would like to see a real functioning firewall developed for user control, built into Windows software. This software would perform blocking activities, internally & externally (i.e. if a user selected foreign country blocking, it would disallow foreign country access from the internet, and would block any attempt to connect to/communicate with a foreign system).

 

Yep, call me a dreamer!

10 Replies

  • Justin Satava
    Copper Contributor
    There's a little app for Windows Firewall that handles the configurations for you. It turns off the Allow by default behavior and lets you do it on an app-by-app, port-by-port basis. You can even limit apps to internal networks only. Windows Firewall is way stronger than people give it credit for; it's just not easy to configure manually. The app is called TinyWall. The other option you have is to run a FreeBSD-based firewall (my personal method) called pfSense. It requires its own hardware or VM.
    • Jack Smith
      Copper Contributor

      Forgot to mention that one little item that I use to keep track of what is happening on my system is 'System Explorer'. It provides information in real time, as to what is currently happening on items. Windows System Manager will also show processes, but does not do it in the same manner as System Explorer, which I like better.

    • Jack Smith
      Copper Contributor

      I had replied back, via email, but it did not register here, so I am copying what I said in the email here.

      Interesting. I used to use something called 'Tiny Personal Fire Wall', some time ago. Are they related? I also used 'Zone Alarm' in the past. I will have to take a look at 'TinyWall'. Thanks for the information, as it seems that the product does some of the things that I would like to do.

      As for Windows firewall, yes, it is more difficult to get 'under the hood'. In fact, I was looking for the IP/country blocking capability and did not find it. The 'help' section had no listing for such an item. I also wanted to look at the possibility of managing ports. The 'Microsoft Management Console' was not helpful in this regard either.

      As for additional hardware, or a 'VM', I am not that motivated! I have been tempted to dig up a vulnerability scanner and point it at my system, just to see what I might see. I decided not to though, as I figured it might give me a headache, with false positives, and my not having full firewall control. I was going to use Nmap.

      • Justin Satava
        Copper Contributor

        If you don't want to go the route of a VM, you can simply replace your current router with a pfSense appliance. Check out "Netgate" products (they're partnered with the pfSense team). They just released a few budget-friendly models.

  • Anonymous

    Hello, Jack.

    Erm... I am sorry, but what you are dreaming is far inferior to what we already have.

    You are dreaming about an allow-by-default firewall. Windows already comes with a deny-by-default firewall... well, at least, as far as the incoming traffic is concerned. (Outgoing traffic is still treated as allow-by-default.) In other words, not just Russia and Pakistan but everywhere is blocked by default. You get to tell the firewall about those places from which incoming traffic is allowed. The most simple routers already have this.

    In addition, there was a time when Microsoft did indeed create a full-fledged firewall for entire networks. It is called Forefront Threat Management Gateway, formerly ISA Server. But it has been discontinued since 2012.


    Edit: Removed "blacklist-based" and "whitelist-based". While not inherently confusing, they do confuse me.

    • Jack Smith
      Copper Contributor

      Well, thank you, my wish had been granted, before I even made it! I was not aware of that firewall. Subsequent reading has told me that it has been around for a while and is highly regarded. I am now poking into all of its corners.

      Thanks for the feedback.

      • Anonymous
        Glad to be of help.
        But of course, as I did mention in my original reply, Windows Firewall has a shortcoming that makes it unsuitable for becoming a good personal firewall: Outgoing traffic is still treated as allow-by-default. Any app that runs can contact any server on the Internet. Most commercial personal firewall products offer interactive outgoing traffic filtering. This prevents Trojan horses and ransomware from contacting their masters.
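
The defaults described in the replies above (incoming blocked, outgoing allowed) can be inspected and tightened with the built-in NetSecurity cmdlets. This is an added example, not part of the thread; the address range, the program path and the rule names are constructed placeholders, and nothing is changed unless the script is run with `-Apply`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit and tighten Windows Firewall defaults.
[CmdletBinding()]
param(
    [switch]$Apply,                                  # without -Apply, changes are previewed only
    [string[]]$BlockRange  = @('203.0.113.0/24'),    # constructed documentation range (RFC 5737)
    [string]$AllowProgram  = 'C:\Path\To\App.exe'    # placeholder path, replace with a real program
)

# 1. Report the defaults each profile is using right now.
#    NotConfigured means the built-in default applies: inbound Block, outbound Allow.
function Get-FirewallDefaults {
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}
Get-FirewallDefaults | Format-Table -AutoSize

$preview = -not $Apply    # -WhatIf:$true prints the action instead of performing it

# 2. Block a remote address range in both directions.
#    Block rules take precedence over allow rules, so this holds even for
#    programs that already have an allow rule.
foreach ($direction in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Example - block range ($direction)" `
        -Direction $direction -RemoteAddress $BlockRange `
        -Action Block -Profile Any -WhatIf:$preview
}

# 3. Make outgoing traffic deny-by-default as well.
#    Create the allow rule first so the program keeps working after the switch.
New-NetFirewallRule -DisplayName 'Example - allow app outbound HTTP(S)' `
    -Direction Outbound -Program $AllowProgram `
    -Protocol TCP -RemotePort 80, 443 `
    -Action Allow -Profile Any -WhatIf:$preview

Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultOutboundAction Block -WhatIf:$preview

# 4. Show the result (unchanged when running in preview mode).
Get-FirewallDefaults | Format-Table -AutoSize
```

With outbound set to Block, every program that needs network access must have its own allow rule; `Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow` restores the original behaviour.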
