Bugtraq mailing list archives

Re: Flawed outbound packet filtering in various personal firewalls


From: Te Smith <tsmith () zonelabs com>
Date: 7 Dec 2001 02:50:36 -0000


In-Reply-To: <3C0E54A9.18978.24B88E9@localhost>


Tom contacted us a couple of weeks ago with the 
information that certain packet drivers can bypass the 
low-level firewall that is part of our ZoneAlarm and 
ZoneAlarm Pro drivers. Upon investigation we 
confirmed the problem and we are testing a fix.
 
It turned out that a bug in the Windows NDIS layer allows 
a packet driver to bypass any personal firewall or 
similar product. In order to exploit the bug, malicious 
code would have to break through two levels of 
protection in our software - our inbound firewall 
protection and/or our MailSafe feature that blocks 
potentially dangerous attachments. In addition, a 
malicious application would need administrative 
privileges under Windows NT, 2000 and XP. To date, 
there have been no reports of actual exploits of this 
potential vulnerability and we are working on a fix and 
expect to have another build for testing next week.
 
After providing Tom with a test version of ZoneAlarm 
Pro that sealed this vulnerability to confirm the fix, he 
was then disappointed that his LaBrea@Home 
application would not work any more. LaBrea@Home 
is a honeypot application that attempts to frustrate 
hackers by initially responding to a scan but then not 
continuing "the conversation". The theory is that a 
hacker would waste time in his/her scan but would 
ultimately be unsuccessful in the attempt. We'd 
recommend that a honeypot application be put on a 
separate machine and not be protected by a firewall.
  
If used by security specialists, honeypot applications 
have their legitimacy, but we firmly advise against this 
approach for most users because honeypots do 
(and are designed to) attract subsequent attacks. 
ZoneAlarm and ZoneAlarm Pro will block 
indiscriminate outbound traffic to untrusted 
computers by applications that attempt to bypass the 
normal TCP/IP stack and therefore we don't expect 
that LaBrea@Home and our products will work 
together. It is possible to configure ZoneAlarm and 
ZoneAlarm Pro for this setup but we don't 
recommend it for the reasons listed above.
 
Tom's contention that we block any outbound traffic 
issued by drivers other than the regular TCP/IP driver 
is simply wrong. For example, most VPN drivers do 
just that in one way or the other. However we require 
that such drivers only communicate with the trusted 
computers as defined by the local zone in ZoneAlarm 
and ZoneAlarm Pro.
 
Tom further complains that he doesn't get an alert for 
every single blocked packet. This is as designed. 
ZoneAlarm and ZoneAlarm Pro have been carefully 
designed to eliminate unnecessary alerts. This 
includes:
1) Only issue one alert for any hack attempt even if 
the attempt consists of multiple packets.
2) Reduce alerts caused by "Internet background noise".
3) Repress alerts if issuing an alert might lead to a 
DoS situation because processing the alerts starts to 
take up too much CPU time.

This behavior is consistent with most professional 
firewalls - personal or otherwise. In addition, 
ZoneAlarm Pro allows the user to customize many of 
the alert settings.
 

Te Smith
Director, Corporate Communications
Zone Labs Inc.
1060 Howard St.
San Francisco, CA  94103
415-341-8233 (v)
415-341-8399 (f)
831-462-5317 (Santa Cruz)
tsmith () zonelabs com
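The three alert-reduction rules described in the message above (one alert per multi-packet attempt, suppression of background noise, and a cap so that alert processing cannot itself become a DoS) as an added worked example; this is illustrative code, not Zone Labs' implementation, and the window, noise ports and alert budget are assumed values chosen for the demonstration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Blocked:
    ts: float   # seconds since the firewall started
    src: str    # source address of the blocked packet
    dport: int  # destination port


# Assumed policy values for illustration, not ZoneAlarm's real settings.
ATTEMPT_WINDOW = 60.0     # packets from one source within this window are one attempt
NOISE_PORTS = {137, 138}  # e.g. NetBIOS chatter: counted as background noise, never alerted
ALERT_BUDGET = 3          # alerts allowed per window before further ones are suppressed


def coalesce(events):
    """Turn per-packet block events into user-facing alerts.

    Returns (alerts, suppressed): one alert dict per attempt (first timestamp,
    source, packet count) and the number of events dropped as noise or by the
    alert budget."""
    alerts, suppressed = [], 0
    open_attempt = {}           # src -> index of that source's current alert
    budget_start, emitted = None, 0
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.dport in NOISE_PORTS:                  # rule 2: background noise
            suppressed += 1
            continue
        i = open_attempt.get(e.src)
        if i is not None and e.ts - alerts[i]["ts"] <= ATTEMPT_WINDOW:
            alerts[i]["packets"] += 1               # rule 1: same attempt, same alert
            continue
        if budget_start is None or e.ts - budget_start > ATTEMPT_WINDOW:
            budget_start, emitted = e.ts, 0         # start a new accounting window
        if emitted >= ALERT_BUDGET:                 # rule 3: protect the alert path
            suppressed += 1
            continue
        alerts.append({"ts": e.ts, "src": e.src, "packets": 1})
        open_attempt[e.src] = len(alerts) - 1
        emitted += 1
    return alerts, suppressed


def sample_events():
    """Constructed input: a 4-packet port scan from one host, two NetBIOS
    noise packets, and single probes from six different hosts in a burst."""
    scan = [Blocked(10 + k, "198.51.100.7", 20 + k) for k in range(4)]
    noise = [Blocked(12, "192.0.2.9", 137), Blocked(13, "192.0.2.9", 138)]
    burst = [Blocked(30 + k, f"203.0.113.{k}", 22) for k in range(6)]
    return scan + noise + burst
```

Running `coalesce(sample_events())` yields three alerts (the scan collapsed to one alert covering four packets, plus two of the burst probes) and six suppressed events.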

