Windows 7 FW for inbound/outbound control

Discussion in 'other firewalls' started by Gullible Jones, Feb 2, 2013.

Thread Status:
Not open for further replies.
  1. Not sure how many people here have noticed, but Windows 7's built in firewall is extremely powerful. It supports inbound and outbound rules, rules for users and groups, even rules for program paths. It's kind of like a more featureful version of iptables.

    The default rules seem to be fairly lax (lots of inbound stuff is allowed, outbound connections are allowed unless otherwise specified). All kinds of neat stuff is possible though; and the default outbound rules allow system services via svchost, so you don't have to worry about allowing Windows Update and friends.

    e.g. my current setup allows Firefox FTP, HTTP, and HTTPS outbound, and Internet Explorer HTTP and HTTPS outbound. All inbound connections are blocked, and nothing else gets internet access (other than system services).

    This sort of setup is probably quite dubious vs. a directed attack, but I think it should be pretty effective against common malware, especially when combined with browser based defenses like Noscript. I am open to further suggestions and criticism though.
     
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,231
    Location:
    Romania
    Have you tried Windows Firewall Control ? It can make it even more powerful. :)
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    I could not agree more.the windows firewall is a lot more powerful today than it used to be.
    Being the slightly paranoid user that i am i do like to be notified of outbound connections and only 2 firewalls i have used have fitted the bill.Online armor and comodo.
    If windows firewall control is light and has reasonable outbound control then i would consider having a look at it.
     
  4. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Windows 7? Consider giving some credits to Vista too lol. :p

    I'm pretty sure you know this already but still, if you don't mind, I would like to touch a bit on the often debated aspect of outbound control. It seems to me that most users are under the notion that a firewall with outbound control can/should stop malware attacks from calling home. I agree in that it might work for some malware out there currently. However, personally I wouldn't put a lot of faith on a firewall to control malware behavior once it executes. See here for what I mean...

    At Least This Snake Oil Is Free

    A few more links:
    Deconstructing Common Security Myths
    Windows Firewall: the best new security feature in Vista?

    The behavior indicated in the quoted words above can be seen if you try leak tests for example. WF (on it's own) fails. I would say preventative measures deserve more attention here.

    Some argue that some 3rd-party firewalls are better in this regard as it tries to fill in this "niche" area by bundling with HIPS that plays the role of providing further self-protection...e.g. preventing 1 program from accessing/modifying another program's behavior. Of course, even this has it's limitations (more so with KPP) and effectiveness is argued upon ("It's too late" vs "Better than nothing").

    If anything, I see outbound control as adding on to the concept of least privilege. As Marcus Ranum puts it, it's a risk reduction system, it is not a risk mitigation system.
     
  5. Thanks safeguy. I figured UAC integrity levels might add the necessary MAC dimension; I suppose not?
     
  6. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    I was speaking from the viewpoint that once you execute a program such an installer (with admin rights), you can't depend on WF to control it's outbound attempts. Legit programs will usually respect the rules but you can't say the same for malware. Firewalls with HIPS have a better chance here but it's still a gamble...

    As for ILs, they are more useful for preventing lower IL processes from accessing higher IL processes. IE runs as a Low IL process and Firefox runs under Medium IL (or you can configure it to run under Low IL). Most programs don't run under Low IL but even if you manage to, the processes can interact with these 2 browsers afaik.

    E.g Integrity Levels and DLL Injection

    moonblood may be a better resource for info on ILs. UIPI also doesn't seem to help here.

    Not to forget, exploits can run in RAM solely (as HungryMan often points out) and if this occurs within the context of the browser itself....it basically has all the outbound access it needs since the the browsers are allowed ports 80 and 443.

    That said, NoScript is a nice addition to Firefox.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Maybe you should use Online Armor, and Kaspersky AV then instead of Kaspersky Security Suite. They should work well together.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    I don't see the problem here as long as safe, legitimate programs are installed.

    It's just like the mostly hypothetical nonsense the "snake oil" author talks about...

    ...that's clearly the fault of the end user.

    No one should allow articles like that to discourage them from using a firewall for outbound control. There may be other more legitimate reasons for not using one, but certainly not scaremongering articles like that one.
     
  9. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    @wat0114

    I agree with you on installing legit programs.
    Now back onto topic. It's not scaremongering. The author is Jesper Johansson, a "Senior Security Strategist in the Security Technology Unit at Microsoft". Basically, the "snake oil" he's referring to is the exaggerated claims of outbound host-based firewall controls...

    The words "snake oil" are used because the claims are misleading to end users.

    Anyway, the article highlights misconceptions. Some users have the assumption that they can execute a file (with admin rights) hoping that their firewall would kick in, without considering of the possibility that the said program/process may tamper, disable or work around the firewall. This is the crux of the articles.

    Maybe this other piece he wrote (which I've linked above) gives a better picture?
    Windows Firewall: the best new security feature in Vista?

    To be fair, he also mentioned that there's value in outbound control...

     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Okay, using the term "scaremongering" is a bit over the top, although no where near as embellished as the author's "snake oil" claim, and what he writes about and what is reality are mostly two different things. Most malicious payloads will attempt outbound comms on their own rather than through the hijacking of another legitimate process. Agreed, what he hypothesises could happen, but the way he presents his claims will discourage most who don't know any better from utilizing outbound firewall control in their security setup.

    If one were to really research further, they will find that many - not all -but many malicious processes not only connect out on their own, but to non-standard remote ports, especially 8080. If a default-deny approach is used for configuring a firewall, ports such as the latter mentioned are not included, so even if a payload managed to hijack a whitelisted process and tried to connect to an excluded remote port, it would fail.
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    Trust me...he's not discouraging outbound control. Instead, he's trying to convince readers to reconsider the real value of an outbound firewall (which have been mentioned in my previous post...last quote)

    The aim is not to get trapped in the mindset of relying on outbound firewall to prevent unwanted outbound connections. I'm pretty sure you've seen this line of thoughts:

    "yeah man, my firewall will block any keyloggers from calling home, so I'm safe".

    No one's arguing against the fact that most malware are designed to "take the easy way" these days. We're on the same page there.

    However, where we disagree is that it's akin to depending on SRP in WinXP (user-mode, remember?). Sure, in practice, it might work (and is great considering it's free) BUT if we're speaking on actual security terms, it's a joke as it's trivial to bypass and poses little to no hurdles to the attacker. I'm taking about "security by design" vs "security by diversity". Yeah, both gives security but there's differences.

     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    I've got no problems using SRP in XP Pro, although I don't rely upon it as the only component in a sound security setup (and a malicious macro could bypass it at user level, but I'm not about to open an office email attachment with macros enabled anyway) just as I don't rely on the firewall as the only component, but I feel they both offer considerable value, in different ways of course, in a sound security approach.

    Either one might get bypassed, but I still like my chances :)
     
Loading...
Thread Status:
Not open for further replies.