
Best Practices

Postby rjlabs » Wed Jan 18, 2017 5:54 am

Been running Win 10 Firewall Control for a couple of months now. It works very well, but I'm afraid I'm missing many "best practices" to keep security at a high level.

* I program but am not a Windows "internals" expert. I manage a small network but am not well versed in all things TCP/IP etc.
* I work with client financial data, so I'm most worried about theft of information from my laptop that I use all day, every day.
* Sensitive data is kept encrypted but is perhaps exposed when in use / subject to key logging. It's encrypted locally and backed up to private servers via the Internet.
* Confidential data is frequently transferred during the day with https.
* Largest fear: Trojans or other exploits slipping onto this machine prior to an antivirus update that detects and eradicates them.
* Worry about dormant code that can be installed now, "woken up" later, update itself, lay low and go undetected, siphoning off sensitive info.
* I don't want even encrypted files to get exported, where they might be cracked open elsewhere via very large computers.
* The vast majority of my data doesn't need elevated security. Only a tiny portion requires strong locking up.
* All data is backed up. All encryption and passwords are strong. Passwords are changed frequently.
* I personally believe in a high level of personal privacy. The less "big data" that is out there, the better. Endlessly accumulating personally identifiable information is a large risk. Spear-phishing based on high-quality "big data" is a significant risk; a "low profile" is therefore ideal.

Challenges specific to Win 10 Firewall Control
* There is a wonderful, fine level of control, but discerning between friend and foe seems to be very hard / requires expertise to do well.
* Worry about unfriendly software that masquerades as something you use every day and is necessary (hidden in Windows like DLLs, with official-sounding names). Would it be easy to have something labeled as a necessary OS component but really have it be malware?
* The OS itself (Windows 10) seems to "need" many network connections (can't tell which are legit for the OS to run and which are just MSFT big data collections).
* A complex HTML page seems to load from 10+ or more different sites (with the browser managing all the far-flung connections) - can you just trust all that?
* The assorted video players, Flash, PDF readers, browser add-ins - trustworthy?
* Running Java, doing Java updates, running Java apps - risky?
* Anything that auto-updates its own software - an ongoing new vulnerability every time there is an update?
* If I download a new program and it's network active, can I sniff packets to sample and see what is actually sent back and forth?
* Is there a way to block any inbound or outbound connection that is to/from a foreign country?
* What do you need to do over time? (Restrict all and open only what you need again, periodically?)
* How do you quickly clear some application requesting network access when you are not certain?
* How do you manage software that you use from "second tier" sources, GNU, Sourceforge, smaller software vendors, etc.?

So, I was wondering if there are any "best practices" write-ups that might cover any of the above, or tips out there to keep secure over time?

Rick
rjlabs
Posts: 1
Joined: Sun Jan 15, 2017 11:05 pm

Re: Best Practices

Postby VistaFirewallControl » Wed Jan 18, 2017 10:25 am

Some inline comments with the main paradigm below.

> Would it be easy to have something labeled as a necessary OS component but really have it be malware?

Even if malware is labeled as a necessary OS component and launched, the firewall will catch
new network activity, new network destinations etc. So you will be able to manage the activity properly.


> The OS itself (Windows 10) seems to "need" many network connections (can't tell which are legit for the OS to run and which are just MSFT big data collections)

You are right, every next OS relies on the next level of network activity.
But such activity can generally be limited successfully with the firewall.
Actually, if a legitimate (safe) application connects to (say) abc.com, abc.com may be expected to be safe as well. Anyway, another application would hardly need abc.com for any purpose. Malware would hardly need the same abc.com either.
As the firewall recognizes applications and network destinations at once, unwanted activity can be distinguished and managed adequately.


> A complex HTML page seems to load from 10+ or more different sites (with the browser managing all the far-flung connections) - can you just trust all that?

Browsers are specific entities; they can generally be treated as "sandboxes".
So even if a browser is able to connect to an unwanted destination, it would hardly be able to send an arbitrary local file to the destination. The browser could hardly have access to a local file. Those 10+ different sites can be allowed/rejected individually though.


> The assorted video players, Flash, PDF readers, browser add-ins - trustworthy?

Vendor dependent generally. Just do not install a "random" add-in. All the rest is per-site manageable.

> Running Java, doing Java updates, running Java apps - risky?

As with add-ins generally. Java itself is harmless; only a Java program may be harmful, so: unique network behavior, unique destinations requested.

> Anything that auto-updates its own software - an ongoing new vulnerability every time there is an update?

The risk obviously exists, but... It covers all the online (auto or manual) updates, including WindowsUpdate, JavaUpdate and all the others.
The first decision to be made is the following. Do you need updates at all if everything works as expected? If you generally don't, the updates can simply be blocked by the firewall.
Every individual update can be managed (permitted) later when the need arises.

The second question is which application requests the update (an online connection).
If you know the app and trust it, the update can be enabled.
If you do not know the app, there is a reason to block it.
Also, any update destination is linked to the entity being updated. WindowsUpdate (for instance) connects to Windows-related sites only. JavaUpdate will connect to the Java update sites. However, Java would hardly connect to WindowsUpdate-related sites.
That means the question of trust in an online destination is important.
Needless to say, malware would hardly try to connect to the WindowsUpdate farm, for instance.

> If I download a new program and it's network active, can I sniff packets to sample and see what is actually sent back and forth?

You can, with a separate tool. There are a lot of them on the network. Some of them are free and very powerful.
However, packet sniffing may produce zero results, as the traffic is very often encrypted.
Sniffing is a time-consuming operation, though.

> Is there a way to block any inbound or outbound connection that is to/from a foreign country?

Technically, blocking by IP is the main firewall feature. The success of by-country management strongly depends on the quality of the IP-by-country database. There is a set of companies that provide such databases. However, it may make no sense due to proxies and VPNs. A public IP address can be delegated and obfuscated.

> What do you need to do over time? (Restrict all and open only what you need again, periodically?)

Probably periodic revising of permanent permissions could make more sense and be less time-consuming. Otherwise you could have a lot of required management for every individual connection on demand.

> How do you quickly clear some application requesting network access when you are not certain?

By deleting the application from the Programs List, by setting it to DisableAll, or by setting Mode:DisableAll (stops the entire network activity).

> How do you manage software that you use from "second tier" sources, GNU, Sourceforge, smaller software vendors, etc.?

Exactly as all the other applications.
However, GNU, Sourceforge and small vendors do not increase the risks significantly.
Any legal vendor, regardless of its size and business model, takes significant care that a "pest" is never included. Generally, applications of unknown origin are the most dangerous (e-mail attached ones, for instance).


> So, I was wondering if there are any "best practices" write-ups that might cover any of the above, or tips out there to keep secure over time?

Abstractly, security is a feeling based on trust (a feeling as well) and understanding of possible/required (vital)/requested network activity.
There can be no single-click "protect me" solution in principle.
Every firewall is as good as the limitations used. The firewall just detects every network activity and offers you to decide whether you want to allow it or deny it.

So the firewall detects a newly requested activity or a new application. What to do?
If you know the requestor and trust the requestor, you can allow the activity to pass.
If you have a doubt, there is a reason to block. If something does not work as expected in connection with the application, you can investigate the blocked network requests and reconsider the permissions anytime.
The same can be used for known/trusted applications as well, so the initial state may be blocking.

When you find a network-dependent functionality that does not work, you can analyze the blocked activity, try to understand whether it is actually required, and reconsider the permissions anytime.
Periodically revising the permissions in use is important.
Allowed network events are gathered by the firewall as well.
Could it be time-consuming? It obviously could. The more exact permissions you want to have in the end, the more time you should spend on the quality of the permissions. The firewall is just an instrument in your hands.

All the rest depends on your security policy, trust and understanding, and is subject to configuration on a per-application basis. If you need a specific comment or suggestion, please do not hesitate to contact us.

But first you should realize your network security policy, i.e. what you finally want to block or allow. So the policy first, the implementation then.

For instance, about half of our users treat WindowsUpdate as a must to be allowed unconditionally. All the others prefer to block WindowsUpdate as the most dangerous thing.
Such decisions are yours.

If we could be of any help, please contact us.
VistaFirewallControl
Site Admin
Posts: 1479
Joined: Fri Mar 27, 2009 11:25 am
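The reply's paradigm (initial state blocking, allow only known application plus known destination, flag a known application reaching a new destination or a destination that belongs to a different updater, and batch the rest for periodic review) can be expressed as a small policy check. This is an added example, not code from Win 10 Firewall Control; the allow-list, executable names and log lines are constructed samples, and the "app destination" log format is hypothetical.

```python
"""Default-deny, per-application policy review in the spirit of the reply above.
The allow-list and events below are constructed samples (hypothetical format)."""
from collections import defaultdict

# Allow-list: application -> destinations it is trusted to reach (constructed sample).
# "*" marks the browser, treated as a sandbox whose sites are decided per-site elsewhere.
ALLOWED = {
    "svchost.exe": {"update.microsoft.com", "windowsupdate.com"},
    "jusched.exe": {"javadl-esd-secure.oracle.com"},
    "firefox.exe": {"*"},
}

# Constructed log lines: "<application> <destination>" per network request.
EVENTS = """\
svchost.exe update.microsoft.com
jusched.exe javadl-esd-secure.oracle.com
jusched.exe windowsupdate.com
firefox.exe cdn.example.net
helper32.exe abc-collect.example
svchost.exe abc-collect.example
""".splitlines()


def classify(app: str, dest: str) -> tuple:
    """Return (verdict, reason): ALLOW for a known app and known destination,
    REVIEW for a known app reaching a new destination (reconsider permissions),
    BLOCK for an unknown application (the initial state is blocking)."""
    if app not in ALLOWED:
        return ("BLOCK", "unknown application")
    dests = ALLOWED[app]
    if "*" in dests or dest in dests:
        return ("ALLOW", "known application and destination")
    # An update destination is linked to the entity being updated: Java reaching
    # the WindowsUpdate farm is the kind of mismatch worth a closer look.
    owners = sorted(a for a, d in ALLOWED.items() if dest in d and a != app)
    if owners:
        return ("REVIEW", f"destination normally used by {', '.join(owners)}")
    return ("REVIEW", "new destination for a known application")


def review(events) -> dict:
    """Group every non-allowed event by (application, verdict) for the periodic
    permission review, so each decision is made once per app and destination."""
    pending = defaultdict(set)
    for line in events:
        app, dest = line.split()
        verdict, _reason = classify(app, dest)
        if verdict != "ALLOW":
            pending[(app, verdict)].add(dest)
    return dict(pending)
```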

