SP2's firewall is not good enough

[prathapml]

Full story

The latest Windows firewall is better than nothing - but I for one won't be relying on it

With Microsoft having released Windows XP Service Pack 2 (SP2) to manufacturing, the technology that some have nicknamed "Security Pack 2", coupled with recent rumblings from Microsoft, is spinning the spotlight towards the personal firewall and antivirus sectors.

For starters, after installing SP2, users of XP will notice the addition of a security dashboard to Windows' Control Panel known as the Security Centre. This simple status report on your system's defences answers such basic questions as whether your firewall and antivirus systems are turned on, whether your antivirus solution is using the most recent signature file, and whether your operating system has received all available critical updates.

Today, Windows will tell us that critical updates are waiting to be downloaded through an indicator that pops up from the Windows tray, or following a "scan for updates" that takes place after Windows Update is manually invoked. Until SP2, users could never go to one central location to get an easily scannable status report on their systems' readiness to deal with the most prevalent threats. Barring any known compatibility problems between SP2 and your company's computing infrastructure (like that which has been reported to have occurred at IBM), this feature alone makes SP2 worth the upgrade.

The security dashboard is less of an innovation than it is the reuse of an existing Windows API known as the Windows Management Interface (WMI). During a video interview, Microsoft spokesperson Greg Sullivan said that "WMI is used mostly by IT managers to enforce policies broadly across their domains." But, as it turns out, the API is flexible enough that it can be used to interrogate the status of firewall and antivirus products as long as the developers of those products support that sort of WMI-based interrogation.

Knowing that third-party vendors of personal firewalls such as Zone Labs and Sygate may need some time to support the interface, Microsoft jerry-rigged a connection between the Security Centre and most of the popular third party security products -- a sign of the lengths to which Microsoft will go to deputise customers in the battle against hackers.

Quietly, however, even before SP2 had officially shipped, Zone Labs became one of the first to jump on the WMI bandwagon. Within the past few days, the company issued WMI-compatible updates to the freely downloadable Zone Alarm personal firewall, Zone Alarm Pro (the paid version) and Zone Alarm Security Suite (includes antivirus technology licensed from Computer Associates). If you're running any of those products and the product hasn't already notified you of the update's availability, you should be able to get the update from Zone Labs' site. Though I haven't checked with every firewall vendor, Sygate product manager Elisha Riedlinger told me that Sygate expects to have WMI support in its firewall sometime in the fourth quarter.

According to Zone Labs' vice president of business development Fred Felman: "Our update accomplishes two things. First, our firewalls and antivirus solutions can now report their status to SP2's Security Centre. [Also,] we can turn off the Windows Firewall when we are installed and we turn it back on if we're uninstalled."

This is the way Microsoft would want it to be. According to Microsoft's Sullivan, only 10 percent of Windows users have a personal firewall on their systems. In the interview, he said Microsoft had to ask itself: "What can we do to make sure that this system right out of the box is as rock solid as we can make it, so that the user doesn't have to do anything?" At least part of the answer for Microsoft was to make improvements to the firewall built into Windows and turn it on by default -- which is exactly what the Windows Firewall does once it's installed. As I've posited before, improvements to the Windows Firewall are a controversial issue, the flames of which are being fanned by recent revelations that another answer to Sullivan's "What can we do?" may be "a Microsoft antivirus product".