Outbound control in software firewalls

Discussion in 'other firewalls' started by Kerodo, Aug 20, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    A guy in the comp.security.firewalls newsgroup wrote this today. What do you guys think of this and his comments:

    "Unfortunately, it's not possible to control outbound traffic reliably,
    because of tunneling.

    A simple test proves this: http://www.dingens.org/breakout.c
    Just start an Internet Explorer and test it for yourself, with your
    "Personal Firewall" activated.

    In our tests every one of the tested "Personal Firewalls" failed to detect
    even such simple tunneling methods. Alexander Bernauer then wrote a
    simple remote shell with this POC, the wwwsh. And no "Personal Firewall"
    was able to detain this remote control software, as expected (you can
    download the code here: http://copton.net/vortraege/pfw/wwwsh.tar.bz2).

    Even if the "Personal Firewall" providers extend their efforts
    and try to prevent this in future releases, there are so many
    possibilities to tunnel that this attempt cannot succeed.

    So it's true, unfortunately, that the only type of application the
    "Personal Firewalls" are able to stop from communicating is the program
    which allows itself to be controlled.

    Yes, some of the more harmless malware is like this, but I doubt that this is
    what you intend to stop from communicating.

    The only way to avoid unwanted software on your PC is to not install
    and execute it. If it's running, it's mostly too late.

    Yours,
    VB."
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, tunneling has been around for a long time. DNS tunneling can be prevented with firewall rules, as has been discussed in the Kerio forums, but this must be different, using the browser. Would be interesting to run this test - has anyone looked at it to identify the script and how to run it?

    But for the real world exploit:

    Now there is a novel idea!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. brjoon1021

    brjoon1021 Registered Member

    Joined:
    Aug 10, 2005
    Posts:
    143
    I hope some of the guys in the know weigh in on this. I am fairly new to security considerations and do not know what to think. I do know that firewalls have given me BSODs and other headaches (even the good ones), so if they really do not do much I will stay behind my router and the XP SP2 firewall for redundancy and call it a day with the inbound attacks covered.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I myself am on the fence regarding outbound control these days. Having recently bought a router, I no longer need the inbound protection, since the router is doing that job. I guess I feel that I don't need outbound coverage about 80% of the time, but then sometimes I think perhaps I should have some anyway. So I'm still undecided, currently running just the router with Avast. But if the outbound protection of a software firewall can be so easily circumvented, then why bother with it at all?

    I also asked if this exploit works with any browser or just IE, and got this response from him:

    "http://www.dingens.org/breakout-mozilla-firefox.c

    This works with any browser."
     
  5. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Well, I don't think every single trojan or malware is using this method, so it's not completely useless. In addition, on one of my computers I installed ZA, and even though it's connected to a router, ZA still reports some blocked intrusions.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The extra inbound protection may be useful:

    Unsolicited UDP gets by NAT?
    http://www.dslreports.com/forum/remark,13468899


    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Thanks for the links..

    There are some who think outbound control is a waste of time. I think there are some good uses for it, on my part I like it for controlling known apps a little, like Windows Media Player and such. I also like to limit Outlook to my ISPs servers and ports, you can also force browsers to use proxies and so on. Kerio 2 is probably my favorite for those purposes.

    But when it comes to malware, I'm not so sure that any firewall will be totally effective, as the above statements imply. I do not worry much about that myself, but I know that many do.
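Kerodo's per-application rules (mail client pinned to the ISP's servers, browsers forced through a proxy) and Rmus's earlier remark about blocking DNS tunneling with rules are sketched here as a small first-match egress evaluator; this is an added illustration, not code from the thread or from Kerio, and the process names, addresses, ports and first-match semantics are assumed sample values. It also makes the thread's point visible: the decision is taken on the process identity, so a connection the browser itself opens is allowed no matter what drove the browser.

```python
# Added example: a first-match egress rule evaluator in the style of a
# 2005-era personal firewall ruleset. All names, addresses and ports below
# are constructed sample values, not taken from any real product or network.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    app: Optional[str] = None        # process image name, None = any process
    proto: Optional[str] = None      # "tcp" or "udp", None = any protocol
    remote: Optional[str] = None     # remote CIDR, None = any address
    ports: Optional[range] = None    # remote port range, None = any port

    def matches(self, app: str, proto: str, addr: str, port: int) -> bool:
        if self.app is not None and self.app.lower() != app.lower():
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.remote is not None and ip_address(addr) not in ip_network(self.remote):
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


# Ordered ruleset, assumed first-match with a final default deny:
# mail client only to the ISP's mail servers on SMTP/POP3, browser only to
# the local proxy, DNS only to the configured resolver, everything else dropped.
RULES = [
    Rule("allow", app="outlook.exe", proto="tcp", remote="198.51.100.0/24", ports=range(25, 26)),
    Rule("allow", app="outlook.exe", proto="tcp", remote="198.51.100.0/24", ports=range(110, 111)),
    Rule("allow", app="firefox.exe", proto="tcp", remote="192.0.2.10/32", ports=range(3128, 3129)),
    Rule("allow", proto="udp", remote="192.0.2.53/32", ports=range(53, 54)),
    Rule("deny"),
]


def decide(app: str, proto: str, addr: str, port: int, rules=RULES) -> str:
    """Return the action of the first rule matching this outbound connection."""
    for rule in rules:
        if rule.matches(app, proto, addr, port):
            return rule.action
    return "deny"  # reached only if the ruleset has no catch-all


if __name__ == "__main__":
    # The browser reaching its proxy is allowed; the evaluator cannot tell
    # whether a user or injected keystrokes asked the browser to do it.
    print(decide("firefox.exe", "tcp", "192.0.2.10", 3128))
```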
     
  8. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    I use Firefox, and clicking those links simply caused a window to appear asking if I wanted to either download it or open it.
    Whatever I picked failed to cause the code to execute on my machine.

    Tunneling is not new in regards to firewalls, and indeed MS IPv6 uses IP tunneling, and a router on a default setup won't make a massive difference either, since they normally allow all outbound connections by default.

    If you're really serious about the issue, you need another box acting as a firewall as well, probably Linux. The Linux box will lock down the ports, so even if your machine became infected it wouldn't get past the Linux box. However, even that is not foolproof.

    I've come to the conclusion that there is only so much you can do, and only so far you can go. So where do you stop? The only really safe computer is probably one not connected to the net.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    That's just the c source for one of the tunnelling examples. You're supposed to download it and compile and run it, for those interested and able to do so...

    I think you are probably right on that one. There is no such thing as a truly secure machine for some. So, like you say, to what extent should we go with all this stuff?
     
  10. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    If I'm not mistaken, all this hardcoded code does is look for characteristic Window string names (MozillaWindowClass or IEFrame) in an already open browser and mimic keystrokes to paste a URL and press return.

    Who cares?
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I guess the point is, what can a "personal firewall" do about it? Nothing...
     
  12. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    But this is where behaviour monitoring and programs like Process Guard take over; they hopefully prevent the code from running in the first place.

    Personal firewalls are the start, but you certainly need other software around it to support it.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    For some people, I would agree, they probably need more. I guess I pretty much subscribe to the view that care and some intelligence is the most important thing and all you really need.. ;)
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Ditto.
     
  15. ct3n

    ct3n Guest

    Well, I don't really worry about it, but as you said, it isn't really that hard for malware to bypass the outbound protection of even the best firewalls, but very few bother to do so.
     
  16. Arup

    Arup Guest

    Another important line of defence is to install NetMeter or DU Meter and then monitor for any suspicious net activity, especially when you know that there should not be any, and also TCPView to monitor the ports.
     
  17. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    arup,

    you have a valid point, but like I've already said, where do you stop, where do you draw the line? There comes a point when you've spent so much time with security setups, monitoring etc. that you lose sight of the enjoyment of being connected to the net in the first place.

    You can't have a totally secure setup, save not connecting to the net, and I'm inclined to agree with Kerodo that "care and some intelligence is the most important thing", but I don't believe it's all you need.
     
  18. jcc1234

    jcc1234 Guest

    Most MS Windows firewall vendors have started to implement some sort of "process guard" feature to block malicious tunneling. Their implementations are not perfect yet, but it's a good start. A good reference is from Outpost, http://www.agnitum.com/download/OFPvsLeakTests.pdf.

    Kind of disappointed that Linux desktop firewalls are still lagging way behind in the "application and process guard" feature. The Linux firewalls are still basically "network packet filters".

    Best Regards
     
  19. Arup

    Arup Guest

    Fully agree; I would never trade speed for security, which is one of the reasons I am just running CHX with AntiHook and leave everything else to Avast.
     
  20. mem1

    mem1 Guest
