The Notebook Review forums were hosted by TechTarget, which shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.
Problems? See this thread at archive.org.

    An Analysis of Windows Firewall: Is it really good enough?

    Discussion in 'Security and Anti-Virus Software' started by jin07, Apr 25, 2008.

  1. jin07

    jin07 Notebook Deity NBR Reviewer

    Reputations:
    1,194
    Messages:
    1,889
    Likes Received:
    0
    Trophy Points:
    55
    For a while now, I've seen people talk about Windows Firewall (WF) and how it's good enough for normal users. The main argument usually rests on whether the person believes outbound filtering is important. I'm writing this to help bring up the issue of outbound filtering and also whether WF is "good enough for the average consumer". Hopefully others will get involved and we can sort through some of this mess. As always, keep it civil.

    First off, WF does not really offer any outbound protection without OneCare from Microsoft for $50 a year. I say not really, because technically you could write rules protecting yourself from malware. Unfortunately, creating your own rules is an impossible task. It would require one to know all the present malware, exactly how they work, and be able to predict all future attacks. I don't think many will dispute the lack of outbound security on WF.

    Typically, the argument in favor of WF is based on one of these, mainly two or three:
    1. All a firewall should do is protect you from inbound security risks.
    2. Outbound filtering is useless because if you get infected there goes your protection.
    3. People are annoyed by firewall pop-ups and don't understand what they are or what to do.

    A firewall's only task should not be to protect you from inbound security threats. It should provide per-application security. Let's think about this a little bit. Do you really think WordPad should have access to the internet? Should that program you downloaded be able to change system files? No and no. A firewall is designed to stop programs from doing things you don't expect and allow them to do what they are supposed to do.

    Generally, people use the argument that outbound filtering is useless. They state that your anti-virus, anti-spyware, etc. is sufficient protection for preventing malicious programs from being installed. The problem with these programs is that they primarily utilize definitions to identify threats. Furthermore, it can take anywhere from a day to months for a new threat to be recognized. Let's not forget how quickly Microsoft likes to release security patches. Only outbound filtering has a chance against such attacks. A good firewall will recognize that a malicious program is trying to access the net through an allowed program, such as Firefox, and stop it (this also underscores why leak tests aren't worthless). It's true that most anti-virus (and, to a lesser extent, anti-spyware) programs have some kind of heuristics installed. However, it is usually based on existing malicious software and can only respond to small modifications of the pre-existing threats. Outbound filtering on a firewall is the only real way to stop such attacks from phoning home or causing damage to your OS.

    As an aside to this, it's generally remarked that if a malicious program gets installed, it will shut off your firewall. 3rd party firewalls are designed to combat such an attack. There are even termination tests to verify that your firewall can protect itself. Security providers know their product is useless if it gets turned off and have developed counter-measures. Remember that 3rd party firewalls also have per-application security, so the user would first have to allow the program access to the firewall, which would pop up a big warning from the firewall.

    Lastly, I've heard the remark that users would just click allow on everything, that firewalls are too technical, and that there are too many pop-ups. Most 3rd party firewalls I've tested have advice on which programs to allow or deny. The user isn't making a blind choice based on "blah.exe wants access to the internet". For instance, OA has different colored prompts and warnings telling a user whether something is wrong or not. 3rd party firewalls also have something akin to definitions to help avoid pop-ups, to automatically deny known malicious programs, and to automatically allow known safe programs. The second argument is that there are too many pop-ups. It's true that when a firewall is first installed and in its learning process there are pop-ups. However, these all but disappear after a few days. Heck, you might not even see any after your first day if you know which programs need access to the internet. As stated above, most firewalls greatly reduce this process through their definition file.

    In closing, let me remind everyone that Microsoft also believes outbound protection and per-application security is important, but they want you to pay $50 per year. I'll end by citing Microsoft's description of its firewall in OneCare and their definition of a firewall:

    Two-way Windows Live OneCare Firewall monitors incoming and outgoing programs

    A firewall is software or hardware that acts as a gatekeeper for your PC, letting in connections you trust and keeping out ones you don’t. OneCare's two-way managed firewall automates updates and janitorial tasks for your computer, and also manages firewall policies.

    This not only prevents bad things from getting into your system, but also keeps bad programs that might have slipped onto your machine from sending your data out.

    The firewall can be configured to manage and monitor up to three computers in your home network, and its settings can be adjusted for specific applications using the OneCare firewall configuration wizard.

    http://onecare.live.com/standard/en-us/prodinfo/protectiondetails.htm#FW

    By the way, I'll write this up, but I'm too lazy to finish my research paper.
     
  2. newskin

    newskin Notebook Geek

    Reputations:
    1
    Messages:
    97
    Likes Received:
    0
    Trophy Points:
    15
    nice writeup. a rep for you. :)
     
  3. shoelace_510

    shoelace_510 8700M GT inside... ^-^;

    Reputations:
    276
    Messages:
    1,525
    Likes Received:
    0
    Trophy Points:
    55
    Thanks for the info!
     
  4. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    Reputations:
    1,163
    Messages:
    3,017
    Likes Received:
    0
    Trophy Points:
    105
    Actually, the outbound protection is good, too, it is just a PITA to configure, not impossible, though.
     
  5. booboo12

    booboo12 Notebook Prophet

    Reputations:
    4,062
    Messages:
    4,272
    Likes Received:
    96
    Trophy Points:
    116
    Excellent Post +Rep :D

    Yeah, I really dunno why Microsoft designed it like that, that's just silly, IMO :rolleyes:
     
  6. knightingmagic

    knightingmagic Notebook Deity

    Reputations:
    144
    Messages:
    1,194
    Likes Received:
    0
    Trophy Points:
    55
    It's not good enough for me. While the Windows Firewall has the advantage of starting before the network driver, lack of outbound protection is a killer, like you said. I may not have 20 trojans calling home, but it's good to know when untrusted programs are trying to send data. I use Sygate Firewall on my XP system - there's no Vista version because Symantec bought out the company and discontinued the free firewall :(. I'm sure I can get hacked, since I'm no longer behind my WRT54G router, but I'd rather not use something heavier and more annoying that needs to be trained.
     
  7. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    Reputations:
    1,163
    Messages:
    3,017
    Likes Received:
    0
    Trophy Points:
    105
    Windows Firewall does have outbound protection. Some is even activated by default. It is just downright unfriendly to add to it or modify it.
     
  8. swarmer

    swarmer beep beep

    Reputations:
    2,071
    Messages:
    5,234
    Likes Received:
    0
    Trophy Points:
    205
    Huh??? What outbound protection is activated by default? Where can I see this setting?

    EDIT: Oh, there are some rules enabled by default... but they don't really take effect by default as I understand it, because by default it's set to "Outbound connections which do not match a rule are allowed." And all the rules are "allow" rules. So I don't think the rules are really doing anything under the default configuration.

    I think the default set of rules is just there so that if you decide to change the setting to "Outbound connections which do not match a rule are blocked", you'll have a decent starting point from which to add new rules.
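    The default-allow-outbound behaviour described in the post above, and the switch to a default-deny outbound policy with per-application allow rules that the thread's first post argues for, as an added example that is not part of the original thread. It uses the NetSecurity PowerShell module, which exists on Windows 8 / Server 2012 and later (the Vista-era firewall in the thread exposes the same settings through `netsh advfirewall`, noted below). The program paths and rule names are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell on
# Windows 8 / Server 2012 or later (NetSecurity module).

# 1. The weak setting the post describes: the default outbound action per
#    profile is "Allow" out of the box, so the built-in outbound "allow"
#    rules are inert. Nothing outbound is blocked, however many rules exist.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Audit the existing outbound allow rules before flipping the default.
#    An enabled allow rule with no program, service, or remote-address
#    scope is a hole that survives the switch to default-deny, so list those.
$broad = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $svc  = $_ | Get-NetFirewallServiceFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($app.Program -eq 'Any') -and ($svc.Service -eq 'Any') -and
        (@($addr.RemoteAddress) -contains 'Any')
    }
"Unscoped outbound allow rules (review these):"
$broad | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize

# 3. Per-application allow rules for the programs that should talk out.
#    Paths are assumptions; adjust for the machine. Windows Firewall matches
#    program rules by executable path, so these do not stop code that injects
#    into, or drives, an already-allowed process (the "leak test" case).
$allowedPrograms = @{
    'Allow out: Firefox'     = 'C:\Program Files\Mozilla Firefox\firefox.exe'
    'Allow out: Thunderbird' = 'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'
}
foreach ($entry in $allowedPrograms.GetEnumerator()) {
    if (-not (Get-NetFirewallRule -DisplayName $entry.Key -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $entry.Key `
            -Direction Outbound -Action Allow -Enabled True `
            -Profile Any -Program $entry.Value | Out-Null
    }
}

# System services that need the network are scoped by service SID rather than
# by svchost.exe path, which would otherwise allow every service at once.
$allowedServices = @{
    'Allow out: Windows Update (wuauserv)' = 'wuauserv'
    'Allow out: Time sync (W32Time)'       = 'W32Time'
}
foreach ($entry in $allowedServices.GetEnumerator()) {
    if (-not (Get-NetFirewallRule -DisplayName $entry.Key -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $entry.Key `
            -Direction Outbound -Action Allow -Enabled True `
            -Profile Any -Program '%SystemRoot%\System32\svchost.exe' `
            -Service $entry.Value | Out-Null
    }
}
# DNS and DHCP are already covered by the built-in "Core Networking" outbound
# rules, which is the "decent starting point" the post refers to.

# 4. Log what gets dropped so the first days of default-deny can be reviewed
#    instead of guessed at (the learning-phase pop-ups of 3rd party firewalls
#    have no equivalent here; the log is the substitute).
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 5. The corrected setting: outbound connections that match no rule are blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 6. Verify.
Get-NetFirewallProfile |
    Select-Object Name, DefaultOutboundAction, LogBlocked |
    Format-Table -AutoSize
```

    On Vista and Windows 7 the same change is made with `netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound`, and a program rule with `netsh advfirewall firewall add rule name="Allow out: Firefox" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe"`. Expect breakage for anything not listed (updaters, license checks, chat clients) until its path or service is added; the dropped-packet log shows the process-less 5-tuple only, so mapping a blocked flow back to an executable still takes `netstat -b` or a tool like Sysinternals' TCPView.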
     
  9. heshanj

    heshanj Notebook Evangelist

    Reputations:
    0
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    30
    Hey, can any of you guys tell me how I can configure Comodo Pro firewall to not block my webcam? Because my webcam image freezes whenever I do a video call or whatever, and I've been told that it's my firewall doing this. I'm not sure I want to rely on Windows Firewall, so I'd like to configure Comodo to allow my cam, but I'm unsure!
     
  10. AKAJohnDoe

    AKAJohnDoe Mime with Tourette's

    Reputations:
    1,163
    Messages:
    3,017
    Likes Received:
    0
    Trophy Points:
    105
    Yes, well I do not use the Windows FireWall after all. ;)
     
  11. Gintoki

    Gintoki Notebook Prophet

    Reputations:
    2,886
    Messages:
    6,566
    Likes Received:
    0
    Trophy Points:
    205
    Thanks for the info.
     
  12. pixelot

    pixelot Notebook Acolyte

    Reputations:
    3,732
    Messages:
    6,833
    Likes Received:
    0
    Trophy Points:
    205
    Do you have it in Train with Safe Mode? ;)
     
  13. huangker

    huangker Notebook Guru

    Reputations:
    0
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    15
    If you guys want outbound filtering, there are stand-alone products like System Safety Monitor.