XP SP2 brings a new firewall, and one that is enabled by default. Two items in particular were big red flags for me: there is no egress monitoring, and the firewall itself can be turned off by other applications. This latter is one of my favorite It’s a Feature! comments in some time, as MS explains it “isn’t so much a flaw as a limitation on the role firewalls should play in a company’s security system.” These two Features might be okay in a world without trojans and bots and spyware.
Two things help me to make sense of this strange perspective on firewalls. First, MS’s primary customer is IT, and the PC firewall must first of all fit easily into organizational deployment and administrative processes (which are often heavily automated, to support managing what might be thousands of machines). The functionality is there for the company’s benefit, not the individual user, who doesn’t even own the machine in this context.
Second, and more important, is the MS view of empowering the user. Regarding the lack of monitoring outbound traffic, David Overton, a Microsoft technical specialist, says:
Microsoft’s user testing showed that asking users to approve every application trying to communicate with the Internet tends to backfire. If you flood the user with messages like that, they say ‘yes’ all the time.
Which is true for some segment of PC users, but I think this generalization captures the dominant MS view of the people at the keyboard. If I indulge my own generalizations, I think MS thinks we need more black boxes, and I think we need more white ones.
In the case of ZoneAlarm, there is no flood. When a popup comes, I have to see if I’m surprised by an application trying to reach the net at that moment. If not, I accept, and if I want to trust this app, I simply check the “remember this decision” box. I will never see it again for that app. If I’m not quite sure, I don’t check the box. Very quickly, there are very few popups, and the ones that persist are the ones I want to continue seeing, until I understand what the app is doing. If things stay mysterious, I look at the traffic in a sniffer (okay, admittedly not many users are ready for this one, but the point is empowerment). There is very little hassle if you simply give a thoughtful response to the popup.
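To make the contrast concrete, here is an added model (not ZoneAlarm's or Microsoft's code) of the two outbound policies just described, run over a constructed log of connection attempts: XP SP2's pass-everything default versus a per-application prompt whose answer can be remembered. The attempt list, the process names and the stand-in "user" are all made up.

```python
"""Two outbound-traffic policies: no egress filter (XP SP2 default) and a
ZoneAlarm-style per-app prompt with remembered decisions. Constructed example."""
from collections import Counter

# Constructed log of outbound attempts as (process, destination). Not real data;
# the unexpected process talks to a TEST-NET address on an IRC-style port.
ATTEMPTS = [
    ("browser.exe", "example.com:80"),
    ("mail.exe", "mail.example:110"),
    ("browser.exe", "example.com:80"),
    ("updater.exe", "update.example:443"),
    ("browser.exe", "news.example:80"),
    ("mystery.exe", "203.0.113.7:6667"),
    ("mail.exe", "mail.example:110"),
    ("mystery.exe", "203.0.113.7:6667"),
    ("browser.exe", "example.com:80"),
]

TRUSTED = {"browser.exe", "mail.exe", "updater.exe"}  # assumed user knowledge


def user_answer(app):
    """Stand-in for the person at the keyboard: trust a familiar app and tick
    'remember this decision'; block an unfamiliar one but keep being asked."""
    if app in TRUSTED:
        return True, True    # (allow, remember)
    return False, False      # (block, do not remember)


def no_egress_filter(attempts):
    """XP SP2 default as the post describes it: every outbound attempt passes."""
    return {"allowed": len(attempts), "blocked": 0, "prompts": 0}


def remembered_prompts(attempts, answer=user_answer):
    """Prompt per app; cache the verdict when the user asks to remember it."""
    cache, tally = {}, Counter()
    for app, _dest in attempts:
        if app in cache:
            allow = cache[app]
        else:
            tally["prompts"] += 1
            allow, remember = answer(app)
            if remember:
                cache[app] = allow
        tally["allowed" if allow else "blocked"] += 1
    return dict(tally)


if __name__ == "__main__":
    print(no_egress_filter(ATTEMPTS))
    print(remembered_prompts(ATTEMPTS))
```

With decisions remembered, only the unfamiliar process keeps prompting; the pass-everything policy never prompts, but also never blocks it.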
Overton continues:
“An attacker could misuse that (administrative) capability […] But you’re already in a compromised state, if you’re at that point.” He says Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it’s been infected.
If malicious code makes it past the firewall, it is the role of anti-virus software to protect the machine, Overton adds. Likewise, it is not the firewall’s place to stop malicious code from sending outbound packets–Microsoft contends that companies should use perimeter technologies to examine outbound traffic.
He doesn’t describe a resilient approach to security, and he certainly doesn’t describe personal empowerment and responsibility. Perimeter technologies?