"OneCare Firewall: a light-weight approach to a heavy-duty problem."

  • Question

  • I'm still in the trial period of Windows OneCare. So far I haven't made up my mind one way or the other, but in my search for comparisons between various firewall products I came across the whitepaper published by "Agnitum.com."

    The paper dates back to Oct. 2006 and states that: "any competent piece of malware would have no problem stealing data from a PC ‘protected’ by OneCare…" I'm a bit concerned about that.

    Have the issues in the paper been addressed? How?



    For your convenience, here's the text of the paper from ZDNet.com:
    "

    OneCare Firewall: a light-weight approach to a heavy-duty problem

    Introduction

    Since Microsoft released its Windows Live OneCare security kit in June, there has been much discussion as to how the product would benefit ordinary PC users and whether it really delivers on its mission of providing reliable, yet easy-to-use, PC protection for consumers. On top of those discussions came accusations (http://sunbeltblog.blogspot.com/2006/06/microsoft-practices-predatory-pricing.html) that Microsoft was engaging in predatory pricing intended to drive off competition and stifle innovation in the security space for consumers.

    In order to fully understand the ins and outs of the debate, we decided to go ahead and install the product and conduct our own in-house assessment of the OneCare-bundled firewall protection. We are pleased to share the results of this test run with you in this month’s Security Insight.

    A brief glance

    The OneCare interface looks sophisticated and well-organized; it has a colorful information window from which all program settings and commands can be accessed. The program is based on Microsoft’s proprietary .Net technology and requires users to install the .Net package before using it.

    As we were primarily interested in the firewall component, we went first for the Firewall tab - available from the Settings menu. The remainder of this article is a description of our experience and the impressions we garnered while using the OneCare firewall.

    A firewall’s applications treatment

    By default, OneCare firewall is set to address programs in an automatic mode – every program access is managed through the Microsoft-created and supplied application behavior policy. Programs that are allowed to connect to the Internet are included in that policy and the firewall simply lets them connect without restriction.

    The problem with this policy is that it covers a very limited number of applications, so the user is forever having to respond to notifications from other quite legitimate programs as they attempt to access the Internet. Another weakness of this approach is that, no matter whether the firewall is in automatic or user-definable access mode, it first blocks the application from accessing the Internet and then asks whether the program should be permitted to access the Internet on subsequent occasions.

    What this means is that a legitimate program soliciting first-time access to the Internet, in our case an IM chat program, cannot connect to the Internet; after a brief delay, a message to this effect appeared on the screen. It’s really not very user friendly to deny connections to programs accessing the Internet for the first time, and it limits the program’s functionality until a restart restores programs’ operations to a normal state. The way unknown programs are treated by the firewall leaves users with the impression that every application is presumed guilty - by being blocked - until proven otherwise.

    The same cannot be said of how OneCare fares with leaktests (http://www.firewallleaktester.com, http://www.pcflank.com). After OneCare had worked for a couple of hours and created a reasonably sized database of application access rules, we subjected the firewall to a slate of leaktests intended to verify how the program would protect users against imaginary malware attempts to upload data from the host computer. The results were very poor, with the OneCare firewall passing only the most basic and simple leaktests and failing the rest. Amusingly, it treated leaktests as if they were normal Windows Explorer (explorer.exe), Internet Explorer and other credible applications widely used on a Windows-based computer, failing to detect the tests’ tendency to imitate, implant their code in, or hijack a credible application on whose behalf they subsequently gained access credentials.

    The implications of this poor performance are far-reaching: any competent piece of malware would have no problem stealing data from a PC ‘protected’ by OneCare, and the firewall uttered not a single peep to prevent this from happening. This is a pretty serious shortcoming, since one of the primary functions of a firewall is to protect against unauthorized program connections – both incoming and outgoing; OneCare on this basis does not even meet the minimum requirements for an effective firewall.


    The OneCare firewall is so basic that it doesn’t even provide for the creation of advanced application access rules – you can either allow an application to access the Internet or deny it. You cannot make a rule that, for example, would enable Internet Explorer to access some websites and not others (on the basis of IP address, for example). Nor can you specify, for example, time-based access permissions and apply advanced access parameters to the way applications are allowed to connect to the Internet, such as stipulating trusted access ports and protocols for a particular application.

    Despite these major failings, OneCare does have other qualities, both good and bad, that it is worth mentioning.

    Network configuration and intrusion prevention

    OneCare firewall detects your network configuration and can limit access to the user’s files and printers to members of the same network (a subnet), with access from the Internet being restricted. Just as with granting applications Internet access, this is very basic; you cannot create advanced rules or specify advanced whitelist and blacklist settings of remote locations for Internet or complex network domain access. The same limitations apply to access through the Remote Desktop.

    Amazingly, OneCare lacks the accepted industry standard of Intrusion Detection and Protection systems used by most third-party firewalls (Outpost Firewall Pro, Norton Personal Firewall). This is a serious omission, as there are many hacker tools available today which can generate automated, wide-scale intrusion attempts on thousands of PCs in the hope of finding inadequately protected PCs that can be exploited in the future. These tools are being constantly improved and expanded, and it is quite disturbing that Microsoft does not provide any kind of protection against such attacks for their OneCare customers.

    OneCare’s packet filtering is on a par with its competition, and the ability to select a port range for any chosen protocol is a useful feature.

    Performance and compatibility

    Although the program works quite fast on a mid-range PC, the way it handles programs launched for the first time is less than satisfactory. By default, all executed programs undergo an initial spyware scan with OneCare’s Windows Defender (currently in its Beta 2 version), which delays program execution by as much as ten seconds. We also found, towards the end of our evaluation, that this may not be limited to the first program run. Windows Defender is updated separately from the main program update, and may start at any time, regardless of how much bandwidth you may be using – for example, if it starts up when the user is at a crucial point in an online game, the gameplay could be badly interrupted.

    We also found compatibility issues with OneCare – but not the ones you’d expect. Before installing the software, we already had a running firewall on our computer (of course – as would most people). Guess what happened next? OneCare neglected to warn us of any need to first de-install the existing firewall before proceeding with the installation of OneCare. So, we found that OneCare worked smoothly alongside Outpost Firewall Pro, and that Outpost Firewall was the first to monitor the system, ask questions and protect the user – not OneCare. That’s not good news for OneCare.

    Before we finished our testing, yet another unfortunate incident occurred – OneCare blocked Internet access for our installed browsers (IE, Firefox) altogether and only permitted them to connect to the Internet in idle (switched off) firewall mode. This is when we finally parted company with the entire OneCare suite.

    Conclusion

    Although the program is very intuitive, nice to look at, and easy to use – which is good for the program’s target audience of inexperienced users – its functionality is a big let-down and does not serve that inexperienced user audience well. It reminds us of those colorful and feature-rich Graphical User Interfaces (GUIs) with nothing behind them that you sometimes see at exhibitions, because the vendors couldn’t finish the whole program in time. Microsoft OneCare needs a serious overhaul before it can be considered anything more than just a fancy interface with no real security under the hood.

    ."



    Tuesday, July 22, 2008 4:33 AM

Answers

  • Though I understand why you are researching a security application before accepting it, looking at ancient information like this is really pointless. Even at the time, the vested interest of a firewall vendor such as Agnitum (Outpost) made this article suspect and simply showed their lack of understanding of the product and how it really operates.

    In general, the OneCare firewall isn't a standalone firewall, so analyzing it separately makes no sense. It is tightly integrated into the suite and intended to operate with the other components as part of a complete protection system. For that reason, it's not expected to operate using some of the methods that a standalone firewall product might use.

    In fact, at the time the core system of using digital signatures to identify software had not been completely accepted by many software vendors. However, the then impending release of Windows Vista was just beginning to change that, and it has now become a standard software industry practice. Since both the firewall and AntiMalware (AntiVirus/AntiSpyware) engines use this as a core means of identification, issues of software recognition are largely non-existent for current software. Also, the firewall policy database has been adjusted for the most common software used over time, so only unidentified or rarely used software still requires interaction by a user.

    So most of the article you reference had little true meaning at the time it was written and virtually none in today's context. The reason you don't find discussions of this here is that the decision was made early on to remove the posts from previous versions of OneCare as new versions released, since in most cases these became inaccurate and confusing, with the potential of causing a user to do something wrong based on old information. The negative result of this is that most of the history is lost, so earlier discussions of this same article are no longer available.

    For this reason, I suggest you limit your research to more recent reviews of only the most current versions of OneCare, specifically version 2.0 or later, since that's been around since early this year. As you've already discovered, the 2.5 version is quite recent and doesn't have much direct effect on most users, since it primarily added the OneCare for Server functionality I mentioned elsewhere.

    OneCareBear

    Tuesday, July 22, 2008 9:34 AM
    Moderator
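The answer above rests on one technical point: once a host firewall identifies software by its digital signature rather than by prompting for every new binary, a policy entry for a publisher covers the software that publisher ships, and only unsigned or unrecognised programs need a user decision. The following PowerShell is an added illustration of that decision logic, written for this page; it is not OneCare's code, nor Microsoft's, and it makes no claim about how OneCare implemented its policy database. It uses the real Windows cmdlets Get-AuthenticodeSignature and Get-FileHash; the trusted-publisher list is a constructed placeholder that an operator would fill from a reviewed inventory, and the three-way Allow/Prompt/Block model is an assumption made for the example.

```powershell
# Added example (not OneCare's or Microsoft's code): a model of a host firewall's
# application policy keyed on Authenticode publisher identity. Signed software from
# a publisher already in policy gets a rule without a prompt; unsigned software
# falls back to the per-hash "ask the user" path; a bad signature is blocked.
# Get-AuthenticodeSignature and Get-FileHash are standard Windows PowerShell cmdlets.

$TrustedPublishers = @(
    # Constructed example entry: the certificate Subject an operator has verified.
    # In practice this list comes from a reviewed inventory, not from a guess.
    'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)

function Get-AppPolicyDecision {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Decision = 'Block'; Reason = 'File not found'; Sha256 = $null }
    }

    # A SHA-256 hash identifies this exact binary. It is the fallback identity when
    # there is no usable signature, and it changes with every update of the program.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    switch ($sig.Status) {
        'Valid' {
            # Publisher identity survives updates, so one rule covers every version
            # the same publisher ships; that is what removes the per-program prompt.
            $subject = $sig.SignerCertificate.Subject
            if ($TrustedPublishers -contains $subject) {
                $decision = 'Allow'
                $reason   = "Valid signature from trusted publisher: $subject"
            } else {
                $decision = 'Prompt'
                $reason   = "Valid signature, but publisher not in policy: $subject"
            }
        }
        'NotSigned' {
            $decision = 'Prompt'
            $reason   = 'Unsigned; only the file hash identifies it, so ask the user'
        }
        default {
            # HashMismatch, NotTrusted and similar: a signature that fails to verify
            # is a stronger warning than no signature, so do not fall back to prompting.
            $decision = 'Block'
            $reason   = "Signature problem: $($sig.Status) - $($sig.StatusMessage)"
        }
    }

    [pscustomobject]@{ Path = $Path; Decision = $decision; Reason = $reason; Sha256 = $hash }
}

# Usage: evaluate binaries present on a standard Windows install and print the decisions.
@("$env:SystemRoot\explorer.exe", "$env:SystemRoot\System32\notepad.exe") |
    ForEach-Object { Get-AppPolicyDecision -Path $_ } |
    Format-Table -Property Decision, Path, Reason -AutoSize
```

Two design points worth noting. First, the hash is still recorded even for signed binaries, because a publisher-level rule tells you who shipped the file but not which build it is; the hash is what an incident responder compares against later. Second, a signature that fails verification is treated as worse than no signature at all: prompting the user in that case would hand the decision about a possibly tampered file to the person least equipped to make it, which is exactly the situation the whitepaper's leaktest discussion is about.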

All replies

  • Thank you, OCB

    That answered all the questions I had about the firewall.
    :-)

    MD
    Tuesday, July 22, 2008 5:37 PM