Having used Sygate for years until it was bought over and killed by Symantec I then moved to Core Force. Sadly neither are in development or work with Windows 7.

If anyone could recommend a good alternative (Free or Freeware) it would be a great help?

It must have -

  • The ability to open inbound / outbound ports to specific applications and protocols

  • Have a secure setting that blocks everything and prompts for access via popup that can be selected to "remember" the setting

  • The ability to port forward i.e. 80 to 8080 inbound

  • Ideally not have any other junk installed with it, i.e. AV, Malware Scanner etc

  • Ideally not have a GUI that's designed for idiots that don't know what a firewall really can do.

So far the closest thing I've found is Zone Alarm Pro (Free does some of the above). I wasn't a fan of Tinywall or Comodo either.

Anyone got any tips please?

"The ability to port forward i.e. 80 to 8080 inbound"

So this software also has to do NAT? or are you using the built in internet sharing for this?

I would never in a million years connect my windows 7 box directly to the internet - it would be behind my border router/firewall, I currently run pfsense on VM. It provides all the firewall features you could need.

Host firewalls have their uses to be sure, for boxes that roam to different networks - but stationary computers, I see little need of host firewalls unless the network they are connected to is hostile.

It's much easier to manage your network at the border, use of IPS if so desired -- The built in firewall seems more than sufficient as a host based firewall if you ask me. You will find that most of these software/host firewalls cater to selling to the uneducated and use scare tactics to sell their product.

I am curious if you're using your Windows 7 box as your border device or is it behind a NAT router already? The use of the term port forward leads me to believe it's your router/gateway to boxes behind it?

God no, it's not directly on the net, it sits behind a hardware fw in a different segment. It's just internally I don't like to open standard ports (when I can avoid it). Sorry, I guess I should have said 8080 to 80 on a one-to-one relationship rather than NAT one-to-many for example.

TBH the main reason I want a host FW is to be able to block specific applications from having internet access but still having local network access on my "lan". The moment someone writes an agent that can sit on a host and set the config on a dedicated FW to block src, dst, port and application (executable) I'd buy it straight away rather than have multiple host fws with different policies etc.

Currently I'm in the middle of trying to get an ESXi box built so I can do pretty much exactly what you're doing with something better than the cr@p FW built into the router, but still doesn't get round my .exe requirement.

Hope this makes this a little clearer?

"8080 to 80"

What? That is still a forward on a NAT.. If it's just the host, then you would have the application listen on said port ;) Or you would have your border router forward 8080 to 80 to your box listening on 80, etc.. That statement still makes no sense.

As to blocking exe -- I fail to see a reason this is ever required other than circumvention of some phone home licensing scheme.

If you don't want something talking on the net, then you shouldn't be running said exe in the first place. Once an exe runs all is lost to be honest, what keeps said exe you ran from just turning off said firewall and/or opening up the ports it needs on the local firewall. Sure a firewall can keep legit software from talking on the net, but it's not a valid security method for preventing malware, etc. You don't run the malware in the first place is the idea ;)

So are there hostile boxes on your local network segment? If not - I'm still not seeing the need for a host firewall. All of mine are off -- it makes management more difficult for no reason. My network is secure at the trust border (internet). All devices are trusted and managed/secured by me that are on my network - ports that would be used in transfer from one machine to another machine if a worm did get in are open anyway, since I file share between machines. Services I do not use are not running in the first place. I only run software that I trust, and have an IDS running so that if for say any weird exe did slip through and started sending weird traffic I would be notified, etc.

Good luck in your search, but the firewall that came with your box is more than sufficient for a host firewall. Why should you trust or think that some 3rd party could hook into the OS better than the maker of the OS?? I never got that mentality. Funny how in the Linux world there is no firewall that prevents exe from talking on the net. They all just do what they should do and block protocol and ports, or you can block a specific userid - I don't know of one that works on say a hash of the exe that is trying to talk on the network. Now you could secure the box with SELinux or use AppArmor and lock down applications from doing things they should not do - but that is not a firewall. In Windows you could use AppLocker, part of the OS, to limit what exe can run in the first place. This seems like a better approach than letting the exe run - and then either blocking or allowing its network access. What I have seen with these sorts of firewalls is the user just allows everything that pops up, or they block stuff that they should be allowing ;) Have seen where they blocked box from being able to get DHCP address or even look up DNS because they did not understand what some exe was doing.

I have been asking for years and years around here for an example of why you need to block exe from talking to the network, when said exe is something you choose to run in the first place. If not something you choose to run, blocking it from talking to the network is pointless and a defeatist attitude in security. Now if you want to lock your box down to NOT run applications you have not ok'd, I get that - and that is good policy. But trying to just block network access and allow anything that you click on to run or that tries to run on its own is looking at it the wrong way if you ask me.

edit: Here is something that might help, you seem interested in something that tells you what is trying to go outbound, and then allowing you to block or allow said application. Take a look at this - this uses just the built in firewall to accomplish what you're after

http://www.howtogeek.com/113641/how-to-extend-the-windows-firewall-and-easily-block-outgoing-connections/
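
Added example, not part of the original thread or the linked article: the two requirements discussed above (an application that keeps LAN access but cannot reach the Internet, and 8080 relayed to 80 on the host) expressed with the built-in Windows Firewall and netsh. The program path, rule names and the 192.168.1.0/24 LAN are constructed placeholders.

```batch
@echo off
rem Added example. Run from an elevated Command Prompt.
rem Constructed placeholders: program path, rule names, LAN = 192.168.1.0/24.
set "APP=C:\Program Files\ExampleApp\example.exe"

rem Outbound default is "allow", and a block rule wins over any allow rule.
rem So one block rule scoped to "every unicast address except the LAN"
rem cuts Internet access for this executable and leaves local access alone.
rem The range stops at 223.255.255.255 so LAN multicast/broadcast still works.
netsh advfirewall firewall add rule name="ExampleApp no Internet (IPv4)" ^
    dir=out action=block program="%APP%" profile=any enable=yes ^
    remoteip=1.0.0.0-192.168.0.255,192.168.2.0-223.255.255.255

rem IPv4 ranges do not cover IPv6. Block global unicast (2000::/3) as well;
rem link-local neighbours (fe80::/10) stay reachable.
netsh advfirewall firewall add rule name="ExampleApp no Internet (IPv6)" ^
    dir=out action=block program="%APP%" profile=any enable=yes ^
    remoteip=2000::/3

rem "8080 to 80" on the host itself: accept on 8080 and relay to the
rem service already listening on local port 80.
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8080 ^
    connectaddress=127.0.0.1 connectport=80

rem Admit the relayed port from the local subnet only.
netsh advfirewall firewall add rule name="Inbound 8080 to local 80" ^
    dir=in action=allow protocol=TCP localport=8080 ^
    remoteip=localsubnet profile=any enable=yes

rem Review what was created.
netsh advfirewall firewall show rule name="ExampleApp no Internet (IPv4)" verbose
netsh interface portproxy show v4tov4
```

As the last post points out, a process running with administrative rights can delete these rules again, so they constrain well-behaved software rather than malware.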
