So what's wrong with Vista Firewall?

Discussion in 'other firewalls' started by tonyseeking, Apr 12, 2009.

Thread Status:
Not open for further replies.
  1. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Let's have a little story.

    Let's pretend a firewall is a lock on a door. It's designed to stop thieves (malware, exploits, unauthorized instructions, etc) from going in and out through the door when it's locked.

    Now let's pretend that the thief enters via an open window. He then smashes the lock, and proceeds to cart your valuables (ICQ number) through the now-open door. When you come back and see what happened, your conclusion was that: the door lock was faulty.

    Yes, I see what you mean. I also think it's complete nonsense, though I won't challenge your right to believe in it.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Simply put, we have 2 general opinions here: 1. firewall should be a firewall & 2. firewall should be a security suite. Well as long as it works for you, good luck. ;)
     
  3. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Nope, I don't agree on this. A firewall is a tool that must control inbound and outbound. In the early days being a packet filter was enough (like being a castle was enough to protect from intrusion). But now, when we have atomic weapons, being a castle does not help. Neither does a packet filter introduce an acceptable protection level, especially on a desktop system. Though it can work on a server where only the admin has access and the security policy is very strict.
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Oh come on.

    Firewalls control inbound and outbound well enough. It's when you call a malware attack a "vulnerability" that things start to get really messed up.
     
    Last edited: Apr 13, 2009
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What makes you say DNS/ICMP protocols bypass the Vista firewall? You would need to post an example, otherwise I see your statement as FUD.
    Now if it is leak tests you are looking at, well, don't waste your time. For leak tests I would add a HIPS if required.

    The vista firewall needs to be set up correctly just like any firewall. The windows services, such as DHCP/DNS can be bound to a rule.


    - Stem
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I actually look at it this way:-

    A firewall will filter packets from the PC NIC to the Internet, and then filter the replies, and I consider this to be "direct communication" and is to me what a packet filter firewall is all about. The leak tests look at internal/indirect communications before it gets to the NIC, which for me is the job of an HIPS.


    - Stem
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have a question. If there were a user who controlled his services, shutting down unneeded ones, and also closed all ports, let us say, except NetBIOS, and if the Vista firewall were to have the NetBIOS ports apply only to the local subnet, that would leave applications to open ports. So a browser opens 80 or 8080 or 443. Also port 53 would be opened. How does this topic then answer that situation?

    And then let us suppose that we went further and applied IPSEC rules, where outbound DNS was allowed only on port 53 to your ISP's DNS servers, and that further you only wanted to allow ports 80, 8080 and 443. This assumes you were to make no other outbound WAN requests. How does this topic then answer that question?

    Is this topic based upon the supposition of a novice user having default system services and applications? Is it based upon the user not understanding themselves how to properly secure it? Is the thought that the Vista firewall is not enough because of that?

    I propose that an answer be given to whether the opinion that Vista FW is not so good can be melted down to:
    Vista FW = not so good for default settings with novice user
    Vista FW = sufficient in hands of advanced user

    To be sure, this is a most interesting topic.

    Sul.
     
  8. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    DNSAPI.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What you are looking at is a restriction on what applications can access the DNS client. I don't see that as a packet filtering job, as it is internal comms. A number of suites do not have such an interception, and if some possible problem is seen with applications accessing this service, then simply disable the service.

    - Stem
     
  10. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    What exactly is HIPS? Can you explain that to me in basic layman terms so a kid could understand it? :blink:
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Some info on this is Here.
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Exclusive cycle. I do not see a firewall as a packet filter only. Nor do the main firewall vendors today.

    BTW, can you explain what protection a pure packet filter introduces today? What is the difference between being packet-filtered and going without a firewall completely?

    I ran my Vista PC for a week without any firewall, I did a lot of surfing, I plugged into a big enough LAN (~50 computers) and I didn't start anything new. As a result I didn't notice any difference between being firewalled and not. Just once I got malware uploaded to my "allowed for everybody" shared directory, but it didn't go over it.
     
    Last edited: Apr 13, 2009
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Let us look at an example, let us say Online Armor. It contains a number of modules: there is the firewall, the program guard etc. Now if you disable everything in OA apart from the firewall, will it block access to the DNS API or block the leak tests? No, as OA places that job with the application guard, the HIPS part/layer of the suite.

    The firewall is for the control/filtering of direct communications to/from your PC.

    - Stem
     
  14. MAOS

    MAOS Registered Member

    Joined:
    Apr 13, 2009
    Posts:
    15
    Totally agree with it
     
  15. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Ok thanks
     
  16. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Agree. But this is just implementation. It can be implemented differently, giving no way to disable any part. There is no standard on what functionality a firewall should implement and there is no standard implementation. Since there is no standard we have to come from practice. And practice tells us that any popular modern firewall is integrated with a HIPS in one way or another. Some of them allow you to disable the HIPS part, some of them don't, but the general trend is obvious and allows us to extend the "modern firewall" definition. Why this happens is also obvious. Packet filtering only is not a way for a regular user to increase security, and it is security the regular user is concerned about rather than "good network management". Good network management is for the experts and sysadmins.
     
    Last edited: Apr 14, 2009
  17. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Some AV vendors (e.g. Rising, Kaspersky, Norton, AVG) have already integrated some sort of HIPS to their AVs/Suites.
    Does this mean, that a HIPS is an AV o_O

    If so, then AV=HIPS=Firewall. :argh:

    IMHO there is a difference between application filtering and packet filtering.

    Cheers
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I think yes. This does mean that a modern AV needs HIPS functionality to do its job successfully.

    Yep, there is also a difference between application filtering and intrusion prevention :)

    There are no strict bounds. I know, people like strict definitions, but we have no such definitions either for FW or for AV. The only definition for FW that covers the whole range is "inbound and outbound traffic control", and for AV "catches viruses". The means are secondary, functionality is primary. Something like what happens with modern cars. The Eurostandard for modern cars differs much from what the very first cars were, to say nothing about hybrid or electric cars :)
     
    Last edited: Apr 14, 2009
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You have already put forward there is an increase in security due to packet filtering;-
    All the above is made possible with packet filtering.

    Your main point of argument is the fact that the vista firewall does not prevent leak tests, and I have clearly stated that I am looking at the packet filtering ability and not HIPS functions. I also clearly stated that if required, then on such a setup I would then add an HIPS for leak prevention (if wanted/required).


    - Stem
     
  20. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    Hi Stem,

    If Vista firewall is a "tweak-needed" firewall, can you write an instruction or maybe recommend an article?

    I'm using Vista firewall and I'm the "click button once guy" with it at the moment.:doubt:
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    So can we become clear with this thread?

    It is understood that Vista FW may not have a great HIPS type application control. It is in debate what today a 'Firewall' should do. Some say it filters network connections plain and simple, some say it should do much more, to offer security, especially for novice users. These are both points of view that offer no clear truth of fact. Of course lol, that is my opinion.

    But for the sake of learning, and the sake of future peeps who view this thread to gain some information, let us answer a very basic question regarding the Vista firewall.

    Does it stop TCP/UDP/ICMP packets from coming or going if told to do so?
    Does it filter TCP/UDP/ICMP packets and allow or deny based off of parameters such as local subnet only or remote IP only, or even direction only?

    In those 2 questions, can we sum up, does Vista FW actually work? If it can achieve those 2 items, why would it be considered inadequate for those uses? Disregard the application monitoring. Straight up, does it control the I/O of the NIC?

    Sul.
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have not seen any article that I would consider helpful, certainly not for setting up rules/policies. Maybe other members may know of some links?

    As for instruction, I am putting together a help post/thread, but it is taking longer than I first thought.

    - Stem
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes to both

    I have not seen anything to give me concern. When I installed Vista, I left it with all default services active, just to see if anything would leave the PC on a "block all apart from what is allowed" policy, and I only allowed a browser/DHCP/DNS client. I have not seen any comms not allowed by rule.


    - Stem
     
  24. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Looking forward to this thread when it is ready :cool:
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello all,

    I do have a question for those using, or thinking of using the Vista firewall.

    Within the Vista firewall there are 3 profiles which make up the firewall policy; the intention is that the user can have a ruleset for a private LAN, a ruleset for a public connection (WAN/untrusted) and a ruleset for a domain.
    I am curious as to how users would actually set this up: would you set up the different profiles and set the PC for "Network discovery", or would you just set one ruleset with restrictions made in the rules?

    I am currently just going through booting Vista into different IP ranges to see how the firewall reacts, and to see what comms are made for the "Network discovery".

    I will still be adding this info, but was just curious as to how many would use a 2 or 3 profile(ruleset) setup.

    - Stem
     
    Last edited: Apr 15, 2009
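The "block all apart from what is allowed" setup Stem describes, with the per-profile and local-subnet restrictions Sully asked about, can be scripted with the `netsh advfirewall` commands that ship with Vista. The script below is an added example and is not from the thread or from Microsoft; it assumes an elevated PowerShell prompt, that the browser path and the two resolver addresses (192.0.2.x are placeholders from the documentation range) are replaced with your own, and that the `set rule name=all` form is accepted by your build (if it is rejected, disable the built-in rule groups in the firewall MMC instead).

```powershell
# Added example (not from the thread): default-deny Vista firewall policy
# built with netsh advfirewall. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# Assumed values - adjust for your own machine.
$Browser = "$env:ProgramFiles\Internet Explorer\iexplore.exe"   # assumed browser path
$IspDns  = '192.0.2.53,192.0.2.54'                               # placeholder resolver addresses
$Svchost = "$env:SystemRoot\system32\svchost.exe"                # host process for DHCP/DNS client services

# 1. Back up the current policy so the change can be reverted with
#    'netsh advfirewall import <file>'.
netsh advfirewall export "$env:USERPROFILE\firewall-before.wfw"

# 2. Vista ships with many built-in allow rules that stay active even under a
#    block-by-default policy, so disable them first (assumed syntax, see lead-in).
netsh advfirewall firewall set rule name=all new enable=no

# 3. Firewall on, and block-by-default in both directions on all three profiles.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 4. DHCP client: lease requests go UDP 68 -> 67 from svchost under the Dhcp service.
#    The filter is stateful, so the server's reply is matched to this rule.
netsh advfirewall firewall add rule name="Allow DHCP client" dir=out action=allow `
    protocol=UDP localport=68 remoteport=67 program="$Svchost" service=Dhcp

# 5. DNS client: UDP 53 only, and only to the chosen resolvers (the port 53 /
#    ISP-resolver restriction from Sully's post).
netsh advfirewall firewall add rule name="Allow DNS client" dir=out action=allow `
    protocol=UDP remoteport=53 remoteip=$IspDns program="$Svchost" service=Dnscache

# 6. Browser: TCP 80/8080/443 only, tied to one executable.
netsh advfirewall firewall add rule name="Allow browser" dir=out action=allow `
    protocol=TCP remoteport=80,443,8080 program="$Browser"

# 7. NetBIOS (file and printer sharing) restricted to the local subnet and to
#    the private profile, so nothing is exposed on a public/WAN connection.
netsh advfirewall firewall add rule name="NetBIOS UDP in (LAN only)" dir=in action=allow `
    protocol=UDP localport=137,138 remoteip=localsubnet profile=private
netsh advfirewall firewall add rule name="NetBIOS TCP in (LAN only)" dir=in action=allow `
    protocol=TCP localport=139 remoteip=localsubnet profile=private
netsh advfirewall firewall add rule name="NetBIOS UDP out (LAN only)" dir=out action=allow `
    protocol=UDP remoteport=137,138 remoteip=localsubnet profile=private
netsh advfirewall firewall add rule name="NetBIOS TCP out (LAN only)" dir=out action=allow `
    protocol=TCP remoteport=139 remoteip=localsubnet profile=private

# 8. Verify: the effective policy per profile, and the enabled rules only.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name|Enabled|Direction|Action'
```

Two points worth checking after running it: anything that is not a browser, DHCP or DNS traffic (Windows Update, mail, IPv6 neighbour discovery) is now blocked outbound, which is exactly the "see what leaves the PC" experiment Stem describes, and the firewall log (`netsh advfirewall set allprofiles logging droppedconnections enable`) will show what was dropped so rules can be added deliberately rather than by default. Note that, as the thread makes clear, these rules filter what reaches the NIC; a program that hands its lookups to the DNS client service still goes out under the svchost rule, which is the HIPS/application-control gap, not a packet-filter one.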