Sunday, January 28, 2007

Firewall Considerations #2

I have been planning on taking a renewed look at firewall choices since it has been a while since my last post on the subject: My Firewall Choices.

Not much has changed in my mind since then. I've still got my systems safely tucked behind a configured hardware based router/firewall to block and discard all incoming non-solicited traffic requests. It sits between my cable broadband modem and my pc's. So inbound protection is already covered.

I still run software/personal firewalls on each of the pc's. Just in case something ugly was to slip on one of the systems, it could try to connect both outbound as well as infecting systems within my network. So the 2nd layer of firewall protection should help with that. I don't have file-sharing enabled between any of my systems.

And one of these days I'm going to get a little networked USB hub to hook my printer to to make it a print server for all my machines. (We have just one printer in the house connected to the main one.)

All things considered, my freeware/free-for-personal-use selections pretty much stand as they were then:

There are also other additional freeware/free-for-personal-use firewalls out there as well.

Inbound and Outbound Protection

Now, in my previous post, my focus was primarily for "leak-blocking". By that I mean, how well does the firewall guard against programs attempting to get out to the network? An effective firewall should not only protect against inbound intrusion attempts, but should have sufficient means to keep data from being sent out of the system, without user authorization.

Why? Suppose your system somehow got infected with a trojan or rootkit. As a function of that bot, it collects user information, passwords, accounts, etc. and then transmits that information back out to its master.

If a firewall does not have outbound protection, you wouldn't be alerted to the fact that a program was "calling home" and you can say goodbye to your data.

Unfortunately, many of the firewall applications that have outbound/rule based alerts don't always make it clear what is going on. Users are left with a confusing mix of messages of processes and program alerts that can be bewildering for both geeks and non-geeks alike. And if you do block a legitimate process...well...problems can mount quickly! And if you get so frustrated to turn off outbound protection, well...inbound protection is great, but...what could be leaking out? It's a dilemma.

A commenter by the name "Anonymous" and I have been having a great conversation in that older post. This post has been spun out of our conversation.

Anonymous raised the point that it has been suggested that Comodo has been scoring so high on these "leak-tests" because they code the program to specifically pass them. The point being, that it doesn't necessarily make it better against "live/mutating" leak techniques...just good at passing known ones.

Anonymous has a great point.

Now, let me preface the conversation with the statement that I am not a programmer. Nor do I have any certifications in network security or network traffic or even network architecture. None. So I can't speak as "expert witness" on the validity of any of such claims myself. I can only try to understand the bigger picture here and sort some things out. I'm sincerely open for correction, and am using the best available information I can find.

Firewall Leak Tests

Clever people who are all those things that I am not, work to write test programs (or live malicious programs) that attempt to take advantage of how systems and firewalls operate to get through them. The idea, for the good guys at least, is that by probing and breaching the firewalls using a number of techniques, program developers can make them more robust and more secure--penetration testing (pen tests).

The Firewall Leak Tester website currently has nineteen (19) leak-tests available to evaluate how well a firewall stands up to internal breach attempts using a multitude of programming techniques.

Another highly informative security website, Matousec, currently has twenty-six (26) leak-tests available. Many are the same as on FLT website. They also provide specialized testing programs packaged in zip files. If you are going into the testing business...this is a great place to build your tools...and it's wonderful of Matousec to put them all together so nicely. (Thanks guys!)

NOTE: Many of these will set off all kinds of alarms with your anti-virus software so be aware if you want to download and play with them. Also, if you do and are running XP, be aware that if your system takes a System Restore snapshot, you might get some of these in there as well, and it can be a pain to pull them out of there. How antivirus software and System Restore work together - (Microsoft KB)

Firewall Leak Test Evaluations

Remember, we are talking about attempts to bypass outbound traffic protection by the firewall here, not inbound protection, which most all seem to be able to handle without issue.

Unlike last time when I actual did do the tests myself out of curiosity, I'm not doing that this time. There are enough professional evaluation of these out there and I won't muddy the waters with my uncontrolled end-user testing.

Matousec has a great blog where they have been posting some interesting results on some of the more popular firewall versions out there:

Do vendors Code to the Tests?

Anonymous's point (in particular with Comodo) can apply to any security vendor out there; "Are they guilty of writing their software code to specifically prevent a known leak-test application from getting out?"

