Comments on: Is Windows Vista’s firewall crippled?

By: Michael

Michael — Sat, 11 Nov 2006 11:47:22 +0000

>> In plenty of scenarios malware will be unable or unwilling to reconfigure the OS to avoid detection. That detection will then allow you to clean up your computer and stop infecting others.

Ronald, I fully agree. The problem is that security experts often don’t acknowledge this argument. They assume that all malware avoids detection by outbound filtering. Experience shows that this assumption is simply wrong.

By: Ronald

Ronald — Thu, 09 Nov 2006 21:16:18 +0000

I can’t believe people are seriously debating the value of outbound filtering. The “It’s too late if you are catching it at outbound” argument is insane. That is like saying that testing for STD’s is useless because if you test positive you already have the disease. In plenty of scenarios malware will be unable or unwilling to reconfigure the OS to avoid detection. That detection will then allow you to clean up your computer and stop infecting others.

Moreover, the now routine collecting of personal information by big corporations and phoning it home cannot be stopped without outbound filtering. I for one don’t trust MSFT, Adobe, etc. etc. all of which liberally phone home regularly sending god-knows-what back to their vast databases unless you block it.

Because Windows Vista offers no way to do outbound filtering on-the-fly (no outbound notifications are possible), it is entirely crippled for outbound. The only way to do it is if I know in advance the exact name of the program that will be attempting to phone home, etc. If I knew all that in advance, I wouldn’t need outbound filtering!

The good news for the firewall makers is this will keep them in business for another 5 years as any serious computing user will still have to purchase a 3rd party firewall. Really a shame. It would take only a few lines of code to enable on-the-fly outbound notification, MSFT has all the other needed outbound filtering capabilities in place. I kind of laugh when I see the option for _inbound_ notification with a parallel outbound option conspicuously absent. It’s like, “Hello guys, you seem to have forgotten something!” Ridiculous.

By: Michael

Michael — Wed, 17 May 2006 06:07:33 +0000

quux, I fully agree on this with you.

By: quux

quux — Wed, 17 May 2006 02:38:17 +0000

Obviously, personal preference should be respected.

My main goal in this discussion has simply been to point out the basic weaknesses in the outbound firewall strategy. Certainly it can do some good – however, those who use it should be aware of these weaknesses so they have an accurate understanding of what they’re doing. Too many proponents of the outbound firewall appear to be unintentionally ignorant of these fundamental weaknesses.

By: Michael

Michael — Wed, 17 May 2006 01:15:10 +0000

Andrew, I think, we only have to discuss the last point. If there are some cases where the Personal Firewall’s outbound filter prevents malware from causing further damage, then this would prove that outbound filtering is useful. I’ve already seen such cases, and I guess, I am not the only one. I just gave some examples above. Those were real scenarios not just theoretical considerations.

So, the question is, will this change in the near future? Of course, malware gets more and more sophisticated. This should not surprise us. We encounter more and more sophisticated viruses that can disable anti-virus software, and cause a lot of damage afterwards. Is this a reason to uninstall my anti-virus software? I guess, not. Vendors of anti-virus software improve their products too. This doesn’t mean that malware won’t succeed in fooling anti-virus software in the future. It is quite obvious that there will always be malware that is more sophisticated than the security software I use in my network.

But this is not the point. As long as my outbound filter helps against some malware out there, I will keep on using it, no matter how sophisticated malware will be in the future. I bet, the programmers of Personal Firewalls will get better, too.

I think, the problem is that security experts often think like hackers or malware writers. They think of ways to crack a certain system. If they think it is easy for them, then a security solution seems useless from their point of view. A sysadmin should think differently. If a security solution helps in some scenarios, it is already useful. In the end, it doesn’t matter how sophisticated the malware was that crashed my whole network.

By: Andrew

Andrew — Fri, 12 May 2006 17:53:35 +0000

I will reply in-line below…
This is wrong for three reasons: First, the firewall may still prevent the malware from sending information to its masters.
(adidell – If the box is compromised, there is no way for the outbound firewall to do this, especially if the malware contains a rootkit. The malware can make the firewall also not alert you by intercepting the dialog box or by simply hijacking an existing session at the network layer.)

Second, the firewall might prevent the malware from compromising other systems on your network.
(adidell – For the same reasons above, this is not possible. For example, if you received an attachment in an email that contains an executable, and you are silly and don’t have current and updated AV software running on your system that could block code execution, at the exact moment your outbound firewall alerts you it is already too late…i.e. the code has already executed. While you have the potential to block the *initial* attempt by clicking "No"at the warning dialog box, just because you don’t see another box on your screen does not mean the malware has been prevented from traveling outbound and affecting other systems or "dialing home.")
Third, the alarm of the personal firewall could be a hint that your system has been compromised, which is very valuable information.
(adidell – In the absence of an AV product on the system, I agree with you 100% that the alert is important…but the underlying block may not prove effective once the malware is executed.)

