Saturday, 14 April 2007

Windows Vista Firewall Myths

Windows Vista comes with a firewall. This is good news, because it means you don't have to install a third-party software program to stop hackers and automated network attacks connecting to your PC. This pre-installed firewall is more powerful than the one included with Windows XP, which was pretty basic (although effective). It is more powerful because it doesn't just block unwanted incoming connections - it can also control traffic flowing from your PC.



Sounds great, doesn't it? With Windows XP, the firewall only controlled incoming connections and you had to install a product like ZoneAlarm to monitor outgoing traffic. Now you can rely on the software included with Windows.



But wait one second...



While Windows Vista's firewall can control outgoing connections, it doesn't. That is to say, by default it allows all programs to make outgoing connections to the internet. If you have a piece of spyware, or some other bad program running on your computer, it can leak your personal data out to the internet and the firewall won't care. You can use a fairly advanced control panel to lock down the outgoing traffic, but it's not very easy to get a regular working system to run happily this way.



At this point it is only fair to point out that, if some malware attempts to run, the User Access Control system might prevent it from causing a disaster. This is, of course, assuming that you have not disabled UAC in a fit of frustrated fury.



When most of us think about personal firewalls controlling outgoing traffic, we assume that the firewall checks which programs are trying to make a connection to the internet and then allows or denies them by following some simple rules. Preferably it will ask us what it should do first, and then remember our preferences. That's how ZoneAlarm and just about every commercial personal firewall works. But not the one you get in Windows Vista.



Microsoft does produce a firewall that behaves in the way we'd expect. The problem is, you have to pay for it. It is only available with the underwhelming Microsoft Live OneCare product and, considering that the other parts of this package are so disappointing, it seems a bit rich to pay for what we consider to be a basic firewall.



So in the end, despite claiming that the enhanced, new Windows firewall "supports filtering for both incoming and outgoing traffic", sensible users will install better, free options such as ZoneAlarm or turn to the firewall components of their internet security packages.