Firewall, ID Protection, VPN and Banking Protection

IceMan7
IceMan7 Posts: 22 Enthusiast
edited November 18 in Device Protection

HI

First of all... I've been using Fsecure (first SAFE, now Internet Security) for over 8 years and I'm very happy. Keep it up. For years, zero problems or anything on my computer (sometimes it scans with other tools and cleanly).

However, I have questions

  1. Why doesn't Fsecure have a Firewall? Each of your competitors like Eset, Kaspersky, Bitdefender and others have their own Firewall and this increases security. What is the reason for this?
  2. ID Protection, or Fsecure password manager. Why can you only import from other solutions and not export to other solutions? This makes no sense. Why should I use Fsecure password manager if it limits me to having to use it for the rest of my life, unless I transfer all passwords individually to another application? Really?
  3. VPN - Fsecure Freedom. Why is there still no Wireguard and only Open VPN? Do you foresee a change in the future? And do you plan on a function such as split-tunneling?
  4. Banking Protection. Why don't you use your own browser like Kaspersky or Bitdefender, which has SafePay? The weakest link to a browser with bugs, zero-day problems, etc. is Chrome or Firefox. Isn't it better to have your own, which increases security?
    Does Banking Protection work the same on MacOS as on Windows?

I am glad that the Fsecure Total solution is not a Christmas tree or an overcomplicated creation created by your competitors. More and more antiviruses want to be for everything. This is bad. But it would be nice if Fsecure improved existing products.

If I created a topic in the wrong place, please move it ;)

Answers

  • Ukko
    Ukko Posts: 3,737 Superuser

    Hello,

    If discussion among F-Secure users is allowed, then I would try to express my opinion or feelings.

    About FIREWALL.

    I would start with arbitrary things.

    It depends on what someone means by Firewall. If the most basic and essential things (which, in general, is a firewall), then at least starting from Windows 8 - the built-in Windows firewall is quite good and not bad, coping with its duties perfectly. Especially for home users, who most often will still be protected by something like NAT from their ISP (and other settings that can sometimes even be done directly on your own router, since most often now home users will not only have an Ethernet connection , wired, but also Wi-Fi and router for this). In recent years, F-Secure Windows solution has taken advantage of this functionality / feature, sometimes adding additional layers of protection on top of or near. At the same time, in theory, giving a specific user the opportunity, if desired (and possible), to use a third-party firewall. This would require (possibly) exceptions and permissions for the existence of both software complexes.

    Anyway, since the built-in Windows Firewall is essentially part of the system and is developed directly by the "same" company as the OS itself, it is most likely the easiest way to avoid any unpleasant incompatibilities or problems here. As such, I think this increases security. Although there are probably known weaknesses... but third-party developments may also have them (and be unknown). All in all, adhering to general security practices such as using the system as a local user (and not an administrator) for everyday needs removes many of them.

    Firewall is an important thing. And it's very good that such a popular OS as Windows includes it by default. If, of course, nothing has changed in Windows 11 (haven't used it yet).

    Now what if we talk about other companies’ own(?) firewalls (including cyber security) and the described examples. Let's say I think that two of the three named are able to provide a reliable level of protection and may have the resources to implement the solution relatively correctly. But is it that easy? After all, even a network driver with some inaccuracies can cause a lot of problems, both "technical" and "security".

    What exactly can a third-party firewall provide more? Some specific features that are indirectly related to the firewall? A clearer interface or a more frequent demand for attention from the user? Some pre-prepared rules and profiles? More often than not, this will really be very convenient for the user, and I would love this myself. I have often used and continue to use third-party firewalls as a test, but I constantly get stuck in all sorts of incompatibilities or "unreliability" (which can also be with Windows Firewall - but fixing them is somewhat easier and faster for Microsoft).

    Let's say if F-Secure started using a Firewall (rather than relying on the Windows Firewall), what would your requirements be for such a turnaround? Completely their own development from scratch? Or, maybe, interaction / cooperation with some partner who will provide a set of tools to implement this level / layer of protection? It should replicate all the basic and advanced functionality of Windows Firewall obviously, but what's in addition to that?

    Up until F-Secure Internet Security 2012 (I think) - this solution had "its own" firewall and, to be honest, looking at the Community pages, it created a lot of questions for users (both due to the complexity of configuration and the correct use of the firewall by users). And this is taking into account that, in principle, the same thing could be done using Windows Firewall (and some things are simply "by default" in this form there, since in fact they are super recommended).

