Firewall with adv security

voidcoder

Could someone please tell me how to configure the outbound rule
to apply to a "Service Only", not to "App Only", "App and Service"
etc. The help says that it is possible but I can't find a way
to do so; it looks like a rule wizard GUI bug. How do I set up
an outbound rule for, say, the "Windows Update" service?

thanks
 
Guest

Sorry, I'm not sure I am seeing what you say is the problem. Here is what I
did:
1. Right-click Outbound Rules
2. Select "New Rule"
3. Select "Custom" and click next
4. Click the "Customize..." button under Services
5. Click the "Apply to this service:" radio button and select "Windows Update"
6. Click "OK"
7. You must now select "All programs." Yes, that's a bit counter-intuitive
but as long as the Program screen remains on a specific program path you
can't proceed.
8. Finish building the rule.

Is that what you are trying? Are you not seeing what I am seeing? I could
see how step 7 could be confusing. There really ought to be a radio button
next to "Services" on that screen.

BTW, most of the services that can be meaningfully restricted from outbound
communications have already been restricted by default. What are you trying
to achieve with this?
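The same rule built from the command line, as an added example that is not part of the thread: netsh advfirewall on Vista takes a service short name, which is the CLI form of the "Customize..." button under Services in step 4. The service names wuauserv (Windows Update) and bits (BITS, which performs the downloads), and the restriction to TCP 80/443, are my assumptions rather than something the thread states; drop protocol/remoteport if your update source is something else. Run from an elevated prompt.

```powershell
# Added example, not from the thread: command-line equivalent of the eight
# GUI steps above. Elevated PowerShell (or cmd) prompt on Vista.
# Assumed: Windows Update = service wuauserv, downloads via service bits,
# update servers reached over TCP 80/443.

# The switch voidcoder describes under the profile settings: block outbound
# by default (inbound stays blocked; allowoutbound is the Vista default).
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# Steps 3-8: an outbound allow rule scoped to one service. Leaving program=
# unset is the "All programs" choice from step 7 - it just means no path
# filter. service=wuauserv still limits the rule to that one service, so
# other programs (and other services hosted in the same svchost.exe) do not
# match it.
netsh advfirewall firewall add rule name="Allow Windows Update service (out)" `
    dir=out action=allow enable=yes profile=any `
    service=wuauserv protocol=tcp remoteport="80,443"

# BITS does the actual downloads, so it needs the same allowance.
netsh advfirewall firewall add rule name="Allow BITS service (out)" `
    dir=out action=allow enable=yes profile=any `
    service=bits protocol=tcp remoteport="80,443"

# Verify the rule as stored: the Service line should read wuauserv and the
# Program line should read Any.
netsh advfirewall firewall show rule name="Allow Windows Update service (out)" verbose

# If name resolution also stops working after blocking outbound, check that
# the built-in DNS outbound rule is still enabled (rule name assumed here).
netsh advfirewall firewall show rule name="Core Networking - DNS (UDP-Out)"

# Roll back:
# netsh advfirewall firewall delete rule name="Allow Windows Update service (out)"
# netsh advfirewall firewall delete rule name="Allow BITS service (out)"
# netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"
```

The comma-separated values are quoted because PowerShell would otherwise split `80,443` into two arguments before netsh sees them; in cmd.exe the quotes are harmless. A rule keyed on the service is tighter than one keyed on the path, since `svchost.exe` hosts many unrelated services.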
 
voidcoder

The confusing part is that I have to select "All Programs"
in order to proceed with a single service. Haven't tried it
yet, but I would expect that the rule will apply to
"All Programs" as well, not only the selected service.
Otherwise what is the meaning of the "All programs" option
then?

I'm simply trying to use the outbound control and
can see that it is nothing but a useless feature
in the Vista firewall, mainly because of the missing "learning"
mode, or at least normal logging for outbound traffic.
How do you determine what ports are used by some
program/service (and more importantly, how do you determine
the program binary and path) to add the corresponding outbound
rule manually?

Windows Update service has no default rule, so if you turn
 
voidcoder

To be more specific, what I mean is that in order to add
some rule you need to know at least something about the
program/service and its networking. Things like local endpoint
address/port, remote endpoint address/port, program/service
name and path etc. So how do you determine all of these
using the Vista firewall? Normally I would expect there to be
a way to enable a "learning" mode, where the firewall
will pop up some alarm window and say that something that
doesn't match the defined rules is trying to access the
network, so do you want to block it, allow it, or define a
new rule for it.

While it is somehow implemented for inbound traffic,
it is not implemented at all for outbound. Not clear
what the use of the outbound control is then. Seems I'm
again forced to buy some third party firewall :( It was
 
voidcoder

No, I'm not trying to prevent Windows Update from doing
anything. I'm trying to *allow* it to do its job when
the outbound protection is turned on. Go to the firewall
settings, then select your profile and turn on the outbound
control. Next go to Windows Update and try to check for updates;
it will fail since there is no outbound rule for it.


You will not find much information for most
native Windows or third party software about exactly what
ports they are using internally, nor what
addresses they are trying to connect to and why they are
trying to connect. Run some normal firewall with outbound
control and you will be surprised how much native and
third party Windows software is trying to connect somewhere
and send some data in background. Good if it's just checking
for updates... That is why I actually like to have
outbound traffic controlled as well, not only
inbound.

Anyway, in half of the situations you simply can't determine
what binary you have to specify in your rule. Some programs
are not a single binary exe located in the program folder.
Some are a gazillion of binaries calling each other and mixed
in the program folder, Windows folders or elsewhere. You will
simply spend some days determining what is related to the
app that you want to run and defining a rule for each binary.

Another good example is when you install something that
needs networking in order to install properly. Have you tried
to install, say, VS2005 with the outbound control turned on?
How do you know what ports VS2005 will be using during
installation? How do you implement a rule to allow all
the intermediate helper apps started in background by
the installer to run normally? In learning mode you can
just allow it to run, while without it you have no chance.
Switching the outbound protection on/off every minute
is not an option.

The learning mode is not to pop up on every inbound/outbound
packet. It is to help you quickly define rules for the
programs that you trust (just because you can't know any
networking details for each native or third party program
to be able to do it manually). So once the rules are defined,
you won't see any popup for years, until you install
something new.
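On the two practical questions raised in this post and the earlier one (which binary or service is behind a connection, and how to see what the outbound block is dropping), here is an added example that is not part of the thread. It uses only tools Vista ships: netstat -b and tasklist /svc for the owning process, and the firewall's own dropped-packet log, which voidcoder's posts do not mention. The log does not record the process, so the two have to be combined by hand. The log lines at the bottom are constructed sample data in the pfirewall.log format, the log path is the Vista default, and the parsing function needs PowerShell 3.0 or later for [pscustomobject]; netstat -b and netsh need an elevated prompt.

```powershell
# Added example, not from the thread: which binary or service owns a
# connection, and a summary of the outbound drops the firewall can log.
# Elevated prompt required for netstat -b and netsh.

# 1. Live answer to "which exe/service is talking, and where does it live?"
netstat -b -n -o            # -b executable, -n numeric addresses, -o PID
tasklist /svc               # which services each svchost.exe PID is hosting
sc.exe qc wuauserv          # BINARY_PATH_NAME of a service (sc.exe, because
                            # "sc" alone is PowerShell's Set-Content alias)

# 2. Log every dropped connection; DROP + SEND lines are what the outbound
#    block produces when no rule matches.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging filename $log
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable

function Get-DroppedOutbound {
    # Summarise DROP/SEND records from pfirewall.log text by destination.
    # The file is W3C-style: a "#Fields:" header names the columns and the
    # last column (path) is SEND for outbound, RECEIVE for inbound.
    param([string[]]$Lines)
    $fields = $null
    $drops = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim()) -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line.Trim() -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'SEND') {
            [pscustomobject]@{
                Proto = $rec['protocol']
                Dest  = $rec['dst-ip']
                Port  = $rec['dst-port']
                Time  = "$($rec['date']) $($rec['time'])"
            }
        }
    }
    # One row per protocol/destination/port, most frequent first
    $drops | Group-Object Proto, Dest, Port | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count = $_.Count
                Proto = $_.Group[0].Proto
                Dest  = $_.Group[0].Dest
                Port  = $_.Group[0].Port
                First = $_.Group[0].Time
            }
        }
}

# Constructed sample (not a real capture): one host behind an outbound block.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-02-01 09:14:03 DROP TCP 192.168.1.10 198.51.100.20 49152 80 52 S 1234567 0 8192 - - - SEND
2007-02-01 09:14:06 DROP TCP 192.168.1.10 198.51.100.20 49153 443 52 S 1234568 0 8192 - - - SEND
2007-02-01 09:14:09 DROP TCP 192.168.1.10 198.51.100.20 49154 80 52 S 1234569 0 8192 - - - SEND
2007-02-01 09:14:12 DROP UDP 192.168.1.10 192.168.1.1 55000 53 0 - - - - - - - SEND
2007-02-01 09:14:15 DROP TCP 203.0.113.5 192.168.1.10 4444 135 48 S 99 0 4096 - - - RECEIVE
'@ -split '\r?\n'

Get-DroppedOutbound -Lines $sample | Format-Table -AutoSize
# 198.51.100.20:80 twice, then 198.51.100.20:443 and 192.168.1.1:53 once
# each; the inbound RECEIVE line is not counted.

# Against the real log, once some traffic has been blocked:
# Get-DroppedOutbound -Lines (Get-Content $log) | Format-Table -AutoSize
```

Match a dropped destination and time against `netstat -b -n -o` taken while the program is retrying, then `tasklist /svc` for the PID if it is `svchost.exe`; that gives the service name for a service-scoped rule or the path for a program rule. A UDP 53 drop to the local resolver, as in the sample, points at the built-in DNS outbound rule being disabled rather than at the application.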
 
voidcoder

Sorry Jesper, I do not agree. If the outbound control
is useless, why is it there at all in the first place?
Personally I've been using it since the days of Win95 and
NT3 and I'm not going to stop, no matter what OS
I'm running on. I do not like that any piece of
software is able to send something in background
without letting me know what it is doing.

I do not understand why this is an open door for
the malware; actually it is preventing and notifying
you about any malware running on your PC, while
with uncontrolled outbound *any* running
process can connect to *any* address on any port
and send some data and you will never detect it.
 
voidcoder

I would never ask for help with the Vista firewall, it is again
not exactly what the end user is expecting from a personal
firewall IMHO. That is why a wide range of third party firewalls
are dominating the market. Unfortunately the problem is that
my favourite firewall, verified over years, is not running on Vista
yet, so I have to wait for an update or buy a new one which
works correctly on Vista. I have been using (actually most of us
have been using) outbound protection for a long time and have
never had any problem with it. I do not understand why it is
confusing you.

Anyway, thanks for your help.
 
Alun Jones

voidcoder said:
> I do not understand why this is an open door for
> the malware; actually it is preventing and notifying
> you about any malware running on your PC, while
> with uncontrolled outbound *any* running
> process can connect to *any* address on any port
> and send some data and you will never detect it.

If you don't trust the software that's installed on your machine, don't run
it.

Once you've got malware on your machine, it can pretend to be any other
trusted piece of software that you run - it can run that other trusted piece
of software and then inject its own code into that other piece of software.

So, as outbound filtering becomes more popular, malware that requires an
outbound connection simply uses Internet Explorer to make the outbound
connection for it. Bingo, your outbound firewall filtering is useless.

Now, outbound filtering may be a useful piece of policy restriction -
perhaps, for example, to prevent employees from running IRC chat programs,
or peer-to-peer file theft networks - but if your users control what gets
filtered (through accepting or rejecting dialog messages), that's no
protection at all, either.

Outbound filtering cannot prevent your machine from getting infected by
malware. It cannot prevent malware from getting further instructions or
downloading extra components (because, after all, if the original malware
code had a route into your system, it can exploit that route again for
further parts of itself, or to receive updated instructions).

Outbound filtering can only prevent _well-behaved_ programs from making
connections - and if you need to do that, then you generally should either
uninstall or re-configure the program, rather than make your firewall more
complex.

I'm not even sure that I agree with Jesper that outbound filtering in Vista
is terribly useful or important. I can see a couple of places wherein it
might prove useful for preventing tools and services from going outside the
local network, where those tools and services have no ability to be
configured that way. [For instance, for preventing File and Printer Sharing
from accidentally going outside the local network.] But that's probably
better configured at the edge firewall than on each individual PC within a
network.

Alun.
~~~~
 
voidcoder

Sorry guys, I do not agree with you both. For some
reason you are thinking that you know better than me
what exactly I need to be happy. Somehow the outbound
protection has been serving me very well for years, no plans
to change anything here. I'm asking how to use the
built-in outbound protection in the Vista firewall while
you are convincing me that outbound protection is not
useful, unsafe etc. It is not more unsafe than the
inbound protection. There is nothing that is 100%
safe, everything can be hijacked. But thinking so you
can simply not worry about the protection at all.

Yes, you are right of course. The outbound filtering
cannot prevent your machine from getting infected
(again there is nothing that can 100% prevent it),
I'm not expecting more than it can do for me.
However it can warn you that there is something
running on your PC that is trying to communicate
with the outside network in background without letting
you know. It is really enough for me to start looking
at what it is and why it is there. Note that without the outbound
protection that "something" will be able to do it
forever, unless some day it is detected differently,
using the anti-virus, some changes on your credit
card account etc.

Defining the inbound/outbound rules in learning mode
for some particular binaries, in conjunction with
checking that the binary isn't modified (a standard
function for most of today's firewalls), is all I need
to be happy. The bad thing is that learning mode is for some
reason only implemented for inbound filtering, otherwise
I would stop any research in this field and stay with
the Vista firewall. Unfortunately it is not there, so I'm
forced to spend some additional $ and buy a third party
solution to fill my needs.

Only installing software that I trust is not an
option for me. How do you decide that you trust
or don't trust some software from an unknown vendor? My
way is usually to install a demo/trial/whatever to see what
it is, how it works, whether it is exactly what I need, whether it is safe
etc., and finally I decide that I trust it and need to buy it,
or just need to uninstall it and forget about it. For me it looks
like the right tactic, not sure about others. A friend of mine
even checks everything new on Virtual PC first prior to
installing it on the main machine, but that is a little too much
overhead for me.


 
Alun Jones

voidcoder said:
> Sorry guys, I do not agree with you both. For some
> reason you are thinking that you know better than me
> what exactly I need to be happy.

Please accept my apologies for arguing with you.

Had I known that the purpose of outbound firewall filtering was simply to
make you happy, I would have quite happily ceded the point to you, as only
you can know what makes you happy.

> Somehow the outbound
> protection has been serving me very well for years, no plans
> to change anything here.

Might I suggest that you also buy some of my purple elephant defence spray?

User testimonials indicate that no users of my purple elephant defence spray
have ever been trampled by purple elephants.

> I'm asking how to use the
> built-in outbound protection in the Vista firewall while
> you are convincing me that outbound protection is not
> useful, unsafe etc.

If I have given you the impression that I am arguing that outbound filtering
is unsafe, then I apologise.

I believe that outbound filtering merely offers too little in the way of
security (i.e. close to none) when compared with the added complexity
introduced by implementing it. Since that's a value judgement, you should
feel free to disagree.

> It is not more unsafe than the
> inbound protection. There is nothing that is 100%
> safe, everything can be hijacked. But thinking so you
> can simply not worry about the protection at all.

Asking for outbound filtering to protect you from malware is like asking for
keyed locks on the inside, as well as the outside, of your house doors, to
protect you from murderers and thieves. Too late! The criminals are already
on the inside, and are holding the door open!

> Yes, you are right of course. The outbound filtering
> cannot prevent your machine from getting infected
> (again there is nothing that can 100% prevent it),
> I'm not expecting more than it can do for me.

Perhaps you can explain what it can do for you?

> However it can warn you that there is something
> running on your PC that is trying to communicate
> with the outside network in background without letting
> you know.

For most users, such warnings are generally useless - either they are
dismissed, because the user doesn't understand them, or they put the user
into a frightened state, because the user doesn't understand them. When the
first outbound firewalls were introduced, I was forever having to calm down
users who had become really upset that their ISP was running malware on
their computers, because for why else would their system be repeatedly
trying to make a contact to the ISP on port 53?

[For those who don't want to figure it out, that is simply a normal part of
resolving names, so that you can use www.microsoft.com in a browser instead
of the truly memorable 207.46.225.60]

> It is really enough for me to start looking
> at what it is and why it is there. Note that without the outbound
> protection that "something" will be able to do it
> forever, unless some day it is detected differently,
> using the anti-virus, some changes on your credit
> card account etc.

And, with the outbound protection, that "something" will be able to connect
outbound on the Universal Firewall Tunneling Protocol (port 80), or the
Secure Universal Firewall Tunneling Protocol (port 443) through Internet
Explorer, or the Sneaky Firewall Tunneling Protocol (port 53) - unless you
think that we should be warned every time we load up a web browser, or an
application goes to check a DNS name. What about Ping? Are you looking for
the firewall to complain about that on the way out, too? There are endless
numbers of protocols that your outbound filter shouldn't be filtering, and
which malware can use to phone home.

> Defining the inbound/outbound rules in learning mode
> for some particular binaries, in conjunction with
> checking that the binary isn't modified (a standard
> function for most of today's firewalls), is all I need
> to be happy.

This component of Vista doesn't appear to have been designed with the goal
of keeping you - or me - happy. Jesper's a little happier about it, but
then I think he may have had some input in the design :)

> The bad thing is that learning mode is for some
> reason only implemented for inbound filtering, otherwise
> I would stop any research in this field and stay with
> the Vista firewall. Unfortunately it is not there, so I'm
> forced to spend some additional $ and buy a third party
> solution to fill my needs.

Every now and again, the default operating system tools will not satisfy
your innermost desires. That's what third party tools are for. In the
eighty/twenty rule, you have just migrated across the boundary from eighty
to twenty. You're special. Keep telling yourself that as you pay for a tool
that I'm convinced is completely useless. :)

> Only installing software that I trust is not an
> option for me. How do you decide that you trust
> or don't trust some software from an unknown vendor?

I go by reputation, documentation, testing and need.

> My
> way is usually to install a demo/trial/whatever to see what
> it is, how it works, whether it is exactly what I need, whether it is safe
> etc., and finally I decide that I trust it and need to buy it,
> or just need to uninstall it and forget about it. For me it looks
> like the right tactic, not sure about others. A friend of mine
> even checks everything new on Virtual PC first prior to
> installing it on the main machine, but that is a little too much
> overhead for me.

It's all a risk/benefit analysis, but too many people don't realise that
they should be considering risks versus benefits.

Alun.
~~~~
~~~~
 
voidcoder

Oh I see we are quite far away now from the original
question about the particular firewall option :)

Are you against the outbound protection? Just don't use
it then. In my opinion disabling it will remove one additional
level in your security; being somehow protected is always
better than nothing. Why do you think this feature has been
included into Windows Firewall at all and is there in every
third party firewall? It is likely due to some customer demand,
I'm sure MS won't spend time coding something for fun without
some serious market analysis. Yep, half of the users won't worry
about the outbound protection, as well as a good
portion won't worry about the firewall at all. I don't understand
why I should follow this scenario.

Yes, I'm going to buy a third party firewall, along with the purple
elephant spray, if it makes sense for me :)


 
Guest

Been following this thread for some time now, and must say I’m with voidcoder
– all the way!

On my XP setup (now as SP2) I’ve been using Agnitum Outpost Pro for years,
plus a hardware firewall. Yes, at times it gets a tad annoying when yet
another warning / request window is popped up by Outpost – whether inbound or
outbound.

However, at least I AM AWARE WHAT IS GOING ON!

And that, Jesper and Co, gives me, like many other users, some well deserved
peace of mind. Something severely lacking in any Windows OS – including the
not all too shabby Vista (RTM Ultimate version).

Jesper’s and Alun’s insistence that the user doesn’t need to know about
outbound traffic and preferably shouldn’t even bother, let alone be allowed
to play with its apparently secret settings, makes me wonder, wonder a lot,
actually!

Why should I trust Microsoft all of a sudden? Hell, Redmond’s previous
attitude to security has been somewhat lacking in more than just one area.
And I haven’t even mentioned Redmond’s past snooping attempts. Now that
Microsoft is tackling the issue, granted an applaudable attempt, they still
continue looking at users like children that need to be kept under strict and
ruthless parental control – all of the time, no questions answered, fullstop!

Do I want to be able to filter outbound traffic just like inbound traffic?
Hell yes! Agnitum Outpost Pro kept me safe (and sane) over the years, and
looking at its rather detailed logs (another thing completely and utterly
missing from Vista’s so-called out-of-the-box security experience) Agnitum
Outpost Pro not only has warned me about a fair few suspicious outbound
traffic attempts, but also has saved me from numerous attacks that could have
been potentially disastrous!

So much for Jesper’s and Alun’s claims that outbound filtering, the use of
and the knowledge of how to configure it, is useless for the user. What a
load of claptrap!!

Granted, some users may not want it, and indeed might find it annoying to
say the least. However, perhaps Microsoft in its utter graciousness accepts
that not all users are automated morons content with using what and how
Microsoft allows them to. An inbuilt option for advanced users to configure
the firewall would not only be very much in order, but even more appreciated
by many, I’m sure!

Besides, now that Microsoft has finally gone the security way and seen the
light by offering something that approaches a half usable firewall, why not
go the whole hog, admit to the well documented fact that there are numerous
users out there more than capable of setting up / using correctly a fully
blown software firewall, and offer us the same. Rather than giving us a
half-hearted attempt of a firewall, crippled on purpose simply to keep some
sort of control over the user. It stinks.

Like voidcoder, I will definitely continue paying for a decent third-party
firewall as soon as it becomes available for Vista – can’t wait, in fact!

Meantime, voidcoder, this little free utility might help you gain more
control over programs attempting outbound connections. It's free, and works
like a charm with Vista Ultimate RTM:
• Designed for Windows Vista
• Free
• Protection from incoming and outgoing threats
• Simplicity of operation
• Per-application security settings

Go get it here: http://sphinx-soft.com/Vista/index.html

One more tool to consider, voidcoder: Ad Muncher – great utility to stop
them annoying on-line ads, including Microsoft's petty banners on hotmail et
al.

Go here to get it: http://www.admuncher.com/


voidcoder said:
Oh I see we are quite far a way now from the original
question about the particular firewall option :)

Are you against the outbound protection? Just don't use
it then. In my opinion disabling it will remove one additional
level in your security, being somehow protected is always
better than nothing. Why do you think this feature has been
included into windows firewall at all and is there in every
third party firewall? It is likely due to some customer demand,
I'm sure MS wont spend time coding something for fun without
some serious market analysis. Yep, a half of users wont worry
about the outbound protection, as well as a good
piece wont worry about the firewall at all. Don't understand
why I should follow this scenario.

Yes, I'm going to buy a third party firewall, among the purple
elephant, if it makes sense for me :)


Alun said:
voidcoder said:
Sorry guys, I do not agree with you both. For some
reason you are thinking that you know better than me
what exactly I need to be happy.

Please accept my apologies for arguing with you.

Had I known that the purpose of outbound firewall filtering was simply to
make you happy, I would have quite happily ceded the point to you, as only
you can know what makes you happy.
Somehow the outbound
protection is serving me very well for years, no plans
to change anythings here.

Might I suggest that you also buy some of my purple elephant defence spray?

User testimonials indicate that no users of my purple elephant defence spray
have ever been trampled by purple elephants.
I'm asking how to use the
build in outbound protection in vista firewall while
you are convincing me that outbound protection is not
useful, unsafe etc.

If I have given you the impression that I am arguing that outbound filtering
is unsafe, then I apologise.

I believe that outbound filtering merely offers too little in the way of
security (i.e. close to none) when compared with the added complexity
introduced by implementing it. Since that's a value judgement, you should
feel free to disagree.
It is not more unsafe than the
inbound protection. There is nothing that is 100%
safe, everything can be hijacked. But thinking so you
can simply not worry about the protection at all.

Asking for outbound filtering to protect you from malware is like asking for
keyed locks on the inside, as well as the outside, of your house doors, to
protect you from murderers and thieves. Too late! The criminals are already
on the inside, and are holding the door open!
Yes, you are right of course. The outbound filtering
cannot prevent your machine from getting infected
(again there is nothing that can 100% prevent it),
I'm not expecting more than it can do for me.

Perhaps you can explain what it can do for you?
However it can warn you that there is something
running on your PC that is trying to communicate
with the outside network in background without letting
you know.

For most users, such warnings are generally useless - either they are
dismissed, because the user doesn't understand them, or they put the user
into a frightened state, because the user doesn't understand them. When the
first outbound firewalls were introduced, I was forever having to calm down
users who had become really upset that their ISP was running malware on
their computers, because for why else would their system be repeatedly
trying to make a contact to the ISP on port 53?

[For those who don't want to figure it out, that is simply a normal part of
resolving names, so that you can use www.microsoft.com in a browser instead
of the truly memorable 207.46.225.60]

It is really enough for me to start looking into
what it is and why. Note that without the outbound
protection that "something" will be able to do it
forever, unless one day it is detected some other
way: by the anti-virus, by some changes on your credit
card account etc.

And, with the outbound protection, that "something" will be able to connect
outbound on the Universal Firewall Tunneling Protocol (port 80), or the
Secure Universal Firewall Tunneling Protocol (port 443) through Internet
Explorer, or the Sneaky Firewall Tunneling Protocol (port 53) - unless you
think that we should be warned every time we load up a web browser, or an
application goes to check a DNS name. What about Ping? Are you looking for
the firewall to complain about that on the way out, too? There are endless
numbers of protocols that your outbound filter shouldn't be filtering, and
which malware can use to phone home.

Defining the inbound/outbound rules in learning mode
for some particular binaries in conjunction with
checking that the binary isn't modified (a standard
function for most of today's firewalls) is all I need
to be happy.

This component of Vista doesn't appear to have been designed with the goal
of keeping you - or me - happy. Jesper's a little happier about it, but
then I think he may have had some input in the design :)

Bad thing is that learning mode is for some
reason only implemented for inbound filtering, otherwise
I would stop any research in this field and stay with
vista firewall. Unfortunately it is not there so I'm
forced to spend some additional $ and buy a third party
solution to fill my needs.

Every now and again, the default operating system tools will not satisfy
your innermost desires. That's what third party tools are for. In the
eighty/twenty rule, you have just migrated across the boundary from eighty
to twenty. You're special. Keep telling yourself that as you pay for a tool
that I'm convinced is completely useless. :)

Only installing software that I trust is not an
option for me. How do you decide that you trust
or not trust some software from an unknown vendor?

I go by reputation, documentation, testing and need.

Mine is usually installing a demo/trial/whatever to see
what it is, how it works, whether it is exactly what I need,
whether it is safe etc., and finally I decide that I trust it
and need to buy it, or just need to uninstall it and forget
about it. For me it looks like the right tactic, not sure
about others. A friend of mine even checks everything new
on Virtual PC first prior to installing it on the main
machine, but that is a bit of an overhead for me.

It's all a risk/benefit analysis, but too many people don't realise that
they should be considering risks versus benefits.

Alun.
~~~~
 
Alun Jones

akita said:
Jesper's and Alun's insistence that the user doesn't need to know about
outbound traffic and preferably shouldn't even bother, let alone be allowed
to play with its apparently secret settings, makes me wonder, wonder a lot,
actually!

I applaud your ability to misconstrue what I'm saying in this thread. I am
saying this:

Outbound filtering firewalls do not protect you from attack.

That's all.

I have no problem with you using outbound filtering to learn what your
applications are doing. Education is a fine thing, and you would do well to
increase your own.

Why should I trust Microsoft all of a sudden?

If you're running Windows, you already trust Microsoft - to the hilt. Every
application you run under Windows, every piece of data you store on a
Windows machine, is already given over to Microsoft's code. If you distrust
Microsoft, you should not run code from them - the same goes for any third
party that you distrust. Do not run code from untrusted individuals, groups,
organisations or companies.

Hell, Redmond's previous
attitude to security has been somewhat lacking in more than just one area.

And yet now they've had a "road to Damascus" conversion, and they're leading
the field, particularly in regards to development practices and processes
that are designed to produce secure code and protect privacy.

How are other companies doing on this track? What company has a better
process than Microsoft for securing their code?

And I haven't even mentioned Redmond's past snooping attempts. Now that
Microsoft is tackling the issue, granted an applaudable attempt, they still
continue looking at users like children that need to be kept under strict
and ruthless parental control - all of the time, no questions answered,
full stop!

Microsoft makes a lot of money out of making operating systems that any
idiot can use. As a result, of course, many idiots use their operating
system, along with others who have better understanding of what they are
doing. The defaults are set for the majority of Microsoft's users to remain
safe and secure for the most part; advanced users can modify the defaults or
use third-party utilities to get the extra capabilities that they feel they
need.

Do I want to be able to filter outbound traffic just like inbound traffic?
Hell yes! Agnitum Outpost Pro kept me safe (and sane) over the years, and
looking at its rather detailed logs (another thing completely and utterly
missing from Vista's so-called out-of-the-box security experience) Agnitum
Outpost Pro not only has warned me about a fair few suspicious outbound
traffic attempts, but also has saved me from numerous attacks that could
have been potentially disastrous!

It may have saved you from attacks, but not by outbound filtering - once you
see the outbound filtering messages, you're already attacked - you're
already running untrusted third-party code.

"The calls are coming from inside the house." - your computer is owned.

So much for Jesper's and Alun's claims that outbound filtering, the use of
and the knowledge of how to configure it, is useless for the user. What a
load of claptrap!!

Jesper's claims are subtly, but distinctly, different from my own. My claim
is simply that the use of outbound filtering does not prevent attacks; it
may be useful as a policy filter within an organisation (disallow outbound
traffic on ports commonly associated with chat applications, stolen file
sharing and so on, for instance), but adding it to your firewall sticks
unnecessary complexity into what should be a simple enough application that
you can prove its security.

Granted, some users may not want it, and indeed might find it annoying to
say the least. However, perhaps Microsoft in its utter graciousness accepts
that not all users are automated morons content with using what and how
Microsoft allows them to. An inbuilt option for advanced users to configure
the firewall, would not only be very much in order, but even more
appreciated by many, I'm sure!

"netsh firewall" along with the GUI should provide you with most of what you
want. After that, as you've pointed out, there are numerous third-party
tools.

Besides, now that Microsoft has finally gone the security way and seen the
light by offering something that approaches a half usable firewall, why not
go the whole hog, admit to the well documented fact that there are numerous
users out there more than capable of setting up / using correctly a fully
blown software firewall, and offer us the same. Rather than giving us a
half-hearted attempt of a firewall, crippled on purpose simply to keep some
sort of control over the user. It stinks.

You have been party to the conversations inside of Microsoft when they were
designing the firewall? You know that this was "crippled on purpose simply
to keep some sort of control over the user"? Is this information first hand,
second hand, or merely supposition on your part?

From my perspective, I'm guessing that outbound filtering was added on the
basis that there were too many self-labeled "security experts" saying that
"outbound filtering is where it's at, man, if you don't have that, you're
not a secure firewall" - it's a marketing feature to me.

Every feature you add to a firewall makes it more complex, and more likely
that there's a bug that can be exploited to bring down the firewall. I like
my firewalls simple and strong, rather than complex knitting.

Like voidcoder, I will definitely continue paying for a decent third-party
firewall as soon as it becomes available for Vista - can't wait, in fact!

That's for you to decide, and it's up to you as to whether you feel it's
necessary. But don't be saying that outbound filtering prevents your system
from being attacked without expecting people like me to jump up and tell you
that you're wrong.

In fact, given the pluggable nature of Windows Vista's firewall stack, it
should even be _easy_ for a firewall vendor to produce an outbound filter
for Vista. All you have to do is write a device driver, following the sample
code that's already in the DDK. If you're a developer, try it - it's
insanely easy.

One more tool to consider, voidcoder: Ad Muncher - great utility to stop
them annoying on-line ads, including Microsoft's petty banners on hotmail
et al.

Or, you could actually pay for your email, and not have to worry about
advertising that subsidises the free service you're using. Eventually, the
free service providers will find a way to guarantee that their adverts are
tied to their email in a way that you aren't ready to extract.

Alun.
~~~~
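Alun points at "netsh firewall" plus the GUI, and akita complains that detailed logs are missing; the following is an added example (not posted by anyone in this thread) showing the Vista `netsh advfirewall` equivalents: an outbound rule scoped to the Windows Update service alone (service short name wuauserv), dropped-connection logging switched on, and a small PowerShell summary of logged outbound drops by protocol and remote port. Assumptions: an elevated PowerShell prompt, the default pfirewall.log location, and the W3C field order Windows writes into that log's "#Fields:" header.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Assumes the Windows Update service short name "wuauserv" and the default
# firewall log path. The block rule is only an illustration of scoping a
# rule to a service; delete it again when done (see the last comment).

# 1. Outbound rule that applies to the Windows Update service only: the
#    netsh equivalent of the "Customize... / Apply to this service" GUI
#    steps. No program= is given, so the rule follows the service whichever
#    host process it runs in (the "All programs" step in the wizard).
netsh advfirewall firewall add rule name=BlockWindowsUpdateOutbound `
    dir=out action=block service=wuauserv

# 2. Make blocked outbound attempts visible: log dropped connections.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging filename $LogPath
netsh advfirewall set allprofiles logging droppedconnections enable

# 3. Summarise dropped outbound attempts by protocol and remote port.
#    pfirewall.log is W3C format; its "#Fields:" header lists
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path
#    where path is SEND for outbound and RECEIVE for inbound traffic.
function Get-OutboundDropSummary {
    param([string]$Path = $LogPath)

    Get-Content -Path $Path |
        Where-Object { $_ -and $_ -notmatch '^#' } |   # skip header lines
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{
                    Protocol   = $f[3]
                    RemoteIP   = $f[5]
                    RemotePort = $f[7]
                }
            }
        } |
        Group-Object -Property Protocol, RemotePort |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# With Vista's default outbound policy (allow), only traffic that hits an
# explicit block rule is dropped and logged. A UDP/53 entry is name
# resolution, as Alun notes above, not something exotic.
Get-OutboundDropSummary

# Clean-up once you have seen the effect:
# netsh advfirewall firewall delete rule name=BlockWindowsUpdateOutbound
```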
 
Alun Jones

voidcoder said:
Are you against the outbound protection? Just don't use
it then. In my opinion disabling it will remove one additional
level in your security, being somehow protected is always
better than nothing.

That's the purple elephant protector commercial's line - you're "somehow
protected" against stampeding purple elephants, even if you can't actually
say how.

Yes, I'm against extra "protection" that adds complexity to something that
needs to be robust. Robustness in code comes through simplicity - code that
is too simple to be significantly wrong. Add complexity and, even if you
disable it, you have added more chance for mistakes.

Why do you think this feature has been
included into windows firewall at all and is there in every
third party firewall? It is likely due to some customer demand,

I'm sure it is due to some customer demand. I don't think it's due to any
sound application of security theory.

After all, if customers demand protection from purple elephants be built
into their cars, what are you going to do - build a car with purple elephant
protection built in, or spend a lot of time and effort telling people that
there's no such thing as a purple elephant?

I'm sure MS won't spend time coding something for fun without
some serious market analysis. Yep, half of users won't worry
about the outbound protection, and a good part won't worry
about the firewall at all. Don't understand
why I should follow this scenario.

Yes, I'm going to buy a third party firewall, among the purple
elephant, if it makes sense for me :)

Your prerogative - but it's not because it will protect you from malware.

Alun.
~~~~
 
Jeff

Well said Alun

 
Jeff

well put

Jeff

 
voidcoder

I do understand very clearly how it works and what the
outbound filtering exactly does. There is really no need
to explain anything, maybe except why I'm simply
asking a particular question about the vista firewall
settings but getting almost propaganda on why I should
not use the outbound filtering.

Again, I do not expect from the outbound filtering more
than it can do for me. I know what it does and I do
need this function independently of what the others are
thinking about it.

I agree, once you've got something running on your machine,
there is NOTHING (including the outbound filtering) that may
prevent it sending out some data. However most of the software
of that sort (not necessarily malware, just any software that
is trying to pass some data without letting me know) is really
not smart and tricky enough to deceive a simple outbound filtering.
Sure there may be some monster malware capable of passing your
firewall, antivirus or whatever. But it is totally a different
song.
 
Jeff

akita,
personally objective here actually - have used all manner of firewalls in
XP - and I'm actually impressed with MSFT's design this go round.
Pay for outbound GUIs if ya want - not for me; at least in Vista.
In XP, yes - definitely needed a 3rd party app, but I see no need in
Vista - so far.
Preventing certain things from dialing home is all well and good, however
certain "legit" apps will shut down your PC if you deny them outbound in
Vista.
Which is what many people are looking at - no doubt.

So, no high horse here, do what ya like, no need for me to spend good $$$ on
something not needed

Jeff
 
