Microsoft takes down barrier in Vista firewall
Posted by Dice on 28 April 2006 - 02:18 · 48 comments & 27573 views
About the Author
Full name: Unknown
Forum name:
Dice
Contact: via forum PM
Submissions: Normal · Headline
Full name: Unknown
Forum name:
DiceContact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google- Advertisement
-
-
(3 replies)
#1 Posted by Sam FT on 28 Apr 2006 - 02:51
- I wish they would change XP to check outgoing as well.
-
#1.1 Posted by Windam on 28 Apr 2006 - 03:01
- then that would be like stripping out another feature of vista.
-
#1.2 Posted by BigBoy on 28 Apr 2006 - 04:23
- It's called Windows OneCare - it comes with a bidirectional firewall, installs on XP.
-
(1 reply)
#2 Posted by JadeWolf324 on 28 Apr 2006 - 02:59
- well then maybe the consumer needs to be a tad more educated about using their computer beforehand...its not nearly as hard as driving a car or filing your taxes...come on now..
-
#3 Posted by qdave on 28 Apr 2006 - 03:27
- probably cool. still organisations have people to do that sort of things.
-
(2 replies)
#4 Posted by ZTrang on 28 Apr 2006 - 03:29
- Not to be a "this is old news!" freak, but wasn't this already posted as news - on the front page, no less - a short while ago?
-
(1 reply)
#5 Posted by Sam FT on 28 Apr 2006 - 03:35
- I do internet tech support, then you should talk and listen to our customers then you will see why I would like to see outgoing firewall in XP. But yes I agree with you...about the taxes and driving a car.
-
#5.1 Posted by semifamous on 28 Apr 2006 - 15:54
- Quote - Sam FT said @ #2.2I do internet tech support, then you should talk and listen to our customers then you will see why I would like to see outgoing firewall in XP. But yes I agree with you...about the taxes and driving a car.I also do internet tech support, but you should talk and listen to our customers. Then you will see why I would hate to see outgoing firewall in XP.
Do you know how many calls we get here from people with some other firewall (Norton, McAfee) who don't understand why they can't get Internet Explorer/Outlook Express/"The Internet" to work until they turn their firewall off because the firewall decided to block all traffic?
-
(2 replies)
#6 Posted by dhan on 28 Apr 2006 - 04:05
- This is Bad, very bad. Enterprise customers already have easy way to control using group policy. Why screw home users for this ?
(Personally I never used/needed a firewall, always kept it off) -
#6.1 Posted by oatmeals on 28 Apr 2006 - 15:05
- Your answered your own question:
"(Personally I never used/needed a firewall, always kept it off)"
-
(1 reply)
#7 Posted by Mike Frett on 28 Apr 2006 - 04:14
- Any of you know if you can turn it off? I have a hardware firewall and would not like to be bothered with this.
-
#8 Posted by Nidonocu on 28 Apr 2006 - 04:49
- Of course you can turn it off. And if Microsoft put in an 'easy' firewall program in the base O/S, a billion and one Firewall companies would sue them for unfairness. Silly really if you think that its Microsoft's holes that keep them in business.
-
(2 replies)
#9 Posted by Fubar on 28 Apr 2006 - 07:04
- well lets hope they try , although i doubt vista will be popular with alot of people considering it will make dual booting fustrating with btilocker , the more and more i read about vista the less and less i want to get it
-
#9.1 Posted by bobbba on 28 Apr 2006 - 09:09
- enabling bitlocker is not compulsary from what i understand. if you dual boot, don't enable it.
-
#9.2 Posted by Sub on 28 Apr 2006 - 14:04
- Did everyone who read the Digg story take it to heart. Guys, Bitlocket locks VOLUMES. It locks a certain partition, it does not lock the whole hard drive. Duel booting will be just as easy as it is now. The only diffrent is, READNTFS and other linux programs that read NTFS partitions will not work. Unless of course the encryption is cracked.
-
(2 replies)
#10 Posted by Jugalator on 28 Apr 2006 - 07:31
- OK, I can understand the default, although permitting any outbound traffic in a firewall isn't something a user should strive for.
However, what I don't understand is why this process will be less than trivial (according to this article). Shouldn't it just be a checkbox; if on to block, you start getting "outgoing traffic" dialog boxes letting you create rules or just allow for that time, and if off to disable, just ignore any blacklists you've built and never show any dialogs, allowing everything outgoing. -
#10.1 Posted by mrbester on 28 Apr 2006 - 09:53
- You mean like ZoneAlarm or any other decent software firewall product? That would be too easy; it's much better to allow users to (probably unintentionally) install trojans that zombiefy their box that clog up the net rather than incorporate any variety of easily configurable security. It would be easy for a user to click a link in the popup that says something like "You want to know what this program is?" for those that don't immediately recognise the offending program to see whether it is valid or not. But that concept is obviously too controversial, after all it allows the user to control what their box does and we can't allow that can we?
