Windows 7 FW for inbound/outbound control

Gullible Jones · Feb 2, 2013

Not sure how many people here have noticed, but Windows 7's built in firewall is extremely powerful. It supports inbound and outbound rules, rules for users and groups, even rules for program paths. It's kind of like a more featureful version of iptables.

The default rules seem to be fairly lax (lots of inbound stuff is allowed, outbound connections are allowed unless otherwise specified). All kinds of neat stuff is possible though; and the default outbound rules allow system services via svchost, so you don't have to worry about allowing Windows Update and friends.

e.g. my current setup allows Firefox FTP, HTTP, and HTTPS outbound, and Internet Explorer HTTP and HTTPS outbound. All inbound connections are blocked, and nothing else gets internet access (other than system services).

This sort of setup is probably quite dubious vs. a directed attack, but I think it should be pretty effective against common malware, especially when combined with browser based defenses like Noscript. I am open to further suggestions and criticism though.

alexandrud · Feb 2, 2013

Have you tried Windows Firewall Control ? It can make it even more powerful.

The Red Moon · Feb 2, 2013

I could not agree more.the windows firewall is a lot more powerful today than it used to be.
Being the slightly paranoid user that i am i do like to be notified of outbound connections and only 2 firewalls i have used have fitted the bill.Online armor and comodo.
If windows firewall control is light and has reasonable outbound control then i would consider having a look at it.

safeguy · Feb 2, 2013

Windows 7? Consider giving some credits to Vista too lol.

I'm pretty sure you know this already but still, if you don't mind, I would like to touch a bit on the often debated aspect of outbound control. It seems to me that most users are under the notion that a firewall with outbound control can/should stop malware attacks from calling home. I agree in that it might work for some malware out there currently. However, personally I wouldn't put a lot of faith on a firewall to control malware behavior once it executes. See here for what I mean...

At Least This Snake Oil Is Free

There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks. The one that seems to elude everyone that claims a piece of software can stop arbitrary other pieces of softare from making outbound connections is that all software running within the same user context can control any other software within the same user context. Put more simply, if you permit any application to communicate out, over any port, then any other piece of software you execute as the same user can communicate out over that same port.

Let's say you run application A, a web browser. The browser runs as you, user Bob, who is a standard user. The browser tries to connect to some server, and the outbound host-based firewall detects that and asks if you wish to permit it. If the administrator has enabled it, you can permit that yourself, otherwise you may need an administrative account to do it. For the sake of argument, let's say you can enable it yourself. More than likely, you would enable it to connect to all web servers, since a web browser is far more useful that way.

Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it. The application gathers up all your stored passwords, your Microsoft Money file, all your recent e-mail messages, and any documents you have access to. It then needs to send this stuff to the criminals, but, the outbound host-based firewall would stop it, right? No. The malicious application could do a couple of things. First, if you have the ability to open outbound ports the application, running as you, could just open the ports it needs, transfer the data, and close them again.

Let's say, however, that you would have to ask your administrator to open ports (notwithstanding the fact that no administrator, and no user, would ever put up with that in the long run). That would stop the malicious application, right? No. That won't work either. The application would simply look for some other application that can communicate outbound. It would find that the web browser can do so. Cool. The malicious application would launch the web browser, which opens the hole in the firewall, attach to it using standard debugging techniques, and then ask the web browser to take the neatly packaged information it stole and send it to whereever it wants. This would be done by simply injecting code into the running web browser. The web browser, essentially unaware that this was even happening, would go ahead and do it. The host-based outbound firewall would only know that the web browser sent some data out, which it is permitted to do, and would not take any action to stop it.

Since there is no application isolation between applications running within the same user context there is no real way to prevent this from happening.
Click to expand...

A few more links:
Deconstructing Common Security Myths
Windows Firewall: the best new security feature in Vista?

The behavior indicated in the quoted words above can be seen if you try leak tests for example. WF (on it's own) fails. I would say preventative measures deserve more attention here.

