Software FIREWALLS : inbound protection or just “leak test” protection ?

[Zyrtec]

Hi everybody,

Lately, I've been reading a lot about the hype of software firewalls being used to protect computers from so called “leak tests” instead of focusing on INBOUND PROTECTION.

What is a software firewall for ? I ask.

I thought it was useful to block intrusions, port scans, protect form vulnerabilities in the operating system, protect from computer WORMS like for example the infamous BLASTER that hit Windows NT/2000/XP in August, 2003 (does someone remember this infamous mesage, by the way ? : “Windows must now restart because the Remote Procedure Call
(RPC) Service terminated unexpectedly.” and the endless reboots that happened to computers running those OS at that time.

That worm exploited a vulnerability in the OS and got into thousands of PCs through a computer PORT not protected (by people not using a software firewall or people who not applied a patch for that vulnerability released by MS a month earlier [July 16, 2003]).

Now, I see people just “worried” about this or that firewall just passed the “LEAK TEST” with flying colors and don't care about INBOUND protection.

What good is a “leak test” if you allow bad software (e.g. : worms, malware, etc.) to penetrate your defenses in the first place?
That's why you MUST run Antivirus and Anti-spyware on your computer and you must have them updated.
If you are so worried about bad software lurking on your PCs you may as well run an HIPS that not necessarily have to be integrated into the firewall.

Software FIREWALLS are intended to control INBOUND connections in my humble opinion.
If you are so worried about outbound connections then that means you DON'T trust the software already installed on your PC hence you shouldn't have it installed in the fisrt place.

Every time I read about the hype with the “leak tests” for software firewalls annoys me because people are sidetracking the most important function in a FW that is to protect computers from the bad software embedded on certain web pages that some naive users visit (e.g.: porn sites, warez sites, etc.). Then they come across with a computer virus infection and start asking themselves how have I gotten myself into this ?

We should practice SAFE computing instead of keep worrying if whether your FW passed “leak tests” or not.
I'm NOT a computer expert, far from it, I'm just a newbie who have been using computers since the Windows 95 days. However, the PCs I've used since then haven't been infected by a virus, a trojan horse, an Internet worm or other malware ever.

If you have a good AV and a good AS why shouldn't they be able to handle any bad software that might have slipped through your firewall ? Then, either your FW is not protecting you or your AV/AS are outdated.

Thank you,

Carlos

[dmenace]

Some Interesting Points Zyrtec.

Inbound Protection by a software firewall is usually irrelevent as most routers have NAT and SPI.

The only area that distinguishes various firewalls' inbound protection is ARP poisioning related attack protection. Such attacks are only a concern when your pc is connected to a large network.

Software Firewall's Inbound Protection is useless against allowed traffic - so if you allow firefox to receive packets on port 80, any traffic will pass straight through firewall. So if you download a virus in firefox, your firewall won't block that.

[FadeAway]

Quote:

Originally Posted by dmenace

Inbound Protection by a software firewall is usually irrelevent as most routers have NAT and SPI.

Not everybody has routers. If you are just running a modem, then
a software firewall on your Windows comp can be a major line of defense,
along with things like a up-to-date OS and no unnecessary open ports
with listening apps. In my experience, a good software firewall will
also allow you to block ranges of ports, protocols, and IP addresses,
both in-bound and out-bound. A Trojan can't set up shop on,
for example, port 30100, if you have a rule blocking port range
10,000 - 65535, except for what you may need open.
In fairness, some routers do have firewalls that allow users to
configure rules, but that is just one option.

Everyone's system is unique. A blanket statement that software
firewalls are only for outbound protection is naive. Microsoft
didn't add an in-bound firewall to XP and turn it on automatically
in SP2 just for the fun of it.

[nmaynan]

Quote:

Originally Posted by Zyrtec

Hi everybody,

Lately, I've been reading a lot about the hype of software firewalls being used to protect computers from so called “leak tests” instead of focusing on INBOUND PROTECTION.

What is a software firewall for ? I ask.

I thought it was useful to block intrusions, port scans, protect form vulnerabilities in the operating system, protect from computer WORMS like for example the infamous BLASTER that hit Windows NT/2000/XP in August, 2003 (does someone remember this infamous mesage, by the way ? : “Windows must now restart because the Remote Procedure Call
(RPC) Service terminated unexpectedly.” and the endless reboots that happened to computers running those OS at that time.

That worm exploited a vulnerability in the OS and got into thousands of PCs through a computer PORT not protected (by people not using a software firewall or people who not applied a patch for that vulnerability released by MS a month earlier [July 16, 2003]).

Now, I see people just “worried” about this or that firewall just passed the “LEAK TEST” with flying colors and don't care about INBOUND protection.

