Windows 7 - built in firewall or zone alarm?

ajf

I understand the Win7 firewall is now pretty good for general use.
Any reason to install alternatives such as zone alarm?
Any config for win7 firewall that improves performance?

Andrew
 
Nothing at all wrong with Windows Firewall in Vista/7. Although assuming you are behind NAT, you shouldn't need to be adjusting anything at all.
 
I set up Windows Firewall ( wf.msc ) on a fresh Vista install on my laptop.

Carefully blocked all inbound connections, without exceptions.

Carefully blocked all outbound connections, then set up rules to allow a select few ( DNS, Firefox etc. )

Imagine my surprise when I discovered that outbound rules for 'File and Printer Sharing' and, later, inbound rules for MSN Messenger had silently been (r)enabled!

Although I'd have preferred to go with the inbuilt solution, I couldn't trust it after that. I'm currently using a third party solution.

Maybe it's user error? Can anyone shed any light on this unwanted behaviour? :confused:
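The lockdown described in this post (block both directions, then allow a select few) together with a check for the silent (r)enabling it reports, as an added example that is not from anyone in the thread. It drives the same engine wf.msc does on Windows 7 through netsh advfirewall; the rule names, the Firefox path and the baseline file location are assumptions.

```powershell
# Added example: lock down the Windows 7 firewall with netsh advfirewall, then detect
# rules that became enabled behind your back (e.g. after a network-location change).
# Run from an elevated PowerShell prompt. Paths and rule names are assumptions.

$Baseline = "$env:ProgramData\wf-baseline.txt"   # assumed location for the saved rule list

function Set-LockedDownPolicy {
    # Block everything in both directions on every profile (Domain, Private, Public),
    # then open only what is needed: a port rule for outbound DNS and a program rule
    # so that only the browser binary may talk out.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound | Out-Null
    netsh advfirewall firewall add rule name="Allow outbound DNS" dir=out action=allow protocol=UDP remoteport=53 | Out-Null
    netsh advfirewall firewall add rule name="Allow outbound Firefox" dir=out action=allow program="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" | Out-Null
}

function Get-EnabledRuleNames {
    # Parse the text output of 'show rule': keep only rules whose Enabled field is Yes.
    $names = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+)$') { $current = $matches[1].Trim() }
        elseif ($line -match '^Enabled:\s+Yes' -and $current) { $names += $current }
    }
    $names | Sort-Object -Unique
}

function Save-Baseline { Get-EnabledRuleNames | Set-Content -Path $Baseline }

function Test-RuleDrift {
    # Report any rule enabled now that was not enabled when the baseline was saved.
    # 'File and Printer Sharing' or 'MSN Messenger' appearing here is exactly the
    # silent re-enabling reported in the thread.
    $old = @(Get-Content -Path $Baseline | Where-Object { $_ })
    $new = @(Get-EnabledRuleNames)
    $drift = Compare-Object -ReferenceObject $old -DifferenceObject $new |
             Where-Object { $_.SideIndicator -eq '=>' } |
             ForEach-Object { $_.InputObject }
    if ($drift) { Write-Warning "Rules enabled since baseline:"; $drift }
    else { Write-Host "No newly enabled rules." }
}

Set-LockedDownPolicy
Save-Baseline
# ... join a network or change its location (Home/Work/Public), then re-check:
Test-RuleDrift
```

Re-run Test-RuleDrift whenever the machine joins a new network; anything it lists was enabled by something other than you.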
 
Did you configure the firewall, and then join a network with the "Home" or "Work" setting? I can only imagine it reconfigures the firewall for you automatically and hence opened it up again.

(pure speculation)
 
I'm strongly in favour of using a firewall with outbound filtering. By default, windows firewall doesn't do this unless you arse about with wf.msc like eXor did. I use Windows 7 firewall control [free] to implement this functionality.

Two little-known free firewalls score as highly as anything in most tests - Online Armor and PC Tools Firewall.

The results of the internet security tests at Matousec will surprise a few people....

;)
 
Many thanks for the replies.
I will look at that app mentioned to configure outbound connections.
It is needed for one of our managers who purchased himself a nice shiny HP Envy, but as it has Windows 7 on it, our own corporate software currently does not work with it, and as he is not using it on our network I just need a sensible alternative.

On a similar topic, on a typical (cable) router is it usually necessary to configure anything extra in the firewall/security, or does it generally work well 'out of the box'?

I am possibly guilty of never really looking at that, even on my own router, beyond WPA settings etc.

Andrew
P.S. The Envy is VERY nice :)
 
I'm strongly in favour of using a firewall with outbound filtering. By default, windows firewall doesn't do this unless you arse about with wf.msc like eXor did. I use Windows 7 firewall control [free] to implement this functionality.

That's not quite true. The inbuilt firewall in Windows Vista and Windows 7 provides the most benefit you are going to get with regards to outbound filtering by default. It filters unnecessary traffic for services due to Service Hardening.

Steve Riley said:
Client Firewalls and Security Theater:

Many people didn’t realize that the initial release of Windows® XP included a client firewall. That’s not really surprising since the firewall was switched off by default and it was buried behind too many mouse clicks. In its own rather stealthy way, the firewall just showed up without any real indication of its purpose or guidance on how to use it. But it did work. If you had enabled that firewall, it would have saved you from Nimda, Slammer, Blaster, Sasser, Zotob, and anything else that tried to hurl unsolicited traffic at your network port. Realizing the importance of client protection, Windows XP Service Pack 2 (SP2) enabled the firewall by default, created two profiles (Internet and corpnet), and allowed for Group Policy enablement.

Unfortunately, two barriers slowed the adoption of the Windows XP SP2 firewall: application concerns and security theater. Many people worried that the firewall would stop their applications from working correctly. This was rarely the case, though, because of the firewall’s design. The firewall allowed all outbound traffic to leave your computer, but blocked all inbound traffic that wasn’t in reply to some previous outbound request. The only time this design would break an application on a client was if the application created a listening socket and expected to receive inbound requests. The Windows XP firewall allowed for simple configurations of exceptions for programs or ports (but, unfortunately, not through Group Policy).

The bigger deterrent was the security theater performed by manufacturers of other client firewalls. Some people believed that the design of the Windows XP firewall—namely allowing all outbound traffic to leave unfettered—was insufficient functionality for a client firewall. The argument was that a sufficient client firewall should block all traffic, inbound and outbound, unless the user has specifically granted permission.
Now, let’s think this through for a moment. Two scenarios emerge.

  • If you’re running as a local administrator and you are infected by malware, the malware will simply disable the firewall. You’re 0wn3d.
  • If you aren’t running as a local administrator and you get infected by malware, the malware will cause a third-party firewall to raise a dialog filled with a foreign language involving ports and IP addresses and a very serious question: "Do you want to allow this?" The only answer, of course, is "Yes, you stupid computer, stop harassing me!" And once that dialog goes away, so does your security. Or, more commonly, the malware will simply hijack an existing session of a program you’ve already authorized, and you won’t even see the dialog. Again, you’re 0wn3d.
There’s an important axiom of security that you must understand: protection belongs on the asset you want to protect, not on the thing you’re trying to protect against. The correct approach is to run the lean yet effective Windows firewall on every computer in your organization, to protect each one from every other computer in the world. If you try to block outbound connections from a computer that’s already compromised, how can you be sure that the computer is really doing what you ask? The answer: you can’t. Outbound protection is security theater—it’s a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security. This is why outbound protection didn’t exist in the Windows XP firewall and why it doesn’t exist in the Windows Vista™ firewall. (I’ll talk more about outbound control in Windows Vista in a bit.)

Steve Riley said:
Controlling Outbound Connections:

Earlier, I said that the typical form of outbound protection in client firewalls is just security theater. However, one form of outbound control is very useful: administratively controlling certain types of traffic that you know you don’t want to permit. The Windows Vista firewall already does this for service restrictions. The firewall allows a service to communicate only on the ports it says it needs and blocks anything else that the service attempts to do.

*Snip*

Exploring The Windows Firewall

Jesper M. Johansson said:
Outbound Filtering:

The lack of outbound filtering in the Windows XP SP2 firewall was held out as the primary proof that the built-in firewall was inadequate for security. There must be thousands of articles written about how insecure the Windows XP SP2 firewall is due to its lack of outbound filtering. This is in spite of the fact that no firewall on Windows XP could securely provide outbound filtering.

The fundamental functionality that transforms outbound filtering into a useful security feature from a mere speed bump—or policy enforcement tool, as I used it earlier—simply does not exist in Windows XP. It does exist, however, in Windows Vista. It is only logical, therefore, that the new firewall makes use of this feature. By default, most inbound traffic is blocked and most outbound traffic is allowed.

By default, outbound filtering in the new Windows Vista firewall blocks only unnecessary traffic from services. This is actually all that can be done to provide protection against a compromise on the host that provides the outbound filters, and doing this on Windows XP would have been meaningless.

Services in Windows Vista can run with a highly restricted token. In essence, each service has its own security identifier (SID), which is unique to that service. This Service SID can be used to restrict access to resources, such as network ports. This is the same functionality we saw earlier when we looked at restricting traffic to users. This means that even though two services may run as NetworkService, they cannot manage each other's processes and the firewall can be configured to allow only one of them to communicate out. If the one that is blocked is compromised, it cannot hijack the allowed service and use its allowed port to communicate out because the port is restricted by Service SID.

This functionality is another one of the very cool security features added to Windows Vista, and the new firewall uses it to actually provide real security value by outbound firewall filtering.

In fact, firewall filtering on service SIDs is enabled by default in the new firewall. However, there is no GUI to configure it. The rules are predefined in the HKLM\System\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\RestrictedServices registry key. You should be very careful, however, with modifying that key manually, as this is unsupported.

Managing the Windows Vista Firewall

There is also a section directly under the section I have just quoted above from the "Managing the Windows Vista Firewall" article regarding the sort of benefit you receive from outbound filtering which is worth reading too.
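A read-only look at the service-hardening rules the quoted article says have no GUI, as an added example that is not from the article or anyone in the thread. The RestrictedServices key is the one named in the quote; the Static\System subkey beneath it and the '|'-separated Key=Value layout of each rule string are assumptions about how the firewall stores its rules, and nothing here writes to the key.

```powershell
# Added example: decode the Service SID restriction rules (read only).
# Key from the quoted article; the Static\System subkey is an assumption.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System'

function ConvertFrom-FirewallRuleString {
    param([string]$Rule)
    # Assumed layout: 'v2.x|Action=Allow|Dir=In|Protocol=17|LPort=53|Svc=Dnscache|...'
    # First token is a version tag, every later token is Key=Value.
    $parts = @($Rule -split '\|' | Where-Object { $_ })
    $props = @{ Version = $parts[0] }
    if ($parts.Count -gt 1) {
        foreach ($p in $parts[1..($parts.Count - 1)]) {
            $kv = $p -split '=', 2
            if ($kv.Count -ne 2) { continue }
            # Repeated keys (several ports or profiles) are collected, not overwritten.
            if ($props.ContainsKey($kv[0])) { $props[$kv[0]] = @($props[$kv[0]]) + $kv[1] }
            else { $props[$kv[0]] = $kv[1] }
        }
    }
    New-Object PSObject -Property $props
}

function Get-ServiceRestrictionRules {
    # One object per rule value; RuleId is the registry value name.
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        $rule = ConvertFrom-FirewallRuleString -Rule ([string]$item.GetValue($name))
        $rule | Add-Member -MemberType NoteProperty -Name RuleId -Value $name -PassThru
    }
}

# Show which service (Svc) may use which ports in which direction; these are the
# per-service allowances described in the article, with everything else the service
# attempts being blocked.
Get-ServiceRestrictionRules |
    Where-Object { $_.Svc } |
    Sort-Object Svc, Dir |
    Format-Table RuleId, Svc, Dir, Action, Protocol, LPort, RPort -AutoSize
```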
 