
Sphinx Windows er, 10, Firewall Control


NoelC


Thanks to the recommendation of xpclient I've bought a firewall management product for use on my Win 8.1 system et al. called:

 

Sphinx Windows 10 Firewall Control

 

Yes, it works with Win 8.1.  It has Win 10 in the name because I guess they feel the need for it to sound current.  I think it was originally called Windows Vista Firewall Control. 

 

It's effective.  Here's a review.

 

Background

 

A few weeks ago I decided I'd take more control of my system security. 

 

Over the years I had already made many system changes to enhance privacy and maximize security.  These involved:

  • Deconfiguring all "participate in Customer Experience Improvement Program" settings.
     
  • Using only a local account.
      
  • De-installing software (e.g. OneDrive, Windows Store stuff, etc.), disabling services that intrude, disabling scheduled jobs that send data into Microsoft.
     
  • Not running any Metro/Modern Apps.  I simply don't need 'em.
     
  • Adding tens of thousands of lines to my "hosts" file to locally resolve server names known for providing badware and for snooping to 0.0.0.0 (i.e., to have network accesses to them by name fail).
     
  • De-configuring Internet Explorer's ability to run ActiveX and let scripts run wild.
     
  • De-configuring Windows Update from doing anything without my initiating it.

 

My goals are fairly simple

 

Allow anything initiated by me that I know needs to communicate online, while minimizing the risk of extra privacy-invading communications, and completely eliminating spurious communications not initiated by me.

 

I wasn't sure it was possible.  Would (my legitimately licensed) Windows 8.1 deactivate itself if it can't regularly contact the mothership?  Would Windows Update stop working?  Would the level of communications be so high that I would never be able to ferret out what needs to be allowed and what needs to be blocked?

 

I'm here to say that the Sphinx software does allow enough control and management capability to accomplish these goals.  It does seem possible to shut the system the hell up and have it do only what *I* want!

 

 

Recent History

 

Unfortunately, looking over the amount of network traffic my system was generating, I found it was still way too chatty.  Not like what we're hearing about Windows 10, mind you, but still WAY too promiscuous online.  Even Task Manager tallied up megabytes of data traffic overnight when I wasn't doing anything.  The dreaded telemetry?  Sending of my personal data to Microsoft to "help them make Windows better"?

 

I decided to see if it was possible to institute a "deny by default" outgoing firewall strategy that was 1) doable and 2) manageable long-term.

 

In another thread recently I outlined my initial attempts at this, which were somewhat successful but lacked the reporting and organizational capacity for me to be able to manage the process in an ongoing way.

 

Enter Sphinx.   Again, thanks to xpclient for the recommendation.

 

SphinxSettings.png

 

I started by evaluating the base edition in a VM.  Basically, download, install, and wonder what to do next - the standard stuff.

 

After a little while, looking over the package and reading the manual, the realization began to dawn how this firewall manager views the world: 

 

1.  It denies all communications by default.

 

2.  It defines Zones - basically groups of rules that accomplish something, such as "allow typical web browsing" or "allow LAN-only communications".

 

3.  It facilitates your definition and management of a list of Programs.  Basically, an entry in this list says "let Program xxxxxxxx do what's in the Zone that's assigned to it". 

 

4.  It does NOT attempt to control anything you've already set up in the Windows Advanced Firewall.  It works completely separately, even though it uses the underlying security engine provided by Windows.

 

As an example, you might set up Internet Explorer to be in the WebBrowser zone, then make sure the WebBrowser zone allows only the communications you want web browsers to be able to do.

 

By crafty creation of Zones (and/or modification of the Zones provided, which are pretty good), one can build up a set of rules that allows what you define to be essential communications and nothing else.  The base version provides a few pre-defined Zones.  It turns out the more expensive editions have more (and more detailed) pre-defined zones.

 

SphinxZonesList.png

 

The program pops up a notification if it spots a Program it doesn't already have an entry for trying to communicate online.  THAT access was denied, but using the pop-up you can define a new Program entry, so you can allow the next one - if you want to.

 

SphinxPopup.png

 

Thus you can build up the list of Programs that try to do network access by doing the things you normally do, then make informed decisions about whether to allow them to communicate online.

 

The program also provides, besides the above pop-ups, a small one or two line status pop-up in the corner of the monitor that shows what's just happened, and an Events page where you can see a list of all networking activities attempted (blocked or allowed).  It's possible to get a pretty good feel for what's happening with this software.

 

Over time, just by using the system it becomes possible to build a list of just what you want to allow, and to either continue to log messages on the screen and in the Event log or hide the messages entirely from either place.

 

SphinxProgramsList.png

 

You can, for example, once you're confident in your WebBrowserZone settings, just hide the activity of your web browser from the Events tab and from popping up.  That way you can more easily concentrate on what's left.

 

SphinxEventsList.png

 

I reduced the rule set in the Windows Advanced Firewall to nothing.  Only the Sphinx setup now governs my entire system.

 

Which edition

 

As I mentioned above, initially I installed the base version.  However, after evaluating that variant in a VM and seeing what I could do with it, I chose to buy the "Plus" edition, and with that achieved a pretty good configuration in which very little was getting out.

 

But I craved more control and asked the author (on their forum) whether it's possible to get more granularity (e.g., WHICH service is trying to communicate?).  They noted that their "Network/Cloud" edition gives more control and allowed me to upgrade the license for an incremental price.

 

Since the Network/Cloud edition allows you to set up firewalls on your main system and 3 additional "slave" systems, I've decided to set up my whole stable of systems and VMs with this software.  At this point I've found a minor glitch with the control setup (adding "Agents") and they're working on a bugfix.

 

-Noel



I understand you're using the MVPS hosts file as the starting point to build your customized version, right?

Would you consider sharing the file to prepend to their hosts file so as to replicate your current one, Noel?

I'd like to test it on XP SP3 and on 7 SP1...


Sure, here you go (the whole thing).  There are probably a few duplicates; I don't try to rid it of them, since that would make merging new data from various sources harder.

 

http://Noel.ProDigitalSoftware.com/ForumPosts/Win81/hosts.zip

 

Note that the September MVPS hosts file hasn't yet been released, but should be in a few days.

 

-Noel

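As an added example (not NoelC's own merge procedure and not the MVPS file itself), the script below does the merge step discussed in this exchange: it takes several hosts sources in the formats such lists actually come in (0.0.0.0 MVPS style, older 127.0.0.1 style, and a personal file that also holds a real LAN mapping), rewrites block entries to 0.0.0.0, drops duplicates across sources while passing genuine static mappings through unchanged, and renders CRLF output suitable for the Windows hosts file. The three sources and every host name in them are constructed for the example.

```python
"""Merge hosts-file sources into one deduplicated 0.0.0.0 blocklist.

Added example, not NoelC's tooling or the MVPS file. Block entries are
rewritten to 0.0.0.0 so a connect fails immediately instead of trying a
loopback listener; genuine static mappings are passed through unchanged.
"""
import ipaddress

# Loopback names every hosts file carries; never turned into block entries.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
        "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}

# Constructed sample sources (hypothetical names under reserved TLDs).
MVPS_STYLE = """# constructed sample, MVPS format
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 telemetry.example   # fictitious
"""
OLD_STYLE = """127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 Beacon.Example.com
::1 localhost ip6-localhost
"""
PERSONAL = """192.168.1.10 nas.lan
0.0.0.0 bing.example stats.example
"""
SOURCES = {"mvps": MVPS_STYLE, "old": OLD_STYLE, "personal": PERSONAL}


def is_sink(addr):
    """True for addresses used as a black hole (0.0.0.0, 127.x, ::1)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def parse(text):
    """Yield (address, hostname) for every name on every non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower().rstrip(".")


def merge(sources):
    """Return (output lines, stats). First source to name a host wins."""
    blocked = {}        # hostname -> source label that first listed it
    passthrough = []    # real mappings, kept verbatim
    duplicates = 0
    for label, text in sources.items():
        for addr, name in parse(text):
            if name in SKIP:
                continue
            if not is_sink(addr):
                passthrough.append(f"{addr} {name}")
            elif name in blocked:
                duplicates += 1     # same host seen in another list
            else:
                blocked[name] = label
    lines = ["# merged blocklist: 0.0.0.0 fails fast, no loopback listener involved"]
    lines += passthrough
    lines += [f"0.0.0.0 {name}" for name in sorted(blocked)]
    return lines, {"blocked": len(blocked), "passthrough": len(passthrough),
                   "duplicates": duplicates}


def render(lines):
    """Windows hosts file: CRLF line endings, plain ASCII/UTF-8, no BOM."""
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    out, stats = merge(SOURCES)
    print(stats)
    print(render(out))
    # To install on Windows (elevated prompt), write render(out) to
    # C:\Windows\System32\drivers\etc\hosts with open(path, "w", newline="")
    # so the CRLF endings are preserved as-is.
```

Because duplicates are resolved at merge time, each source list can be refreshed independently (e.g. when the next MVPS release lands) and re-merged without hand-editing the combined file.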

A lot of those came in with the high-end version.  And yes, I see justification in having every one of them.

 

I don't know whether the configuration from one variant of the software can be loaded into another variant - and I understand that one person's choices don't always reflect another's needs - but I'm willing to go into specifics and share my approach and settings if there's interest.

 

-Noel


One need only find the site on the net and hit the [buy Now] buttons to see your localized prices.  For reference, I did that and came up with these US prices:

 

Free edition:  Free

Basic edition:  USD $14.95

Plus edition:  USD $24.95

Network/Cloud edition (the one I ended up with):  USD $39.95

 

At this point, given where we're going with the newest systems and that we have to start protecting ourselves from the OS vendor, I'd recommend the Network/Cloud edition.  It's keeping my private data off the net!

 

-Noel


NoelC said:

At this point, given where we're going with the newest systems and that we have to start protecting ourselves from the OS vendor, I'd recommend the Network/Cloud edition.  It's keeping my private data off the net!

As a side note, indirectly, and given that all the experiments/tests/reports by NoelC (and others) were made pro bono :thumbup:, we can use these data to estimate the real cost :w00t: of the free :whistle: update to Windows 10: it costs no less than US$ 39.95.

 

On the other hand, more or less this amount of money also represents the commercial value that the good MS guys attribute to ALL the data they will gather from your installation for the whole lifetime of it.

 

If you are not currently a Windows 7 or 8.1 user (still using good ol' XP or Vista), the "current" US$ 119/199 for the "full" license of Windows 10 Home/Pro could be compared to the price of a full license of Windows 7, US$ 199/299 Home/Pro (at the time and without taking into account inflation), with a net decrease of 80/100 US$; but if we compare them to the price of the Windows 8/8.1 license, which was also 119/199, there is no difference, i.e. US$ 0.

 

It's up to you to decide if the value of ALL your data from now to any foreseeable future has a value between US$ 0 and 39.95 or if it has a value between US$ 39.95 and 100.

 

On the other hand, if you are currently a Windows 7/8/8.1 user, we could say that by giving away the upgrade for free the good MS guys are forfeiting an income corresponding to the simple upgrade fee, which was (from Vista to 7) 119/199 and dropped down to around US$ 70 for the upgrade to 8.

 

But in any case it cannot logically exceed the 100 US$ that you could even raise (considering inflation from 2009 to 2015):

http://www.usinflationcalculator.com/

to US$ 111.20.

 

Now let's put it another way: someone knocks at your door and proposes that you sell him your soul. How much would be an adequate price (provided that you actually like the idea of selling it)?

 

jaclaz


Got an updated build today that fixed the one failure I had seen where I couldn't add a remote "Agent" system.

 

I now have my Win 7 system under control as well as Win 8.1.  Next stop will be to rework my Win 10 system to use the new Network/Cloud central point of control instead of the standalone trial version I had put on there before.

 

-Noel


  • 1 year later...

Version 8 (8.1.15.0 specifically), which is the first to offer name-based firewall configuration setup and maintenance, has just been released.

http://sphinx-soft.com/Vista/index.html

I can't stress enough how much managing the configuration by name both simplifies the setup and greatly reduces ongoing maintenance.  I am a control aficionado and have what some would call quite a pedantic setup, where EVERYTHING is controlled to the finest point, and yet I have literally not had to make any changes to my Sphinx firewall configuration on my Windows 7, 8.1, or 10 systems for weeks at a time.  It really is possible to develop a practically "set it and forget it" configuration that lets you do normal things without exposing you to new threats.

  • Seeing what Windows tries to contact in the Events pane of this software gives a warm feeling of knowing what's happening on your system at all times.  Logging can be managed by application - meaning you can, for example, log everything your services do online but suppress logging of sites you visit with your browser.
     
  • It offers complex-enough configuration capabilities to set up most of the system to run in a deny-by-default mode, yet some parts (e.g., your browser) can be set to allow-by-default - with exceptions to both.  So, for example, no newly installed program will be allowed to contact online servers until you add a rule to allow it, yet your browser can be set to contact previously unseen websites without extra effort from you, and still be blocked from contacting certain ones (I have, for example, disallowed various telemetry reception servers, bing.com, and some others).
     
  • New / unexpected attempts to make network connections are blocked with a pop-up that has a kind of unique "horror movie" violin sound effect, at which point you can choose to either allow future such attempts or continue to deny them.  Thus ongoing maintenance is mostly reactionary.  In this day and age, knowing communications you haven't specifically allowed ahead of time will NOT succeed is comforting.
     
  • A configuration change to allow or disallow Windows Updates is trivial for me.  I just change the zone assigned to the Host Process for Windows Services (svchost) and it's done.
     
  • This software manages the Windows Filtering Platform / Base Filtering Engine to do the "dirty work" of actually blocking or allowing connections.  The WFP is a very mature, working system component that's been around for a while now, and is what is used by the (normally allow-by-default) Microsoft-provided Windows Advanced Firewall.  The Sphinx Firewall Control package actually can work alongside the Windows Advanced Firewall setup software, though I don't know why you'd want to do that.  I found it is best to completely shut off the Windows Advanced Firewall and manage firewall operations entirely with the Sphinx software.  That way no matter what rules software installers might try to add, you're still in complete control of what is being allowed or denied by the Sphinx Firewall Control software.

I have been working closely with the author all through the beta testing period of the name-based software, and I have run the package through all kinds of harsh tests.  He's a smart, careful engineer who has been very responsive to my feedback.  The software really works.  I've been running late 8.x betas now literally for months on end without any problems.

Note:  For reference, I have NO commercial ties with this product whatsoever.  It does exactly what I need from a firewall control package and I would like nothing more than to see people who have developed truly good products succeed.

-Noel


  • 4 months later...
On 12/1/2016 at 7:44 PM, NoelC said:

For reference, I have NO commercial ties with this product whatsoever.  It does exactly what I need from a firewall control package and I would like nothing more than to see people who have developed truly good products succeed.

-Noel

Thanks for sharing your knowledge...

I downloaded it but found it not as intuitive as something like the Bandwidth Meter firewall. Can I use it to block Chrome and Skype from auto-updating, but not block them from the entire Internet?


As far as I can tell, you can do most anything with it.  The configuration capabilities are VERY powerful. 

But yes, I do understand that it is dauntingly complex at first.  It took me months to finally become comfortable with all it does.  The author maintains a good forum site if you want to ask questions:

http://vistafirewallcontrol.freeforums.org/vistafirewallcontrol-f6.html

When I first got the package I deleted all zones and application entries, then started over from scratch.  Keep in mind I have an entire career of data communications behind me to rely upon, so a "start over" approach might not be your best path.

The philosophy of this firewall is overall "deny by default", meaning if you haven't pre-approved a particular kind of communication it isn't allowed.

I have populated the Domains list to allow, for all applications system-wide, communications with security/certificate servers.  There are quite a few different certification authorities out there, and installers, services, and applications need to be able to communicate with them as needed in order to verify certificates.

Then there's the Programs list, which allows you to set up specific communications capabilities for individual applications.  I created a zone called "SysOps" that allows all LAN communications (by address range).  I consider systems inside my LAN all trusted, and I want to freely allow communications between my systems.  The entries in the Programs list I assign the SysOps zone include System, svchost, and various other system functions.

Another zone I created is "Web Browsing", which allows http and https comms (by port number); I assign that to whatever browser needs to reach the web.  That zone is actually very permissive, so it also contains several sites/domains that I never want contacted.

I actually settled on fairly few zones - 16 in all - that cover pretty much all the kinds of communications I want any part of the system doing, from full denial (e.g., "Block All") to fully permissive ("Allow All").  The whole list is:

  • Adobe - for allowing communications to the Adobe Creative Cloud
  • All Applications Default Zone - just a placekeeper that allows nothing.
  • Allow All
  • Application Self Update - just allows http and https communications applications use to download their own updates.
  • Block All
  • BowPad - A special zone for the BowPad editor that I use to verify the firewall is working and logging correctly.
  • Classic Shell Update - allows only updates from the sites Classic Shell needs to contact to get its own updates.
  • Defender - Allows Windows Defender / MSE to get definitions updates.
  • DWM Symbol Download - allows access to Microsoft's debug symbol servers.
  • eMail and Web Browsing - basically what's needed by Outlook to send/receive eMail.
  • MalwareBytes - What's needed for MalwareBytes to get its updates.
  • Safari Browsing - Pretty much the same as Web Browsing below, but with a few telemetry sites blocked.
  • SysOps - Allows LAN comms, ICMP (ping) with the world, and other basic system operations such as time sync.
  • SysOps *WU* - Same as SysOps but also allows comms with Windows Update servers.
  • Visual Studio - Allows comms with the servers Visual Studio needs to work.  Similar in kind to Adobe.
  • Web Browsing - Allows http and https comms, as well as specific ports I've found are needed for e.g., a speed test.

I haven't come across an application I have needed to create another zone for in a long time (probably most of a year).

If you'd like to try out a configuration I've developed, I've published one online here:

http://Noel.ProDigitalSoftware.com/files/Sphinx8Win10Config.zip

I don't expect these profiles to work for anyone but me out of the box, but they could be imported and you could poke around to see how I've set things up.  Conceivably with some adjustments they could be made to work for another person's system.

-Noel

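To make the deny-by-default model concrete (the four-point description in the opening post and the Domains list / Programs list / Zones layout in the reply just above), here is an added Python model. It is not Sphinx code and not NoelC's exported configuration; it reproduces the scheme the posts describe: Zones are ordered rule lists with a default verdict, each Program is assigned one Zone, a global Domains list is checked first for every program, and a program with no entry is denied and logged as a new-program event. It assumes a home LAN of 192.168.1.0/24; apart from bing.com (named in the post) every host name and address is constructed (ocsp.example, windowsupdate.example, telemetry.example, documentation IP ranges).

```python
"""Deny-by-default, zone-based outbound policy: a runnable model.

Added example, not Sphinx code. Zones = ordered rules + default verdict;
Programs map an executable to one Zone; a global Domains list is consulted
for every program first; no Program entry means deny + new-program event.
"""
import ipaddress
from dataclasses import dataclass


def name_matches(name, pattern):
    """Exact match or sub-domain match ("www.bing.com" matches "bing.com")."""
    return name == pattern or name.endswith("." + pattern)


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = ""                 # "tcp", "udp", "icmp"; "" = any
    ports: frozenset = frozenset()  # remote ports; empty = any
    networks: tuple = ()            # remote CIDR strings; empty = any
    domains: tuple = ()             # remote names; empty = any

    def matches(self, ev):
        if self.proto and ev.proto != self.proto:
            return False
        if self.ports and ev.rport not in self.ports:
            return False
        if self.networks and not any(
                ipaddress.ip_address(ev.rip) in ipaddress.ip_network(n)
                for n in self.networks):
            return False
        if self.domains and not any(name_matches(ev.rname, d) for d in self.domains):
            return False
        return True


@dataclass
class Zone:
    name: str
    rules: list               # evaluated in order, first match wins
    default: str = "deny"     # verdict when no rule matches


@dataclass(frozen=True)
class Event:
    program: str
    proto: str
    rip: str
    rport: int
    rname: str = ""           # name the firewall saw resolved, "" if none


class Policy:
    def __init__(self, zones, programs, global_domains=()):
        self.zones = {z.name: z for z in zones}
        self.programs = dict(programs)          # exe -> zone name
        self.global_domains = tuple(global_domains)
        self.events = []                        # the Events pane

    def decide(self, ev):
        if ev.rname and any(name_matches(ev.rname, d) for d in self.global_domains):
            return self._log(ev, "allow", "Domains list (all programs)")
        zone_name = self.programs.get(ev.program)
        if zone_name is None:
            return self._log(ev, "deny", "no Program entry: new-program pop-up")
        zone = self.zones[zone_name]
        for i, rule in enumerate(zone.rules):
            if rule.matches(ev):
                return self._log(ev, rule.action, f"{zone.name} rule {i}")
        return self._log(ev, zone.default, f"{zone.name} default")

    def _log(self, ev, verdict, why):
        self.events.append((ev.program, f"{ev.rname or ev.rip}:{ev.rport}", verdict, why))
        return verdict


WEB = frozenset({80, 443})
LAN = ("192.168.1.0/24",)   # assumed home LAN


def build_policy():
    """Zones loosely modelled on the post's Web Browsing / SysOps / SysOps *WU*."""
    web = Zone("Web Browsing", [
        Rule("deny", domains=("bing.com", "telemetry.example")),  # exceptions first
        Rule("allow", proto="tcp", ports=WEB),                    # then the broad allow
    ])
    sysops_rules = [
        Rule("allow", networks=LAN),                              # LAN is trusted
        Rule("allow", proto="icmp"),                              # ping the world
        Rule("allow", proto="udp", ports=frozenset({123})),       # time sync
    ]
    sysops = Zone("SysOps", sysops_rules)
    sysops_wu = Zone("SysOps *WU*", sysops_rules + [
        Rule("allow", proto="tcp", ports=WEB, domains=("windowsupdate.example",)),
    ])
    programs = {"iexplore.exe": "Web Browsing", "svchost.exe": "SysOps"}
    return Policy([web, sysops, sysops_wu], programs,
                  global_domains=("ocsp.example",))   # certificate servers, all programs


def demo():
    """Run constructed connection attempts; return (verdicts, event log)."""
    p = build_policy()
    v = {
        "web":  p.decide(Event("iexplore.exe", "tcp", "203.0.113.5", 443, "www.example.com")),
        "bing": p.decide(Event("iexplore.exe", "tcp", "198.51.100.7", 443, "www.bing.com")),
        "ssh":  p.decide(Event("iexplore.exe", "tcp", "203.0.113.5", 22, "www.example.com")),
        "lan":  p.decide(Event("svchost.exe", "tcp", "192.168.1.5", 445)),
        "wu":   p.decide(Event("svchost.exe", "tcp", "203.0.113.20", 443, "windowsupdate.example")),
        "new":  p.decide(Event("newtool.exe", "tcp", "203.0.113.9", 443, "dl.example.net")),
        "ocsp": p.decide(Event("newtool.exe", "tcp", "203.0.113.10", 80, "ocsp.example")),
    }
    p.programs["svchost.exe"] = "SysOps *WU*"   # the one-line "allow updates" change
    v["wu_after"] = p.decide(Event("svchost.exe", "tcp", "203.0.113.20", 443, "windowsupdate.example"))
    return v, p.events


if __name__ == "__main__":
    for row in demo()[1]:
        print("%-12s %-34s %-5s %s" % row)
```

Running it prints the Events list the posts describe. Two details matter in practice: inside "Web Browsing" the deny exceptions must precede the broad allow, because first match wins; and the last two decisions show the "just change the zone assigned to svchost" toggle for updates from the December 2016 post, with no rule edits needed.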

  • 3 weeks later...

What do you mean by "name base"?

And don't you have a problem with the underlying engine actually being Microsoft's?
Who knows what special secret rules it has, or what changes might be applied to it by a random Windows update.

 


It's name-based, meaning if you want to allow communications with definitionupdates.microsoft.com it will allow communications with that server, no matter what address DNS provides for it at any given time.  That's huuuuge when it comes to maintenance, since a single server name is how the software is coded, even though it could be a monstrous network of servers.*

It's a reasonable concern that Microsoft could have built in back doors (or could in the future), but there's no magic; the underlying Base Filtering Engine is a known quantity.  In fact there ARE secret rules.  To counter them, the Sphinx firewall package makes sure, by selection of priorities, not to allow the Microsoft secret rules to have precedence, and it lets you know with an alert if something tries to load new ones.  See this for more info, and note specifically the response from the Site Admin:

Quote

W10FC priority is higher.
So disabling by W10FC is final in spite of WF rules (if any)

-Noel

* I specifically mentioned definitionupdates.microsoft.com...  I did so on purpose.  This is the list of IP addresses, courtesy of my DNS logs, that my systems have resolved it into over the past couple of years:

23.14.84.114
23.14.84.155
23.14.84.160
23.14.84.161
23.14.84.162
23.14.84.163
23.14.84.169
23.14.84.170
23.14.84.176
23.14.84.179
23.14.84.184
23.14.84.186
23.14.84.187
23.14.84.192
23.14.84.193
23.14.84.194
23.14.84.200
23.14.84.201
23.14.84.202
23.14.84.203
23.14.84.208
23.14.84.216
23.14.84.217
23.14.84.219
23.14.84.225
23.14.84.227
23.14.84.233
23.14.84.234
23.14.84.241
23.14.84.242
23.14.84.243
23.14.84.43
23.14.84.48
23.14.84.80
23.14.85.19
23.14.85.25
23.14.85.27
23.14.85.33
23.14.85.49
23.14.85.51
23.15.5.105
23.15.5.115
23.15.5.121
23.15.5.197
23.15.5.200
23.15.5.213
23.74.2.112
23.74.2.120
23.74.2.58
23.74.2.98
23.74.8.176
23.74.9.73
96.16.98.11
96.16.98.19
96.16.98.27
104.96.220.113
104.96.220.137
104.96.220.145
104.96.220.98
104.96.221.115
118.214.160.16
118.214.160.185
118.214.160.224
118.214.160.248
157.238.91.17
184.26.136.104
184.26.136.123
184.26.136.137
184.26.142.136
184.26.142.27
184.26.142.42
184.26.142.48
184.26.142.57
184.26.142.58
184.26.142.66
184.26.142.75
184.26.142.80
184.26.142.88
184.26.142.89
184.26.142.90
184.26.142.97
184.26.142.99
184.26.143.106
184.26.143.121
184.26.143.129
184.26.143.138
184.26.143.146
184.26.143.163
184.26.143.98
184.51.126.123
184.51.126.194
204.2.132.50
204.2.178.160

Imagine trying to manage an address-based firewall setup by tracking the above list of addresses, just to specifically allow Windows Defender updates.  With the Sphinx firewall, it's just one entry that works now and into the future...  Set it and forget it.

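Taking the list above as data, the following added Python (not tooling from the post) rolls the 93 addresses up into /24 and /16 prefixes to show what an address-based rule would have to track, how much address space a rule widened to those prefixes would open, and the one caveat a name-based rule carries: it can only match a connection whose name the firewall saw being resolved. Only the addresses come from the post; the roll-ups, the "widened rule" arithmetic and the name-check helper are this example's own.

```python
"""Address churn behind one name: the post's 93 resolutions of
definitionupdates.microsoft.com, rolled up to show why address-based
allow rules for a CDN-fronted name do not hold up.

Added analysis, not from the post. OBSERVED is the post's list verbatim.
"""
import ipaddress

OBSERVED = """
23.14.84.114 23.14.84.155 23.14.84.160 23.14.84.161 23.14.84.162 23.14.84.163
23.14.84.169 23.14.84.170 23.14.84.176 23.14.84.179 23.14.84.184 23.14.84.186
23.14.84.187 23.14.84.192 23.14.84.193 23.14.84.194 23.14.84.200 23.14.84.201
23.14.84.202 23.14.84.203 23.14.84.208 23.14.84.216 23.14.84.217 23.14.84.219
23.14.84.225 23.14.84.227 23.14.84.233 23.14.84.234 23.14.84.241 23.14.84.242
23.14.84.243 23.14.84.43 23.14.84.48 23.14.84.80 23.14.85.19 23.14.85.25
23.14.85.27 23.14.85.33 23.14.85.49 23.14.85.51 23.15.5.105 23.15.5.115
23.15.5.121 23.15.5.197 23.15.5.200 23.15.5.213 23.74.2.112 23.74.2.120
23.74.2.58 23.74.2.98 23.74.8.176 23.74.9.73 96.16.98.11 96.16.98.19
96.16.98.27 104.96.220.113 104.96.220.137 104.96.220.145 104.96.220.98 104.96.221.115
118.214.160.16 118.214.160.185 118.214.160.224 118.214.160.248 157.238.91.17 184.26.136.104
184.26.136.123 184.26.136.137 184.26.142.136 184.26.142.27 184.26.142.42 184.26.142.48
184.26.142.57 184.26.142.58 184.26.142.66 184.26.142.75 184.26.142.80 184.26.142.88
184.26.142.89 184.26.142.90 184.26.142.97 184.26.142.99 184.26.143.106 184.26.143.121
184.26.143.129 184.26.143.138 184.26.143.146 184.26.143.163 184.26.143.98 184.51.126.123
184.51.126.194 204.2.132.50 204.2.178.160
"""


def addresses(text=OBSERVED):
    return [ipaddress.ip_address(t) for t in text.split()]


def roll_up(addrs, prefixlen):
    """Distinct enclosing networks of the given prefix length."""
    return sorted({ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs})


def covered(allow, addrs):
    """How many observed addresses an address-based allow set admits."""
    return sum(1 for a in addrs if any(a in n for n in allow))


def admitted(nets):
    """Total address space a set of allow networks opens up."""
    return sum(n.num_addresses for n in nets)


def name_rule_allows(rname, rule_name):
    """Name-based check. It can only fire when the firewall learned the
    name for this connection; a connect by literal IP, or one resolved out
    of band (e.g. DNS-over-HTTPS), carries no name and falls back to deny."""
    if not rname:
        return False
    return rname == rule_name or rname.endswith("." + rule_name)


def summary(addrs=None):
    addrs = addrs or addresses()
    p24, p16 = roll_up(addrs, 24), roll_up(addrs, 16)
    first_24 = roll_up(addrs[:1], 24)   # the rule you'd write after one lookup
    return {
        "observed": len(addrs),
        "distinct_24": len(p24),
        "distinct_16": len(p16),
        "first_24_covers": covered(first_24, addrs),
        "admitted_by_24s": admitted(p24),
        "admitted_by_16s": admitted(p16),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:>16}: {v}")
```

The numbers it produces: 93 addresses spread over 17 /24s and 10 /16s; a rule written from the first lookup's /24 covers only 34 of the 93; widening the rule to those ten /16s admits 655,360 addresses, which in shared CDN edge space means every other tenant hosted there, not just the update server. That is the trade-off an address-based rule forces (constant maintenance or a far too wide allow), and the name-based approach avoids it, provided the firewall actually sees the name, which is what the last helper checks.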

  • 3 weeks later...

Isn't it common, being able to use domain names? I seem to recall that even AtGuard, in the late 90s, supported it.

Sadly, and strangely, domain names don't work in Jetico Firewall v2, at least not on Win8. Not even when alerting on access attempts in "learning mode". But I think it worked in v1 on WinXP.

It's a sad state of affairs when it comes to Windows firewalls. Not only are there no good ones available, there's barely anything available, unless you consider anti-virus-combined system-monopolizing monstrosities a valid option.

Edited by shae