SP2's firewall is not good enough


COMMENT

Now that Microsoft has released Windows XP Service Pack 2 (SP2) to manufacturing, the update that some have nicknamed "Security Pack 2", together with recent rumblings from Microsoft, is turning the spotlight on the personal firewall and antivirus sectors.

For starters, after installing SP2, users of XP will notice a new security dashboard in the Windows Control Panel, the Security Centre. This simple status report on the system's defences answers three basic questions: is a firewall turned on, is an antivirus product turned on and using the most recent signature file, and has the operating system received all available critical updates?

Today, Windows tells us that critical updates are waiting to be downloaded through an indicator that pops up from the system tray, or after a "scan for updates" when Windows Update is invoked manually. Until SP2, there was no single place to get an easily scannable status report on a system's readiness to deal with the most prevalent threats. Barring a known compatibility problem between SP2 and your company's computing infrastructure (such as the one reported at IBM), this feature alone makes SP2 worth the upgrade.

The security dashboard is less an innovation than a reuse of an existing Windows API, Windows Management Instrumentation (WMI). During a video interview, Microsoft spokesperson Greg Sullivan said that "WMI is used mostly by IT managers to enforce policies broadly across their domains." As it turns out, the API is flexible enough to interrogate the status of firewall and antivirus products too, provided the developers of those products support that sort of WMI-based interrogation.

Knowing that third-party vendors of personal firewalls such as Zone Labs and Sygate may need some time to support the interface, Microsoft jury-rigged a connection between the Security Centre and most of the popular third-party security products -- a sign of the lengths to which Microsoft will go to deputise customers in the battle against hackers.

Quietly, however, even before SP2 had officially shipped, Zone Labs became one of the first to jump on the WMI bandwagon. Within the past few days, the company issued WMI-compatible updates to the freely downloadable ZoneAlarm personal firewall, ZoneAlarm Pro (the paid version) and ZoneAlarm Security Suite (which includes antivirus technology licensed from Computer Associates). If you're running any of those products and the product hasn't already notified you of the update's availability, you should be able to get the update from Zone Labs' site. Though I haven't checked with every firewall vendor, Sygate product manager Elisha Riedlinger told me that Sygate expects to have WMI support in its firewall sometime in the fourth quarter.

According to Zone Labs' vice president of business development Fred Felman: "Our update accomplishes two things. First, our firewalls and antivirus solutions can now report their status to SP2's Security Centre. [Also,] we can turn off the Windows Firewall when we are installed and we turn it back on if we're uninstalled."
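The status the Security Centre displays, and the switch Zone Labs describes, can both be reached from a script. The following is an added example, not code from the article, from Microsoft or from Zone Labs. It assumes Windows XP SP2 or later with PowerShell 2.0 installed (PowerShell post-dates SP2), a third-party product that has registered itself in the root\SecurityCenter WMI namespace that the Security Centre reads, and the HNetCfg.FwMgr COM object that exposes the Windows Firewall's own settings. The function and variable names are my own.

```powershell
# Added example; not code from the article, Microsoft or Zone Labs.
# Assumptions: XP SP2 or later, PowerShell 2.0, a third-party product registered
# in root\SecurityCenter, and the HNetCfg.FwMgr (INetFwMgr) COM object.

function Get-SecurityCentreStatus {
    # Third-party firewalls and antivirus products that support the interface
    # publish one instance each of these two WMI classes.
    $fw = Get-WmiObject -Namespace 'root\SecurityCenter' -Class 'FirewallProduct' -ErrorAction SilentlyContinue
    $av = Get-WmiObject -Namespace 'root\SecurityCenter' -Class 'AntiVirusProduct' -ErrorAction SilentlyContinue

    # The built-in Windows Firewall is read (and switched) through COM, not WMI.
    $mgr     = New-Object -ComObject 'HNetCfg.FwMgr'
    $profile = $mgr.LocalPolicy.CurrentProfile

    $thirdPartyFw = @($fw | ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.displayName
            Company = $_.companyName
            Enabled = [bool]$_.enabled
        }
    })
    $antivirus = @($av | ForEach-Object {
        New-Object PSObject -Property @{
            Name     = $_.displayName
            OnAccess = [bool]$_.onAccessScanningEnabled
            UpToDate = [bool]$_.productUptoDate
        }
    })

    New-Object PSObject -Property @{
        WindowsFirewallEnabled = [bool]$profile.FirewallEnabled
        ExceptionsAllowed      = -not [bool]$profile.ExceptionsNotAllowed
        AuthorizedPrograms     = @($profile.AuthorizedApplications | ForEach-Object { $_.ProcessImageFileName })
        ThirdPartyFirewalls    = $thirdPartyFw
        AntiVirusProducts      = $antivirus
    }
}

function Test-FirewallCoverage {
    # The check to make before trusting the dashboard: exactly one firewall
    # should be on. Two means double filtering; none means the host is open.
    $s = Get-SecurityCentreStatus
    $active = @($s.ThirdPartyFirewalls | Where-Object { $_.Enabled }).Count
    if ($s.WindowsFirewallEnabled) { $active++ }
    switch ($active) {
        0       { 'NO firewall enabled' }
        1       { 'OK: one firewall enabled' }
        default { 'WARNING: more than one firewall enabled' }
    }
}

function Set-WindowsFirewallEnabled([bool]$Enabled) {
    # The switch a third-party firewall's installer flips when it takes over
    # (and its uninstaller flips back). Requires an administrative account.
    $mgr = New-Object -ComObject 'HNetCfg.FwMgr'
    $mgr.LocalPolicy.CurrentProfile.FirewallEnabled = $Enabled
}

Get-SecurityCentreStatus | Format-List
Test-FirewallCoverage
```

Run it as an administrator; the COM object refuses writes, and some reads, to a limited user. The root\SecurityCenter classes are the XP SP2 shape; on Windows Vista and later the namespace is root\SecurityCenter2 and the enabled/up-to-date flags are packed into a single productState field, so the property names above would need changing there.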

This is the way Microsoft would want it to be. According to Microsoft's Sullivan, only 10 percent of Windows users have a personal firewall on their systems. In the interview, he said Microsoft had to ask itself: "What can we do to make sure that this system right out of the box is as rock solid as we can make it, so that the user doesn't have to do anything?" At least part of the answer for Microsoft was to improve the firewall built into Windows and turn it on by default -- which is exactly what SP2 does with the Windows Firewall once it's installed. As I've posited before, improvements to the Windows Firewall are a controversial issue, and the flames are being fanned by recent revelations that another answer to Sullivan's "What can we do?" may be "a Microsoft antivirus product".

Talkback

SP2 Firewall doesn't block outbound traffic? Did you even TRY Windows Firewall out at all or were you just guessing?

I installed SP2, I uninstalled ZoneAlarm and tested Windows Firewall out with three programs: Kazaa Lite, Poser 4 and Agent. It blocked ALL three successfully and prompted me as to whether I wanted them unblocked.

The next time you write an article about something, how about actually TRYING the software out before you bash it. I've never been a huge fan of Microsoft's software, but I do like to be fair and so far SP2 has been really excellent and has given me a choice every step of the way as to what software I want. In fact, when I first installed SP2, I had ZoneAlarm (free version) running, SP2 detected this and it automatically DISABLED Windows Firewall. I thought this was very nice.

I'll know better than to trust any software reviews on this website again.

via Facebook 15 August, 2004 03:21
Reply

I don't like this kind of criticism. You should know that this is their effort to help users stay away from viruses and worms while watching their back for anti-trust laws. You can ask yourself why they don't make a super-functional Firewall or Antivirus. They simply can't do that because of the anti-trust law. If they really made a super good one and gave it out to users for free, a lot of companies would sue them (Symantec, McAfee, ...). You should understand that before writing.

I think it is good and enough for normal users.

via Facebook 17 August, 2004 22:29
Reply

Neil Roy wrote:
SP2 Firewall doesn't block outbound traffic? Did you even TRY Windows Firewall out at all or were you just guessing?
I installed SP2, I uninstalled ZoneAlarm and tested Windows Firewall out with three programs: Kazaa Lite, Poser 4 and Agent. It blocked ALL three successfully and prompted me as to whether I wanted them unblocked.

This is interesting but I don't know the program you used. I would like to try this for myself. How did these programs generate outbound traffic?

via Facebook 26 August, 2004 12:52
Reply

I think the warning displayed by the SP2 firewall was talking about the applications accepting INBOUND data, and asking if you want it to block the inbound ports.

Generally, I think MS is in a no-win situation. They bring in a free firewall that's bound to break things without the proper configuration, and they get slammed for breaking things. They don't have a firewall, and they get slammed for 'allowing' your PC to be hacked!

You've got to applaud MS for taking this step when they know the flak it will generate.

via Facebook 28 August, 2004 09:05
Reply

Hey Neil, open mouth, insert both feet.
Before jumping all over someone, you really should make sure that you've got your facts straight. As the author of the article wrote, the Windows Firewall does _not_ block outbound traffic. You obviously didn't read the message that the firewall threw up for you. It was telling you that an application was trying to listen to an inbound port and was giving you the chance to let it listen or block it from listening. Not even close to blocking outbound traffic.
This is a direct quote from one of the Microsoft docs on SP2:

"Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic."

Try to get your facts straight. Where do you work so I know to avoid the place?

via Facebook 5 September, 2004 10:25
Reply
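The Microsoft passage quoted in the comment above describes four cases: outgoing traffic passes, inbound replies to it pass because the firewall remembers the flow, inbound traffic to an excepted port passes, and everything else inbound is dropped. The following toy model, added here and not code from the article or from Microsoft, runs that policy over a constructed packet trace so the difference from an outbound-filtering firewall such as ZoneAlarm is visible. It is a model of the documented behaviour, not the Windows Firewall's own logic, and it omits the ICMP special case; the packet fields, addresses and function names are my own.

```powershell
# Added example; a model of the quoted SP2 Windows Firewall policy, not its code.
# Assumptions: constructed trace, RFC 5737 documentation addresses, ICMP ignored.

function New-Packet([string]$Direction, [string]$Proto, [string]$Remote, [int]$RemotePort, [int]$LocalPort) {
    New-Object PSObject -Property @{
        Direction = $Direction; Proto = $Proto; Remote = $Remote
        RemotePort = $RemotePort; LocalPort = $LocalPort
    }
}

function Invoke-StatefulFilter([object[]]$Trace, [int[]]$ExceptedPorts) {
    $state     = @{}   # flows this host opened itself, keyed "proto local remote:rport"
    $decisions = @()
    foreach ($p in $Trace) {
        $key = '{0} {1} {2}:{3}' -f $p.Proto, $p.LocalPort, $p.Remote, $p.RemotePort
        if ($p.Direction -eq 'out') {
            # Outgoing traffic is passed whatever process sent it (the point of
            # the article's title); remember the flow so the reply is "solicited".
            $state[$key] = $true
            $verdict = 'PASS (outbound, never filtered)'
        } elseif ($state.ContainsKey($key)) {
            $verdict = 'PASS (solicited: reply to our own traffic)'
        } elseif ($ExceptedPorts -contains $p.LocalPort) {
            $verdict = 'PASS (excepted: port on the exceptions list)'
        } else {
            $verdict = 'DROP (unsolicited inbound)'
        }
        $decisions += New-Object PSObject -Property @{
            Direction = $p.Direction; Packet = $key; Verdict = $verdict
        }
    }
    $decisions
}

# Constructed trace: a browser fetch and its reply, a worm probe at port 445,
# a Remote Desktop connection to an excepted port, and a spyware-style upload
# that an outbound-filtering firewall would prompt on but this policy lets through.
$trace = @(
    (New-Packet 'out' 'TCP' '203.0.113.10' 80    3001),
    (New-Packet 'in'  'TCP' '203.0.113.10' 80    3001),
    (New-Packet 'in'  'TCP' '198.51.100.7' 1234  445),
    (New-Packet 'in'  'TCP' '198.51.100.8' 40000 3389),
    (New-Packet 'out' 'TCP' '192.0.2.99'   6667  3002)
)

Invoke-StatefulFilter -Trace $trace -ExceptedPorts @(3389) |
    Format-Table Direction, Packet, Verdict -AutoSize
```

The last line of the trace is the one a "leak test" exercises: the model passes it without a prompt, exactly as the quoted documentation says, because the policy has no per-program outbound rule to consult. Adding such a rule (a table of programs allowed to originate connections, checked before the outbound branch) is the difference the comments below are arguing about.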

Hi Mr. Berlind,

I enjoyed the article you wrote. I am learning more and more about firewalls as I go. Do Norton and Symantec have cloaking capabilities? If not, which ZoneAlarm product does? Does ZoneAlarm work and is it compatible with Norton? Or do I have to eliminate Norton first before I buy ZoneAlarm to install? Thanks. I'm interested in complete cloaking here.

via Facebook 8 November, 2004 22:00
Reply

ZoneAlarm has what you would call 'cloak mode' .. Zone Labs call it 'stealth mode'. Nice feature. It's in the free version.

ZoneAlarm's stealth mode is imperfect: it makes DNS lookups on the IPs of incoming probes. A sophisticated attacker could get access to these DNS packets and determine from them that your computer exists. Zone Labs do not provide a way to provide feedback directly to them about their free product -- only via forums, and the non-employee zealots there deny that this is even a problem -- so I am stumped how to log this as a bug with them.

ZoneAlarm is compatible with Norton AntiVirus. ZoneAlarm actually keeps an eye on AntiVirus's definitions file and warns you if you don't have the latest definitions.

In case I misunderstood your question, I guess ZoneAlarm is INcompatible with Norton Personal Firewall (NPF). I tried NPF, though, and found it considerably lacking compared to ZoneAlarm.

While I write this, I would like to thank Joe Smith for his comment on this topic. Neil Roy's unsubstantiated comment threw into doubt for me whether SP2's firewall blocks outgoing traffic or not, even though David Berlind is quite clear that it doesn't. I am keen to learn what exactly SP2's firewall does before deploying it on clients' computers. I think I am clear now: SP2: no outbound blocking; ZoneAlarm: outbound blocking.

via Facebook 10 December, 2004 07:28
Reply

Well, gentlemen. All I can say is simply this: every computer I have installed SP2 on has been jacked since I've taken this move. I have known for many years that Windows itself is just a poorly made rip-off and a bunch of third-party software bundled together that hasn't cost Bill Gates even remotely close to what he has made off Microsoft. With the Windows Firewall and even the Disk Defragmenter, in which case it's actually a stripped-down version of Diskeeper, made by Executive Software. Bottom line is, when and if I do actually buy a Microsoft product, I expect it to be the best it could possibly be. I have been let down more than once on Microsoft and, for the money the corporation has, we all should expect BMW or Lamborghini class systems but always seem to be let down when we get Renault Fuego or Chevy Chevette quality.

via Facebook 26 December, 2004 06:29
Reply

Commenting on the first user comment,
"I installed SP2, I uninstalled ZoneAlarm and tested Windows Firewall out with three programs: Kazaa Lite, Poser 4 and Agent. It blocked ALL three successfully and prompted me as to whether I wanted them unblocked."

I beg to differ. I went to play an Internet game (Command & Conquer Renegade) and was expecting to see the Windows Firewall ask if I wanted to let it access the Internet. However, despite using an anti-cheat patch with the game (RenGuard), which also needed the Internet, it did not ask if I wanted to let this pass. After 2 hours of playing I noticed Windows Firewall had asked me whether I wanted to unblock Renegade to play, but I managed to play 2 hours on Renegade (before I was disconnected by my ISP) despite the dialogue coming up to ask whether I wanted to 'unblock' it.
After this event, I wouldn't trust Windows Firewall with a bag of peanuts anymore, not that I ever did. I always had my doubts about Windows Firewall, and it's just a good thing I had ZoneAlarm working, otherwise I could have been in big trouble.

via Facebook 28 December, 2004 20:20
Reply

Am I to understand that if you have Zone Alarm installed, that the Windows XP SP2, like a gentleman, just lets ZA do the job?

via Facebook 28 January, 2005 22:24
Reply

First, I'm not an expert at all. But I would recommend the AlphaShield hardware firewall. It does not need upgrading, it does not slow down your connection, it closes/stealths all 65535 ports on your computer, your IP is hidden except to the site you're visiting, others won't know you're on the net, the firewall itself cannot be screwed around with as with some software firewalls, and if you're really paranoid it will also work with a software firewall of your choice with no problems at all. If you're interested in some high-tech, no-nonsense, hard-to-calibrate firewall, take a look at the AlphaShield.
Worth every damn currency.

On the sideline I would like to suggest also a terrific piece of software called Norman Antivirus. It's got a special Sandbox technology that's out of this world.

Hope any of you guys out there can use this.
Regards.

Van Hoof

P.S. alphashield.com - Norman.com

via Facebook 10 February, 2005 23:01
Reply

Neil Roy wrote: "In fact, when I first installed SP2, I had ZoneAlarm (free version) running, SP2 detected this and it automatically DISABLED Windows Firewall. I thought this was very nice."

This is not a feature of Windows but a feature of ZoneAlarm itself. Zone Labs coded their application against the Windows WMI API to automatically turn off the Windows Firewall and to turn it back on if ZoneAlarm gets uninstalled. If you think that MS did that you are sadly mistaken.

As for the notion that MS is in a no-win situation: if they did not try to bundle everything into the OS and had proper methodologies in place for their software engineering, they would not be having all the problems with security in the first place. They would not have had to hastily put together this version of their firewall. Admittedly, since the Trusted Computing effort MS has gotten better in their software, but they have not released too many full version upgrades to most of their software yet. After that has happened, we will really see how well the Trusted Computing initiative has worked.

via Facebook 31 March, 2005 07:06
Reply

Windows "Firewall" failed several leak tests which I imposed; even the age-old grc.com test.

The only thing Windows Firewall does do is make you appear invisible on the Internet [stealth mode]. It doesn't, however, block all outgoing traffic, only traffic it deems to be bad or threat-worthy, and even then it just blocked it anyway, without your consent. As a sort of ironic twist, it even tried to block Internet Explorer from going on the network.

If you want a Firewall which allows you, the user, to decide whether or not a programme should be connected to the Internet [which should be none, really, apart from Internet browsers] then choose a good quality Firewall, like ZoneAlarm.

But if you're an ignorant computer user with little knowledge and feel that Window's Firewall is okay, then use it.

via Facebook 6 April, 2005 15:50
Reply
