
Microsoft Firewall Bashing… Didn’t Agnitum Already Try This?

February 16th, 2007

This time the culprit is Preston Gralla, writing for ComputerWorld in his article entitled "New Vista firewall fails on outbound security". I thought we were supposed to capitalize significant words in titles... Some of you may recognize Preston's name... he was the journalist who proclaimed "Justice Prevails" when an innocent school teacher was found guilty after porn appeared on a school computer screen due to spyware. This time, instead of attacking an innocent school teacher, this so-called "computer expert" decides to take on the Vista firewall.

Preston makes some interesting claims... I'm going to attempt to cover some of the more "controversial" comments here:

"Normally, to configure the Windows Vista Firewall, you choose Control Panel, then Security, then Turn Windows Firewall on or off. You'll see the screen shown in the figure below."

You can actually go Control Panel --> Windows Firewall but since Gralla is attacking Microsoft here he needs to make it seem like it takes longer.

"To work with outbound filtering, you instead have to use the Microsoft Management Console, specifically the Windows Firewall with Advanced Security Group Policy applet, by typing wf.msc at the Search box or command prompt and pressing Enter."

Most people that I know who want to look at their running services are going to type services.msc in the Run Dialog (available via 'Windows Key' + R in Vista) or in the search box (a Run Dialog replacement), so why not make the firewall available via the same means? That being said, you can actually go Control Panel --> Administrative Tools --> Windows Firewall with Advanced Security. Yes... you can navigate to it with a GUI and in the same number of clicks it takes Preston to access the basic features of the Windows firewall.

So, why does the Windows Firewall have basic and advanced features? Well, most personal firewall products do, so why shouldn't this one? It's also fairly simple to navigate to, and it's in the expected place... in fact I had no idea where I'd find it, I just knew there would be a GUI... and it was in the first place I looked. One might call that intuitive placement.

"Every rule in the Windows Firewall allows outbound connections, though. Click the Outbound Rules icon on the left side of the screen, and you'll see all the outbound rules. As you can see from the figure below, every outbound rule allows outbound connections. None block connections."

This was one of my favourite comments. The Outbound Rules list is populated with a collection of Allow statements for core Windows functions. Oh no!!! We're allowing core functionality. I'm not really sure what Gralla was thinking here, but common sense tells me that these should be here. The idea is that the list is pre-populated with rules that will allow Windows to function unhindered should you decide to enable Outbound Connection Blocking. Let's think of this like Cisco IOS... when an ACL is applied there is an implicit 'deny any any' at the end of the list, so you only ever write permit statements into it. Now think of the Windows Firewall as two ACLs... an Inbound ACL and an Outbound ACL. Once a profile's default action for a direction is set to Block, that direction has the same implicit 'deny any any' at the end of its list, and the pre-populated Allow rules are what keep DNS, DHCP and the rest of core networking alive. Two caveats for the ACL analogy: out of the box only the inbound default is Block (outbound defaults to Allow, which is exactly why those Allow rules look pointless until you flip it), and Windows Firewall rules are not evaluated top to bottom... an explicit Block rule wins over any Allow rule matching the same traffic regardless of the order they were created in. Any CCNA can confirm the IOS side for you.

"Making matters worse, there is no way for an individual or IT staffer on his own to create an all-purpose rule that will block malware from making outbound connections. You can only create a rule to block a specific piece of malware. That is an extremely difficult task, requiring that you know quite a bit of information about that piece of malware, including its location on your PC, the port it uses to make outbound connections and so on.

To stop all malware from making outbound connections, you'd have to know all those details of all the thousands of pieces of malware in existence, and create rules for each one individually. But even that wouldn't work, because you wouldn't know about malware that has not yet been detected.

In short, as a practical matter, it's an impossible task."

This is a long statement, but it makes me laugh yet again. I would suggest that Mr. Gralla look to gain at least a basic understanding of how firewalls work. What he describes in his first sentence is a mythical rule that doesn't exist. I bet every Sys Admin on the planet would pay a pretty penny for an "all-purpose rule that will block malware from making outbound connections." No such rule exists, and in fact it couldn't exist, because malware traffic doesn't arrive labelled as malware. Let's say my malware communicates with its parent server by submitting information via an HTTP POST to port 80, or better yet over SSL to port 443. This will look like regular traffic, and a rule that blocks outbound access to ports 80 and 443 would block your browser from functioning as well. Mr. Gralla doesn't seem to get that this is why you have an implicit 'deny any any'... it blocks all malware by blocking all outbound traffic you haven't explicitly allowed. You then allow specific programs, protocols or ports. Strangely enough, what would be considered the norm for any network security setup is exactly how the Windows Firewall works in Vista once you set the outbound default to Block.

As a side note, a nice feature of Vista is that it keeps separate firewall profiles for different networks. They are named Domain, Private and Public. The Home and Work choices that Vista presents to the user every time a new network is discovered both map to the Private profile, Public maps to Public, and the Domain profile is selected automatically when the machine can reach a domain controller for its domain. Each profile has its own default action for inbound and outbound connections, and each rule can be scoped to one or more profiles, so you can, for example, default-block outbound on Public while leaving Private more permissive.

"Competing firewalls often use built-in intelligence to allow certain programs to make outbound connections, and then issue alerts when other programs make connections. You're told the program name and executable and given a recommendation as to whether the program should be allowed. You can then block or allow the program to make a connection on a one-time or permanent basis."

First, I'd like to look at the first sentence here... and point out to Mr. Gralla that the "built-in intelligence to allow certain programs" is precisely the set of Outbound Allow rules he was complaining about only paragraphs before. Then he mentions the fact that Vista lacks a user-friendly "Allow this program to access the internet" pop-up box. I covered this previously in my Agnitum post but I'll address it again. Software that provides these pop-ups makes it very easy to fool the user... it also lets the user become complacent. What Microsoft has done is similar to iptables in Linux and ACLs in Cisco routers. You need to predefine the programs that are allowed to access the internet. Let's take my HTTP/HTTPS malware above and name it firefox.exe. Next, let's install it to C:\Program Files\M0zilla Firefox\. Most users are going to see that pop-up and quickly allow it if the functionality exists (such as the functionality in Norton Security Suite or ZoneAlarm Firewall)... Why? Users like to "click through"... they think that having the firewall is enough. I commend Microsoft for not including the user-friendly pop-up boxes... This is actually a great improvement to the security provided by firewalls. We all know that a balance must be found between security and user friendliness... This option sure beats providing enough user friendliness that you allow the users to make the firewall useless. Users will allow the real firefox.exe by its full path when they configure their Windows Firewall... then the malware at C:\Program Files\M0zilla Firefox\firefox.exe doesn't match that rule and is silently blocked. The usual caveat applies: a program rule is only as good as the file permissions on the path it names. Malware that can overwrite the real firefox.exe, or that is already running with administrative rights and can simply add its own rule, is not going to be stopped by any host firewall, Vista's included.

Another side note: when blocking outbound connections, certain software, such as Microsoft Internet Explorer, will offer to diagnose connection issues (if you haven't already allowed it in your outbound rules) and will notify you that an outbound policy is in place on the firewall.

In the end, I think that the subtitle really says it all: "Preston Gralla discovers it's impossible to practically configure outbound filtering." Nobody else will have a problem, but Mr. Gralla will. Another nice feature of the Windows Firewall is that it allows you to export and import rules and configurations... I'm quite tempted to build a standard setup and provide the exported setup to Mr. Gralla. In the meantime this should be evidence enough that Preston Gralla is not an infosec (or even IT) expert and that there is no point in reading any future articles he writes.
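Here is what the setup described over the last few sections looks like when actually typed in: default-block outbound, allow the real browser by full path, scope a rule to a profile, then export the result. This is an added example and not part of the original post or of Microsoft's documentation. It uses the netsh advfirewall context that ships with Vista (the PowerShell NetSecurity cmdlets came in later Windows versions), must be run from an elevated prompt, and the Firefox install path and export file name are assumptions.

```powershell
# Run from an elevated (Administrator) command prompt or PowerShell session.
# The Firefox install path and the export file name below are assumed; adjust them.

# 1. Flip the default outbound action to Block on every profile.
#    Inbound already defaults to Block; this is the "implicit deny any any" for
#    the outbound direction. The pre-populated Core Networking allow rules stay
#    in place, so DNS, DHCP and the like keep working.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Alternative: be strict only on untrusted networks. Public default-blocks
# outbound while Private keeps the out-of-the-box outbound Allow.
# netsh advfirewall set publicprofile  firewallpolicy blockinbound,blockoutbound
# netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound

# 2. Allow the real browser, matched by its full path. A copy of malware named
#    firefox.exe under "C:\Program Files\M0zilla Firefox\" does not match this
#    rule and falls through to the default Block.
netsh advfirewall firewall add rule name="Allow Firefox (outbound)" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes profile=private,public

# 3. Allow by protocol/port where that fits better than a program, e.g. NTP.
netsh advfirewall firewall add rule name="Allow NTP (outbound)" dir=out action=allow protocol=udp remoteport=123 enable=yes

# 4. An explicit Block always beats an Allow that matches the same traffic,
#    regardless of creation order. This rule shuts Firefox on Public networks
#    even though the Allow rule in step 2 also covers the Public profile.
netsh advfirewall firewall add rule name="Block Firefox on public networks" dir=out action=block program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes profile=public

# 5. Review the per-profile defaults and the outbound rule set you ended up with.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out

# 6. Export the finished policy so it can be handed to someone else. Importing
#    replaces the current policy wholesale, so the recipient should review it.
netsh advfirewall export "C:\Users\Public\outbound-baseline.wfw"
# netsh advfirewall import "C:\Users\Public\outbound-baseline.wfw"

# 7. Escape hatch if you lock yourself out: restore the shipped defaults.
# netsh advfirewall reset
```

Everything here can also be done from the wf.msc GUI; the command form is simply easier to review and to hand around, which is the point of the export.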

Categories: IT, Security


  1. Xierox
    April 24th, 2007 at 02:03 | #1

    Good post.

  2. Tony Lucio
    April 25th, 2007 at 19:21 | #2

    I think you miss Gralla’s point, which he made in his article, where he states the nominal home user should not be required to possess the knowledge of a systems administrator to have a decent firewall with minimal outbound protection. Gralla is correct in saying the Vista firewall allows ALL outbound connections by default, so a rule must be created to block any (or every) specific program or service. I agree that wizards for any program foster user complacency (and isn’t that what Windows is all about?). But shouldn’t minimal protection be afforded to the masses, who will never learn the difference between a NAT and a NAS? VistaFW can be configured to deny outbound connections by default, and then you must determine which Windows Services have to be allowed in order to minimize the number of ports open on your PC. I am doing this now, and it is a time-consuming, hunt-and-peck process. I really don’t mind, I will understand this firewall better, but it is very annoying, especially when all Microsoft had to do was provide a decent rules-based firewall in the first place, a not so very difficult task to begin with.

  3. April 25th, 2007 at 20:09 | #3

    Tony,

    Gralla isn’t talking about a Wizard… he’s talking about run-time interaction… He wants the user to be prompted… that leads to complacency (btw to imply that Windows is all about complacency is just insulting)…

    There’s no need to hunt and peck for software… Myself and others have made rulesets available that you can easily apply. I have, on numerous occasions, requested additional software that people would like to see rules added for. I’ve added every request I’ve seen.

    I wouldn’t call it time consuming… the list I created has every program I could think of that your average user would use, plus a few extras, and it took me 15-20 minutes… If you can’t take 15-20 minutes of your time to ensure that extra bit of protection… then you probably shouldn’t have the extra protection…

    I’d compare it to self defense classes for women… They put in the time and when they are attacked on the street they are prepared to defend themselves and get away from their attacker…. Women who don’t take these classes aren’t… They weren’t willing to put in the time, most likely because they felt safe and that they didn’t need to invest the time… That was a choice they made… Hopefully this doesn’t come across as a “you get what you deserve” statement because that’s not how I’m intending it… I’m just saying… how safe you are is how much time you are willing to invest… This applies to everything… computers included… and it’s about damn time people realize it.
