Jump to content











Photo
- - - - -

Preventing Windows 10 and untrusted software from having full access to the internet

win10 virtual firewall

  • Please log in to reply
7 replies to this topic

#1 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 24 December 2015 - 02:14 AM

Preventing Windows 10 and untrusted software from having full access to the internet

Basically it is OpenBSD running in a Virtual Machine to block all outgoing traffic, but you can allow a browser as Firefox in order to have access to internet, or any other program you want.

 

I found this info interesting and wanted to share it here:

 

https://www.ibm.com/...nternet?lang=en

 

 

Best Regards

 

alacran


  • Brito and pscEx like this

#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 24 December 2015 - 11:47 AM

Interesting approach. :thumbup:

 

:duff:

Wonko



#3 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 27 December 2015 - 12:59 PM

The writer sets a proxy in a vm and then sets choosen applications to use that proxy.

 

Unfortunately, not all applications will have settings to use a proxy.

 

Hence, I would propose a slightly different approach based on that article :

-setup a socks5 proxy tunnel using putty (or any other ssh client)

-use a proxifier application deciding on which application gets enabled on this tunnel

-dont forget to remove your default gateway ! you want your computer to be connected to your lan only (not routed to internet)

 

Pros :

-your computer is not connected to internet

-(almost) any application can be proxified

-you dont need to change any settings in your application(s)

-the proxifier will show you who does what

 

Cons :

-the proxy method can be problematic with UDP

 

About the ssh server, note that you dont forcibly have to build an openbsd vm (or any other linux).

You may already have an ssh server at home : a nas box (synology), a router (openwrt), etc ...

 

EDIT:

command line to setup a (socks5) tunnel with putty : putty -ssh -2 -P 22 root@MY_HOST -pw MY_PASSWORD -D 8080


  • Brito likes this

#4 Rootman

Rootman

    Frequent Member

  • Advanced user
  • 382 posts
  • Location:USA

Posted 28 December 2015 - 04:29 AM

I wonder how effective it would be to simply put a list of sites in the HOSTS file and redirect them to a bogus (or LOCALHOST) address? Or run your own internal forwarding address DNS server at your site that does specific bogus static addresses for the Windows update site list?

 

A quick Google turned up these sites, I am sure there are more.

 

http://windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://download.windowsupdate.com

http://download.microsoft.com

http://*.download.windowsupdate.com

http://wustat.windows.com

http://ntservicepack.microsoft.com

http://stats.microsoft.com

https://stats.microsoft.com



#5 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 28 December 2015 - 08:22 AM

Using the hosts file is very unreliable:

 

-many applications/services bypass this file and use other means of name resolution (windows dns api allows that).

-some applications use hardcoded IP's (ugly but effective way to bypass dns filtering)

-I suspect that some applications/services even update this hosts file (trojans/viruses sure do that)

 

In short, relying on hosts file / dns is not safe, IMHO.



#6 alacran

alacran

    Platinum Member

  • .script developer
  • 2710 posts
  •  
    Mexico

Posted 31 December 2015 - 04:11 AM

The writer sets a proxy in a vm and then sets choosen applications to use that proxy.

 

Unfortunately, not all applications will have settings to use a proxy.

 

Hence, I would propose a slightly different approach based on that article :

-setup a socks5 proxy tunnel using putty (or any other ssh client)

-use a proxifier application deciding on which application gets enabled on this tunnel

-dont forget to remove your default gateway ! you want your computer to be connected to your lan only (not routed to internet)

 

Pros :

-your computer is not connected to internet

-(almost) any application can be proxified

-you dont need to change any settings in your application(s)

-the proxifier will show you who does what

 

Cons :

-the proxy method can be problematic with UDP

 

About the ssh server, note that you dont forcibly have to build an openbsd vm (or any other linux).

You may already have an ssh server at home : a nas box (synology), a router (openwrt), etc ...

 

EDIT:

command line to setup a (socks5) tunnel with putty : putty -ssh -2 -P 22 root@MY_HOST -pw MY_PASSWORD -D 8080

 

Would you please give some links and more detailed info about how to implement your approach?

 

All info is welcome.

 

Thanks in advance.



#7 Guest_AnonVendetta_*

Guest_AnonVendetta_*
  • Guests

Posted 03 January 2016 - 08:15 PM

Why not just use a firewall (implemented as either software or hardware), since using the hosts file, proxies, or routing things thru a VM isn't near-bulletproof? I really can't think of any other method to fully prevent an app from either sending or receiving data from the Internet. It also must be considered that a firewall can prevend inbound/outbound access, but it can't prevent the app from sending requests for data or waiting to receive data. I use such a strategy on all my Android devices to prevent apps from Net access. It must be tackled both ways. Fortunating rooting Android is usually easy and opens up all kinds of possibilities for preventing inbound/outbound Net access, as well as preventing apps themselves from making requests or waiting for them. The latter can be accomplished by limiting/disabling/killing certain services/receivers/etc that these apps use, as well as editing the app's properties directly by modifying its' APK and data files.



#8 erwan.l

erwan.l

    Platinum Member

  • Developer
  • 3041 posts
  • Location:Nantes - France
  •  
    France

Posted 04 January 2016 - 06:50 PM

To me, there are plenty of different ways to restrict/filter your internet connection.

 

Some will want it easy, some other will want it advanced.

And there already, there will be lots of debates on what is easy or not : perspective...

 

Also, when it comes to firewall, the default behavior is usually to trust outbound access (you trust what is inside) and restrict inbound access (evil is out there).

In our particular case (windows 10 & untrusted software), the evil is inside : rather than containing the evil, best would actually be to get rid of it, but this is another, probably passionate, discussion :)

My saying here is that, apart from monitoring in real time what goes out and adapt your firewall every now and then, trying to block outbound access on a windows platform is quite some effort, if not mission impossible.

 

Last, we may want to look at how profesionals secure their network.

My humble experience showed me that usually there is no direct internet connection.

The internet is usually proxified : only http/https is allowed.

This is very restrictive and users tend to moan about it but if it works for major companies out there, why not follow the same line at the individual level?

My guess is that individuals actually dont want to put up with restrictions.

 

My 2 cents...





Also tagged with one or more of these keywords: win10, virtual firewall

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users