    However, it is important to note that by this I mean the normal use of system by user. without 'violent' attempts to install any suspicious software on an incalculable scale. :) since otherwise you will need to use Windows Pro or Enterprise editions to obtain the appropriate options to "tailor" protection against this. In public networks - it always risky. Windows Firewall has its own profile, and it is possible to further restrict areas. Then, this is why important to use something like AV, privacy and browsing protection things.

    If I were trying to add some kind of 'firewall' protection for potentially dangerous use of the network (local), I would probably look towards a more hardware solution (something like Firewall Home Edition by Sophos as a free option).

    About PASSWORD MANAGER.

    I think you could. Or do you mean that other companies do not support importing from F-Secure solutions? But F-Secure does not support import from many other solutions as well.

    The format in F-Secure exported file is essentially a plain JSON format. If someone supports this, they will probably either be able to import the exported file or it will be easy to add support (per customer request, for example). It's hard to somehow say that it limits you to having to use it for the rest of your life (or even it is not much different from any other Password Manager)

    Or am I missing something?

    About VPN.

    There are, at least, these feature requests. You can try to vote them. Sometimes a random 'upvote' will give a quick response. :)

    Split tunneling for FreedomeVPN on desktop (Windows) β€” F-Secure Community

    Split tunnel / exclude app feature for windows Freedome β€” F-Secure Community

    WireGuard Protocol in VPN home products β€” F-Secure Community

    Support of WireGuard protocol in Freedome β€” F-Secure Community

    About BANKINGBrowser.

    Wouldn't your own have the same potential threat from bugs, zerodays and other things?

    I don't actually know if they use Chromium in their browsers, but if so, then using one of the supported ones is just as or almost as safe. I think their concept has more of an advantage in that it creates an isolated environment for the browser. Something like virtualization or sandboxing. This may give an increase in protection, but it may also cause inconvenience. For example, it would be inconvenient for me to launch yet another browser each time for any "banking transaction". And which may have some limitations.

    If we ignore the point of inconvenience of use, then I would see a more "secure" scheme as using a one-time remote desktop (or sort of). For example, to carry out a banking transaction or a online payment / surf, we would connect to a server / virtual machine (configured or on-the-fly created with the best protection and security settings, located somewhere under the physical protection of F-Secure), a one-time virtual restricted system or browser window. Likely it is possible to do via our own browsers (so, to connect and use 'remote' system / browser via tab/website in your browser). I don't know how many possible limitations or security miscalculations (that is, on the part of the user and his browser in the direction of "remote browser window" in your tab) there may be here. Something like that I would consider interesting. but simply using β€œown” browser dedicated to safepay, protected browser or banking... not so much. Sure, it's robust, but F-Secure Banking Protection covers a lot of tricky vectors. And everything else - in theory - should be captured by other levels of protection or cause more harm than just during a banking transaction (like if malware already in the system and similar).

    In fact, I haven't tried any of them in a while - I'm not sure what their current state is. Maybe better than I could have imagined.

    Thanks and sorry for my opinions!

  • IceMan7
    IceMan7 Posts: 22 Enthusiast
    edited November 19

    @Ukko

    Thank you for your answers.

    I will add to what you wrote.

    1. Firewall

    Everyone knows that Windows has a firewall. However, not everyone is always behind NAT if they use their laptop in different places where they use the Internet. For some reason, Eset, Bitdefender or Norton and others have a built-in firewall, even though Windows also has one. It is always some additional protection against attack.

    I understand that the operation may be complicated for some. After all, you can introduce user-friendly or advanced modes. It is always better to have additional protection in the form of a firewall than not to have it ;) Of course, there is DeepGuard, but it is still not a firewall ;)
    That is why I asked a question for an F-Secure employee to explain why there is no built-in firewall in Fsecure Total. What is the reason for this. I know that everything has its pros and cons, but I would like to know F-Secure's position, why they do not use a firewall in AV solutions and what their answer is to this.

    2. PASSWORD MANAGER

    I do not use the Total package so I do not have ID Protection. I am interested in the Total package and use all solutions, including the password manager. From what I have read and you have written, there is a .jon format
    Is that true?

    But where are the other formats? The most commonly used are CSV. There are also encrypted jon, xml or zip.

    A small number of formats, limits ID Protection export or import to other solutions. And this causes discomfort and attachment to one solution for years. Today people like to have a choice

    ID Protection is no longer in Fsecure's offer as of today. Password managers are becoming increasingly popular and ID Protection seems to be standing still.
    Does F-Secure have any plans to develop this product, even with greater export/import capabilities?

    Where are passwords saved in ID Protection? In the program on the computer or in the cloud? How does synchronization between devices, for example Windows 10 and Iphone IOS, look like?

