Monday, 7 December 2009

Does the Windows Firewall help?

With both Vista and Windows 7 available, an analysis of the impact of including a firewall in Windows XP may seem a little dated. However, the same use and deployment of this control applies to both Windows 7 and Windows Vista.

This is a control that, if used, has a statistically significant effect. I say 'if' because this is a control that is commonly overlooked or disabled. Continuing from the same hazard modelling experiments from which I have posted selected results over the preceding weeks, in this post I am presenting the effect of using the XP firewall. These results come from the same experiment as reported in a previous survival study on Windows XP.

It is clear from the histogram above that an un-firewalled Windows XP host faces a major problem. This was skewed by the Conficker worm, which managed to compromise the un-firewalled hosts in quick succession. The quickest time was 5.4 seconds from the network cable being connected to a scan occurring (this was in May 2009). This was an exception and hence an outlier. Most hosts managed to remain uncompromised for around 18 hours, with only 25% of the sample being compromised in under 3 hours.

Alternatively, leaving the host running with the firewall enabled provided a good level of protection (without a user on the system). This does not reflect a true Windows XP system. The connections are from external sources (such as a server model) to the host. In general, a Windows XP system will have a user and will act as a client. This introduces aspects of browsing and retrieving external files (e.g. email). These aspects of the host's security will be investigated in subsequent posts.

The boxplot and the results of a Welch two-sample t-test demonstrate that the two conditions are statistically distinct at a significant level (where alpha = 1%). With a p-value < 2.2e-16, it is possible to reject a null hypothesis of no significant improvement and state that there is overwhelming evidence in favour of deploying the Windows XP firewall (or an equivalent).
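To show how the Welch comparison above is computed, here is an added example that is not part of the original post or the tooling used in the study. The survival times are constructed for illustration and are not the study's measurements; the function names are hypothetical.

```python
import math
from statistics import mean, variance

def welch_t(a, b):
    """Return (t, df) for Welch's unequal-variance two-sample t test on a vs b."""
    na, nb = len(a), len(b)
    va, vb = variance(a) / na, variance(b) / nb  # squared standard errors
    t = (mean(a) - mean(b)) / math.sqrt(va + vb)
    # Welch-Satterthwaite approximation to the degrees of freedom
    df = (va + vb) ** 2 / (va ** 2 / (na - 1) + vb ** 2 / (nb - 1))
    return t, df

def t_upper_tail(t, df, steps=20000):
    """P(T > t) for Student's t, by Simpson integration of the density on [0, |t|]."""
    log_c = math.lgamma((df + 1) / 2) - math.lgamma(df / 2) - 0.5 * math.log(df * math.pi)
    def pdf(x):
        return math.exp(log_c - (df + 1) / 2 * math.log1p(x * x / df))
    h = abs(t) / steps  # steps must be even for Simpson's rule
    area = pdf(0.0) + pdf(abs(t))
    for i in range(1, steps):
        area += (4 if i % 2 else 2) * pdf(i * h)
    tail = max(0.5 - area * h / 3, 0.0)  # tiny tails bottom out at ~0
    return tail if t >= 0 else 1.0 - tail

# Constructed sample data (hours until compromise), NOT the study's measurements.
HOURS_NO_FIREWALL = [0.0015, 2.1, 2.8, 9.5, 14.0, 17.0, 18.0, 19.0, 21.0, 24.0, 30.0, 41.0]
HOURS_FIREWALL = [310.0, 420.0, 515.0, 380.0, 600.0, 455.0, 720.0, 390.0, 505.0, 640.0, 480.0, 560.0]
ALPHA = 0.01  # significance level used in the post

def firewall_effect(protected=HOURS_FIREWALL, exposed=HOURS_NO_FIREWALL, alpha=ALPHA):
    """One-sided test of H0 'the firewall gives no improvement in survival time'."""
    t, df = welch_t(protected, exposed)
    p = t_upper_tail(t, df)
    return {"t": t, "df": df, "p": p, "reject_h0": p < alpha}

if __name__ == "__main__":
    r = firewall_effect()
    print(f"t = {r['t']:.2f}, df = {r['df']:.1f}, reject H0 at alpha={ALPHA}: {r['reject_h0']}")
```

Because the numerical integration cannot resolve extremely small tail probabilities, the result is compared against alpha rather than reported as an exact p-value.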

The disappointment is that, in a sample of 136 home systems from client computers that have been tested and a sample of 231 systems inside various client networks, few systems ran a firewall.

Of the hosts tested, 31.28% (or 23 systems) had the Windows XP Firewall or a commercial equivalent installed and running. Of the internal systems tested in this study, 6.1% (or 14 hosts) had a firewall enabled internally (inside the corporate firewall).

The ability to enable IPSec and Group Policy within a corporate environment is a control that is generally overlooked or bypassed. The results of enabling (or rather not disabling) the Windows Vista and Windows 7 firewall are still being completed. The preliminary results display an even more pronounced benefit in a pattern similar to Windows XP.

A study of the Red Hat Firewall (iptables) will follow in the coming days.
