Vista's Windows Firewall Equals Peers

Microsoft is scheduled to release a Community Technology Preview (CTP) version of Windows Vista sometime in February, and although there won't be a formal Beta 2, we can expect at least two more previews (both of which, according to Microsoft's Jim Allchin, co-president, Platform Products & Services Division, can be considered as Beta 2 releases) in the first half of this year.

When the next preview does become available, it will have some new security features, in particular a greatly improved firewall. Windows Firewall will finally gain features that have long been on administrators' wish lists, and they bring it to rough parity with the many mature third-party desktop and server firewalls.

First and foremost, Windows Firewall will finally support control over both inbound and outbound traffic. Outbound control can put a serious damper on information leakage and should reduce the number of systems that become assimilated into botnets, because a bot's connection to its controller is outbound traffic that an inbound-only filter never sees. Why outbound control wasn't part of the original Windows Firewall I don't know for sure. Maybe Microsoft thought that not placing restrictions on outbound traffic might result in fewer Help desk calls for its customers. But the potential for increased support calls over some period of time didn't put much of a damper on third-party firewall sales over the years, so the "half-baked" firewall in Windows Server 2003 and Windows XP makes little sense to me.

Adding to better traffic control in the improved Windows Firewall is the ability to create a number of new exceptions (rules), including ones based on traffic source and destination addresses as well as IP protocol numbers. The new firewall also offers increased control over port-based rules; for example, you'll be able to define one rule for a group or range of ports instead of one rule per port. For even greater flexibility, the firewall will offer control at the interface level: if you have multiple network interfaces in a system, you can apply rules to a specific interface. Yet another new feature of the firewall is integration of IPsec settings, which previously had to be configured separately and sometimes created situations in which the firewall and IPsec policies conflicted.

A new Microsoft Management Console (MMC) snap-in will provide an interface for configuring Windows Firewall's new "advanced features" and for configuring the firewall on remote systems. You won't be able to perform either of those tasks by using the standard Control Panel Windows Firewall applet. Configuration of the new features will also be possible by using the Netsh command-line tool, and of course through Group Policy in Active Directory (AD). As you probably suspect, all the new tools and features will also be available in the upcoming version of Windows Server, code-named "Longhorn."
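As an added example that is not part of the column or of Microsoft's documentation, the Netsh commands below exercise each of the rule features described above (outbound control, source/destination and protocol-number rules, port groups, interface-level rules, IPsec integration) and the remote and command-line configuration paths from this paragraph, using the `advfirewall` Netsh context that the shipping product provides. The rule names, the host name FILESRV01, the addresses and the program path are placeholders chosen for the example; run the commands from an elevated prompt on the target Windows version.

```powershell
# Added example (not the column's or Microsoft's own script): Vista-era
# "netsh advfirewall" commands covering the features discussed above.
# Placeholders: rule names, host FILESRV01, all IP addresses, program path.
# Requires an elevated prompt; netsh works in PowerShell or cmd.exe.

# 1. Default policy for all three profiles (domain, private, public):
#    block unsolicited inbound AND block outbound unless a rule allows it.
#    "blockoutbound" is the setting the XP/2003 firewall could not express.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Outbound control: allow only one program to reach web ports, and log
#    dropped connections so blocked-outbound complaints can be diagnosed
#    from the log instead of guessed at.
netsh advfirewall firewall add rule name="Allow browser web out" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" protocol=TCP remoteport=80,443
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# 3. Source address plus IP protocol number: accept GRE (protocol 47)
#    inbound only from one VPN peer (placeholder address). Numeric
#    protocols 0-255 are accepted where TCP/UDP/ICMP keywords do not fit.
netsh advfirewall firewall add rule name="GRE from VPN peer" dir=in action=allow protocol=47 remoteip=203.0.113.10

# 4. Port group: one rule for a list and a range of ports, scoped to two
#    internal subnets, instead of one rule per port.
netsh advfirewall firewall add rule name="App ports in" dir=in action=allow protocol=TCP localport=8080,8443,30000-30010 remoteip=10.0.0.0/8,192.168.1.0/24

# 5. Interface-level control. From netsh the selector is the interface
#    TYPE (lan, wireless, ras, any); binding a rule to one named adapter is
#    done in the MMC snap-in's rule properties rather than on this line.
netsh advfirewall firewall add rule name="Block SMB on wireless" dir=in action=block protocol=TCP localport=445 interfacetype=wireless

# 6. IPsec integration: a connection security rule lives in the same
#    store as the firewall rules. This one requires authenticated
#    inbound traffic and requests it outbound, using computer Kerberos
#    (i.e. domain membership) as the authentication method.
netsh advfirewall consec add rule name="Require auth from domain hosts" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# 7. Remote configuration: "netsh -r <host>" runs the same context against
#    another machine. You need administrative rights on the target, and the
#    target's Remote Registry service must be reachable.
netsh -r FILESRV01 advfirewall firewall show rule name=all dir=in
netsh -r FILESRV01 advfirewall firewall add rule name="Allow RDP from admin subnet" dir=in action=allow protocol=TCP localport=3389 remoteip=10.10.0.0/24

# 8. Verify the result: effective per-profile settings, then one rule in
#    full detail (verbose shows the scope, protocol and interface fields).
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="App ports in" verbose
```

Step 1 is the one to test before rolling it out: with `blockoutbound` in force, anything that lacks an explicit outbound allow rule (Windows Update, your management agent, the browser in step 2) stops working, so build the allow list from the dropped-connection log on a pilot machine first. The same rule set can be pushed domain-wide from the Windows Firewall with Advanced Security node of a Group Policy object instead of running these commands per host.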

It's clear that the improved firewall will reduce your systems' exposure. The enhancements bring Windows Firewall much more in line with what we've come to expect over the years from third-party firewalls. Of course there is still plenty of room for improvement. For example, third-party firewalls can block ActiveX controls, JavaScript, and Java applets before they ever reach our browsers. They can also filter access to specific URLs, block pop-up windows and cookies, quarantine message attachments, cache DNS requests, and more.

For a more detailed perspective on the new features and a peek at the new MMC GUI, be sure to read "The New Windows Firewall in Windows Vista and Windows Server 'Longhorn,'" at the Microsoft TechNet Web site.

http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx
