Vista Firewall hobbled? I think not.

I was reading a ZDNet article today about the Vista firewall being “hobbled” because it apparently won't support outbound firewall protection by default. That is not quite correct. It will, of course, still provide inbound protection by default, just as XP SP2 does. In more detail: the outbound firewall is on, but the default ruleset restricts what system services are allowed to send out, not what applications running in the interactive logon session send…

What!?…I hear you cry….

Vista is different, and it is all about layered defenses…

It's time to go back to basics here. What is a firewall designed to do?

For inbound traffic it is designed to protect you from people or malicious content trying to attack and break into your machine. Here the threat is unsolicited network connections: remote hosts trying to reach open UDP or TCP ports on your machine and then move up the stack into whatever service is listening. An inbound firewall is the best way to protect against this kind of attack. The only other way malware can get into the machine is through a legitimate, user-initiated application-layer channel, such as a downloaded application, a web browser, an IM client or an email client.

What are the threats that an outbound firewall could protect against?

Two scenarios come to mind: something that hijacks a system service and tries to communicate out, and stopping applications you don't want employees using in a business environment, such as instant messenger clients or games, from reaching the network during work time.

For stopping malware, spyware and trojans from propagating, which affects the home user more than anyone, is an outbound firewall the best protection? Of course not! It may be a last line of defense, but it shouldn't be the first. Think about it: by the time outbound filtering comes into play, the malware has already infected the machine! The best place to protect the machine is to stop it getting there in the first place.

In Vista's case we adopt a defense in depth approach. We have to, because no single mechanism protects against every scenario.

  • User Access Protection prevents malware from simply installing itself, as it can today on Windows XP, where the majority of users run with local administrative access.
  • Internet Explorer in Vista is sandboxed so that malicious controls cannot “escape” the IE process into the rest of the machine.
  • Windows Defender is installed by default to protect the machine if the user has managed to let the malware get past these protection mechanisms.

And that's just a few of them. Outbound firewalling can provide a last-ditch attempt to stop malware propagating, but in reality, if you're a clever malware writer, it is trivial to find out which outbound ports are open (port 80 generally is) and propagate through one of those instead. By default the Vista outbound rules are aimed at ensuring that a hijacked service cannot propagate a trojan and the like.

Outbound firewalling is actually much more useful in a corporate scenario, where you want to allow the applications you have approved and block the ones you don't want from network access. Outbound firewalling is not necessarily the best way to prevent malware propagating; the best way is to prevent it getting there in the first place, through multiple layered defenses at various levels of the operating system.
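To make the two points concrete (the default outbound action being Allow, and the corporate allow-list model just described), here is an added example that is not from the original post and not Microsoft's own configuration guidance. It uses the netsh advfirewall interface that ships with the Vista firewall: it first displays the per-profile policy, then switches the domain profile to a default outbound block with explicit allow rules for approved programs, and shows the alternative of keeping the default and blocking one unwanted program. The rule names, program paths and backup location are assumptions for illustration.

```powershell
# Added example: inspect and change the Vista firewall's outbound policy with
# netsh advfirewall. Run from an elevated PowerShell prompt. Rule names, program
# paths and the backup path are illustrative assumptions, not the post's own.

# 1. Show the current per-profile policy. On a default install each profile
#    reports "BlockInbound,AllowOutbound": outbound filtering is active, but the
#    default action for traffic matching no rule is Allow, which is why a
#    hijacked interactive process can still talk out on port 80.
netsh advfirewall show allprofiles

# 2. Export the current policy so the change below can be rolled back.
$backup = Join-Path $env:TEMP 'firewall-before-outbound-block.wfw'   # assumed path
netsh advfirewall export $backup

# 3. Corporate allow-list model: default outbound Block on the domain profile
#    only, leaving the private/public profiles (home use) untouched.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

# 4. Explicit allow rules for the programs the business has approved.
#    Paths are assumptions; point them at your own approved binaries.
$approved = @{
    'Approved: Internet Explorer' = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    'Approved: Outlook'           = "$env:ProgramFiles\Microsoft Office\Office12\OUTLOOK.EXE"
}
foreach ($name in $approved.Keys) {
    netsh advfirewall firewall add rule name="$name" dir=out action=allow `
        program="$($approved[$name])" profile=domain enable=yes
}

# 5. The other model from the post: keep the default outbound Allow and add a
#    block rule for a specific program you do not want on the network.
#    (Block rules win over allow rules when both match.)
$blocked = "$env:ProgramFiles\SomeGame\game.exe"   # assumed path
netsh advfirewall firewall add rule name="Blocked: SomeGame" dir=out action=block `
    program="$blocked" profile=domain enable=yes

# 6. Verify what the outbound rule set now looks like.
netsh advfirewall firewall show rule name=all dir=out |
    Select-String -Pattern 'Rule Name|Action|Program'

# Roll back with:  netsh advfirewall import $backup
```

Note that the Vista firewall does not prompt when an outbound connection is blocked; a program that matches no allow rule under a default-block policy simply fails to connect, so keep the exported backup handy while building the allow list.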

Jesper talks about this too in his blog – take a look


Comments (4)

  1. Anonymous says:

    There is an ongoing debate [1] [2] ever since Microsoft announced that outbound filtering in Windows Vista's firewall will be turned off by default. Obviously, Microsoft again valued usability above security. Whereas I understand it

  2. Anonymous says:

    Security was an area that received special attention in the development of

  3. tony says:

    OK, with the new Windows Activation crap being foisted upon us, outbound connections need to be monitored no matter what you say. Yes, WA is not currently opening a session with a server, but we can't trust MS at all on this. And I'm an MS fan, so just think what the rest of the linuts are thinking. Yes, what rights does somebody have when they are utilizing stolen software? Well, they have none. Here's a good question: why turn it off? What's the reasoning? It's just one more layer of protection that has very little, if any, impact on the overall user negative experience.

  4. mkleef says:

    Ah! So there are two statements you've made here:

    1. Windows Activation is not about security. Additionally, aside from the initial activation, nothing else happens. The outbound firewall additionally doesn't monitor anything, and if switched on will prompt for each application to be allowed.

    2. You've assumed that the impact to the user would be low if we switched it on by default. A relative of mine has ZoneAlarm. She was so annoyed and confused by the continual prompts for access and applications that would work that she asked me to take it off. For the novice user a constantly prompting firewall is an annoyance and provides limited security benefit due to their low understanding of what it's prompting about. That said, we do plan to have OneCare Live services manage the firewall, both incoming and outgoing, which the user can subscribe to. It can automatically configure it based on what applications you have.