Loading ...Is Windows Vista’s firewall crippled?
By Michael Pietroforte | 19 Comments | Permalink | Trackback | Previous | NextThere is an on going debate [1] [2] ever since Microsoft announced that outbound filtering in Windows Vista’s firewall will be turned off by default. Obviously, Microsoft again valued usability above security. Whereas I understand it in this context, I was a bit surprised how Microsoft staff justified this move.
Michael Kleef, for example, thinks that other security measures should be used to prevent malware from infecting the computer in the first place. He listed several new technologies of Windows Vista, like User Access Protection, Windows Defender and Sandbox of IE7, that should do the job.
I think, this is not a good argument. The more lines of defences you have, the better it is. If the malware manages to get around one defence line, there is still the next in line which stops the malicious program from causing more damage. So, enumerating other features of software to explain away a security weakness is not convincing.
A second argument, which was also put forward by Mitch Tulloch, is that outbound filtering is not important anyway since clever malware can simply use another open port like port 80 to connect to other computers in the network.
There is a big difference between personal firewalls and gateway firewalls. Good personal firewalls don’t just filter ports; they also allow you to specify which desktop applications can connect to the internet. This is very important in corporate networks. If a user starts an application which is infected by a virus or other malware from his USB stick, for example, it can’t infect other computers in the network even if it uses port 80 since the personal firewall will block this application. I wonder, if the firewall of Windows Visa has this feature?
In my view it only makes sense for the home edition of Windows Vista to disable outbound filtering by default. Usually, the configuration is too complicated and time consuming that most users would just turn off the firewall, anyway. This way usability does improve security since security software that is too complicated to handle will simply not be used. So the overall security of the internet wouldn’t be improved.
However, in a corporate environment outbound filtering is very useful even if there is gateway firewall. As network administrators can do the configuration, usability is not an issue here.
Leave a Comment | 
Subscribe RSS
| 
Newsletter
The conspiracy theory here is that MS simply doesn’t have time to finish up the enduser aspect of this to make it easy. MS is yanking out or cutting short on the features right and left to get Vista out quicker. This theory could very well be true due to the fact it really makes no sense why MS would not include an easy way to handle such a firewall. That and the fact that MS is struggling to get a stable version of Vista out there that will be still be compelling for consumers to buy.
It wouldn’t surprise me to see more much more appearing to be done halfassed once we get our hands on a finished copy of Vista.
Gack. Sorry about the bad formatting … 2nd try. I posted this on the Tilloch article too, and no, I’m not affiliated with Prevx).
You guys who call for outbound firewall protection baffle me.
First: by the time your outbound firewall kicks in, the malware is having its way with *your* computer, and you may be protecting others for a short while, but the malware will probably kill even that protection soon enough.
Second: in real life, outbound firewalls simply train most users to click YES on the ’should I let {X} software access the internet?’ message as soon as it pops up, without bothering to read it. For this class of user (the majority), the speedbump is terribly low.
If this kind of popupware is your idea of good protection, why not look at things like Prevx which not only stop the malware from dialing out - but also stop that same malware from diving in?
Jim, I think, it is almost impossible to create a user interface that makes outbound-firewall filtering easy to configure for end users. The problem, nowadays, are the countless applications that need to connect to the internet. Usually, it takes days to configure a personal firewall. Often, it is not clear for the average user which app wants to connect to the internet. In my view, it is simply too complicated for most users to configure outbound filtering.
Quux, I don’t agree with your first argument. Of course, no security software gives you a 100% guarantee, malware somehow manages to circumvent the protection. But if you take this argument seriously, then security tools are always useless.
I fully agree with your second point when it comes to outbound filtering configured by end users. However, in a corporate network, administrators have to know anyway which applications are allowed to connect to the internet.
Michael, think it through. The outbound firewall doesn’t prevent malware from executing … it just prevents said malware from connecting to any other computer.
