Internet Security Tips and Advice

Vista firewall: What you can expect

January 18th, 2007 by Igor Pankov

In the run-up to the launch of Windows Vista for home users, we’re taking a closer look at the firewall component to see what benefits the final version offers. This article also touches on some of the other security aspects of the new OS.

A more secure OS overall

Vista boasts a number of security reinforcements introduced to make the system more resistant to malware and other unauthorized activities. Among these are:

  • User Account Control (UAC) prevents sensitive system modifications, or changes to the way programs operate, unless the user supplies Administrator credentials (for restricted users) or gives explicit permission (for users with Admin rights). This effectively prevents malicious software from surreptitiously accessing critical areas of the Windows file system or interacting inappropriately with other applications.
  • Windows Defender focuses on spyware detection and removal. In rare instances, it can detect and remove other malware such as worms but is very weak at removing viruses.
  • The integrated firewall discussed further in this article performs bidirectional traffic monitoring.
  • Internet Explorer version 7, which we have already extensively reviewed. For Vista-specific use, the updated browser is further bolstered by Protected Mode, which ensures that file and program interactions initiated by the browser remain within the context of the browser and do not spill over into the broader Windows environment. This limits the impact browser problems can have on other parts of the OS.
  • The parental control tool helps parents better manage what children can access on the computer and when.
  • PatchGuard restricts access to the Windows kernel in 64-bit Vista implementations, isolating the kernel from malware (but also making it inaccessible to legitimate code interaction).

A first glance at the firewall

The integral Windows Firewall is active by default and provides automatic monitoring of all incoming connection requests. Accessible from the Control Panel, the firewall is intended to protect any type of Internet connection against abuse.

The Network and Sharing Center in Vista lets you profile your connections and specify whether they refer to Public, Private or Domain configurations. The system assigns sharing and security settings appropriate to each profile's level of trust, and the firewall adjusts its configuration to match. This looks to be a useful attribute, as you can change the profile of any connection on the fly, and the system will accommodate the firewall setting changes automatically.

For example, if I designate my current connection type as “Public”, all file and printer sharing is automatically turned off, leaving me with just the minimum options needed to connect to the Internet. In this case, the most secure configuration is applied and I would not be able to see or share resources over a local network.

If I change the network status to “Private” (less secure, assuming the network you connect to is trusted and you can share resources), some sharing and network discovery services are turned on, and the firewall adds some categories of applications and services to its Exceptions list for which access will be granted.

The firewall has two available interfaces: one accessible from the Control Panel which provides a basic program suitable for novice users and those who don’t want to get involved with complex configuration issues, and a more advanced version which enables you to set up detailed firewall rules. The latter interface is accessible by several different methods, including the MMC (Microsoft Management Console). We’ll first take a look at the simple interface; interacting with the more complex interface is addressed later in this document.

Basic firewall settings and capabilities

Essentially, the simple interface just lets you enable and disable the firewall, specify a couple of exclusions, set up rules for monitoring inbound connections for custom applications using parameters such as port/protocol and remote hosts, and select which network connections you want the firewall to protect. The key point here is that, by default, the firewall doesn’t monitor outbound connections, so it can’t detect if your system has been hijacked to send out spam or viruses, nor can it prevent personal data from being transmitted to unauthorized third parties – both key issues in today’s insecure online world.

On a more positive note, Gibson Research's open ports probe utility ShieldsUP! revealed that all the ports on my computer were successfully stealthed (shielded, made invisible) by the firewall. This is a good thing, because if hackers cannot locate open ports (that might accept remote connections) on a computer, that computer will be much harder to link to and exploit.

However, the greatest risk lies in the way the firewall processes connection requests and controls the direction of data exchange; it assumes that if any outgoing data is permitted, the incoming data in response to that action must also be legitimate. So it will allow any inbound connection for any program, provided that the program has first initiated an outbound request and then expects packets in return. No warning or other notification is displayed, because the firewall assumes that the communication channel is trusted and lets all data in and out unrestrictedly. This one erroneous assumption means that your computer can easily be incorporated into a botnet; a simple outbound request made by a Trojan (and permitted by the firewall) would be enough to turn your PC into a compromised server accepting commands from a remote attacker.

I was able to easily demonstrate this vulnerability by launching an instant messaging application; without any alerts or other notifications, the program was able to communicate data in both directions. Most likely, as noted earlier, the program first established an outbound connection so that every subsequent connection request was permitted by the firewall. The netstat window shows some details.
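The netstat view referred to above can be reproduced from the command line and tied back to the program that owns each connection, which is the closest thing to connection monitoring the basic firewall gives you. The following is an added example written for this page, not code from the original article; it assumes an elevated PowerShell prompt on Vista (so that the PIDs of every user's processes are visible) and relies only on `netstat -ano` and `Get-Process`. The function name `Get-EstablishedConnection` is our own.

```powershell
# Added example, not part of the original article: list every established TCP
# connection together with the process that owns it.
function Get-EstablishedConnection {
    # netstat -ano prints numeric addresses and the owning PID; -p tcp limits it to TCP.
    $rows = netstat -ano -p tcp | Where-Object { $_ -match 'ESTABLISHED' }
    if (-not $rows) { return }   # nothing established: return no objects (PS 2.0 would otherwise loop once over $null)
    foreach ($row in $rows) {
        # Columns: Proto  Local Address  Foreign Address  State  PID
        $col = $row.Trim() -split '\s+'
        $ownerPid = [int]$col[4]
        # The process may have exited between the two calls, hence SilentlyContinue.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $obj = New-Object PSObject
        $obj | Add-Member NoteProperty Local   $col[1]
        $obj | Add-Member NoteProperty Remote  $col[2]
        $obj | Add-Member NoteProperty PID     $ownerPid
        $obj | Add-Member NoteProperty Process $(if ($proc) { $proc.ProcessName } else { '<exited or inaccessible>' })
        $obj
    }
}

# Full table of connections, then a per-process count. A program you did not
# expect to see talking to remote hosts is exactly what the basic firewall
# would never have flagged, because it never prompts on outbound activity.
Get-EstablishedConnection | Format-Table -AutoSize
Get-EstablishedConnection | Group-Object Process | Sort-Object Count -Descending | Select-Object Name, Count
```

`netstat -b` (also elevated) prints the executable name directly, but its output is harder to parse; mapping the PID through `Get-Process` keeps one object per connection, which you can filter or export with `Export-Csv` for a baseline of what normally talks to the network.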

The same proved true for other Internet-enabled programs, where applications as diverse as the Firefox web browser and the FTP transfer agent FileZilla were able to access the Internet and send data past the firewall without hindrance. In all honesty, I did not encounter a single firewall alert during the entire course of testing the basic capabilities. This is in stark contrast to the approach taken by third-party firewalls such as Outpost, which control the initiator of activity and do not permit communication in either direction to take place without explicit user permission.

If you want to be able to control both directions of transmission and configure advanced access rules for different applications, you must use the “Windows Firewall with Advanced Security” interface, which is where we are headed in this final part of today’s review.

Advanced firewall settings and capabilities

First-time experience

The advanced firewall interface is available at Control Panel | Administrative Tools | Windows Firewall with Advanced Security. Alternatively, you can type the WF.msc command into the Windows Run dialog, or you can invoke mmc.exe (from the same dialog), select Add/Remove Snap-in, browse to Windows Firewall with Advanced Security and click Add. Then select Local Computer and click Finish. After confirming OK, the corresponding snap-in is displayed in an MMC. Double-clicking the item will display the interface.

The firewall has three profiles, one for each type of network connection mentioned earlier, and you can assign specific settings to each profile. Clearly, you would want to assign the most secure configuration to the Public profile and use less secure settings for the Private profile, where a level of trust exists between members of the network to which you are connected. The advanced settings enable you to do this.

The first dialog box, displayed by selecting the Windows Firewall properties menu, enables you to block outgoing connections. The key here is to correctly select the profile you intend to make changes to in order to see the effect. I selected Public (my current type of connection) and opted to block all outgoing connections.

The immediate effect was that all the programs I had been using lost Internet connectivity and I had to manually configure the corresponding outbound rules for each one of the affected applications in order to restore access. Not a good start.

Application access rules

The Advanced firewall has an extensive list of pre-configured Outbound and Inbound program access rules, but, naturally, none of the applications I frequently use were on the list. With outbound blocking on, this essentially meant I had to create the outbound rules manually for each and every program I wanted to continue to use. This is an excruciating task, as almost every program today requires some type of Internet access. This situation could so easily have been avoided if the firewall had prompted for access permissions the way third-party firewalls do. Being denied such a "luxury", I had to resort to manual tweaking. Below is the process I had to go through to restore Firefox access; other applications required similar treatment:

First click Outbound rules and make sure Firefox is not already listed (it was not, in my case), then in the right pane entitled Actions select the "New Rule" item and click Custom.

Then browse to the location of Firefox.exe. Note that, on the screenshot below, the entry “Program Files” is interpreted as a variable, which is a big plus since it doesn’t depend on the current location of the program folder.

Other settings that I altered in the course of moving through the Wizard were "Allow the connection", which I had to apply to all three profiles, and finally a custom name for the rule. The new rule appeared in the complex and rather overwhelming list of other outbound rules.

After completing the steps above, I was finally able to get Firefox back online again. It's obvious that it is next to impossible to do this for every application you want to work with under the firewall's "block outbound mode", so it's not advisable to ever select this highly restrictive option. Even though leaving outbound traffic unblocked carries a big security risk, most users will likely find it a greater hassle to go through this process over and over again.
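The two changes walked through above, blocking outbound traffic on the Public profile and then restoring one program's access with a custom outbound rule, can also be made from the command line, which is considerably faster than the wizard when many programs need the same treatment. This is an added example, not code from the original article: it uses the netsh advfirewall context that ships with Vista, assumes an elevated PowerShell prompt (from cmd.exe the %ProgramFiles% variable would be expanded to a concrete path before netsh sees it), and assumes Firefox is installed under %ProgramFiles%\Mozilla Firefox and that the rule name "Firefox outbound" is not already in use.

```powershell
# Added example, not part of the original article. Run from an elevated
# PowerShell prompt on Vista.

# 1. Inspect the current policy of every profile. The Vista default for each is
#    "BlockInbound,AllowOutbound", which is the behaviour the article describes.
netsh advfirewall show allprofiles

# 2. Block outbound connections on the Public profile only, as done through the
#    Windows Firewall Properties dialog above. Inbound handling is left as it was.
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

# 3. Check that no outbound rule with this name exists yet (the wizard's first step).
netsh advfirewall firewall show rule name="Firefox outbound" dir=out

# 4. Create the outbound allow rule for all three profiles. The %ProgramFiles%
#    variable is passed literally from PowerShell, so the rule keeps the
#    location-independent form the article praises instead of a fixed drive letter.
netsh advfirewall firewall add rule name="Firefox outbound" dir=out action=allow program="%ProgramFiles%\Mozilla Firefox\firefox.exe" enable=yes profile=any

# 5. Verify the stored rule, then export the whole policy as a backup before
#    repeating step 4 for the next program.
netsh advfirewall firewall show rule name="Firefox outbound" dir=out verbose
netsh advfirewall export "$env:USERPROFILE\vista-firewall-backup.wfw"

# To undo: delete the rule and put the Public profile back to the default policy.
#   netsh advfirewall firewall delete rule name="Firefox outbound" dir=out
#   netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound
```

Because the rule is keyed on the executable path, any program at that path is allowed; the firewall still asks no questions at connection time, so the rule set is only as good as the list of programs you decided to trust when you wrote it.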

Miscellaneous options

You can configure the Advanced firewall to support secure connections with encryption and authentication (IPsec rules), but this complex topic is for a separate discussion and we won’t go into details about it here.

The Advanced firewall supports logging of events for troubleshooting purposes, but the log data doesn’t provide records of per-application activity, so its usefulness is somewhat limited from that perspective.
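The limitation just described is visible in the log format itself: each record carries addresses, ports and a direction, but no column naming the program or process. The following added example (written for this page, not taken from the article) turns on logging with netsh and then parses the W3C-style log. The five log lines are constructed for the example and use documentation address ranges; the function names `ConvertFrom-FirewallLog` and `Get-DroppedInboundSummary` are our own, and the default log path %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log is assumed.

```powershell
# Added example, not part of the original article. Elevated PowerShell prompt assumed.

# Enable logging of both dropped and allowed connections for the active profile.
netsh advfirewall set currentprofile logging droppedconnections enable
netsh advfirewall set currentprofile logging allowedconnections enable
netsh advfirewall set currentprofile logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

# Constructed sample in the log's format (header lines start with '#').
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-01-18 10:15:32 DROP TCP 198.51.100.7 192.0.2.10 51234 445 48 S 1234567 0 8192 - - - RECEIVE
2007-01-18 10:15:33 DROP TCP 198.51.100.7 192.0.2.10 51235 135 48 S 1234568 0 8192 - - - RECEIVE
2007-01-18 10:15:40 ALLOW TCP 192.0.2.10 203.0.113.5 49200 80 0 - 0 0 0 - - - SEND
2007-01-18 10:15:41 ALLOW UDP 192.0.2.10 192.0.2.1 49201 53 0 - - - - - - - SEND
2007-01-18 10:16:02 DROP TCP 198.51.100.9 192.0.2.10 40001 445 48 S 7654321 0 65535 - - - RECEIVE
'@ -split "`r?`n"

# Turn log lines into objects, taking the property names from the #Fields header
# so the parser follows whatever column order the log declares.
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s+(.*)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $fields.Length; $i++) {
            $obj | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $obj
    }
}

# Dropped inbound (path RECEIVE) connections grouped by destination port, with the
# distinct sources that hit each port: the view you want when checking whether a
# stealthed port is being probed.
function Get-DroppedInboundSummary {
    param($Entries)
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object @{n='Port'; e={ $_.Name }}, Count,
                      @{n='Sources'; e={ ($_.Group | ForEach-Object { $_.'src-ip' } | Sort-Object -Unique) -join ', ' }}
}

$entries = ConvertFrom-FirewallLog $sampleLog
Get-DroppedInboundSummary $entries | Format-Table -AutoSize

# The available columns: note that none of them identifies a program or process,
# which is why the allowed SEND entries above cannot be attributed to an application.
$entries[0] | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name

# Against the live log, once it has accumulated entries:
#   $entries = ConvertFrom-FirewallLog (Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log")
```

The port-and-source summary is useful for spotting inbound probes against a stealthed host; to attribute an allowed outbound entry to a program you have to correlate its source port and time against a connection listing taken at the same moment, because the firewall log alone does not record it.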

Nor does the Advanced firewall incorporate a database of known attack types, which means it's unlikely to provide any protection against denial-of-service attacks distributed across a local area network.

Summary of Vista firewall capabilities

Positives:

  • Supports multiple connection profiles;
  • Supports advanced firewall rules;
  • Supports data authentication for secure connections;
  • IPv6 support;
  • Pre-configured access rules for internal system software and services.

Negatives:

  • Advanced settings require too much effort to use;
  • Doesn’t control and secure outbound connections by default;
  • Incoming connections are not filtered if they follow a previously initiated outbound request for a session applicable to the requesting program;
  • Doesn’t prompt the user for action in regard to outbound requests; it can either allow or block a connection;
  • No time-based rules;
  • No advanced control of inter-process communication for outbound program access. Partially covered by UAC, but programs exist that can establish outbound access bypassing UAC;
  • No Intrusion Detection System (IDS);
  • Primitive logging;
  • No monitoring of active connections.

Conclusions

Microsoft's move to improved OS security has been long awaited, some might say long overdue, and will bring some benefit to users. Certain of the new security measures introduced will undoubtedly make users safer, although at a cost: increased prompts triggered by UAC or IE Protected Mode, as well as other distractions. One thing, however, that will clearly never bother most users is the Windows Vista firewall. It doesn't control outbound activity, and so it is inherently incapable of delivering real-time control over network traffic. The fact that it can only allow or block connections creates a sizeable security risk if the firewall allows outbound connections, and a serious interference with productive PC usage if all outbound traffic is blocked.

Unsurprisingly, then, it’s my view that users would be better advised to use a dedicated, time-proven third party firewall like Outpost to protect their online activities.


Posted in Security Insight
