For months now, we've all been reading about the inadequacies of Windows Vista's firewall on the Web and in computer magazines. The big complaint is that while the firewall does indeed have the ability to block both inbound and outbound connections, the default configuration is only set to block inbound connections -- all outbound connections are allowed. Further stoking the flames is the fact that the task of configuring Outbound Rules in Vista's firewall seems to be next to impossible for the average computer user. (If you haven't yet attempted to figure out how to configure Outbound Rules, see ZDNet Blogger David Berlind's Photo Gallery titled Windows Vista's Firewall offers false sense of security.)
Based on the default configuration and the apparent difficulties in setting up the Outbound Rules in Vista's firewall, I draw two conclusions: Either Vista's developers really dropped the ball when it came to developing the UI for the firewall's Outbound Rule configuration or that Microsoft doesn't consider outbound filters to be really necessary in most typical situations under its newest operating system.
Of course, the former conclusion seems to be drawing the most votes based on the majority of the articles we've been seeing. However, I recently came across an article in the June 2007 issue of TechNet Magazine that, among other things, seems to promote the latter conclusion. The article is titled Exploring the Windows Firewall and is written by Steve Riley, a senior security strategist in the Microsoft Trustworthy Computing Group.
In this piece, I'll present a synopsis of the points Mr. Riley makes in his article that are pertinent to the notion that having a default set of Outbound Rules in Vista's firewall isn't necessary. Keep in mind that my intent here is to use these highlights to spark some lively discussion now that we have a relevant explanation from someone at Microsoft on the topic of Outbound Rules. However, I do encourage you to read Mr. Riley's article in its entirety.
The case for Inbound Rules
Mr. Riley begins his discussion on firewalls by describing how the evolution of malicious threats and their means of dissemination on the Internet have made client firewalls on every computer a necessity in this day and age. He then reminds us that while the initial release of Windows XP included a client firewall, it was disabled by default. And even though that initial client firewall only included Inbound Rules, Riley claims that it would have been enough to protect us from such threats as Nimda, Slammer, Blaster, and Sasser had it been enabled by default. Having learned from that experience, Microsoft enabled the firewall by default in Windows XP SP2 -- again this version of the firewall only provided inbound filtering.
Riley then alludes to the fact that the absence of any outbound filtering in SP2's firewall was done for application compatibility -- Microsoft didn't want its firewall to break applications and drive users to disable the firewall in order to keep their applications running smoothly. The intent, Riley explains, was to have the firewall allow all outbound traffic and block any inbound traffic that wasn't in reply to some previous outbound request. Those applications that were designed to receive unsolicited inbound traffic could be enabled to do so by configuring exceptions in the firewall.
The Security Theater
Seeing the lack of any outbound filtering in the Windows firewall, third-party competitors in the client firewall arena were quick to make this out to be a huge security vulnerability and what Riley calls the Security Theater began. The message promoted by these competitors was that a good firewall should block all inbound and outbound traffic unless permission was specifically granted. To back up these assertions, their firewall products made a big show out of providing outbound protection. The notion implied here by Riley is that Microsoft's competitors in the client firewall business beat that drum so loudly and so long that most folks began to take it as a matter of fact that if you wanted real protection you should use a third-party firewall product and not rely on Microsoft's version. (It didn't help that during this time period it seemed that Microsoft was fixing and patching other security vulnerabilities in Windows XP on a regular basis.)
My sense is that when they were conjuring up Windows Vista, Microsoft's developers took on the attitude of "if they want cake, give them cake" and added the ability to configure outbound filtering to the firewall. This seemed to quell the furor a bit until it was revealed that there were no default outbound rules. Of course, the Security Theater began again.
Riley answers this drama with an axiom: "...protection belongs on the asset you want to protect, not on the thing you're trying to protect against." He then follows that up with this statement:
"The correct approach is to run the lean yet effective Windows firewall on every computer in your organization, to protect each one from every other computer in the world. If you try to block outbound connections from a computer that's already compromised, how can you be sure that the computer is really doing what you ask? The answer: you can't. Outbound protection is security theater -- it's a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security. This is why outbound protection didn't exist in the Windows XP firewall and why it doesn't exist in the Windows Vista firewall."
Configuring outbound protection
You can set up Outbound Rules if you know exactly what it is you want to block and how to go about it. Vista's firewall has a very nice wizard-driven interface for configuring Outbound Rules. Furthermore, there's full Group Policy support for firewall configuration and a new Netsh context that allows both command-line and scripted configuration of firewall settings. Again, in order to make use of these options, you must know exactly what it is you want to block and how to go about it.
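As an added illustration of the command-line route described above (this is my example, not from Mr. Riley's article or from Microsoft's documentation), the following uses the netsh advfirewall context that Vista introduced to add a single outbound block rule for one program. The rule name, the program path and the backup file path are placeholders; it must be run from an elevated prompt.

```powershell
# Added example: scripting an Outbound Rule with netsh advfirewall.
# Rule name, program path and backup path are placeholders, not real values.

# 1. Export the current policy first so the change can be undone.
netsh advfirewall export C:\Temp\firewall-before.wfw

# 2. Show the active profile. On a stock Vista install the policy line reads
#    BlockInbound,AllowOutbound, which is the default the article complains about.
netsh advfirewall show currentprofile

# 3. Block outbound traffic for one specific program. This is the "know exactly
#    what you want to block" case: the rule is scoped to a program, not to all traffic.
netsh advfirewall firewall add rule name=BlockExampleOutbound dir=out action=block program=C:\Tools\example-app.exe enable=yes

# 4. Log dropped connections so the rule's effect can be verified in
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set currentprofile logging droppedconnections enable

# 5. Review the rule that was just created.
netsh advfirewall firewall show rule name=BlockExampleOutbound

# Optional: switch the profile to default-deny outbound. Once this is set, every
# application that needs the network requires its own allow rule, which is the
# application-compatibility cost Riley describes. Left commented out on purpose.
# netsh advfirewall set currentprofile firewallpolicy blockinbound,blockoutbound

# To revert: remove the rule, or re-import the backup taken in step 1.
# netsh advfirewall firewall delete rule name=BlockExampleOutbound
# netsh advfirewall import C:\Temp\firewall-before.wfw
```

The same commands work from cmd.exe and can be pushed out as a startup script, which is the scripting use the article alludes to; the Group Policy path reaches the same rule set through Computer Configuration rather than the command line.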
What's your take on outbound protection?
Do you think inbound filtering is enough? Do you think that outbound filtering is necessary in all situations? What's your take on the idea of Security Theater? Is it possible that the huge emphasis on outbound filtering in a firewall is really a drama played up by marketing and overblown product features?