Outbound firewalls basically always boil down to a list of that software which is allowed to connect outbound. My point is simply this: if you’re going to be making such a list, why not change it to that software which is allowed to execute - and protect yourself, as well as every other net connected computer in the world?
(please feel free to delete my badly formatted post @ 2:30 AM)
Quux, of course it is always better to prevent malware from being executed in the first place. There are tools which specialize on this, like antivirus software. My point is that these tools might fail to do their job at times. Thus, it is better to have another line of defence which, at least, helps to prevent malware from infecting other computers on your network or sending confidential information from your computer to its programmers. For example, your word processing program is allowed to execute, but usually it doesn’t have to connect to the internet. If a virus that is not recognized as such by your antivirus tool infects this program, your personal firewall can at least prevent the virus from causing further damage.
Not sure if we are saying the same thing in different ways, or if I have failed to make my point in a clear way.
By default, any executable that’s on your system is allowed to execute.
Prevx (and similar tools, there are a couple others that have the same theory of operation) is something I suggest as a better extra line of defense than an outbound firewall can be.
Instead of putting itself in front of the network stack and saying ‘only things on my list are allowed to access the network’ (in which case the virus can still wreak havoc locally to your system), a prexv-type ‘execution firewall’ it puts itself in front of the system and says ‘only things on my list are allowed to run at all’.
So. Same principle; deeper level of protection. You could run both a Prevx-type ‘execution firewall’ and an outbound firewall if you really wanted an extra moat. But since both are list based, if both had the same list, the outbound firewall would never see a single packet. Because the malware would never run. If I had a choice, ‘oubound firewall’ or ‘execution firewall’, I would clearly choose the ‘execution firewall’ since it protects both my system and all others. While the outbound firewall leaves me unprotected!
I think, the interesting question in our debate is, if there might be cases where your execution firewall allows the malware to run, but your network firewall doesn’t allow it to access the network. I think, I gave such an example. The point is that sometimes you simply don’t know, if a program is malware by just inspecting the executables or defining a list of programs which are allowed to execute. But if a program which is not supposed to connect to the internet suddenly shows this suspicious behaviour, you’d better stop it from proceeding. However, the program can only show this behaviour if you allow it to execute. So your execution firewall can’t find the malware by definition in this case. To sum it up: the list of the execution firewall might be different from the one of your network firewall.
Besides, there are cases when a program is not malware, but you don’t want it connected to the internet, for example, because it loads ads or sends information to the vendor. Your execution firewall is useless here.
I do see your point. Well spoken.
However, for most folks the test is
’do I trust the program?’
not
‘do I trust the program to network?’
For most users, the simpler choice is the better one. Especially as more and more software becomes dependent on network use, if for no other reason than to check for security updates at regular intervals!
You mentioned that a program would need to execute before we can see if it tries to start outbound networking. That’s true. But it’s also true that we’d have to let it establish that network connection, and then we’d have to sniff that connection, before we could determine whether there was some malicious intent. That’s still a task better suited to humans than to software. Luckily we have a lot of experienced humans on the job doing just that; which is why most outbound firewalls and execution firewalls have the ability to download big lists of ‘allowable’ and ’suspect’ programs from some (presumably trustworthy) source.
For those who wish to allow a program to run but not give it permission to network, I totally agree with you. An outbound firewall is what these folks need. I suspect a lot of these people are using their outbound firewall not for security purposes, but for privacy protection purposes. Or maybe as a way to escape licensing fees. I also suspect this class of user is by far the minority and that mainstream users would be better served by an ‘execution firewall’ than by the ability to selectively choose which programs can or cannot initiate outbound network sessions.
But hey, I’m just one (opinionated) guy!
Finally - what if one program had both execution firewalling and outbound net firewalling? Check out http://free.prevx.com for just that.
You are right, there are more and more programs that need network access, but there are also still many which don’t. I estimate that on my PC at least half of the programs I use don’t need network access. They are allowed to execute, but if they ever try to connect to the internet they will be automatically blocked, since there is a high chance that they might be infected by malware. Signature-based malware detection is useful, but sometimes heuristics does a better job. If notepad.exe suddenly needs networks access, something is wrong, even if the execution list gives a go.
