Thursday, January 26, 2006

Microsoft Readies Two-Way Firewall for Vista

Robert McMillan, IDG News Service Wed Jan 25, 7:00 PM ET

For its upcoming Windows Vista operating system, Microsoft is readying a new, highly configurable firewall designed to give administrators much greater control over which applications can run on the systems they manage.

After just over a month of testing by users of Microsoft's Community Technology Preview (CTP), the firewall is "very much on track" to be in the final Vista release scheduled for later this year, and the company is considering adding a similar feature for its consumer users, said Austin Wilson, a director in Microsoft's Windows client group.

Two-Way Details

The new firewall is called "two-way" because it filters both incoming and outgoing network traffic, so it can block outside machines that are trying to connect to the Windows PC as well as applications on the PC that are trying to connect to other systems on the network.

The Windows XP firewall can't block outgoing traffic; the ability to do so will give Vista administrators powerful options, Wilson said. By using the firewall, administrators could (for example) ensure that their PCs used only a preferred instant messaging application. "If you tried a different instant messaging application, it would be blocked," he said. "It's really something that we're targeting toward enterprise administrators in corporations."

Though Microsoft has previously discussed plans to include the firewall in Vista, it has only recently provided details on how the software will work.

More Extensive Than Expected

The new firewall capabilities first appeared in last month's CTP build 5270, but they were difficult to access and turned out to be much more extensive than testers had expected, according to Windows blogger Ed Bott, coauthor of the book Microsoft Windows XP Inside Out.

"After installing Windows Vista Build 5270 and examining all security options in Control Panel, you might conclude that Windows Firewall hadn't changed at all," he wrote in a January 14 blog posting.

To access the new firewall features, Vista users must create a customized management console and configure it to load the "Windows Firewall with Advanced Security."

How It Works

The console can operate in two ways. In single-machine mode, it manages only the PC it has been installed on; but when configured using Active Directory, it can set up policies that apply to a large number of machines. "If I have 10,000 machines, I can set up a policy, one time, to block a given application. And that would propagate across all of my 10,000 machines," Wilson said.

Though many security products already have similar capabilities, building outbound blocking into the operating system will make life much easier for enterprise system administrators, who will now be able to create custom scripts and group policies to restrict the uses of Windows PCs, Bott said.
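The "preferred instant messaging client only" policy Wilson describes, written as the kind of custom script Bott mentions. This is an added example, not from the article or Microsoft: it uses the scriptable netsh advfirewall interface to the same Windows Firewall with Advanced Security rule store the console edits; the program paths and the log file location are placeholders, and for the Active Directory case the same rules would be placed in a Group Policy object rather than run per machine.

```batch
@echo off
rem Added example (not from the article): a Vista startup script that enforces
rem "approved IM client only" outbound filtering via netsh advfirewall.
rem All application paths below are placeholders, not real products.

set PREFERRED_IM="C:\Program Files\PreferredIM\preferredim.exe"
set OTHER_IM="C:\Program Files\OtherIM\otherim.exe"

rem 1. Explicitly allow the approved client outbound on every profile.
rem    Block rules take precedence over allow rules, so never add a block
rem    rule for the approved program by mistake.
netsh advfirewall firewall add rule name="Allow Preferred IM (outbound)" dir=out action=allow program=%PREFERRED_IM% enable=yes profile=any

rem 2. Block the unapproved client outbound. With the default outbound
rem    action left at "allow", only this program is affected.
netsh advfirewall firewall add rule name="Block Other IM (outbound)" dir=out action=block program=%OTHER_IM% enable=yes profile=any

rem 3. Stricter variant (left disabled): make "block" the default outbound
rem    action so only explicitly allowed programs can talk out. This is the
rem    application-compatibility problem the article mentions; enable only
rem    after testing every required program on a pilot group.
rem netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 4. Verify what was applied and keep a record for troubleshooting.
netsh advfirewall firewall show rule name="Block Other IM (outbound)"
netsh advfirewall show allprofiles >> "%SystemRoot%\Temp\firewall-policy.log"
```

Rules added this way appear in the "Outbound Rules" node of the Windows Firewall with Advanced Security console and can be deleted with netsh advfirewall firewall delete rule name="...".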

Though the underlying firewall code--called the Windows Filtering Platform--has been rewritten for Vista, Wilson said that most users will not notice major differences between XP and the new operating system. "There are really two different firewall consoles in Vista. If you go to Control Panel/Firewall, you get the traditional one that was there in Windows XP," he said. "If you go to the other console, which is called Windows Firewall with Advanced Security, you see both the inbound and outbound filtering."

Both firewall consoles use the Windows Filtering Platform, which has been rewritten to improve how Windows intercepts network traffic and to make the software work more efficiently with the Windows kernel, Wilson said. "We wanted to have a flexible platform that we could use and that third parties could use for filtering," he said.

Consumer Version?

Microsoft is thinking about adding outbound filtering for consumers to a post-Vista Windows product, but work needs to be done to ensure that such a two-way firewall is easy to use, Wilson said. "First of all, we have to make sure that application compatibility is very good when that's enabled," he said.

Such a firewall must also do a "great job of helping users make good decisions on what applications would be allowed to talk outbound, and make that decision without overwhelming them with dialog boxes," he said.
