Microsoft's Internet Connection Firewall and You
In December, Microsoft offered firewall vendors a new set of resources and options for disabling or living with the Microsoft Internet Connection Firewall, to be included as a Windows XP application.
by Jon Byous
Microsoft is concerned with the potential security problems of the naive user who has connected to the Internet via a cable or DSL modem. Without a firewall, a customer's computer is vulnerable to a variety of scans and hostile attacks, and many new users don't understand this. Windows XP, the mid-2001 upgrade platform for all Windows users, includes an easy-to-configure firewall facility to address this security issue.
At the same time, Microsoft doesn't want to cause a series of upgrade conflicts with third-party vendor firewall products. Many Windows customers already have firewall software installed, and many others will purchase new third-party packages. The potential for conflicts between two firewalls is enormous.
On December 14, 2000, Microsoft presented their concerns to a small group of independent firewall vendors who are also Windows XP beta users to develop a plan for avoiding problems early in the Windows XP upgrade process.
Microsoft Internet Connection Firewall - Overview
- Extension of the Windows 2000 NAT driver
- Designed for intrusion prevention
- Enabled on a per-interface basis
- Target audience: users of broadband connections who are unaware of intrusion threats and the need for protection
- Simple checkbox UI
- Advanced features: logging, ICMP options
Toward a Peaceful Coexistence
"We don't want to compete, we want to coexist," says Dennis Morgan, Microsoft's Program Manager for Home Networking. "Our target audience for the Microsoft Internet Connection Firewall is the new user, not aware of the need for a firewall due to having an always-on broadband Internet connection."
The Windows XP Internet Connection Firewall from Microsoft is a base-level firewall that only inspects inbound traffic at the packet level. It does not, as currently planned, conduct any outbound filtering or application-layer filtering. It was designed for the simplest configurability possible, targeting new and non-sophisticated users. Microsoft focused on streamlining the configuration process and programming the majority of settings with common defaults.
Yet even with the common default settings, Microsoft anticipates problems whenever two firewalls exist in the same box.
Looking for Solutions - Early On
Microsoft has discovered that upgrades from a Windows 9x platform to Windows 2000, NT, or Windows XP often cause conflicts with existing application components, third-party firewalls included. This is because of significant architectural changes in the kernel and network stack between the platforms.
When the Microsoft application compatibility testing team discovers this type of conflict, they add code to Windows setup that detects the presence of those applications, for example by looking for file names or registry entries. That code launches a dialog box for the user during the upgrade process that lists which components will not operate after the upgrade. The dialog gives the user the option of halting the upgrade in order to keep the component's functionality. If the customer proceeds with the upgrade, Windows XP by default disables or uninstalls the component in order to prevent subsequent conflicts.
"We want to go beyond that default with firewall application developers to give them the opportunity and resources to test their products for customer upgrades to Windows XP," says Morgan. "We hope that firewall vendors can then either write upgrade components to supply to customers for compatible upgrades or even provide a new revenue-generating upgrade-enhanced product."
Third-Party Opinions
Two attendees at Microsoft's Internet Connection Firewall Design Review offered DevX their opinions on Microsoft's move to include a firewall with the Windows XP operating system.
In essence, Microsoft is asking firewall vendors to conduct the initial testing and establish the upgradability of their products, and then to contact Microsoft, which will work with each vendor to develop a smooth upgrade experience for users.
"We know every individual vendor and product will have special issues to address, and we want to work with each of you to develop better solutions," says Morgan. "For example, you could write code for the upgrade that we could potentially ship on the Windows XP CD that would detect your product on the customer's machine and launch an upgrade DLL for your specific product."
How to Get Started
Morgan recommends, "I would encourage firewall developers to install Beta Release 1 to see how the Microsoft Internet Connection Firewall operates and then run tests on coexistence issues with each of your products."
It will show, for example, how to enumerate the adapters, how to determine whether the firewall is enabled on an adapter, and how to enumerate the port mappings. SDK Beta Release 2, available mid-Q1, will include more functionality to work with the Microsoft Internet Connection Firewall's installation, configuration, and coexistence settings.
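The three checks listed above (enumerate the adapters, read the per-interface firewall flag, list the port mappings) map onto the HNetCfg COM interfaces that shipped with Windows XP's ICS/ICF. The script below is an added illustration, not code from the article or the beta SDK it describes; it assumes the HNetCfg.HNetShare ProgID and the documented INetSharingConfiguration and INetSharingPortMappingProps members, and that the ICSSC_DEFAULT enumeration scope is 0.

```powershell
# Added example: inspect ICS/ICF state per adapter via the shipped HNetCfg COM API.
# Assumption: HNetCfg.HNetShare exposes EnumEveryConnection, NetConnectionProps and
# INetSharingConfigurationForINetConnection as documented for Windows XP and later.
$share = New-Object -ComObject HNetCfg.HNetShare

# Enumeration scope for EnumPortMappings; ICSSC_DEFAULT is assumed to be 0.
$ICSSC_DEFAULT = 0

foreach ($conn in $share.EnumEveryConnection) {
    $props = $share.NetConnectionProps($conn)
    $cfg   = $share.INetSharingConfigurationForINetConnection($conn)

    # One summary object per adapter: this is what a third-party firewall would
    # read before deciding whether to migrate settings and disable ICF.
    [pscustomobject]@{
        Name     = $props.Name
        Device   = $props.DeviceName
        Guid     = $props.Guid
        Firewall = $cfg.InternetFirewallEnabled   # the per-interface ICF checkbox
        Shared   = $cfg.SharingEnabled            # ICS enabled on this interface
    }

    # Port mappings are the inbound exceptions a coexisting firewall must
    # either honour or migrate into its own rule set.
    foreach ($pm in $cfg.EnumPortMappings($ICSSC_DEFAULT)) {
        $p = $pm.Properties
        "    mapping '{0}': proto {1} ext {2} -> {3}:{4} enabled={5}" -f `
            $p.Name, $p.IPProtocol, $p.ExternalPort, $p.TargetIPAddress, $p.InternalPort, $p.Enabled
    }
}
```

On Windows Vista and later the InternetFirewallEnabled property is no longer the authoritative firewall state; the Windows Firewall (INetFwPolicy2) API supersedes it, so treat this flag as XP-era information only.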
Microsoft's Preference: Avoiding Conflict
"We hope that your firewall product will be able to detect the presence of the Microsoft Internet Connection Firewall, read its configuration, migrate the configuration into your product, and disable the Microsoft product," says Morgan.
"If you decide not to disable the Microsoft Internet Connection Firewall during the installation of your product, and both products are running at the same time, that's fine," he adds, "We just don't want the user to see pop-up boxes every time there's an incoming packet."
Either way, the Microsoft Windows XP product team emphasizes that they are not out to replace your product or cut into your sales. They simply want all of their customers connected to a cable modem or DSL line to have at least a basic firewall in place.
Strategies for Game Vendors
Microsoft's primary concern for game vendors deals with ICS (Internet Connection Sharing) and Network Address Translation (NAT) problems. NATs provide the ability to share a single IP address among multiple computers on a network.
Many game vendors are frustrated over not being able to ensure compatibility with new releases of Windows, especially when a firewall is concerned. They ask quite reasonable questions, such as, "Why won't my network game run in Windows Millennium Edition?" or "How can I have two instances of my game running behind ICS?" Microsoft has developed a process to help.
"Our first message is to write your application to use DirectPlay as your networking transport. Support for DirectPlay is provided as part of the DX SDK. By doing that, you get support for both ICS and our firewall for free," says Morgan.
"If you decide to use your own protocol, for example, because you are cross-platform, which DirectPlay doesn't support, we ask you to write it in a NAT-friendly way," he says. Microsoft offers a whitepaper on this topic, "Developing NAT Friendly Applications," available in the Microsoft Knowledge Base.
As an alternate approach, Morgan adds, "If you decide that your application protocol in fact can not work with NAT and DirectPlay, Microsoft will provide you with an API called the Application Layer Gateway. With this API, you can write a plug-in, essentially a proxy, that allows you to maintain control of your data as it goes through ICS and the firewall. That way, you can write and distribute the plug-in to gain compatibility without releasing any proprietary protocol information."
Testing Is Paramount
Third-party compatibility problems with Windows Millennium Edition have shown Microsoft the value of informing vendors early of changes and of encouraging thorough compatibility testing on the vendor's end.
Today, the Windows XP team has a simple message: "Test your products now with the Windows XP Microsoft Internet Connection Firewall. Test your product with ICS. Test early and retest over and over again. We'll help you work out the conflicts. But don't wait. Start now."
For More Information
Contact Microsoft with your questions at the following addresses: