Slashdot Mirror


How Secure is Windows Firewall?

Garret writes "Though Microsoft is doing their part in protecting Windows users from internet attacks by including a firewall in their latest service pack, one has to wonder just how secure is the Windows Firewall from XP Service Pack 2? Not too good according to Flexbeta. Their recommendation is to turn off Windows Firewall and get an alternative such as ZoneAlarm or Sygate PF. Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again." PCWorld also has a story about the new firewall capability.

17 of 620 comments

  1. Zone Alarm? Blech by Anonymous Coward · · Score: 5, Informative

    Kerio Personal Firewall is much much better.

    1. Re:Zone Alarm? Blech by timothv · · Score: 5, Informative

      I agree. Kerio PF (even the post-trial free version) is a great tool for Windows. I've only had a problem with it on Windows ME (don't ask) where it made the system unbootable except to safe-mode.

    2. Re:Zone Alarm? Blech by Anonymous Coward · · Score: 5, Funny

      Please, Windows firewall works so much more elegantly than Kerio Personal Firewall.

      The main technique Microsoft is using is that they made a shitty firewall so it would get mentioned in the IT topic section of Slashdot. They knew all of the would-be hackers would read it, and have their eyes burned out by the hideous brighter-than-the-sun sand brown color scheme. How clever Bill, how clever.

    3. Re:Zone Alarm? Blech by Anonymous Coward · · Score: 5, Insightful
      I just uninstalled; no one's hacked my box. It's not like there's anything good on it.

      When will people learn that the contents of your computer may be irrelevant to many viruses and hacks? If the goal of the virus writer is to hijack your machine in order to use it as a spam relay or zombie, you don't have to have anything interesting on your computer at all...the virus will conveniently come with its own interesting stuff to install on your machine!

    4. Re:Zone Alarm? Blech by Jameth · · Score: 5, Funny

      Doesn't let WindowsME boot? Sounds like it's working fine.

  2. Stealth? *ARGGGH* by Anonymous Coward · · Score: 5, Insightful

    Why are Windows users so obsessed with "stealth"?

    It's annoying on two levels. Firstly, it breaks the requirements of the RFCs, leaving other nodes on the network hanging, waiting to see if a connection is going to succeed or be rejected; waiting for timeouts isn't fun. Secondly, THERE IS ABSOLUTELY NO POINT: it is trivial to find out if there is a node at that address; all sufficiently intelligent scanners can tell if there is a machine there, nmap for example. YES WINDOWS USERS, I'M TALKING TO YOU, get rid of that stealth crap. If there is no machine there, the nearest router will return no such host...if there's no ICMP from the router, we know that there's a Windows user there (of course, we can't determine the operating system of the node, but everyone knows only Windows users do this)...

    It's pointless; it's only used because having a "stealth" computer sounds cool on proprietary firewall marketing material (would it be so desirable if it were called "filtered"?). Please turn it off...

    1. Re:Stealth? *ARGGGH* by mdamaged · · Score: 5, Insightful

      Not true at all, proper tools can ignore these 'stealth' techniques. Timeouts for example.

      What about net or port unreachables? You block all those, then you end up making the users wait extra before their _insert client here_ built-in timeout occurs. Same with host unknowns. It also creates a pain for the netops who need to run diagnostics.

      There are some ICMPs which have little or no place in most networks and are OK to block for the most part.

      And let's not even get into PMTU issues (do not frag/frag needed), especially with Microsoft's brain-dead implementation of PMTU in short order.

      And blocking destination-unreachable, source-quench, time-exceeded, parameter-problem can really make a network's response times to these conditions suck ass.

      Again, pushing security through obscurity is a BAD idea, whether used alone or in conjunction with other security measures. If a Windows user thinks his machine is invincible (I am not saying _you_ do) then they will be less likely to further secure his or her machine. Good habits form good conditions. Blocking all ICMPs is BAD practice.

      There are hundreds of papers on this and none but the most pedestrian sites (i.e. marketers to the Windows user) advocate blocking ALL ICMPs.

      You fell for pure marketing and ignore real-world network operations.

      --
      Someone asked me the difference between ignorance and apathy, I told them I don't know and I don't care.
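
The point made in the comment above about not blocking all ICMP, as an added example that is not part of the original thread: a small audit that flags an inbound ICMPv4 filter policy which drops the error messages the comment lists. The rule format, the `decide`/`audit` function names and the three sample policies are constructed for illustration; the type and code numbers are the standard ICMPv4 values.

```python
# Added example: audit a first-match ICMPv4 filter policy for dropped
# error messages that hosts and netops rely on. Rule format is hypothetical.
# Source-quench (type 4) is left out: it was deprecated by RFC 6633.
ESSENTIAL = [
    (3, 0, "net-unreachable"),
    (3, 1, "host-unreachable"),
    (3, 3, "port-unreachable"),
    (3, 4, "fragmentation-needed (PMTU discovery)"),
    (11, 0, "time-exceeded"),
    (12, 0, "parameter-problem"),
]

def decide(rules, default, icmp_type, icmp_code):
    """Return the action of the first matching rule, else the default.
    A rule with no 'type' or 'code' key matches any type or code."""
    for rule in rules:
        type_ok = rule.get("type") is None or rule["type"] == icmp_type
        code_ok = rule.get("code") is None or rule["code"] == icmp_code
        if type_ok and code_ok:
            return rule["action"]
    return default

def audit(rules, default="drop"):
    """List the essential ICMP messages this policy does not let through."""
    return [name for t, c, name in ESSENTIAL
            if decide(rules, default, t, c) != "allow"]

# Constructed sample policies.
STEALTH = [{"action": "drop"}]                  # "stealth": drop all ICMP
SELECTIVE = [
    {"action": "drop", "type": 8},              # ignore echo requests only
    {"action": "allow", "type": 3},
    {"action": "allow", "type": 11},
    {"action": "allow", "type": 12},
]
PARTIAL = [
    {"action": "allow", "type": 3, "code": 3},  # port-unreachable only
    {"action": "drop", "type": 3},              # also drops frag-needed
    {"action": "allow", "type": 11},
]

if __name__ == "__main__":
    for label, rules, default in (("stealth", STEALTH, "drop"),
                                  ("selective", SELECTIVE, "drop"),
                                  ("partial", PARTIAL, "allow")):
        print(label, "->", audit(rules, default) or "nothing essential dropped")
```
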
  3. I turned it off. by sqrt(2) · · Score: 5, Funny

    With the firewall, and the security center it was using an extra ~20 MB of memory that I need to play Doom3 faster!

    --
    If you build it, nerds will come. Soylentnews.org
  4. SP2 is a security hole in itself. by ChrisKnight · · Score: 5, Insightful

    I've installed SP2 on two machines now. In both cases SP2 had me reboot, and before offering a log-in prompt it presented a screen where I could enable or disable automatic updates. This is an administrative setting, and it should not have presented itself prior to an authenticated login. Sure, it only happens once, but by design it violates secure computing practices.

    -Chris

    --
    -- This sig is only a test. If this were a real sig it would say something witty. --
    1. Re:SP2 is a security hole in itself. by Anonymous Coward · · Score: 5, Funny
      2. The OS should not allow input when there isn't anyone logged in.

      lemme tell you, that'll make it a bitch to log in.

  5. No outbound blocking by dj245 · · Score: 5, Interesting
    The reason there is no outbound blocking is because XP Firewall is for the average user. Not the average Slashdot user. The average user can't determine whether Claria should be given internet rights or not. We know better.

    So for average users XP firewall is a good thing since you don't have to know anything, but we (Slashdot users and internet savvy) demand more.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  6. Ridiculous. by Daleks · · Score: 5, Insightful

    Wait, a commercial firewall developer thinks Microsoft's free firewall isn't up to the challenge? Wow, what a surprise! What if Microsoft had put a full-fledged firewall into SP2? The same companies would be whining about how Microsoft bullied them out of the market.

  7. Former Microsoftie Here by einhverfr · · Score: 5, Insightful

    Hi;

    The Windows Firewall is probably adequate if you only have a single computer and are connecting to the internet.

    It is not built for network (ICS traffic bypasses any ICF filters) and so has absolutely no value for perimeter value.

    Like most commercial products from Microsoft, supportability in Windows Firewall is more important than security. If you need security over supportability by Microsoft staff, this is not the product for you. But it is not bad for what it does.

    It also has no outbound controls, unlike other personal firewalls. This is a slight issue, but I don't think it is major (what about hijacking IE to make the connections?)

    --

    LedgerSMB: Open source Accounting/ERP
  8. Re:Get a grip by Anonymous Coward · · Score: 5, Funny

    My box has never been hacked into.

    This can also be read as:

    I never got a popup reading "ZOMG! J00ve b33n h4xx043d by da ch1n33z3!!1!1one!eleven lolololz"

  9. Ignorant and Misleading by Anonymous Coward · · Score: 5, Insightful

    It's incredible how ignorant and misleading this article is.

    First of all, if the user using the machine is running as an admin, there is ABSOLUTELY NO WAY TO PREVENT THE FIREWALL FROM BEING DISABLED BY A 3RD PARTY PIECE OF SOFTWARE. Period. Guess what! ZoneAlarm and Symantec's stuff has the same 'fault'. If I have admin privs, and I run a piece of software (unless it's managed like .NET code), it can do ANYTHING I can do. That includes turning off firewalls.

    Software running as a non-admin user CANNOT TURN OFF THE FIREWALL. That's all you can expect.

    Second, outgoing protection just makes stupid people feel better. Any programmer with a clue can write software that gets around outgoing firewall protection. It took me about 20 minutes with VB (yeah, VB!!!) to write a proof of concept app that is able to do whatever it wants on the net even with ZoneAlarm installed.

    The only way to reliably restrict outgoing communications is at the borders of the network, not on the machine generating the traffic.

    All this FUD makes me sick.

  10. Re:Better than nothing? by Beryllium+Sphere(tm) · · Score: 5, Insightful

    Like the advice wilderness survival instructors have about knives. What's the best survival knife? The absolute best? It's the one you have with you. All the others are useless.

    Being installed by default is a "feature" more important in real life than any other.

    (Yes, I'd run something else in addition).

  11. Misinformed review by Bob+Ince · · Score: 5, Insightful

    > Simply the fact that Windows Firewall can be turned off by another application is enough to tell me Microsoft has goofed again.

    Balls. The fact the Windows Firewall can be turned off makes it exactly the same as every other personal firewall, including ZA and Sygate.

    Malware has been disabling the firewalls of machines it infects for years. It is simply not possible for a firewall to remain an effective security measure on a machine where hostile code has been run at the same level of privilege.

    Once the attacker's code is running on your machine, the game is over and you have lost. Until we get full operating-system level sandboxing (whereby applications and users are fully protected from each other's interference until the user/admin explicitly grants rights), this will always be the case.

    The main difference between the Windows Firewall and other personal firewalls is that it only blocks incoming traffic. But so what? An outgoing traffic block is of no use if the outgoing traffic is generated by hostile code on the local machine, as it can just as easily shut the firewall down completely.

    Other firewalls still provided the feature because they figured most malware wouldn't bother to detect and kill all the different brands of firewall. But Windows Firewall, soon to be very widely installed due to its default-on nature, would present a much more attractive target; soon every new virus, worm and piece of spyware would turn the block off as the first thing it did. Therefore the feature would offer zero additional security.

    Flexbeta's reviewer seems to have grasped the vocabulary of security countermeasures with no actual grasp of their practical implications. In summary: feh.