    3. VPN

    Here's a brief summary of what I mean. Even Bitdefender, which doesn't have its own VPN (and probably like most AVs don't have their own) has Wireguard or split-tunneling (it uses HotShield).
    It's not even about comparing it to typical VPN solutions on the market like Express VPN, Nord VPN, CyberGhost or Proton. Most of them just live with VPN.
    I compare it to AV packages that have VPN and their VPNs are better developed in this respect than F-Secure VPN.

    VPNs are developing, new security features, connection quality or speed are added. Wireguard is a newer protocol and therefore faster.
    That's why the question for Fsecure - are they even thinking about improving their Freedom VPN? In fact, Fsecure VPN looks like it's standing still in development compared to the competition that counts.

    4. Banking Protection

    An additional browser is of course a sandbox.

    Maybe this protection from Fscure during banking is also a sandbox?

    I would like to ask Fsecure why and what is the reason for using Banking Protection as a plug-in, where the competition has dedicated browsers for this. Why does the current banking protection in F-secure make sense and is better than solutions with a dedicated browser?

  • Ukko
    Ukko Posts: 3,737 Superuser
    edited November 20

    Hello,

    Thanks for your response. Again, just as a discussion among users. And I apologize for not being the desired source of information.

    Let me explain, I'm not saying that own firewall is not needed or will not make sense. I expressed my impressions of why it might not be used by 'any' cyber security company in their package.

    And also for myself, I distinguish the difference between "own firewall", "completely own firewall" (in terms of development), and also "is it possible to do the same thing with the capabilities built into the system". Acceptable for me would be: "completely own" and "built-in" one. The first one will be difficult for me to check the real reliability and strength, the second one is "obliged" to be reliable (but it’s not a fact that it will be). Besides this, I see value in "own firewall" only if it provides capabilities that are wider than those built-in and available by default.

    For myself, I would try to use a hardware solution (as I mentioned in the previous comment), then any available layer in software.

    Everyone knows that Windows has a firewall. However, not everyone is always behind NAT if they use their laptop in different places where they use the Internet. For some reason, Eset, Bitdefender or Norton and others have a built-in firewall, even though Windows also has one. It is always some additional protection against attack.

    I mentioned NAT, since this is just one of the mitigations for home users (they won’t have to "strain" that their devices face the open outside and are accessible to discovery from the outside, for example by using well-known tools and resources). This, however, does not help in any way or helps against certain use cases (both for good and for bad).

    And this is why the use of additional security tools is also recommended (AV, BP, VPN and so on).

    For public networks, Windows Firewall has its own profile. More "strict", by default. If desired, you can change and customize almost any further. I admit that I don't really know what the listed companies can offer in their firewalls, which cannot be done without them. It's quite likely that there must be something "exclusive" - I just don't really know what. Do you have any information about what types of attacks they would be particularly useful against?

    // and, for example, if I do not trust Norton - it is always some additional 'backdoor' and 'hole' as well.

    Some companies have ready-made technologies (which can be further improved or which can continue to be milked until they are no longer capable of anything), some have a huge or simply rather large budget. Some are simply good specialists and have access to constantly expanding talents (good local education, respected employer, interesting tasks), naturally such people will do something serious and powerful.

    // first later edit and remark: this is also good marketing and PR, even if your own firewall is not much superior to the one built into the system and available for free.

    I am quite sure that if there was "one answer", then F-Secure representatives would have long ago answered why they currently rely on the system Windows Firewall. There is more than one answer. On all sides.

    It would be more interesting for me, as I wrote in the previous comment - to quote - let's say if F-Secure started using a Firewall (rather than relying on the Windows Firewall), what would your requirements be for such a turnaround? Completely their own development from scratch? Or, maybe, interaction / cooperation with some partner who will provide a set of tools to implement this level / layer of protection? It should replicate all the basic and advanced functionality of Windows Firewall obviously, but what's in addition to that?

    Or just the point of not using Windows Firewall will be satisfactory? Or will it raise questions about implementation?

    I do not use the Total package so I do not have ID Protection. I am interested in the Total package and use all solutions, including the password manager. there is a .json format

    Is that true?

    Sorry for the confusion, if anything. But what specific thing is true?

    When you decide to export a vault (entries) from F-Secure KEY / F-Secure ID Protection / F-Secure TOTAL's Password Vault - you are asked for a master password, warned that the "contents" in the exported file will be in plain text and it is recommended to store it "reliably" or remove immediately after use. The export file will have a .fsk extension. The file itself will have a JSON structure.

    JSON (as a file format) is considered an open standard in principle (https://en.wikipedia.org/wiki/JSON). So, it's not something tricky that might be like vendor locking or something like that.

