In case you’ve never seen it, here’s Microsoft’s spin (published in TechNet Magazine as “Deconstructing Common Security Myths”) on why it doesn’t matter that Windows Firewall doesn’t filter outbound connections:
[b]Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.[/b]
Speaking of host firewalls, why is there so much noise about outbound filtering? Think for a moment about how ordinary users would interact with a piece of software that bugged them every time a program on their computer wanted to communicate with the Internet. What would such a dialog box look like? "The program NotAVirus.exe wants to communicate on port 34235/tcp to address 207.46.225.60 on port 2325/tcp. Do you want to permit this?" Ugh! How would your grandmother answer that dialog box? Thing is, your grandmother just got an e-mail with an attachment that promises some rather sexy naked dancing pigs. Then this crazy dialog box appears. We promise: when the decision is between being secure and watching some naked dancing pigs, the naked dancing pigs win every time.
The fact is, despite everyone’s best efforts, outbound filtering is simply ignored by most users. They just don’t know how to answer the question. So why bother with it? Outbound filtering is too easy to bypass, too. No self-respecting worm these days will try to communicate by opening its own socket in the stack. Rather, it’ll simply wait for the user to open a Web browser, then hijack that connection. You’ve already given the browser permission to communicate, and the firewall has no idea that a worm has injected traffic into the browser’s stream.
Outbound filtering is only useful on computers that are already infected. And in that case, it’s too late—the damage is done. If instead you do the right things to ensure that your computers remain free of infection, outbound filtering does nothing for you other than, perhaps, to give you a false sense of being more secure. Which, in our opinion, is worse than having no security at all.
Is it any wonder that security is so bad in Microsoft products?
“Outbound filtering is too easy to bypass, too. No self-respecting worm these days will try to communicate by opening its own socket in the stack. Rather, it’ll simply wait for the user to open a Web browser, then hijack that connection. You’ve already given the browser permission to communicate, and the firewall has no idea that a worm has injected traffic into the browser’s stream.”
There’s something called HIPS and it will warn you about the worm accessing your browser… 88)
I guess they’re still thinking in the AV era?
“Outbound filtering is only useful on computers that are already infected. And in that case, it’s too late—the damage is done. If instead you do the right things to ensure that your computers remain free of infection, outbound filtering does nothing for you other than, perhaps, to give you a false sense of being more secure.
Which, in our opinion, is worse than having no security at all.”
People make mistakes. So, they infect their PC by mistake. Outbound protection will surely stop the infection from getting worse than it already is. Maybe to the point where you can actually control it.
They obviously haven’t researched more and don’t realize that firewalls have evolved now. Comodo Firewall, for example, went from a traditional firewall to a firewall/HIPS product. I agree that using just a firewall and no HIPS is not a good idea these days, but their statement is wrong, and maybe someone could suggest Comodo to them?
“What would such a dialog box look like? “The program NotAVirus.exe wants to communicate on port 34235/tcp to address 207.46.225.60 on port 2325/tcp. Do you want to permit this?””
Comodo Internet Security, rated 90%, Level 10+, Very good
Windows Live OneCare, rated 5%, Level 1, Not recommended. One of the worst products tested, March 2008
(Windows Firewall {XP} wasn’t even tested)
“So, what does it mean if the product fails even the most basic tests of our challenge? It means that it is unable to do what its vendor claims it can. Such a product can hardly protect you against the mentioned threats.”
Not only outbound security. MS is replacing OneCare with its free 2009 “Morro”…the quality of it…we’ll see…but at least they’re taking a step in the right direction.
Mystifying average users and grandmothers appears to be a widespread fallacy.
Thing is, your grandmother just got an e-mail with an attachment that promises some rather sexy naked dancing pigs. Then this crazy dialog box appears. We promise: when the decision is between being secure and watching some naked dancing pigs, the naked dancing pigs win every time.
The fact is, despite everyone’s best efforts, outbound filtering is simply ignored by most users. They just don’t know how to answer the question. So why bother with it?
On a related note, it looks like the Vista firewall implemented allow-by-default outbound filtering???
“We have discovered that though Vista’s outbound firewall is ‘on’ by default, all outbound connects that do not match a rule are allowed. In the default configuration, there are no outbound ‘block’ rules, only allow rules. In other words, even though [the Windows Firewall outbound protection is] on, it is not doing anything.”
An oxymoron indeed
On the other hand, the recent introduction of Vista UAC would be somewhat along the lines of “bug them every time”, although before the final release there was an effort to reduce the nagging. :-X
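As an added example, not part of the thread or of Microsoft’s article, here is how to check the “on but allowing everything” default outbound state described in the quote above and switch it to block-by-default. It uses netsh advfirewall, which exists on Vista and later; the program path in the allow rule is an assumption, and the Get-/Set-NetFirewallProfile cmdlets at the end only exist on Windows 8 / Server 2012 and newer.

```powershell
# Added example (not from the thread): inspect and change Windows Firewall's
# default outbound action with netsh advfirewall (Vista and later).

# 1. Show the effective policy per profile. On a default Vista install the
#    "Firewall Policy" line reads "BlockInbound,AllowOutbound": outbound
#    filtering is "on", but anything not matched by a rule is still let out.
netsh advfirewall show allprofiles

# 2. Flip the default so unmatched outbound traffic is dropped on all profiles.
#    Existing built-in outbound allow rules (core networking, DNS, etc.) remain.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. From here on only explicit allow rules let traffic out. One rule for one
#    program (the path is an assumption; point it at the real binary).
netsh advfirewall firewall add rule name="Allow Firefox out" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes

# 4. List the outbound rules to confirm what is actually permitted.
netsh advfirewall firewall show rule name=all dir=out

# Windows 8 / Server 2012 and later expose the same settings as cmdlets:
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
# Set-NetFirewallProfile -All -DefaultOutboundAction Block
```

The caveat the thread itself raises still applies: a block-by-default outbound policy only decides per program, so a process that injects into an already-allowed browser passes through it; catching that is what the HIPS-style products mentioned in the replies are for.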
In 2006 this article was viable, but not now, because firewalls have become much more modern and harder to bypass (HIPS, self-defense…). Remember the Bifrost firewall bypasser system? With HIPS it simply doesn’t work, but it is very effective.
I doubt it, based on both past performance and current products.
Giant AntiSpyware was a very good product, so when Microsoft acquired Giant, I had high hopes when it morphed into Windows Defender, but Microsoft screwed up the interface, and it’s now so poor at detection that I no longer recommend it.
I likewise had high hope for Windows Live OneCare, got involved as a beta tester, but eventually gave up on it in disgust. (The on-line Safety Scanner is based on the same technology.)
Twice burned, thrice shy – I’ll be surprised if the upcoming free Microsoft anti-virus turns out to be a high-grade product – I’d have to see glowing reports over time before I would even take the time to try it.
I don’t think that article was valid even back in 2006 (if ever) – there were a number of better software firewalls available that included outbound filtering, which had long since been established as a valid approach to security.
That article reflected Microsoft’s piss-poor attitude and performance on security, an attitude and performance that hasn’t really changed all that much (witness Windows Live OneCare) notwithstanding all its subsequent spin on security.
I completely understand the article. I know people who still say, “I have anti-virus, and so I’m safe.” Despite the “enlightened” Microsoft bashing, newbies CLICK ON EVERYTHING! A pure firewall with outbound connection protection needs a good HIPS that most people won’t, or don’t want to, learn how to use. Then you get led to behaviour-based blockers like ThreatFire, which can be good for a newbie.