Sunday, August 12, 2007

Vista's Firewall

I guess the paradigm "advanced" is actually a relative term, at least when it's applied to the firewall included in MS Vista. This SANS paper points out a number of short-comings at the same time proposing that it may eventually "provide the perfect solution".

Oh come on! It's just a packet filter, and a poor one at that! They've tied Layer 4 to Layer 7 (specific applications have specific ports) but somehow skipped everything in between (protocol matching, state tracking, etc.). Where's the ability to add functionality (modules) as needed? How about some decent logging facilities?

While I do see the need to keep it simple (the majority of users can't configure a firewall, much less a WWVB-controlled clock), I disagree with the authors in that this is an absolutely royal piece of dung. This has less functionality than one of the pre-1.0 versions of ipchains (hint: a decade ago).

The majority of third party firewalls have much more capabilities. Unfortunately, only those companies who pay tribute to the OS maker are allowed to run their firewalls on Vista. "Advanced" is a relative term in this case because MS gets to filter its competitors.

And before I get accused of MS bashing again, the technology is not what is at issue here. This is "innovation" (i.e., salesmanship) from the marketing department (i.e., putting lipstick on the domestic Sus and expecting someone to kiss it). Anyone want to call "shennanigans"?