What does a leak proof firewall get you?

Discussion in 'other firewalls' started by Diver, Nov 4, 2007.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    A lot of attention is given to firewall leak testing today. Scott Finney, a well known blogger, says it is the holy grail of software firewall performance. I suppose it is the main reason to run a software firewall, because a cheap router gives excellent inbound protection.

    Correct me if I am wrong, but a leak test attempts to use an application previously approved for outbound internet communications, usually IE or the default browser, to accomplish communication for an unauthorized application. So if your firewall is leak proof it provides an extra measure of defense against malware that is not detected initially by your AV, and perhaps not detected later because it is cloaked by a root kit.

    My question is, once the leak is accomplished, how much damage is actually or potentially done?

    Some explanation is needed. Some malware is of low impact. All it does is report on your surfing behavior or serve up targeted advertising. Other malware is really nasty. The nasty stuff steals banking passwords, sends out spam, participates in DDOS attacks or does other unspecified bad things. [If you can link to articles discussing the other category I would be interested.]

    My belief, and prove me wrong please if you can, is the nasty stuff relies on specialized communications protocols or IRC and would be unable to utilize a browser to communicate. For example, the Storm worm uses an encrypted Edonkey/Overnet protocol. Furthermore, I suspect that the nasty stuff does not bother with the sort of stuff leak tests do. Instead they would use a communications driver to bypass the firewall, or disable it in some other way. After all, the really nasty stuff is not getting found by your AV because it patched the kernel, and if it can do that as a cloak, it can do other things to your TCP/IP stack.

    It's a lot of trouble to leak proof a computer, what with pop ups all the time. Are we simply chasing a phantom? Is all we are accomplishing a warning on low impact malware?

    I asked about this several years ago. The answer back then was the leak techniques had been used, but only in a few examples of malware that were targeted at specific organizations.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Diver

    I also ask the same question. I am not enamored of nor swayed by "leaktests". My question is, if nothing can get on your system to "leak", then does it matter? I take other steps.

    To me the leaktests are like a donkey chasing its tail. Someone comes up with a theoretical leak, and the firewall folks rush to plug it. Then someone comes up with another and so on and so on.

    That's my take.

    Pete
     
  3. Hairy Coo

    Hairy Coo Registered Member

    Joined:
    Oct 19, 2007
    Posts:
    1,486
    Location:
    Northern Beaches
    The impression I get is that this whole leakproof thing was started primarily by Steve Gibson a long time ago.

    Then Matousec joined in and voila, a whole new paranoia developed, the credibility of which was never really seriously questioned.
     
  4. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    As to the value of leak-tests, a marketing-consultant would love to have "bragging-rights" and those who held it, used it! To the end-user I think it just instills confidence in the firewall, in the company's attention to detail.
     
  5. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    The cheap router firewall you mention gets my vote. Add in a dash of Firefox,
    have your mail delivered by a company that removes spam and nasties, and don't take candy from strangers. I can run tests that say I fail leak tests, but if nothing bad gets in to leak then what the heck.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    I have never worried or paid any mind to leak tests whatsoever.... I keep my machine clean and that's it. To my mind, software firewalls started downhill when they all began adding features to block leak tests...
     
  7. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    I do believe this is why it's good to have a firewall like Webroot now provides. With the Dynamic Security Agent enabled, ( along with an AV and firefox) I have no worries of anything getting in. It does however do quite good in the leak test area though.
     
  8. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    The FW I use does well in the leak-tests also, but is there any benefit to the end-user? o_O
     
  9. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Hello 19monty64. I guess leak tests would be important since there is an off chance of malware infecting a PC because someone has unsafe surfing habits. However, with a Router Firewall, AV, a HIPS and Firefox, I'm still not sure how this could possibly happen.
     
  10. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    One can perform their own leak-tests to compare with Matousec's testing, but one can also test the vulnerabilities of their browser at http://bcheck.scanit.be/bcheck/ before feeling secure in their browser choice...
     
  11. Dogbiscuit

    Dogbiscuit Guest

    Wouldn't using a leak proof firewall while in a limited account improve the protection it provides greatly? Malware couldn't do much to alter the TCP/IP stack and bypass it from within an LUA, for example.

    If you can't use a HIPs, a firewall might be a little easier to use as an extra layer of security, if you don't surf safely.
     
  12. wat0114

    wat0114 Guest

    Here is a possibility:

    Malware in the form of a trojan disguised as a funny video does get in as an email attachment circulated from a trusted co-worker, bypassing the antivirus because it is a zero day threat that even the heuristics misses. The tired and irritated recipient, who's had a bad day at work, opens it, and it launches, steals personal information from the "My documents" folder and tries to send it out on the Internet to a remote bad guy's server by hijacking svchost. The leakproof firewall catches and alerts on this attempt, the user hits "Block" and the private info stays put. No devastating theft of personal data occurs.
     
  14. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    I agree with Dogbiscuit,

    A firewall is like a HIPS with less pop-ups.

    These days most malware - worms, trojans etc - will try to connect over / utilise the internet. Thus a firewall is in a sense a very primitive but effective way of detecting Zero-Day threats.

    Firewalls also supplement your AV - if your AV doesn't detect a new spyware / adware program, your firewall leak test functionality definitely will. This is because Adware and Spyware must connect to the internet to work!
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    dmenace,

    Now we are getting somewhere. Actual hard data. What I did notice was 4 categories of tests had example trojans and 5 did not. It's a mixed bag. I am a bit more convinced it's not a complete waste of time. At least one of the four with examples, substitution, is relatively painless to implement, and maintaining a CRC database dates back to such classics as Kerio 2.15. As the scenarios get more complex, so do the measures to detect them. This makes me wonder if there is a cost to benefit mismatch in the less leaky firewalls in terms of required user interaction.

    I am not so certain about the HIPS analogy. HIPS should prevent infection. Triggering a firewall on outbound is post infection, and that is not as good. A firewall can have less noise because the focus is narrowed to communications. Some firewalls have HIPS features which might prevent infection. Actually, the same could be said of Vista's UAC. One of the leak testers found UAC prevented one third of his tests from either installing or functioning when no outbound filtering was enabled in the Vista firewall.

    Anyone else have some facts?
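    The substitution check Diver describes (a per-application checksum database of the Kerio 2.15 sort), as an added example written for this thread and not the code of any firewall mentioned here; the OutboundRuleDB class, the file names and the sample binaries are constructed for illustration.

```python
# Added example (not from the thread): a minimal "CRC database" check of the
# kind Diver attributes to Kerio 2.15. A firewall that remembers only a program's
# path can be fooled by substitution (a different binary placed at the trusted
# path); remembering a hash of the file catches that. The paths and file
# contents below are constructed in a temp directory so the script runs alone.
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file read in chunks (CRC32 was the 2000s-era choice;
    a cryptographic hash also resists deliberate collisions)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class OutboundRuleDB:
    """Maps an executable path to the digest recorded when the user allowed it."""

    def __init__(self):
        self.rules = {}

    def allow(self, path):
        self.rules[os.path.abspath(path)] = file_digest(path)

    def check(self, path):
        """Return 'allow', 'prompt-new' (never seen) or 'prompt-changed'
        (same path, different binary: the substitution case)."""
        key = os.path.abspath(path)
        if key not in self.rules:
            return "prompt-new"
        if file_digest(path) != self.rules[key]:
            return "prompt-changed"
        return "allow"


def demo():
    """Constructed scenario: approve a 'browser', then swap its binary."""
    with tempfile.TemporaryDirectory() as d:
        browser = Path(d) / "browser.exe"
        other = Path(d) / "unknown.exe"
        browser.write_bytes(b"legit browser image v1")
        other.write_bytes(b"some other program")
        db = OutboundRuleDB()
        db.allow(browser)
        first = db.check(browser)                      # "allow"
        unknown = db.check(other)                      # "prompt-new"
        browser.write_bytes(b"replaced by a dropper")  # substitution
        swapped = db.check(browser)                    # "prompt-changed"
        return first, unknown, swapped
```

    A real firewall would also re-check the digest after legitimate updates, which is where the extra prompts Diver mentions come from.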
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I remember Rmus doing a test of Storm vs Kerio 2. Kerio 2 alerted of an outbound attempt of explorer.exe.
     
  17. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    I understand the view that prevention is more important than plugging leaks.
    But if my firewall and/or AV somehow fail me, then what?
    I don't know too much about security, but it seems to me that if there is a holy grail it would be a layered approach and common sense.
    I'd rather have a strong leakproof firewall with HIPS than to take a chance on an inbound firewall failing.
    Too, is there a group that tests the firewalls in routers?

    I just took the browser security test mentioned in this thread.
    Firefox passed. And OA2 free alerted a number of times during the test.
    Thanks for a good thread.
     
  18. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Stem, our resident firewall-expert, has been questioning the router's ability as of late. The only test I know of is shields up https://www.grc.com/x/ne.dll?bh0bkyd2 which helped me stealth a router that was supposed to already do this. That convinced me to question the ability of the router and install a FW/HIPS.
    Security-Free...
    Peace of mind-Priceless!
     
  19. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Aren't stealthing and leak proofing two completely different things? According to tests I am stealthed, or my hardware firewall is stealth, but it leaks as I have no outbound protection.
     
  20. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Exactly. Stealth/inbound & Leak/outbound. Routers monitor inbound only.
     
  21. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks for the confirmation. I don't worry about outbound protection - just focus on inbound.
     
  22. clambermatic

    clambermatic Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    216
    "...leak proof firewall"??

    At least i know.... :D it ain't made of fishnets, or porous material huh!
     
  23. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    I like to have confidence that my Firewall has outbound protection (which is what leaktests detect) to protect me from malware... (downloaders, backdoors, spyware and keyloggers)... Just in case something gets through me, my AV and Behavior-Blocker.
     
  24. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    More interesting stuff.

    Further to my last post acknowledging that the Comodo site gives examples for four of nine categories of malware that use outbound monitoring firewall bypass techniques. I wonder why there are not more examples. After all, there are hundreds of thousands of different malware signatures in AV's. Is this simply a rarely used technique, and were these particular malware samples widespread or uncommon?

    Kerio 2.15 catches Storm. That's nice. Kerio 2.15 probably was designed before Steve Gibson ever started this whole business. I guess this means that a bidirectional firewall is useful, but chasing after the latest and most exotic leak test performance is not.

    It would be nice to know which of the many tests are the most important and what if any bypass techniques were used by Storm. Do we have to chase after those few items at the top of Matousec's list, or are those in the middle going to be just as good in reality?
     
  25. Lundholm

    Lundholm Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    108
    Location:
    Copenhagen, Old Zealand
    Easy to answer. OA just "won" the leak-test race, but if you read the OA forum, you find out that it's a buggy firewall!

    That's what a leak proof firewall gives you.;)

    So stop buying bloated firewalls, and stop posting about the "importance" of leak tests.

    If you want a HIPS then get a HIPS. There are useful forums for this too.

    If we all started acting sensibly, then we would have better firewalls and better HIPS.

    Too boring? :cool:
     