-
#10.2 Posted by mram on 30 Apr 2006 - 22:36
- Frankly, mrbester, you make it sound too easy. The reality is that many many people find zonealarm highly annoying, and most of them are novice users.
Your sarcasm aside, I'm sure MS wants to make it as secure as possible while making it as easy as possible. Configuring outbound security is the most annoying element of firewall management, and also the most controversial. Novice users just can't handle it, that's the plain and simple truth. But since it's included, even if not on, most of your argument is moot -- if you really wanted it, you could just, you know, turn it on.
The flat fact is for novice users, antivirus, inbound firewalls, and patch management are really the three pillars needed for good security. This would definitely fall into the realm of "advanced" and "best" security, but it's arguable if you really need it. As many has said here, I sure don't... and I like many others just don't want to be annoyed. I'll stick with autoupdates, inbound firewalls, and antivirus. That's worked great for me and many others for a few years now, and until there's a good cause to change that, I don't see the need to be annoyed by more prompts by default.
-
#11 Posted by Peter McGrath on 28 Apr 2006 - 07:53
- as long as there is a checkbox that says "stop blocking connections AND never ask me again" I'll be happy
-
(4 replies)
#12 Posted by Daninku on 28 Apr 2006 - 08:20
- I can see Microsoft buying Zone Labs in the future.
-
#12.1 Posted by Jon on 28 Apr 2006 - 08:39
- That would involve MS buying Checkpoint. Can't see it happening!
-
#12.2 Posted by HawkMan on 28 Apr 2006 - 12:07
- Why would they buy one of the worst firewalls though ?
if they bought anythign they would do liek they did with spyware and just buy the best one.
unfrotunately Tiny/Kerio was allreadybought and killed, even if there was that company who was going to make a nw Kerio/tiny under a different name. -
#12.3 Posted by Havin_it on 28 Apr 2006 - 12:20
- Yeah, whatever happened with that? I heard much good about Kerio, but I wouldn't want to jump to a product without a future...
-
#12.4 Posted by HawkMan on 28 Apr 2006 - 14:49
- ah, found the guys who bought Kerio. knew it was somethign with sun in it
http://www.sunbelt-software.com/Kerio.cfm
-
(2 replies)
#13 Posted by ahhell on 28 Apr 2006 - 10:50
- Big deal. Who cares about outbound traffic?
It's the inbound traffic that you have to worry about. -
#13.1 Posted by SMeK on 28 Apr 2006 - 19:18
- not really, if you get infected with a drone and the firewall missed it. it could detect masses of information going to one source and could theoreticaly stop your pc from being part of a denial of service attack
-
#13.2 Posted by mram on 30 Apr 2006 - 22:37
- That's what antivirus is supposed to catch -- at least good antivirus products.
Additionally not running as administrator will prevent these kinds of installations from happening, which is why Vista runs IE as a least-privilaged user, and in general is a great administrative practice anyway.
-
(1 reply)
#14 Posted by cork1958 on 28 Apr 2006 - 12:34
- I think it should be turned on by default. That way, at least when it pops up it's first warning, a user will have to at least LOOK at what it is. If not turned on by default, joe blow user will never even know it exists!
Hasn't MS learned from these kind of dumb mistakes yet? -
#14.1 Posted by DefensiveCore on 28 Apr 2006 - 12:41
- Actually Joe Blow will get to the point they will no longer even look at the warning, and allow everything that pops up, defeating the purpose anyways.
-
#15 Posted by sphbecker on 28 Apr 2006 - 13:25
- In some ways I like the idea of a two-way firewall, but its really not a big deal to me (its interesting to see what random apps try to "call home" ).
I do have one concern with the safety of two-way firewalls. Let’s say you start using a program, junk.exe, and junk.exe tries to use the internet. My two-way firewall alerts me and asks if I want to allow access. I know that junk.exe needs to check for updates so I say I want to allow it access to the internet. Everything is fine so far, but here is my issue. The firewall now has an acceptation saying that junk.exe traffic can go through the firewall. The problem is that junk.exe really is junk and it opens listening ports which make my computer valuable. With a one-way firewall junk.exe would not have needed an acceptation and inbound would have still been blocked; with the two-way I need to grant it access to get out, but doing so also allows inbound to that app.
Perhaps some firewalls already work this way, but I would like to see two different prompts. One asking if a process can use the network/internet connection and another with a strongly worded warning message asking if you want to allow the process to open listening ports and allow other computers from the internet to connect to your computer. The second prompt should also allow you to choose between “All computers including those from the internet” and “only computers on my local subnet.”
