
Hole in the wall

By Ashton Mills
Jun 4, 2009 | 2 Comments
Tags: firewall | internet | security

X-Ray: The firewall is an essential bastion of internet security, but what's not well known is that all firewalls have an Achilles heel...

Firewalls are the first line of defence for any network-connected PC. And, usually, the more the merrier: having them at the gateway, on the router, and on every individual PC on the network helps to ensure no nasties come knocking on your silicon door.

And they couldn't be simpler. Once upon a time a firewall was a static, binary allow/deny wall of defence; modern firewalls are different. Blanket allow and deny rules are effective, but not terribly practical: every time you ran a program that wanted to talk to the net on a non-standard port, you had to open that port explicitly. And once opened, it stayed open, whether or not anything was still using it, until you explicitly closed it again.

Thus was born the stateful firewall: a packet-inspecting firewall that keeps a table of the connections going out and uses it to decide what to let in. Replies to any connection originated on the inside are passed through automatically; unsolicited inbound traffic is not. Ports no longer need to be opened or closed by hand; the exceptions follow the traffic a specific machine actually generates.

Virtually all firewalls at the consumer level, in routers and in security software alike, are stateful. They are a fire-and-forget way of keeping a machine locked down against everything except the traffic it generates itself. And it is a very effective solution.

But therein lies the Achilles heel as well.

Man on the inside
Because a stateful firewall lets out whatever the programs on the machine send, and lets back in whatever comes in reply, there is an implicit expression of trust at play: all the traffic leaving the machine is assumed to be legitimate. It has to be, because the firewall itself cannot tell good traffic from bad.

So what happens if a malicious program gets onto a machine and happily starts transmitting your keystrokes to a hacker in Russia? Why, the firewall lets it through, because it has no way of knowing it wasn't the user who wanted to contact that .ru domain.
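The connection tracking described above, and the reason it waves the keylogger's traffic through, as an added example that is not code from the original article. It models an old-style static filter and a stateful one side by side on a handful of constructed packets (the addresses are documentation ranges, the local address 192.168.1.10 is made up, and nothing touches a real network):

```python
"""Toy stateful packet filter: a connection-tracking table in miniature.

Added example, not code from the original article. Packets are constructed
inline as plain objects; the addresses are documentation ranges and no real
traffic is involved.
"""
from dataclasses import dataclass

LOCAL = "192.168.1.10"   # the protected PC (constructed address)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def outbound(self) -> bool:
        return self.src_ip == LOCAL

    def flow_key(self):
        """(proto, local endpoint, remote endpoint), identical for both directions."""
        if self.outbound:
            return (self.proto, (self.src_ip, self.src_port), (self.dst_ip, self.dst_port))
        return (self.proto, (self.dst_ip, self.dst_port), (self.src_ip, self.src_port))


class StaticFilter:
    """Old-style packet filter: inbound traffic only to ports opened by hand."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)

    def allow(self, pkt: Packet) -> bool:
        return pkt.outbound or pkt.dst_port in self.open_ports


class StatefulFilter:
    """Remembers every flow the host starts; inbound packets pass only as replies."""

    def __init__(self):
        self.conntrack = {}   # flow_key -> "new" | "established"

    def allow(self, pkt: Packet) -> bool:
        key = pkt.flow_key()
        if pkt.outbound:
            # Any outbound packet creates state. Nothing here asks which program
            # sent it: that is the implicit trust the article is talking about.
            self.conntrack.setdefault(key, "new")
            return True
        if key in self.conntrack:
            self.conntrack[key] = "established"
            return True
        return False   # unsolicited inbound: dropped


def scenario() -> dict:
    """Replay a short constructed packet sequence through both filters."""
    web = "203.0.113.80"         # the site the user is browsing (TEST-NET-3)
    attacker = "198.51.100.7"    # where a keylogger ships its harvest (TEST-NET-2)
    browser_out = Packet("tcp", LOCAL, 49152, web, 80)
    browser_reply = Packet("tcp", web, 80, LOCAL, 49152)
    unsolicited = Packet("tcp", "192.0.2.9", 40000, LOCAL, 80)
    keylog_out = Packet("tcp", LOCAL, 49153, attacker, 443)
    keylog_reply = Packet("tcp", attacker, 443, LOCAL, 49153)

    static = StaticFilter(open_ports={80})   # port 80 opened by hand
    stateful = StatefulFilter()
    return {
        # static rules: the opened port lets strangers in, yet the reply to the
        # browser (arriving on an ephemeral port) is still dropped
        "static_lets_unsolicited_in": static.allow(unsolicited),
        "static_passes_browser_reply": static.allow(browser_reply),
        # stateful rules: replies follow the outbound connection automatically
        "stateful_browser_out": stateful.allow(browser_out),
        "stateful_browser_reply": stateful.allow(browser_reply),
        "stateful_unsolicited_in": stateful.allow(unsolicited),
        # ...and so does the keylogger's flow, indistinguishable from the browser's
        "stateful_keylogger_out": stateful.allow(keylog_out),
        "stateful_keylogger_reply": stateful.allow(keylog_reply),
        "tracked_flows": len(stateful.conntrack),
    }
```

The stateful table keys on addresses and ports only, which is all a packet carries; the keylogger's exfiltration and the browser's page fetch look the same to it. A real netfilter ruleset does the same thing with `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` for inbound traffic, and has the same blind spot.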

This is what spurred the evolution of personal firewalls, the kind you can get standalone or as part of a security suite today. On top of the basic stateful firewall, these take the extra step of assuming that not all traffic originating from a machine is necessarily legitimate, and so implement internal checks: at the very least, they query the user with 'This program wants to access the net, do you want me to allow it?'

You would think this should be relatively foolproof, as a user can easily say whether the program in question is one they started. But it also means that for a malicious program to bypass the firewall, all it has to do is pretend it's the user.

There's another problem with this too: some programs will invariably be allowed through automatically by any security suite because they are considered essential, Windows Update for example, or the suite's own services. And a user is going to grow tired very quickly of being prompted to allow their browser through every time they launch it, so they're going to tick 'Add to exclusion list' quick-smart.

Which means malicious software doesn't need to force its way through the firewall; all it has to do is pretend to be one of the programs that's already allowed through. And this is exactly what some malware attempts to do.

Most of today's advanced firewall suites cannot stop a nasty application from impersonating another program and gaining unrestricted access to the net, to do things like transmit your keystrokes, or send other data gleaned from the system for identity theft.

The smart ones don't try to impersonate just one or two programs; they carry an internal list of many and try each in turn until one gets through. The really smart ones hijack programs, using techniques like DLL or thread injection either to alter a running program directly, or to create a 'clone' of an application (such as Explorer itself) that kills the original instance and relaunches it with a modified DLL.

These are attacks from the inside out, and there's not a lot security programs and their firewalls can do about them, because two factors are at play. First, a hijacked program passes through the firewall because the firewall is doing exactly what it was told: let 'trusted' programs through, including the ones the user has allowed themselves. Second, because Windows has traditionally assumed the user is an expert and handed out administrative access on demand, any program that runs as the user carries the user's authority, and security programs and firewalls are again bound by that implicit level of trust. A user's 'copy' of Internet Explorer, for example, is considered trusted even if it has been hijacked.

The solution many personal firewalls work with is to inspect a 'trusted' application at the moment it tries to access the net. Either the program matches a signature in the firewall's database of malicious software, or a checksum of the executable (MD5 or similar) is compared against the database of known programs. Neither method is foolproof: a checksum of the file on disk says nothing about a DLL injected into the running process, which is exactly the technique described above, and a signature catches only what has already been catalogued. So while some security suites can catch some of these wolves in sheep's clothing, none can be completely effective, and, like virus scanners, they are only as up to date as their signature files.
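The per-application checks described above, from the naive exclusion list through to the checksum and signature comparisons, as an added example that is not code from the original article or from any real product. The 'executables' are short constructed byte strings, the paths are made up, and SHA-256 stands in for the MD5 the article mentions (MD5 is collision-prone). It shows why an impersonating binary fools a rule keyed on the program's name but not one keyed on its hash, why a hash of the file on disk still passes a hijacked process, and why a signature database misses a variant it has never seen:

```python
"""Toy model of a personal firewall's per-application checks.

Added example, not code from the original article or from any real
product. The 'executables' are short byte strings constructed inline;
nothing is executed or sent over the network.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    """What the firewall can see about a program asking for net access (simplified)."""
    name: str            # on-disk path the process claims to be
    image: bytes         # contents of that executable file on disk
    modules: tuple = ()  # DLLs loaded into the running process


def digest(data: bytes) -> str:
    # SHA-256 here in place of the MD5 the article mentions; MD5 is collision-prone.
    return hashlib.sha256(data).hexdigest()


class NameRules:
    """Exclusion list keyed only by program name/path: the naive 'allow my browser'."""

    def __init__(self):
        self.allowed = set()

    def allow_program(self, proc: Process):
        self.allowed.add(proc.name)

    def permits(self, proc: Process) -> bool:
        return proc.name in self.allowed


class HashRules:
    """Exclusion list that also records a hash of the binary when the user says yes."""

    def __init__(self):
        self.allowed = {}   # name -> digest of the image at approval time

    def allow_program(self, proc: Process):
        self.allowed[proc.name] = digest(proc.image)

    def permits(self, proc: Process) -> bool:
        # Rejects a different binary parked at the trusted path, but hashes the
        # file on disk only: code injected into the live process is invisible here.
        return self.allowed.get(proc.name) == digest(proc.image)


def blacklisted(proc: Process, malware_db: set) -> bool:
    """Signature-style check: is this exact binary in the database of known malware?"""
    return digest(proc.image) in malware_db


# Constructed sample programs (byte strings stand in for real PE files).
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
TRUSTED_IE = Process(IE_PATH, b"MZ..genuine iexplore build..")
IMPOSTOR = Process(IE_PATH, b"MZ..keylogger copied to the same path..")
HIJACKED_IE = Process(IE_PATH, TRUSTED_IE.image, modules=("ntdll.dll", "keylog.dll"))
KNOWN_TROJAN = Process(r"C:\Windows\svchost.exe", b"MZ..trojan build 1..")
VARIANT = Process(r"C:\Windows\svchost.exe", b"MZ..trojan build 2..")


def scenario() -> dict:
    """Run the sample programs through each check; returns what each one decides."""
    by_name, by_hash = NameRules(), HashRules()
    for rules in (by_name, by_hash):
        rules.allow_program(TRUSTED_IE)         # user ticked 'Add to exclusion list'
    malware_db = {digest(KNOWN_TROJAN.image)}   # signature file knows build 1 only
    return {
        "impostor_passes_name_rule": by_name.permits(IMPOSTOR),
        "impostor_passes_hash_rule": by_hash.permits(IMPOSTOR),
        "hijacked_ie_passes_hash_rule": by_hash.permits(HIJACKED_IE),
        "known_trojan_caught": blacklisted(KNOWN_TROJAN, malware_db),
        "variant_caught": blacklisted(VARIANT, malware_db),
    }
```

HIJACKED_IE carries an extra loaded module but the same on-disk image as TRUSTED_IE, so the hash rule cannot tell them apart; catching that would need the firewall to look at the process in memory rather than the file, which is where the article's point that none of these checks is complete comes from.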

And that's the rub: a firewall is no silver bullet. There is, however, something much better: common sense.

 
This article appeared in the May, 2009 issue of Atomic.

2 Comments
TheSecret
Jul 2, 2009 3:46 AM
There is no Achilles heel as is described in the article. Firewalls, of any type, are not designed to distinguish between traffic the user consented to send, and malicious traffic. Firewalls are never designed to tell "good from bad".

Personal firewalls were never meant to prevent malware in this way, nor are they capable of stopping sufficiently advanced malware. The answer to the problem of malware is not one that can be solved by malware, but rather a better application of existing security models. UAC was a start, then ultimately ended up as a failure.

It's also possible with Windows to sign known executables, so if one of these executables is hijacked, they can be prevented from executing. A firewall does not come into it.
TheSecret
Jul 2, 2009 7:58 AM
"the problem of malware is not one that can be solved by malware" should be "the problem of malware is not one that can be solved by firewalls"....
 
 