SP2's firewall is not good enough
Published: 12 Aug 2004 11:15 BST
Microsoft's entry into either the personal firewall or antivirus markets -- with minimally acceptable protection that could allow users to forgo third-party products -- could spell doom for scores of products and the one-trick pony vendors behind some of them.
But Zone Labs' Felman insists that while Microsoft can throw all the resources it wants at improving its firewall or developing a new product from the ground up, the software giant's offerings will still be light years behind those of dedicated security vendors. Felman says that smaller, nimbler companies like Zone Labs can respond much faster to the market. Zone Labs' pre-SP2 launch of WMI support is certainly evidence of that conviction.
The new Windows Firewall offers more evidence that Felman may be right. Perhaps ten percent of Windows users run a personal firewall. And though that number may go up once SP2 and its default-to-on firewall penetrate the market, the Windows Firewall falls so far short of what a world-class personal firewall should be capable of that those relying on it (and those whose Security Centres show a firewall as being "on") may be lulled into a false sense of security. For the 90 percent of Windows users not running a personal firewall, the new and improved firewall in SP2 may be better than nothing, but it's just not good enough. I, for one, would never rely on it.
As I've reported before, the Windows Firewall lacks outbound blocking, a staple of most third-party personal firewall products and, I believe, an absolute requirement. Inbound blocking -- something which all firewalls (including Microsoft's new one) do -- is what keeps illegitimate traffic from entering systems and networks through networking channels known as ports. But what inbound blocking doesn't do is keep a malicious payload from piggybacking on legitimate traffic such as email or Web traffic going to Outlook or Internet Explorer.
Once a malicious payload gets in, the job of stopping it shifts from the inbound firewall to something internal to your network or workstation -- like your antivirus or anti-spyware software. But, in the cat-and-mouse game of security solution developers vs. hackers, there are some pretty clever mice. And, as was demonstrated by at least one recent exploit of a vulnerability in Internet Explorer, there are certain exploits that anti-anything (virus, spyware, pop-ups, etc.) products are powerless against. What's your last line of defence to keep one of these exploits from phoning home? Outbound blocking -- a feature that the Windows Firewall lacks.
As Zone Labs' implementation of SP2 compatibility demonstrates, the absence of outbound blocking isn't the only significant weakness in the Windows Firewall. Should a third-party firewall like Zone Alarm get uninstalled, Microsoft would obviously want the Windows Firewall to be turned back on. But Zone Labs' Felman says that, as easily as his company can programmatically turn the firewall back on, it can also turn it off, as long as the user is logged in with administrative rights (which most Windows XP users are). In light of that, Felman poses the rhetorical question, "If we can turn it off, then why can't the hackers?" In addition, Felman notes that third-party software providers can programmatically make additions to the inbound blocking exception list.
Microsoft officials have repeatedly downplayed the significance of the outbound blocking feature's absence, arguing that once malicious code is on a system, it's a game-over situation anyway. This would be true in Microsoft's case even if the Windows Firewall had outbound blocking, because the firewall can be programmatically turned off. But Felman claims that more can be done and points to Zone Labs' "Total Lockdown" technology as evidence not only of how much further Microsoft must go to bring its firewall up to snuff, but how innovative security suite providers like Zone Labs might be able to stay steps ahead of Microsoft's ever-evolving security solutions.
Felman described Total Lockdown as a technology that prevents programmatic disabling of Zone Labs' firewall. "You can use commands at the Windows command prompt, such as NET STOP, to shut down our user interface," said Felman. "But, if the UI is disabled, our driver goes into a lockup mode, which makes it impossible for the rules that were set while the UI was active to be changed. Any in- or outbound network activity that isn't explicitly allowed by the pre-existing rules is blocked. Basically, there's no way to disable it unless you reboot the machine and uninstall the software."
Are the third-party products from Zone Labs, Sygate and others as good as they can be?
Hardly. For example, there's still a glaring absence of actionable information when a personal firewall catches a software component trying to access the network for the first time. When this happens, firewalls generally ask the user if the behaviour should be allowed. But the information provided is often too cryptic for mere mortals to tell if it should be allowed or not. Just today, after running Windows Update on my system, Sygate Personal Firewall Pro detected that a component of the operating system was physically changed. But, what was missing was something that told the firewall that the change happened as a result of a legitimate update. When I was asked to approve or disapprove, I had no idea what to do.
Something similar started happening as a result of the latest Windows Update -- the one that finally addresses the Download.Ject vulnerability with a patch rather than a configuration change. Now, Internet Explorer double-checks with the user before it engages in any cross-domain activity. But the prompt to allow or disallow it offers no clues as to whether the behaviour is normal for the site you're visiting.
Yet another feature missing from firewalls is an easy way to whitelist or blacklist the domains our browsers are permitted to reach. It can be done, but you have to be a rocket scientist to do it. What would be better is a prompt so that every time our browsers try to reach a new domain on the Internet, the firewall says, "Hey, I've never been here before, should we whitelist this site?" That would offer a measure of comfort in knowing that some malware isn't going to come in, hijack my browser, and send confidential information via the Web to a Russian organised crime site -- a transmission that would otherwise be allowed if all I did was tell my firewall that my browser is allowed to go out to the Internet (which is the level of granularity at which most personal firewalls are configured to operate).
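To make the argument concrete, here is an added toy model (not code from the article, Microsoft or Zone Labs) of the three filtering granularities discussed above -- inbound-only, per-application outbound, and per-application-per-domain outbound -- together with a fail-closed rule store in the spirit of the "Total Lockdown" behaviour Felman describes. Process names and hostnames are constructed placeholders.

```python
# Added example, not the article's or any vendor's code: a toy model of the
# firewall granularities the article contrasts, and a fail-closed rule store in
# the spirit of the "Total Lockdown" description. Traffic is constructed data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    direction: str  # "in" = unsolicited inbound, "out" = locally initiated
    app: str        # process owning the socket ("-" for inbound probes)
    dest: str       # remote domain for outbound ("-" for inbound)
    port: int

EVENTS = [  # constructed sample connections; hostnames are placeholders
    Conn("in", "-", "-", 445),                        # unsolicited inbound probe
    Conn("out", "iexplore.exe", "news.example", 80),  # ordinary browsing
    Conn("out", "iexplore.exe", "c2.example", 80),    # hijacked browser phoning home
    Conn("out", "outlook.exe", "mail.example", 110),  # mail client
]

def inbound_only(conn, rules):
    """SP2-style filtering: drop unsolicited inbound, allow every outbound."""
    return conn.direction == "out"

def per_app(conn, allowed_apps):
    """Usual third-party default: outbound allowed per approved program."""
    return conn.direction == "out" and conn.app in allowed_apps

def per_app_domain(conn, allowed_pairs):
    """The finer grain the article asks for: approval per (program, domain)."""
    return conn.direction == "out" and (conn.app, conn.dest) in allowed_pairs

def permitted(policy, rules):
    """Destinations a policy lets through, for side-by-side comparison."""
    return [c.dest for c in EVENTS if policy(c, rules)]

class LockdownEnforcer:
    """Rule store that freezes once the managing UI is gone and denies
    anything not explicitly allowed, so killing the UI cannot open it up."""
    def __init__(self):
        self.rules = set()      # (app, dest) pairs allowed outbound
        self.ui_active = True

    def allow(self, app, dest):
        if not self.ui_active:
            raise PermissionError("rules are frozen while the UI is down")
        self.rules.add((app, dest))
    def ui_stopped(self):       # the user-interface process was shut down
        self.ui_active = False
    def decide(self, conn):
        return per_app_domain(conn, self.rules)
```

Running `permitted` over the three policies shows that both the inbound-only and the per-application policies let the browser's connection to the unknown domain through, while only the per-domain rule set stops it.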
Indeed, as Felman says, with so much work still to be done on personal firewall technology, the dedicated vendors may well stay ahead of Microsoft. But, should Microsoft go out and buy a big security provider (as it is rumoured to be looking to do), the entire game will change.