Windows 7 Firewall: A Glimpse of Light at the End of the Tunnel?

Last updated Jan 9, 2009.

There are two main protection programs the average end user will install on their computers to keep the bad guys at bay: Antivirus and Firewall. While this can be debated, the most important of these programs is the firewall. The reasoning for this is that an Antivirus program really only protects the user from themselves — meaning, if a user does not participate in activities that are risky, and they keep their operating system and software up to date, the AV software will only detect benign threats. For example, is an executable that arrives via email a serious risk if the user never opens unknown attachments? Secondly, AV software is only as good as the signatures it can recognize. As a result, most new viruses will slip right through the protection without a single warning.

On the other hand, the firewall is more of a preventive type of protection software, assuming the firewall is powerful enough and properly configured. In fact, a solid host-based firewall can protect a system much better than most AV software, especially from malware that incorporates some type of networking ability — which most currently do. Unlike AV, which is reactive in nature, the Firewall stops the threat before it ever has a chance to infect the protected system (barring a bug in the firewall).

Over the years software vendors have developed and released many firewall programs, many of which have been free for the home user. BlackICE, ZoneAlarm, Tiny, Comodo and others have long been recommended by security and IT professionals because they are easy to use and do the job right. Ironically, Microsoft’s very own Windows Firewall has not been part of this list — even though it is included with Windows XP and Windows Vista.

The reason for this is relatively simple: the Windows Firewall is not up to par. Specifically, a good firewall needs to be able to block incoming attacks from an external threat as well as detect and block unauthorized communication originating from the host computer or network. While the Windows Firewall blocks incoming traffic, it does not attempt to do anything to block outgoing traffic. The end result is that if a system were infected by a rogue piece of software such as a Trojan or virus, the Windows Firewall would gladly let data generated by that malware leave the "protected" system. That is, until Windows 7.

Windows 7

Windows 7 is the next major operating system scheduled to be released by Microsoft. As of January 1, 2009, this operating system is in Beta, which basically means it is not quite ready for public consumption or production machines. It is however ready for computer geeks to test and play with, which is good for Microsoft because they can draw on the debugging abilities of thousands of computer professionals. Once the bugs have been worked out of the Beta release, you can expect Microsoft to pull out all the stops and push this operating system to the masses in a way that has never been seen before.

The reason for this is that its predecessor, Windows Vista, has been considered a complete flop by the majority of the IT world. The OS is slow, quirky, intrusive, frustrating for anyone but the casual user, and really doesn’t make life easier. In fact, you need about four times the hardware capability to run Vista as you did to run Windows XP. Incidentally, it is our belief that Microsoft might have just worked a miracle or two with Windows 7. Not only is this system much faster than Vista, but it operates in a way that is non-intrusive, customizable, and actually enjoyable to use.

The Windows Firewall (Old School)

The Windows Firewall, while simple to use, has been notoriously weak for the power user. While most users will simply turn the firewall On or Off, Microsoft has provided an interface to set up "Exceptions" that can be created based on either a program or a port. For example, if you wanted to set up a web server on your computer, you could create an exception to allow incoming port 80 requests. Alternately, you could configure the firewall to allow the web server application, which would by default permit incoming port 80 traffic, or whatever port the web server was configured to use.

If you notice, nothing in the above indicated any control over outgoing traffic. This represents the significant lack of control and power of the Windows Firewall. Figures 1 and 2 illustrate these limitations. In figure 1, you can see that your options are reduced to a list of pre-existing programs and the ability to add a program or port — again, this is only incoming permissions, not outgoing. Figure 2 illustrates the screen you can use to add a port exception. Note the lack of a "Both" option for the Protocol.

Figure 1: Reviewing Exceptions in Windows Firewall

Figure 2: Adding Port Exceptions to Windows Firewall

In short, the Windows Firewall is a rather poor example of what existing firewall technology is capable of. Fortunately, Windows 7 has changed all this.

The Windows Firewall Reborn

As previously mentioned, a firewall should offer a solid obstacle to both incoming and outgoing attacks, and be easily and completely customizable for all the odd things that you might want to permit on your host/network. For example, if I want my OS to permit only TCP outgoing from port 25 on my machine to port 65500 on a computer on the other side of the world, I should have that ability. Or, if I want to block all IPv6 and allow GRE, the firewall should be able to handle these requests. Simply put, a Windows desktop firewall should handle many more protocols than just TCP and UDP (as with earlier versions).

So, let’s start with the Windows 7 main firewall screen (Figure 3). The first thing to note is that the screen is clearly laid out and easy to read. There are two distinct areas, each clearly labeled: Home or work (private) networks and Public networks. The separation of these two areas is a subtle indication that a user's security needs are different depending on where they are connected. In other words, there are numerous dangers that exist at a public hotspot that should not exist in your work network. In addition, there are many features and functions that you will need access to (e.g., file sharing and printing) in a secure private network that should not be generally available in public locations.

Figure 3: Windows 7 Firewall Dialog Window

The second item to note is the left side of the window that lists other options related to the Windows Firewall. This is a short list of the most common functions or features that you will need to adjust as a user. Of the items on this list, the Advanced Settings option is the one that interests us the most.

Upon viewing the Advanced Security screen, you will either think there is too much information, or you will be amazed by the detail: the former represents the typical user, the latter the power user. There is no better or worse in this case; in fact, this is exactly why Windows 7 is refreshing and exciting. In other words, it gives the typical user access to the resources they want without a million "Are you sure?" pop-ups and a bunch of confusing and scary warnings. At the same time, the power user can quickly drill down into the configurations and settings they want access to and really have full control over their computer. It is the best of both worlds.

As mentioned earlier, previous versions of the firewall had no intrinsic method of blocking outbound connections. As Figure 4 illustrates, this is no longer the case. Included with the default install of Windows 7 is a comprehensive list of rules that will keep the typical user secure, but at the same time allow them to actually use their computer on a network. But what if you are a power user or system administrator?

Figure 4: Windows 7 Firewall with Advanced Security — Outbound Rules

To illustrate, let’s say I want to allow outbound FTP access to machines on the Internet, but do not want users to FTP to internal servers or printers. With the Windows 7 Firewall, it is now possible to set up this type of control. All you would need to do is select the Outbound Rules option from the left, and then click on New Rule on the right. From here there are a few routes you can take. The first is to walk through the basic wizard and block port 21, and then, once the rule is built, open the rule properties window and manually adjust the Scope. Alternately, you can select Custom Rule in the wizard and manually set up your rule by blocking TCP port 21 access to all remote 192.168.1.0/24 IP addresses. Incidentally, you can even configure this rule to apply to certain local IP addresses or interfaces, in case the computer is dual homed (more than one network card/connection). Figure 5 provides a shot of the New Outbound Rule Wizard. Note the list of available protocols. Figure 6 provides a shot of the FTP Test Properties dialog window with the Scope configured as we discussed (block all internal FTP use, but allow Internet FTP use).

Figure 5: New Outbound Rule Wizard – Protocol Options

Figure 6: FTP Test Properties Window
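
The same outbound rule can be created and checked from the command line with `netsh advfirewall`, which manages the same rules as the Windows Firewall with Advanced Security console. This is an added example, not part of the original article; it reuses the article's rule name ("FTP Test") and subnet (192.168.1.0/24) and assumes the default log file location.

```bat
@echo off
rem Added example, not from the original article. Run from an elevated
rem Command Prompt on Windows 7 or later.

rem 1. Confirm the default outbound policy. The stock setting is
rem    "BlockInbound,AllowOutbound", which is why a single block rule is enough:
rem    FTP to Internet hosts keeps working because nothing else denies it.
netsh advfirewall show allprofiles firewallpolicy

rem 2. Block outbound TCP port 21 to the internal subnet only.
rem    "FTP Test" and 192.168.1.0/24 are the rule name and scope from the article.
netsh advfirewall firewall add rule name="FTP Test" dir=out action=block ^
    protocol=TCP remoteport=21 remoteip=192.168.1.0/24 profile=any

rem    On a dual-homed machine, add localip=<address of one interface> to the
rem    command above to restrict the rule to traffic leaving that interface.

rem 3. Read the rule back and check Direction, RemoteIP, RemotePort and Action.
netsh advfirewall firewall show rule name="FTP Test" verbose

rem 4. Log dropped connections so blocked attempts are visible afterwards.
netsh advfirewall set allprofiles logging droppedconnections enable

rem 5. After a user tries FTP to an internal host, look for the drops.
rem    Default log location; fields are date, time, action, protocol,
rem    source IP, destination IP, source port, destination port.
findstr /C:"DROP TCP" "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" | findstr /C:" 21 "

rem To undo: netsh advfirewall firewall delete rule name="FTP Test"
```

If the outbound policy in step 1 has been changed to block, this rule alone no longer describes the behavior, and FTP to the Internet needs its own allow rule.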

Summary

If Microsoft improves the rest of Windows 7 as it has the Firewall, they may just be able to redeem their reputation as a company that understands consumer operating systems. If nothing else, Firewall vendors will need to consider how they will combat the end of their market. Given the number of users that are skipping Vista, it is our guess that Windows 7 will be quickly accepted and implemented by both the consumer and business community. Once this happens, there will be little need for third-party firewalls like Norton, ZoneAlarm, or McAfee.
