Jul 26 2017 04:46 PM
I have used Windows software for years. I have always purchased software to protect my Windows systems. I would really like to see Microsoft step up the protection for a home/portable PC, to meet the environment that a home/portable PC lives in. Plainly put, the internet is dangerous for what exists on a 24 hr. basis. The are people with bad intentions that are constantly scanning the internet, looking for vulnerable systems. Home/portable PC's do not have the capability of having IT experts monitoring their security needs, or providing ivulnerability detection scans. There are no 'red hat' teams running around scanning systems, to help protect the systems. There are plenty of 'black hat' teams scanning, to the detriment of normal computer owners. I installed a new wireless router and within five minutes, I had scans coming from Russia, Ukraine, and Pakistan.
Having worked with servers previously, I really would like more software control over what accesses my system. I would like to have contol to block:
I would be even happy having a single switch, which if flipped, would disallow any IP address outside of the United States. The reality though is that there are many bad people within the United States, using US addresses, who are attacking sites.
I would like to see a real functioning firewall developed for user control, built into Windows software. This software would perform blocking activities, internally & externally (i.e. if a user selected foreign country blocking, it would disallow foreign country access from the internet, and would block any attempt to connect to/communicate with a foreign system).
Yep, call me a dreamer!
Jul 27 2017 05:22 AM - edited Jul 27 2017 11:44 PM
Hello, Jack.
Erm... I am sorry, but what you are dreaming is far inferior to what we already have.
You are dreaming about an allow-by-default firewall. Windows already comes with a deny-by-default firewall... well, at least, as far the incoming traffic is concerned. (Outgoing traffic is still treated as allow-by-default.) In other words, not just Russia and Pakistan but everywhere is blocked by default. You get to tell the firewall about those places from which incoming traffic is allowed. The most simple routers already have this.
In addition, there was a time when Microsoft did indeed create a full-fleged firewall for entire networks. It is called Forefront Threat Management Gateway, formerly ISA Server. But it has been discontinued, since 2012.
Edit: Removed "blacklist-based" and "whitelist-based". While not inherently confusing, they do confuse me.
Jul 27 2017 08:40 PM
Well, thank you, my wish had been granted, before I even made it! I was not aware of that firewall. Subsequent reading has told me that it has been around for awhile and is highly regarded. I am now poking into all of its' corners.
Thanks for the feedback.
Jul 27 2017 11:54 PM
Jul 31 2017 10:16 AM
Aug 01 2017 06:58 AM
I had replied back, via email, but it did not register here, so I am copying what I said in the email here.
Interesting. I used to use something called 'Tiny Personal Fire Wall', some time ago. Are they related? I also used 'Zone Alarm' in the past. I will have to take a look at 'Tinywall'. Thanks for the information, as it seems that the product does some of the things that I would like to do.
As for Windows firewall, yes, it is more difficult to get 'under the hood'. In fact, I was looking for the IP/country blocking capability and did not find it. The 'help' section had no listing for such an item. I also wanted to look at the possibility of managing ports. The 'Microsoft Management Console' was not helpful in this regard either.
As for additional hardware, or a 'VM', I am not that motivated! I have been tempted to dig up a vulnerability scanner and point it at my system, just to see what I might see. I decided not to though, as I figured it might give me a headache, with false positives, and my not having full firewall control. I was going to use a Nmap.
Aug 01 2017 07:10 AM
Forgot to mention that one little item that I use to keep track of what is happening on my system is ' system explorer '. It provides information in real time, as to what is currently happening on items. Windows System Manager will also show processes, but does not do it in the same mannerism as system explorer, which I like better.
Aug 01 2017 08:29 AM
If you don't want to go the route of a VM you can simply replace your current router with a pfSense appliance. Check out "Netgate" products (They're partnered with the pfSense team) They just released a few budget friendly models.
Aug 01 2017 12:52 PM
With the Pfsense software being free, and the only need being to purchase the hardware, tailored to your situation, this is reasonable item. I took a look, seeing a SOHO firewall, with retail cost of $299. I have added the Pfsense software, and website to my 'to do' list for going through. I saw that they use 'Snort' also, which got me a little curious. I had a Netgear firewall at one point, which I had to get rid of, as they did not update the software and it became listed as 'vulnerable', due to a software problem. I think it died off, due to lack of consumer response though, resulting in lack of further software updates/development. It was removed from the market.
Aug 01 2017 01:03 PM
I personally buy old Dell Optiplex SFF towers refurbished locally, either with an i3 or an i5 depending on what it's being used for (The Core 2 Duo / Quads don't properly support AES) and I get them cheap too, around 150-250 each. I then throw a dual Intel Nic and a pair of Sandisk SSDs in them to take the total spent up about another 100 bucks. I install pfSense with the dual drives in a geo mirror. I've installed these as firewalls in several buildings that I handle IT work for, as well as my home and the company I work for. The appliances are great if you don't want something bulky or power hungry, but the small form factor towers are great if you have high speed connections with multiple vpns (almost every company I take care of has a vpn tunnel into my home and my office firewall in addition to telecommuters). pfSense is updated regularly and has shown no sign of falling off the grid like older devices do because it's a soft solution. The most recent update (2.4) will be utilizing freeBSD 11 as the back end (currently 2.3 uses freeBSD 10.3). If this software appeals to you, be sure to check out freeNAS as well. It's also freeBSD based and handles almost everything I need for home and small office.
Hope that sheds some light on the software!
Aug 01 2017 01:20 PM
Yes, I did see the mention of the freeNAS software, which I had planned to check out also. I am running a Dell Precision, T3500, which fits my home need, and gives me extra power. I purchased a second one, which I am just about done upgrading. I had thought about throwing VMWARE on my 2nd one, but decided not to regress. I had been running Linux/Windows at one point, as a dual booting system, on an old Optiplex. FreeBSD has a long track track record.
Thanks for the pointers. I have been cleaning the cobwebs out of my head, looking at solutions for the current day.