
SANS ISC InfoSec Handlers Diary Blog



Two-Way Firewall in Windows Vista and Microsoft OneCare

Published: 2006-01-31
Last Updated: 2006-01-31 19:59:20 UTC
by Ed Skoudis (Version: 1)
0 comment(s)

With client-side exploits so plentiful, it sure would be nice to have some form of serious outbound firewalling built into Windows, wouldn't it?  The XP firewall blocks inbound traffic, but is of little use for outbound defenses.  As Handler Queen Lorna Hutcheson points out, since Win2K you can filter outbound traffic using the so-called IPSec filters of Windows.  However, such filters are: 1) Really badly named -- a filter action can be a plain Permit or Block, with no IPSec crypto negotiated at all; 2) Really hard to define (what an ugly GUI); and 3) Not application-aware -- they match only on addresses, protocols and ports, so you cannot say "this program, and only this program, may talk on these ports."  So, the existing outbound filtering of Windows is extremely limited.


But, here's a nice article about how Microsoft plans on including outbound filtering in the Windows Vista firewall. Let's see, we've had such features with free solutions for over a decade.  But only in 2006 will we get it standard in Windows. 

In Microsoft's defense, though, once an attacker infiltrates via a client-side exploit and gets administrative rights, their evil code can simply alter the firewall config.  True.  But, still, security is all about raising the bar.  We raise the bar, they jump over it.  We then raise it again.  It's the natural order of things.  I hear some arguments that say, "We shouldn't do this from a security perspective, because they'll jump over this bar."  But, if the cost of such solutions is minuscule, why not raise the bar anyway, knowing that it still can be jumped?  Let's make the bad guys work a little harder if it doesn't cost us anything.
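Here is what the per-application outbound filtering discussed above looks like in practice, as an added example that is not from the original diary, the linked article, or Microsoft: it uses the netsh advfirewall context that ships with Vista to make Block the outbound default, allow a single browser by executable path, turn on drop logging, and then shows the one-line undo that malware running as administrator would use, together with the check that catches it.  The browser path, the rule names and the baseline file location are assumptions; type the commands at an elevated cmd or PowerShell prompt.

```powershell
# Added example (not from the diary): Vista-era per-application outbound
# filtering with netsh advfirewall, run from an elevated prompt.
# Assumed values: the browser path, the rule names and the baseline path.

# 1. Make Block the default for outbound traffic on every profile
#    (inbound was already Block by default).
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow only what the user really needs: DNS for the resolver, and one
#    browser, identified by its executable path, to TCP 80 and 443.
#    Nothing else on the box may initiate an outbound connection.
netsh advfirewall firewall add rule name="ISC-Allow-DNS-out" dir=out action=allow protocol=UDP remoteport=53 enable=yes
netsh advfirewall firewall add rule name="ISC-Allow-Browser-out" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" protocol=TCP remoteport=80,443 enable=yes

# 3. Log dropped connections, so an unexpected outbound attempt (a reverse
#    shell spawned by a client-side exploit, say) leaves a trace in
#    pfirewall.log even though the packet never left the machine.
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Snapshot the policy so a later comparison can reveal tampering.
netsh advfirewall export "C:\Baseline\firewall-baseline.wfw"

# --- The "raise the bar" caveat from the diary ---
# Code that already runs with administrative rights needs exactly one line
# to undo step 1 (adding or deleting rules is just as easy):
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# So the control is only worth having alongside a check.  Re-run these from
# a scheduled task and compare against the baseline:
netsh advfirewall show allprofiles                       # "Firewall Policy" must read BlockInbound,BlockOutbound
netsh advfirewall firewall show rule name=all dir=out    # any outbound allow rule you did not create is a finding
```

The point of the last two commands is the diary's own: the bar is cheap to raise, and cheap for an attacker to jump, so pair the outbound policy with a periodic look at whether it is still the policy you set.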

A related story involves Microsoft's OneCare technology, an attempt at a comprehensive set of anti-virus/anti-spyware/firewall tools that help provide an envelope of protection around a user's PC.  A blog post here talks about ways to dodge the defenses of OneCare, primarily by using Java and/or signed code to bypass the firewall restrictions.  Some Microsoft personnel respond here, saying that their goals were to pull security configurations together in one place and offer protection while minimizing application breakage.  It's all about trade-offs.  And I, for one, welcome our new OneCare overlords.  There are many copies.  And they have a plan.
