Windows Firewall With Advanced Security
Tuesday 25th July, 2006 13:53 Comments: 0
I've been playing with Windows Vista Beta 2, and I've noticed some odd things to do with networking.
Since XP SP2 was released nearly two years ago, I've been a big fan of the Windows Firewall. It doesn't make your system grind to a halt (yay!), it silently drops things (a good thing), and it doesn't let anything in that it shouldn't (people have complained about the lack of outgoing filtering, but by then it's too late, and it's fairly trivial to add exceptions in most other firewall software).
Along came Vista Beta 2 (I never properly tested Beta 1 as I figured the code might change). The firewall now supports outgoing filtering (I suspect to keep people happy, more than anything else). Vista itself now natively supports IPv6. The problem is that this brand new network stack and improved firewall don't appear to work very consistently with each other. But it does block access to the things you disallow, so it could be worse.
When Vista's Windows Firewall is on, instead of silently dropping requests it sends back a reply, so you know that something is listening on that port on the other side of the firewall. Quirky, but it's probably something that can be fixed by getting the firewall to silently discard those requests.
The thing I noticed today was UDP scanning. In the past Windows didn't behave like Linux or Unix, so UDP scans of default ports with nmap could be completed in well under a minute. The RFC says this shouldn't happen, but Microsoft have ignored this for years. Well, with the Windows Firewall off, Vista behaves like Linux, and the scans take about 20 minutes instead of 30 seconds. Very good, I thought. And then I tried it again with the firewall back on. 30 seconds later and I'd completed a scan. Hmm, odd, I thought to myself, but perhaps it's another example of the firewall sending replies to the things it's blocking (just like TCP). So I kept the firewall on, but I allowed all incoming and all outgoing traffic. This means that the firewall is on, but it shouldn't be stopping anything. It should behave exactly the same as having the firewall off. 30 seconds later, I'd finished my UDP scan again. It seems that the core Windows networking code handles requests properly, but the firewall doesn't match the behaviour. It doesn't even match the behaviour of XP SP2's firewall. It's basically a mess. I hope they sort it out by RC1.
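The scan-time difference above comes down to what a host does with a datagram to a closed UDP port: a closed port answers with ICMP port unreachable (type 3, code 3), and an RFC-compliant stack rate-limits those unreachables, so a scanner that waits for them has to slow down. A host that answers every probe straight away (old Windows, or a firewall that replies on the stack's behalf) lets the scan finish in seconds. The following minimal UDP prober is an added example written for this page; it is not nmap's code and not something from the original post. It assumes a Linux-style target where the kernel surfaces the returning ICMP error on a connected UDP socket as ECONNREFUSED, and it builds three constructed targets on loopback (an echo service, a silent listener and a closed port) so that it can run offline. The function names (`probe_udp`, `scan_udp`, `demo`) are this example's own.

```python
"""Minimal UDP port prober showing the three outcomes nmap -sU distinguishes.

Added example, not from the original post. Assumes a Linux-style host where a
closed UDP port answers with ICMP port unreachable, which the kernel reports on
a *connected* UDP socket as ECONNREFUSED. No reply inside the timeout means
"open|filtered": a service that ignored an empty datagram, or a firewall that
silently dropped the probe. Only a UDP reply proves the port is open.
"""
import socket
import threading
import time


def probe_udp(host, port, timeout=1.0):
    """Send one empty datagram and classify the port the way nmap -sU does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket is required: unconnected sockets never see
        # the ICMP error, so every closed port would look like open|filtered.
        s.connect((host, port))
        try:
            s.send(b"")
            s.recv(1024)
            return "open"            # a real UDP reply came back
        except ConnectionRefusedError:
            return "closed"          # ICMP port unreachable arrived
        except socket.timeout:
            return "open|filtered"   # silence: service or firewall drop


def scan_udp(host, ports, timeout=1.0):
    """Probe ports one after another; return classifications and elapsed time.

    Against a host that rate-limits ICMP unreachables, probes sent faster than
    the limit get no answer in time and are misreported as open|filtered, which
    is why nmap backs off and why a compliant target takes minutes, not seconds.
    """
    results = {}
    start = time.monotonic()
    for port in ports:
        results[port] = probe_udp(host, port, timeout)
    return results, time.monotonic() - start


def _local_fixtures():
    """Constructed targets on loopback: echo service, silent listener, closed port."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    echo.bind(("127.0.0.1", 0))

    def serve_once():
        _data, peer = echo.recvfrom(1024)
        echo.sendto(b"pong", peer)

    threading.Thread(target=serve_once, daemon=True).start()

    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))     # bound but never answers

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                       # released: nothing listens here now

    return echo.getsockname()[1], silent.getsockname()[1], closed_port, (echo, silent)


def demo(timeout=0.5):
    """Scan the three constructed loopback targets and label the outcomes."""
    open_port, silent_port, closed_port, keep_open = _local_fixtures()
    results, _elapsed = scan_udp("127.0.0.1", [open_port, silent_port, closed_port], timeout)
    for sock in keep_open:
        sock.close()
    return {
        "echo": results[open_port],
        "silent": results[silent_port],
        "closed": results[closed_port],
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a real target (with permission) by swapping `demo()` for `scan_udp(host, range(1, 1025))` and note two things: the time it takes to get through the closed ports is set by the target's ICMP rate limit, not by your send rate, and a firewall that answers probes instead of dropping them looks exactly like a host with no rate limit at all, which is what the post observed with Vista's firewall switched on.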