
Firewall that restricts program access for the whole network?

ssibal

Unregistered
ZoneAlarm seems pretty good at blocking programs from accessing the internet (it asks if you want to allow) but this only works for the machine it is on. Is there a firewall that you can have running on one machine (a gateway) and when a program on another computer wants to access the internet it asks on the main machine rather than the client?
 
Yes.

The machine running the firewall has to be between the inside network with the clients and the outside network attached to the Internet. You can buy special devices to serve this purpose, or you can set up a PC with 2 ethernet cards.
 
Well, no, not like what ssibal is talking about.

ZoneAlarm and other personal firewalls can do this because they're running on the same machine as the program you're trying to restrict. The hardware firewall AP is talking about can't do that. That computer never sees the program itself, only its traffic. So the best you can do is filter by the type of traffic. For example, you can allow outgoing TCP Port 80 requests so people can browse the web, but you can't control whether or not they do so with Mozilla or IE or Opera.
 
shanek said:
So the best you can do is filter by the type of traffic. For example, you can allow outgoing TCP Port 80 requests so people can browse the web, but you can't control whether or not they do so with Mozilla or IE or Opera.

That's what I was thinking, except someone could write a nasty program that communicates on port 80. My best bet is to have every computer with a software firewall, password protected and set to automatically block every program except those I explicitly allow on each machine. It is too bad someone has not come up with an easier solution.
 
ssibal said:
That's what I was thinking, except someone could write a nasty program that communicates on port 80. My best bet is to have every computer with a software firewall, password protected and set to automatically block every program except those I explicitly allow on each machine. It is too bad someone has not come up with an easier solution.

Thin client, then you can restrict access to only the programs you load on the server.

Citrix and Terminal Services would both do this.
 
ssibal said:
That's what I was thinking, except someone could write a nasty program that communicates on port 80.

That's true. And if that's a concern, you could go to a proxy server. The difference between a firewall and a proxy server is that a proxy server understands the HTTP protocol and therefore can do some more advanced filtering. It would HAVE to be web traffic, it could filter out known types of HTTP exploits, even prevent you from going to certain sites.

A very simple and free one is available from AnalogX. And from there they go up to several hundred dollars and even higher as you need more advanced features.
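
An added illustration of the firewall-versus-proxy distinction in the post above (not part of the thread, and not code from any product named in it): a port filter sees only the destination port, while an HTTP-aware proxy can check that the bytes form a request and which site it targets. The payloads, host allowlist and function names are constructed for the example; neither check identifies which program on the client sent the traffic.

```python
# Added example: constructed payloads, hypothetical names and allowlist.
ALLOWED_PORTS = {80}
ALLOWED_HOSTS = {"www.example.org"}  # hypothetical site allowlist
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def port_filter_allows(dst_port: int) -> bool:
    """What a plain packet filter sees: only the destination port."""
    return dst_port in ALLOWED_PORTS


def proxy_decision(payload: bytes, allowed_hosts=ALLOWED_HOSTS):
    """What an HTTP-aware proxy can check: a well-formed request and its target site."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no complete HTTP header block"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in header block"
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    if host not in allowed_hosts:
        return False, f"host not allowed: {host or '(none)'}"
    return True, "ok"


# Constructed samples of traffic sent to TCP port 80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "other_site": b"GET / HTTP/1.1\r\nHost: tracker.example.net\r\n\r\n",
    "raw_binary": b"\x01\x00\x7f\xffHELLO\x00\x00\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, port_filter_allows(80), proxy_decision(data))
```

All three samples pass the port filter; only the first passes the proxy check.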
 
jimlintott said:
ssibal - Why do you want to do this?

Because I do not want internet bandwidth wasted with unnecessary programs connecting to the internet, nor do I want malicious programs connecting to the internet.
 
ssibal said:
Because I do not want internet bandwidth wasted with unnecessary programs connecting to the internet, nor do I want malicious programs connecting to the internet.

Then the personal firewall is what you need. I use & recommend ZoneAlarm.
 