    But where are the other formats? The most commonly used are CSV. There are also encrypted jon, xml or zip. A small number of formats, limits ID Protection export or import to other solutions. And this causes discomfort and attachment to one solution for years. Today people like to have a choice

    You probably can't import encrypted ones to another password manager.

    More like for a backup (hence .zip mentioned). You can export with F-Secure password manager, then zip .fsk by 7zip or any tool to make an encrypted archive as well.

    I agree that F-Secure could try and write (implement) support for exporting their storage to (all) other solutions. But more often than not, this other solution must support and implement imports from other solutions.

    Especially if, in principle, there is nothing (probably) difficult in the format used specifically for this example. If the export format to F-Secure password manager were something wild and incomprehensible, difficult to support, then yes.

    Even more, I think JSON is quite a better choice than CSV. Perhaps others use it because it allows them to store some additional information as part of the functionality.

    Does F-Secure have any plans to develop this product, even with greater export/import capabilities?

    I saw in their 'publicly' available legal documents and 'investors' stuff (or elsewhere, but still publicly available on the site) - that - ID Protection is claimed to be "important" vector. As well as all-in-one type of solution (as F-Secure TOTAL is).

    // second later edit and remark: probably I got it wrong. I think it was not "ID Protection", but ID Monitoring and ID Theft things as mentioned by me 'important' vector.

    which doesn't have its own VPN (and probably like most AVs don't have their own) has Wireguard or split-tunneling (it uses HotShield).

    is this HotShield a Hotspot Shield?

    So, what if F-Secure also uses it someday? Is this suitable?

    Or should F-Secure implement Wireguard and split-tunneling support on its own?

    Does this introduce new security threat vectors for the user or the F-Secure infrastructure?

    An additional browser is of course a sandbox. Maybe this protection from Fscure during banking is also a sandbox? I would like to ask Fsecure why and what is the reason for using Banking Protection as a plug-in, where the competition has dedicated browsers for this.

    If Windows Home Edition took the β€œSandbox” feature (from the Pro, Enterprise and Educational editions) - then cybersecurity solutions could easily try to utilize this too. Without the need to maintain the browser build, test its functionality and, alternatively, fix bugs and vulnerabilities common to the engine used.

    A brief description of F-Secure Banking Protection design is available on website's pages and in Help/How-To guides and manuals.

    Banking Protection as a plug-in is the way to trigger 'feature', not the implementation of 'actions' or 'measures'.

    "in theory" - quite a lot of vectors are closed. One of the recent additions was the disabling of some Remote Control tools, which were often used by scammers in various schemes involving banking transactions.

    Thanks! And it will be good if specialists from F-Secure answer you. With more accurate, authentic and precise answers.

  • IceMan7
    IceMan7 Posts: 22 Enthusiast

    Hi
    I'm waiting and waiting.....No one from Fsecure will take up the gauntlet and explain with answers to the questions and threads asked? ;)

  • TVC15
    TVC15 Posts: 70 Active Engager
    edited November 30

    Hello @IceMan7

    With the detailed answers @Ukko replied with, you may not get any follow-up answer from an employee, or mod here, but in regards to your question, look through the thread below. Don't let the thread title throw you off, there are some good links in it that answers your question and more, in the replies posted.

    Where are passwords saved in ID Protection? In the program on the computer or in the cloud? How does synchronization between devices, for example Windows 10 and Iphone IOS, look like?

    As far as the Firewall, just consider it a done deal, F-Secure is never going to bring that back or start including one. What other vendors may do is their philosophy, F-Secure is well, F-Secure and you understand that going in purchase wise. When I was using Total and Internet Security, I was using the free version of Glasswire just to monitor the first outbound connection of an app and for the other information Glasswire contained. They got along nicely together :)

    Cheers :)

  • Ville
    Ville Posts: 736 F-Secure Product Expert

    I can give some answers but have to be a bit vague on certain topics, sorry.

    1. Windows firewall is perfectly good firewall and we don't see a reason to have our own.
    2. Having a CSV export would make sense, I'll make internal ticket about it. Passwords are saved in the cloud but we don' t save the master password to decrypt them.
    3. We are working on the VPN functionality, but I can't promise any dates or features.
    4. Here I would challenge the value of separate browser. The secure browser will anyways be based on open source engine, like Chromium, so it has the same bugs as the real browser. However, real browser will be patched immediately whereas the secure browser will need to be integrated to the security solution and released that way. Additionally, banks have all kinds of extra security applications for their logins and they are tested to work only with the main browsers, so secure browser could create all kinds of incompatibility problems with several banks.

    Also I would point out that the standalone applications Freedome and ID protection have been deprecated and the functionality is integrated to Total.

    Ville

    F-Secure R&D, Desktop products

Feedback on New Design