In article <mq6v41pg2pvmdgjiiso8shg1g5352gu2he@news.speakeasy .net>, Jay T.
Blocksom says...
> <http://groups.google.co.uk/groups?scoring=d&q=Blocksom+"software+firewall"
> &btnG=Search>
>
> Do read the whole thread(s). (And WRT to the most recent one in particular,
> give Google at least a few hours to "catch up" with my latest article.)
>


[thread moved to alt.privacy.spyware from comp.mail.pegasus-mail.misc]

Summation, to save everyone all the reading time: A software firewall is a
tool. It's one tool. It is ONLY one tool. It is useful for what it is
useful for, and nothing more. The same is true with hardware/firmware
firewalls, anti-virus scanners, spyware trappers, encryptors and the whole
lot. Each does something that the others cannot do. Each is useful and
serves a purpose. To expect one tool to do it all is like having one
hammer at home, but not having any screwdrivers, wrenches, pry-bars, saws,
planers, chisels or... For security, it is not good enough to wait until
you identify a need to get a tool. Once you've identified the need, it is
too late. You must have all the tools at once, install them, configure
them, monitor them, and react intelligently to what they tell you is going
on. "Intelligently" is the operative word. "Install it and forget it,"
while probably in line with most people's attention spans, isn't going to
work. Save your money and your time and your disc space if you're not
going to get involved with your own security.

Jay,

Thanks for the thread leads! Very interesting discussions (even if some of
the contributors happen to be defending their own products' features and
have a reason for a biased view).

Yeah, I think we're in agreement, at least as far as I understand your
point about software firewalls vs. outboard hardware, firmware or "roll
your own on a cheap PC" firewall.

I also enjoyed your term (assuming it was coined by you) "nagging nanny."
I think I'll adopt it for my own conversations in the office, if you don't
mind.

But I also think, after reading the threads (Hoo, boy! They're LONG!),
that either the others are missing your point, or perhaps you're missing
theirs. Like one of the threads requested: "define adequate." I get the
impression that two different points are being debated, but done as if it
is only one point. It may be a choice of words that contributes to this,
so I'll try to state my position clearly. If you disagree, well, we disagree,
and I can sleep knowing there are differing opinions.

An outboard firewall (to use your term) is necessary. So is a NAT router
that offers IP address translation. Both can block unsolicited inbound
packet requests, and also protect from machine addresses being published
and subjecting them to outside attack. They can't, BTW, protect a home
user from the EFFECTS of DoS; packets coming down the line from the ISP
will eat all home-based bandwidth, even if the modem/router/firewall stops
them cold at that point. No available bandwidth is no available bandwidth,
even if the protected computer isn't bogged down with examining the
incoming packets and disposing of them.

The outboard solution is far more configurable than most home-priced
routers (and much cheaper than enterprise-level firmware boxes), being able
to do things like examine traffic frequencies and nature (one example: if
it sees a gazillion 64k packets blasting out port 80 to the same IP
address, it can shut down access to port 80 until the Zombie attack is
finished - and alert you that you have a Zombie on your machine). Among
other reasons, this is why I have one. I got a used PC for $75, and other
than the electricity and cabling costs, that's all I paid for it. It's an
old Pentium, 333 MHz, but it runs Linux and its sole job is a firewall.
It's far more than adequate to the task.

Where a software firewall (running on the same machine as it is
protecting) shines is a different matter. It's the "nagging nanny" feature
that is highly desirable, here. Example:

Suppose you download a program from a web site. Let's be a little more
"I'm not that dumb" and say it's an UPDATE to a program you've been
running for years; a patch, perhaps. Something you trust, and you trust
the vendor. Unknown to the vendor, their development machines have been
infected with a trojan designed to scan for things that look like account
numbers, open port 80 outbound, and transmit what it finds to a
predetermined list of addresses.

Now, the vendor tests for function before making the patch available for
download. They scan for viruses (and let's assume the scanner failed to
detect the trojan already in their packaged code). They post it, you
download it and install it. The patch works great! No problems.
Unfortunately, so does the trojan, and none of the protection methods
against INCOMING data have stopped it from arriving, being installed and
executing.

Randomly through the day, the trojan, having been turned loose in your
system by you installing it (by accident, mind you), silently opens port
80 and sends a short packet out of your machine, containing private data.
To circumvent traffic analysis, it waits about 2 or 3 minutes (random)
between packets. Then it resumes looking into data files, a little at a
time so as not to make you wonder why your disc read head is thrashing,
until it finds new information. The process repeats.

A router and an outboard firewall are as useless in this situation as a
software firewall is in combating unsolicited attacks from the outside. To
the firmware firewalls, this looks like a typical web page request,
perhaps using an HTTP header and your private info embedded in the data
segment. They've no reason to stop it, based on the port, the outbound
initiated request, and the frequency of the packets. The data packets do
not necessarily contain identification as to what program created them, nor
whether a user clicked a button to initiate the packet, nor how long the
sending program has been running on the computer. It's just a data packet,
like all others going to any web server in the world. (Enter, again, my
earlier lament of not having a low-level data packet scanner to pause the
packet, alert the user about private info going out, and ask whether to
let it go or kill the packet).

Presuming that patched program has NO business accessing the internet (at
least it didn't use to until you patched it), the nagging nanny is your
first line of defense, and possibly your only chance of knowing BEFORE it
is too late that something is wrong. In this case, a good (and I don't
know how to define 'good,' sorry) software firewall should be able to:

1. Detect that a new program is accessing the internet, or a previously
approved and signed program has changed in its code signature or the type
of transmission it wants to conduct. That is, the program itself or any
one (or more) of its subcomponent modules. At that point, it is not
allowed to access any port until you [re]authorize it (nagging nanny) and
a [new] digital signature is taken.

2. It should provide stateful inspection, shutting down the access rights
if the program should do anything other than use the ports it was allowed
to use, and only initiate outbound requests (as opposed to listening for
any unsolicited incoming requests). Granted, the firmware firewalls can
protect against the latter, but the fact that a program is acting as a
server (daemon or service) should alert you to a HUGE problem on your
machine. Where yesterday you had nothing listening to port 80, and today
you do, you should remove the cable from your machine immediately!

This is where software firewalls have their forte, and the other firewall
forms are, well, let's just say they keep honest software honest, in this
very particular respect.

I believe I understand you to acknowledge this, and that the main thrust
of your security threads was something along the lines of "Don't be fooled
into thinking that you're protected if all you have is a software
firewall, even if you run 18 of them." And that's a sentiment with which I
enthusiastically agree! Some vendors will have the neophyte believing this
claim. Even if the vendor is honest and says their product is PART of a
tool set, there are still the home users who "read something on some web
blog somewhere, and the guy seemed to sound like he knew what he was
talking about, so he must be correct. Hey, he says he works for Intel (or
Network Solutions, or xyz Security Corp, or...), so he MUST be an
authority on EVERYTHING, right?" Perhaps. When was his article dated?
February, you say? 1998? Hmm...

And while we're at it, unless one actually USES the logs and THINKS before
OKing unknown outbound access (the nagging nanny, again), then there's no
reason to run a software firewall. By mindlessly approving everything and
never looking at access logs, you may as well save yourself some CPU
cycles, some interrupt backlogging, some RAM and the hassles of dealing
with the nagging nanny - delete the software firewall. It's useless unless
users THINK and educate themselves, even if just a little.

Too many users, alas, don't think and they don't educate themselves; "I
bought it and installed it and now I don't have to deal with the topic any
longer." No, they don't. Not unless they're interested in securing their
private information, anyway. In that case, why not save yourself some time
and forget installing a 3rd party product, free or not; just enable the
Windows XP Firewall (assuming you have XP) and leave it at that. The
protection level is just as effective...

Cheers!
Frisco
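As an added example, not part of this post or of any firewall product mentioned in it, the following Python sketch models the two behaviours Frisco lists for the nagging nanny: a per-program allowlist keyed on a hash of the executable, which prompts when a program is new or its binary has changed since it was approved, and withdrawal of approval when an approved program uses a port it was never granted or starts listening. The store, the verdict names and the constructed walk-through are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

approved = {}  # assumed store: program path -> (sha256 at approval, allowed outbound ports)

def sha256_of(path):
    """Hash the program file; stands in for the 'code signature' the post describes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def authorize(path, ports):
    """The user answered the nagging-nanny prompt: record the current hash and ports."""
    approved[path] = (sha256_of(path), set(ports))

def decide(path, port, direction):
    """Verdict for one socket event: 'allow', 'prompt' (ask the user) or 'block'.
    Any violation drops the approval, so the program must be re-authorized."""
    if direction == "listen":             # program starts acting as a server
        approved.pop(path, None)
        return "block"
    entry = approved.get(path)
    if entry is None:
        return "prompt"                   # new (or de-authorized) program wants the network
    if entry[0] != sha256_of(path):
        approved.pop(path)                # binary changed since approval (e.g. a patch)
        return "prompt"
    if port not in entry[1]:
        approved.pop(path)                # stateful check: a port it was never allowed
        return "block"
    return "allow"

def run_scenario():
    """Constructed walk-through with a fake program file; returns the verdict sequence."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "app.exe"
        exe.write_bytes(b"version 1")
        verdicts = [decide(exe, 80, "out")]         # prompt: unknown program
        authorize(exe, [80])
        verdicts.append(decide(exe, 80, "out"))     # allow
        exe.write_bytes(b"version 2")               # "patched": hash no longer matches
        verdicts.append(decide(exe, 80, "out"))     # prompt again
        authorize(exe, [80])
        verdicts.append(decide(exe, 80, "listen"))  # block: it opened a listening port
        return verdicts

if __name__ == "__main__":
    print(run_scenario())
```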