Steve Riley on Security

Formerly of Microsoft's Trustworthy Computing Group.

It's your turn: what improvements would you like in Windows Firewall and IPsec?



Yes, the ink is barely dry on the boxes for Windows Vista and we're already planning the next version of Windows. And no, I have no clue what it'll be called. But that isn't a decision I get to make, oh well...

The folks responsible for the firewall and IPsec are actively seeking ideas and suggestions for improvements in the next version. Some areas up for consideration include:

  • The configuration and management UI (the new advanced snap-in, not the control panel)
  • Deployment
  • Diagnostics and troubleshooting
  • Interoperability
  • New scenarios and features
  • Documentation and help
  • Anything else you can think of

Actually, we aren't limiting this to the next Windows. If there are major deployment blocking problems that you have now -- bugs, performance hits, whatever -- let me know now. We can consider some ideas for Vista SP1 and Longhorn Server.

Thanks! Looking forward to your thoughts.

Comments
  • ok... I have not seen the Vista firewall, but I'd like to see "The Big Red Button" (TBRB).  TBRB would be a "panic" button to immediately institute new firewall rules across a domain.  Yeah, I know that there is probably a firewall at the gateway, but many networks are hard on the outside, but soft and tasty on the inside.  So if a worm or other nasty gets in, the only thing to stop it is the windows firewall.  If I had TBRB, I could write a new rule and distribute the changes to the domain before there is too much damage.

    Hope that makes sense...

  • How about stealing the syntax and features from OpenBSD's pf?

  • Turn the ISA "firewall client" into a real firewall as well. Let me assign different rules to groups. Let me push rules. Give it enough guts so I can enable it on gigabit server interfaces and use it as a host-based firewall to protect my servers. Give it a "monitor only" mode and a way of aggregating what it sees into rules so I don't break too much when I implement a rule. Give it real automatic change control features so I can look up who even breathed on the management console to satisfy my SarBox audits.

    Etc. :-)

  • For troubleshooting - I'd like to see a visual traffic grapher built in to Windows that shows traffic flow, type of traffic, source and destination.  What Windows (and a lot of third party firewall products) is missing is instant visual display of what is happening over the network at a current point in time, visually. This could show what's hitting in the computer, what's being denied and what's being allowed through.

  • Something like OpenBSD pf and the new ipsecctl/ipsec.conf simplicity would rock. I'm tired of dealing with bad and bloated IPsec/VPN clients with lots of bad behaviour and a GUI designed by the CEO's son.

  • I would like to see a feature that allows me to block access for a program for incoming AND outgoing traffic.

    It wouldn't be bad either if I could define ports which should be blocked for incoming traffic.

  • I can't keep my windows FIREWALL ON? It keeps disconnecting? WHAT is causing this?

  • There should be predefined settings for voip, messengers, games, torrents, games, ...

  • Support for IKEv2 ( see http://www.rfc-editor.org/rfc/rfc4306.txt )

  • An application authorized by UAC is able to add/remove/destroy all rules from the Windows Vista Firewall without any additional user consent (example: when you install an application).

    I would like to have an extra UAC warning in order to protect the firewall rules.
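    The concern above (an elevated installer silently rewriting the rule set) can at least be detected after the fact. The script below is an added example, not code from the post or from Microsoft: it snapshots the effective rule set with `netsh advfirewall` (present in Windows Vista and later) and reports any rule lines that appeared, vanished or changed since a saved baseline. The baseline path is a placeholder, and the script assumes an elevated prompt.

    ```powershell
    # Added example (not from the post): snapshot the effective firewall rule set
    # and report any lines that differ from a saved baseline.
    # Assumes Windows Vista or later (netsh advfirewall) and an elevated prompt.
    param(
        [string]$BaselinePath = "C:\FirewallBaseline\rules.txt"   # placeholder path
    )

    function Get-FirewallRuleDump {
        # netsh prints one "Rule Name:" block per rule; keeping the raw text
        # avoids depending on any particular field layout.
        netsh advfirewall firewall show rule name=all verbose
    }

    $current = Get-FirewallRuleDump

    if (-not (Test-Path $BaselinePath)) {
        # First run: record the baseline and stop.
        New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
        $current | Set-Content -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath; rerun after installs to compare."
        return
    }

    $baseline = Get-Content -Path $BaselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current

    if ($diff) {
        Write-Host "Firewall rule set differs from baseline:"
        # "=>" marks lines only in the current dump, "<=" lines only in the baseline.
        $diff | Format-Table SideIndicator, InputObject -AutoSize
        exit 1
    }
    Write-Host "Firewall rule set matches baseline."
    ```

    Run it once to record the baseline, then again after each software install or as a scheduled task; a non-zero exit code flags a change worth reviewing, and the differing lines show which rule was added or altered.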

  • I would like an interactive mode. Every new program which sends a ping out should be blocked until I decide to allow it or not. (OK, I can add rules in the snap-in, but that's not comfortable enough :)

    Many greetings!

  • That there was a standard way to make services/(MS) applications speak on a static IP port (not like the DWORD name is sometimes "TCP/IP Port" and sometimes "Assignment ex"). How about a GUI where you push a button to make this service (or process) IP static, delivered also with a CMD tool and as an option for GP editing.

    If you can't make this, then at least make a way that an application can talk through the firewall without a continuous listening process.

    And also an advisory not to use the wizard in 2003 SP1, which makes a complete mess out of any firewall ;)

    How about an alerter that tells you when somebody tried to poison your ARP cache?

    Or an IPsec way to speak with your DNS server?

    For IPsec, a nice way to roll out FIPS-compliant certificates for Unix computers (sorry to put the load on you, our Oracle people just don't care...).

  • I'd like to see a user-friendly editable configuration file for the firewall. OpenBSD's PF firewall is a firewall done right. Its syntax is very easy to understand and it is a secure firewall. Also, I second one of the posters who mentioned OpenBSD's IPsec work. It really is the best out there. It's user friendly, it's secure, and it's technically correct.

  • @Joe

    A user-friendly editable configuration file for a firewall is impossible, because the syntax can't be user-friendly! Windows Vista Firewall is fully configurable and powerful through the advanced GUI. The truth is that OpenBSD and Linux firewalls are obsolete!!! Nowadays nobody wants to manage rules using an editable text file!!!

  • The current firewall in Vista is OK for Vista, but the merging of IPsec and Firewall in Longhorn Server is horrible.

    1) Instead of inbound and outbound views, just break it down into what you are really dealing with - services, apps and ports. When I want to see what my services are configured for, that's what I want to see: SERVICES. Same with apps and ports (having an all-in-one might also be useful, or some cool query building/filtering).

    2) Kill the wizard - or at least give the option to skip it and go right to the config (like IPsec in 2000/2003). I shouldn't even have to ask for this one.

    3) Show firewall and IPsec settings for services on the service property page.

    4) Have a direct way to view and edit firewall/IPsec settings from Task Manager - either bring up a property page or have a column that indicates allowed, blocked or secured. A block-all from Task Manager would be nice, as would an allow-all-temp for troubleshooting (and show the results without having to look for them in some offbeat location).

    5) Current help in the wizard is very confusing - I know what I need/want to do, but reading the wizard help confuses me - it just seems that it's a one-size-fits-all approach that doesn't fit any size. The wizard can be cut to two or three pages - who, what, how (can anyone explain the page where it lists the services (the one after the presets)?). I just don't get what it's trying to accomplish there.

    6) Emphasize domain groups over IP addresses for isolation policies - why bother with IP addresses? Don't you lose the best advantage?

    7) Design the UI around the idea of authentication - that's really what it's all about here! Design services and apps with this in mind. "This app is allowed to authenticate to: ", "This app trusts: " -- so much nicer, and it really gets the number of property pages down.

    8) If it's really intended that only a few Connection Security policies need to be created, then just find a way to remove this from the basic UI - if someone needs a more complicated policy let them configure it, but really this is the biggest disconnect - won't most people just need to set the "default" and go with that?

    9) Make the MMC 10x faster! It's way too slow.

    10) The entire process is much easier in 2003 - all I really wanted was a more customizable UI for IPsec - bigger windows that remember their size and columns, mostly. That's all I really wanted.

    11) A Domain Controller preset!

    I'm just saying...
