SP2's new firewall: Not good enough?

commentWindows XP Service Pack 2 (SP2) is here, and the spotlight is now firmly thrust onto the personal firewall and anti-virus sectors.
Written by David Berlind, Inactive
With Microsoft having released Windows XP Service Pack 2 (SP2) to manufacturing, the technology that some have nicknamed "Security Pack 2," coupled with recent rumblings from Microsoft, are spinning the spotlight towards the personal firewall and anti-virus sectors.
For starters, after installing SP2, users of XP will notice the addition of a security dashboard to Windows' Control Panel known as the Security Center. This simple status report on your system's defenses answers such basic questions as whether your firewall and anti-virus systems are turned on, whether your anti-virus solution is using the most recent signature file, and whether your operating system has received all available critical updates.
Today, Windows will tell us that critical updates are waiting to be downloaded through an indicator that pops up from the Windows tray, or following a "scan for updates" that takes place after Windows Update is manually invoked. Until SP2, users could never go to one central location to get an easily scannable status report on their systems' readiness to deal with the most prevalent threats. Barring any known compatability problems between SP2 and your company's computing infrastructure (like that which has been reported to have occurred at IBM), this feature alone makes SP2 worth the upgrade.
The security dashboard is less of an innovation than it is the re-use of an existing Windows API known as the Windows Management Interface (WMI). During a video interview, Microsoft spokesperson Greg Sullivan said that "WMI is used mostly by IT managers to enforce policies broadly across their domains." But, as it turns out, the API is flexible enough that it can be used to interrogate the status of firewall and anti-virus products as long as the developers of those products support that sort of WMI-based interrogation.
Knowing that third party vendors of personal firewalls such as Zone Labs and Sygate may need some time to support the interface, Microsoft jerry-rigged a connection between the Security Center and most of the popular third party security products -- a sign of the lengths to which Microsoft will go to deputise customers in the battle against hackers.
Quietly, however, even before SP2 had officially shipped, Zone Labs became one of the first to jump on the WMI bandwagon. Within the past few days, the company issued WMI-compatible updates to the freely downloadable Zone Alarm personal firewall, Zone Alarm Pro (the paid version) and Zone Alarm Security Suite (includes anti-virus technology licensed from Computer Associates). If you're running any of those products and the product hasn't already notified you of the update's availability, you should be able to get the update from Zone Labs' site. Though I haven't checked with every firewall vendor, Sygate product manager Elisha Riedlinger told me that Sygate expects to have WMI support in its firewall sometime in the fourth quarter.
According to Zone Labs' vice president of business development Fred Felman, "Our update accomplishes two things. First, our firewalls and anti-virus solutions can now report their status to SP2's Security Center. [Also,] we can turn off the Windows Firewall when we are installed and we turn it back on if we're uninstalled."
This is the way Microsoft would want it to be. According to Microsoft's Sullivan, only 10 percent of Windows users have a personal firewall on their systems. In the interview, he said Microsoft had to ask itself, "What can we do to make sure that this system right out of the box is as rock solid as we can make it, so that the user doesn't have to do anything?" At least part of the answer for Microsoft was to make improvements to the firewall built into Windows and turn it on by default -- which is exactly what the Windows Firewall does once it's installed. As I've posited before, improvements to the Windows Firewall are a controversial issue, the flames of which are being fanned by recent revelations that another answer to Sullivan's "What can we do?" may be "a Microsoft anti-virus product."
Microsoft's entry into either the personal firewall or anti-virus markets -- with minimally acceptable protection that could allow users to forgo third party products -- could spell doom for scores of products and the one-trick pony vendors behind some of them.
But Zone Labs' Felman insists that while Microsoft can throw all the resources it wants at improving its firewall or developing a new product from the ground up, the software giant's offerings will still be light years behind the offerings of dedicated security vendors. Felman says that smaller, nimbler companies like Zone Labs can respond much faster to the market. Zone Labs' pre-SP2 launch of WMI-support is certainly evidence of that conviction.
The new Windows Firewall offers more evidence that Felman may be right. Ten percent of Windows users may be running a personal firewall. And though that number may go up after SP2 and its default-to-on firewall penetrates the market, the Windows Firewall falls so short of what a world class personal firewall should be capable of, that those relying on it (and those whose Security Centers show a firewall as being "on") may be led into a false sense of security. For the 90 percent of Windows users not running a personal firewall, the new and improved firewall in SP2 may be better than nothing, but it's just not good enough. I, for one, would never rely on it.
