IT security experts and suppliers this week welcomed the
introduction of Windows Firewall, part of Windows XP Service Pack 2
(SP2), as a valuable way of protecting PCs. But while the firewall
is an improvement, it falls short of the standard of protection
expected of commercial firewalls, according to some industry
observers.
Windows Firewall - which replaces the old Internet Connection
Firewall - marks the first time all up-to-date PCs will have a
firewall switched on by default, an important step in stopping the
spread of viruses, according to industry analysts.
However, according to its critics the software suffers from two
major flaws: it does not block outbound traffic, and it can be
switched off by another application, possibly even by a clever
worm.
Most commercial firewalls include a feature to stop all but
authorised applications from sending data to the internet; this
stops malicious code from sending unauthorised communications, and
also prevents PCs from being hijacked and used to send spam or
participate in distributed denial-of-service attacks.
Windows Firewall, however, only filters incoming traffic,
allowing any application to send outbound packets, a fact which
some industry observers have said makes it less useful for serious
protection.
"It still isn't as robust as many third-party host-based
firewalls," wrote Jeff Fellinge, information security officer at
media company aQuantive in a recent analysis of the firewall.
More seriously, rival firewall makers claim that the API
(application program interface) used to manage the Windows Firewall
could also be used by attackers to modify the software or turn it
off. Major firewall makers, including Zone Labs, McAfee and
Symantec, are releasing SP2-compatible versions of their
applications which disable Windows Firewall when they are
installed, and enable it again when they are uninstalled.
But if an installer can switch off Windows Firewall, so could an
attacker, argues Zone Labs, maker of the popular ZoneAlarm
firewall. The company said its own products are locked-down in such
a way that third-party applications cannot disable firewall
protection without uninstalling the software.
Microsoft admitted that, in some cases, malicious code could
indeed switch the firewall off. However, this is not so much a flaw
as a limitation on the role firewalls should play in a company's
security system, Microsoft said.
"An attacker could misuse that [administrative] capability,"
said Microsoft technical specialist David Overton. "But you're
already in a compromised state, if you're at that point." He said
that Windows Firewall is designed to stop malicious transmissions
to the PC, rather than protecting the PC once it is been
infected.
If malicious code makes it past the firewall, it is the role of
anti-virus software to protect the machine, Overton said. Likewise,
it is not the firewall's place to stop malicious code from sending
outbound packets - Microsoft argues companies should use perimeter
technologies to examine outbound traffic.
"The firewall is a management process, not a silver bullet,"
Overton said.
He said that Microsoft's user testing had shown that asking
users to approve every application trying to communicate with the
internet tends to backfire.
"If you flood the user with messages like that, they say 'yes'
all the time," he said.
Rival firewall makers say they have various ways of dealing with
this problem. McAfee, for example, has a "white list" of trusted
applications, designed to reduce the number of messages a user
receives.
Matthew Broersma writes for Techworld.com