
Agnitum provides “research” into Vista Firewall.

January 17th, 2007

I need to preface this post by saying that the Agnitum article is a marketing tool for their Outpost firewall, so you do have to accept that there will be some bias in some of their comments.

The Article.

Overall, Agnitum proclaimed the Vista firewall a step in the right direction but still a security risk and provided this list of pros and cons:

Positives:

  • Supports multiple connection profiles;
  • Supports advanced firewall rules;
  • Supports data authentication for secure connections;
  • IPv6 support;
  • Pre-configured access rules for internal system software and services.

Negatives:

  • Advanced settings require too much effort to use;
  • Doesn’t control and secure outbound connections by default;
  • Incoming connections are not filtered if they follow a previously initiated outbound request for a session applicable to the requesting program;
  • Doesn’t prompt the user for action in regard to outbound requests; it can either allow or block a connection;
  • No time-based rules;
  • No advanced control of inter-process communication for outbound program access. Partially covered by UAC, but programs exist that can establish outbound access bypassing UAC;
  • No Intrusion Detection System (IDS);
  • Primitive logging;
  • No monitoring of active connections.

The most interesting point is that they see the lack of an IDS as a negative... I find this humorous given the discussions back in October on IDS and its usefulness (Thomas Ptacek, Amrit Williams). As I said, they are marketing their product, so we have to watch out for bias.

Their biggest complaint (or "security risk") with the Vista firewall was that response data isn't checked. This one is interesting. Apparently, if I type in a request to Google in my browser, the firewall should prompt me to allow the response data from my request. I have issues with this... My issue is that the firewall at this point is set to "Allow outbound connection". If a firewall allows an outbound connection, then yes... it should allow the inbound response. Could you imagine a system where all inbound data triggered warnings... even if initiated via an outbound request... one which the firewall was told to categorize as "Allowed"? I'd never be able to use IRC, SMTP or even my browser again... I'd be inundated with warning messages.

Now if Agnitum had said that the biggest problem was that the Vista Firewall allows all outbound connections by default... I would have agreed... but they didn't... they turned it into a "vulnerability" (as they label it in their write-up)... This is pure marketing BS.

Another problem with the article that really made my skin crawl was this paragraph:

On a more positive note, Gibson Research’s open ports probe utility Shields UP!! revealed that all the ports on my computer were successfully stealthed (shielded, made invisible) by the firewall. This is a good thing, because if hackers cannot locate open ports (that might accept remote connections) on a computer, that computer will be much harder to link to and exploit.

Now last time I checked, a "stealthed port" was a closed port that didn't reply with a response... The packet is dropped instead of a RST being sent (Fyodor's nmap documentation allowed me to confirm this). So I question the last sentence. Was the author thinking that open ports could be stealthed? A listening port does not appear as a stealth port... a closed port that doesn't send a RST is stealthed... which means it has nothing to do with "linking to and exploiting" the computer. The logic behind that paragraph doesn't make a lot of sense. They might as well have said, "The Vista Firewall is a Firewall... It blocks unauthorized access to ports on the PC". I also question the term "link to"... generally you connect to a computer, but I'll just assume that English isn't the author's first language.
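To make the two points above concrete (a reply to an allowed outbound connection is let in because it matches tracked connection state, and a "stealthed" port is one whose probe is silently dropped rather than answered with a SYN-ACK or RST), here is a toy stateful host firewall. It is an added example written for this post, not code from Agnitum, Microsoft or the article under review; the addresses, ports and program names are constructed, and it models only the behaviour discussed here (allow-outbound-by-default versus block-outbound-with-manual-program-rules, state tracking for replies, and pre-configured inbound rules), not the real Vista rule engine. It also goes one step past the text: a port that has a listener but no inbound rule looks exactly as "stealthed" to the prober as a closed one, which is why the Shields UP! result says only that the filter dropped the probes.

```python
"""Toy stateful host firewall (constructed example, not the Vista firewall).

Shows why replies to allowed outbound connections need no prompt, and what
"open", "closed" and "stealthed" mean to an unsolicited SYN probe.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (leaving this host) or "in" (arriving)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK", "RST", ...
    program: str = ""   # originating program, known only for outbound packets


@dataclass
class Firewall:
    block_outbound_by_default: bool = False
    allowed_programs: set = field(default_factory=set)       # manual outbound rules
    inbound_allowed_ports: set = field(default_factory=set)  # pre-configured inbound rules
    _tracked: set = field(default_factory=set)  # (local ip, local port, remote ip, remote port)

    def filter(self, pkt: Packet):
        """Return (verdict, reason) for a single packet."""
        if pkt.direction == "out":
            if self.block_outbound_by_default and pkt.program not in self.allowed_programs:
                return "DROP", f"outbound blocked: no rule for {pkt.program!r}"
            # Remember the connection so its replies can be matched later.
            self._tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW", "outbound permitted"
        # Inbound: the local end is the destination. Replies to tracked
        # connections are allowed without any prompt; that is the whole point
        # of a stateful filter.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._tracked:
            return "ALLOW", "reply to a tracked outbound connection"
        if pkt.flags == "SYN" and pkt.dport in self.inbound_allowed_ports:
            return "ALLOW", "matches an inbound rule"
        return "DROP", "unsolicited inbound"


@dataclass
class Host:
    ip: str
    listening: set      # ports with a service bound to them
    firewall: Firewall

    def connect_out(self, program, sport, remote_ip, remote_port):
        """Outbound SYN followed by the remote's SYN-ACK; returns both verdicts."""
        syn = Packet("out", self.ip, sport, remote_ip, remote_port, "SYN", program)
        out_verdict, _ = self.firewall.filter(syn)
        reply = Packet("in", remote_ip, remote_port, self.ip, sport, "SYN-ACK")
        in_verdict, _ = self.firewall.filter(reply)
        return out_verdict, in_verdict

    def probe(self, remote_ip, remote_port, port):
        """What an unsolicited SYN probe at `port` sees: open, closed or stealthed."""
        syn = Packet("in", remote_ip, remote_port, self.ip, port, "SYN")
        verdict, _ = self.firewall.filter(syn)
        if verdict == "DROP":
            return "stealthed"  # dropped silently: neither SYN-ACK nor RST goes back
        return "open" if port in self.listening else "closed"


if __name__ == "__main__":
    # Default policy: allow outbound, one pre-configured inbound rule (made-up values).
    pc = Host("10.0.0.5", {80, 3389}, Firewall(inbound_allowed_ports={3389}))
    print("browser ->", pc.connect_out("browser", 50000, "198.51.100.10", 80))
    for port in (445, 80, 3389):
        print(f"probe {port}:", pc.probe("203.0.113.9", 40000, port))
    # Block-outbound policy: nothing leaves until a program rule is added by hand.
    locked = Host("10.0.0.7", set(), Firewall(block_outbound_by_default=True))
    print("no rule  ->", locked.connect_out("browser", 50001, "198.51.100.10", 80))
    locked.firewall.allowed_programs.add("browser")
    print("with rule->", locked.connect_out("browser", 50002, "198.51.100.10", 80))
```

Note that when the outbound SYN is dropped, no state is created, so the remote's SYN-ACK (if one ever arrived) is dropped as unsolicited too; the two halves of the connection are decided by one rule, not two prompts.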

As some of you may have guessed by this point, I'm irritated... Rather irritated. I'm definitely not a fan of Vista... I think that it's way too bloated... but taking shots like this write-up is doing, simply to do a little marketing... I can't agree with or tolerate that. Buried within the shameless self-promotion, biased attacks and misinformation... there's actually a decent walk-through of the features available in the Vista Firewall... It's a shame that walk-through was soured.

The last thing I'll mention is that the author had issues with manually adding allowances for programs when you set the firewall to block outbound connections. The author wanted a pop-up like most modern firewalls give, where you could simply click an allow button. I actually give kudos to Microsoft for not having this... for requiring that the rules be set up manually. Users become much too complacent in automatically clicking allow because the pop-ups annoy them... this forces them to not click allow... to actually set things up.

From what I read of the unbiased portions of the article... I'm actually impressed with what Microsoft is doing... It's actually shown me a bit of positive light in a product (Vista) that I saw primarily negatives in. I've also decided that I will never purchase an Agnitum product... I don't like their business tactics.

Categories: IT, Security


  1. Terces
    February 25th, 2007 at 14:56 | #1

    I agree, he kind of whined for a bit regarding the manual setup. All I could think when reading the write-up regarding the manual setup was “how many programs do you friggen use?” I mean come on… even with 50 programs that needed internet access you’d be sitting there for what… 25 minutes – that’s just a one time fee to fine-tune your firewall; no big deal.

    Gimme a break… what makes anyone think security should be fast and free?

    Also. Vista sucks. DRM piece of crap… hardly an OS.
