When is a personal firewall not truly a firewall? How about when it's made by Microsoft? Last week I listed how home users won't see all of the "new" security features available within Windows Vista, the new operating system from Microsoft. One of those "new" security features is the Windows Firewall, available in all editions of Windows Vista. The Windows Firewall is of course not new; it's already available in Windows XP SP2, but there it works only one way, that is, it only blocks unsolicited inbound connections. In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that's hardly worth the upgrade.
What's what
Let's define terms. Within the new Windows Firewall with Advanced Security on Local Computer console, after clicking Continue on the trivial User Account Control dialog box, you will see that both inbound and outbound connections are now represented. Further, inbound and outbound connections are either allowed or blocked for three distinct profiles: Domain Profile (corporate networks), Private Profile (home networks), and Public Profile (Wi-Fi hot spots). Under each profile there are different icons followed by some legalese: for example, a "blocked" icon (the Not symbol in red) appears next to the sentence "Inbound connections that do not match a rule are blocked," and a "good" icon (a white check mark in a green circle) appears next to the sentence "Outbound connections that do not match a rule are allowed."
It's confusing, so let's break it apart further. Basically, unless a rule allows them, inbound connections from the Internet to your computer are blocked, which is what you want: protection from malware. Thus, the blocked icon here makes sense. But outbound connections (those starting within your computer and going out to the Internet) are allowed except when excepted, and here Microsoft uses the good icon. This is not good.
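The "allowed except when excepted" default described above can be checked from the command line rather than by reading icons. The following PowerShell script is an added example, not code from the original column or from Microsoft; it wraps netsh advfirewall (the command-line front end to the same Windows Firewall with Advanced Security that ships in Vista), reports the default inbound/outbound policy for each of the three profiles, and lists any enabled outbound rules whose action is Block. The regular expressions assume English-language netsh output and are an assumption of this example; run it from an elevated (Continue-through-UAC) prompt.

```powershell
# Added example (not from the original column or from Microsoft): audit the
# Windows Firewall's default policy and its outbound block rules via netsh.
# Assumes English netsh output and an elevated prompt.

function Get-FirewallDefaultPolicy {
    # "netsh advfirewall show allprofiles" prints a block per profile headed
    # "<Name> Profile Settings:" containing a line such as
    # "Firewall Policy    BlockInbound,AllowOutbound".
    $lines = netsh advfirewall show allprofiles
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            [pscustomobject]@{
                Profile  = $current
                Inbound  = $Matches[1]   # BlockInbound or AllowInbound
                Outbound = $Matches[2]   # AllowOutbound or BlockOutbound
            }
        }
    }
}

function Get-OutboundBlockRules {
    # Each rule is printed as a block that starts with "Rule Name:" and carries
    # "Enabled:" and "Action:" lines. Return the names of enabled Block rules.
    $text   = (netsh advfirewall firewall show rule name=all dir=out) -join "`n"
    $blocks = $text -split '(?m)^Rule Name:\s*' | Where-Object { $_.Trim() }
    foreach ($block in $blocks) {
        $enabled = $block -match '(?m)^Enabled:\s+Yes'
        $blocks  = $block -match '(?m)^Action:\s+Block'
        if ($enabled -and $blocks) {
            ($block -split "`n")[0].Trim()   # first line is the rule name
        }
    }
}

$policy     = Get-FirewallDefaultPolicy
$blockRules = @(Get-OutboundBlockRules)

$policy | Format-Table -AutoSize
"Enabled outbound Block rules: $($blockRules.Count)"

foreach ($p in $policy) {
    # Default-allow outbound plus no Block rules means outbound filtering
    # never actually drops a connection for that profile.
    if ($p.Outbound -eq 'AllowOutbound' -and $blockRules.Count -eq 0) {
        Write-Warning ("{0} profile: outbound default is allow and no outbound " +
                       "block rules exist, so outbound filtering is a no-op." -f $p.Profile)
    }
}
```

On a stock installation the table shows BlockInbound,AllowOutbound for all three profiles and the block-rule count is zero, which is exactly the situation Symantec describes below: the outbound side is switched on but blocks nothing.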
Outbound protection is…where?
In an e-mail, Rowan Trollope, Vice President of Consumer Engineering at Symantec, offered this interpretation: "We have discovered that though Vista's outbound firewall is 'on' by default, all outbound connects that do not match a rule are allowed. In the default configuration, there are no outbound 'block' rules, only allow rules. In other words, even though [the Windows Firewall outbound protection is] on, it is not doing anything."
Microsoft shouldn't be surprised to see these comments about its firewall in print. I've been voicing my Windows Vista firewall concerns for more than a year, and before that, I was pestering the company about having only one-way firewall protection in Windows XP SP2.
Microsoft's defense
Matt Parretta, a former spokesperson for Microsoft's PR agency, Waggener Edstrom, offered this defense: "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network. After they upgrade to Windows Vista or purchase a new PC with that OS, they will be prompted on the first launch of every application that touches the network: Instant Messaging, IE, e-mail, Windows Media, iTunes, every self-updating app such as Adobe, and so on. Unless they click 'allow', the app will be broken and won't function properly. The out-of-box experience would be poor, and they would soon be desensitized to the prompts."
This is, I think, a weak defense, at best, of a flawed security implementation, considering that no other personal firewall on the market today behaves the way Microsoft describes above. Check Point ZoneAlarm keeps a database of known applications, as does Symantec, which goes the extra step in its Norton Internet Security 2007 by turning off all firewall alerts. You'd think Microsoft would have this ability as well. And that's why I think there's more to the story.
What's really happening under the hood
Microsoft derives most of its software income from its operating system, and most of that money comes from its volume licenses, its enterprise customers. Office software (Word, Excel, Access) is designed to share with various servers, such as SharePoint Server. This means Microsoft Office applications open various ports to allow outbound communications. Microsoft contends that other personal firewalls can interfere with those connections.
Microsoft hates customer support issues. The company would rather ship its products with as many features enabled as possible. In this case, having the outbound firewall allow just about everything suits Microsoft's enterprise customers best, and to hell with the home user trying to protect his or her credit card information. Using the Windows Firewall allows the corporate IT folks to create group policy rules specific to the applications in their corporate culture. That's where the "except when excepted" part comes in.
The downside?
Writing exceptions is fine, except if you are a solo home user with no idea what to block or even how to block it. Home users of Windows Vista are again paying the price for having a stripped-down operating system designed for a corporate enterprise running on their PC. Unless you are an IT administrator, or at least know where to look, you're unlikely to tweak the advanced firewall settings. (Update: Even if you are technically inclined, writes ZDNet Executive Editor David Berlind, finding out how the rules actually work can be a real pain. See David's image gallery for more details.) Having an open outbound connection means that once malware gets on your machine, it can send out your personal data or use your machine as part of a larger botnet, if not just relay spam through your machine. Microsoft says that inbound firewalls will keep such malware off your computer, as will changes to Internet Explorer 7, but we're already seeing vectors that have nothing to do with the Internet.
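For the reader who does know where to look, this is what "writing exceptions" actually amounts to. The script below is an added example, not code from the original column or from Microsoft: it flips the Private profile's default outbound action from allow to block (the corporate group-policy approach, done locally with netsh advfirewall), adds explicit outbound allow rules for a short, constructed list of programs, and prints the resulting policy. The program paths and rule names are assumptions for illustration; the function that restores the default-allow behaviour is included so the change can be undone. Run it from an elevated prompt.

```powershell
# Added example (not from the original column or from Microsoft): make the
# Private profile default-deny for outbound traffic and write per-program
# allow exceptions with netsh advfirewall. Paths below are assumptions.

# Constructed allow list: programs that should still reach the Internet once
# unmatched outbound connections are blocked. Adjust to your own machine.
$allowedPrograms = @{
    'AllowOut-IE'          = 'C:\Program Files\Internet Explorer\iexplore.exe'
    'AllowOut-WindowsMail' = 'C:\Program Files\Windows Mail\WinMail.exe'
}

function Set-PrivateOutboundDefault {
    # $Action is 'allow' (Vista's shipping default) or 'block' (real outbound
    # filtering). Inbound stays blocked in both cases.
    param([ValidateSet('allow', 'block')][string]$Action)
    netsh advfirewall set privateprofile firewallpolicy "blockinbound,${Action}outbound" | Out-Null
}

function Add-OutboundAllowRules {
    # One outbound allow rule per program, scoped to the Private profile so
    # the Domain and Public profiles are left exactly as they were.
    param([hashtable]$Programs)
    foreach ($name in $Programs.Keys) {
        $path = $Programs[$name]
        if (-not (Test-Path $path)) {
            Write-Warning "Skipping $name`: $path not found"
            continue
        }
        netsh advfirewall firewall add rule name="$name" dir=out action=allow `
            program="$path" enable=yes profile=private | Out-Null
    }
}

function Remove-OutboundAllowRules {
    param([hashtable]$Programs)
    foreach ($name in $Programs.Keys) {
        netsh advfirewall firewall delete rule name="$name" | Out-Null
    }
}

function Show-PrivateOutboundPolicy {
    # Print only the "Firewall Policy" line for the Private profile, e.g.
    # "Firewall Policy    BlockInbound,BlockOutbound".
    netsh advfirewall show privateprofile | Where-Object { $_ -match '^Firewall Policy' }
}

# Harden: exceptions first, then switch the default, so allowed programs never
# lose connectivity during the change.
Add-OutboundAllowRules -Programs $allowedPrograms
Set-PrivateOutboundDefault -Action block
Show-PrivateOutboundPolicy

# To return to Vista's shipping behaviour, reverse the two steps:
#   Set-PrivateOutboundDefault -Action allow
#   Remove-OutboundAllowRules -Programs $allowedPrograms
```

Anything not covered by an allow rule (including the malware scenario above, a program phoning home from a machine on the Private profile) is now dropped silently; there is no prompt, which is the trade-off Microsoft's spokesperson describes. Windows' own built-in outbound rules, such as the Core Networking group, remain in place, so basic services keep working, but each further application has to be added by hand, which is precisely the burden a home user is unlikely to take on.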
Just this week, the satellite navigation company TomTom revealed that some of its GPS units included computer viruses, and late last year, Apple admitted that some iPods shipped with viruses as well; the viruses don't harm the gadget directly, they wait until you sync them with your PC. And it's possible to pick up a virus (or rootkit) from a simple CD or DVD or a trade show USB drive. So I want firewall protection for what's both coming and going; I want a real firewall. My recommendation remains ZoneAlarm, but really, just about any Internet Security suite on the market will protect you better than Microsoft's will.
Are you using the Windows firewall right now? Yes? No? Not sure? Talk back to me.