IT security experts and vendors have welcomed the introduction of Windows Firewall, part of Windows XP Service Pack 2 (SP2), as a valuable way of protecting PCs. But while the firewall is an improvement, it falls short of the standard of protection expected of commercial firewalls, according to some industry observers.
Windows Firewall-which replaces the old Internet connection firewall-marks the first time all up-to-date PCs will have a firewall switched on by default, an important step in stopping the spread of viruses according to industry analysts.
However critics say the software suffers from two major flaws; it does not block outbound traffic, and it can be switched off by another application, possibly even by a clever worm.
Most commercial firewalls include a feature to stop all but authorized applications from sending data to the Internet; this stops malicious code from sending unauthorized communications, and also prevents PCs from being hijacked and used to send spam or participate in distributed denial-of-service attacks.
Windows Firewall only filters incoming traffic and allows any application to send outbound packets, a fact which some industry observers have said makes it less useful for serious protection.
"It still isn't as robust as many third-party host-based firewalls," wrote Jeff Fellinge, information security officer at media company aQuantive Inc., in a recent analysis of the firewall.
More seriously, rival firewall makers claim that the API (application program interface) used to manage the Windows Firewall could also be used by attackers to modify the software or turn it off. Major firewall makers, including Zone Labs, McAfee and Symantec are releasing SP2-compatible versions of their applications which disable Windows Firewall when they are installed, and enable it again when they are uninstalled. But if an installer can switch off Windows Firewall, so could an attacker, argues Zone Labs, maker of the popular ZoneAlarm firewall. The company said their products are locked-down in such a way that third-party applications can't disable firewall protection without uninstalling the software.
Microsoft admitted that, in some cases, malicious code could indeed switch the firewall off. However, this isn't so much a flaw as a limitation on the role firewalls should play in a company's security system, Microsoft said.
"An attacker could misuse that (administrative) capability," said Microsoft technical specialist David Overton. "But you're already in a compromised state, if you're at that point."
He said that Windows Firewall is designed to stop malicious transmissions to the PC, rather than protecting the PC once it's been infected. If malicious code makes it past the firewall, it is the role of anti-virus software to protect the machine, added Overton.