It is just a theoretical scenario that malware circumvents outbound filtering, once the system is compromised.
(adidell – Actually, this is seen everyday by security support groups at many software firms. For NDA reasons, I cannot disclose any more. At a minimum, the malware hijacks an existing session and rides it out with no notification and makes no attempt to shut down the actual firewall.)
The point is that in practice, malware has not always enough rights to shut down the firewall.
(adidell – If the user is running as admin, it has all the rights it needs. If the user is running as non-admin but the malware has an escalation of priv exploit, it can obtain those rights.)
Plus, malware is often not clever enough to circumvent outbound filtering. So, in some cases, outbound filtering of a personal firewall helps, and in some it doesn’t. Just like in some cases antivirus software helps against malware, and it some cases it doesn’t. You wouldn’t give up your antivirus software, would you?
(adidell – AV is not analogous to this because AV attempts to prevent the execution of malware…outbound firewalls only attempts block traffic once the malware has executed.)
It is just not enough to show that there are some cases where outbound filtering of a personal firewall is useless. You have to make me believe that there is no case where it is useful.
(adidell – It is useful if your OS’s services architecture is integrated with the firewall’s monitoring capabilities, as in Vista and I’m sure in the future on other platforms. It could prevent poorly written malware from calling home if if doesn’t have any code to hijack existing connections. However, the trend in malware is that they are becoming incredibly sophisticated relative to malware less than a year old. So, while this may have been valuable in the past, its use in the future is diminishing.)

By: Michael

Michael — Fri, 12 May 2006 16:17:53 +0000

@Andrew

„The problem with applying the defense-in-depth principle to host-based outbound filtering is that if all the other defenses fail to prevent malware from being loaded on your machine, then the game is already up…your box is already compromised.“

This is wrong for three reasons: First, the firewall may still prevent the malware from sending information to its masters. Second, the firewall might prevent the malware from compromising other systems on your network. Third, the alarm of the personal firewall could be a hint that your system has been compromised, which is very valuable information.

It is just a theoretical scenario that malware circumvents outbound filtering, once the system is compromised. The point is that in practice, malware has not always enough rights to shut down the firewall. Plus, malware is often not clever enough to circumvent outbound filtering. So, in some cases, outbound filtering of a personal firewall helps, and in some it doesn’t. Just like in some cases antivirus software helps against malware, and it some cases it doesn’t. You wouldn’t give up your antivirus software, would you?

It is just not enough to show that there are some cases where outbound filtering of a personal firewall is useless. You have to make me believe that there is no case where it is useful.

By: quux

quux — Thu, 11 May 2006 22:42:57 +0000

Andrew – well said. I agree 100%.
As previously mentioned, most of the people I’ve met who use outbound firewalls are really more interested in preventing software from ‘phoning home’ for privacy protection and/or to escape various licensing fees. Once they’ve gotten that far, they tend to defend their choice as a security measure.
But as you’ve shown, depending on the compromised system to protect other systems is, well, not clear thinking in my humble opinion.

By: Andrew

Andrew — Thu, 11 May 2006 19:07:37 +0000

The problem with applying the defense-in-depth principle to host-based outbound filtering is that if all the other defenses fail to prevent malware from being loaded on your machine, then the game is already up…your box is already compromised.
Given that, your outbound firewall will simply be shut off if the malware elevates itself to admin via exploit or if the user is already running as admin.
This is a fundamental and common misunderstanding…
The malware has to be prevented from getting onto your box in the first place, prevented from executing if it does, and then damage mitigated if it still manages to. The outbound firewall cannot help you if those 3 scenarios fail as the box is completely under the control of the malware already.

By: Michael

Michael — Thu, 04 May 2006 15:45:52 +0000

You are right, there are more and more programs that need network access, but there are also still many which don’t. I estimate that on my PC at least half of the programs I use don’t need network access. They are allowed to execute, but if they ever try to connect to the internet they will be automatically blocked, since there is a high chance that they might be infected by malware. Signature-based malware detection is useful, but sometimes heuristics does a better job. If notepad.exe suddenly needs networks access, something is wrong, even if the execution list gives a go.

By: quux

quux — Thu, 04 May 2006 03:16:54 +0000

I do see your point. Well spoken.

However, for most folks the test is

’do I trust the program?’

not

‘do I trust the program to network?’

For most users, the simpler choice is the better one. Especially as more and more software becomes dependent on network use, if for no other reason than to check for security updates at regular intervals!

You mentioned that a program would need to execute before we can see if it tries to start outbound networking. That’s true. But it’s also true that we’d have to let it establish that network connection, and then we’d have to sniff that connection, before we could determine whether there was some malicious intent. That’s still a task better suited to humans than to software. Luckily we have a lot of experienced humans on the job doing just that; which is why most outbound firewalls and execution firewalls have the ability to download big lists of ‘allowable’ and ’suspect’ programs from some (presumably trustworthy) source.

For those who wish to allow a program to run but not give it permission to network, I totally agree with you. An outbound firewall is what these folks need. I suspect a lot of these people are using their outbound firewall not for security purposes, but for privacy protection purposes. Or maybe as a way to escape licensing fees. I also suspect this class of user is by far the minority and that mainstream users would be better served by an ‘execution firewall’ than by the ability to selectively choose which programs can or cannot initiate outbound network sessions.

But hey, I’m just one (opinionated) guy!

