Newsletter Archives

  • Sphinx Windows Firewall Control

    A guest post from Noel Carboni:

    Firewall software is responsible for blocking or allowing network communications.

    A lot of folks who care about security and privacy visit, so I want to let everyone here know about a good piece of 3rd party firewall software that’s just been released:  Sphinx Windows Firewall Control version 8

    Essentially Sphinx Windows Firewall Control offers, for Win 7, 8, and 10 users, the practical ability to set up and manage a “deny outgoing connections by default” configuration.

    The Sphinx Windows Firewall Control application works with the Microsoft-provided Windows Filtering Platform / Base Filtering Engine, where the “dirty work” of actually gating network connections is done.  The filtering platform is a mature, working system component that has been around for a while now.

    Out of the box, Windows of course provides the Windows Advanced Firewall, but in its default configuration it really doesn’t do much to enhance users’ privacy and security, since it allows all outgoing communications by default.  That made some sense when we actually trusted the OS maker to have our backs.  Now…

    Think of the Sphinx Windows Firewall Control software package as a different, better, user interface for managing the firewall configuration on the PC, and in fact it CAN run alongside the Windows Advanced Firewall – there is no coupling between the two – though in practice you really want to just shut off the Windows Advanced Firewall and manage firewall operations entirely with the Sphinx software.  Having both active would just lead to confusion.

    But the really neat part – the thing that’s really special about this new version 8 release – is that the firewall configuration can now be managed using names, not addresses.  That’s very significant.  It changes the effort in setting up and maintaining a firewall configuration from impractical to almost trivial, given today’s networking that’s rich with server banks and content delivery networks (where a given host name can resolve to many different addresses).

    It means, in layman’s terms, that if you want to allow site to be contacted you just enter the name svc.anksvn.netinto a zone rule and you’re done.  You don’t have to figure out that this name can resolve to any of multiple different network addresses and enter them all.  And you don’t have to try to figure out when a new server at a different address is added or one of them is taken offline in the future.

    sphinx-1 I can’t stress enough how much managing the firewall configuration by name simplifies the setup and greatly reduces ongoing maintenance.  It literally changes it from practically impossible to something that can be taken to a very detailed level and still kept up.

    I personally am a control aficionado and have what some would call quite a pedantic setup, where EVERYTHING is controlled to the finest point.  The Sphinx software sets up a workable default configuration, but I’ve developed my own configs completely from scratch.  I’m quite willing to share them if it can be helpful to others to see what I’ve set up.

    I have literally not had to make any changes to my Sphinx firewall configuration in weeks.  It really is possible to develop a practically “set it and forget it” configuration that lets you do normal things without exposing you to new threats.  Some observations, after using this software for quite a while:

    • Seeing what Windows tries to contact in the Events pane of this software gives one a warm feeling of knowing what’s happening on your system.  Logging can be managed by application – meaning you can, for example, log everything your services do online but suppress logging of sites you visit with your browser.  There’s a UI panel for the events (that you can, for example, clear or filter for certain things), and there’s a bona fide geek level log put in a file as well.
    • It offers complex-enough configuration capabilities to set up most of the system to run in a deny-by-default mode, yet some applications (e.g., your browser or Skype) can be set to allow-by-default – with exceptions to both of course.  So, for example, no newly installed program will be allowed to contact online servers until you add a rule to allow it, and conversely your browser can contact previously unvisited websites without any pop-up, yet still be blocked from contacting certain bad ones.
    • New / unexpected attempts to make network connections are blocked with a pop-up that has a “horror movie” violin sound effect (which you can change if you like), at which point you can choose to either allow future such attempts or continue to deny them.  What this means is that once you’ve got things initially set up, ongoing maintenance because of changes e.g., installing new software is essentially reactionary.  In this day and age, knowing communications you have NOT allowed ahead of time will NOT succeed is comforting.  This software has your back.
    • There is a rich configuration interface.  A change, for example, to allow or disallow Windows Updates is trivial for me.  I just change the zone assigned to the Host Process for Windows Services (svchost) and it’s done.  Thus no update will occur unless I specifically set the system up to do it.


    • Through the Domain Names tab you can set up a list of security servers that are always allowed system-wide (e.g., machines serving the ocsp protocol that your system contacts when verifying code signing certificates, etc.).  You can also set up a list of servers that are never allowed system-wide.


    • Getting an indication of when an unapproved connection is attempted, by what application, and to what server, is very valuable in learning what needs to be reconfigured or tweaked via registry settings to make a system more private.  Do that for a while and you end up with a Windows system that doesn’t even try to spill the beans.
    • No matter what rules a software installer (e.g., a telemetry update) might try to add to the Windows Advanced Firewall they don’t affect the Sphinx Windows Firewall Control configuration, so you’re still in complete charge of what is being allowed or denied.

    I have been working closely with the author all through the beta testing period of the name-based software, and I have run the package through all kinds of harsh tests.  He’s a smart, careful engineer who has been very responsive to feedback.  As a result, the software really works.  I use the Network/Cloud edition on all my systems.

    I am not associated commercially with this product in any way.  The only connection I have is that I have been a beta tester all through the development of version 8 and some time before that.

    Noel Carboni