Security theater, act#48: outbound blocking firewalls for PCs

Users running XP SP2, Vista or even a third-party firewall client such as ZoneAlarm have probably seen this warning: “… such and such program attempted to make a connection to the Internet and was blocked.” This is supposed to create a warm-and-fuzzy feeling for users. Here is messaging indicating that some shady application running on your computer attempted to do something sketchy, but the clever security system caught it and prevented harm. The reality is a bit different.

First to be clear: firewalls are very important for defense-in-depth. (Although there are alternative security paradigms such as the Jericho forum that seeks to dispense with them altogether.) Main function of a firewall is to block inbound connections, in other words stop other computers “out there” in the wild-wild web from attempting to access resources on the machine “here.” The firewall used this way is the first line of defense; even when the access attempt seems harmless– “surely it would be denied!”– there is no reason to take risks. Exploitable bugs in the access-control software have caused machines to be compromised simply by connecting to them. The further upstream one can detect and

But outbound blocking is an altogether different function. In this case, there is some software already running inside the trusted boundary, admitted into the inner sanctum. The firewall in this case prevents that code from communicating with the outside world. What purpose does that serve? With the exception of parental controls– which is rarely the intended effect– the answer is “not much.” The reason is that blocking assumes malicious intent on the part of the application. Perhaps it is trying to connect to some nefarious host out there and do something dubious, such as ship private user documents off to Russia or download more malware.  The problem is once malicious code is running with the same privilege as user, it is very hard to cut off all of the communication channels to the outside world for one basic reasons: processes and applications do not have strong identity.

While the host-based firewall attempts to create the illusion that application X is highly-regarded and application Y is not to be trusted  with talking to the outside world, in reality it has a very hard time sorting out between them. This is because applications are not intended to be an isolation boundary in an operating system. They are not protected against each other. Simple example: if Y is not allowed to open outbound connection, it can often launch a copy of X to do the same thing instead or prior to Vista subvert the internal workings of X. For “X” substitute Internet Explorer– launching a URL is sending information to a website. In fact malware authors already implemented a more reliable form of this strategy: when they need to phone home, for say downloading a new copy of the botnet software, they use the Background Intelligent Transfer System (BITS) as documented by Symantec. BITS is a trusted operating-system component and has no problem by-passing the firewall, even when acting under orders from malware. There was a minor stir around this when news initially surfaced, including articles at the Register and BBC.  In fact it should have been greeted with a yawn were it not for the firewall itself setting unrealistic expectations around what can be accomplished in the way of outbound blocking.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s