slajoh01
join:2005-04-23

1 recommendation

slajoh01 to therube

Member

to therube

Re: Is this good Layered Security?

But I have been looking through all the DoD STIGs and those settings are really really locked down to the bone. So how do they bear with convenience versus security? Almost ALL of their Internet Zone Security Settings are disabled or set to HIGH setting.
»iase.disa.mil/stigs/app_security···nce.html

So how do they browse the internet if IE is so locked down?
Most pages break and do not function with these STIG settings being set at a maximum of HIGH.

And what better firewall do you recommend that blocks outgoing stuff which is better than the Win7 firewall?
The reason I like to stick with the Win7 FW is that most of these bundled firewall programs come with AV and other stuff which I don't want.

therube
join:2004-11-11
Randallstown, MD

therube

Member

> So how do they browse the internet if IE is so locked down?
> Most pages break and do not function with these STIG settings
> being set at a maximum of HIGH.

Ah, the ol' catch-22.

> And what better firewall

Well of course Windows Firewall can block outgoing too.
Just that you need to be a rocket scientist to use it in that manner.

You might say, ah, the ol' catch-22.

There are some "shells" into WF that could help. I've been exploring Windows Firewall Control but that has come with its own issues (for me) & the free version is more limited than the pay. Another is Windows7FirewallControl though I have not looked into it.

> a better firewall which blocks outgoing stuff.
> a decent firewall without any of the AV stuff. Only I want the firewall

Another good question. That's the way I would want it too - without AV stuff.
Suppose there's a firewall poll around these parts?

StuartMW
Premium Member
join:2000-08-06

StuartMW to slajoh01

Premium Member

to slajoh01
said by slajoh01:

And what better firewall do you recommend that blocks outgoing stuff which is better than the Win7 firewall?

You should be able to create your own outbound firewall rules in your router. I have. I allow most standard ports from LAN to WAN but everything else is blocked. Sites that want to use non-standard ports (e.g. 8080 for HTTP) get blocked while 99.9% of stuff works fine. That won't stop malware that uses standard ports but it's just another precaution. Also outgoing stuff is allowed/blocked by LAN IP.

Most people don't bother doing anything with outgoing traffic since most routers/firewalls don't provide any (default) rules for it. I've created my own (custom) rules.

As you know security must be layered. Using browser plug-ins is just one layer IMO. I'd still use EMET to mitigate a browser vulnerability.

Rebrider
Been There Done That
Premium Member
join:2000-11-23

1 recommendation

Rebrider to slajoh01

Premium Member

to slajoh01
said by slajoh01:

And what better firewall do you recommend that blocks outgoing stuff which is better than the Win7 firewall?
The reason I like to stick with the Win7 FW is that most of these bundled firewall programs come with AV and other stuff which I don't want.

I have been using ZoneAlarm free for years. I like to see what programs want out and be able to deny outbound connections.
I use only the firewall, no bundle with AV.

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

1 recommendation

antdude

Premium Member

Firewalls only for W7

said by Rebrider:

said by slajoh01:

And what better firewall do you recommend that blocks outgoing stuff which is better than the Win7 firewall?
The reason I like to stick with the Win7 FW is that most of these bundled firewall programs come with AV and other stuff which I don't want.

I have been using ZoneAlarm free for years. I like to see what programs want out and be able to deny outbound connections.
I use only the firewall, no bundle with AV.

»A free firewall for 64bit W7 like Kerio, Outpost 2009, etc.? might be useful, but outdated?

slajoh01
join:2005-04-23

2 edits

slajoh01

Member

If I keep my Windows and Software up to date with security patches and updates, have a decent running AV on scanner, and a firewall router, then I would keep the bad stuff coming into my system in the first place. So why do I need to have outbound protection? This topic of concern has come up a lot here in this forum and never know why if one keeps the bad stuff from coming into one's machine, then why do we need to worry about outbound firewall protection? Especially when I always keep my system up to date with patches.

Also ONE VERY IMPORTANT NOTE: Whenever I install Windows, I NEVER NEVER EVER install with the LAN or network being active. I just DON'T!!!! And after I get everything on there like programs, and all my security software like AV, then I update Windows and Software and then make an image, and then finally, browse the network.

So what's the point if I don't have any malware in the first place, then why is outbound protection needed?

I tend to use the NETSTAT -B command every once in a while, first closing ALL running programs, to make sure no malware programs are "phoning" home.
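An added example, not part of any post in this thread: the periodic `netstat -b` check described above, automated against a "standard ports" allowlist like the one StuartMW describes for his router. The sample output, the allowlist contents and the function names are constructed assumptions.

```python
import re

# Constructed sample of `netstat -b -n` output; all addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49172     198.51.100.20:443      ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49180     203.0.113.7:8080       ESTABLISHED
 [updater.exe]
  TCP    192.168.1.10:49185     198.51.100.9:80        TIME_WAIT
  TCP    192.168.1.10:49190     203.0.113.50:6667      ESTABLISHED
 Can not obtain ownership information
  TCP    127.0.0.1:49200        127.0.0.1:49201        ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.10:49210     198.51.100.30:443      ESTABLISHED
  wuauserv
 [svchost.exe]
"""

ALLOWED_REMOTE_PORTS = {53, 80, 443}  # assumed "standard ports" allowlist
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    """Return one dict per connection, with the owning executable if listed."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, _local, remote, state = m.groups()
            host, _, port = remote.rpartition(":")
            conns.append({"proto": proto, "host": host, "state": state,
                          "port": int(port) if port.isdigit() else None,
                          "owner": None})
        elif conns and conns[-1]["owner"] is None:
            m = OWNER.match(line)
            if m:  # "[name.exe]" line belongs to the connection above it
                conns[-1]["owner"] = m.group(1)
    return conns

def flag_unexpected(conns, allowed=ALLOWED_REMOTE_PORTS):
    """Established, non-loopback connections to remote ports outside the allowlist."""
    return [(c["owner"] or "unknown", c["host"], c["port"])
            for c in conns
            if c["state"] == "ESTABLISHED"
            and not c["host"].startswith("127.") and c["host"] != "[::1]"
            and c["port"] not in allowed]
```

Connections on allowlisted ports pass this check unflagged, which is the same limit StuartMW notes for his router rules; review the owner column for those separately.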

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude

Premium Member

said by slajoh01:

If I keep my Windows and Software up to date with security patches and updates, have a decent running AV on scanner, and a firewall router, then I would keep the bad stuff coming into my system in the first place. So why do I need to have outbound protection? This topic of concern has come up a lot here in this forum and never know why if one keeps the bad stuff from coming into one's machine, then why do we need to worry about outbound firewall protection? Especially when I always keep my system up to date with patches.

Also ONE VERY IMPORTANT NOTE: Whenever I install Windows, I NEVER NEVER EVER install with the LAN or network being active. I just DON'T!!!! And after I get everything on there like programs, and all my security software like AV, then I update Windows and Software and then make an image, and then finally, browse the network.

So what's the point if I don't have any malware in the first place, then why is outbound protection needed?

I tend to use the NETSTAT -B command every once in a while, first closing ALL running programs, to make sure no malware programs are "phoning" home.

Do you like software to phone home and to other places? I don't.

GILXA1226
MVM
join:2000-12-29
Dayton, OH

GILXA1226 to slajoh01

MVM

to slajoh01

Re: Is this good Layered Security?

said by slajoh01:

But I have been looking through all the DoD STIGs and those settings are really really locked down to the bone. So how do they bear with convenience versus security?

Keep in mind, those STIGs are guidelines; I've never ever seen a system with those settings fully in place.