Windows firewall: Good enough?

Is it time to hail Microsoft's Windows-bundled firewall as a worthy competitor to commercial firewalls yet? David Berlind provides some answers as he examines the features and future of the product.
Written by David Berlind
If your business has turned the use of personal firewalls into a required countermeasure, now's a good time to start thinking more strategically before buying any more personal firewall technology from a third party.
Although it still has a serious flaw that Microsoft will have no choice but to fix, the morphing of Windows XP's built-in personal firewall from a toy into a more serious security technology means that now's also a good time for the remaining independent personal firewall vendors like Zone Labs to be thinking about long-term survival strategies. For the cottage industry of personal firewalls that includes giants like Symantec and McAfee (a division of Network Associates) and smaller players like Zone Labs, Sygate, Internet Security Systems (makers of BlackICE), and Panda Software, this was an inevitable turn of events.
They say history repeats itself.
Back in the mid-1990s, Microsoft was dogged by memory management problems in its Windows operating system products. Sure, there were third party products for getting the job done, like Quarterdeck's QEMM-386, Qualitas' 386MAX, and Helix's NetRoom. But so fragile was Windows when it came to handling memory that the slightest change to the operating system (for example, an update) or even the introduction of a new third party software product could destabilize the operating system and send the memory management vendors back to the drawing board to restore the delicate balance that had existed before. With IBM's OS/2 -- which many considered to be technically better than any graphical operating system Microsoft had to offer at the time -- still lurking in the market, Microsoft couldn't afford to leave its "memory" in the hands of others. And so, another cottage industry disappeared as a result of Microsoft's controversial decision to build memory management directly into its operating system.
Before building QEMM/386MAX/NetRoom-like functionality into Windows, Microsoft first included a trimmed-down version of Helix's NetRoom with Windows. By doing so, Microsoft was telegraphing its plans to eventually handle memory management on its own; I remember asking then-Qualitas CEO Mary Stanley what her company was going to do when and if that day came. Although the expression on her face changed from enthusiasm to distress, Stanley held her head high as she spoke of forthcoming enhancements that would keep Qualitas one step ahead of anything Microsoft would be building into its operating systems.
Fast forward.
In spite of the wishful thinking on behalf of Mary Stanley and her contemporaries, those memory management companies are gone now.
Beyond that, the current market conditions in the personal firewall market are eerily reminiscent of the pre-collapse market conditions of the memory management market.
Instead of OS/2 lurking about, the desktop version of Windows has a similarly minor threat (including motivated backers) in Linux which, in the enterprise-ready distributions, happens to come with an industrial-strength firewall (IPTables). Whereas Microsoft in the mid-1990s made a conscious decision to tackle memory management on its own, today almost all of Microsoft's forces have been marshaled to the cause of security. Microsoft has already bypassed the NetRoom-esque step of including a trimmed-down version of some third party firewall provider's product in Windows by building its barely usable Internet Connection Firewall (ICF) into current versions of XP. By all accounts, the next version of ICF -- simply called Windows Firewall (due when XP Service Pack 2 is released later this year) -- will draw it much closer in functionality to third party stalwarts such as ZoneAlarm and BlackICE.
Want the icing on the cake? Although I'm rather certain the executives at the various personal firewall companies have privately lamented Microsoft's increasingly serious attitude about personal firewall technologies, at least some of the third party firewall makers (in a bout of Mary Stanleyism?) are downplaying Microsoft's double-down on ICF as though it presents no threat. According to Zone Labs marketing vice president Fred Felman, "Having to [develop and include a personal firewall] and being able to are two different things. Look carefully around the Net and notice that the new firewall over-promises and under-delivers. Usability, functionality and security are all at issue."
Feature count
Even Greg Sullivan, lead product manager for Microsoft Windows, is careful not to oversell Windows Firewall. "It's still very rudimentary," he told me. But compared to version 1.0, Windows Firewall is a huge step forward. And while it may not have all the bells and whistles of the more mature third party offerings, most observers agree that Windows Firewall will have what it needs for the price to stifle demand for the more mature products. For example, using either network login scripts or Active Directory, businesses will find a modicum of centralized manageability in the new firewall (a feature found in some of the more advanced third party offerings).
According to Sullivan, between the new firewall and many of the other ultraconservative security settings in SP2 that address network security, browsing, protection from buffer overflows, and safer e-mail and instant messaging, the new Windows will cover a lot of security bases that were never covered before without the addition of third party products.
But Dan Ingevaldson, director of research and development at Internet Security Systems (makers of both consumer and enterprise-class desktop firewalls) gives Microsoft some respect. "How Microsoft's firewall will affect personal firewall vendors is a valid question," said Ingevaldson. "The same question goes for the antivirus market now that Microsoft has acquired that European signature-based antivirus solution provider (Romanian technology developer GeCad). The vanilla personal firewall is in danger of going away. Microsoft has a track record of making technologies like this disappear. [Microsoft] only needs to have 95 percent of the functionality [of leading third party products]."
Ingevaldson said the one-trick pony personal firewall and antivirus providers, of which he claims ISS isn't one, should be worried. Based on what he knows of the forthcoming Windows Firewall, with its default-on position, wizard-driven configuration, and improved help, Ingevaldson expects a shakeup in the consumer firewall business where ISS' BlackICE PC Protection plays, but he sees less vulnerability for the more enterprise-targeted offerings such as ISS' RealSecure Desktop.
In contrast to its position on firewalls, Microsoft seems content so far to leave antivirus to third party companies. As a part of its security dashboard, SP2 uses some hard-wired code to determine whether a workstation is running any of the third party firewall and antivirus products. But sources tell me that beyond SP2, antivirus vendors will be asked to support a standard, API-like function that will make it easier for the operating system and other software (applications, network interfaces, and management consoles) to retrieve information about a system's current state of protection.
Ingevaldson feels ISS' diversity into enterprise security, where the company's products are more deeply integrated and centrally managed, gives ISS a measure of protection from Microsoft's moves in the firewall market that other companies like Zone Labs and even Symantec may not enjoy. "We're not concerned about this eating away at our bottom line," he said.
I'm not so sure. While secure computing is of great import to consumers, the biggest challenge to Microsoft's largess is on the enterprise front where corporate patience with the seemingly never-ending onslaught of Windows' vulnerabilities is running thin. To hope that Microsoft will rest on the various laurels of its Trustworthy Computing initiative as long as critical enterprise needs remain unmet is an underestimation of how determined Microsoft is to not only lock down the enterprise, but also to beat back Linux, Unix or any other would-be contenders. Although Microsoft's Sullivan wouldn't comment on plans beyond SP2, he conceded that "contrary to what many people may think, [Microsoft] is pretty paranoid. It's fair to assume that we'll continue to evolve our products in a way that makes them competitive."
Patrick Hinojosa, CTO at security solution provider Panda Software, agreed that Windows Firewall will probably be good enough; and where it's not, Microsoft will make improvements (more on that in a moment). Panda's main focus is antivirus, but both of its offerings -- Platinum Seven and Internet Security -- include a firewall. Hinojosa told me, "Looking at SP2 and the specifications and from what is being touted, I would try to use that as my sole [personal] firewall." Hinojosa concurred that as Windows Firewall penetrates more of the user base, the need for third party personal firewalls would begin to wane. However, he wouldn't hazard a guess as to whether a penetration threshold existed that would cause Panda to stop including a personal firewall as a part of its products.
ISS' Ingevaldson asks if Microsoft, whose priorities include a plethora of issues beyond security, can lead the market in the way that smaller, nimbler, security-focused vendors can. My answer: Microsoft may not provide the ultimate checklist that an independent developer can, but it's likely to provide enough -- eventually.
Where's outbound filtering?
One reason I say eventually is because the new Windows Firewall in SP2 is missing something that all third party firewalls have: outbound filtering. Outbound filtering is important because it can prevent an infected workstation from spreading whatever it has caught to other workstations on an enterprise network.
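As an added illustration that is not part of Berlind's column: this is the configuration a defender uses to get the outbound filtering the SP2 firewall lacked. The cmdlets belong to the NetSecurity PowerShell module, so they assume a later Windows release (Windows 8 / Server 2012 or newer), not the XP SP2 firewall under discussion; the resolver and proxy addresses and the agent path are placeholders constructed for the example.

```powershell
# Added example (not from the article). Assumes Windows 8 / Server 2012 or later,
# an elevated PowerShell session, and the NetSecurity module that ships with them.
$profiles = 'Domain', 'Private', 'Public'

# 1. Log dropped packets before tightening anything, so the allow list can be
#    tuned from evidence rather than from help-desk tickets.
Set-NetFirewallProfile -Profile $profiles `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Allow only the outbound traffic the workstation legitimately needs.
#    Addresses and the program path below are constructed placeholders.
New-NetFirewallRule -DisplayName 'Allow DNS to internal resolvers' `
    -Direction Outbound -Action Allow -Profile $profiles `
    -Protocol UDP -RemotePort 53 -RemoteAddress 10.0.0.10, 10.0.0.11

New-NetFirewallRule -DisplayName 'Allow web via corporate proxy' `
    -Direction Outbound -Action Allow -Profile $profiles `
    -Protocol TCP -RemotePort 8080 -RemoteAddress 10.0.0.20

New-NetFirewallRule -DisplayName 'Allow patch agent (placeholder path)' `
    -Direction Outbound -Action Allow -Profile $profiles `
    -Program 'C:\Program Files\PatchAgent\agent.exe' -Protocol TCP -RemotePort 443

# 3. Flip the default outbound action to Block on every profile. Anything that no
#    explicit allow rule matches, including the peer-to-peer fan-out a compromised
#    workstation would attempt against its neighbours, is now dropped and logged.
Set-NetFirewallProfile -Profile $profiles -DefaultOutboundAction Block

# 4. Verify the resulting policy.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile
```

Order matters: switch logging on and build the allow list first, then change the default action, otherwise the first visible effect of the policy is broken name resolution and web access. The same settings can be pushed from Active Directory through the Windows Firewall with Advanced Security node of a Group Policy object, which is the centralized manageability the column anticipates.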
The omission is surprising since, during a demonstration of SP2 at a recent RSA conference, Microsoft chairman Bill Gates emphasized quarantining as an important factor of enterprise security. SP2 adds a type of inbound quarantining technology that, by default, prevents Internet Explorer and Outlook users from downloading or launching certain files that can't be traced back to trusted sources.
For example, if an executable file arrives via e-mail from a domain in the "Internet Zone," a zone which inherently shouldn't be trusted (and isn't by default), the technology in SP2 will prevent the user from opening it. Since many infections like Sobig are e-mail-borne, the result is a form of quarantining that prevents a virus from spreading itself after a user double-clicks on an attachment. But suppose an infection somehow gets by this first line of defense and onto an enterprise workstation -- not unlikely in corporate situations where telecommuters and mobile workers may not always be behind the corporate firewall or may be opening infected files through other means. Then that workstation's membership in the trusted zone will cause SP2's quarantining technology to overlook communications from it as a potential source of infection and allow files from it to be opened.
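An added example, not from the column: the SP2-era attachment check described above rests on a zone marking that Windows writes, for files that arrived from an untrusted zone, into a Zone.Identifier alternate data stream on NTFS (the "mark of the web"). The function below reads that stream so an administrator can audit which files on a workstation would be treated as untrusted and which carry no mark at all, the blind spot the paragraph above points to. It assumes PowerShell 3.0 or later on an NTFS volume; the download folder is a constructed example path.

```powershell
# Added example (not from the article). Assumes PowerShell 3.0+ on NTFS.
# Zone ids follow the URLZONE numbering Windows stores in the stream.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-FileZone {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        try {
            # -Stream reads the alternate data stream; a file with no mark raises
            # ItemNotFoundException, which we translate into "unmarked".
            $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        } catch {
            return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'Unmarked (treated as local)' }
        }
        $id = $null
        foreach ($line in $lines) {
            if ($line -match '^ZoneId=(\d+)') { $id = [int]$Matches[1]; break }
        }
        $name = if ($null -ne $id -and $ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { 'Unknown' }
        [pscustomobject]@{ Path = $Path; ZoneId = $id; Zone = $name }
    }
}

# Audit a download folder (constructed example path). Files in zone 3 or 4 are the
# ones the SP2-style attachment check refuses to open without an explicit override;
# unmarked executables are the ones it will silently trust.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    Get-FileZone |
    Sort-Object ZoneId -Descending |
    Format-Table Path, ZoneId, Zone -AutoSize
```

The useful signal for a defender is the "Unmarked" rows: a file copied in over a file share, extracted by an archiver that does not propagate the stream, or written to a FAT-formatted USB stick carries no zone at all, which is exactly the gap the column describes when an infected workstation inside the trusted zone hands files to its peers.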
Gates' mention of quarantining makes it clear that Microsoft understands that containment can be equally if not more beneficial to enterprise security than the shielding from outside threats that firewalls typically provide. Indeed, in an interview with Chris Blask, vice president of business development for security startup Protego Networks, I learned how a network that can autonomically respond with a quarantining action is the key to stopping outbreaks dead in their tracks.
Microsoft's Sullivan said the company has no plans at this time to add outbound filtering to Windows Firewall. This is a big mistake. It's hard to take Microsoft's Trustworthy Computing Initiative seriously when the company is excluding a technique that's so fundamental that even Bill Gates is talking about it. When I explained the aforementioned scenario, where infections could be caught and spread by a trusted source, Sullivan agreed that Microsoft may need to give the matter more attention.
If Microsoft is as paranoid as Sullivan says it is, then Microsoft will undoubtedly have to address the omission. Once it does, history is assured of repeating itself.