Finally – what if one program had both execution firewalling and outbound net firewalling? Check out http://free.prevx.com for just that.

By: Michael

Michael — Thu, 04 May 2006 02:32:48 +0000

I think, the interesting question in our debate is, if there might be cases where your execution firewall allows the malware to run, but your network firewall doesn't allow it to access the network. I think, I gave such an example. The point is that sometimes you simply don't know, if a program is malware by just inspecting the executables or defining a list of programs which are allowed to execute. But if a program which is not supposed to connect to the internet suddenly shows this suspicious behaviour, you'd better stop it from proceeding. However, the program can only show this behaviour if you allow it to execute. So your execution firewall can't find the malware by definition in this case. To sum it up: the list of the execution firewall might be different from the one of your network firewall.

Besides, there are cases when a program is not malware, but you don't want it connected to the internet, for example, because it loads ads or sends information to the vendor. Your execution firewall is useless here.

By: quux

quux — Thu, 04 May 2006 02:04:46 +0000

Not sure if we are saying the same thing in different ways, or if I have failed to make my point in a clear way.

By default, any executable that’s on your system is allowed to execute.

Prevx (and similar tools, there are a couple others that have the same theory of operation) is something I suggest as a better extra line of defense than an outbound firewall can be.

Instead of putting itself in front of the network stack and saying ‘only things on my list are allowed to access the network’ (in which case the virus can still wreak havoc locally to your system), a prexv-type ‘execution firewall’ it puts itself in front of the system and says ‘only things on my list are allowed to run at all’.

So. Same principle; deeper level of protection. You could run both a Prevx-type ‘execution firewall’ and an outbound firewall if you really wanted an extra moat. But since both are list based, if both had the same list, the outbound firewall would never see a single packet. Because the malware would never run. If I had a choice, ‘oubound firewall’ or ‘execution firewall’, I would clearly choose the ‘execution firewall’ since it protects both my system and all others. While the outbound firewall leaves me unprotected!

By: Michael

Michael — Thu, 04 May 2006 01:32:10 +0000

Quux, of course it is always better to prevent malware from being executed in the first place. There are tools which specialize on this, like antivirus software. My point is that these tools might fail to do their job at times. Thus, it is better to have another line of defence which, at least, helps to prevent malware from infecting other computers on your network or sending confidential information from your computer to its programmers. For example, your word processing program is allowed to execute, but usually it doesn't have to connect to the internet. If a virus that is not recognized as such by your antivirus tool infects this program, your personal firewall can at least prevent the virus from causing further damage.

By: quux

quux — Thu, 04 May 2006 01:08:41 +0000

Michael, think it through. The outbound firewall doesn't prevent malware from executing ... it just prevents said malware from connecting to any other computer. Outbound firewalls basically always boil down to a list of that software which is allowed to connect outbound. My point is simply this: if you're going to be making such a list, why not change it to that software which is allowed to execute - and protect yourself, as well as every other net connected computer in the world? (please feel free to delete my badly formatted post @ 2:30 AM)

By: Michael

Michael — Thu, 04 May 2006 00:56:49 +0000

Quux, I don't agree with your first argument. Of course, no security software gives you a 100% guarantee, malware somehow manages to circumvent the protection. But if you take this argument seriously, then security tools are always useless.

I fully agree with your second point when it comes to outbound filtering configured by end users. However, in a corporate network, administrators have to know anyway which applications are allowed to connect to the internet.

By: Michael

Michael — Thu, 04 May 2006 00:43:29 +0000

Jim, I think, it is almost impossible to create a user interface that makes outbound-firewall filtering easy to configure for end users. The problem, nowadays, are the countless applications that need to connect to the internet. Usually, it takes days to configure a personal firewall. Often, it is not clear for the average user which app wants to connect to the internet. In my view, it is simply too complicated for most users to configure outbound filtering.

By: quux

quux — Thu, 04 May 2006 00:30:55 +0000

Gack. Sorry about the bad formatting … 2nd try. I posted this on the Tilloch article too, and no, I’m not affiliated with Prevx).

You guys who call for outbound firewall protection baffle me.

First: by the time your outbound firewall kicks in, the malware is having its way with *your* computer, and you may be protecting others for a short while, but the malware will probably kill even that protection soon enough.

Second: in real life, outbound firewalls simply train most users to click YES on the ’should I let {X} software access the internet?’ message as soon as it pops up, without bothering to read it. For this class of user (the majority), the speedbump is terribly low.

If this kind of popupware is your idea of good protection, why not look at things like Prevx which not only stop the malware from dialing out – but also stop that same malware from diving in?

By: Jim

Jim — Wed, 03 May 2006 20:28:31 +0000

The conspiracy theory here is that MS simply doesn’t have time to finish up the enduser aspect of this to make it easy. MS is yanking out or cutting short on the features right and left to get Vista out quicker. This theory could very well be true due to the fact it really makes no sense why MS would not include an easy way to handle such a firewall. That and the fact that MS is struggling to get a stable version of Vista out there that will be still be compelling for consumers to buy.

It wouldn’t surprise me to see more much more appearing to be done halfassed once we get our hands on a finished copy of Vista.