Vista Firewall hobbled? I think not.

I was reading a ZDNet article today about the Vista firewall being "hobbled" because it apparently won't support "outbound firewall protection by default", which is not quite correct. Of course it will still support inbound protection by default, just as XP SP2 does. In more detail: the outbound firewall is "on", but the default ruleset restricts system services from communicating directly; it does not restrict the interactive logon session...

What!? I hear you cry...

Vista is different, and it is all about layered defenses...

It's time to go back to basics here. What is a firewall designed to do?

For inbound traffic it's designed to protect you from people or malicious content trying to attack and break into your machine. In this case the threat is going to be layer 3 connections: remote services trying to connect to open UDP or TCP ports on your machine and then move up the stack. An inbound firewall is the best way to protect against this kind of attack. The only other way malware can then come into the machine is through a legitimate interactive application-layer path, such as a downloaded application, a web browser, an IM client or an email client.

What are the threats that an outbound firewall could potentially protect against?

Some scenarios are: something that hijacks a system service and tries to communicate out, and preventing applications you don't want your employees using in work time, like instant messenger clients or games, from being used in a business environment.

In the scenario of trying to prevent malware, spyware and trojans propagating, which affects the home user more than anyone, is an outbound firewall the best way to protect them? Of course not! It may be a last line of defense, but it shouldn't be the first line. Let's think about it... the malware has already infected the machine! The best place to protect the machine is to prevent the malware getting there in the first place.

In Vista's case we adopt a defense-in-depth approach; we have to, because no single mechanism protects against every scenario.

  • User Access Protection prevents malware from simply installing itself, as it can today on Windows XP, where the majority of users have local administrative access.
  • Internet Explorer in Vista is sandboxed to prevent malicious controls "escaping" outside of the IE process into the machine itself.
  • Windows Defender is installed by default to protect the machine in case the user has managed to let the malware get past these protection mechanisms.

And that's just a few of them. Outbound firewalling can provide a vain last-ditch attempt to stop the malware propagating, but in reality, if you're a clever malware writer, it's trivial to find out which ports are open (generally port 80 is) and propagate through those instead. By default the Vista outbound ruleset is aimed at ensuring that a hijacked service cannot propagate a trojan etc.

Outbound firewalling is actually much more useful in a corporate scenario, where you want to allow the applications you have approved to be used and block the ones you don't want from network access. Outbound firewalling is not necessarily the best way to prevent malware propagating; the best way is to prevent it getting there in the first place through multiple layered defenses at various levels of the operating system.
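As an added example, not from the original post, here is how the corporate "approved applications only" policy described above could be expressed with the Vista firewall's netsh advfirewall interface; the program paths and rule names are hypothetical placeholders.

```batch
@echo off
REM Added example (not part of the original post): allow approved
REM applications outbound, block everything else, using netsh advfirewall.
REM All program paths and rule names below are hypothetical placeholders.

REM 1. Record the current per-profile defaults before changing anything.
netsh advfirewall show allprofiles

REM 2. Keep the inbound default (block) and flip the outbound default
REM    from the shipping value of allowoutbound to blockoutbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 3. Allow only the approved applications out (hypothetical paths).
netsh advfirewall firewall add rule name="Approved - Mail client" dir=out action=allow ^
  program="C:\Program Files\ApprovedMail\mail.exe" enable=yes
netsh advfirewall firewall add rule name="Approved - Browser" dir=out action=allow ^
  program="C:\Program Files\Internet Explorer\iexplore.exe" enable=yes

REM 4. Explicit block rules for applications you do not want on the network.
REM    A block rule takes precedence over an allow rule, so this still holds
REM    if someone later adds a broad allow rule.
netsh advfirewall firewall add rule name="Blocked - IM client" dir=out action=block ^
  program="C:\Program Files\ExampleIM\im.exe" enable=yes

REM 5. Verify: list the outbound rules and the resulting profile defaults.
netsh advfirewall firewall show rule name=all dir=out
netsh advfirewall show allprofiles
```

Once the outbound default is blockoutbound, anything without an explicit allow rule (update agents included) stops talking to the network, so try this on a test machine before pushing it to the fleet.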

Jesper talks about this too in his blog; take a look.