ArchangelOfTheLamb

Host firewall recommendations

Recommended Posts

Hi All,

 

I am looking to install a host firewall on my PC. Now, the PC in question is already behind two hardware firewalls and because of that, so far, Windows 10 Advanced Firewall has been good enough for my needs. However, it does require scrolling through long lists of rules or typing PowerShell/CMD commands to change firewall rules - this can be cumbersome and annoying, particularly when multiple ports, protocols and applications are at issue (coz then several rules need changing and they are not always near each other in the GUI).

 

I am doing a Masters in Cybersecurity and for my study, I will be developing exploits, payloads, etc. Some will do things like automatic port scans, attempted self-propagation (i.e. worms) and other things that I do not want on the rest of my network. I will also be reverse engineering existing malware as part of my uni course.

 

Whilst I do know I can hard-code my own exploits/viruses so that they do not break out of the virtual network in which I run them (and which die quietly if for some reason they do), exploit development is tricky and once you start playing with antivirus evasion and other more advanced stuff, results might not turn out as expected. Plus I am sure that for my malware reverse engineering course, I am going to have to load and run malware to reverse engineer on my own PC - I doubt the lab time we will get will be enough for me to do it all at the cyber labs at uni. Again, I do plan on doing this sort of stuff in a virtual environment. But even so, I may need to insert USBs or email myself files that have viruses on them lol.

 

I have considered air-gapping my PC to stop all stuff getting out, but this is not entirely feasible as I will need at least some internet access, at least HTTPS via the host machine itself. I have decided that aside from using the usual precautions (i.e. host-limited virtual network for the test VMs, separate VLANs and subnets, etc), I should have a firewall on the host that blocks outbound (not just inbound) traffic, save what I allow (e.g. HTTPS from host machine adapter's IP and MAC). I might want such packets to be logged or stored before they are discarded so I can analyse them. Ideally, I would also like to be able to play with packet headers and reroute things using something like the functionality that Linux's iptables' "raw", "mangle", "prerouting" and "postrouting" tables provide.

 

Can someone recommend a Windows firewall that can do these things (and basically behave like iptables) and which is reasonably easy to use? My preferences (not mandatory, but they will influence my decision):

1. Low memory, processing power and disk read/write overhead. I will be running VMs so something that uses too many resources is out of the question.

2. Allows total control of traffic depending on a range of traffic features, e.g. rules that apply by port, protocol, connection state, application, source or destination, etc.

3. Allows me to set up forwarding rules and "mangle" packets with custom changes.

4. Allows easy changes between rule sets I have previously defined. With iptables, I tend to use several scripts for different rulesets - changing rules is just a matter of running the relevant script. Whilst I know I could do this with PowerShell scripts, it would be so much easier to just be able to select a ruleset from a menu.

5. Preferably a free product but not one with annoying ads, popup windows and other such bullshit.

6. A product that is ONLY a firewall - I don't want one that is part of some "security suite" also containing an antivirus, IDS, etc. which you also need to install to run the firewall. I got all that stuff covered and am not a fan of running multiple apps that do the same thing - it wastes resources. ;-)

 

Is there something around for Windows 10 that has these features? I have Googled and have been unable to find anything that gives me the level of control I want without too much extra baggage. I am kinda surprised about this as I am sure someone must have made an iptables for Windows with a GUI by now!

 

Or am I better off forgetting about a Windows localhost firewall and just sticking a Linux box with two network adapters between my PC and the rest of the network (i.e. use a gateway)? As I have noted, iptables is pretty much what I want - I just want the Windows version lolz.

 

Alternatively, I do have Ubuntu and Bash for Windows 10 on the subject PC. Does anyone know if running iptables as a daemon through that will work on all traffic that goes through the host? From what I can tell, although Ubuntu for Windows 10 has access to the whole Windows file system, it does run in its own PID and sub-shell so I am wondering whether it would have the right level of access (i.e. complete raw access to ethernet card traffic) to do what I need it to do.

 

Cheers!


A virtual machine shouldn't be affected by the host in any way.

It has direct access to the card.

Unless you're planning to try exploiting Spectre or Meltdown and crossing memory barriers.

Personally, I'd just use something a little more manual, like Peerblock, and only allow port 80.

Maybe combine it with any reputable traditional firewall, which would also be a good test of their products.

 

ZoneAlarm used to be the go-to.

https://www.zonealarm.com/software/firewall/

 

Glasswire is also popular.

https://www.glasswire.com/

 

Or if you're trusting of Windows Firewall and just want it to be easier and stronger,

TinyWall.

Adds hooks, tamper protection, and a nice GUI to the windows firewall.


The exploits I am developing (and will be testing) will use memory corruption techniques that may cross hypervisor boundaries - I am actually planning on seeing if I can put the Spectre and Meltdown proof-of-concepts into practice. This work is for a cybersecurity Masters degree at ADFA in which I want to get HDs, so I am going to be doing a bit of custom/manual binary exploitation and will be basing my work on malware like ZeroAccess and Stuxnet, both of which can spread like wildfire. That's why I want extra protection for my host. ;)

 

On a side note, does anyone in the cybersec field know which (reputable) site has the actual source for Stuxnet? I know it is a lot of lines of code, but I am expecting many of these to be difficult-to-follow hex. Whilst I have generally had good experiences with ExploitDB, I have also seen some things on there that are pretty dodgy. If anyone can point me to the *real* source (or at least source written by someone who reverse engineered it and didn't insert their own reverse C2 centre connections) then that would be appreciated. I could reverse it myself, but with exploits that complex it would take mucho effort lolz.


Stuxnet, the code written by US and modified by Israel to attack Iranian nuke computers?

Yeah, that's the one. I don't think he'll find it without it being 'close enough' reverse engineering only.

 

 

I guess AOTL, all you need is a firewall that will block ports on the host machine.

Whatever you create, be sure you don't let it touch port 80, and just lock the host machine down whenever you're testing so you can surf the net, but that's all.

 

Also, hardware firewall time?

Raspberry Pi's are your friend.
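The "lock the host down so only web traffic leaves" advice above, and the original poster's wish-list items 2 and 4 (rules by port/protocol/program/address, and switching between saved rule sets from one place), can both be met with the firewall Windows 10 already ships, driven from PowerShell. The script below is an added example written for this thread, not code from any poster or product mentioned here. It sets every profile to default-deny in both directions, logs dropped packets, defines two named rule sets as Windows Firewall rule Groups, and swaps between them with one call. The adapter alias, host IP, resolver IP and browser path are assumptions to replace with your own. Two limits worth knowing before relying on it: Windows Firewall rules match on interface and IP address, not on MAC address, so the adapter alias and local address stand in for the MAC filter the poster asked about; and it has no equivalent of iptables' mangle/NAT tables, so item 3 (rewriting or forwarding packets) is out of scope for it.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Puts the built-in Windows 10 firewall
# into an iptables-style default-deny posture (inbound AND outbound), logs drops,
# and lets you swap named rule sets (rule Groups) with a single call.
# Adapter alias, host IP, resolver IP and browser path are ASSUMPTIONS: edit them.

$HostIfAlias = 'Ethernet'                                      # assumed: check Get-NetAdapter
$HostIp      = '192.168.10.50'                                 # assumed host address
$Resolver    = '192.168.10.1'                                  # assumed DNS resolver
$Browser     = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # assumed browser path
$GroupPrefix = 'LabFW'                                         # every rule we manage shares this prefix

function Set-LabFirewallDefaults {
    # Default-deny both directions on every profile and log what is dropped, so the
    # blocked packets' headers can be reviewed afterwards in pfirewall.log.
    Set-NetFirewallProfile -All `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Block `
        -LogBlocked True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 32767
}

# Each rule set is a list of parameter hashtables splatted into New-NetFirewallRule.
$RuleSets = @{
    # 'lab': during testing the host may only speak HTTPS (plus DNS lookups) via the
    # named browser on the named adapter and address. Everything else is dropped and logged.
    lab = @(
        @{ DisplayName = 'LAB allow HTTPS from browser'; Direction = 'Outbound'; Action = 'Allow'
           Protocol = 'TCP'; RemotePort = '443'; Program = $Browser
           InterfaceAlias = $HostIfAlias; LocalAddress = $HostIp }
        @{ DisplayName = 'LAB allow DNS to resolver'; Direction = 'Outbound'; Action = 'Allow'
           Protocol = 'UDP'; RemotePort = '53'; RemoteAddress = $Resolver
           InterfaceAlias = $HostIfAlias; LocalAddress = $HostIp }
    )
    # 'normal': day-to-day use, outbound web and DNS from any program on this host.
    normal = @(
        @{ DisplayName = 'NORMAL allow outbound web'; Direction = 'Outbound'; Action = 'Allow'
           Protocol = 'TCP'; RemotePort = @('80', '443'); InterfaceAlias = $HostIfAlias }
        @{ DisplayName = 'NORMAL allow outbound DNS'; Direction = 'Outbound'; Action = 'Allow'
           Protocol = 'UDP'; RemotePort = '53'; InterfaceAlias = $HostIfAlias }
    )
}

function Install-LabRuleSets {
    # Idempotent: remove anything created earlier, then recreate every set disabled.
    Get-NetFirewallRule -Group "$GroupPrefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    foreach ($name in $RuleSets.Keys) {
        foreach ($rule in $RuleSets[$name]) {
            New-NetFirewallRule @rule -Group "$GroupPrefix-$name" -Profile Any -Enabled False | Out-Null
        }
    }
}

function Use-LabRuleSet {
    param([Parameter(Mandatory)][ValidateSet('lab', 'normal')][string]$Name)
    # Exactly one set is active at a time: disable all managed groups, enable the chosen one.
    Get-NetFirewallRule -Group "$GroupPrefix-*" | Disable-NetFirewallRule
    Enable-NetFirewallRule -Group "$GroupPrefix-$Name"
    Get-NetFirewallRule -Group "$GroupPrefix-$Name" |
        Select-Object DisplayName, Direction, Action, Enabled
}

function Get-LabDroppedPackets {
    param([int]$Last = 20)
    # pfirewall.log fields are space separated:
    # date time action protocol src-ip dst-ip src-port dst-port size ... path(SEND|RECEIVE)
    Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail $Last |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} .* DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time  = "$($f[0]) $($f[1])"
                Proto = $f[3]
                Src   = "$($f[4]):$($f[6])"
                Dst   = "$($f[5]):$($f[7])"
                Path  = $f[-1]
            }
        }
}

# Typical session: configure once, then flip sets as needed.
Set-LabFirewallDefaults
Install-LabRuleSets
Use-LabRuleSet -Name lab        # before starting the exploit VMs
# Use-LabRuleSet -Name normal   # when the lab session is over
# Get-LabDroppedPackets -Last 50
```

Two design notes. The rule sets are created disabled and toggled by Group, so switching never recreates rules; it is the PowerShell equivalent of the "run the relevant iptables script" habit described in the question, and `Get-NetFirewallRule -Group 'LabFW-*'` shows the whole managed set in one list rather than scattered through the GUI. If the hypervisor runs the test VMs on NAT networking, the hypervisor process is what opens outbound connections on the host, so the default-deny outbound posture covers that path too unless you deliberately add an allow rule for the hypervisor binary.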
