It's your turn: what improvements would you like in Windows Firewall and IPsec?

Yes, the ink is barely dry on the boxes for Windows Vista and we're already planning the next version of Windows. And no, I have no clue what it'll be called. But that isn't a decision I get to make, oh well...

The folks responsible for the firewall and IPsec are actively seeking ideas and suggestions for improvements in the next version. Some areas up for consideration include:

  • The configuration and management UI (the new advanced snap-in, not the control panel)
  • Deployment
  • Diagnostics and troubleshooting
  • Interoperability
  • New scenarios and features
  • Documentation and help
  • Anything else you can think of

Actually, we aren't limiting this to the next Windows. If there are major deployment-blocking problems that you have now -- bugs, performance hits, whatever -- let me know now. We can consider some ideas for Vista SP1 and Longhorn Server.

Thanks! Looking forward to your thoughts.

Comments

  • Anonymous
    January 18, 2007
    The comment has been removed

  • Anonymous
    January 18, 2007
    How about stealing the syntax and features from OpenBSD's pf?

  • Anonymous
    January 18, 2007
    Turn the ISA "firewall client" into a real firewall as well. Let me assign different rules to groups. Let me push rules. Give it enough guts so I can enable it on gigabit server interfaces and use it as a host-based firewall to protect my servers. Give it a "monitor only" mode and a way of aggregating what it sees into rules so I don't break too much when I implement a rule. Give it real automatic change control features so I can look up who even breathed on the management console to satisfy my SarBox audits. Etc. :-)

  • Anonymous
    January 18, 2007
    For troubleshooting - I'd like to see a visual traffic grapher built in to Windows that shows traffic flow, type of traffic, source and destination.  What Windows (and a lot of third party firewall products) is missing is instant visual display of what is happening over the network at a current point in time, visually. This could show what's hitting in the computer, what's being denied and what's being allowed through.

  • Anonymous
    January 19, 2007
    Something like OpenBSD pf and the new ipsecctl/ipsec.conf simplicity will rock. I'm tired of dealing with bad and bloated IPsec/VPN clients with lots of bad behaviour and a GUI designed by the CEO's son.

  • Anonymous
    January 19, 2007
    I would like to see a feature that allows me to block access for a program for incoming AND outgoing traffic. It wouldn't be bad, too, if I could define ports which should be blocked for incoming traffic.

  • Anonymous
    January 19, 2007
    I can't keep my Windows FIREWALL ON? It keeps disconnecting? WHAT is causing this?

  • Anonymous
    January 19, 2007
    There should be predefined settings for voip, messengers, games, torrents, games, ...

  • Anonymous
    January 19, 2007
    Support for IKEv2 (see http://www.rfc-editor.org/rfc/rfc4306.txt)

  • Anonymous
    January 20, 2007
    An application authorized by UAC is able to add/remove/destroy all rules from the Windows Vista Firewall without any additional user consent (example: when you install an application). I would like to have an extra UAC warning in order to protect the Firewall rules.

  • Anonymous
    January 21, 2007
    I would like an interactive mode. Every new program which sends a ping out should be blocked until I decide to allow it or not. (OK, I can add rules in the snap-in, but that's not comfortable enough :) Many greetings!

  • Anonymous
    January 23, 2007
    The comment has been removed

  • Anonymous
    January 24, 2007
    I'd like to see a user-friendly editable configuration file for the firewall. OpenBSD's PF firewall is a firewall done right. Its syntax is very easy to understand and it is a secure firewall. Also, I second one of the posters who mentioned OpenBSD's ipsec work. It really is the best out there. It's user friendly, it's secure, and it's technically correct.

  • Anonymous
    January 26, 2007
    @Joe a user-friendly editable configuration file for a firewall is impossible due to the syntax; it can't be user-friendly! Windows Vista Firewall is fully configurable and powerful through the advanced GUI. The truth is that OpenBSD and Linux firewalls are obsolete!!! Nowadays nobody wants to manage rules using an editable text file!!!

  • Anonymous
    January 27, 2007
    The comment has been removed

  • Anonymous
    February 01, 2007
    The comment has been removed

  • Anonymous
    March 07, 2007
    I would consider the following useful:

      • allow Firewall policies/exceptions based on user groups / user roles (Windows Vista brings this same cool feature with Local Group Policies that can be assigned to Administrators / Non-administrators).
      • bring the ISA Firewall client into the Windows Firewall on the client machines.
      • given the Network Location Awareness feature in Vista, it'd be nice if one could set Firewall rules/exceptions depending on WHERE the computer (mobile computer!) actually is located.

  • Anonymous
    March 28, 2007
    Take a page from other firewall vendors on how to configure them. As a reseller, I sell Sonicwalls, not ISA. Why? Look at how to get the two interoperating. Details at: http://www.sonicwall.com/us/support/2134_3527.html 3 pages (P. 2->4) on configuring the Sonicwall side. 19 pages (p. 7-25) for the ISA server side. Do them both; count the settings, mouse clicks, keys, or whatever. Similar hoops with IPSec, and I can point to those examples if you haven't already seen them. Maybe ISA 2006 is better? Don't know; haven't looked into it. Too many moving parts and settings for the same functionality means more ways to not do it right and more things to debug. Just my $0.02. BTW: You've done some great recorded webcasts!

  • Anonymous
    April 02, 2007
    The comment has been removed