SP2's firewall is not good enough


Microsoft's entry into either the personal firewall or antivirus markets -- with minimally acceptable protection that could allow users to forgo third-party products -- could spell doom for scores of products and the one-trick pony vendors behind some of them.

But Zone Labs' Felman insists that while Microsoft can throw all the resources it wants at improving its firewall or developing a new product from the ground up, the software giant's offerings will still be light years behind those of dedicated security vendors. Felman says that smaller, nimbler companies like Zone Labs can respond much faster to the market. Zone Labs' pre-SP2 launch of WMI support is certainly evidence of that conviction.

The new Windows Firewall offers more evidence that Felman may be right. Ten percent of Windows users may be running a personal firewall. And though that number may go up after SP2 and its default-to-on firewall penetrates the market, the Windows Firewall falls so far short of what a world-class personal firewall should be capable of that those relying on it (and those whose Security Centres show a firewall as being "on") may be lulled into a false sense of security. For the 90 percent of Windows users not running a personal firewall, the new and improved firewall in SP2 may be better than nothing, but it's just not good enough. I, for one, would never rely on it.

As I've reported before, the Windows Firewall lacks outbound blocking, a staple of most third-party personal firewall products and, I believe, an absolute requirement. Inbound blocking -- something which all firewalls (including Microsoft's new one) do -- is what keeps illegitimate traffic from entering systems and networks through networking channels known as ports. But what inbound blocking doesn't do is keep a malicious payload from piggybacking on legitimate traffic such as email or Web traffic going to Outlook or Internet Explorer.

Once a malicious payload gets in, the job of stopping it shifts from the inbound firewall to something internal to your network or workstation -- like your antivirus or anti-spyware software. But, in the cat-and-mouse game of security solution developers vs. hackers, there are some pretty clever mice. And, as was demonstrated by at least one recent exploit of a vulnerability in Internet Explorer, there are certain exploits that anti-anything (virus, spyware, pop-ups, etc.) products are powerless against. What's your last line of defence to keep one of these exploits from phoning home? Outbound blocking -- a feature that the Windows Firewall lacks.

As Zone Labs' implementation of SP2 compatibility demonstrates, the absence of outbound blocking isn't the only significant vulnerability in the Windows Firewall. Should a third-party firewall like Zone Alarm get uninstalled, Microsoft would obviously want the Windows Firewall to be turned back on. But Zone Labs' Felman says that as easy as it was for his company to programmatically turn the firewall back on, it can also turn it off as long as the user is logged in with administrative rights (which most Windows XP users are). In light of that, Felman poses the rhetorical question, "If we can turn it off, then why can't the hackers?" In addition, Felman notes that third-party software providers can programmatically make additions to the inbound blocking exception list.

Microsoft officials have repeatedly downplayed the significance of the outbound blocking feature's absence, arguing that once malicious code is on a system, it's a game-over situation anyway. This would be true in Microsoft's case even if the Windows Firewall had outbound blocking, because the firewall can be programmatically turned off. But Felman claims that more can be done and points to Zone Labs' "Total Lockdown" technology as evidence not only of how much further Microsoft must go to bring its firewall up to snuff, but how innovative security suite providers like Zone Labs might be able to stay steps ahead of Microsoft's ever-evolving security solutions.

Felman described Total Lockdown as a technology that prevents programmatic disabling of Zone Labs' firewall. "You can use commands at the Windows command prompt, such as NET STOP, to shut down our user interface," said Felman. "But, if the UI is disabled, our driver goes into a lockup mode, which makes it impossible for the rules that were set while the UI was active to be changed. Any in- or outbound network activity that isn't explicitly allowed by the pre-existing rules is blocked. Basically, there's no way to disable it unless you reboot the machine and uninstall the software."

Are the third party products from Zone Labs, Sygate and others as good as they can be?

Hardly. For example, there's still a glaring absence of actionable information when a personal firewall catches a software component trying to access the network for the first time. When this happens, firewalls generally ask the user if the behaviour should be allowed. But the information provided is often too cryptic for mere mortals to tell if it should be allowed or not. Just today, after running Windows Update on my system, Sygate Personal Firewall Pro detected that a component of the operating system was physically changed. But, what was missing was something that told the firewall that the change happened as a result of a legitimate update. When I was asked to approve or disapprove, I had no idea what to do.

Something similar started happening as a result of the latest Windows Update -- the one that finally addresses the Download.Ject vulnerability with a patch rather than a configuration change. Now, Internet Explorer double-checks with the user before it engages in any cross-domain activity. But the prompt to allow it or disallow it offers no clues as to whether the behaviour is normal for the site you're visiting.

Yet another feature missing from firewalls is an easy way to whitelist and blacklist our browsers from reaching certain domains. It can be done, but you have to be a rocket scientist to do it. What would be better is a prompt so that every time our browsers try to reach a new domain on the Internet, it says, "Hey, I've never been here before, should we whitelist this site?" This offers a measure of comfort in knowing that some malware isn't going to come in, hijack my browser, and send some confidential information via the Web to a Russian organised crime site -- a transmission that would otherwise be allowed if all I did was tell my firewall that my browser is allowed to go out to the Internet (which is the level of granularity that most personal firewalls are configured to operate from).
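The contrast the article draws, inbound-only stateful filtering versus per-program outbound rules with the "new domain" prompt wished for above, modelled as an added example (not code from the article, Microsoft or Zone Labs); the firewall classes, packet fields, verdict strings and host names are assumptions constructed for the illustration:

```python
# Added illustration: two host-firewall policies decided over constructed packets.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out"
    program: str      # local process owning the socket ("" for a bare probe)
    remote: str       # remote host name (constructed sample value)
    remote_port: int
    local_port: int


@dataclass
class Sp2Firewall:
    """Stateful inbound-only policy: drop unsolicited inbound traffic unless it
    answers a request this host sent or hits the exception list; outbound
    traffic is never inspected, so any program may phone home."""
    exceptions: set = field(default_factory=set)  # local ports open to unsolicited inbound
    state: set = field(default_factory=set)       # flows opened by this host

    def decide(self, p: Packet) -> str:
        flow = (p.remote, p.remote_port, p.local_port)
        if p.direction == "out":
            self.state.add(flow)
            return "allow"
        if flow in self.state:
            return "allow"        # solicited: reply to our own request
        if p.local_port in self.exceptions:
            return "allow"        # excepted: an entry on the exception list
        return "drop"


@dataclass
class OutboundBlockingFirewall(Sp2Firewall):
    """Same inbound policy plus per-program outbound rules and a per-program
    list of permitted remote hosts; unknown programs or new hosts are prompted."""
    program_rules: dict = field(default_factory=dict)  # program -> "allow" | "deny"
    known_hosts: dict = field(default_factory=dict)    # program -> set of permitted hosts

    def decide(self, p: Packet) -> str:
        if p.direction != "out":
            return super().decide(p)
        rule = self.program_rules.get(p.program)
        if rule is None:
            return "prompt"       # first network use by this program: ask the user
        if rule == "deny":
            return "drop"
        hosts = self.known_hosts.get(p.program)
        if hosts is not None and p.remote not in hosts:
            return "prompt"       # a host this program has never contacted before
        return super().decide(p)  # records the flow so the reply counts as solicited


def phone_home(fw: Sp2Firewall) -> list:
    """A payload rides in on a legitimate browser response, then calls home.
    Returns the verdict for each of the three constructed packets."""
    steps = [
        Packet("out", "iexplore.exe", "news.example", 80, 3001),   # browser request
        Packet("in", "iexplore.exe", "news.example", 80, 3001),    # reply carrying the payload
        Packet("out", "payload.exe", "c2.example", 443, 3002),     # payload phoning home
    ]
    return [fw.decide(p) for p in steps]


def unsolicited_probe(fw: Sp2Firewall) -> str:
    """A bare inbound probe to a port nothing on this host asked for."""
    return fw.decide(Packet("in", "", "scanner.example", 40000, 135))
```

Under the inbound-only policy the third packet is waved through, which is the "phoning home" the article says only outbound blocking can catch.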

Indeed, as Felman says, with so much work to be done on personal firewall technology, the dedicated vendors may indeed stay ahead of Microsoft. But, should Microsoft go out and buy a big security provider (as it is rumoured to be looking for), the entire game will change.

Talkback

SP2 Firewall doesn't block outbound traffic? Did you even TRY Windows Firewall out at all or were you just guessing?

I installed SP2, I uninstalled ZoneAlarm and tested Windows Firewall out with three programs. Kazaa Lite, Poser 4 and Agent. It blocked ALL three successfully and prompted me as to whether I wanted them unblocked.

The next time you write an article about something, how about actually TRYING the software out before you bash it. I've never been a huge fan of Microsoft's software, but I do like to be fair and so far SP2 has been really excellent and has given me a choice every step of the way as to what software I want. In fact, when I first installed SP2, I had ZoneAlarm (free version) running, SP2 detected this and it automatically DISABLED Windows Firewall. I thought this was very nice.

I'll know better than to trust any software reviews on this website again.

via Facebook 15 August, 2004 03:21

I don't like this kind of criticism. You should know that it is their effort to help users stay away from viruses and worms while watching their back for anti-trust laws. You can wonder yourself why they don't make a super-function firewall or antivirus. They simply can't do that due to the anti-trust law. If they really made a super good one for free to give out to users, a lot of companies would sue them (Symantec, McAfee, ...). You should understand that before writing.

I think it is good and enough for normal users.

via Facebook 17 August, 2004 22:29

Neil Roy wrote:
SP2 Firewall doesn't block outbound traffic? Did you even TRY Windows Firewall out at all or were you just guessing?
I installed SP2, I uninstalled ZoneAlarm and tested Windows Firewall out with three programs. Kazaa Lite, Poser 4 and Agent. It blocked ALL three successfully and prompted me as to whether I wanted them unblocked.

This is interesting but I don't know the program you used. I would like to try this for myself. How did these programs generate outbound traffic?

via Facebook 26 August, 2004 12:52

I think the warning displayed by the SP2 firewall was talking about the applications accepting INBOUND data, and asking if you want it to block the inbound ports.

Generally, I think MS is in a no-win situation. They bring in a free firewall that's bound to break things without the proper configuration, and they get slammed for breaking things. They don't have a firewall, and they get slammed for 'allowing' your PC to be hacked!

You've got to applaud MS for taking this step when they know the flak it will generate.

via Facebook 28 August, 2004 09:05

Hey Neil, open mouth, insert both feet.
Before jumping all over someone, you really should make sure that you've got your facts straight. As the author of the article wrote, the Windows Firewall does _not_ block outbound traffic. You obviously didn't read the message that the firewall threw up for you. It was telling you that an application was trying to listen to an inbound port and was giving you the chance to let it listen or block it from listening. Not even close to blocking outbound traffic.
This is a direct quote from one of the Microsoft docs on SP2:

"Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic."

Try to get your facts straight. Where do you work so I know to avoid the place?

via Facebook 5 September, 2004 10:25

Hi Mr. Berlind,

I enjoyed the article you wrote. I am learning more and more about firewalls as I go. Do Norton and Symantec have cloaking capabilities? If not, which ZoneAlarm product does? Does ZoneAlarm work and is it compatible with Norton? Or do I have to eliminate Norton first before I buy ZoneAlarm to install? Thanks. I'm interested in complete cloaking here.

via Facebook 8 November, 2004 22:00

ZoneAlarm has what you would call 'cloak mode'; Zone Labs call it 'stealth mode'. Nice feature. It's in the free version.

ZoneAlarm's stealth mode is imperfect: it makes DNS lookups on the IPs of incoming probes. A sophisticated attacker could get access to these DNS packets and determine from them that your computer exists. Zone Labs do not provide a way to provide feedback directly to them about their free product -- only via forums, and the non-employee zealots there deny that this is even a problem -- so I am stumped how to log this as a bug with them.

ZoneAlarm is compatible with Norton AntiVirus. ZoneAlarm actually keeps an eye on AntiVirus's definitions file and warns you if you don't have the latest definitions.

In case I misunderstood your question, I guess ZoneAlarm is INcompatible with Norton Personal Firewall (NPF). I tried NPF, though, and found it considerably lacking compared to ZoneAlarm.

While I write this, I would like to thank Joe Smith for his comment on this topic. Neil Roy's unsubstantiated comment threw into doubt for me whether SP2's firewall blocks outgoing traffic or not, even though David Berlind is quite clear that it doesn't. I am keen to learn what exactly SP2's firewall does before deploying it on clients' computers. I think I am clear now: SP2: no outbound blocking; ZoneAlarm: outbound blocking.

via Facebook 10 December, 2004 07:28

Well, gentlemen. All I can say is simply this: every computer I have installed SP2 on has been jacked since I've taken this move. I have known for many years that Windows itself is just a poorly made rip-off and a bunch of third-party software bundled together that hasn't cost Bill Gates even remotely close to what he has made off Microsoft. With the Windows Firewall and even the Disk Defragmenter, in which case it's actually a stripped-down version of Diskeeper, made by Executive Software. Bottom line is, when and if I do actually buy a Microsoft product, I expect it to be the best it could possibly be. I have been let down more than once on Microsoft, and for the money the corporation has, we all should expect BMW or Lamborghini quality class systems but always seem to be let down when we get Renault Fuego or Chevy Chevette quality.

via Facebook 26 December, 2004 06:29

Commenting on the first user comment,
"I installed SP2, I uninstalled ZoneAlarm and tested Windows Firewall out with three programs. Kazaa Lite, Poser 4 and Agent. It blocked ALL three successfully and prompted me as to whether I wanted them unblocked."

I beg to differ. I went to play an Internet game (Command & Conquer Renegade) and was expecting to see the Windows Firewall ask if I wanted to let it access the Internet. However, despite using an anti-cheat patch with the game (RenGuard) which also needed the Internet, it did not ask if I wanted to let this pass, and after 2 hours of playing I noticed Windows Firewall had asked me whether I wanted to unblock Renegade to play, but I managed to play 2 hours on Renegade (before I was disconnected by my ISP), despite the dialogue coming up to ask whether I wanted to 'unblock' it.
After this event, I wouldn't trust Windows Firewall with a bag of peanuts anymore, not that I ever did. I always had my doubts about Windows Firewall, and it's just a good thing I had Zone Alarm working, otherwise I could have been in big trouble.

via Facebook 28 December, 2004 20:20

Am I to understand that if you have Zone Alarm installed, that the Windows XP SP2, like a gentleman, just lets ZA do the job?

via Facebook 28 January, 2005 22:24

First, I'm not an expert at all. But I would recommend the AlphaShield hardware firewall. It does not need upgrading, it does not slow down your connection, it closes/stealths all 65535 ports on your computer, your IP is hidden except to the site you're visiting, others won't know you're on the net, the firewall itself cannot be screwed around with as with some software firewalls, and if you're really paranoid it will also work with a software firewall of your choice with no problems at all. If you're interested in some high-tech, no-nonsense, hard-to-calibrate firewall, take a look at the AlphaShield.
Worth every damn currency.

On the sideline I would like to suggest also a terrific piece of software called Norman Antivirus. It's got a special Sandbox technology that's out of this world.

Hope any of you guys out there can use this.
Regards.

Van Hoof

P.S. alphashield.com - Norman.com

via Facebook 10 February, 2005 23:01

Neil Roy wrote: "In fact, when I first installed SP2, I had ZoneAlarm (free version) running, SP2 detected this and it automatically DISABLED Windows Firewall. I thought this was very nice."

This is not a feature of Windows but a feature of ZoneAlarm itself. Zone Labs coded in their application to the Windows WMI API to automatically turn off the Windows Firewall and to turn it back on if ZoneAlarm gets uninstalled. If you think that MS did that you are sadly mistaken.

As for the notion that MS is in a no-win situation, if they did not try to bundle everything into the OS and had proper methodologies in place for their software engineering they would not be having all the problems with security in the first place. They would not have had to hastily put together this version of their firewall. Admittedly, since the Trusted Computing effort MS has gotten better in their software, but they have not released too many full version upgrades to most of their software yet. After that has happened, we will really see how well the Trusted Computing initiative has worked.

via Facebook 31 March, 2005 07:06

Windows "Firewall" failed several leak tests which I imposed; even the age-old grc.com test.

The only thing Windows Firewall does do is make you appear invisible on the Internet [stealth mode]. It doesn't, however, block all outgoing traffic, only traffic it deems to be bad or threat-worthy, and even then it just blocked it anyway, without your consent. As a sort of ironic twist, it even tried to block Internet Explorer from going on the network.

If you want a Firewall which allows you, the user, to decide whether or not a programme should be connected to the Internet [which should be none, really, apart from Internet browsers] then choose a good quality Firewall, like ZoneAlarm.

But if you're an ignorant computer user with little knowledge and feel that Windows Firewall is okay, then use it.

via Facebook 6 April, 2005 15:50
