Outbound control in software firewalls

A guy in the comp.security.firewalls newsgroup wrote this today. What do you guys think of this and his comments:

"Unfortunately, it's not possible to control outbound traffic reliable,
because of tunneling.

A simple test proofes this: http://www.dingens.org/breakout.c
Just start an Internet Explorer, and test it for your own, your
"Personal Firewall" activated.

In our tests every of the tested "Personal Firewalls" failed to detect
even such simple tunneling methods. Alexander Bernauer then wrote a
simple remote shell with this POC, the wwwsh. And no "Personal Firewall"
was able to detain this remote control software, as expected (you can
download the code here: http://copton.net/vortraege/pfw/wwwsh.tar.bz2).

Even, if the "Personal Firewall" providers will extend their efforts,
and will try to prevent this in future releases, there are so many
possibilities to tunnel, that this attempt cannot not succeed.

So it's true unfortunately, that the only type of application the
"Personal Firewalls" are able to stop communicating, are the programs,
which admit to be controlled.

Yes, some more harmless malware is like this, but I doubt, that this is
what you intend to stop communicating.

The only way to avoid unwanted software on your PC is not installing
and executing it. If it's running, mostly it's too late.

Yours,
VB."

 

Well, tunneling has been around for a long time. DNS tunneling can be prevented with firewall rules, as has been discussed in the Kerio forums, but this must be different, using the browser. Would be interesting to run this test - has anyone looked at it to identify the script and how to run it?

But for the real world exploit:

Now there is a novel idea!

-rich
________________
~~Be ALERT!!! ~~

 

I hope some of the guys in the know weigh in on this. I am fairly new to security considerations and do not know what to think. I do know that firewalls have given me BSOD and other headaches (even the good ones) so if they really do not do much I will stay behind my router, the XP sp2 firewall for redundancy and call it a day with the inbound attacks covered.

 

I myself am on the fence regarding outbound control these days, having recently bought a router, I no longer need the inbound protection due to the router doing that job. I guess I feel that I don't need outbound coverage about 80% of the time, but then sometimes I think perhaps I should have some anyway. So I'm still undecided, currently running just the router with Avast. But if the outbound protection of a software firewall can be so easily circumvented, then why bother with it at all?

I also asked if this exploit works with any browser or just IE, and got this response from him:

"http://www.dingens.org/breakout-mozilla-firefox.c

This works with any browser."

 

well i dont think every single trojan or malware is using this method so its not completely useless. in addition, on one of my computer i installed ZA and even tho its connected to a router, ZA still reports some blocked intrusions.

 

The extra inbound protection may be useful:

Unsolicited UDP gets by NAT?
http://www.dslreports.com/forum/remark,13468899


-rich
________________
~~Be ALERT!!! ~~

 

Thanks for the links..

There are some who think outbound control is a waste of time. I think there are some good uses for it, on my part I like it for controlling known apps a little, like Windows Media Player and such. I also like to limit Outlook to my ISPs servers and ports, you can also force browsers to use proxies and so on. Kerio 2 is probably my favorite for those purposes.

But when it comes to malware, I'm not so sure that any firewall will be totally effective, as the above statements imply. I do not worry much about that myself, but I know that many do.

 

I use Firefox, and clicking those links simply caused a windows to appear asking if I wanted to either download it, or open it.
Whatever I picked, failed to cause the code to execute on my machine.

Tunneling is not new in regards to firewalls, and indeed MS IPV6 uses IP tunneling, and a router on a default setup won't make a massive difference either, since they normally allow all outbound connections by default.

If your really serious about the issue, you need to another box acting as a firewall as well, probably linux. The linux box will lock down the ports, so even if your machine became infected it wouldn't get past the linux box. However even that is not full proof.

I've come to the conclusion, there is only so much you can do, and how far you can go. So where do you stop? the only really safe computer is probably one not connected to the net

 

That's just the c source for one of the tunnelling examples. You're supposed to download it and compile and run it, for those interested and able to do so...

I think you are probably right on that one. There is no such thing as a truly secure machine for some. So, like you say, to what extent should we go with all this stuff?

 

If I'm not mistaken, all this hardcoded code does is look for characteristic Window string names (MozillaWindowClass or IEFrame) in an already open browser and mimic keystrokes to paste a URL and press return.

Who cares?

 

I guess the point is, what can a "personal firewall" do about it? Nothing...

 

But this is where behaviour monitoring and programs likes process guard take over, the prevent the code from hopefully running in the first place.

Personal firewalls are the start, but you certainly need other software around it to support it.

 

For some people, I would agree, they probably need more. I guess I pretty much subscribe to the view that care and some intelligence is the most important thing and all you really need..

 

Ditto.

 

Well I don't really worry about it, but as you said, it isn't really that hard for malware to bypass outbound protection of even the best firewalls, but very few borther to do so.

 

Another important line of defence is to install NetMeter or DU meter and then monitor for any suspicious net activity specially when you know that there should not be any, also TCP View to monitor the ports.

 

arup,

you have a valid point, but like I've already said, where do you stop, where do you draw the line. There comes a point when you spent so much time with security setups, monitoring etc, that you lose sight and enjoyment of being connected to the net in the first place.

You can't have a totally secure setup, save not connecting to the net, and I'm inclinded to agree with Kerodo that "that care and some intelligence is the most important thing" but I don't believe it's all you need.

 

Most MS Windows firewall vendors have started to implement some sort of "process guard" features to block malicious tunneling. Their implementations are not perfect yet, but its a good start. A good reference is from Outpost, http://www.agnitum.com/download/OFPvsLeakTests.pdf.

Kind of disappointed that Linux desktop firewalls are still lacking way behind in "Application and process guards" feature. The linux firewalls are still basically "network packet filters".

Best Regards

 

Fully agree, would never trade speed for security, one of the reasons I am just running CHX with Antihook and leave everything else to Avast.

 

This reminds me of the AOL Client action on a network and allows a similar problem - been around since 2001 or so. The VPN nature of the AOL client setup establishes a public IP, effectively bypassing your network firewall:
http://www.mynetwatchman.com/kb/security/Articles/AolVPN/index.htm