There’s been a lot of heat, but little light, in the discussion over whether Microsoft has crippled the firewall in Vista. From what I can gather, it appears that they’ve made a big mistake in turning off a vital firewall feature.
The big complaint about the XP firewall was that it didn’t block outbound connections, and only handled inbound connections. That’s a big problem, because spyware, Trojans, and other malware frequently make outbound connections without your knowledge. Firewalls like ZoneAlarm block both outbound and inbound connections, and are far superior to the XP firewall.
So I was initially pleased to hear that Microsoft was including outbound protection in the Vista firewall.
But now, it’s not so clear that it will even include that protection. Business editions of Vista will have outbound protection — but that protection will be turned off by default. Sys admins will be able to turn it on, and perhaps individual users can as well.
That’s bad enough. Here’s a bigger problem, though: It’s not clear that consumer versions of Vista will include outbound firewall protection. I’ve heard rumors that it won’t. And on the beta of Vista that I have, there’s no outbound protection. There’s not a checkbox anywhere to turn it on — at least, not one I can find.
I’m hoping that’s just a beta problem; I’d prefer not to run a second firewall in addition to the one that ships with Vista. And I’m sure that I’m not alone.
I think that last paragraph, for me, would be "I don't want to have to buy a second firewall". Heck, if I did I'd just turn the Vista firewall off completely and use the third party product.
I think Microsoft is screwed whichever way they go: include a proper software firewall and annoy a lot of third-party security vendors; don't include a proper firewall, and piss off a bunch of customers who now have to buy one or go without.
The thing is, the consumer versions really need the outbound firewall.
Why, exactly, do people want outbound firewalls? (I'll shorten that to 'OBF').
Really. Stop and think about this for a minute. If malware is running on your system, against your wishes ... it has probably already attained Admin privs. So it can shut off the OBF. Bottom line, you are depending on an already compromised network node to protect all the other network nodes. Not smart!
If you want an OBF for some other reason, such as privacy concerns ("I want to know when ProgramX does that call home thing"), then, yes, you're being reasonable again. You've set your sights on an attainable goal.
Re-think your assumptions. Basically, an OBF maintains a list of things that are permitted to network, disallowing anything that's not on the list until some approves it. OK ... if we're going to maintain such a list, why not keep a list of things that are allowed to execute instead? Now, you can keep programs you did not approve from running at all, and protect your own network node as well as all the others! (Remember, an OBF does nothing to prevent malware from damaging your computer; it just tries to stop malware from getting onto other computers. Which, as I already noted, is kinda silly.
Check out prevx for a system that keeps malware from running in the first place. It's a much better way to go!
(And no, I don't have any relationship with prevx other than that I use their software.)
Administrative privlege is a phantom threat anyway.
At best, an outbound firewall can provide a warning that an attack is already under way. However, users are far more likely to blindly click "OK" than to read the warning -- most malware/spyware is installed via social engineering, and the user believes the application is doing what they want for it to do.
You don't need administrative access to do what most malware and spyware does -- you don't need it to read the user's mailbox, you don't need it to read their quicken/money files, and you don't need it to monitor keystrokes in the current session (and all of this goes for Linux and FreeBSD as well).
Using FireFox, browse to toolbar.google.com and install it. You'll find you don't need administrative rights to install it, and the page rank feature (if enabled) certainly allows them to know what sites you are browsing. It as easily could collect keystrokes.
Preventing outbound connection is like trying to put your finger in the dike -- the attacker can compromise Internet Explorer and FireFox, for example. They know these applications have permission, and they can use local IPC to communicate with them, which won't even be detected by a firewall program. They can send the data out via Internet Explorer or FireFox, in a background thread while the application is completely unimpacted.
When you put your finger in one hole, another hole opens.
As far as buying another firewall goes, Microsoft has to preserve the firewall market. The reason that they have to preserve it is that if they do something to eliminate it, they'll get hit with anti-trust again. It is a very fine line "how much do I provide" to have basic, adequate protection and not get slapped with a lawsuit by some heavy hitters (Symantec, etc.).
Admin privileges are not a "phantom threat", Dave. True, a lot of malware can do damage -- ranging from petty to not horribly inconvenient -- as a non-priv user account...but there are whole classes of damage (usually more long-term) that can be prevented if the malware can't escalate to admin privs. Rootkits, for example.
There's an awful lot of current malware that relies on being run as a local admin in order to get installed and do what it needs to do. Neutering this capability isn't 100% protection, but no measure is. It does, however, nullify a lot of crap immediately and reduce the effectiveness of much of the rest.
Point blank -user education and taking preventive measures is the key to keeping their one little machine protected. Just having anti-virus and anti-spyware isn't good enough if they don't ever update the virus definitions and strings. Your average user doesn't have a clue about the most commeon things like this.
I think Microsoft should include the Firewall on their Home Operating Systems with the default set to "Disable" and let the Home user decide whether to enable it or not. A home user would probably get angry if they can't get a program the just bought and installed to work properly because the firewall is blocking it.
Our computer is connected to the internet almost 24/7 and we can simply not use a firewall to protect ourself. At minimum, any computer connected to the Internet needs to have all current patches to its operating system and browser installed as well as personal firewall, antivirus and anti-spyware software. A more complete solution is taking a layered approach to protect your security and privacy.
A firewall prevents some communications forbidden by the security policy, analogous to the function of firewalls in building construction. A firewall is also called a Border Protection Device (BPD). A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust).
My place for free firewalls is therefore:
http://www.freespamfilter.nl/uk/firewall.htm
They always have the latest and best firewalls available and have good reviews of all firewalls.
Jennifer