Re: Microsoft TechNet Magazine Article about Outbound Filtering



Volker Birk wrote:
<http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx>

Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe.

Speaking of host firewalls, why is there so much noise about outbound
filtering? Think for a moment about how ordinary users would interact
with a piece of software that bugged them every time a program on their
computer wanted to communicate with the Internet. What would such a
dialog box look like? "The program NotAVirus.exe wants to communicate on
port 34235/tcp to address 207.46.225.60 on port 2325/tcp. Do you want to
permit this?" Ugh! How would your grandmother answer that dialog box?
Thing is, your grandmother just got an e-mail with an attachment that
promises some rather sexy naked dancing pigs. Then this crazy dialog box
appears. We promise: when the decision is between being secure and
watching some naked dancing pigs, the naked dancing pigs win every time.
The fact is, despite everyone's best efforts, outbound filtering is
simply ignored by most users. They just don't know how to answer the
question. So why bother with it? Outbound filtering is too easy to
bypass, too. No self-respecting worm these days will try to communicate
by opening its own socket in the stack. Rather, it'll simply wait for
the user to open a Web browser, then hijack that connection. You've
already given the browser permission to communicate, and the firewall
has no idea that a worm has injected traffic into the browser's stream.

But WGA, so to speak, does not act that way, and can be blocked with a
software firewall that monitors outgoing connections (if it just doesn't
reboot the system as the newly released ZA does :-)).
On the other hand WGA has no option to prevent it from calling home, nor
can it be uninstalled.
I still remember Microsoft stating that there was no use for a defrag on
NTFS partitions because of the indexing structure, until they inserted one
in their OS.




