What does a leak proof firewall get you?

A lot of attention is given to firewall leak testing today. Scott Finney, a well known blogger says it is the holy grail of software firewall performance. I suppose it is the main reason to run a software firewall because a cheap router gives excellent inbound protection.

Correct me if I am wrong, but a leak test attempts to use an application previously approved for outbound internet communications, usually IE or the default browser, to accomplish communication for an unauthorized application. So if your firewall is leak proof it provides an extra measure of defense against malware that is not detected initially by your AV, and perhaps not detected later because it is cloaked by a root kit.

My question is, once the leak is accomplished, how much damage is actually or potentially done?

Some explanation is needed. Some malware is of low impact. All it does is report on your surfing behavior or serve up targeted advertising. Other malware is really nasty. The nasty stuff steals banking passwords, sends out spam, participates in DDOS attacks or does other unspecified bad things. [If you can link to articles discussing the other category I would be interested.]

My belief, and prove me wrong please if you can, is the nasty stuff relies on specialized communications protocols or IRC and would be unable to utilize a browser to communicate. For example, the Storm worm uses an encrypted Edonkey/Overnet protocol. Furthermore, I suspect that the nasty stuff does not bother with the sort of stuff leak tests do. Instead they would use a communications driver to bypass the firewall, or disable it in some other way. After all, the really nasty stuff is not getting found by your AV because it patched the kernel, and if it can do that as a cloak, it can do other things to your TCP/IP stack.

Its a lot of trouble to leak proof a computer, what with pop ups all the time. Are we simply chasing a phantom? I all we are accomplishing is a warning on low impact malware?

I asked about this several years ago. The answer back then was the leak techniques had been used, but only in a few examples of malware that were targeted at specific organizations.

 

The impression I get is that this whole leakproof thing was started primarily by Steve Gibson a long time ago

Then Matousec joined in and voila, a whole new paranoia developed,the credibility of which was never really seriously questioned.

 

As to the value of leak-tests, a marketing-consultant would love to have "bragging-rights" and those who held it, used it! To the end-user I think it just instills confidence in the firewall, in the company's attention to detail.

 

The cheap router firewall you mention gets my vote. add in a dash of firefox.
have your mail delivered by a company that removes spam and nasties and don't take candy from strangers. I can run tests that say I fail leak tests but if nothing bad gets in to leak then what the heck.

 

I have never worried or paid any mind to leak tests whatsoever.... I keep my machine clean and that's it. To my mind, software firewalls started downhill when they all began adding features to block leak tests...

 

I do believe this is why it's good to have a firewall like Webroot now provides. With the Dynamic Security Agent enabled, ( along with an AV and firefox) I have no worries of anything getting in. It does however do quite good in the leak test area though.

 

The FW I use does well in the leak-tests also, but is there any benefit to the end-user

 

Hello 19monty64. I guess leak tests would be important since there is an off chance of malware infecting a PC because someone has unsafe surfing habits. However with a Router Firewall, AV, a HIPS and Firefox. I'm still not sure how this could possibly happen?

 

One can perform their own leak-tests to compare with Matousec's testing, but one can also test the vulnerabilities of their browser at http://bcheck.scanit.be/bcheck/ before feeling secure in their browser choice...

 

Wouldn't using a leak proof firewall while in a limited account improve the protection it provides greatly? Malware couldn't do much to alter the TCP/IP stack and bypass it from within an LUA, for example.

If you can't use a HIPs, a firewall might be a little easier to use as an extra layer of security, if you don't surf safely.

 

Here is a possibility??:

Malware in the form of a trojan disguised as a funny video does get in as an email attachment circulated from a trusted co-worker, bypassing the antivirus because it is a zero day threat that even the heuristics misses, the tired and irritated recipient who's had a bad day at work opens it, and it launches and steals personal information from the "My documents" folder and tries to send it out on the Internet to a remote bad guy's server by hijacking svchost. The leakproof firewall catches and alerts on this attempt, user hits "Block" and private info stays put. No devastating theft of personal data occurs.

 

Here is a list of malware that utilises leaktest techniques:

Here: http://www.personalfirewall.comodo.com/leaktest.html
or here: http://www.personalfirewall.comodo.com/Comodo_Firewall_2.3_vs_The_Leaktests.pdf

By the way, Webroot is based on Private Firewall 6 and thus offers better leaktest performance than the Private Firewall 5 tested on matousec. It passes the coat leaktest now.

