For Safe Updates, Build a Better Firewall

Opinion: Controlling a computer's Internet access while it's not being used is more effective than turning off the box.

Im one of those people that everyone comes to with their computer problems. The other day my electrician was telling me how he went away for a while and turned his computer off while he was gone.

He had current anti-virus software and a firewall, but when he came home and turned it back on, something got through and attacked him.

It struck me that this is a general problem, and one that is probably getting worse.

Consider the recent Zotob episode: The first variants of the worm appeared less than a week after the vulnerability on which they relied was disclosed and a patch released.

Its not hard to see how a computer might not be patched in that time, and its easy to see how a new computer, fresh out of the box, might be connected to the Internet and vulnerable to attack less than a week after disclosure.

/zimages/4/28571.gifClick here to read about possible problems with the Windows Server SP1 automatic update.

(A new computer would have Windows XP and basically not be vulnerable to Zotob and related attacks, but the general point stands.)

In fact, its not uncommon to read security advice that you should turn off your computer when youre not using it. The theory is that you diminish the amount of time that the computer is on the Internet being attacked.

But this misses the ironic point that it also diminishes the amount of time that you are able to update your computer. This led me to write a column telling users to leave their computers on all the time.

A better answer would be a special mode of communications into which Windows would enter before fully enabling the network stack. A "whitelist" of addresses, which will need to be rigorously secured, would define the only sites with which the computer will communicate until the user takes it out of whitelist mode, using some big obvious user interface element.

The most obvious entries in this whitelist would be the various Microsoft update sites. In a corporate installation it might be the SUS server or some other relevant server. An OEM could also put in entries for its own update site and for any bundled security software, such as LiveUpdate from Symantec.

Once in the mode, the user could be presented with a list of available updates and asked if he or she wanted to download and apply them. Or a policy could be set to install all updates automatically, and then exit the mode.

/zimages/4/28571.gifRead details here about Microsofts latest set of patches.

It seems to me that the personal firewall is a proper point for enforcing such a policy, and probably any modern firewall could be updated to provide such protection.

If Im not mistaken, Windows XP SP2 loads either the Windows Firewall or whatever the users third-party firewall is prior to the network stack being enabled.

So, in fact, any firewall vendor (including Microsoft) could implement this, but Id hope some sort of standards could develop for the whitelist and the behavior of the mode.

It might make sense, after a period of inactivity, to re-enter this mode. In this way, if the user leaves the system on overnight, the only thing that can take place is software updates.

Certainly this would interfere with retrieving e-mail or running any peer-to-peer services on the computer, but the answer is to let the user make the choice as to the degree the whitelist mode will be in effect.

As I see it, whitelist mode doesnt address a major hole, but a low-probability edge case. The problem is that its an edge case to which even well-protected users are subject, and purely out of bad luck. I think this mode would fill in those cracks and reinforce the general effort to make users aware of their security arrangements and whether they are up to date.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.