Topic: Vista Firewall Situation

Lisandro (Avast team)
Vista Firewall Situation
« on: April 10, 2007, 10:49:47 PM »
Extracted from:
Scot’s Newsletter

The Vista Firewall Situation

Windows Vista is far more secure than Windows XP, but is it completely buttoned up? The answer is no. You still need both anti-malware and firewall protection for Vista. Microsoft's failure to solve this problem may, in fact, be a mistake that comes back to haunt the company. On the other hand, at least it didn't put a whole bunch of additional software companies out of business.

I've previously recommended Eset's Nod32 version 2.7 for all current versions of Windows, including Vista. Nod32 is a done deal, a no-brainer, just get it.

But the firewall picture for Vista is nowhere near as obvious. As I've written many times before, every computer connected to the Internet should be sitting behind some sort of hardware firewall that adds NAT (network access translation) stealthing and SPI (stateful packet inspection), both of which help protect against inbound threats. Good security is about layers, though, and a good software firewall complements the hardware firewall by adding application controls for outbound transmissions and network protections. The combination of hardware and software is very powerful. The problem is, very few popular software firewalls currently support Vista.

Vista's Strengths and Weaknesses
In case you think you don't need a firewall, be advised that while Vista's Windows Firewall is mildly improved, the added outbound protection isn't turned on by default, and you may find it difficult to configure. Windows Firewall still does not offer full firewall support. It's better than nothing if you don't have a third-party software firewall, but that's about it.

I'm a big fan of, a Web site that has tested firewalls for "leaks," in particular, outbound leaks that can be initiated by application spoofing and other means. There are dozens of leak tests, and no firewall blocks them all. What's more, there are probably scores of undiscovered or unexploited leaks that leak tests don't test for.

Vista blocks some leaks that XP doesn't, but not all of them. Check out this document for an objective assessment of Vista. (Don't be put off by the English errors on this Web page; the security knowledge is top notch. The authors are clearly not native-English speakers. In fact, I keep meaning to offer my English editing skills to

The description of UAC (User Account Control) is both useful and accurate, although some of the security functions it describes are just Vista security elements that Microsoft doesn't classify as being part of UAC. But that matters little.

Another document you should review is Matousec's list of software firewalls. This list is very useful for Vista owners because it shows a Vista logo (third from the right) when the product supports Vista. The first thing you'll notice is that several well thought of firewalls do not currently support Vista.

My focus for security software for Windows is strictly on lightweight software that does one thing well, like Nod32. What that means is: no security software suites. It's not just the big, well-known commercial suites either, like those from Norton, McAfee, Panda, CA, Trend Micro, Kaspersky, and F-Secure. I would also add less-well-known products, such as BitDefender, BullGuard, and Outpost. When you sift through Matousec's list of firewalls, focusing on Vista support, and you apply my "no suites" rule, there aren't many left. As of early this month, these are the ones left: Windows Live OneCare, Jetico Personal Firewall and PC Tools Firewall Plus.

Microsoft has already admitted that Windows Live OneCare is not a great product in its current version. Give that one a miss. I found sign-up for OneCare to be thoroughly annoying too — at least when it first became available. Frankly, Microsoft's security software is not that impressive.

The Jetico product is *not* a good choice for Vista. I ran into severe problems with the Jetico 2.0 beta for XP and Vista. When I installed it on my Vista test machine, I rebooted as directed after installation. Vista booted into the GUI and then gave me a blue screen. I repeated the process and got the exact same result. So I booted into Windows' Safe Mode and uninstalled Jetico. But on restart, the Vista test machine's network stack was totally trashed. It was no longer able to get DHCP assignments from my firewall router. It wasn't able to connect to anything on the network. Eventually, I had to revert to a previous System Restore point, which solved the problem right away.

Although the Jetico 2.0 beta installed fine on my XP test machine, I faced literally about 50 pop-ups over the next few hours. Even though each one said it was making a "permanent" change, that didn't appear to be the case at all. It was a very frustrating user experience (which reminded me a lot of my first trial of Comodo, before that product was refined). I also had trouble with intermittently balky network connections with Jetico installed. I had no problems uninstalling Jetico from the XP test box. That process went fine.

I spent about 30 minutes with PC Tools Firewall Plus prior to writing this article. My sense about PC Tools is that it's a very simple, lightweight firewall. I can't speak for its protective qualities yet, but it works well without being annoying. The UI for controlling networking isn't great. In order to make peer-based networking work, I had to set a rule that basically allowed all TCP/IP transmissions. I'm sure there's a more restrictive way, but the UI didn't make it obvious. I really liked PC Tools' simple application-control settings.

Anyone who has used PC Tools Firewall Plus more than I have, please drop me a note about your experiences, positive or negative.

Of the three third-party firewalls, I'd have to recommend PC Tools Firewall Plus — at least, on a temporary basis until other products, such as Comodo, Sunbelt's Kerio, or Look 'n' Stop Firewall begin supporting Vista. It doesn't seem to me to be a great product. But it's free and serviceable.

Speaking of Look 'n' Stop Firewall by Frederic Gloannec and Jean-Francois Catte, just as this issue of the newsletter was getting ready to mail I learned that the current Look 'n' Stop 2.06 Beta 2 will support Vista and will also likely be the version of the code that goes gold in the near future.

Another temporary strategy for Vista users is to make sure your hardware firewall is up to snuff, turn on Windows Firewall (and make sure the outbound protection is operational), and sit back and wait for the better firewalls to emerge. They're coming.
The best things in life are free.
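The newsletter's closing advice is to turn on Windows Firewall and make sure its outbound protection is actually operational, while noting that the Vista firewall UI makes that hard to see. The script below is an added example, not code from the newsletter or from this thread, showing how to check and set the default outbound policy from the command line with netsh advfirewall (the interface Vista ships with), and then allow only specific programs out. The program paths and rule names are assumptions for illustration; the output parsing assumes an English-language system. Run it from an elevated prompt.

```powershell
# Added example (not from the newsletter or the forum post): verify and enable
# outbound filtering in Vista's Windows Firewall with netsh advfirewall, then
# allow-list individual programs so everything else is blocked by default.
# Program paths and rule names below are assumptions; substitute your own.

function Get-FirewallPolicy {
    # Parse the "Firewall Policy  BlockInbound,AllowOutbound" line of each
    # profile from "netsh advfirewall show allprofiles" (English output assumed).
    $out = netsh advfirewall show allprofiles
    $profile = $null
    $result = @{}
    foreach ($line in $out) {
        if ($line -match '^(Domain|Private|Public) Profile Settings') {
            $profile = $Matches[1]
        }
        elseif ($profile -and $line -match '^Firewall Policy\s+(\S+)') {
            $result[$profile] = $Matches[1]
        }
    }
    return $result
}

"Policy before:"
Get-FirewallPolicy | Format-Table -AutoSize

# Turn the firewall on for every profile and make Block the default action
# for outbound as well as inbound traffic. Out of the box Vista uses
# BlockInbound,AllowOutbound, which is what the newsletter is warning about.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Allow-list only what you need. Each entry is an assumed example.
$allowed = @(
    @{ Name = 'Allow Firefox outbound'
       Program = 'C:\Program Files\Mozilla Firefox\firefox.exe' },
    @{ Name = 'Allow Windows Update outbound'
       Program = 'C:\Windows\System32\svchost.exe'
       Service = 'wuauserv' }
)

foreach ($r in $allowed) {
    # Delete any stale rule with the same name first so re-running is idempotent.
    & netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null

    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$($r.Name)", 'dir=out', 'action=allow',
                   "program=$($r.Program)", 'enable=yes')
    # Restrict svchost-hosted rules to one service; otherwise every service
    # sharing that svchost.exe would inherit the allow.
    if ($r.Service) { $netshArgs += "service=$($r.Service)" }
    & netsh $netshArgs
}

"Policy after:"
Get-FirewallPolicy | Format-Table -AutoSize
```

Two things worth knowing before relying on this. First, the GUI for outbound rules lives in the MMC snap-in (wf.msc, "Windows Firewall with Advanced Security"), not the Control Panel applet, which is why the newsletter found it hard to configure; the netsh commands above change the same settings. Second, these rules match on program path and service name only: anything that runs inside an already-allowed process inherits its permission, which is exactly the class of "leak" the newsletter's leak-test discussion refers to, so the blockoutbound policy raises the bar but is not a substitute for a host firewall that also inspects process behaviour.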

polonus (Avast Überevangelist, malware fighter)
Re: Vista Firewall Situation
« Reply #1 on: April 10, 2007, 11:04:12 PM »
Hi Tech,

The fw of the future should combine program/process filtering and packet filtering, that is why I have incorporated PktFilter inside my version of ZA. A firewall should work on all levels of the Internet protocol, so nothing can get under the radar unseen by it.

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Lisandro (Avast team)
Re: Vista Firewall Situation
« Reply #2 on: April 10, 2007, 11:14:50 PM »
Quote from polonus: "The fw of the future should combine program/process filtering and packet filtering, that is why I have incorporated PktFilter inside my version of ZA."

I thought this is already present in other firewalls... Am I wrong?
How did you 'incorporate' it?
The best things in life are free.