As I've reported before, the Windows Firewall lacks outbound blocking, a staple of most third party personal firewall products and, I believe, an absolute requirement. In-bound blocking -- something which all firewalls (including Microsoft's new one) do -- is what keeps illegitimate traffic from entering systems and networks through networking channels known as ports. But what in-bound blocking doesn't do is keep a malicious payload from piggybacking on legitimate traffic such as e-mail or Web traffic going to Outlook or Internet Explorer.
Once a malicious payload gets in, your reliance to stop it shifts from the inbound firewall to something internal to your network or workstation -- like your anti-virus or anti-spyware software. But, in the cat-and-mouse game of security solution developers vs. hackers, there are some pretty clever mice. And, as was demonstrated by at least one recent exploit of a vulnerability in Internet Explorer, there are certain exploits that anti-anything (virus, spyware, popups, etc) products are powerless against. What's your last line of defence to keep one of these exploits from phoning home? Outbound blocking -- a feature that the Windows Firewall lacks.
As Zone Labs' implementation of SP2 compatibility demonstrates, absence of outbound blocking isn't the only significant vulnerability in the Windows Firewall. Should a third party firewall like Zone Alarm get uninstalled, Microsoft would obviously want the Windows Firewall to be turned back on. But Zone Labs' Felman says that as easy as it was for his company to programmatically turn the firewall back on, it can also turn it off as long as the user is logged in with administrative rights (which most Windows XP users are). In light of that, Felman poses the rhetorical question, "If we can turn it off, then why can't the hackers?" In addition, Felman notes that third party software providers can programmatically make additions to the inbound blocking exception list.
Microsoft officials have repeatedly downplayed the significance of the outbound blocking feature's absence, arguing that once malicious code is on a system, it's a game-over situation anyway. This would be true in Microsoft's case even if the Windows Firewall had outbound blocking, because the firewall can be programmatically turned off. But Felman claims that more can be done and points to Zone Labs' "Total Lockdown" technology as evidence not only of how much further Microsoft must go to bring its firewall up to snuff, but how innovative security suite providers like Zone Labs might be able to stay steps ahead of Microsoft's ever-evolving security solutions.
Felman described Total Lockdown as a technology that prevents programmatic disabling of Zone Labs' firewall. "You can use commands at the Windows command prompt, such as NET STOP, to shut down our user interface," said Felman. "But, if the UI is disabled, our driver goes into a lockup mode, which makes it impossible for the rules that were set while the UI was active to be changed. Any in- or outbound network activity that isn't explicitly allowed by the pre-existing rules is blocked. Basically, there's no way to disable it unless you reboot the machine and uninstall the software."
Are the third party products from Zone Labs, Sygate and others as good as they can be?
Hardly. For example, there's still a glaring absence of actionable information when a personal firewall catches a software component trying to access the network for the first time. When this happens, firewalls generally ask the user if the behaviour should be allowed. But the information provided is often too cryptic for mere mortals to tell if it should be allowed or not. Just today, after running Windows Update on my system, Sygate Personal Firewall Pro detected that a component of the operating system was physically changed. But, what was missing was something that told the firewall that the change happened as a result of a legitimate update. When I was asked to approve or disapprove, I had no idea what to do.
Something similar started happening as a result of the latest Windows Update -- the one that finally addresses the Download.Ject vulnerability with a patch rather than a configuration change. Now, Internet Explorer double checks with the user before it engages in any cross-domain activity. But the prompt to allow it or disallow it offers no clues as to whether the behaviour is normal for the site your visiting.
Yet another feature missing from firewalls is an easy way to whitelist and blacklist our browsers from reaching certain domains. It can be done, but you have to be a rocket scientist to do it. What would be better is a prompt so that every time our browsers try to reach a new domain on the Internet, it says, "Hey, I've never been here before, should we whitelist this site?" This offers a measure of comfort in knowing that some malware isn't going to come in, hijack my browser, and send some confidential information via the Web to a Russian organised crime site -- a transmission that would otherwise be allowed if all I did was tell my firewall that my browser is allowed to go out to the Internet (which is the level of granularity that most personal firewalls are configured to operate from).
Indeed, as Felman says, with so much work to be done on personal firewall technology, the dedicated vendors may indeed stay ahead of Microsoft. But, should Microsoft go out and buy a big security provider (as it is rumoured to be looking for), the entire game will change.
Editorial standards