Menu
New Vista firewall fails on outbound security

New Vista firewall fails on outbound security

Windows Firewall offers little outbound protection against spyware, Trojans and bots

Microsoft has touted Windows Vista as giving significant security improvements over Windows XP, and it offers the Windows Firewall, with its new two-way filtering feature, as one reason for that better security.

But as shipped, the Windows Firewall offers little outbound protection, and it's not clear how outbound protection can be configured to protect against spyware, Trojans and bots.

Firewalls such as the Windows Firewall work by halting dangerous connections a PC makes over the Internet. The Windows XP firewall offered inbound protection, but did not offer outbound protection. Some malware makes unwanted, invisible outbound connections with hackers, which let them take control of a PC.

In some cases, a computer can be turned into a "zombie" or a "bot," spewing out thousands of pieces of spam over outbound connections without the owner's knowledge.

Competing firewalls such as ZoneAlarm, the Norton Personal Firewall and the McAfee Internet Security Suite offer user-configurable outbound protection, also known as outbound filtering. When Microsoft reworked its firewall for Windows Vista, it added the ability to perform outbound filtering.

But by default, most outbound filtering in the Windows Vista firewall is turned off. In addition, there may be no practical way to use outbound filtering to stop all unwanted outbound connections.

Normally, to configure the Window Vista Firewall, you choose Control Panel -->Security --> Turn Windows Firewall on or off. You'll see the screen shown in the nearby figure.

There is no way to configure outbound filtering --- you can only turn inbound filtering on or off, and through the various tabs, configure how inbound filtering works.

To work with outbound filtering, you instead have to use the Microsoft Management Console, specifically the Windows Firewall with Advanced Security Group Policy applet, by typing wf.msc at the Search box or command prompt and pressing Enter. It's shown in the nearby figure.

If you look in the various profiles in the Overview area, you'll see that for each profile, "Outbound connections that do not match a rule are allowed."

Every rule in the Windows Firewall allows outbound connections, though. Click the Outbound Rules icon on the left side of the screen, and you'll see all the outbound rules. As you can see from the nearby figure, every outbound rule allows outbound connections. None block connection.

Making matters worse, there is no way for an individual or IT staff on their own to create an all-purpose rule that will block malware from making outbound connections. You can only create a rule to block a specific piece of malware, and doing that is an extremely difficult task, requiring that you know quite a bit of information about that piece of malware, including its location on your PC, the port it uses to make outbound connections, and so on.

To stop all malware from making outbound connections, you'd have to know all those details of all the thousands of pieces of malware in existence, and create rules for each one individually. But even that wouldn't work, because you wouldn't know about malware that has not yet been detected.

In short, as a practical matter, it's an impossible task.

Competing firewalls often use built-in intelligence to allow certain programs to make outbound connections, and then issue alerts when other programs make connections. You're told the program name and executable, and given a recommendation as to whether the program should be allowed. You can then block or allow the program to make a connection on a one-time or permanent basis.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments