OneCare Firewall: a light-weight approach to a heavy-duty problem
Since Microsoft released its Windows Live OneCare security kit in June, there has been much discussion as to how the product would benefit ordinary PC users and whether it really delivers on its mission of providing reliable, yet easy-to-use, PC protection for consumers. On top of those discussions came accusations (http://sunbeltblog.blogspot.com/2006/06/microsoft-practices-predatory-pricing.html) that Microsoft was engaging in predatory pricing intended to drive off competition and stifle innovation in the security space for consumers.
In order to fully understand the ins and outs of the debate, we decided to go ahead and install the product and conduct our own in-house assessment of the OneCare-bundled firewall protection. We are pleased to share the results of this test run with you in this month’s Security Insight.
A brief glance
The OneCare interface looks sophisticated and well-organized; it has a colorful information window from which all program settings and commands can be accessed. The program is based on Microsoft’s proprietary .Net technology and requires users to install the .Net package before using it.
As we were primarily interested in the firewall component, we went first for the Firewall tab - available from the Settings menu. The remainder of this article is a description of our experience and the impressions we garnered while using the OneCare firewall.
How the firewall treats applications
By default, OneCare firewall is set to address programs in an automatic mode – every program access is managed through the Microsoft-created and supplied application behavior policy. Programs that are allowed to connect to the Internet are included in that policy and the firewall simply lets them connect without restriction.
The problem with this policy is that it covers a very limited number of applications, so the user is forever having to respond to notifications from other, perfectly legitimate programs as they attempt to access the Internet. Another weakness of this approach is that, whether the firewall is in automatic or user-definable access mode, it first blocks the application from accessing the Internet and only then asks whether the program should be permitted to access the Internet on subsequent occasions.
What this means is that a legitimate program soliciting first-time access to the Internet, in our case an IM chat program, cannot connect to the Internet; after a brief delay, a message to this effect appeared on the screen. It’s really not very user friendly to deny connections to programs accessing the Internet for the first time, and it limits the program’s functionality until a restart restores its operation to a normal state. The way unknown programs are treated by the firewall leaves users with the impression that every application is presumed guilty, by being blocked, until proven otherwise.
The same cannot be said of how OneCare fares with leaktests (http://www.firewallleaktester.com, http://www.pcflank.com). After OneCare had run for a couple of hours and built up a reasonably sized database of application access rules, we subjected the firewall to a slate of leaktests intended to verify how the program would protect users against imaginary malware attempts to upload data from the host computer. The results were very poor, with the OneCare firewall passing only the most basic and simple leaktests and failing the rest. Amusingly, it treated the leaktests as if they were normal Windows Explorer (explorer.exe), Internet Explorer and other credible applications widely used on a Windows-based computer, failing to detect that the tests imitated, injected code into, or hijacked a trusted application and then connected on its behalf, inheriting its access permissions.
The implications of this poor performance are far-reaching: any competent piece of malware would have no problem stealing data from a PC ‘protected’ by OneCare, and the firewall uttered not a single peep to prevent this from happening. This is a pretty serious shortcoming, since one of the primary functions of a firewall is to protect against unauthorized program connections – both incoming and outgoing; OneCare on this basis does not even meet the minimum requirements for an effective firewall.
The OneCare firewall is so basic that it doesn’t even provide for the creation of advanced application access rules – you can either allow an application to access the Internet or deny it. You cannot make a rule that, for example, would enable Internet Explorer to access some websites and not others (on the basis of IP address, for example). Nor can you specify time-based access permissions or apply advanced access parameters to the way applications are allowed to connect to the Internet, such as stipulating trusted ports and protocols for a particular application.
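To make concrete what "advanced application access rules" means in the paragraph above, here is an added illustration (our own example, not OneCare or Outpost code) of a per-application outbound policy that evaluates exactly the dimensions the article lists: destination address, port, protocol and time of day, with unknown applications denied by default. The application names, address ranges and time windows are constructed sample values.

```python
"""Per-application outbound rule evaluator (illustrative, not a real product's engine)."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    app: str                              # executable name the rule applies to
    action: str                           # "allow" or "deny"
    proto: Optional[str] = None           # "tcp" / "udp"; None matches any protocol
    ports: Optional[range] = None         # allowed destination port range; None = any
    networks: Tuple[str, ...] = ()        # destination CIDRs; empty = any destination
    window: Optional[Tuple[time, time]] = None  # (start, end) local time of day


def matches(rule: Rule, app: str, proto: str, dst: str, port: int, now: time) -> bool:
    """True if every constraint the rule sets is satisfied by this connection."""
    if rule.app != app:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    if rule.networks and not any(ip_address(dst) in ip_network(n) for n in rule.networks):
        return False
    if rule.window is not None and not (rule.window[0] <= now <= rule.window[1]):
        return False
    return True


def decide(rules, app: str, proto: str, dst: str, port: int, now: time) -> str:
    """First matching rule wins; anything unmatched is denied (and would prompt the user)."""
    for rule in rules:
        if matches(rule, app, proto, dst, port, now):
            return rule.action
    return "deny"


# Constructed sample policy: the browser may reach one address block over HTTP/HTTPS
# during office hours only; the IM client may use UDP 5000-5010 at any time.
RULES = [
    Rule("iexplore.exe", "allow", "tcp", range(80, 81), ("192.0.2.0/24",), (time(9), time(17))),
    Rule("iexplore.exe", "allow", "tcp", range(443, 444), ("192.0.2.0/24",), (time(9), time(17))),
    Rule("iexplore.exe", "deny"),                       # browser: everything else blocked
    Rule("im_client.exe", "allow", "udp", range(5000, 5011)),
]
```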
Despite these major failings, OneCare does have other qualities, both good and bad, that it is worth mentioning.
Network configuration and intrusion prevention
The OneCare firewall detects your network configuration and can limit access to the user’s files and printers to members of the same network (a subnet), with access from the Internet being restricted. Just as with granting applications Internet access, this is very basic; you cannot create advanced rules or maintain whitelists and blacklists of remote addresses for Internet or domain-network access. The same limitations apply to access through Remote Desktop.
Amazingly, OneCare lacks the accepted industry standard of an intrusion detection and prevention system, which most third-party firewalls (Outpost Firewall Pro, Norton Personal Firewall) include. This is a serious omission, as there are many hacker tools available today which can generate automated, wide-scale intrusion attempts against thousands of PCs in the hope of finding inadequately protected machines that can be exploited later. These tools are constantly being improved and expanded, and it is quite disturbing that Microsoft does not provide any kind of protection against such attacks for its OneCare customers.
OneCare’s packet filtering is on a par with its competition, and the ability to select a port range for any chosen protocol is a useful feature.
Performance and compatibility
Although the program works quite fast on a mid-range PC, the way it handles programs launched for the first time is less than satisfactory. By default, all executed programs undergo an initial spyware scan with OneCare’s Windows Defender (currently in its Beta 2 version), which delays program execution by as much as ten seconds. We also found, towards the end of our evaluation, that this may not be limited to the first program run. Windows Defender is updated separately from the main program update, and may start at any time, regardless of how much bandwidth you may be using – for example, if it starts up when the user is at a crucial point in an online game, the gameplay could be badly interrupted.
We also found compatibility issues with OneCare – but not the ones you’d expect. Before installing the software, we already had a running firewall on our computer (of course – as would most people). Guess what happened next? OneCare neglected to warn us of any need to first uninstall the existing firewall before proceeding with the installation of OneCare. So, we found that OneCare worked smoothly alongside Outpost Firewall Pro, and that Outpost Firewall was the first to monitor the system, ask questions and protect the user – not OneCare. That’s not good news for OneCare.
Before we finished our testing, yet another unfortunate incident occurred – OneCare blocked Internet access for our installed browsers (IE, Firefox) altogether and only permitted them to connect to the Internet in idle (switched off) firewall mode. This is when we finally parted company with the entire OneCare suite.
Although the program is very intuitive, nice to look at, and easy to use – which is good for the program’s target audience of inexperienced users – its functionality is a big let-down and does not serve that inexperienced user audience well. It reminds us of those colorful and feature-rich graphical user interfaces (GUIs) with nothing behind them that you sometimes see at exhibitions, because the vendors couldn’t finish the whole program in time. Microsoft OneCare needs a serious overhaul before it can be considered anything more than a fancy interface with no real security under the hood.