Matousec feels pretty strongly that at least one vendor (Outpost) has: The interception of the test did not fix the problem (2007/01/27 17:20)

As a non-coder I can't say for certain, but I would suspect it could be quite true. I would hope that the vendors would work to understand the principles behind the way each leak-test is punching through their firewall and write the code for their product to address effective blocking of the implementation technique rather than just the specific test itself.

However, in a market (even with freeware versions) that is getting more and more crowded and with more users getting savvy to the need for firewall protection (inbound and outbound), jaded me has little doubt that some vendors might take the easy way out to pass as many tests as possible to elevate their "rank standings".

Fortunately smart good-guys like Matousec and others are out there working as our advocates, digging deep into the code and process functions few of us dare to venture into.

Surveying the Field of Battle from the Ramparts

So have I changed my position on my choices significantly? Not yet...but the winds, they may be 'a blowing.

If you are a broadband Internet service user (cable, DSL, etc.) go ahead and pick up a router/firewall solution. They are cheap and pretty darn effective on blocking unsolicited inbound traffic.

  1. Use a "real-time" Anti-Virus program daily. Consider a weekly/monthly scan with a 2nd "on-demand" standby anti-virus scanner as well.

  2. Run daily/weekly scans using more than one anti-malware product. There are effective "real-time" anti-malware monitoring applications as well as on-demand scanners.

  3. While not for the timid, using a root-kit scanning tool periodically might be worth considering.

  4. If you must, consider a process monitoring utility.

  5. Keep your software and system patched regularly: Windows Updates, Secunia Software Inspector.

  6. Use a secure browser: Firefox, Opera, Internet Explorer 7.

  7. Use wisdom and stay away from dodgy "Knockturn Alley'ish" websites. The content lures the darker side of us in, but the coding on the pages (JavaScripting/ActiveX) can craftily cram malware (and worse) down onto your system.

  8. Download applications, games, videos, music from legitimate websites only. How do you tell? Experience I suppose. And scan them before opening them!

  9. Watch your email attachments and delete all unsolicited attachments you get...even look with caution on those attachments from family and friends....you may like your family and friends...but do they scan and practice safe computing practices as well? Consider disabling HTLM rendering of email messages.

  10. If you have a family member (or yourself) who refuses to practice safe website surfing, force them to use a sandboxed web-browser: Greenborder Pro (Consumer), Bufferzone, or GeSWall Personal Edition

  11. Better yet, put their web-surfing onto a virtual pc session using a LiveCD that won't allow writing back to the system.

  12. Now, once you've done all those "easy" things, wrap it up with a personal firewall that meets your needs and has been vetted by the professionals; Matousec's incredible list of personal firewalls.

Choose and configure a software firewall that strikes a balance between protection and usability. You cannot protect against all the threats that are out there, now and those waiting in the wings we haven't encountered yet. It's a never-ending "arms-race."

Final Thoughts

If you are willing to do the work and even after implementing these Safe-System security habits, you are still freaked out about security and need hard-core leakage protection in your firewall...I'd still say go get Jetico Personal Firewall or their new Jetico v.2 Beta build. It's a ripping-good firewall. But be prepared to do some heavy work with configuration and chatter. It may take a long time before it settles down. And be very careful what you decide to block. You might cripple your system.

If you want something a bit more "family friendly" then take a look at Sunbelt Kerio Personal Firewall or Comodo Free Firewall. And the perennial favorite ZoneAlarm Free is still high atop many user firewall polls. Any of these may provide sufficient protection to meet your needs... despite having clearly known weakness that bump them down lower on the professional's lists. However, if you are already well protected with following the other security recommendations, they might be sufficient enough for family-friend or non-technical pc users.

Remember, for a malicious leak to occur in the first place, your system needs to have been breached and the trojan/virus/malware/rootkit would have to survive getting onto your system through all those defensive layers in the first place....before it has a chance to get caught on it's way back out by your leak-proof' ed firewall defense.

In my humble opinion, pc security isn't based on, nor can it be effective with a "single-bullet" application approach.

Smart and safe users take a holistic approach. It's a lot of work and a frame of mind.

It's a secure digital lifestyle. You can't be too safe nowadays on the network!

--Claus

No comments: