Re: to PFW or not to PFW



JIP <JIP@xxxxxxxxxxxxxxxxxxxx> wrote:
> As a non-techie I am confused. Whilst lurking in this and related groups I
> see a debate that goes on as to whether there is any point in using PFWs, in
> particular to monitor outgoing traffic. Some say it's essential (as do most
> magazines, and of course all companies marketing such products) and others
> say that they are so easily circumvented that it's a waste of time - and if
> I understand correctly, some even say that they actually open up further
> vulnerabilities.

There are clear proofs of such vulnerabilities. There are clear proofs
of how to circumvent them easily.

> So, what may be a naive question - is there any point in using a PFW to at
> least stop badly written nasties from kiddy vandals who haven't learned yet
> how to do it properly?

Yes, "Personal Firewalls" can stop software that lets itself be controlled,
or that is just written dumbly, from communicating outside. This is
possible.

But this has nothing to do with security at all.

A security feature has to lead to a situation where a system is safe
from a specific attack vector being used. Then, and only then, can you
say that the security feature leads to a situation where you're secure
against this attack vector.

It is not possible to be safe from everything wrong that could happen,
though. But it is possible to close single attack vectors. And it should
be done.

Why it is so important to think about computer systems in this context,
and not about things like camouflage, which help but don't guarantee
protection, I tried to explain in <43228b5a@xxxxxxxxxxxxxxx>.

And this has nothing to do with "there is a security hole, but everything
has exploits". Besides the fact that there is proven software, which can
be 100% correct with respect to a given specification, there is a big
difference between design flaws and holes or exploits.

There is a big difference between something that works in theory, where
the implementation has a bug or an exploit that has to be fixed, and
something that already cannot work in theory or has a design flaw.

The design of Microsoft Windows includes a security system. But for this
security system, the Desktop is the boundary. Microsoft themselves
document that one had better not try to ignore this fact. So one can
control applications only when no application that is on the Desktop can
communicate outside - that means no application which opens a window.

As a result, this means that you may not use a web browser if you want
to prevent a second application from communicating outside.

This is what I showed in my proof-of-concept code here:

http://www.dingens.org/breakout.c

I'm just using Windows messages to let the web browser do what the
application which should be controlled may not do directly. At the
time when I published these few lines, there was not a single "Personal
Firewall" which could prevent this. They all failed. And this was no
surprise.

Now Zone Labs made a huge effort to implement a security system for
Windows messages. They invented a technology to add to Windows what
is missing, so they can control Windows messages with Zone Alarm Pro.

But this is a useless effort. It is completely useless because, simulating
an attacker, I did not look at their work at all but completely ignored it,
because Windows messages are just one of many ways to communicate between
applications, and most of them have no security system at all in Windows.

As the next step, I chose COM. With this technology, you can communicate
without any problems, and I wrote this one:

http://www.dingens.org/breakout-wp.cpp

I just asked Explorer, by communicating with ActiveDesktop using COM, to
do the work for me. And just like with the Windows messages example, it
works with the current Zone Alarm Pro without any problems.

So as a matter of fact, not a single "Personal Firewall" can stop
applications which want to communicate with the outside world if there
is a single application which may, like your web browser or Explorer.
This just is not possible on Microsoft Windows.

Of course, it is not a security hole at all if you cannot do this.
It is much more sensible to prevent malware from being installed and
running on your machine than to try to control malware in a way that
the security system of the operating system does not allow.

And what the "Personal Firewalls" are doing here is even counterproductive,
because a "Personal Firewall" should not ask a normal user
if she/he wants to allow "ACROREAD.EXE" to access a website - they should
open no popups at all here, because it is a very good idea for the
common user to have automatic updates in Acrobat, so the exploits
there and in many other programs can be fixed quickly from time to time.

So popups are counterproductive, because they ask the user
to take responsibility for protection decisions. But the user should
not protect; she/he should be protected.

Yours,
VB.
--
Wanting to learn networking fundamentals from Windows is like gathering
your first sexual experiences with a prostitute: the passion is missing,
you don't learn what really matters, and the chance of catching something
nasty is high. (Lukas Graf in d.c.s.m)