The problem with applying the defense-in-depth principle to host-based outbound filtering is that if all the other defenses fail to prevent malware from being loaded on your machine, then the game is already up…your box is already compromised.
Given that, your outbound firewall will simply be shut off if the malware elevates itself to admin via exploit or if the user is already running as admin.
This is a fundamental and common misunderstanding…
The malware has to be prevented from getting onto your box in the first place, prevented from executing if it does, and then damage mitigated if it still manages to. The outbound firewall cannot help you if those 3 scenarios fail as the box is completely under the control of the malware already.
Andrew - well said. I agree 100%.
As previously mentioned, most of the people I’ve met who use outbound firewalls are really more interested in preventing software from ‘phoning home’ for privacy protection and/or to escape various licensing fees. Once they’ve gotten that far, they tend to defend their choice as a security measure.
But as you’ve shown, depending on the compromised system to protect other systems is, well, not clear thinking in my humble opinion.
@Andrew
„The problem with applying the defense-in-depth principle to host-based outbound filtering is that if all the other defenses fail to prevent malware from being loaded on your machine, then the game is already up…your box is already compromised.“
This is wrong for three reasons: First, the firewall may still prevent the malware from sending information to its masters. Second, the firewall might prevent the malware from compromising other systems on your network. Third, the alarm of the personal firewall could be a hint that your system has been compromised, which is very valuable information.
It is just a theoretical scenario that malware circumvents outbound filtering, once the system is compromised. The point is that in practice, malware has not always enough rights to shut down the firewall. Plus, malware is often not clever enough to circumvent outbound filtering. So, in some cases, outbound filtering of a personal firewall helps, and in some it doesn’t. Just like in some cases antivirus software helps against malware, and it some cases it doesn’t. You wouldn’t give up your antivirus software, would you?
It is just not enough to show that there are some cases where outbound filtering of a personal firewall is useless. You have to make me believe that there is no case where it is useful.
I will reply in-line below…
This is wrong for three reasons: First, the firewall may still prevent the malware from sending information to its masters.
(adidell - If the box is compromised, there is no way for the outbound firewall to do this, especially if the malware contains a rootkit. The malware can make the firewall also not alert you by intercepting the dialog box or by simply hijacking an existing session at the network layer.)
Second, the firewall might prevent the malware from compromising other systems on your network.
(adidell - For the same reasons above, this is not possible. For example, if you received an attachment in an email that contains an executable, and you are silly and don’t have current and updated AV software running on your system that could block code execution, at the exact moment your outbound firewall alerts you it is already too late…i.e. the code has already executed. While you have the potential to block the *initial* attempt by clicking "No"at the warning dialog box, just because you don’t see another box on your screen does not mean the malware has been prevented from traveling outbound and affecting other systems or "dialing home.")
Third, the alarm of the personal firewall could be a hint that your system has been compromised, which is very valuable information.
(adidell - In the absence of an AV product on the system, I agree with you 100% that the alert is important…but the underlying block may not prove effective once the malware is executed.)
It is just a theoretical scenario that malware circumvents outbound filtering, once the system is compromised.
(adidell - Actually, this is seen everyday by security support groups at many software firms. For NDA reasons, I cannot disclose any more. At a minimum, the malware hijacks an existing session and rides it out with no notification and makes no attempt to shut down the actual firewall.)
The point is that in practice, malware has not always enough rights to shut down the firewall.
(adidell - If the user is running as admin, it has all the rights it needs. If the user is running as non-admin but the malware has an escalation of priv exploit, it can obtain those rights.)
Plus, malware is often not clever enough to circumvent outbound filtering. So, in some cases, outbound filtering of a personal firewall helps, and in some it doesn’t. Just like in some cases antivirus software helps against malware, and it some cases it doesn’t. You wouldn’t give up your antivirus software, would you?
