IT security experts and vendors this week welcomed the introduction of
Windows Firewall, part of Windows XP Service Pack 2 (SP2), as a valuable way
of protecting PCs. But while the firewall is an improvement, it falls short
of the standard of protection expected of commercial firewalls, according to
some industry observers.

Windows Firewall - which replaces the old Internet Connection Firewall -
marks the first time all up-to-date PCs will have a firewall switched on by
default, an important step in stopping the spread of viruses, according to
industry analysts. However, the software suffers from two major flaws,
critics say: it does not block outbound traffic, and it can be switched off
by another application, possibly even by a clever worm.

Most commercial firewalls include a feature to stop all but authorised
applications from sending data to the Internet; this stops malicious code
from sending unauthorised communications, and also prevents PCs from being
hijacked and used to send spam or participate in distributed
denial-of-service attacks. Windows Firewall, however, only filters incoming
traffic, allowing any application to send outbound packets, a fact which
some industry observers have said makes it less useful for serious
protection. "It still isn't as robust as many third-party host-based
firewalls," wrote Jeff Fellinge, information security officer at media
company aQuantive, in a recent analysis of the firewall.

More seriously, rival firewall makers claim that the API (application
program interface) used to manage the Windows Firewall could also be used by
attackers to modify the software or turn it off. Major firewall makers,
including Zone Labs, McAfee and Symantec, are releasing SP2-compatible
versions of their applications which disable Windows Firewall when they are
installed, and enable it again when they are uninstalled.

But if an installer can switch off Windows Firewall, so could an attacker,
argues Zone Labs, maker of the popular ZoneAlarm firewall. The company said
its own products are locked-down in such a way that third-party applications
can't disable firewall protection without uninstalling the software.

Microsoft admitted that, in some cases, malicious code could indeed switch
the firewall off. However, this isn't so much a flaw as a limitation on the
role firewalls should play in a company's security system, Microsoft said.
"An attacker could misuse that (administrative) capability," said Microsoft
technical specialist David Overton. "But you're already in a compromised
state, if you're at that point." He said that Windows Firewall is designed
to stop malicious transmissions to the PC, rather than protecting the PC
once it's been infected.

If malicious code makes it past the firewall, it is the role of anti-virus
software to protect the machine, Overton said. Likewise, it is not the
firewall's place to stop malicious code from sending outbound packets -
Microsoft argues companies should use perimeter technologies to examine
outbound traffic. "The firewall is a management process, not a silver
bullet," Overton said.

He said that Microsoft's user testing had shown that asking users to approve
every application trying to communicate with the Internet tends to backfire.
"If you flood the user with messages like that, they say 'yes' all the
time," he said.

Rival firewall makers say they have various ways of dealing with this
problem. McAfee, for example, has a "white list" of trusted applications,
designed to reduce the number of messages a user receives.