What good is a “leak test” if you allow bad software (e.g. : worms, malware, etc.) to penetrate your defenses in the first place?
That's why you MUST run Antivirus and Anti-spyware on your computer and you must have them updated.
If you are so worried about bad software lurking on your PCs you may as well run an HIPS that not necessarily have to be integrated into the firewall.

Software FIREWALLS are intended to control INBOUND connections in my humble opinion.
If you are so worried about outbound connections then that means you DON'T trust the software already installed on your PC hence you shouldn't have it installed in the fisrt place.

Every time I read about the hype with the “leak tests” for software firewalls annoys me because people are sidetracking the most important function in a FW that is to protect computers from the bad software embedded on certain web pages that some naive users visit (e.g.: porn sites, warez sites, etc.). Then they come across with a computer virus infection and start asking themselves how have I gotten myself into this ?

We should practice SAFE computing instead of keep worrying if whether your FW passed “leak tests” or not.
I'm NOT a computer expert, far from it, I'm just a newbie who have been using computers since the Windows 95 days. However, the PCs I've used since then haven't been infected by a virus, a trojan horse, an Internet worm or other malware ever.

If you have a good AV and a good AS why shouldn't they be able to handle any bad software that might have slipped through your firewall ? Then, either your FW is not protecting you or your AV/AS are outdated.

Thank you,

Carlos

Good points! I get the impression from some folk that software Firewalls are "old news" and "just basic protection." But in every endeavor I've undertaken in life from music to sports and so forth, it's the basics that the champions keep coming back to, keep improving upon.

It's hard to find a basic firewall anymore. They always come wrapped up with all this other security software which complicates the software and makes it bigger and hungrier for resources. And along with it, Inbound protection seems to never get mentioned or focused upon in the security stance of the company. This is disappointing to me.

This said, however, Outbound protection is important to me from both a privacy and security perspective. I want control over applications that phone home and connect willy nilly to the internet for who knows what reason. Also, there is legitimate security protection from knowing what is leaving your computer (e.g., spambots etc). The leaktest craze though does seem to me at times to be off in netherland (away from real world applicability).

[nmaynan]

Quote:

Originally Posted by dmenace

Inbound Protection by a software firewall is usually irrelevent as most routers have NAT and SPI.

The key word is usually (meaning if a NAT is in use). But there are plenty of folk who don't have a router or SPI. Also: what about people with laptops on public access networks?

Quote:

Originally Posted by dmenace

The only area that distinguishes various firewalls' inbound protection is ARP poisioning related attack protection. Such attacks are only a concern when your pc is connected to a large network.

There are things like deep packet inspection that protect at the application layer. This can greatly enhance protection from bad stuff getting in, especially if the user is not actively pursuing questionable material for download.

Quote:

Originally Posted by dmenace

Software Firewall's Inbound Protection is useless against allowed traffic - so if you allow firefox to receive packets on port 80, any traffic will pass straight through firewall. So if you download a virus in firefox, your firewall won't block that.

this is not completely true. For example, with deep packet inspection, only data that has been "requested" is allowed to pass. Yes, some malware could get through if the user is downloading at dangerous places. But assuming the malware comes from a trusted site, this is why anti-virus is considered the other half of Basic security setup.

[alex_s]

Quote:

Originally Posted by nmaynan

this is not completely true. For example, with deep packet inspection, only data that has been "requested" is allowed to pass. Yes, some malware could get through if the user is downloading at dangerous places. But assuming the malware comes from a trusted site, this is why anti-virus is considered the other half of Basic security setup.

And this is why the modern firewalls are supplied with the HIPS. It is not enough that malware just was downloaded and saved. It needs to run to do something, and this is where HIPS starts to act.

[Diver]

Some of us use portable computers on public wireless networks. In an airport there can be a lot of users on that wireless lan, and one of them might have a machine infected with a worm. That is why I use a software firewall.

As for leak testing, it has a very low return on investment and is a distraction from other security measures that are more effective, like LUA/SRP and DEP.

[Seer]

Quote:

Originally Posted by Zyrtec

What is a software firewall for ? I ask.

As I am behind a NAT (most of the time) a software firewall to me is SPI.

Quote:

Originally Posted by dmenace

Software Firewall's Inbound Protection is useless against allowed traffic

Yes it is, but it depends on what criteria a firewall allows traffic.

Quote:

Originally Posted by dmenace

so if you allow firefox to receive packets on port 80, any traffic will pass straight through firewall.

In case you allow traffic on port 80 in, you are running a web server. For browsing, you would need to allow FF to connect out on remote port 80, and the inbound is based on returned/request. It is the SPI that allows the inbound in this case, not you.

Quote:

Originally Posted by dmenace

Inbound Protection by a software firewall is usually irrelevent as most routers have NAT and SPI.

