Windows Firewall Has A Backdoor

Did you know that programs on your computer can write their own rules for your firewall? This makes it pretty convenient for spyware, doesn't it?

Reply to
Jay Calvert
I never use Windows Firewall. I use Tiny Personal Firewall, which is MUCH better than Windows Firewall.

Reply to
Charles Newman

The firewall itself can never be a backdoor. The malware that gets through it is.

Reply to
Ian JP Kenefick

How many people here have had their firewall ever stop something that you are certain was bad... I am still not convinced of the usefulness of firewalls unless they are somehow linked to an antivirus database in real time so they can analyse processes to determine if they are legitimate (or not)..

Will

Reply to
Will James

A user executes a file that he shouldn't have and it opens a backdoor on an unusually high TCP port. The firewall asks you should it allow this process access to the internet and you say no as you do not know what it is.

Firewalls use stateful packet inspection alongside signatures to detect malicious traffic. - firewalls analyse traffic and not processes

- although I can think of one or two that check processes in memory, as in the case of Sygate Personal Firewall Pro. If you don't understand how this is useful then you need to do a little more reading. It's like this client I spoke to one day said 'I don't believe in firewalls'. I said 'You don't need to!'

Reply to
Ian JP Kenefick

I have a hardware firewall that does SPI, so I don't really need the incoming protection a software firewall provides. If the software firewall asks me.. "do you want to let this application or component application access the net" how can I really be sure those processes are legitimate or may be being interfered with or modified by a trojan or virus.. surely the writers of these trojans often make sure their processes are likely not to be detected by replacing legitimate processes with their own?

Will

Reply to
Will James

Wrong, you do. I will explain in a sec....*

The firewall (using checksums) will detect a modification to the executable which, unless you have updated it, should be regarded as suspicious. On many occasions a firewall can tell you about the nature of a program and/or components when AV does not detect anything it considers to be malicious. A new trojan, for example, creating a backdoor on an unusually high TCP port would be highlighted by your firewall. You would be able to determine the location and rename the file, or boot in safe mode and do so. *A personal firewall also offers signature detection for certain types of malicious traffic. If for some reason a machine is missing some patches, say for example MS04-011, the personal firewall detects traffic attempting to exploit this vulnerability and prevents the infection. So if you reckon you don't need this type of protection then I advise you rethink your security strategy.

Reply to
Ian JP Kenefick

Reply to
mike

There are a number of strategies which can be used to bypass (software) firewalls, such as running in the process space of a permitted program. Correspondingly, there are a number of tests (tooleaky, firehole, etc.) which can be applied to your firewall to see how resilient and robust it is in the face of such attacks.

An excellent site regarding such tests and the resistance of various firewalls to them is:

For instance, in addition to my preferred software firewalls (Outpost and Look-n-Stop - I vacillate between which I prefer) I also run ProcessGuard which I recommend very highly.

Regards,

PS I am also behind a cheap - but very effective - hardware router (D-Link).

Reply to
nemo outis

For the average desktop user this is not reliable.

Yes, I know, but thanks anyways.

Nice! thanks for the link!

Sygate is your friend!

Ha ha, I got SMC router with Sygate Personal Firewall Pro.

Reply to
Ian JP Kenefick

It _may_ detect the traffic, it may also not. Signatures are signatures. If you change the footprint of a virus the virus scanner won't recognize the virus. If you change the footprint of your traffic your PFW won't notice either. Keeping your machine up-to-date is one of the topmost priorities for everyone. (But why the hell doesn't your PFW warn you that you are missing an important security update, then? Wouldn't that be wiser?) If you need a PFW to cover for your negligence, well, then I advise to rethink your security strategy. And anyway, if you are missing MS04-011 and are running your machine openly on the internet, either you want to run internet-accessible servers, then update your machine, or you don't want to run servers, then close all the ports. You won't need signatures to do that...

Gerald

Reply to
Gerald Vogt

If there is a signature created to detect an exploit then it will detect it. There is no in between here.

Ok...

This is true.. but since packets exploiting certain vulnerabilities have signatures this does not apply since they DO detect these vulnerabilities.

This would mean that your personal firewall would have to download the xml file containing the update database that MSBA uses. Why duplicate Windows update functionality?

I never said that... but in a scenario where there is a large computer network and not enough time to deploy these patches then this solution gets you out of a temporary bind...

Oh, mine works. I don't need to rethink it although I am always open to suggestions.

whooooooaa.. wait a second... what does running servers have to do with LSASS?

No, a personal firewall does this. Did you by any chance read my OP?

Reply to
Ian JP Kenefick

No, you cannot detect an exploit of a vulnerability. How do you want to detect a buffer overflow exploit in a network firewall? You must know exactly the protocol going over the wire and what everything means. Then you may be able to see in which part a buffer overflow could be. A specific exploit does have a signature and you can track the pattern it uses. But once you modify the exploit a little bit the pattern is different and you must write a new signature. It's not like all existing exploits of a vulnerability send exactly the same packet with the same pattern. Take some of the Apache exploits: it requires a specially crafted URL. How do you want to recognize in general the pattern for this vulnerability? You must fully understand and parse the URL to find out whether there is a buffer overflow in there or not... This you have to do for any service in any situation... This is impossible and the best you may be able to do is to apply some heuristics.

You came up with the not-up-to-date machine. For whatever reason you want windows update not working...

No. It does not. It just protects you against one specific exploit, it does not close the vulnerability. If you cannot deploy the patches in a timely fashion and you know that there are exploits out there you have to shut down the service in your firewall as long as you are busy updating. If you cannot or don't want to update the machine you have to reconfigure it or isolate it for the vulnerable services. Running a vulnerable service and relying on a not 100% (so that we won't start arguing about how many percent it will actually catch) reliable "filtering" service instead of employing a 100% reliable firewall rule is just very bad security practice.

If you bind LSASS to your internet interface you offer that service/server to the internet. That is the bottom line. Just don't do it. If you need LSASS in your LAN you must protect this service, keep it updated and be able to shut it down or block it in your firewall in case it has a vulnerability and you have to react quickly. What else did you want to protect with your firewall detection signatures?

Again: this is totally flawed logic: Why do you employ a PFW to protect you from something instead of fixing the actual problem? If you require a service to listen to the network you must protect it. If you know that there are exploits out there you do not rely on some signatures to catch some exploits, and the next second there is a modified exploit that you do not catch. You just sit there and hope that the PFW company updates their signatures faster than the bad guys create variations of their exploits. You will lose eventually. If you know that there is a vulnerability out there and no patch yet (which fortunately hasn't happened too often, yet) you will not rely on something so unreliable like signature detection of traffic. If you want to do some pattern/signature checks then you would rather use a real intrusion detection system that analyzes your network traffic during normal times and is able to recognize abnormalities. This is still not 100% reliable but you know that it recognizes your specific patterns and not something somebody else does somewhere else while you keep sitting there, hoping...

Gerald

Reply to
Gerald Vogt
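The signature-versus-parsing argument above in working form, as an added example that is not from this thread or from any of the products named in it: a byte-pattern signature fires on the one "known" sample it was written from but misses a trivially changed variant, while a protocol-aware check (parsing the request line and applying a constructed length limit, the "heuristic" the post mentions) flags both. The request lines, the signature and the limit MAX_URI_LEN are all constructed for illustration.

```python
"""Added example: pattern signature vs. protocol-aware check on constructed
HTTP request lines. Nothing here is a real exploit or vendor signature."""
import re

# Constructed sample request lines as a firewall would see them on the wire.
KNOWN_SAMPLE = b"GET /" + b"A" * 600 + b" HTTP/1.0\r\n"   # the sample a signature was written from
VARIANT      = b"GET /" + b"B" * 600 + b" HTTP/1.0\r\n"   # same over-long URI, different filler
BENIGN       = b"GET /index.html HTTP/1.0\r\n"

# A signature written from the known sample only: it encodes the filler bytes
# that happened to be in that sample, not the property that makes it dangerous.
SIGNATURES = [re.compile(rb"GET /A{100,}")]

# Hypothetical limit for what the protected service can safely accept.
MAX_URI_LEN = 255

REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/\d\.\d\r\n")


def signature_match(packet: bytes) -> bool:
    """Pattern-based detection: fires only when a stored signature matches."""
    return any(sig.search(packet) for sig in SIGNATURES)


def protocol_check(packet: bytes) -> bool:
    """Protocol-aware heuristic: parse the request line, flag an over-long URI.
    A line that does not parse at all is treated as suspicious."""
    m = REQUEST_LINE.match(packet)
    if not m:
        return True
    uri = m.group(2)
    return len(uri) > MAX_URI_LEN


def classify(packet: bytes) -> dict:
    """Run both detectors so the difference is visible side by side."""
    return {"signature": signature_match(packet), "protocol": protocol_check(packet)}


if __name__ == "__main__":
    for name, pkt in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8s} {classify(pkt)}")
```

The signature catches only the known sample; the length check catches both malicious lines and leaves the benign request alone, which is the gap between "detects this exploit" and "detects exploitation of this vulnerability".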

Wrong.

Sounds to me like you are a little unsure.... 'what everything means'

correct - there are some differences. But traffic generated by say 'Lovsan' worm has a signature and can be detected by a firewall utilizing such signatures. Sygate does it for Sasser, Lovesan and others also....

This is not relevant to what I am speaking about. I am speaking about the detection of malicious traffic.

No, many personal firewalls have a large database of signatures and they are updated to detect new malicious traffic.

Ever heard of the phrase 'time is money'? Shutting down services like this is not practical unless absolutely necessary.

It's an extra layer of protection! Not a stand alone alternative!

What if a fix was not available? I'm sure there will be situation where there will be a case. Are you familiar with Zero Day?

Now you refer to anomaly based IDS... which uses a combination of heuristics and pattern matching. (Signatures)

pattern=signature

:) exactly... you are coming around!

Reply to
Ian JP Kenefick

My virus scanner does detect at least one virus. It does not detect all viruses even though many companies try to sell exactly that. Second, this is not a network exploit of a network service. Here we have a whole different class of attack.

I am not unsure. You must know the semantics of all parts of your application protocol if you prefer.

A specific exploit of a specific worm/virus, whatever, can be recognized. There is no way to detect all possible exploits of a vulnerability as you claimed and wrote your personal firewall would do with MS04-11. It may block exploits that it knows of and that the PFW maker has seen and prepared a signature for.

Then please define "malicious" traffic properly. You are mixing various different classes of attacks into one big pot and don't differentiate between them. A packet sent to a network service which exploits some vulnerability of this network service is something completely different than an exploit of a JPEG parser.

Yes, that is exactly what I was saying: you have a signature database like in a virus scanner. You detect exploits you know and have seen but not all exploits for a specific vulnerability. This is a huge difference.

Yes, heard of it. And as always: security costs time and money. And the worst: you cannot really put a proper number on what it actually gives you back. Something that eats your money but does not pay you back is always hard. I haven't seen a company yet that did not quickly block and shut down a vulnerable service if there is an actual attack. If you see your e-mail servers dying one after the other, why would you keep them running?

You never said that. You wrote: "If for some reason a machine is missing some patches say for example MS04-011 the personal firewall detect traffic attempting to exploit this vulnerability and prevents the infection."

It is: a PFW does detect traffic attempting to exploit this vulnerability. There is no "if", no "maybe", no "not always", no "together with other things", no "not stand alone". And the absence of all these details is exactly what so many people fall for. They believe it...

If a fix is not available you have to protect your service, not just against all the signatures some other company may know already. You are the only one who can decide in your own LAN what you need and what not. What you can protect and what not. You need reliable security, not some undefined one.

These are based on your network and your traffic. This is something different. You employ this technology and you should know about what it can do. If you find an anomaly within your e-mail server traffic, you must have a quick look and if in doubt you will restrict and block the traffic immediately to see what is going on. You won't simply press the "update" button of a PFW and hope that the next update will recognize something.

Gerald

Reply to
Gerald Vogt

I never said it had to be a network service...

I never said 'all' but there is a generic detection for traffic attempting to exploit this vulnerability. Check it out for yourself.

Well, yes.

All incoming malicious traffic which can be inspected by a firewall can be subjected to analysis and pattern/signature matching.

I agree. Of course it is not possible to detect all of the unknown.

Well, no - but some admins do not think proactively :)

Ah come on. This is a detection for traffic attempting to exploit a vulnerability - this detection is usually specific to a particular 'known' threat attempting to do so.

Yes - I understand this.

I understand this too.

Of course not. It's part of a layered solution. After all signature based is reactive and it's already too late in this case.

Reply to
Ian JP Kenefick

I know that, but read what most security software or hardware makers sell to you. A personal firewall is for personal use and those who use them usually don't know much about it. They read the box and just think, cool, with that thing I am invulnerable. And if someone who seems knowledgeable tells them "this firewall blocks malicious traffic", well, they probably believe it. That's the reason why I don't like these quickly said sentences without consideration. It seems that common sense is quickly abandoned once it comes to computers. Comparable risks that you would never accept in real life are quickly ignored. Things that are impossible in real life seem to be true in computers. No one who buys a bullet-proof vest would believe that he cannot be killed. For whatever reason, many users embrace this idea very happily for the internet. Therefore I think it is just important to say it over and over again: there is no perfect security and the only thing that really makes a difference in the end is the user, the user and only the user himself...

Gerald

Reply to
Gerald Vogt