how to disable outbound firewall or 'what good is an outbound firewall anyway'?

  • Question

  • Hi,

    I rather like OneCare, but it has one 'feature' preventing me from recommending it to any user: the outbound firewall.

    For a technically adept user running as computer admin an outbound firewall sounds like a good idea, but to a user without much technical knowledge running without admin rights it is just a nasty pain in the ***, reminding the user every so often that he has no clue about technical stuff and having him call his admin/tech support to allow some program that got an update.

    You see, in the days of auto update, a program like Firefox, or a ClickOnce application, will install an update of itself. After this, the outbound firewall will either disallow the program from network access, or pop up some message which is of no use to non-technical users.

    So the user can either not use the program anymore, or has to make a choice about it that can't be made (hey, who says the program saying 'Firefox is trying to send data' is really *the* Firefox browser and not a virus just calling itself Firefox?).

    So if the user does not allow programs, after a short while he will not be able to work with his programs anymore, since these had updates.

    Since the user can't really make a wise decision about which programs to allow and which to deny, the only solution is to allow everything, which in turn makes the whole outbound firewall obsolete.

    And what good is it anyway? Will an outbound firewall help to protect your PC against anything? No, it won't; your PC will just as easily be infected. It might just help against spreading more, but any decent virus, trojan, whatever, will just add itself to the firewall rules anyway, or just disable it if possible. Or mask itself as Internet Explorer.

    It's like adding an ID scan to an exit door: it will not stop any burglar from entering or leaving the building, it will just be annoying to those who have to use it for work.

    Honestly, my real advice to anyone who has an outbound firewall installed by someone else is to call him whenever the outbound firewall pops up a question and ask what the right choice would be in this case.

    Really, OneCare should have a way to disable the outbound firewall, so everyone can use it. Just try and deploy it in any corporate network with custom apps and many updates.

    Just my 2 cents,
    Sam

    Thursday, October 11, 2007 9:11 AM

Answers

  • Sam, you're wrong. Jim, you're forgetting some important points about the OneCare firewall that make it different from every product that's come before.

    The OneCare firewall is different because it doesn't depend entirely on the user to make the decisions; it only uses this as a last resort. First, the file is checked for a digital signature, and if it exists and can be verified the program is automatically allowed access, assuming of course that the program isn't a known piece of malware.

    Second, the file is checked against the firewall policy information, similar to antivirus detection files except that these are known good programs, and those that it recognizes are allowed.

    Only if it doesn't pass one of these tests is the user prompted as a last resort, which should happen relatively rarely if you are using reasonably current and/or well-known software. Anyone not digitally signing their programs at this point is either a very small developer or not serious about protecting the users of their programs, which would be a very good reason to dump the program if you ask me.

    The world of security has moved a generation ahead in the last couple of years and you can either take advantage of it or fight it and lose. None of the protection systems of the past have been very effective, which is why Microsoft has gotten into the game to actually protect the users of their OS, since it's in their interest to do it the right way.

    OneCareBear

    Friday, October 12, 2007 3:58 AM
    Moderator
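The three-tier decision OneCareBear describes (verified signature first, then the known-good policy list, then a prompt as last resort), applied to the programs that currently hold outbound TCP connections. This is an added example, not OneCare's code; it assumes a modern Windows host with PowerShell 5.1 and the NetTCPIP module, and the known-good table is a constructed sample standing in for the firewall policy data.

```powershell
# Added example, not OneCare code: reproduce the allow/prompt decision order
# described in the post for every process that owns an outbound TCP connection.
# Assumes Windows 8+/PowerShell 5.1 (Get-NetTCPConnection, Get-AuthenticodeSignature).
# The "known malware" check mentioned in the post is left to the antivirus engine.

# Constructed stand-in for the firewall policy's known-good program list.
$KnownGood = @{
    'C:\Program Files\Mozilla Firefox\firefox.exe' = 'constructed sample entry'
}

function Get-OutboundVerdict {
    param([Parameter(Mandatory)][string]$Path)

    # Tier 1: Authenticode signature present and chain verifies -> allow silently.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Allow'
                                  Reason = "Signed by $($sig.SignerCertificate.Subject)" }
    }
    # Tier 2: unsigned (or unverifiable) but on the known-good policy list -> allow.
    if ($KnownGood.ContainsKey($Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Allow'
                                  Reason = 'On known-good policy list' }
    }
    # Tier 3: last resort, the user would be prompted. Record why so an admin can
    # decide whether to sign the program or add it to the policy list.
    return [pscustomobject]@{ Path = $Path; Verdict = 'Prompt'
                              Reason = "Signature status: $($sig.Status)" }
}

# Executables behind established connections to non-loopback peers. Path is null
# for protected/system processes when not elevated; those are skipped.
$paths = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } |
    Where-Object { $_ } |
    Sort-Object -Unique

$paths | ForEach-Object { Get-OutboundVerdict -Path $_ } | Format-Table -AutoSize
```

Programs that land in the Prompt row are exactly the ones a non-technical user would be asked about, which is the list to sign or to add to policy before deployment.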

All replies

  • Hello Sam, I agree that an outbound firewall is pretty useless. However, the knock on the XP firewall was that it did not offer outbound protection and therefore was inadequate. After years of hearing this from tech writers and security product vendors, most computer users believe this to be true. That being the case, it is much more practical to write a two-way firewall than to re-educate tens of millions of computer users. Although I agree with you (my preference is to not use a software firewall at all on a desktop), I don't think many users would be comfortable turning off outbound notifications.

    Thursday, October 11, 2007 2:29 PM
    Moderator
  • Thanks for your answer!

    The main question for me regarding OneCare: will there be a way to switch off the outbound part of the firewall?

    Right now the only way is to switch off the whole firewall, which would be OK behind a hardware firewall, but is not really usable because OneCare continually nags about the computer being unsafe. And if the computer is unsafe already, no other real threat will register anymore as being more deadly than the missing firewall, making the whole 'green/yellow/red' alert stuff pretty useless.

    Regards,

    Sam

    Thursday, October 11, 2007 2:51 PM
  • We don't get information on feature additions or changes on future releases but my best guess is that there won't be an option to turn off outbound control.

    Thursday, October 11, 2007 3:28 PM
    Moderator
  • Somehow the firewall on my computer is turned off. I have tried to turn it on the way it's explained (through Control Panel), but none worked. Windows XP SP2 (or 3) with auto update.
    Need help!
    Thursday, October 11, 2007 5:24 PM
  • OneCareBear, so to use OneCare in a corporate environment with internal developers you would need to sign all in-house applications to get the firewall to accept them?

    I'd like to give this a try, but I'll need a certificate. Is there a list somewhere of where I can get one of those (hopefully not too expensive)?

    Still there is a big problem: ClickOnce applications, new technology from MS, will be really tough to sign properly due to some installation requirements (when you install a ClickOnce application on a customer's server you will need to modify the server path and IP and re-sign the installation manifest, so you either need to hand your private signing key to the customer, or get a certificate for every customer to use, or customize it at the dev shop, losing the ability for the customer to change it).

    I still think outbound firewalls are useless since a virus can get around them once it has infested the computer, but I'd give the 'sign so you won't be asked' approach a try if it is not too expensive.

    Regards,

    Sam

    Friday, October 12, 2007 8:27 AM
  • Sam,

    If you want your applications to be accepted silently by the firewall then digitally signing them is the simplest for the users. It's not required, but otherwise responding to the pop-ups is necessary.

    Another thing to understand is that OneCare wasn't intended to be used in a corporate environment; it's designed for home use by non-technical users. The Forefront Client Security suite is designed for use in corporate networks, and I don't believe it even includes a firewall, since managing the Windows XP SP2 or Vista firewall using Active Directory and Group Policy is considered the preferred method in that environment.

    Code Signing Certificates are available through the Microsoft Root Certificate Program Members with a range of pricing. Verisign is about $499 for the first year, while Thawte is $299 for the first year and $249/year thereafter, with others possibly being even less expensive.

    I'm not familiar with the specifics of ClickOnce applications, though it sounds messy from your description. I wonder if Microsoft expects the corporate environment to have a PKI infrastructure to provide for internal use. This would make more sense for internally produced and operated applications, while external Certificate Authorities make more sense for applications distributed widely via the Internet, usually to the general public.

    I understand your concern about firewall bypass with an already compromised PC. However, since a properly set up PC should only allow Limited User Account access to most users, this should avoid most easily exploitable situations. Having the firewall at least attempt to alert the user to the infection is better than leaving it out simply because it might be bypassed.

    OneCareBear

    Saturday, October 13, 2007 4:13 AM
    Moderator
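The internal-PKI route OneCareBear suggests for in-house applications, carried through end to end: sign a program with a code-signing certificate, then observe that "signed" and "can be verified" are two different things until the issuing certificate is trusted on the verifying machine. This is an added example, not OneCare's or Microsoft's code; it assumes Windows 10 / Server 2016 or later PowerShell 5.1, uses a self-signed lab certificate in place of one issued by an enterprise CA, and the Contoso subject name and file names are constructed.

```powershell
# Added example (not OneCare code): sign an in-house program and verify it before
# and after the issuer is trusted. Assumes PowerShell 5.1 on Windows 10/2016+.
# In production the certificate comes from the internal enterprise CA; the
# self-signed certificate here only stands in for that issuance.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'codesign-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Stand-in for an in-house application: a script is Authenticode-signed the same way an .exe is.
$app = Join-Path $work 'InHouseTool.ps1'
Set-Content -Path $app -Value 'Write-Output "in-house tool"'

# 1. Lab code-signing certificate (constructed subject; replace with your CA-issued cert).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Contoso Lab Code Signing (demo)' `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Sign with SHA-256. In production add -TimestampServer pointing at your PKI's
#    timestamp service so the signature outlives the certificate's validity period.
$signed = Set-AuthenticodeSignature -FilePath $app -Certificate $cert -HashAlgorithm SHA256
"Status right after signing: $($signed.Status)"

# 3. Verify as the firewall would. Expected: UnknownError, because the chain ends
#    in a root this machine does not trust. The file IS signed, yet it would still
#    fall through to the prompt tier; that is the "can be verified" part.
$before = Get-AuthenticodeSignature -FilePath $app
"Before trusting the issuer: $($before.Status) - $($before.StatusMessage)"

# 4. Trust the issuer the way an enterprise would push it via Group Policy:
#    Trusted Root Certification Authorities plus Trusted Publishers. Done per-user
#    for the demo; Windows shows a confirmation dialog for the current user's Root store.
$cer = Export-Certificate -Cert $cert -FilePath (Join-Path $work 'lab-codesign.cer')
Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\CurrentUser\TrustedPublisher | Out-Null

# 5. Same file, same signature; now the chain verifies. Expected: Valid.
$after = Get-AuthenticodeSignature -FilePath $app
"After trusting the issuer:  $($after.Status)"
```

The ClickOnce concern in the thread follows from step 2: re-signing a manifest at the customer site requires the private key at that site, whereas steps 4 and 5 only distribute the public certificate.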
  • rt35491 wrote:
    Somehow the firewall on my computer is turned off. I have tried to turn it on the way it's explained (through Control Panel), but none worked. Windows XP SP2 (or 3) with auto update.
    Need help!

    You posted in the middle of an unrelated thread. If you are not using Windows Live OneCare, you're off topic and should try the public Microsoft newsgroups here: http://www.microsoft.com/communities/newsgroups/default.mspx

    If you are having a problem with the OneCare firewall not starting, contact support. Support for 2.0 beta: http://help.live.com/help.aspx?project=onecarev2 (use the "Get More Help" link in the lower right of the page to contact support via email).

    Support for v1.6 is via the information here: http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=1183038&SiteID=2

    -steve

    Monday, October 15, 2007 5:05 PM
    Moderator
  • How do I turn my firewall off temporarily?

    Monday, October 29, 2007 2:12 AM
  • Open OneCare, select Change Settings, on the Firewall tab select Off, and select the time period you would like the firewall turned off for in the drop-down menu.

    Monday, October 29, 2007 2:17 AM
    Moderator