Microsoft touts Windows Vista as giving significant security improvements over Windows XP, and it offers the Windows Firewall, with its new two-way filtering feature, as one reason for that better security. But as shipped, the Windows Firewall offers little outbound protection, and it’s not clear how outbound protection can be configured to protect against spyware, Trojans and bots.
Software firewalls are a decent thing to have, but shouldn’t be relied on as the soul protection.
Some people use these things as front line protection, and don’t care what they do because they have a firewall, and so must be 100% protected.
Nothing is going to beat a hardware firewall that’s been configured to block everything in and out, and then go and open just the ports they need.
It does not really surprise me with the Windows Firewall; XP’s firewall was next to useless. I’ve never seen it block anything yet, and when I was testing Vista I didn’t notice it doing much either.
MS aren’t all that great security-wise; let some of the other companies do that.
For soul protection, I’d recommend a church.
That’s an interesting stance to take, the only real difference between a software firewall and a hardware firewall is that the second usually runs, in software, on an embedded computer.
Of course some software firewalls allow silly things like UPNP and application-specific settings, but for a decent software packet filter, it doesn’t really matter if it runs on a black box or on your local system, apart from, I guess, the danger of malware disabling a local firewall from within.
“Nothing is going to beat a hardware firewall that’s been configured to block everything in and out, and then go and open just the ports they need.”
Maybe 10 years ago. The bad guys figured out quickly that the easiest way through corporate/institutional firewalls was to fall back to port 80 if nothing else works; that’s why a lot of networks had a hell of a time blocking Napster use back in the day. The corporate/institutional customers are now using firewalls with deep packet inspection and no longer rely on port requests alone for access control determination, but that tech just isn’t there yet for home users relying on Linksys or Netgear cable modems.
Even so, a lot of companies are rolling out third-party software firewalls for internal desktop use or require them as a prerequisite for remote users on VPNs. I wouldn’t discount their value. For home users, regulating outbound at the system level is far more effective, with the drawback that it can be confusing figuring out which apps should be permitted.
But I agree that security is best left to third parties. Relying on Microsoft is better than absolutely nothing else, but far from ideal. Better to have a layer of isolation between your application and security vendors.
How can Microsoft fail to write a good firewall? Do they hire monkeys?
Or as so many with or without tinfoil hats say, why make it more secure if they can make more money by selling it as a standalone product? (Live OneCare)
I think they might get a hard time if this thing gets dragged into a court.
While it’s true outbound is not blocked by default… In fact YOU CAN block all outbound unless it matches a rule…
1. Control Panel, Administrator Tools, Windows Firewall with Advanced Security, Windows Firewall Properties. Outbound connections: BLOCK
or
2. From an administrative command prompt: netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
or
3. Just type “Windows Firewall with Advanced Security” (no need to type the whole thing) from the Start Menu and configure as stated in the previous post.
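The default-deny outbound policy from the posts above, followed by explicit per-program allow rules and a check that the policy took effect, as an added example that is not from the thread. It uses only the netsh advfirewall commands of Vista’s Windows Firewall with Advanced Security; the program paths are assumptions, and the script must run from an elevated prompt.

```powershell
# Added example: default-deny outbound on every profile, then allow named programs.
# Program paths below are assumptions; point them at the binaries you actually use.
$allowedPrograms = @{
    'Allow Firefox outbound' = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Allow Thunderbird outbound' = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'
}

# 1. Block inbound and outbound by default for domain, private and public profiles.
#    Traffic that matches no allow rule is silently dropped from this point on.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Add an outbound allow rule per program. Rules are keyed on the executable path,
#    so a renamed or replaced binary does not inherit the permission.
#    Service-hosted traffic (anything running inside svchost.exe, e.g. Windows Update)
#    is NOT covered here: allowing svchost.exe outright would allow every service.
foreach ($name in $allowedPrograms.Keys) {
    $path = $allowedPrograms[$name]
    if (-not (Test-Path $path)) {
        Write-Warning "Skipping rule '$name': $path not found"
        continue
    }
    netsh advfirewall firewall add rule name="$name" dir=out action=allow program="$path" enable=yes
}

# 3. Verify. Each profile's 'Firewall Policy' line should now read BlockInbound,BlockOutbound;
#    if any still says AllowOutbound, the policy change did not apply (usually: not elevated).
$policyLines = netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
$policyLines
if ($policyLines | Select-String 'AllowOutbound') {
    Write-Warning 'At least one profile still allows outbound traffic by default.'
}

# 4. List the outbound rules that are now in force, to review what was actually allowed.
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name|Program|Action'
```

Expect some programs to stop working after step 1 until their rule is added; that is the trade-off the later posts describe.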
Blocking outbound connections is mainly a technique to cut down on bot-net style infestations. The kind of users who are most likely to be unknowing bot-net members are those who don’t know how to, and aren’t interested in configuring Windows firewall.
“The kind of users who are most likely to be unknowing bot-net members are those who don’t know how to, and aren’t interested in configuring Windows firewall.”
That’s the hell of it. If you’re knowledgeable enough to know which programs/services should be granted access to the net and which shouldn’t, then you’re also probably someone who already follows sensible practices for avoiding malware anyway.
“While its true outbound is not blocked by default… In fact YOU CAN block all outbound unless it matches a rule… […] Outbound connections: BLOCK”
What action exactly does “block” refer to? As far as I know, if you do a portscan on a machine, all ports that are not in service answer a connection attempt with a RESET packet instead of doing nothing (which makes packets disappear).
…because your average “user friendly” Linux or Mac OS X system has no outbound firewall whatsoever*, they only block inbound traffic (and even that is turned off in a default OS X installation).
* I know you can set one up if you’re a 1337 h4x0r, but if it’s not in the UI, it practically doesn’t exist for 99% of the users.
And even if you had UI tools like in most commercial software firewalls in Windows, what good is it if people just click Allow on everything? The main problem with firewalls is that most people don’t know what programs they need and thus click Allow in all programs to make sure they work.
I’m kind of amazed that we haven’t seen any antivirus-type firewalls. So instead of letting the customer choose if a program is good or bad there would be a list of commonly known programs that will be blocked always. Maybe a 1337 h4x0r wouldn’t want it, but then he could just make his own config; at least make stuff easy for common people.
In many cases these ‘extra security’ features stuff up basic operations of a mail application – I worked at an ISP, and the number of people who used to ring up, unable to log onto the mail server after installing a ‘security suite’, was more than I could imagine.
The better thing is this; tell end users, don’t open up attachments, don’t go to dodgy websites, and voila, instant security; for me, I strip off all attachments; if you want to give me something, you can copy and paste it into the email or upload it to a filesharing facility for me to download it off – aka Yahoo Briefcase for example.
Every recent version of Suse, Fedora, and RHEL that I’ve tried insisted on enabling their default firewall rules at install time, and gave dire warnings if I chose to disable it.
Your average Linux or Mac is MUCH less susceptible to trojans in the first place, which makes outbound blocking MUCH less important than on Windows.
That said, ANY Linux firewall can be configured to block outbound fairly easily.
Why write articles like this when they are false?
Microsoft has a very good outbound/inbound firewall… however due to massive gripes during early betas they decided to disable the outbound firewall by default.
The firewall is present but outbound checking is turned off…
Look at the gripe they got over the UAC dialogs, and I’m sorry but those are the least obtrusive things ever; I don’t mind them a bit, but the world was in uproar over them like idiots. You wanted more dialogs for new outbound connections as well? Give me a break.
BTW I work at an ISP and I agree with kaiwai; I’ve had hundreds of calls over mail issues because people don’t actually understand their firewall or security suite.
“What action exactly does “block” refer to? As far as I know, if you do a portscan on a machine, all ports that are not in service answer a connection attempt with a RESET packet instead of doing nothing (which makes packets disappear).”
NMAP reports the same result as scanning a dummy IP when the Vista firewall is turned on, even with -P0 option.
BTW, this has nothing to do with outbound filtering.
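A way to check for yourself what the nmap observation above means, as an added example that is not from the thread: from a second machine, a TCP connect to a closed port on the firewalled host either gets a reset (connection refused, the behaviour the question describes) or gets no answer at all (the Vista firewall’s drop, which is why nmap sees the same as a dummy IP). The target address and port are assumptions; use a host you administer.

```powershell
# Added example: classify how a host answers a TCP connect to one port.
#   'open'    -> handshake completed
#   'refused' -> a RST came back, so the port is closed but reachable (no packet filter)
#   'dropped' -> nothing came back within the timeout, i.e. the firewall discarded the SYN
function Test-PortResponse {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # WaitOne returns $false when neither SYN-ACK nor RST arrived in time.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'dropped'
        }
        $client.EndConnect($async)   # throws if the remote side answered with RST
        return 'open'
    } catch {
        # Connection refused (or host unreachable) surfaces here as a SocketException.
        return 'refused'
    } finally {
        $client.Close()
    }
}

# 192.0.2.10 is a documentation address used as a placeholder; replace it with your own host.
# Port 135 is used because it is closed on most hardened hosts but answers on an unfiltered one.
Test-PortResponse -TargetHost '192.0.2.10' -Port 135
```

Run it once with the Vista firewall on and once with it off: the result should flip from ‘dropped’ to ‘refused’ for a closed port.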
“Every recent version of Suse, Fedora, and RHEL that I’ve tried insisted on enabling their default firewall rules at install time, and gave dire warnings if I chose to disable it.”
I think the point is that while all major OSes have a firewall, few if any implement outbound filtering by default.
From Fedora’s documentation…. “By default the firewall is enabled, with a simple set of rules that allow connections to be made from your system to others….”