(adidell - AV is not analogous to this because AV attempts to prevent the execution of malware…outbound firewalls only attempts block traffic once the malware has executed.)
It is just not enough to show that there are some cases where outbound filtering of a personal firewall is useless. You have to make me believe that there is no case where it is useful.
(adidell - It is useful if your OS’s services architecture is integrated with the firewall’s monitoring capabilities, as in Vista and I’m sure in the future on other platforms. It could prevent poorly written malware from calling home if if doesn’t have any code to hijack existing connections. However, the trend in malware is that they are becoming incredibly sophisticated relative to malware less than a year old. So, while this may have been valuable in the past, its use in the future is diminishing.)
Andrew, I think, we only have to discuss the last point. If there are some cases where the Personal Firewall’s outbound filter prevents malware from causing further damage, then this would prove that outbound filtering is useful. I’ve already seen such cases, and I guess, I am not the only one. I just gave some examples above. Those were real scenarios not just theoretical considerations.
So, the question is, will this change in the near future? Of course, malware gets more and more sophisticated. This should not surprise us. We encounter more and more sophisticated viruses that can disable anti-virus software, and cause a lot of damage afterwards. Is this a reason to uninstall my anti-virus software? I guess, not. Vendors of anti-virus software improve their products too. This doesn’t mean that malware won’t succeed in fooling anti-virus software in the future. It is quite obvious that there will always be malware that is more sophisticated than the security software I use in my network.
But this is not the point. As long as my outbound filter helps against some malware out there, I will keep on using it, no matter how sophisticated malware will be in the future. I bet, the programmers of Personal Firewalls will get better, too.
I think, the problem is that security experts often think like hackers or malware writers. They think of ways to crack a certain system. If they think it is easy for them, then a security solution seems useless from their point of view. A sysadmin should think differently. If a security solution helps in some scenarios, it is already useful. In the end, it doesn’t matter how sophisticated the malware was that crashed my whole network.
Obviously, personal preference should be respected.
My main goal in this discussion has simply been to point out the basic weaknesses in the outbound firewall strategy. Certainly it can do some good - however, those who use it should be aware of these weaknesses so they have an accurate understanding of what they’re doing. Too many proponents of the outbound firewall appear to be unintentionally ignorant of these fundamental weaknesses.
quux, I fully agree on this with you.
I can’t believe people are seriously debating the value of outbound filtering. The “It’s too late if you are catching it at outbound” argument is insane. That is like saying that testing for STD’s is useless because if you test positive you already have the disease. In plenty of scenarios malware will be unable or unwilling to reconfigure the OS to avoid detection. That detection will then allow you to clean up your computer and stop infecting others.
Moreover, the now routine collecting of personal information by big corporations and phoning it home cannot be stopped without outbound filtering. I for one don’t trust MSFT, Adobe, etc. etc. all of which liberally phone home regularly sending god-knows-what back to their vast databases unless you block it.
Because Windows Vista offers no way to do outbound filtering on-the-fly (no outbound notifications are possible), it is entirely crippled for outbound. The only way to do it is if I know in advance the exact name of the program that will be attempting to phone home, etc. If I knew all that in advance, I wouldn’t need outbound filtering!
The good news for the firewall makers is this will keep them in business for another 5 years as any serious computing user will still have to purchase a 3rd party firewall. Really a shame. It would take only a few lines of code to enable on-the-fly outbound notification, MSFT has all the other needed outbound filtering capabilities in place. I kind of laugh when I see the option for _inbound_ notification with a parallel outbound option conspicuously absent. It’s like, “Hello guys, you seem to have forgotten something!” Ridiculous.
>> In plenty of scenarios malware will be unable or unwilling to reconfigure the OS to avoid detection. That detection will then allow you to clean up your computer and stop infecting others.
Ronald, I fully agree. The problem is that security experts often don’t acknowledge this argument. They assume that all malware avoids detection by outbound filtering. Experience shows that this assumption is simply wrong.