My Wish: A full fledged firewall for Windows 10

Copper Contributor

I have used Windows software for years.  I have always purchased software to protect my Windows systems.  I would really like to see Microsoft step up the protection for a home/portable PC, to meet the environment that a home/portable PC lives in.  Plainly put, the internet is dangerous for what exists on a 24-hour basis.  There are people with bad intentions that are constantly scanning the internet, looking for vulnerable systems.  Home/portable PCs do not have the capability of having IT experts monitoring their security needs, or providing vulnerability detection scans.  There are no 'red hat' teams running around scanning systems, to help protect the systems.  There are plenty of 'black hat' teams scanning, to the detriment of normal computer owners.  I installed a new wireless router and within five minutes, I had scans coming from Russia, Ukraine, and Pakistan.


Having worked with servers previously, I really would like more software control over what accesses my system.  I would like to have control to block:

  • Countries
  • IP addresses
  • Scripts
  • Crawlers

I would be even happy having a single switch, which if flipped, would disallow any IP address outside of the United States.  The reality though is that there are many bad people within the United States, using US addresses, who are attacking sites.


I would like to see a real functioning firewall developed for user control, built into Windows software.  This software would perform blocking activities, internally & externally (i.e. if a user selected foreign country blocking, it would disallow foreign country access from the internet, and would block any attempt to connect to/communicate with a foreign system).


Yep, call me a dreamer!

10 Replies

Hello, Jack.

Erm... I am sorry, but what you are dreaming is far inferior to what we already have.


You are dreaming about an allow-by-default firewall. Windows already comes with a deny-by-default firewall... well, at least, as far as the incoming traffic is concerned. (Outgoing traffic is still treated as allow-by-default.) In other words, not just Russia and Pakistan but everywhere is blocked by default. You get to tell the firewall about those places from which incoming traffic is allowed. The simplest routers already have this.


In addition, there was a time when Microsoft did indeed create a full-fledged firewall for entire networks. It is called Forefront Threat Management Gateway, formerly ISA Server. But it has been discontinued since 2012.


Edit: Removed "blacklist-based" and "whitelist-based". While not inherently confusing, they do confuse me.

Well, thank you, my wish had been granted, before I even made it!  I was not aware of that firewall.  Subsequent reading has told me that it has been around for a while and is highly regarded.  I am now poking into all of its corners.


Thanks for the feedback.

Glad to be of help.
But of course, as I did mention in my original reply, Windows Firewall has a shortcoming that makes it unsuitable for becoming a good personal firewall: Outgoing traffic is still treated as allow-by-default. Any app that runs can contact any server on the Internet. Most commercial personal firewall products offer interactive outgoing traffic filtering. This prevents Trojan horses and ransomware from contacting their masters.
There's a little app for Windows Firewall that handles the configurations for you. It turns off the allow-by-default behavior and lets you do it on an app-by-app, port-by-port basis. You can even limit apps to internal networks only. Windows Firewall is way stronger than people give it credit for; it's just not easy to configure manually. The app is called TinyWall. The other option you have is to run a FreeBSD-based firewall (my personal method) called pfSense. It requires its own hardware or a VM.
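The two replies above describe the same gap from two sides: outbound is allow-by-default, and a tool like TinyWall turns it into per-app, per-port allow rules. The same policy can be expressed directly with the built-in NetSecurity cmdlets; this is an added example, not code from the thread or from TinyWall, and it must run in an elevated PowerShell session. The program paths and the 203.0.113.0/24 range are constructed placeholders.

```powershell
# Added example: make Windows Firewall deny-by-default for outbound traffic
# and then allow only what is needed, app by app and port by port.
# Program paths and the remote address range are constructed placeholders.

# 1. Show the current default actions per profile (out of the box:
#    inbound = Block, outbound = Allow, which is the thread's complaint).
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction

# 2. Flip outbound to deny-by-default on every profile. From here on,
#    only traffic matched by an explicit Allow rule leaves the machine.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Keep the plumbing working: the DNS client and DHCP client services.
New-NetFirewallRule -DisplayName "Allow DNS client" -Direction Outbound `
    -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName "Allow DHCP client" -Direction Outbound `
    -Service Dhcp -Protocol UDP -RemotePort 67 -Action Allow

# 4. App-by-app, port-by-port: this browser may only speak HTTPS.
#    The path is a placeholder; point it at the real executable.
New-NetFirewallRule -DisplayName "Allow browser HTTPS" -Direction Outbound `
    -Program "C:\Program Files\ExampleBrowser\browser.exe" `
    -Protocol TCP -RemotePort 443 -Action Allow

# 5. Limit an app to the internal network only (LocalSubnet keyword).
New-NetFirewallRule -DisplayName "Media server LAN only" -Direction Outbound `
    -Program "C:\Tools\mediaserver.exe" -RemoteAddress LocalSubnet -Action Allow

# 6. Block one remote range in both directions (the IP blocking the
#    original post asked for). 203.0.113.0/24 is a documentation range.
New-NetFirewallRule -DisplayName "Block example range in" -Direction Inbound `
    -RemoteAddress 203.0.113.0/24 -Action Block
New-NetFirewallRule -DisplayName "Block example range out" -Direction Outbound `
    -RemoteAddress 203.0.113.0/24 -Action Block

# 7. Audit: log dropped packets, then read the tail of the log to see which
#    destinations and ports are now being blocked and still need a rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20

# Revert the default if something important stops working:
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
```

Rules that already existed with Action Allow keep working after step 2, so expect Windows' own built-in allow rules to remain in effect; review them with Get-NetFirewallRule -Direction Outbound -Action Allow.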

I had replied back, via email, but it did not register here, so I am copying what I said in the email here.


Interesting. I used to use something called 'Tiny Personal Firewall', some time ago. Are they related? I also used 'Zone Alarm' in the past. I will have to take a look at 'TinyWall'. Thanks for the information, as it seems that the product does some of the things that I would like to do.


As for Windows Firewall, yes, it is more difficult to get 'under the hood'. In fact, I was looking for the IP/country blocking capability and did not find it. The 'help' section had no listing for such an item. I also wanted to look at the possibility of managing ports.  The 'Microsoft Management Console' was not helpful in this regard either.


As for additional hardware, or a 'VM', I am not that motivated! I have been tempted to dig up a vulnerability scanner and point it at my system, just to see what I might see. I decided not to though, as I figured it might give me a headache, with false positives, and my not having full firewall control. I was going to use Nmap.

Forgot to mention that one little item that I use to keep track of what is happening on my system is 'System Explorer'.  It provides information in real time, as to what is currently happening on items.  Windows System Manager will also show processes, but does not do it in the same manner as System Explorer, which I like better.

If you don't want to go the route of a VM, you can simply replace your current router with a pfSense appliance. Check out "Netgate" products (they're partnered with the pfSense team). They just released a few budget-friendly models.

With the pfSense software being free, and the only need being to purchase the hardware, tailored to your situation, this is a reasonable item.  I took a look, seeing a SOHO firewall, with a retail cost of $299.  I have added the pfSense software and website to my 'to do' list for going through.  I saw that they use 'Snort' also, which got me a little curious.  I had a Netgear firewall at one point, which I had to get rid of, as they did not update the software and it became listed as 'vulnerable', due to a software problem.  I think it died off due to lack of consumer response though, resulting in lack of further software updates/development.  It was removed from the market.

I personally buy old Dell Optiplex SFF towers refurbished locally, either with an i3 or an i5 depending on what it's being used for (the Core 2 Duo / Quads don't properly support AES), and I get them cheap too, around 150-250 each. I then throw a dual Intel NIC and a pair of SanDisk SSDs in them to take the total spent up about another 100 bucks. I install pfSense with the dual drives in a geo mirror. I've installed these as firewalls in several buildings that I handle IT work for, as well as my home and the company I work for. The appliances are great if you don't want something bulky or power hungry, but the small form factor towers are great if you have high speed connections with multiple VPNs (almost every company I take care of has a VPN tunnel into my home and my office firewall in addition to telecommuters). pfSense is updated regularly and has shown no sign of falling off the grid like older devices do because it's a soft solution. The most recent update (2.4) will be utilizing FreeBSD 11 as the back end (currently 2.3 uses FreeBSD 10.3).  If this software appeals to you, be sure to check out FreeNAS as well. It's also FreeBSD-based and handles almost everything I need for home and small office.


Hope that sheds some light on the software!

Yes, I did see the mention of the FreeNAS software, which I had planned to check out also.  I am running a Dell Precision T3500, which fits my home need, and gives me extra power.  I purchased a second one, which I am just about done upgrading.  I had thought about throwing VMware on my 2nd one, but decided not to regress.  I had been running Linux/Windows at one point, as a dual booting system, on an old Optiplex.  FreeBSD has a long track record.


Thanks for the pointers.  I have been cleaning the cobwebs out of my head, looking at solutions for the current day.