Vista Firewall Isn't Quite What It Seems
Posted by: Stephen Wildstrom on January 22, 2007
In a recent column on Windows Vista security, I wrote: "And the Windows Firewall is much enhanced. The XP version could block incoming attacks, but the Vista edition watches traffic both in and out of your system, which can help stop malicious programs from stealing data or spewing spam e-mails." It turns out this information, given to me by Microsoft just before Vista was shipped off to manufacturing in November, was wrong, or at least not meaningful.
In fact, Vista's firewall can monitor and selectively block both inbound and outbound network connections. But its default outbound policy allows any connection that is not blocked by a specific rule, and Vista ships with no rules prohibiting outbound connections. In other words, as configured out of the box, the outbound filtering does absolutely nothing; only the inbound blocking that XP already had is actually in effect.
Asked about the discrepancy, Vista group product manager Greg Sullivan says, "I'm sorry if I misunderstood your question." He goes on to make a case for the configuration Microsoft chose. First, he says, the firewall could give a false sense of security because "malware installed on the computer could change firewall settings to allow itself to connect." Second, "It's a high cost to pay for what we thought was not that much benefit. [Outbound filtering] breaks a lot of applications. The support burden it would generate for us and our partners, mostly manufacturers, is a very high cost to pay for very little benefit."
Some security experts agree, at least on the second point. Consultant Jason Fossen, who teaches classes on securing Windows for the SANS Institute, says an outbound firewall is "far less important than inbound filtering, good patching habits, frequent anti-virus/spyware updates, IE 7.0 Protected Mode, Vista user account control, or even using good passwords... It's a security issue of secondary importance at best."
One problem with outbound filtering is that it is very difficult for the software to know what to allow. Typically, personal firewalls that filter outbound traffic ship with rules allowing connections by common applications, such as Outlook, Internet Explorer, or Firefox. When any other program tries to connect, the firewall asks the user whether to allow or block it, and most people have no idea what program is asking for permission or whether they should grant it. The normal tendency is to say yes to everything, which defeats the whole purpose.
Microsoft, however, could have made it a lot easier for people who want to tighten their firewall settings to do so. Strangely, the firewall control panel, part of the Windows Security Center, does not let you set up outbound filtering. To do that, you have to grapple with the Microsoft Management Console snap-in called Windows Firewall with Advanced Security, a tool designed strictly for IT professionals. "We could have made it easier," admits Sullivan. "It's pretty obtuse how to get that turned on for the average user."
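For readers who want to see what "turning it on" actually involves, here is an added example (not from the column, and not Microsoft's documentation) that does from the command line what the Advanced Security snap-in does by hand: it flips Vista's outbound default from allow to block and adds the per-program allow rules a default-deny policy needs, covering the behavior described in the two paragraphs above. It uses netsh advfirewall, which drives the same firewall engine as the MMC snap-in. The program paths, rule names and backup file name are assumptions; adjust them to the machine. Run it from an elevated (administrator) prompt.

```powershell
# Added example: switch Vista's firewall to default-deny for outbound traffic
# with netsh advfirewall. Not code from the column or from Microsoft.
# Assumed values: the install paths and rule names below.

# 1. Back up the current policy so the change can be undone in one step.
netsh advfirewall export "$env:USERPROFILE\firewall-before.wfw"

# 2. Show the default action per profile. As shipped, every profile reads
#    BlockInbound,AllowOutbound: outbound packets that match no rule pass.
netsh advfirewall show allprofiles

# 3. Change the outbound default to block for all three profiles
#    (domain, private, public). Inbound stays blocked as before.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 4. Log dropped connections. Vista's built-in firewall never prompts for a
#    blocked outbound connection, so this log is the only way to find out
#    which application just stopped working.
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Without DNS and DHCP nothing resolves or renews an address; this is the
#    "breaks a lot of applications" cost Sullivan describes.
netsh advfirewall firewall add rule name="Allow DNS out" dir=out action=allow protocol=UDP remoteport=53 enable=yes
netsh advfirewall firewall add rule name="Allow DHCP out" dir=out action=allow protocol=UDP localport=68 remoteport=67 enable=yes

# 6. Per-program allow rules for the applications named in the text.
#    Paths are assumptions (Office 2007 installs to Office12; 32-bit defaults).
$allowed = @(
    @{ Name = "Allow Outlook out";           Path = "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" },
    @{ Name = "Allow Internet Explorer out"; Path = "C:\Program Files\Internet Explorer\iexplore.exe" },
    @{ Name = "Allow Firefox out";           Path = "C:\Program Files\Mozilla Firefox\firefox.exe" }
)
foreach ($app in $allowed) {
    if (Test-Path $app.Path) {
        netsh advfirewall firewall add rule name="$($app.Name)" dir=out action=allow program="$($app.Path)" enable=yes
    } else {
        Write-Host "skipping $($app.Name): $($app.Path) not found"
    }
}

# 7. Verify: the default action should now read BlockOutbound and the new
#    rules should appear in the outbound rule list.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out

# Caveat, which is Sullivan's first point: any process running with
# administrator rights can undo all of the above with a single command, so
# outbound filtering only constrains malware that has not already gained admin:
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# To restore the saved policy instead:
#   netsh advfirewall import "$env:USERPROFILE\firewall-before.wfw"
```

Two things this makes concrete. First, the "does nothing" observation is visible in step 2: the policy that matters is the per-profile default action, not the presence of the filtering code. Second, a program that is not on the allow list is dropped silently, with no prompt; on Vista the only feedback is the dropped-connection log enabled in step 4, which is why a default-deny outbound policy generates the support calls Sullivan is worried about.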