Edit spelling and added matousec

 

I agree with Dogbiscuit,

A firewall is like a HIPS with less pop-ups.

These days most malware - worms, trojans etc will try to connect over / utilise the internet. Thus a firewall is in a sense a very primitive but effective way of detecting Zero-Day threats.

Firewalls also supplement your AV - if your AV doesnt detect a new spyware / adware program your firewall leak test functionality definetly will. This is because Adware and Spyware must connect to the internet to work!

 

dmenace,

Now we are getting somewhere. Actual hard data. What I did notice was 4 categories of tests had example trojans and 5 did not. Its a mixed bag. I am a bit more convinced its not a complete waste of time. At least one of the four with examples, substitution, is relatively painless to implement and maintaining a CRC database dates back to such classics as Kerio 2.15. As the scenarios get more complex, so do the measures to detect them. This makes me wonder if there is a cost to benefit mis match in the less leaky firewalls in terms of required user interaction.

I am not so certain about the HIPS analogy. HIPS should prevent infection. Triggering a firewall on outbound is post infection, and that is not as good. A firewall can have less noise because the focus is narrowed to communications. Some firewalls have HIPS features which might prevent infection. Actually, the same could be said of Vista's UAC. One of the leak testers found UAC prevented one third of his tests from either installing or functioning when no outbound filtering was enabled in the Vista firewall.

Anyone else have some facts?

 

I remember Rmus doing a test of Storm vs Kerio 2. Kerio 2 alerted of an outbound attempt of explorer.exe.

 

I understand the view that prvention is more important than plugging leaks.
But if my firewall and or av somehow fail me then what?
I don't know too much about security, but it seems to me that if there is a holy grail it would be a layered approach and common sense.
I'd rather have a strong leakproof firewall with HIPS than to take a chance on an inbound firewall failing.
Too, is there a group that tests the firewalls in routers?

I just took the browser security test mentioned in this thread.
Firefox passed. And OA2 free alerted a number of times during the test.
Thanks for a good thread.

 

Stem, our resident firewall-expert, has been questioning the router's ability as of late. The only test I know of is shields up https://www.grc.com/x/ne.dll?bh0bkyd2 which helped me stealth a router that was supposed to already do this. That convinced me to question the ability of the router and install a FW/HIPS.
Security-Free...
Peace of mind-Priceless!

 

Aren't stealthing and leak proofing two completely different things. According to tests I am stealthed or my hardware firewall is stealth but it leaks as I have no outbound protection.

 

Exactly. Stealth/inbound & Leak/outbound. Routers monitor inbound only.

 

Thanks for the confirmation. I don't worry about outbound protection - just focus on inbound.

 

"...leak proof firewall"??

At least i know.... it ain't made of fishnets, or porous material huh!

 

I like to have confidence that my Firewall has outbound protection (which is what leaktests detect) to protect me from malware... (downloaders, backdoors, spyware and keyloggers)... Just incase something gets through me, my AV and Behavior-Blocker.

 

More interesting stuff.

Further to my last post ackowledging that on the Comodo site the examples of four of nine categories of malware that use outbound monitoring firewall bypass techniques. I wonder why there are not more examples. After all, there are hundreds of thousands of different malware signatures in AV's. Is this simply a rarely used technique, and were these particular malware samples widespread or uncommon?

Kerio 2.15 catches Storm. That's nice. Kerio 2.15 probably was designed before Steve Gibson ever started this whole business. I guess this means that a bidirectional firewall is useful, but chasing after the latest and most exotic leak test performance is not.

It would be nice to know which of the many tests are the most important and what if any bypass techniques were used by Storm. Do we have to chase after those few items at the top of Matousec's list, or are those in the middle going to be just as good in reality?

 

Easy to answer. OA just "won" the leak-test race, but if you read the OA forum, you find out that it's a buggy firewall!

That's what a leak proof firewall gives you.

So stop buying bloated firewalls, and stop posting about the "importance" of leak tests.

If you want a HIPS then get a HIPS. There are useful forums for this too.

If we all started acting sensibly, then we would have better firewalls and better HIPS.

Too boring?