So what's wrong with Vista Firewall?

Discussion in 'other firewalls' started by tonyseeking, Apr 12, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Why cannot we all just use Vista Firewall?

    Why the need for other firewalls? :blink:
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Cos it's made by Micro$uck! Oh noes!

    'Nuff said.
     
  3. swami

    swami Registered Member

    Joined:
    Mar 24, 2006
    Posts:
    215
    You can. You don't.
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    At least one reason (really there are many) for me is performance:

    perfudp test

    pure system:

    1.) 22.978 sec
    2.) 23.431 sec
    3.) 23.103 sec

    windows firewall on

    1.) 25.038 sec
    2.) 25.147 sec
    3.) 25.225 sec

    To say nothing about many things that can be done with just one click. For example, my firewall allows me to trust/untrust any computer on a LAN with "one click", which results in the ability/inability to remotely access my NetBIOS and protects from some ARP-related attacks. Also I can block all the network traffic with a hot-key. Also I can use banking mode when I do my online banking. To say nothing about the Vista firewall's poor leaktest performance.
     
    Last edited: Apr 12, 2009
  5. progress

    progress Guest

    If you don't need a HIPS then keep your windows firewall. I think that's the only reason for a software firewall :)
     
  6. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
     
  7. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
     
  8. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    Ahh, I was looking at post #3 which didn't specify like post #4 which did specify XP SP3... ;)
    https://www.wilderssecurity.com/showthread.php?t=237243
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,189
    Location:
    Texas
    Off topic post removed.
     
  10. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    One can if one chooses to.

    Personal preference, at least here it is.
     
    Last edited: Apr 12, 2009
  11. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yep, from the very beginning I didn't think it should make any difference. But the second set made me think it does... Learning learning learning :)
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have seen far too many times where a "one click" solution can actually compromise a system, or in some circumstances cause loss of internet.

    - Stem
     
  13. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This also happens. But the same may happen with "go up and down, dance and sing and only then get what you need" solutions :)

    To be serious, this rather depends on understanding than on the number of clicks.
     
  14. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    You should also test the system with another firewall for comparison. I use Windows Firewall because of its performance in comparison to Comodo. ;)
    As for leaktests, that is complicated, since it is testing malware leakage via infected processes and so on, and should be stopped on another layer.
     
  15. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I did! Not too much testing though, but after all I did what I was interested in :)

    https://www.wilderssecurity.com/showthread.php?t=237243
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    Thanks for the link, that one part with OA was missing here. ;)
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I do make some tests for packet handling, but have not used the tests you mention.
    For such results to have any meaning to me, there would have to be a side-by-side comparison of "firewall A" <-> "firewall B", and what I mean is not just a performance test, but also a full check on what the firewall is filtering. For example, if "firewall A" is filtering all protocols just to IP/Port but firewall B is filtering TCP to flag or even sequence number level, and/or such as DHCP/DNS returned packets are having checks made on extra info such as transaction ID, then I would expect some difference in performance. Another consideration for me is what the firewall is actually filtering. For a very simple example, for me to replace the Vista firewall with a 3rd party firewall, that 3rd party firewall would need to filter IPv6.


    - Stem
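
The difference in filtering depth described in post #17, as an added example that is not part of the original thread: "firewall A" matches a returned UDP packet on IP/port only, while "firewall B" also parses the DNS header and checks the transaction ID. The addresses, the pending-query table and all function names are constructed for illustration.

```python
import struct

# Constructed sample state: one outstanding DNS query to resolver
# 198.51.100.53:53 from local port 53124 with transaction ID 0x1A2B.
PENDING = {("198.51.100.53", 53, 53124): {0x1A2B}}


def dns_header(txid, is_response):
    """Build a minimal 12-byte DNS header (no question/answer sections)."""
    flags = 0x8180 if is_response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def filter_ip_port(src_ip, src_port, dst_port, payload):
    """'Firewall A': accept any UDP reply that matches address and ports."""
    return (src_ip, src_port, dst_port) in PENDING


def filter_dns_txid(src_ip, src_port, dst_port, payload):
    """'Firewall B': also parse the DNS header and require the response
    flag plus a transaction ID that belongs to an outstanding query."""
    expected = PENDING.get((src_ip, src_port, dst_port))
    if expected is None or len(payload) < 12:
        return False
    txid, flags = struct.unpack("!HH", payload[:4])
    if not flags & 0x8000:  # QR bit clear: this is a query, not a reply
        return False
    return txid in expected


def compare(packets):
    """Return [(label, verdict_A, verdict_B)] for each constructed packet."""
    return [(label, filter_ip_port(*pkt), filter_dns_txid(*pkt))
            for label, pkt in packets]


# Constructed inbound packets: (src_ip, src_port, dst_port, udp_payload)
PACKETS = [
    ("genuine reply", ("198.51.100.53", 53, 53124, dns_header(0x1A2B, True))),
    ("wrong transaction ID", ("198.51.100.53", 53, 53124, dns_header(0x9999, True))),
    ("query sent as reply", ("198.51.100.53", 53, 53124, dns_header(0x1A2B, False))),
    ("truncated payload", ("198.51.100.53", 53, 53124, b"\x1a\x2b")),
    ("unknown source", ("203.0.113.7", 53, 53124, dns_header(0x1A2B, True))),
]

if __name__ == "__main__":
    for label, a, b in compare(PACKETS):
        print(f"{label:22} A={'pass' if a else 'drop'}  B={'pass' if b else 'drop'}")
```

Firewall B does extra parsing on every returned packet, which is the kind of added work that makes a raw timing comparison between two firewalls incomplete without knowing what each one inspects.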
     
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yep, I understand. I am not trying to move you to a different firewall. We talk here about the reasons and opinions. At the moment I don't care about IPv6 because I didn't encounter IPv6-based exploits; instead I encountered a lot of IPv4 exploits that can bypass Windows firewall (including Vista firewall). Tastes and needs differ. I'm more practical than theoretical. I think when IPv6 support makes practical sense it will be added to the third-party firewalls. I do not see many problems with IPv6 except the main one - IPv6 support can turn the UI into a true mess and IPv6 addresses can bring an unprepared mind to a true disaster :)
     
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Please explain.


    As for IPv6, even on an home/trusted LAN I would want filtering where Vista is present, as at its core network function it makes ICMPv6 multicast/ solicitation/ advertisement. So just for good management I would want control/filtering of those protocols, and would certainly not want these simply sent out over the internet.

    - Stem
     
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    To bypass Vista firewall all you need is to intrude into/replace a trusted process. When done, the firewall doesn't matter anymore. And there is a lot of malware that uses this. What should I explain? I can describe a lot of malware and what it does, does it make sense?

    Hm... I just disable IPv6 on my interfaces and this allows me to manage my network very well without buggering with very strange and completely useless at the moment IPv6 stuff.
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Protection of process is not a packet filtering job. For that you add a HIPS or other security application. Why would you call that an "IPv4 exploit"?

    Running a LAN with Vista nodes would be better managed with its core networking functions actually working, so filtering is a better option than disabling such a base function. As in Vista firewall there are rulesets/single rules that can be enabled/disabled where/when required for such functions, there is no need to create rules.

    - Stem
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    Just a note:

    I do not currently have the vista firewall as a security layer on my setup. I only installed Vista due to a number of recent questions I have been asked concerning the inbuilt firewall. So currently I am just testing the firewall, it is not connected to the internet.

    So my personal choice of what packet filtering would be in place for a Vista setup is still undecided.

    - Stem
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Because a modern firewall is not only a packet filter. To be just a packet filter is not enough to be a firewall today.

    http://en.wikipedia.org/wiki/Firewall_(networking)

    ===
    A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
    ===

    It's a pity the article hasn't been updated since 1994. So much water has flowed since then.

    ===
    First generation - packet filters
    Second generation - "stateful" filters
    Third generation - application layer

    Subsequent developments

    In 1992, Bob Braden and Annette DeSchon at the University of Southern California (USC) were refining the concept of a firewall. The product known as "Visas" was the first system to have a visual integration interface with colours and icons, which could be easily implemented to and accessed on a computer operating system such as Microsoft's Windows or Apple's MacOS. In 1994 an Israeli company called Check Point Software Technologies built this into readily available software known as FireWall-1.

    The existing deep packet inspection functionality of modern firewalls can be shared by Intrusion-prevention systems (IPS).

    Currently, the Middlebox Communication Working Group of the Internet Engineering Task Force (IETF) is working on standardizing protocols for managing firewalls and other middleboxes.

    Another axis of development is about integrating identity of users into Firewall rules. Many firewalls provide such features by binding user identities to IP or MAC addresses, which is very approximate and can be easily turned around. The NuFW firewall provides real identity based firewalling, by requesting user's signature for each connection.
    ===

    I believe to manage something well you need to understand it. I'm not ready to understand IPv6 addresses. More to say, I do not believe it will ever become popular, in the first place due to address complexity. I believe this is a dead-born standard. In any case I do not see any practical sense (aside from your theoretical speculations) to enable IPv6 support. I better sacrifice IPv6 in favour of security, because Vista firewall doesn't provide the security level I expect from a modern firewall and I do not understand IPv6 well enough to feel secure.
     
    Last edited: Apr 13, 2009
  24. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    While I won't question that claim, to say that a program needs to be able to protect files from malware attacks to be called a firewall sounds just a teeny-weeny bit far-fetched.
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OK. A firewall must protect inbound and outbound, even from tricky malware. Generally I do not care what means it uses to do this job, but it must do it. Vista firewall doesn't do it, so for me it doesn't do its job well. This is my approach. Let us return to the very beginning. The guy asked "why something else". I just explain why I use something else; these are my requirements for a firewall. Somebody else can have different requirements. In 30 min I can compile an example that will steal an ICQ number and send it out bypassing Vista firewall. Though, it will not bypass ZA, OP, OA, Comodo, PCT etc. Do you see now what I mean?

    Information can be sent out using DNS, ICMP protocols. It can be sent out using BITS, svchost, IE, FF, Opera. Actually there are a lot of tricks to bypass Vista firewall. Vista firewall can help only in case you never start anything on your computer except native Windows utilities. For most people this restriction is unacceptable.
     
    Last edited: Apr 13, 2009