I have been challenged whilst working at Microsoft to up my thinking about security, architecture, and infrastructure. When I joined (around 5 years ago) I thought, like a lot of IT Pros, that I knew a relatively good amount about Windows, and that Microsoft did stupid things for which I never gave it the benefit of the doubt. Once you get to learn the reasons behind some of the decisions made, you quickly realise that very little happens by accident, and most things are done for a very good reason.

One of my favorite debates in this thread is the externally filtering firewall (outbound filtering, egress filtering, whatever you want to call it). This is a relatively good technology that has its place, but the industry "experts" seem to entirely miss the point. One of the strongest features of a firewall for a client is in the area of worm defence, meaning that the kind of attacks seen with Sober, Slammer, etc., which propagated themselves automatically, would be impeded by a host-based firewall. There is a usability paradigm to look at, but medicine teaches us that the most effective countermeasures are either extremely simple and operate with no exceptions or conscious user interaction (like the skin: it stops bugs that would kill the heart but doesn't let them pass through, so the heart is effectively immune), or are very complex and operate with little user interaction (like the immune system, which, although it runs as "admin" on the body, doesn't really give you a choice).

Case Against it

The outbound firewall needs some work in order not to kill the user with decisions and questions like "RPC End Point Query needs to speak to DC1 on remote 135 - do I allow?" And inbound filtering is the most effective way to prevent a worm in the first place: if we look at an inbound blocking mechanism like a host-based ingress firewall, it could stop a worm in several ways, the most important being not to process the infection packet at all, because you didn't ask for it. The argument from the anti-outbound community says that if you have already been infected it is too late, and that attack coders would have written some code in their pathogen to disable outbound blocking (if you accept this as a trivial action, which I don't).

How do you manage outbound connections and policy on 120,000 clients? In the XP Firewall and Vista we use Active Directory, and our firewall is fully scriptable, but it is a fair question: if you do want to manage a complex outbound filtering policy in a worldwide org, it won't be a small effort.
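To make that "fair question" concrete, here is an added example (mine, not code from the original post or from Microsoft) of what a centrally managed default-deny outbound policy looks like on a domain-joined Windows client, written against the NetSecurity cmdlets that succeeded the XP/Vista-era netsh scripting. It pre-authorises from policy the flows a domain member needs to log on and apply Group Policy (DNS, Kerberos, LDAP, the RPC endpoint mapper on 135 and the dynamic range behind it, SMB for SYSVOL, web via a proxy), so the "DC1 on remote 135 - do I allow?" question never reaches the user, and it tunes the remaining gaps from the dropped-packet log rather than from prompts. The DC addresses, proxy address and port, dynamic RPC range and GPO name are all placeholders I assumed for illustration.

```powershell
<#
  Added example, not code from the original post or from Microsoft: a
  default-deny outbound baseline for a domain-joined Windows client, built
  with the NetSecurity cmdlets (Windows 8 / Server 2012 and later; the
  XP/Vista-era firewall was driven with netsh instead). Every address,
  port and GPO name below is an assumption made for illustration.
#>
param(
    # 'PersistentStore' writes to this machine. To author the same rules
    # centrally for every domain client, point this at a GPO, for example
    # 'corp.example\Client Egress Baseline' (assumed domain and GPO name).
    [string]   $PolicyStore       = 'PersistentStore',
    [string[]] $DomainControllers = @('10.0.0.10', '10.0.0.11'),   # assumed DC addresses
    [string]   $WebProxy          = '10.0.0.20',                   # assumed outbound web proxy
    [string]   $ProxyPort         = '8080'                         # assumed proxy port
)

$Group = 'Egress baseline'

# Start from a clean slate so re-running the script does not stack duplicate rules.
Remove-NetFirewallRule -PolicyStore $PolicyStore -Group $Group -ErrorAction SilentlyContinue

function New-EgressRule {
    # Thin wrapper so each allowed flow is one readable line below.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('TCP', 'UDP')] [string] $Protocol,
        [Parameter(Mandatory)] [string] $RemotePort,
        [string[]] $RemoteAddress = 'Any'
    )
    New-NetFirewallRule -PolicyStore $PolicyStore -Group $Group -DisplayName $Name `
        -Direction Outbound -Action Allow -Profile Domain -Enabled True `
        -Protocol $Protocol -RemotePort $RemotePort -RemoteAddress $RemoteAddress | Out-Null
}

# What a domain member must reach on its DCs to log on and apply policy.
# Pre-authorising these from policy is what removes the "RPC endpoint mapper
# wants to talk to DC1 on 135, allow?" class of question from the user.
New-EgressRule 'DNS (UDP)'            UDP '53'            $DomainControllers
New-EgressRule 'DNS (TCP)'            TCP '53'            $DomainControllers
New-EgressRule 'Kerberos (UDP)'       UDP '88'            $DomainControllers
New-EgressRule 'Kerberos (TCP)'       TCP '88'            $DomainControllers
New-EgressRule 'NTP'                  UDP '123'           $DomainControllers
New-EgressRule 'RPC endpoint mapper'  TCP '135'           $DomainControllers
New-EgressRule 'LDAP (UDP)'           UDP '389'           $DomainControllers
New-EgressRule 'LDAP (TCP)'           TCP '389'           $DomainControllers
New-EgressRule 'LDAPS'                TCP '636'           $DomainControllers
New-EgressRule 'Global Catalog'       TCP '3268'          $DomainControllers
New-EgressRule 'SMB (SYSVOL, GPO)'    TCP '445'           $DomainControllers
# Dynamic RPC range the DC hands back after the endpoint mapper query
# (49152-65535 is the default on Windows Server 2008 and later).
New-EgressRule 'RPC dynamic ports'    TCP '49152-65535'   $DomainControllers
# Web traffic only via the proxy; nothing else on the client gets direct Internet.
New-EgressRule 'Web via proxy'        TCP $ProxyPort      $WebProxy

# Flip the Domain profile to default-deny in both directions and log the drops.
# AllowLocalFirewallRules False matters when $PolicyStore is a GPO: the engine
# then ignores allow rules added to the local store, so a payload that gained
# admin cannot simply add itself an exception (it would have to tamper with the
# service or driver, which is a much louder action). Blocked outbound traffic
# is dropped silently, never prompted, so tuning is driven from the log.
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

function Get-BlockedOutboundSummary {
    # Summarise dropped *outbound* packets (path = SEND) by protocol and destination
    # port, so the admin, not the user, decides which flows earn an allow rule.
    param([string] $LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    $fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
              'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'
    Get-Content -Path $LogPath |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' } |
        Group-Object -Property protocol, 'dst-port' |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name,
            @{ n = 'Destinations'; e = { ($_.Group.'dst-ip' | Sort-Object -Unique) -join ', ' } }
}

Get-BlockedOutboundSummary | Format-Table -AutoSize
```

Run locally it only touches the machine it runs on; run once with -PolicyStore pointed at a GPO, the same rules are authored centrally and Group Policy refresh carries them to every client in scope, which is the part of the 120,000-client problem that scripting plus Active Directory actually solves. The log summary is the feedback loop: a destination port that keeps showing up as DROP SEND is either a legitimate flow that needs a rule added to the GPO or something on that host trying to get out, and either way the decision is made by an administrator looking at data, not by a user looking at a pop-up.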

Trial posting - as is and confers no rights

Case For It

Let's take an example from medicine (again). When a host gets infected with a disease, we sometimes treat the disease from an epidemiological perspective by blocking its propagation to other hosts and allowing the infection to run its course. For many diseases today, for which science has no answer, this is our only defence. Quarantines, as well as more traditional barrier mechanisms, all have a place in the real world. An outbound firewall, if you could implement it correctly, could contain an infection on a host to that host and prevent it from propagating.

If you believe the above, doesn't that mean that, if correctly implemented, an outbound firewall can add real value? And if so, isn't the question to ask "what is the kind of technology we have to engineer to make this a real barrier?" Man has seldom seen nature get it wrong. Ignoring post-infection containment blocking strategies may be a cost-benefit argument (maybe other things are cheaper or easier to do), but I would love for us to get this feature right. What would it need to do to be useful and legitimate from your view? Mail me: my email address is the same as my first name, at Microsoft.