So let's look at some of Yankee's specific findings and recommendations.

Yankee believes that the two-way firewall in Vista commoditizes the desktop firewall market. They recommend that existing players not look on it as a growth item in the future. There's something to this, although third parties have typically combined actual firewall functions and the blocking and opening of TCP ports with IPS functions that are much less threatened by Vista.

This should aggravate what is already a confusing situation, but the third parties will be hurt by calling them firewalls. They need a new name, otherwise Yankee will be right and the fact that Vista comes with a competent firewall will doom them.

There are a number of other desktop IPS products, but most of them are either small-fry specialty products or integrated into what vendors call desktop firewalls or security suites. I don't see a threat worth measuring here, and it's perfectly conceivable that the vendors will be able to demonstrate protections that Microsoft doesn't provide with Vista. I don't think a lot of software is sold for this function.

Same thing for teeny categories like Device Control. Some measure of this capability belongs in the OS obviously, but there's still a small living to be made for customers who want greater control.

Certainly Yankee is right that conventional anti-virus software is unthreatened by Vista, even though some of Vista's protections make many viruses less threatening. The claim that Windows Defender will kill off much of the anti-spyware market depends on how good a job it does, but this is fine with me.

The anti-spyware market is a phony creation of security companies; this function should always have been performed by anti-virus software, and I suggest that the category as a separate entity will die off in any event as companies like Symantec add anti-spyware to their anti-virus offerings, which is where they belong anyway.

Yankee is right about what it calls Network Access and Zoning—what everyone else calls NAC. This is a diverse and competitive market. Microsoft has no special credibility in it and bundled agent support is of trivial value.

Yankee then goes on to a series of predictions, some of which are reasonable. For example, Yankee predicts that "Vista's Tighter Security Will Annoy Users"—and induce them to consciously make stupid decisions, akin to driving right past a "WARNING! BRIDGE OUT!" sign. No doubt users will blame Microsoft when they compromise their systems after bypassing security features in Vista that proved tiresome, but there's a limit to what Microsoft can do about these things.

I disagree with Yankee when it says that there is inadequate information for developers to make their programs run in a restricted account environment. In fact, the guidelines are not dissimilar to those of the Windows XP logo program, which also required that programs run in a standard user context. If Yankee is hearing this from developers, I suspect that the developers are actually just unhappy with the guidelines, not ignorant of them.

Yankee recommends that Microsoft backport Windows Defender and Least Privileged Access to XP. Windows Defender runs on Windows XP right now; does Yankee know something I don't know about the future of this program? As for Least Privileged Access, this is a major change in the behavior of the OS and not a reasonable request. Yankee says that an easy-to-use configurator for the DropMyRights tool would do, and it has a point, but there are plenty of third-party tools for this.

"Retire ActiveX—now." Yankee's assertion that this is a practical idea just can't be taken seriously. ActiveX is widely deployed and can't be easily dismissed. Microsoft has begun, with certain changes in IE 7, to let enterprises limit ActiveX to a specific whitelist and block out all other controls, but if it were eliminated it would have to be replaced with something just as vulnerable. You have to be able to run native code—even Firefox does.

Yankee's overall sense that Vista does some damage to some security aftermarkets, but that Microsoft remains vulnerable (especially on legacy operating systems) is spot-on. I also agree that IT departments would be mistaken to dive head first into Vista, but waiting for 2008 seems like an arbitrary rule to me. The enterprise I ran would have some test groups running it, perhaps on a second computer or under VMware.

Don't expect Microsoft to cut the heart out of a whole class of ISVs—it's not something they often do. And in the end, Vista will probably create some new security software opportunities that we haven't even realized yet. It happens every time.

