Archived from groups: comp.security.firewalls
· said in news:dpjCc.246327$hY.236491@twister.nyroc.rr.com:
>
> The Windows Firewall debuting with SP-2 does not include outbound
> blocking. What you are seeing in that article is the ability to
> control which applications are allowed to receive unsolicited inbound
> connections.
You sure? In AV products that I've seen, an application rules list
means you are defining what port and protocol an application can use to
punch *out* from your network. Articles like
http://www.eweek.com/article2/0,1759,1416130,00.asp which state:
"There will be a new ICF Permissions List to which an administrator may
add a trusted application. When an application on this list needs to
open a port, ICF will open it automatically."
This means the *application* wants to open a port, not that some
unsolicited outside traffic is trying to connect specifically to that
particular application, but only through it, if it was running. The
application punches out a port to allow traffic in on that port. You
are allowing the application a port through which it can send outbound
communication (with the possibility that inbound traffic could also use
that port if the application responds to it). Most firewalls allow you
to specify the direction of the traffic, whether outbound or inbound or
both, but I didn't see anything in SP2's Windows Firewall that lets you
specify the direction. It just seemed more likely that you were adding
applications to a rules list to let them establish outbound traffic (so
they are usable).
If SP2's Windows Firewall is not monitoring (and blocking non-excepted)
outbound traffic then I don't see the purpose of having an applications
permission list. Why define an outbound exception list for some
applications when ALL of them can make any outbound connection they
want? An inbound exception list doesn't make sense except for server
programs, like a web server. Since the linked article shows an
anti-virus program in the exception list (which makes *outbound*
connections for updates rather than letting the vendor in anytime they
want) and MSCOM Toolbox (obviously something that needs an *outbound*
connection and nothing an outsider would be trying to connect to) then
it sure looks like this applications permission list is the same as an
applications rules list (which is for OUTBOUND connections).
But since SP2 isn't released yet, I won't know for sure until it does
get released and I can check it out. However, in reading review and
news articles about SP2 Windows Firewall, I sure get the impression that
it will have outbound checking. The scary part is that opening a port
for an application in SP2 Windows Firewall seems to allow both inbound
and outbound traffic. You might want the application to only have
outbound traffic and block any *unsolicited* inbound traffic on the same
port (i.e., not initiated by the outbound traffic on that port).
--
____________________________________________________________
*** Post replies to newsgroup. Share with others.
*** Email domain = ".com" *AND* append "=NEWS=" to Subject.
____________________________________________________________
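An added, constructed model of the distinction the post raises at the end (not code from the poster, from the linked article, or from Microsoft's firewall): a program on an inbound exceptions list accepts unsolicited inbound traffic on its port, whereas a stateful rule with no exception admits only replies to connections the program opened itself. The program name, ports and hosts are made up for the illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", from the protected host's point of view
    app: str          # local program that owns the socket
    local_port: int
    remote: str
    remote_port: int

@dataclass
class Firewall:
    # Programs on an SP2-style exceptions list: they accept unsolicited inbound traffic.
    inbound_exceptions: set = field(default_factory=set)
    # Programs allowed to initiate connections; only consulted when filter_outbound is True.
    outbound_allowed: set = field(default_factory=set)
    filter_outbound: bool = False
    # Connections this host opened; an inbound packet matching one is a reply, not unsolicited.
    flows: set = field(default_factory=set)

    def check(self, pkt: Packet) -> str:
        flow = (pkt.app, pkt.local_port, pkt.remote, pkt.remote_port)
        if pkt.direction == "out":
            if self.filter_outbound and pkt.app not in self.outbound_allowed:
                return "DROP"
            self.flows.add(flow)
            return "ALLOW"
        if flow in self.flows:
            return "ALLOW"  # solicited: reply to a connection the program initiated
        if pkt.app in self.inbound_exceptions:
            return "ALLOW"  # unsolicited, but the program is on the exceptions list
        return "DROP"

def run_scenario(inbound_exception: bool) -> list:
    """Constructed traffic for a hypothetical AV updater: one outbound fetch,
    its reply, then an unsolicited inbound connection to the same local port."""
    fw = Firewall(inbound_exceptions={"avupdate.exe"} if inbound_exception else set())
    traffic = [
        Packet("out", "avupdate.exe", 3001, "update.example.net", 80),
        Packet("in", "avupdate.exe", 3001, "update.example.net", 80),
        Packet("in", "avupdate.exe", 3001, "203.0.113.9", 4444),  # not a reply to anything
    ]
    return [fw.check(p) for p in traffic]

if __name__ == "__main__":
    print("program on exceptions list:", run_scenario(True))   # all three ALLOW
    print("stateful, no exception:   ", run_scenario(False))  # last one DROP
```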