I find it very interesting how an SPI router is considered a holy grail for inbound protection. Isn't a hardware firewall just a software (firmware) installed in a router's chip? Um... that's the same as a sw FW on a PC, right? What are the qualities/level of SPI in a hw FW? Just a header inspection or it goes deeper that that? How deep? Why should I use a hw FW if a (certain) sw FW has better/deeper SPI?
I have seen many posts here suggesting to buy an "el cheapo" SPI router and forget about the inbound. Is this a sound advice? Don't think so... I personally prefer to disable firewall in my router and use a software firewall of my choice. But to each its own.

As for the "leakproof" abilities of firewalls I couldn't care less fir that. It is a job for a HIPS and I don't like suites.

Cheers,

Quote:

Originally Posted by Seer

I find it very interesting how an SPI router is considered a holy grail for inbound protection. Isn't a hardware firewall just a software (firmware) installed in a router's chip? Um... that's the same as a sw FW on a PC, right? What are the qualities/level of SPI in a hw FW? Just a header inspection or it goes deeper that that? How deep? Why should I use a hw FW if a (certain) sw FW has better/deeper SPI?
I have seen many posts here suggesting to buy an "el cheapo" SPI router and forget about the inbound. Is this a sound advice? Don't think so...

Well said

[ggf31416]

I think the inbound protection of most software firewalls is good enough. Where are the millons of computers infected by network worms (not by infected attachments, malicious websites, fake "codecs", etc) despite using a properly configured firewall? I bet they don't exist.

[dmenace]

Quite some strong arguments in response to my post! Basically I tried to make a very generic statement about a hardware NAT/SPI router being sufficient that obviously doesn't apply if a user is on a public wireless network etc.

The reason for this is that I am behind a router with NAT/SPI. I also have Outpost 2008 Pro installed on all my pcs. None of these pcs have ever, despite being connected to the internet for extended periods of time, detected any attacks originating from the internet.

Thus, in conclusion, my router does the job of blocking unsolicited network packets extremely well, making Outpost a little useless.

This is why recently there has been a boom in leaktesting and HIPS, as this is the main areas that a software firewall is still required for.

Your router won't stop this:

Code:

2008-03-14 17:35:27	reject	Block stats.microsoft: svchost	TCP/IP	outbound connect	C:\WINDOWS\system32\svchost.exe	0.0.0.0	207.46.211.250	1045	80	

But outpost or other application firewalls will. I know that there are many who will say: "who cares that my trusted programs connect out unsolicited!" I do care. And no, I do not use pirated Windows or any kind of pirated software, as I've been wrongly accused of before. I have automatic updates disabled, so I see no reason to allow svchost to "talk" to Microsoft unsolicited. Software firewalls are not useless against already established connections, either. that is what adequately incorporated SPI is for, to ensure the sequence of packets is originating from the intended source/destination.

[nomarjr3]

Generic Windows Process for Win32 (a.k.a. the "dreadful" svchost.exe) can easily be 'terminated' using Sygate Personal Firewall.

Just my 2 cents.

[jrmhng]

Quote:

Originally Posted by nmaynan

The key word is usually (meaning if a NAT is in use). But there are plenty of folk who don't have a router or SPI. Also: what about people with laptops on public access networks?

Quote:

Originally Posted by diver

Some of us use portable computers on public wireless networks. In an airport there can be a lot of users on that wireless lan, and one of them might have a machine infected with a worm. That is why I use a software firewall.

You have the windows firewall that gives you inbound protection. The only issue I can think of is an IGMP exploit early in the year which would have got you cuz by default the windows firewall doesn't drop IGMP.

Quote:

Originally Posted by nmaynan

There are things like deep packet inspection that protect at the application layer. This can greatly enhance protection from bad stuff getting in, especially if the user is not actively pursuing questionable material for download.

No consumer host firewall I know of has deep packet inspection. The closest we have is http and ftp scanning from our av.

Quote:

Originally Posted by Seer

What are the qualities/level of SPI in a hw FW? Just a header inspection or it goes deeper that that? How deep? Why should I use a hw FW if a (certain) sw FW has better/deeper SPI?

I don't think anyone really knows SPI on our home routers do. It is just marketing. Linksys has a few ADSL modems/wireless gateways. Same model, just one has 'SPI' and is $20 more expensive.

[Mrkvonic]

Hello,

Very simple:

Check if the packets are related to the ones sent before:
-m state --state ESTABLISHED,RELATED

What this does is: a firewall keeps track of open connections and checks if packets are part of any of those. If not, they will be discarded. Thus, even if you have a connection that is open between client and server, SYN packets injected into this connection will be dropped.

This costs more CPU cycles, so the price tags must go up...

Mrk

[Stem]

Quote:

Originally Posted by huangker

I don't think anyone really knows SPI on our home routers do.

From what I have seen, they perform simple IP/Port checks, as with most software firewalls I have taken time to look at,... actually quite sad.

