For Safe Updates, Build a Better Firewall

By Larry Seltzer  |  Posted 2005-08-29

Opinion: Controlling a computer's Internet access while it's not being used is more effective than turning off the box.

I'm one of those people who everyone comes to with their computer problems. The other day my electrician was telling me how he went away for a while and turned his computer off while he was gone. He had current anti-virus software and a firewall, but when he came home and turned it back on, something got through and attacked him. It struck me that this is a general problem, and one that is probably getting worse.
Consider the recent Zotob episode: The first variants of the worm appeared less than a week after the vulnerability on which they relied was disclosed and a patch released.
It's not hard to see how a computer might go unpatched in that time, and it's easy to see how a new computer, fresh out of the box, might be connected to the Internet and vulnerable to attack less than a week after disclosure. (A new computer would have Windows XP and basically not be vulnerable to Zotob and related attacks, but the general point stands.)

In fact, it's not uncommon to read security advice that you should turn off your computer when you're not using it. The theory is that you diminish the amount of time that the computer is on the Internet being attacked. But this misses the ironic point that it also diminishes the amount of time during which your computer is able to update itself. This led me to write a column telling users to leave their computers on all the time.

A better answer would be a special mode of communications into which Windows would enter before fully enabling the network stack. A "whitelist" of addresses, which would need to be rigorously secured, would define the only sites with which the computer will communicate until the user takes it out of whitelist mode using some big, obvious user interface element. The most obvious entries in this whitelist would be the various Microsoft update sites. In a corporate installation it might be the SUS server or some other relevant server. An OEM could also add entries for its own update site and for any bundled security software, such as Symantec's LiveUpdate.

Once in the mode, the user could be presented with a list of available updates and asked whether he or she wanted to download and apply them. Or a policy could be set to install all updates automatically and then exit the mode.

It seems to me that the personal firewall is the proper point for enforcing such a policy, and probably any modern firewall could be updated to provide such protection.
If I'm not mistaken, Windows XP SP2 loads either the Windows Firewall or the user's third-party firewall before the network stack is enabled. So, in fact, any firewall vendor (including Microsoft) could implement this, but I'd hope that some sort of standard could develop for the whitelist and the behavior of the mode.

It might also make sense to re-enter this mode after a period of inactivity. That way, if the user leaves the system on overnight, the only thing that can take place is software updates. Certainly this would interfere with retrieving e-mail or running any peer-to-peer services on the computer, but the answer is to let the user choose the degree to which whitelist mode will be in effect.

As I see it, whitelist mode doesn't address a major hole but a low-probability edge case. The problem is that it's an edge case to which even well-protected users are subject, purely out of bad luck. I think this mode would fill in those cracks and reinforce the general effort to make users aware of their security arrangements and whether they are up to date.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
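As an added example (not the column's own proposal and not any vendor's code) of what the whitelist mode described above looks like when the host firewall enforces it, the following PowerShell script puts a modern Windows machine into an "update-only" mode: default-deny outbound on every profile, with allow rules only for the Windows Update and BITS services, DNS, DHCP and an in-house WSUS server, plus an exit command and an optional nightly re-entry task. It assumes Windows 8 / Server 2012 or later (the NetSecurity and ScheduledTasks modules), an elevated prompt, and a hypothetical WSUS server at 10.0.0.25; the rule group name, the state file path and the task name are choices made here, not anything from the column.

```powershell
<#
  Added example, not from the original column or from any vendor: an "update-only"
  firewall mode for Windows, approximating the whitelist mode the column proposes.
  Assumes Windows 8 / Server 2012 or later (NetSecurity module), an elevated prompt,
  and a hypothetical WSUS server at 10.0.0.25.  Usage:
      .\UpdateOnlyMode.ps1 -Mode Enter      # whitelist mode on
      .\UpdateOnlyMode.ps1 -Mode Exit       # the "big obvious" way out
      .\UpdateOnlyMode.ps1 -Mode Status
      .\UpdateOnlyMode.ps1 -Mode Schedule   # re-arm the mode nightly when idle
#>
[CmdletBinding()]
param(
    [ValidateSet('Enter', 'Exit', 'Status', 'Schedule')]
    [string]$Mode = 'Status',
    [string[]]$WsusServer = @('10.0.0.25'),                                   # hypothetical
    [string]$StateFile = "$env:ProgramData\UpdateOnlyMode\disabled-rules.txt"  # chosen here
)

$Group   = 'Update-Only Mode'
$SvcHost = "$env:SystemRoot\System32\svchost.exe"

function New-WhitelistRules {
    # Idempotent: drop rules left by a previous run, then recreate the whitelist.
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    $common = @{ Group = $Group; Direction = 'Outbound'; Action = 'Allow'; Profile = 'Any' }

    # Public Microsoft update sites live on CDNs with changing addresses, so they are
    # whitelisted by *who* may talk (svchost.exe hosting wuauserv or BITS), not by address.
    New-NetFirewallRule @common -DisplayName "$Group - Windows Update" `
        -Program $SvcHost -Service wuauserv -Protocol TCP -RemotePort 80,443 | Out-Null
    New-NetFirewallRule @common -DisplayName "$Group - BITS download" `
        -Program $SvcHost -Service BITS -Protocol TCP -RemotePort 80,443 | Out-Null

    # The corporate case from the column: an in-house update server, pinned by address.
    New-NetFirewallRule @common -DisplayName "$Group - WSUS" `
        -RemoteAddress $WsusServer -Protocol TCP -RemotePort 8530,8531 | Out-Null

    # Name resolution and address assignment, without which nothing above can connect.
    New-NetFirewallRule @common -DisplayName "$Group - DNS" `
        -Program $SvcHost -Service Dnscache -Protocol UDP -RemotePort 53 | Out-Null
    New-NetFirewallRule @common -DisplayName "$Group - DHCP" `
        -Program $SvcHost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
}

function Enter-UpdateOnlyMode {
    New-WhitelistRules
    # Disable every other enabled outbound allow rule (Core Networking, browsers, P2P
    # clients...) so nothing but the whitelist survives default-deny; remember them for Exit.
    $others = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
              Where-Object { $_.Group -ne $Group }
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    $others | Select-Object -ExpandProperty Name | Set-Content -Path $StateFile
    $others | Disable-NetFirewallRule
    # Default-deny in both directions on every profile. Profile settings persist, so a
    # machine shut down in this state boots back into it before anyone logs on.
    Set-NetFirewallProfile -All -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Exit-UpdateOnlyMode {
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    if (Test-Path $StateFile) {
        $names = @(Get-Content $StateFile | Where-Object { $_ })
        if ($names.Count -gt 0) { Enable-NetFirewallRule -Name $names }
        Remove-Item $StateFile
    }
    # The whitelist rules can stay: under outbound default-allow they change nothing.
}

function Get-UpdateOnlyModeStatus {
    $open = Get-NetFirewallProfile -All | Where-Object { $_.DefaultOutboundAction -ne 'Block' }
    [pscustomobject]@{
        UpdateOnlyMode = (@($open).Count -eq 0)
        WhitelistRules = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue).Count
    }
}

function Register-NightlyReentry {
    # The column's "re-enter after a period of inactivity", approximated as a SYSTEM task
    # that re-arms the mode nightly and only once the machine has been idle for 30 minutes.
    $action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Mode Enter"
    $trigger  = New-ScheduledTaskTrigger -Daily -At 1am
    $settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle `
        -IdleDuration (New-TimeSpan -Minutes 30) -IdleWaitTimeout (New-TimeSpan -Hours 4)
    Register-ScheduledTask -TaskName 'UpdateOnlyMode-Reenter' -Action $action `
        -Trigger $trigger -Settings $settings -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
}

switch ($Mode) {
    'Enter'    { Enter-UpdateOnlyMode; Get-UpdateOnlyModeStatus }
    'Exit'     { Exit-UpdateOnlyMode;  Get-UpdateOnlyModeStatus }
    'Status'   { Get-UpdateOnlyModeStatus }
    'Schedule' { Register-NightlyReentry }
}
```

Two caveats a practitioner would attach. The firewall decides which process may leave the machine and for where, not whether the far end is genuine: a poisoned DNS answer or a hijacked route still reaches the whitelisted hole, so the "rigorously secured" part the column asks for rests on the update channel itself (WSUS over HTTPS on 8531, and the signatures on the update packages), not on the firewall. And because Microsoft's public update endpoints change addresses, the example pins the public case to service identity rather than address and reserves address pinning for the in-house server; an OEM's bundled updater would need its own rule by program path, added the same way.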
Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
