Understand & Beware
Week of April 25, 2002
It's time for home PC users to reassess their use of personal firewalls.
Ever since the inception of Shields Up, the development of which began days after Zone Labs received its patent for 'True Vector' technology, personal firewalls have been the rage. Ever since the millennium, 'privacy' and 'security' have been the buzzwords of the New Age. Corporate and home users alike have understood the inherent dangers of unprotected surfing. While corporations have more to think about, they also have more going for them. LANs set up proxies which are true firewalls between the inner and outer worlds. And it is through sales to corporations that the firewall vendors make their money. Yet it is through the dissemination of similar products to home users that they get the word out and around. And up until now home users have felt relatively content and relaxed about their security issues, so long as they have some kind of firewall running on their machines.
Then came LeakTest, which opened the debate to what was happening to traffic in the reverse direction. Zone Alarm was naturally a step ahead of the field here, but the competition soon caught up, and then, as all would have it, personal computers running a direct connection to the Internet were well protected again.
A number of related programs were soon to prove them wrong. First came TooLeaky, then a day later Firehole, then an application kept under wraps for weeks, Outbound, made its way to BugTraq and Intrusions.
The reactions of the firewall vendors varied from compliance to denial. Perhaps the worst of the offenders was McAfee's own Zone Alarm Pro, where suddenly the exploding scandals were no longer happening according to plan. Outbound proved that proper protection was nigh on impossible on a personal computer directly connected to the Internet, and the media complied by burying the issue as best they could.
That was yesterday. Today a clever Italian took TooLeaky and Firehole one step further. Employing a technique Gregor Freund was cheeky enough to call 'a Windows bug' but which has been a necessary complement to that operating system almost since its inception, this clever programmer again tried the piggyback trick - latch onto an accepted application which has already been allowed to communicate with the Internet. But this time the target was new. No longer trying to find applications which are already approved by the firewall, the new trick simply latched onto the firewall itself.
No firewall in existence checks itself at runtime to see if it itself should be allowed Internet access. This glitch, this blind side, has been there all along, and it hasn't taken any fantastic code to create. All it's taken is someone with the ability to see beyond the hype that has become the personal firewall market.
And while the idea itself is ingenious, it is also foreboding, and in essence spells the end of personal firewall security issues as we know them. No machine can ever be secure, as Tom Liston and others have said all along, as long as the firewall is on the same machine it is trying to protect. Something will always be able to get into that machine space and corrupt the protective measures.
Corrupting a firewall in a network is not an impossible task, but it is more difficult by a significant factor. We see vulnerabilities all the time in Microsoft products, yet even the cleverest hackers are not able to wreak complete havoc unless they can gain complete or root access to the target machines - in which case it's 'game over' anyway. But the idea of stealthily planting a spy on a remote machine without this extra effort - and on a proxy to boot - is for the moment relatively improbable. For now, corporations can catch their breath, as long as they are running good security on a proxy between their LAN and the world outside.
Home PCs connected directly to the Internet are another matter. While no one can successfully argue that a PC is not even marginally more secure with a firewall or two or three running, the baked-in assumption that these products imply total security has today been proven to be not only wrong, but downright dangerous.
It's time for home PC users to reassess their use of personal firewalls. It's time for these 'network security hobbyists' to assess their innate ability to fight intrusion without the use of this latest generation of rainmaker applications.
Let the corporate users continue to protect themselves as best they can. But let the home users understand and beware.