Understanding the value of Vista's Firewall and outbound filtering

Jesper has an interesting blog post discussing what he thinks is the best new security feature in Vista... the Windows Firewall. I am more inclined to say I like UAC better, but thats just me.

Anyways, besides the excellent breakdown on the benefits of the new Vista firewall, Jesper has some discussion on outbound filtering offered by the new firewall, and that it is disabled by default (which is actually incorrect, see his post for more details). This is quite topical to me as we have been discussing this in some detail on a few security lists I am on.

In my opinion, the key take away from Jesper's post is this...

Protection belongs on the asset you are trying to protect, not the one you are trying to protect against!

AMEN!

However, I have to disagree with one part of Jesper's position in regards to this. When the asset you are protecting against comes from another asset you have control to, providing as many layers of defense as possible to assist in the least privilege stance of the asset is helpful in diagnosing and tracking down security violations. In other words, if you have the ability to control outbound filtering, the benefits do exist in applying them to control network packet flow.

If we look back in history to worms like SQL Slammer, we KNOW that those machines are NOT configured to offer outbound SQL connections. So why let it? Instead of allowing all outbound connections and hoping to trap it at the perimeter (which typically is just as poorly configured for outbound connections), why not provide least privilege at the network level and not ALLOW outbound connections in that manner from subjects like this to objects we don't know about. The result would be the significant reduction in the propogation of such hostile code against such attack vectors.

Jesper points out that it would be easy to circumvent much of this. Well yes, if you expect your firewall to act at the TDI layer, its easy to get around. But if you constrain it down at the NDIS layer with deep policy to control the machine to only send out packets to services you wish it to access (following least privilege here and only offering network access to resources needed to perform the task of the machine), you have a much more finite network flow of data. Of course as Jesper kinda eludes to... if the user is logged on as an administrator its a pretty moot point since they can turn off the firewall anyways.

I you want to learn more about the Vista firewall, I highly recommend you check out Jesper's post. It's a great read.