[Stem]

Quote:

Originally Posted by Mrkvonic

Check if the packets are related to the ones sent before:

For that to be correctly checked for TCP, then there is a need for the checking of the TCP sequence number,..

[Mrkvonic]

Hello,
Stem, to the best of my knowledge, random sequencing and sequence checks are a part of ipv4 ... so any firewall that doesn't violete the Internet Protocol Suite should be doing that....
Mrk

[Dogbiscuit]

Quote:

Originally Posted by huangker

You have the windows firewall that gives you inbound protection. The only issue I can think of is an IGMP exploit early in the year which would have got you cuz by default the windows firewall doesn't drop IGMP.

Not sure what you mean by "would have got you" because there was no exploit AFAIK.

Maybe you mean a vulnerability (CVE-2007-0069) which was privately disclosed to Microsoft; it was patched before it was ever made public. Microsoft said there was no evidence of any public attacks, or even examples of proof of concept code.

[Pseudo]

Quote:

Originally Posted by Dogbiscuit

Not sure what you mean by "would have got you" because there was no exploit AFAIK.

Maybe you mean a vulnerability (CVE-2007-0069) which was privately disclosed to Microsoft; it was patched before it was ever made public. Microsoft said there was no evidence of any public attacks, or even examples of proof of concept code.

Vulnerabilities and exploits are essentially the same thing.

[jrmhng]

Quote:

Originally Posted by Dogbiscuit

Not sure what you mean by "would have got you" because there was no exploit AFAIK.

Maybe you mean a vulnerability (CVE-2007-0069) which was privately disclosed to Microsoft; it was patched before it was ever made public. Microsoft said there was no evidence of any public attacks, or even examples of proof of concept code.

This is the same point you made the last time that I mentioned this. So if you didn't get my response last time, let me clarify.

I am only using it as an example. The windows firewall did not drop IGMP packets and this vulnerability was triggered malformed IGMP packet. Another stateful firewall that drops all unsolicited packets not in it's state table would not have let this malformed packet through.

Now whether it was 'exploited' as a zero day or MS actually patched it before any 'exploit' code was written is another issue. The vulnerability was there and the windows firewall did nothing to stop it being exploited had the malformed packet been sent to you.

[Dogbiscuit]

Quote:

Originally Posted by huangker

This is the same point you made the last time that I mentioned this. So if you didn't get my response last time, let me clarify.

You must mean from this original statement:

Quote:

Originally Posted by huangker

A little while back there was an IGMP exploit for windows and because windows firewall didnt drop IGMP, it would have hit your computer if it wasn't behind your NAT.

This looked to me as if you had heard of some malware that took advantage of the flaw, and I was interested what that malware was, if true. We all can mistate things from time to time. That's why I asked.

[alex_s]

Quote:

Originally Posted by huangker

This is the same point you made the last time that I mentioned this. So if you didn't get my response last time, let me clarify.

I am only using it as an example. The windows firewall did not drop IGMP packets and this vulnerability was triggered malformed IGMP packet. Another stateful firewall that drops all unsolicited packets not in it's state table would not have let this malformed packet through.

Now whether it was 'exploited' as a zero day or MS actually patched it before any 'exploit' code was written is another issue. The vulnerability was there and the windows firewall did nothing to stop it being exploited had the malformed packet been sent to you.

Yes, there was such DoS exploit based on mistake in tcpip.sys driver. Still I hate the idea that every third-party firewall reproduced its own tcp/ip stack just to control either the packets are malformed or not. This is just silly and leads to the resources duplication. In the end such approach leads to the whole Windows duplication. BTW, probability of third-party firewall vendor making the same mistake implementing its own tcp/ip stack is just the same.

[jrmhng]

Quote:

Originally Posted by Dogbiscuit

You must mean from this original statement:
This looked to me as if you had heard of some malware that took advantage of the flaw, and I was interested what that malware was, if true. We all can mistate things from time to time. That's why I asked.

I meant posts 12-14 from this thread http://www.wilderssecurity.com/showthread.php?t=210340& where it is almost exactly the same exchange.

If there is a vulnerability, there will be an exploit for it. I've read that crackers are reverse engineering the MS patches and usually exploits appear 2 days after the original patch. Most of the time people use vulnerability and exploit interchangeably. But this is not the point I'm trying to make. When people ask about inbound I let them know that they can use the default windows firewall but there have been vulnerabilities it didn't block in the past.

[CoolWebSearch]

Quote:

Originally Posted by ggf31416

I think the inbound protection of most software firewalls is good enough. Where are the millons of computers infected by network worms (not by infected attachments, malicious websites, fake "codecs", etc) despite using a properly configured firewall? I bet they don't exist.

But there is a difference between leak-tests and real malware.
Check Norton Internet Security.
It's extremely poor on leak-testing, but it's excellent in blocking real malware from phoning home.

This is why I will always think leak-tests are completely useless.