I know that you can manually set this up, but the prompts are the key. The way in which the firewall can setup its self needs to follow good practices. IE, getting out to the internet isn't that big of a deal, but allowing listening ports requires direct user authority.
-
#16 Posted by P1R4T3 on 28 Apr 2006 - 13:55
- Now the EU will have a new reason to complain.
-
#17 Posted by fpd on 28 Apr 2006 - 16:38
- How will this be any more difficult than zonealarm?
-
#18 Posted by TwoTailedFox on 28 Apr 2006 - 19:26
- As long as I can turn it off, I don't care.
-
#19 Posted by RangerLG on 28 Apr 2006 - 20:06
- There's a shock. ZoneLabs trashing another company's firewall.
-
(1 reply)
#20 Posted by Coolme on 28 Apr 2006 - 21:46
- Quote -then that would be like stripping out another feature of vista.
Let me ask you a question, what is considered a 'feature' of vista? Is a program that adds security to the OS, which should be a free update to exsiting windows users considered to be a feature? I think not. I think a new 'feature' in an OS should not be something that patches or makes it more secure, instead it should be something like faster searching, virtual folders.... new and innovative programs and ways of doing things. Continual security related updates for an OS should never comes across as a premium. -
#20.1 Posted by toadeater on 29 Apr 2006 - 21:40
- Quote - Coolme said @ #1.3Quote -then that would be like stripping out another feature of vista.
Let me ask you a question, what is considered a 'feature' of vista? Is a program that adds security to the OS, which should be a free update to exsiting windows users considered to be a feature?
MS doesn't owe users anything other than what they have advertized. They don't have to include a firewall at all.
-
#21 Posted by TickleOnTheTum on 28 Apr 2006 - 22:16
- I think this is a great idea, and ZoneLabs, as RangerLG says, are just upset that it may decrease their sales. It's hardly surprising that they'd kick up a fuss but it is a little childish.
-
#22 Posted by Xavien on 29 Apr 2006 - 06:19
- in the end, hardware firewalls are pretty much the best out there and dont drain your computers resources and you only need one for the entire network. I have one, so quite frankly i dont care about vista's little firewall and ill be turning it off...
if i ever get vista that is (unless games come out that require DirectX 10/Vista im not switching for a long while)
-
(1 reply)
#23 Posted by Angel Blue01 on 29 Apr 2006 - 12:42
- I look foward to not having to install a third-party firewall
-
#24 Posted by shirike on 30 Apr 2006 - 07:55
- I think Microsoft need to take a different approach to their attempts at user-friendliness and stop relying so heavily on pop-ups.
Although, part of me also wishes Microsoft was as technically-challenging as Linux because I've learned so much from using Linux.
-
#25 Posted by tom5 on 30 Apr 2006 - 07:56
- "The reason for this is Microsoft has received strong feedback from its customers, especially from large organizations and government departments, saying that they would like to manage this feature from an administrator level."
<LOL>
They should better say: "Microsoft has received strong feedback from its customers, especially from large organizations and government departments, saying that they wouldn't be able to SPY ON YOU anymore"
"Because the nature of an outbound firewall is to restrict the traffic sent to specific ports, the outgoing access in the Windows Vista firewall is open by default," a representative for the software maker told ZDNet Australia. "The reason for this is Microsoft has received strong feedback from its customers, especially from large organizations and government departments, saying that they would like to manage this feature from an administrator level."
Configuring the Vista firewall to stop outgoing connections made by rogue applications and malicious software will require a varying degree of technical knowledge, depending on each user's security requirements, Microsoft said.
Firewall specialist Zone Labs said that people will require a "fairly high level of sophistication" in order to properly configure the Vista firewall. For consumers, the company said the task will be nothing less than "challenging."
"Outbound protection requires a fairly high level of sophistication to engage, and reports indicate that Microsoft expects that functionality to be used by IT professionals in a business-networking environment," Laura Yecies, general manager at Zone Labs, said.
Security specialist Michael Warrilow, director of Sydney-based analyst firm Hydrasight, believes that Microsoft has found it too difficult to create an all-encompassing firewall. However, he said that by not putting the capabilities of the firewall into full play, the company is not ignoring its nontechnical customer base.
"In effect, Microsoft is putting outbound (protection) in the 'too hard' basket for the time being," Warrilow said. "The firewall is to protect against inbound attacks--instead of protecting the rest of the world from you."
Vista's firewall is just one layer of security in the new operating system, according to Microsoft. "New features such as User Account Control, Windows Defender, and Internet Explorer Protected Mode, along with improvements to Windows Firewall and Windows Update, work together to help shield Windows Vista PCs from malware," or malicious software, the company's representative said.