
Outward bound with Vista's new firewall

Robert Vamosi CNET

Published: 06 Jun 2006


I feel passionately about having a personal firewall on a desktop PC -- especially a home PC. A fair number of malware programs can be stopped at the Internet gateway, before they get to your desktop, creating an in-depth defence. Recognising this, Microsoft changed the default setting for its Windows Firewall in Windows XP SP2 from Disable to Enable. But the Windows XP SP2 firewall blocks only inbound connections -- useful, yes, but this also means that if you have spyware living on your PC, it'll still be able to phone home as an outbound connection.

So I recommend that everyone using Windows XP SP2 also use trusted third-party firewalls from CheckPoint (makers of ZoneAlarm) or security vendors, such as Trend Micro. With Vista, Microsoft says it's finally including 'bidirectional filtering as well as integrating IPSec protocols'. Microsoft also assures me that in Windows Vista all inbound connections will be blocked by default, whereas all outbound connections will be allowed by default, other than by exception. What does that mean? Well, it's less than you might think.

Two firewall consoles
Because I'm running the current Windows Vista beta 2, which contains every available feature, I'm able to access both Windows Firewall controls. Both? Yes, Microsoft has two different locations within Vista to configure your Windows Firewall -- and they do different things.

First, there are the familiar Security Center firewall settings, which, oddly, make no mention of inbound or outbound blocking. There's the General tab, with options to turn the firewall on or off; the Exceptions tab, with pre-selected choices; and the Advanced tab, which can enable ICMP or reset the default settings. Given the basic nature of this console, I fear that for convenience, Microsoft is planning to provide Home versions of Windows Vista with this console only. There is no opportunity to configure outbound settings and no mention of outbound Internet traffic at all.

For a more granular view of Internet traffic, you'll need the second firewall configuration tool, named Windows Firewall With Advanced Security. Sadly, I suspect this second control panel will be left out of the Home editions and available only in the Business and Enterprise editions because, among other things, you can import and export group policy. Most home users will not need to set group policies.

One, two, three different rule sets
Yet, it is here within this second console that you can configure the inbound and outbound traffic settings: from within the Windows Firewall With Advanced Security screen, click Windows Firewall Properties. But wait, there's more. With Windows Vista, Microsoft has wisely decided that when you are on a corporate network, you should have one set of firewall rules; when you're out at an Internet café, you'll need another set of rules; and when you're at home, you'll need a third.

Many personal third-party firewalls currently differentiate connection scenarios, but they do so behind the scenes. Microsoft seems to be making the process of configuring a personal firewall much more complicated than it needs to be. And by allowing all outbound traffic other than by exception, there's no way you can anticipate malicious behaviour running on your PC to create rules against it. For example, if you run or install a CD laden with rootkits or spyware on your Vista desktop, you might regret not having true two-way protection.
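
As an added example (not part of the original article): the per-profile default described above, inspected and switched to default-deny outbound from an elevated command prompt. It assumes the `netsh advfirewall` syntax of released Windows versions rather than the beta 2 console the article describes; the rule names and backup path are illustrative.

```bat
rem Added example; rule names and the backup path are constructed for illustration.

rem 1. Inspect the three profiles (domain, private, public). With the default
rem    described in the article, each "Firewall Policy" line reads
rem    BlockInbound,AllowOutbound.
netsh advfirewall show allprofiles

rem 2. Save the current policy so the change can be rolled back.
netsh advfirewall export "%USERPROFILE%\firewall-before.wfw"

rem 3. Default-deny outbound on the public profile only (the Internet cafe case).
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

rem 4. Explicit outbound exceptions: DNS lookups, and web traffic for one
rem    named program. Anything without a matching allow rule is now dropped.
netsh advfirewall firewall add rule name="Example - DNS out" dir=out action=allow protocol=UDP remoteport=53 profile=public
netsh advfirewall firewall add rule name="Example - IE web out" dir=out action=allow program="%ProgramFiles%\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443 profile=public

rem 5. Confirm the public profile now reports BlockInbound,BlockOutbound.
netsh advfirewall show publicprofile

rem Roll back if needed:
rem netsh advfirewall import "%USERPROFILE%\firewall-before.wfw"
```

With outbound set to block, every program that needs network access requires its own allow rule, which is the trade-off between the shipped default and the two-way protection argued for above.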

So?
Over at ZDNet (US), my colleague at TechRepublic George Ou disagrees with me that the lack of outbound blocking in Vista's new firewall should be a big deal. George argues that Vista already runs all users in a restricted mode, runs IE 7+ in 'a jail cell', and stops new exploits with hardware-enforced DEP. His principal argument is that third-party firewall applications, such as ZoneAlarm, actually expose users to the very exploits they are supposed to guard against by creating an external layer of security over the operating system layer of security. George also notes that the Windows Firewall built into XP SP2 has never had any remote exploits.

I agree with what George says for the most part. But he goes on to state that what's left out of Windows XP and Vista firewalls can easily be centrally managed via Microsoft Active Directory. While that may be so, if you're on a home PC without a network, what good is that?

Think different, demand better
I think that the Windows Firewall in Vista could and should be better. And there's still plenty of time before the final release of the product (now expected in January 2007). But in the next few months, look for third-party firewalls to eclipse the current capabilities found in the Vista Windows Firewall. According to ZDNet's Dan Farber, this year's upcoming release of Symantec Norton Internet Security will be less noisy. He quotes John Thompson, CEO of Symantec, as promising that the new Norton firewall 'will know where you go frequently. If we can tag that you have been before, we won't bother you'. And CheckPoint ZoneAlarm 6.5 products will have even more protection features than are currently available.

In Windows Vista, Microsoft will provide the very minimum in security. But if you really want to secure your computer, you'll need to factor in the cost of a good third-party application.
