Microsoft firewall could be security risk

IT security experts and suppliers this week welcomed the introduction of Windows Firewall, part of Windows XP Service Pack 2...

IT security experts and suppliers this week welcomed the introduction of Windows Firewall, part of Windows XP Service Pack 2 (SP2), as a valuable way of protecting PCs. But while the firewall is an improvement, it falls short of the standard of protection expected of commercial firewalls, according to some industry observers.

Windows Firewall - which replaces the old Internet Connection Firewall - marks the first time all up-to-date PCs will have a firewall switched on by default, an important step in stopping the spread of viruses, according to industry analysts.

However, according to its critics the software suffers from two major flaws: it does not block outbound traffic, and it can be switched off by another application, possibly even by a clever worm.

Most commercial firewalls include a feature to stop all but authorised applications from sending data to the internet; this stops malicious code from sending unauthorised communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks.

Windows Firewall, however, only filters incoming traffic, allowing any application to send outbound packets, a fact which some industry observers have said makes it less useful for serious protection.

"It still isn't as robust as many third-party host-based firewalls," wrote Jeff Fellinge, information security officer at media company aQuantive in a recent analysis of the firewall.

More seriously, rival firewall makers claim that the API (application program interface) used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off. Major firewall makers, including Zone Labs, McAfee and Symantec, are releasing SP2-compatible versions of their applications which disable Windows Firewall when they are installed, and enable it again when they are uninstalled.

But if an installer can switch off Windows Firewall, so could an attacker, argues Zone Labs, maker of the popular ZoneAlarm firewall. The company said its own products are locked-down in such a way that third-party applications cannot disable firewall protection without uninstalling the software.

Microsoft admitted that, in some cases, malicious code could indeed switch the firewall off. However, this is not so much a flaw as a limitation on the role firewalls should play in a company's security system, Microsoft said.

"An attacker could misuse that [administrative] capability," said Microsoft technical specialist David Overton. "But you're already in a compromised state, if you're at that point." He said that Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it is been infected.

If malicious code makes it past the firewall, it is the role of anti-virus software to protect the machine, Overton said. Likewise, it is not the firewall's place to stop malicious code from sending outbound packets - Microsoft argues companies should use perimeter technologies to examine outbound traffic.

"The firewall is a management process, not a silver bullet," Overton said.

He said that Microsoft's user testing had shown that asking users to approve every application trying to communicate with the internet tends to backfire.

"If you flood the user with messages like that, they say 'yes' all the time," he said.

Rival firewall makers say they have various ways of dealing with this problem. McAfee, for example, has a "white list" of trusted applications, designed to reduce the number of messages a user receives.

Matthew Broersma writes for

Read more on Antivirus, firewall and IDS products