Some argue that some 3rd-party firewalls are better in this regard as it tries to fill in this "niche" area by bundling with HIPS that plays the role of providing further self-protection...e.g. preventing 1 program from accessing/modifying another program's behavior. Of course, even this has it's limitations (more so with KPP) and effectiveness is argued upon ("It's too late" vs "Better than nothing").

If anything, I see outbound control as adding on to the concept of least privilege. As Marcus Ranum puts it, it's a risk reduction system, it is not a risk mitigation system.

Gullible Jones · Feb 2, 2013

Thanks safeguy. I figured UAC integrity levels might add the necessary MAC dimension; I suppose not?

safeguy · Feb 2, 2013

I was speaking from the viewpoint that once you execute a program such an installer (with admin rights), you can't depend on WF to control it's outbound attempts. Legit programs will usually respect the rules but you can't say the same for malware. Firewalls with HIPS have a better chance here but it's still a gamble...

As for ILs, they are more useful for preventing lower IL processes from accessing higher IL processes. IE runs as a Low IL process and Firefox runs under Medium IL (or you can configure it to run under Low IL). Most programs don't run under Low IL but even if you manage to, the processes can interact with these 2 browsers afaik.

E.g Integrity Levels and DLL Injection

moonblood may be a better resource for info on ILs. UIPI also doesn't seem to help here.

Not to forget, exploits can run in RAM solely (as HungryMan often points out) and if this occurs within the context of the browser itself....it basically has all the outbound access it needs since the the browsers are allowed ports 80 and 443.

That said, NoScript is a nice addition to Firefox.

Cutting_Edgetech · Feb 2, 2013

Beethoven1770 said:

I could not agree more.the windows firewall is a lot more powerful today than it used to be.
Being the slightly paranoid user that i am i do like to be notified of outbound connections and only 2 firewalls i have used have fitted the bill.Online armor and comodo.
If windows firewall control is light and has reasonable outbound control then i would consider having a look at it.
Click to expand...

Maybe you should use Online Armor, and Kaspersky AV then instead of Kaspersky Security Suite. They should work well together.

wat0114 · Feb 2, 2013

safeguy said:

I was speaking from the viewpoint that once you execute a program such an installer (with admin rights), you can't depend on WF to control it's outbound attempts.
Click to expand...

I don't see the problem here as long as safe, legitimate programs are installed.

It's just like the mostly hypothetical nonsense the "snake oil" author talks about...

Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it.
Click to expand...

...that's clearly the fault of the end user.

No one should allow articles like that to discourage them from using a firewall for outbound control. There may be other more legitimate reasons for not using one, but certainly not scaremongering articles like that one.

safeguy · Feb 3, 2013

@wat0114

I agree with you on installing legit programs.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Click to expand...

Now back onto topic. It's not scaremongering. The author is Jesper Johansson, a "Senior Security Strategist in the Security Technology Unit at Microsoft". Basically, the "snake oil" he's referring to is the exaggerated claims of outbound host-based firewall controls...

bogus claims of value, including "All in all, VistaFirewallControl is a great way to make sure your PC isn't making unwanted outbound connections."
Click to expand...

The words "snake oil" are used because the claims are misleading to end users.

Anyway, the article highlights misconceptions. Some users have the assumption that they can execute a file (with admin rights) hoping that their firewall would kick in, without considering of the possibility that the said program/process may tamper, disable or work around the firewall. This is the crux of the articles.

Maybe this other piece he wrote (which I've linked above) gives a better picture?
Windows Firewall: the best new security feature in Vista?

As long as the account the code is running as can open outbound connections on any port the evil code can simply use that port. Aah, but outbound firewalls can limit outbound traffic on a particular port to specific process. Not a problem, we just piggy back on an existing process that is allowed. Only if the recipient of the traffic filters based on both source and destination port, and extremely few services do that, is this technique for bypassing the firewall meaningful.

