Too much firewall?

Mon, Jul 23, 2007

Security

I was reading the August edition of PC World magazine and found a short piece written by Erik Larkin on the Windows Vista firewall. Erik agrees with Microsoft’s decision to disable outbound connection filtering by default in Vista. The exact quote was “But Microsoft was right: You don’t need outbound filtering.” What?????  I tend to agree with the decision to disable it, but not because we do not need it.

Erik lists some reasons why you do not need to filter outbound connections.

1. There is little value in that protection if you have good antivirus, don’t open unknown attachments and don’t use Internet Explorer.
2. For it to be worthwhile the user must know what each program is that is trying to connect outbound.
3. It is more likely to break something when the user clicks “NO”.
4. Users are conditioned to click on the OK button.

The number of people who have a good (and updated) AV, who do not open unknown attachments and who do not use IE is likely to be pretty small. We are still seeing 100,000+ botnets, so there are still a hell of a lot of unprotected desktops out there. PDF spam is going crazy and it looks like downloads for Acrobat Reader are up as well. That tells me people are trying to read those unknown attachments, PDFs in this case. Plus there are so many other ways to get infected: P2P, IM, XSS web sites, etc. Internet Explorer still has a significant browser market share as well.

I agree that the user needs to have more than the executable name when deciding whether or not to block an outbound request. Not giving the user more information will result in help desk calls and busted applications. I also agree that to a certain extent users are accustomed to clicking the OK button, especially when a dialog prompt comes up after launching an application.

I think Erik is wrong in saying that you have more firewall than you need when talking about the Vista firewall. In its current form it is just the opposite: you do not have enough firewall. The firewall doesn’t give the user enough information to make an informed decision and makes no recommendations of its own. Therefore the user is likely to make a bad decision, either blocking a legitimate application or allowing a malicious one.

Microsoft was probably right in turning it off by default but that decision has nothing to do with not needing outbound filtering. I believe that it was all about usability and breaking things that will cause more help desk calls and lost productivity.

–Chris


This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.


2 Comments For This Post

  1. Bruce Harrison Says:

    Hi there

    By the time programs are trying to establish outbound connections it is probably too late anyway!! Rather stop the machine from being infected in the first place.

    Kind regards from the tip of Africa
    -Bruce

  2. Dael Says:

    Hi, Chris.
    Thanks for the interesting post! I totally agree with you about the Vista firewall. It was odd to see a one-way firewall in Windows XP (inbound filter only), but the same thing in Vista looks crazy. Everyone has to use a firewall and antivirus at least while being online, just to protect the PC from being a zombie in botnets sending spam. I use Agnitum Outpost Security Suite, for example. I guess security suites with firewall, anti-virus, anti-spam, anti-spyware, etc., are the future of security applications.
