
When a Firewall is Not a Firewall

When it's just another way to aggrandise obscene quantities of money.

Personal firewalls - with ZoneAlarm at the forefront - make sweeping claims about being able to stop outbound traffic, yet none of them have even given it an honest try.

If applications running on a local machine spoke directly with the Internet, there would be no issue, and any attempt to stop applications from communicating with the Internet would be considered a firewall. But unfortunately things are not that simple.

Between the application and the Internet you have four layers of logic. The diagram below represents these layers. For outbound traffic, logic flows from the top down.

Application    FTP, HTTP, POP, SMTP etc.
Transport      ICMP, IGMP, TCP, UDP
Network        ARP, IP, RARP
Link           Device Driver/NIC

We might, for example, be using Telnet or Netcat to communicate with an SMTP server to send mail. After successfully connecting to the SMTP server, we would follow by identifying our computer with the 'HELO' message.

As we input the HELO message into our console, the application we are running (Telnet, Netcat) puts the text of our message into a packet to be sent to the remote SMTP server. Our application has to establish an interface with either 'sockets' or 'TLI' (Transport Layer Interface) to do this.

At the application level, using sockets, the functions send and sendto would be used. In this case it is send, as we're dealing with an established connection and not just sending a connectionless message (where sendto would be used instead).

The code for the function send exists, according to the diagram above, at the Application level, in the Application layer. This code must take our HELO message and format it for use by the next lower layer, the Transport layer. Using TCP in this case, our message will be enclosed in a TCP packet. When TCP has the packet assembled, it will pass it on to the next lower layer, the Network layer, where IP will take over. IP is the mainstay of the Internet, the 'unreliable' protocol which governs everything we do. IP will take the TCP packet, format it again - encapsulate it if you will - and just like before, send it to the next lower layer again - in this case the Link layer.

The Link layer - our network interface card or our modem card or whatever physically connects us with the Internet - will again format our message, encapsulate the IP packet (which in turn encapsulates a TCP packet which in turn encapsulates our message) for transmission through our adapter card (either the NIC or modem card).

If our computer is in a local area network and our packet has to transport to the gateway or firewall to get out onto the Internet, then that is what will happen: the Link layer will encapsulate our message accordingly and send it in the general direction of our gateway or firewall. If we have a stand-alone home PC, then our message must be encapsulated for use by the modem card so the modem's device driver can start making all the beeps and such it needs to get our message online.

It's fairly easy to understand that a firewall for a local area network should be the network's gateway to the Internet. It should be (and normally is) a separate machine that stands between all that is inside and all that is outside. If this computer should be instructed to stop all outbound traffic then it would do just that, and have no big problem with it either: it just refuses to pass along any traffic sent its way for outbound transmission.

With a wee bit more concentration it's easy to see that a firewall for a stand-alone home PC must be placed logically in the stand-alone home PC between the Link layer and the modem. And if it's instructed to stop all outbound traffic, then anything sent its way that is destined for the modem card is simply not forwarded there.

Yes, it is possible to corrupt any program anywhere, and yes, it is a lot easier to attack a program running in the same machine, so no, personal firewalls cannot even in theory approach the level of security that local area network firewalls can. But a properly running firewall in a stand-alone machine would still stop all outbound traffic if so instructed.

Interest in (and fear of) surreptitious outbound traffic has grown only in the past few years. Initial attempts to create and market personal firewalls concentrated on stopping inbound traffic only. When ad machines such as Aureate came along, the focus changed.

The proper place for stopping outbound traffic is at the modem card, of that there can be no doubt. When home PC users decide they want to stop outbound traffic, that is where they expect the outbound traffic to be stopped.

The PR blurb at the Zone Labs website makes the following claim:

Unlike other personal firewalls, ZoneAlarm Pro includes Application Control to protect against known and unknown Internet threats. Application Control monitors all outbound traffic to prevent rogue applications from transferring your valuable data to a hacker. With ZoneAlarm Pro, you're in control with the ability to specify which applications, known or unknown, can be trusted to access the Internet.

The claim uses the phrase 'all outbound traffic' quite unequivocally. It also speaks, somewhat ironically, of 'applications', and as we have seen, traffic is not the same as applications, just as stopping traffic is anything but a question of stopping applications (stopping traffic means just that: stopping traffic).

For the past few months people have been toying around - in a rather meaningless exercise - with trying to find ways to fool firewalls and to get outbound traffic past them. These attempts will only succeed if the firewall has not been instructed to block all traffic. The sneak attempt will only succeed if it is able to impersonate an 'approved' application in one way or another.

But this application-level approval is the only place the control sits, so implementing an 'Internet Lock' there - ie formally stopping ALL outbound traffic - will have no effect on outbound traffic itself.

In the case of ZoneAlarm's Internet Lock, outbound traffic per se is not stopped, for the 'lock' is put on not at the modem but at the Application level, high high above.

Filtering or stopping traffic from this point is futile and injudicious. It only stops attempts to create sockets and use the Transport Layer Interface. Code running in the computer at the Network layer or Link layer is not even seen by ZoneAlarm's Internet Lock. It is possible for two machines, both with ZoneAlarm's Internet Lock on, to conduct complete meaningful conversations as it were, without ZoneAlarm ever being aware that these conversations exist.

Firewalling all outbound traffic on a stand-alone home PC is difficult but not impossible. Completely locking down the Internet (Internet Lock) is the easy part - this should present no programmatic problem at all - and filtering would use the technique of demultiplexing - the opposite of the encapsulation demonstrated above - which is normally used to route inbound traffic. The protocols used at each layer are designed to make this possible. The Link layer packet has information about what Network layer protocol is responsible for the packet, the packet at the Network layer has information about what protocol at the Transport layer is responsible for the packet, and the protocol at the Transport layer, together with the 'port' and other data, serves to uniquely identify the application (and application instance) using the packet at the Application level. If certain data is to be allowed exit and other data not, then it is just a question of deciding where what rules apply and implementing them. And if all outbound traffic is to be stopped, then the lock is implemented at the Link layer so nothing but nothing but nothing makes it past the modem.
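The encapsulation walked through above and the demultiplexing described here, as an added example that is not Radsoft's or Zone Labs' code: the HELO message is wrapped TCP, then IPv4, then Ethernet, and a link-layer filter unwraps it again using only the EtherType, IP protocol and TCP port fields. The MAC and IP addresses, sequence numbers and zero checksums are constructed placeholders; a real lock at this layer drops every frame regardless of which program produced it.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

def encapsulate(payload: bytes, sport: int, dport: int) -> bytes:
    """Application -> Transport -> Network -> Link, as in the article.
    MACs, IPs, seq numbers and checksums are constructed placeholders."""
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    # IPv4 header: the protocol field (6) names TCP as the protocol one layer up
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 25]))
    # Ethernet header: the EtherType (0x0800) names IPv4 as the protocol one layer up
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload

def demultiplex(frame: bytes) -> dict:
    """Link -> Network -> Transport: each header says which protocol owns the rest."""
    info = {"ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != ETHERTYPE_IPV4:
        return info                      # ARP, RARP etc.: nothing for IP rules to see
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info.update(proto=ip[9], dst=".".join(str(b) for b in ip[16:20]))
    if info["proto"] == IPPROTO_TCP:
        tcp = ip[ihl:]
        sport, dport, _, _, off = struct.unpack("!HHIIB", tcp[:13])
        info.update(sport=sport, dport=dport, payload=tcp[(off >> 4) * 4:])
    return info

def outbound_verdict(frame: bytes, internet_lock: bool, allowed_tcp_ports=frozenset()) -> str:
    """Policy applied where the article says it belongs: on the frame handed to the
    driver. A real lock drops everything unconditionally; otherwise the filter
    works only from the demultiplexed headers, never from which program sent it."""
    if internet_lock:
        return "DROP"
    info = demultiplex(frame)
    if info.get("proto") == IPPROTO_TCP and info.get("dport") in allowed_tcp_ports:
        return "PASS"
    return "DROP"

if __name__ == "__main__":
    frame = encapsulate(b"HELO client.example\r\n", 40000, 25)
    print(demultiplex(frame)["payload"], outbound_verdict(frame, True),
          outbound_verdict(frame, False, frozenset({25})))
```

Note that a frame that never went through sockets at all (the ARP case in the test) is still seen and dropped here, which is exactly what an application-level lock cannot do.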

But this is not what personal firewalls do, this is not what ZoneAlarm does, despite the rather unequivocal claims of John McAfee's Zone Labs. ZoneAlarm looks only at the interface between the Application layer and the Transport layer. Anything else running in the system can play around and get out as much as it wants to.

Copyright © Radsoft. All rights reserved.