
A good outbound firewall in Windows Vista wouldn't replace the need for layered security

Written by David Berlind

In case you missed it, my post on when a firewall really isn't a firewall (hint: when it's Windows Vista's firewall) drew a firestorm of response from ZDNet's readers, many of whom agreed and many who did not (be sure to see the screen gallery I prepared as my proof-point). But some disagreements (both in the comments thread and in my inbox) adhered to a common theme: that outbound firewalls which default to letting nothing out onto the network, all of which invariably need to be trained by the end-user on what can be allowed out, will eventually get trained by the end-user to let everything out.

It's true that training an outbound firewall can be a royal pain in the you know what. Out of the box, a decent outbound-blocking firewall that defaults to letting nothing out will bombard users every time it sees something on the PC trying to access the network for the first time. And when I say bombard, I mean bombard. To some users, the number of dialogs that pop up that basically say "Hey you, XYZ application is trying to get out to the network. Do you want to allow it this time, forever, or never?" will be overwhelming. In fact, it's this chattiness that Microsoft claims will spoil Vista's out-of-the-box experience for many users -- spoilage that Microsoft doesn't want to happen. Many of the notes and comments are different twists on this theme. Here's what one ZDNet reader, t_mohajir, had to say in his comment:

David, does an outbound firewall really help? I stated this as a reply to another post, but I'll restate it here. Assuming Microsoft implemented an outbound firewall, the easy way for malware writers to work around it is to have an executable called iexplore.exe (or any other common program) send outbound on port 80. How is the home user supposed to know to block that when it pops up? This very simple action on the part of malware writers renders an outbound firewall worthless, and you can be sure that the moment Microsoft made an outbound firewall standard all malware that doesn't already do this would quickly be modified to use port 80 with a common application name.
The bottom line is that emphasis should be placed on preventing spyware/malware from getting installed in the first place. Once it's there, a non-technical user is toast. So I'd have to disagree with you on the criticality of an outbound firewall to a home user.
Businesses on the other hand should implement an outbound firewall, but it shouldn't be configurable by common users, and most likely it shouldn't be a software firewall at the desktop level, but rather be a sophisticated hardware firewall and/or web proxy.
In either case, for "most" people an outbound software firewall doesn't add much value.

t_mohajir cc:ed my inbox as well. For me, his post raises two issues. First, the need to think about security (desktop, network, or both) in terms of layered security (making sure all layers are addressed), and second, how the user has to accept some responsibility and inconvenience if they want to maximize their chances of secure computing. Here's how I responded:

An inbound/outbound firewall alone is not the end-all be-all protection for a system. Unless there is a really compelling reason not to, users should run Vista in a lesser privileged user mode (not as an administrator). This by itself would prevent new exe's from getting surreptitiously installed or overwritten without being noticed by the user. Even if you are running in administrative mode, any decent antivirus system (as well as most firewall solutions) would spot a change to iexplore.exe and flag it as a potential problem. What the user does with that information next comes back to what a user's role is in securing their system. As a side note, news surfaced today that two common antivirus solutions -- one from Microsoft, the other from McAfee -- failed in one researcher's test to detect an entire collection of viruses currently circulating the net (eek! I run McAfee). 

Outbound firewalls may be chatty out of the box as a part of their training. But I believe that should be an activity that users should be accustomed to engaging in as they look to keep their systems protected. There's a list of things we do while we're driving to keep ourselves from getting into car accidents, or being hurt by them. For some people, the list is longer than others. For the most part, the longer the list, the less risk. Using convenience as the scapegoat, some people bypass certain list items that are known to be effective in most situations (nothing is guaranteed). For example, wearing seat belts. Checking your blind spot. The user bears some responsibility here.

t_mohajir responded to me saying that I didn't quite understand his comment. He wasn't referring to the replacement of the authentic iexplore.exe (or other software) with rogues under the same name. He was referring to what happens if a distinctly separate executable under the same name was loaded onto the system. In that case, said t_mohajir, the end-user could easily end up being socially engineered into approving the rogue software's outbound communication, since it makes sense to let something named iexplore.exe or firefox.exe get out to the Internet.

But in this case, my initial response still applies. Most antivirus systems and firewalls do not key off the filename alone. They key off the file itself. Some anti-malware solutions, for example, do the equivalent of file fingerprinting. Consequently, when users approve outbound communications, they're approving it for a particular fingerprint, not for a particular filename. An authentic software component and a like-named rogue would not have the same fingerprint and thus the rogue would get flagged as "new software" that requires the end-user's attention. Not only that, for the end-user to actually run the impostor instead of the authentic component, the shortcuts (used by most users) would have to be reprogrammed.
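To make the fingerprint-versus-filename distinction concrete, here is an added example (my own illustration, not code from ZDNet, Microsoft or any firewall vendor) that contrasts a rule keyed on the executable's name with one keyed on a SHA-256 fingerprint of its contents. The "binaries", paths and allow-lists are constructed placeholders.

```python
import hashlib
import ntpath

# Constructed stand-ins for file contents; neither is a real executable.
GENUINE_IEXPLORE = b"MZ\x90\x00genuine-browser-build-7.0"
ROGUE_IEXPLORE = b"MZ\x90\x00something-else-entirely"

# Constructed paths: the real browser's location and a rogue copy elsewhere.
GENUINE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
ROGUE_PATH = r"C:\Users\Public\iexplore.exe"


def fingerprint(data: bytes) -> str:
    """Identify a program by a hash of its bytes rather than by its name."""
    return hashlib.sha256(data).hexdigest()


def decide_by_name(path: str, allowed_names: set) -> str:
    """The weak rule t_mohajir worries about: any file called iexplore.exe passes."""
    return "allow" if ntpath.basename(path).lower() in allowed_names else "prompt-new"


def decide_by_fingerprint(path: str, data: bytes, allowlist: dict) -> str:
    """Return 'allow' only for the exact binary the user approved earlier.
    'prompt-new' means this path was never approved; 'prompt-changed' means a
    known path now carries different bytes (overwritten or swapped binary)."""
    approved = allowlist.get(path)
    if approved is None:
        return "prompt-new"
    return "allow" if approved == fingerprint(data) else "prompt-changed"


def approve(path: str, data: bytes, allowlist: dict) -> None:
    """Record the user's 'allow forever' answer against the file's fingerprint."""
    allowlist[path] = fingerprint(data)


def demo() -> tuple:
    """Walk through first run, approval, an overwrite, and a like-named rogue."""
    allowlist = {}
    first = decide_by_fingerprint(GENUINE_PATH, GENUINE_IEXPLORE, allowlist)
    approve(GENUINE_PATH, GENUINE_IEXPLORE, allowlist)
    again = decide_by_fingerprint(GENUINE_PATH, GENUINE_IEXPLORE, allowlist)
    # Same path, different bytes: the genuine file was overwritten.
    overwritten = decide_by_fingerprint(GENUINE_PATH, ROGUE_IEXPLORE, allowlist)
    # Same name in another directory: a separate rogue executable.
    rogue = decide_by_fingerprint(ROGUE_PATH, ROGUE_IEXPLORE, allowlist)
    return first, again, overwritten, rogue
```

A name-only rule lets the rogue copy out without a prompt, while the fingerprint rule surfaces it as new software, which is the point made above.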

Furthermore, I was notified by several readers that it's possible to reverse the "polarity" of Vista's outbound firewall. In other words, it can be set to block everything. Only there's one problem (according to one reader). When the firewall is set to block everything, it doesn't pop up any dialogs when something tries to get out, which is what would give the end-user a user-friendly way to train the firewall with exceptions. Vista's firewall does, however, offer such dialogs when something is trying to get in.
