Bugtraq mailing list archives

Re: Flawed outbound packet filtering in various personal firewalls


From: "Robert Graham" <list-bugtraq () robertgraham com>
Date: Tue, 11 Dec 2001 17:08:57 -0600

Issue: Outbound filtering in personal firewalls does not block 
packets that are generated by protocol stacks other than the 
default Microsoft stack.

No. The issue is that users who run Trojans/viruses using 
root/administrator privileges can bypass all defenses on that
machine. That is why root/administrator privileges exist in the
first place. Any process that can inject kernel code can
bypass anything (assuming it just doesn't kill the monitor
in the first place) -- witness the recent IOS discussions.

Goner.scr is one example of a trojan/virus that attempts to
deactivate the personal firewall. Other recently published
techniques do DLL insertion into trusted processes. One could 
take the rootkit style approach for sending raw packets. 
Heck, I've got a 3Com driver that replaces the hardware
driver supplied by the vendor -- nothing will stop those
packets from going out.

We in the personal firewall industry are providing EXTRA protection,
not TOTAL protection. It is an arms race, and as long as users
are logging in as administrator/root, it is a race that
vendors cannot win. Of course, I'm not suggesting such products
are useless (I'm a vendor after all); they have proven their value
to our customers in CodeRed, Nimda, and other recent incidents.
It's just that if you are looking for some absolute barrier that
cannot be bypassed, you have to look to your OS vendor for that.

Microsoft has spent years trying to make non-administrator the
default login. It is tough -- in the home market, users are
accustomed to installing OS upgrades, such as games that include
a DirectX driver upgrade. Notice that WinXP has some features
that help move customers to an environment where their default
login is non-admin. They are also working tightly with personal
firewall vendors to augment their authentication privilege 
infrastructure, because, of course, we cannot hope to replace it.

The reason I'm writing this e-mail is to set expectations.
I've had to write several similar e-mails recently in response
to the other attacks against personal firewalls. More attacks will
appear in the future, too. As a vendor, I cannot remove risk; all
I can promise you is that I will significantly reduce risk. And,
more important, our products have proven their value repeatedly
in the field. Sorry to repeat that last point: in several recent
incidents, customers reported that our products were more valuable
than their primary firewalls, anti-virus, or intrusion detection
systems -- please do not interpret my attempt to set reasonable
expectations as a claim that our products do not work.


Regards,
Robert Graham
Lead Architect, Internet Security Systems
