Predefined zones or enabling step-by-step

Postby VistaFirewallControl » Wed Feb 02, 2011 1:57 pm

Predefined zones (thinking of the security once) or enable step-by-step (making decision many times on-the-go)

We have often received questions regarding the W7FC predefined zones concept.
The concept is thinking about the security once, choosing a proper zone from the predefined set from the start, on application detection, and adjusting/changing the zone later if required.

However, the traditional approach is enabling only the required (current) activity on application detection and prompting the user every time later if the permissions are not enough, even if the application is already listed.

Trying to find a compromise, the latest Plus edition has been given a blocked events pane,
where users can adjust the permissions by adding precise permitting rules to the application zone one by one.

The question is whether it's suitable and compromises enough, or whether you do want to be prompted every time a listed application is blocked. Should it be a separate per-application option or a global one? In other words, is it suitable enough to think carefully about setting a zone for an application initially? Or should enabling a listed application step-by-step on-the-go be added to the functionality as well?
The only evident drawback of enabling on-the-go is that users may enable nearly everything required by applications just to get rid of the annoying popups.

Please share thoughts with us.
VistaFirewallControl
Site Admin
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Predefined zones or enabling step-by-step

Postby RangerXus » Sat Feb 18, 2012 3:46 am

Greetings:

This is an old post but I'd like to comment anyway as you ask a good question.

I have used many firewalls over the years, each with different behaviors when it comes to prompting.

There are two ways I like to be prompted:

1) For those programs I know and trust I usually just enable all outgoing, all incoming, or both. I don't want to be prompted any more.

2) For other programs I like to be prompted for each new type of request. For example, a program may go out on port X to perform its normal function and also go out on port Y (or to another IP) to do auto-updates. I may not want to allow the auto-update function but want to allow the normal function. The problem is that I may not know what port/IP is used for each function until the program attempts to do each. In this case I want to be notified for each request.

W7FC does not give me option 2. Once the block window appears for the first time, from then on any request by the program that was not permitted in the rules originally set will be blocked. I'd like the option to set rules for a program, by being prompted, each time a new request type (one that does not meet already defined rules for the program) occurs.

Of course this means that W7FC would have to support both allow rules and deny rules for each program. For example, if a new request by a program occurs and the block window appears for me to enter more rules, I may want to deny that specific request, and should it happen again, W7FC knows that I have previously blocked that request so it does not display the block window. That same program would also have some allow rules for the functions that I have previously said are okay, so I should not be prompted for these rules any more either.

To me, it is expected that if I do not use enable all outgoing, incoming, or both, then that implies I want to be prompted for each type of request if the existing rules for the program do not allow access. But for others they may not want all those messages.

So I think to meet the needs of all users, if the above feature was enabled then you would want to give the user the option globally to be prompted for each request, and then also for each program give them the option to override the global setting for that program when the block window appears. Another way to do this is to add a new feature to the zone definition default. Create a new option called "prompt" meaning that if none of the existing rules explicitly block or allow the request, then display the block window to the user so new rules can be added.

Just my thoughts...
RangerXus
Posts: 10
Joined: Tue Mar 15, 2011 4:14 am

Re: Predefined zones or enabling step-by-step

Postby VistaFirewallControl » Mon Feb 20, 2012 11:00 am

>1) For those programs I know and trust I usually just enable all outgoing, all incoming, or both. I don't want to be prompted any more.

W7FC prompts once per application, doesn't it?


> I'd like the option to set rules for a program each time a new request type (that does not meet already defined rules for the program) by being prompted.


Reasonable, definitely reasonable, but originally W7FC is application-centric, not resource-centric.
So what are the "request types"? Just ports?
Anyway, we need a formal criterion for prompting/skipping.
How do we distinguish outgoing port 80 for normal web access (for instance) from the same port used for an update?


>So I think to meet the needs of all uses, if the above feature was enabled then you would want to give the user the option globally to be prompted for each request and then also for each program give them the option to override the global setting for that program when the block window appears. Another way do to this is to add a new feature to the zone definition default. Create a new option called "prompt" meaning that if none of the existing rules explicitly block or allow the request, then display the block window to the user so new rules can be added.

You are right, the implementation of the feature should go that way.
But it's still unclear what the "request type" means formally.
VistaFirewallControl
Site Admin
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Predefined zones or enabling step-by-step

Postby RangerXus » Tue Feb 21, 2012 12:00 am

>1) For those programs I know and trust I usually just enable all outgoing, all incoming, or both. I don't want to be prompted any more.

W7FC prompts once per application, doesn't it?

>>> Yes. I didn't mean to imply it doesn't. And the way W7FC works makes it very easy to do this.

> I'd like the option to set rules for a program each time a new request type (that does not meet already defined rules for the program) by being prompted.

Reasonable, definitely reasonable, but originally W7FC is application-centric, not resource-centric.
So what are the "request types"? Just ports?
Anyway, we need a formal criterion for prompting/skipping.
How do we distinguish outgoing port 80 for normal web access (for instance) from the same port used for an update?

>>> If a program performs all functions using the same local port, same remote IP, and same remote port then there is nothing that can be done from a FW standpoint.
>>> But often a program will use one set of remote IP and ports for its primary function and use a different IP or remote ports for secondary functions (auto update, etc.). So I would think if the local port, or remote port, or remote IP is different from any previously allowed/blocked request for that program then that would warrant displaying the Application window so the user can allow or block that request. There is always the question of how to handle different local ports - "well known ports vs. dynamic ports" - does the user care if the local port changes if it is a dynamic port? This question gets muddy since W7FC does not support specifying local and remote ports in the same rule. You might have to begin supporting local and remote ports in the same rule to effectively support allowing multiple prompts for an application.

>So I think to meet the needs of all uses, if the above feature was enabled then you would want to give the user the option globally to be prompted for each request and then also for each program give them the option to override the global setting for that program when the block window appears. Another way do to this is to add a new feature to the zone definition default. Create a new option called "prompt" meaning that if none of the existing rules explicitly block or allow the request, then display the block window to the user so new rules can be added.

You are right, the implementation of the feature should go that way.
But it's still unclear what the "request type" means formally.

>>> To me, as I said above, a request type is an application performing multiple functions with each function using a different local port, remote IP, or remote port, or any combination of these.
RangerXus
Posts: 10
Joined: Tue Mar 15, 2011 4:14 am
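A small model of the "prompt" zone default and the request-type definition discussed in this thread, as an added example (not W7FC code): a request type is (direction, local port, remote IP, remote port); explicit allow/block rules are matched first, the zone default decides otherwise, and each prompt answer is stored so the same type never prompts again. It assumes, to address the dynamic-local-port question above, that local ports in the IANA ephemeral range (49152 and up) count as "any".

```python
from dataclasses import dataclass, field
from enum import Enum

EPHEMERAL_PORT_START = 49152  # IANA dynamic range; assumed to mean "any local port"

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    PROMPT = "prompt"  # proposed zone default: no explicit rule matched, ask the user

@dataclass(frozen=True)
class RequestType:
    # The thread's definition: direction plus local port, remote IP and remote port.
    direction: str   # "out" or "in"
    local_port: int  # 0 stands for "any" after normalisation
    remote_ip: str
    remote_port: int

    def normalised(self):
        # A dynamic local port changes per socket; collapsing it avoids a fresh prompt per connection.
        if self.local_port >= EPHEMERAL_PORT_START:
            return RequestType(self.direction, 0, self.remote_ip, self.remote_port)
        return self

@dataclass
class AppZone:
    # Per-application zone: explicit allow/block rules plus a default verdict.
    default: Verdict = Verdict.PROMPT
    rules: dict = field(default_factory=dict)  # normalised RequestType -> ALLOW/BLOCK

    def decide(self, req):
        # Explicit rules win; otherwise the zone default applies.
        return self.rules.get(req.normalised(), self.default)

    def remember(self, req, verdict):
        # Store the user's answer (ALLOW or BLOCK) so this request type never prompts again.
        self.rules[req.normalised()] = verdict

def run(zone, requests, answer):
    # Process requests in order; 'answer' stands in for the block window.
    verdicts, prompts = [], 0
    for req in requests:
        v = zone.decide(req)
        if v is Verdict.PROMPT:
            prompts += 1
            v = answer(req)
            zone.remember(req, v)
        verdicts.append(v)
    return verdicts, prompts
```

With a zone whose default is PROMPT, two connections to the same web endpoint from different ephemeral ports prompt once, an update endpoint prompts separately, and a zone with an ALLOW default never prompts at all.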

Re: Predefined zones or enabling step-by-step

Postby VistaFirewallControl » Tue Feb 21, 2012 4:13 pm

>Create a new option called "prompt" meaning that if none of the existing rules explicitly block or allow the request, then display the block window to the user so new rules can be added.

We will try to schedule the option. Thank you, stay tuned.
VistaFirewallControl
Site Admin
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am

Re: Predefined zones or enabling step-by-step

Postby VistaFirewallControl » Wed Feb 22, 2012 5:55 pm

Check 5.0.0.2, please.
VistaFirewallControl
Site Admin
Posts: 624
Joined: Fri Mar 27, 2009 11:25 am