The key problem is that most people think outbound host-based firewall filtering will keep a compromised asset from attacking other assets. This is impossible. Putting protective measures on a compromised asset and asking it not to compromise any other assets simply does not work. Protection belongs on the asset you are trying to protect, not the one you are trying to protect against! Asking the bad guys not to steal stuff after they have already broken into your house is unlikely to be nearly as effective as keeping them from breaking into the house in the first place.
Click to expand...

To be fair, he also mentioned that there's value in outbound control...

Does that mean that all outbound host-based firewall filtering is meaningless? No, it does not. Host-based outbound filters can make it more difficult to communicate out for applications which cannot (easily) get other applications to do their evil bidding for them. Windows Vista already does that by default with services. It can also be used to prevent accidental disclosure. For example, you can block outbound SMB connections on public networks. SMB, or Windows file sharing, should not be used outside a confined network environment anyway. Blocking it on public networks can prevent a user from accidentally connecting to a file server on the Internet and performing a challenge-response authentication, thereby volunteering an authentication sequence that can be cracked.
Click to expand...

wat0114 · Feb 3, 2013

Okay, using the term "scaremongering" is a bit over the top, although no where near as embellished as the author's "snake oil" claim, and what he writes about and what is reality are mostly two different things. Most malicious payloads will attempt outbound comms on their own rather than through the hijacking of another legitimate process. Agreed, what he hypothesises could happen, but the way he presents his claims will discourage most who don't know any better from utilizing outbound firewall control in their security setup.

If one were to really research further, they will find that many - not all -but many malicious processes not only connect out on their own, but to non-standard remote ports, especially 8080. If a default-deny approach is used for configuring a firewall, ports such as the latter mentioned are not included, so even if a payload managed to hijack a whitelisted process and tried to connect to an excluded remote port, it would fail.

safeguy · Feb 3, 2013

Trust me...he's not discouraging outbound control. Instead, he's trying to convince readers to reconsider the real value of an outbound firewall (which have been mentioned in my previous post...last quote)

The aim is not to get trapped in the mindset of relying on outbound firewall to prevent unwanted outbound connections. I'm pretty sure you've seen this line of thoughts:

"yeah man, my firewall will block any keyloggers from calling home, so I'm safe".

No one's arguing against the fact that most malware are designed to "take the easy way" these days. We're on the same page there.

However, where we disagree is that it's akin to depending on SRP in WinXP (user-mode, remember?). Sure, in practice, it might work (and is great considering it's free) BUT if we're speaking on actual security terms, it's a joke as it's trivial to bypass and poses little to no hurdles to the attacker. I'm taking about "security by design" vs "security by diversity". Yeah, both gives security but there's differences.

True, it stops some malware, today, but only because current malware has not been written to circumvent it. There simply are not enough environments that implement outbound rules for the mass market malware authors to need to worry about it. In an interactive attack the attacker can circumvent outbound filters at will.
Click to expand...

wat0114 · Feb 3, 2013

I've got no problems using SRP in XP Pro, although I don't rely upon it as the only component in a sound security setup (and a malicious macro could bypass it at user level, but I'm not about to open an office email attachment with macros enabled anyway) just as I don't rely on the firewall as the only component, but I feel they both offer considerable value, in different ways of course, in a sound security approach.

Either one might get bypassed, but I still like my chances

Log in or Sign up

Windows 7 FW for inbound/outbound control

Gullible Jones Guest

alexandrud Developer

The Red Moon Registered Member

safeguy Registered Member

Gullible Jones Guest

safeguy Registered Member

Cutting_Edgetech Registered Member

wat0114 Registered Member

safeguy Registered Member

wat0114 Registered Member

safeguy Registered Member

wat0114 Registered Member

Log in or Sign up

Windows 7 FW for inbound/outbound control

Gullible Jones Guest

alexandrud Developer

The Red Moon Registered Member

safeguy Registered Member

Gullible Jones Guest

safeguy Registered Member

Cutting_Edgetech Registered Member

wat0114 Registered Member

safeguy Registered Member

wat0114 Registered Member

safeguy Registered Member

wat0114 Registered Member

Useful Searches