
When a firewall is not a firewall



Whereas one job of a personal firewall is to block potentially malicious inbound connections to your machine, another is to block potentially malicious outbound connections. For example, if some malware does find its way onto your system and then it attempts to "phone home" with whatever sensitive data it may have found, a good personal firewall should stop most outbound communications dead in their tracks until the end-user explicitly allows it (one problem with such conditional blocking is that end-users are rarely presented with enough information on which to base a decision).


An old theme with the personal firewall that Microsoft offered for Windows XP (Service Pack 2) is how it was pretty useless given the way it only offered inbound blocking. In fact, back when that firewall first came out, I pointed out how it was worse than having no firewall at all. With no firewall, at least you know you have no firewall. But, with a firewall that doesn't work, you're led into having a false sense of security.


So, while Microsoft's anemic firewalls are an old theme, you'd think the problem would have been corrected in Microsoft's Windows Vista. According to CNET's Robert Vamosi, perhaps you should think again. Writes Vamosi:


In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that's hardly worth the upgrade.


Vamosi goes on to describe how Vista's personal firewall has the blocking and tackling of outbound connections backwards.


With most personal firewalls (and network firewalls), an outbound connection is only allowed when the firewall has been programmed with a rule that allows it. That's good. From the moment such a firewall is installed, nothing is allowed until a user (or network administrator) says it's allowed. The first time after most personal firewalls are installed, those firewalls present users with a rules wizard each time an application on their PC tries to connect to the Internet. In most cases, the wizard makes it pretty easy for users to make one of four choices:


* Block the type of outbound communication (specific application accessing a specific network port) this time.

* Block the type of outbound communication permanently.

* Allow the type of outbound communication this time.

* Allow it permanently.


But, with Windows Vista's firewall, it works the other way around. All outbound communications are allowed permanently until a rule has been created to explicitly block it. Despite Vamosi having routinely voiced his concerns about Vista's firewall before Vista shipped, Microsoft moved forward with what he believes to be a "half-cocked" design anyway. According to Vamosi, Microsoft's explanation for its decision has been that having to walk through the many wizard-driven pop-ups that would occur shortly after the first time Vista gets installed would be a poor out-of-the-box experience and that users would become de-sensitized to the prompts. Vamosi disagrees and so do I. Offering outbound blocking that, out of the box, blocks nothing until an end-user or network administrator takes explicit and deliberate steps to block it.


But it gets worse.


Vamosi goes on to note the difficulty in taking those deliberate steps and, to validate his findings, I tried it myself and created an image gallery so you can trace my steps. But first, here's what Vamosi said:


Writing exceptions is fine, except if you are a solo home user with no idea what to block or even how to block it. Home users of Windows Vista are again paying the price for having a stripped-down operating system designed for a corporate enterprise running on their PC. Unless you are an IT administrator, unless you know where to look, you're unlikely to tweak the advanced firewall settings.


And, as you will see from my image gallery, adding outbound blocking rules to Vista's personal firewall couldn't be more unintuitive. Even for experienced users. For starters, after I installed Firefox, nothing stopped it from accessing the Web (confirming that applications are, by default, allowed outbound access). Looking to disallow Firefox from accessing the Internet, I clicked on what, to me, was the most obvious thing to click on in order to engage the "block": a link in Vista's Control Panel that says "Allow a program through the Windows Firewall" that appears under some big bold text that says "Windows Firewall." Seems obvious enough, right? But, as you will see from the various firewall configuration dialogs I encountered, not only won't intuition get you anywhere, the dialogs are actually counter-intuitive. For example, when one goes down this rather obvious path to configure the firewall, there is no context whatsoever when it comes to distinguishing between inbound and outbound blocking. Vista users can expect to encounter advanced terminology like "exceptions" and "ports," which is doubly confusing because of the following explanation:


Exceptions control how programs communicate through Windows Firewall. Add a program or port exception to allow communications through the firewall.


First, as I just mentioned, it makes no reference to inbound or outbound blocking. But just the fact that it says "programs communicate through Windows Firewall" sounds "outbound" to me. It doesn't say "how remote computers and sites communicate through Windows Firewall."


So, in contrast to what Vamosi says, it sounds like in order for an application to communicate through Vista's firewall, it has to be added to the list of programs and explicitly "allowed." How else would you interpret the above language? But, as I already told you, within seconds of installing Firefox, it was given carte blanche access to the Internet, thus disproving my interpretation. My first assumption was that maybe the text has it backwards; perhaps this exceptions list works the other way around and anything that's on it is blocked from communicating. But adding Firefox to the list had no impact. So then, what is this list for? Thinking I might be able to get my answer by studying a single entry on the exceptions list a little more closely, I went back to the exceptions list (which is pre-programmed with a bunch of stuff I don't recognize), single-clicked on the only item that was checked (Core Networking), and clicked the "Properties" button, which yielded the following graphic:


ZDNet article
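The post above describes the Vista firewall's default-allow outbound policy and the Control Panel "exceptions" list that governs inbound traffic only; the script below is an added example (not from the post or the article it quotes) that inspects that policy and applies the two defensive fixes with `netsh advfirewall`, which ships with Vista and later. The Firefox path and the rule name are assumed placeholders; run it from an elevated PowerShell prompt.

```powershell
# Added example: check and correct outbound blocking on the Vista-era Windows
# Firewall. Assumptions: firefox.exe lives at the path below (adjust as needed)
# and the rule name is a constructed label.
$firefox  = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed path
$ruleName = 'Block Firefox outbound'                           # constructed name

# Set to $true to switch every profile to default-deny outbound, the model the
# post describes for third-party personal firewalls. Expect legitimate programs
# to lose network access until explicit allow rules are added for them.
$DefaultDenyOutbound = $false

# 1. Show the policy of each profile. Out of the box the line reads
#    "BlockInbound,AllowOutbound": nothing leaving the machine is stopped.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'

# 2. Weak (default) setting, listed here only for contrast:
#      netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
#    Corrected setting: default-deny in both directions.
if ($DefaultDenyOutbound) {
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
}

# 3. Otherwise keep the default policy but block one program outbound.
#    dir=out is the important part: the Control Panel "exceptions" list only
#    manages inbound (dir=in) allow rules, which is why adding Firefox to it
#    changed nothing in the post's experiment.
netsh advfirewall firewall add rule "name=$ruleName" dir=out action=block `
    "program=$firefox" enable=yes profile=any

# 4. Verify the rule exists with the intended direction and action.
netsh advfirewall firewall show rule "name=$ruleName"

# To undo the per-program block:
#   netsh advfirewall firewall delete rule "name=$ruleName"
```

The same per-program rule can be reviewed afterwards in "Windows Firewall with Advanced Security" under Outbound Rules, the only built-in UI on Vista that exposes the direction of a rule.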
