BEST GUIDANCES SETTINGS/BEHAVIOUR
I - Best guidance settings
  1.1 Personal firewall configuration
  1.2 Operating system configuration
  1.3 Windows core components
  1.4 Conclusion

II - Best guidance behaviour
  2.1 Layered defense
  2.2 Standard applications
  2.3 Suspicious files
  2.4 UNIX* gateways
  2.5 Conclusion


Below is a summary; more up-to-date and complete documents can be found at Securing Windows Part I and Securing Windows Part II (PDF files).


COMMENTS

As of 10 August 2003, none of the popular software firewalls that I have evaluated successfully handles all of the credible, published leaktests that I have investigated. Also, these leaktests demonstrate only the published ways to bypass the protection offered by the various software firewalls; there are more. If you are concerned about the potential vulnerabilities demonstrated by these leaktests, you will need to customize your firewall's settings. You may also need to use additional utilities to overcome specific problems. In what follows, I will discuss best guidance settings, and best guidance behaviour. Of course, if you believe that I have overlooked something significant, please feel free to contact me so that I can make necessary revisions.



I - BEST GUIDANCE SETTINGS

   1.1 Default Personal Firewall Configuration

Never use a firewall with its "out of the box" settings. You can
reconfigure it to increase your security dramatically.

To date, no software firewall vendor has managed to install its product automatically in a way that fits your personal Internet usage habits, the nature of your connection, the requirements of your specific ISP, and the way you want (or do not want) each Internet-enabled application to behave. Consequently, vendors use a "least common denominator" approach that gives almost anyone installing the product a reasonable degree of security while still being able to reach the Internet. This vendor-provided default configuration carries potential vulnerabilities that only you can resolve, by customizing the firewall's configuration further yourself. For example, where possible, create rules for individual applications instead of global system rules: a global rule that lets any process use a given port lets a trojan out as easily as it lets your browser out, and trojans do escape through such vendor-provided default rules. You can find a discussion of some of these potential vulnerabilities on the DSLR Security Forum (DSLreport post).
If your firewall has component control, set it to its maximum level (this requires good knowledge of Windows on your part, to know which DLLs are legitimate, which are needed and which are not). Always use the strictest mode, sometimes called 'learning mode' or 'block most mode', so that the firewall asks you about everything not covered by your rules: anything you have not specifically allowed generates a prompt asking whether to allow or deny it. Disable automatic behaviour such as automatic application control (e.g. in Norton), which silently allows all "known" applications. Automatic rule creation is especially dangerous in the Norton firewalls: unless this option is DISABLED, the firewall silently creates rules for any application it recognizes and can validate. With the option enabled, for example, Norton creates rules for all of the Microsoft Office applications, including functions you may most definitely not want.


   1.2 Default Operating System Configuration

On the Microsoft Windows operating systems (which are primarily what I address in my evaluations), many of the potential exploits
are related to the default configuration of the OS itself.

Windows XP in particular installs and runs many Internet-enabled services by default. For the most part, you do not want most of these services exposed to the Internet at large. The BlackViper site at www.blackviper.com provides detailed information on which services you may (or may not) want to run when accessing the Internet, with instructions for each of the various Windows operating systems depending on what you are trying to do. Another site of considerable interest is PACS-Portal at http://www.pacs-portal.co.uk, which provides a detailed list of the applications that may (or may not) need to run each time each version of Windows starts. Review sites like these and then make your own decision as to which of these applications and services you need running and exposed to the Internet at large.
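Before deciding which services to keep, you need to know which ones are actually listening on the network. The following is an added example, not part of the original page: it enumerates every TCP listener and UDP endpoint on a modern Windows system (Windows 8/Server 2012 or later, where the NetTCPIP cmdlets exist; Windows XP has no equivalent) with its owning process and, for svchost.exe, the services sharing that process. The two service names disabled at the end are illustrative assumptions, not a recommended list; check each against BlackViper-style guidance for your own usage first.

```powershell
# Added example for section 1.2 (not from the original page). Run from an elevated
# PowerShell session on Windows 8/Server 2012 or later.
# Lists network endpoints with owning process/service, then disables services you
# have decided you do not need. Service names at the end are assumptions.

$procName = @{}
Get-Process | ForEach-Object { $procName[$_.Id] = $_.ProcessName }

# svchost.exe hosts many services in one process; map PID -> service names so a
# port owned by svchost.exe can be attributed to the service that opened it.
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}

function Describe-Endpoint([string]$proto, [string]$addr, [int]$port, [int]$ownerPid) {
    [pscustomobject]@{
        Proto   = $proto
        Local   = "${addr}:$port"
        # Anything not bound to a loopback address is reachable from the network.
        Exposed = ($addr -notin @('127.0.0.1', '::1'))
        PID     = $ownerPid
        Process = $procName[$ownerPid]
        Service = ($svcByPid[$ownerPid] -join ',')
    }
}

$endpoints  = @(Get-NetTCPConnection -State Listen |
    ForEach-Object { Describe-Endpoint 'TCP' $_.LocalAddress $_.LocalPort $_.OwningProcess })
$endpoints += @(Get-NetUDPEndpoint |
    ForEach-Object { Describe-Endpoint 'UDP' $_.LocalAddress $_.LocalPort $_.OwningProcess })

# Review the exposed endpoints first: each one is a service reachable from your
# ISP's network unless a firewall in front of it blocks the port.
$endpoints | Where-Object Exposed | Sort-Object Proto, Local | Format-Table -AutoSize

# Once you have decided a service is not needed, stop it and keep it from starting
# again. 'RemoteRegistry' and 'SSDPSRV' are assumptions used for illustration only.
foreach ($svc in 'RemoteRegistry', 'SSDPSRV') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}
```

The Exposed column is the one to act on: a service bound only to 127.0.0.1 or ::1 cannot be reached from the Internet, whereas one bound to 0.0.0.0 or :: is reachable on every interface. Disabling a service is preferable to merely firewalling its port, because a firewall leak then has nothing to reach.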


   1.3 Windows Core Components

Block fundamental Windows components, which could be used
by trojans to escape.

For example, most Windows users do not need Windows Explorer (explorer.exe) to access the Internet, so deny it access. If your firewall allows it, also deny explorer.exe the right to launch other applications that access the Internet; this recommendation carries some risk, because explorer.exe sometimes legitimately launches other applications, but it is still better to block it totally if you can. In some Windows operating systems, utilities like Notepad and WordPad are also Internet-capable. If you have no need for these applications to access the Internet, remove them from the permissions list in your software firewall; better yet, BLOCK any access for them totally. Many of the Microsoft Office applications are also Internet-enabled, sometimes for communications you would hardly anticipate. Turn off (i.e. BLOCK) the functions you personally do not wish these applications to have.
Similarly, in Windows XP you can normally (and explicitly) deny svchost.exe (the Windows service host) the right to launch applications that access the Internet; it should not normally do that.
My own WallBreaker leaktest demonstrator illustrates another very important point: a 'trusted' application can sometimes be used by a 'hostile' application to launch another 'trusted' one. So you may allow trusted applications to access the Internet, but if they never need to launch others, deny them the ability to do so and your system will be a lot safer. (This capability is not present in all of the current software firewalls.)
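The settings advice in 1.1 (per-application rules instead of global rules, nothing allowed that you did not explicitly allow) and 1.3 (block Windows components that have no business on the Internet) can be applied to the built-in Windows Defender Firewall as well. The following is an added example, not part of the original page, which discusses the third-party personal firewalls of 2003. It uses the NetSecurity module (Windows 8/Server 2012 or later); the allowed applications and their paths are assumptions to replace with what you actually use, and the final check flags remaining "any program" rules of the kind 1.1 warns about.

```powershell
# Added example for sections 1.1 and 1.3 (not from the original page). Run from an
# elevated PowerShell session on Windows 8/Server 2012 or later. Application names
# and paths below are assumptions; replace them with the programs you actually use.

# 1.1 Weak default: every process may connect outbound. Corrected: deny unless a rule
# allows it, so anything you did not explicitly allow is blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Per-application allow rules. A rule bound to a program path matches only that
# executable, unlike a global "any program may use TCP 80/443" rule that a trojan
# can ride just as well as your browser.
$allowed = @{
    'Firefox browser'  = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
    'Thunderbird mail' = "$env:ProgramFiles\Mozilla Thunderbird\thunderbird.exe"
}
foreach ($name in $allowed.Keys) {
    New-NetFirewallRule -DisplayName "Allow out: $name" -Direction Outbound -Action Allow `
        -Program $allowed[$name] -Profile Any -Enabled True | Out-Null
}

# svchost.exe hosts many services. Do not allow the whole binary; bind the rule to the
# one service that needs it (here Windows Update), which is what -Service does.
New-NetFirewallRule -DisplayName 'Allow out: Windows Update (wuauserv)' -Direction Outbound `
    -Action Allow -Program "$env:SystemRoot\System32\svchost.exe" -Service wuauserv `
    -Protocol TCP -RemotePort 80, 443 -Profile Any -Enabled True | Out-Null

# 1.3 Explicit block rules for components that have no business on the Internet.
# In Windows Firewall an explicit Block wins over any Allow, so a later, broader
# allow rule cannot let these binaries out.
$denied = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\notepad.exe",
    "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe"
)
foreach ($exe in $denied) {
    New-NetFirewallRule -DisplayName "Block out: $(Split-Path $exe -Leaf)" -Direction Outbound `
        -Action Block -Program $exe -Profile Any -Enabled True | Out-Null
}

# Check: enabled outbound Allow rules not bound to a program. These are the global
# rules section 1.1 warns about; review each and remove it or bind it to a program.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -eq 'Any') {
        [pscustomobject]@{ Rule = $rule.DisplayName; Group = $rule.DisplayGroup; Program = $app.Program }
    }
} | Format-Table -AutoSize
```

Two caveats. DNS and DHCP keep working under default-deny outbound because the built-in "Core Networking" rules are already bound to svchost.exe and the relevant service, which is the pattern the Windows Update rule above copies. And the built-in firewall has no equivalent of the "deny this application the right to launch another" control that 1.3 and the WallBreaker point describe; that still needs a third-party firewall or a separate process-monitoring tool.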

   1.4 Conclusion

Your firewall runs on top of an operating system, and that operating system is the real reason for "firewall leaks": leaks are mainly operating system leaks, not really firewall ones. So take care of your Windows setup instead of only tweaking your firewall.



II - BEST GUIDANCE BEHAVIOUR

   2.1 Layered defense

Do not rely exclusively on your software firewall for protection against these kinds of vulnerabilities. Try to catch the threats before they hurt.

The best defenses are defenses in depth, relying on a variety of products (both hardware and software): what one product does not address can often be adequately addressed by another.
Furthermore, if one product fails or is disabled (possibly maliciously), there is a much better chance that one of the others will pick up the burden. Indeed, some users prefer to obtain these products from different vendors, simply to provide further protection against total system subversion.
There are hardware products that can contribute to your overall security. NAT routers, which are used by many home/personal/small business users provide a certain modicum of inbound protection. (There are also software-based NAT routers like Microsoft's Internet Connection Sharing and Sygate's SHN that do the same thing if installed on a home computer that serves as a gateway to a small number of other PCs on a home LAN.) Another, more esoteric, solution is a hardware firewall appliance. Still, neither the routers nor the hardware firewall typically can be used to provide protection against the vulnerabilities demonstrated by the leaktests that I have evaluated.

As a bare minimum, you should also use anti-virus/anti-trojan software that can detect trojans and other malicious programs before (or when) they are activated. Most of the leaktests that I have evaluated to date rely on having an executable file on your computer in order to function. Many of the popular anti-virus and anti-trojan utilities identify truly malicious threats using a variety of techniques. Typically, the anti-trojan utilities provide more comprehensive protection against trojans than anti-virus utilities do (the latter usually only check for the more popular trojans of the moment). On the other hand, many of the more popular anti-virus utilities can now also be configured to automatically scan incoming (and sometimes outgoing) e-mail for malicious code embedded in or attached to the message. E-mail is one of the most popular means of propagating viruses and trojans.
If you are concerned about invasions of personal privacy (and especially disreputable sites surveying your web surfing activities for marketing purposes), use anti-spyware tools like Ad-aware or Spybot S&D.

If you have concerns that someone may be even more closely monitoring your activity (either simply on your computer or when you are on the Internet), you may wish to take a look at products like SpyCop, which looks for esoteric applications that actually monitor everything you do on your computer. These products are quite rare and are probably not something that the average home user needs to be concerned about on their personal computer.

A software firewall will not adequately protect you if you are running some sort of server that you deliberately expose to the Internet. By server, I mean a web server, an SMTP/POP3/IMAP mail server, an NNTP news server, or an FTP (file transfer) server. (These should be distinguished from a web browser, or a mail/news/FTP client application.)
Many of the P2P file-sharing utilities and instant messaging and chat programs that are so popular today can, in fact, also work as servers. If you feel compelled to run one, you also need to consider another kind of application, the Intrusion Detection System (IDS).
Many consumer-grade software firewalls are now beginning to introduce IDS functionality (Norton Internet Security 2003, BlackICE, etc.). If you are behind a Linux gateway, well-known IDSs such as Snort (also available for Windows, www.snort.org) or Prelude are available and designed for home users as well as companies; they are fully customizable and you can add your own detection rules (for instance to easily catch even an advanced trojan like "Stumbler", whose packets carry a TCP window size of 55808). A proactive IDS not only provides protection against some of the more arcane Internet threats, it is also often the first line of defense against certain worms like the original Code Red. Code Red did not create a file on disk where your anti-virus or anti-trojan could quickly find it; it injected its code directly into the executable running in RAM (in this particular instance, an unpatched Microsoft web server). An IDS can also often tell you exactly which exploit was attempted, whereas a traditional software firewall usually cannot.
But keep in mind that an IDS is passive protection: it only detects and warns (about things that all your other security software cannot see), it does not react. Experimental options to make an IDS react do exist, but this feature could easily be turned against you to DoS your IDS, whether it runs on Windows or Linux.

If you see an application above that you don't have and would like to investigate further, the Wilders website at www.wilders.org is a good place to start. It contains more detailed descriptions of each of these kinds of applications and also provides evaluations and links to where various products can be found.
If you feel you need any of the above additional security-related utilities, there are some other things you need to clearly understand. First, it is not sufficient simply to own one or more of them: you must install it, understand how it works, configure it for your needs, and then use it. Even that is not sufficient: all of the above utilities change constantly as new threats are identified, so you must also routinely check for, download and install their updates.

Use global system/application monitoring software like System Safety Monitor (SSM), which controls every launching application regardless of whether it attempts to connect to the Internet or not. Any other software with sandboxing capabilities serves as well; it is a very effective line of defense.


   2.2 Standard Applications

Don't use standard applications such as Internet Explorer or Outlook Express

Internet Explorer and Outlook Express are used by the majority of users all over the world. Avoiding them will not prevent software hijacking, but it will defeat poorly coded trojans that assume IE is the browser and OE is the mail client.


   2.3 Suspicious files

Strict behaviour advice: don't open e-mail attachments unless you
fully trust the source

Also: always scan downloaded files with anti-virus software; scan your system with up-to-date anti-virus once a week; don't download files from warez sites (lots of trojans there); be aware that files on peer-to-peer networks such as Kazaa or eDonkey can be viruses or trojans; always keep Windows updated with the newest patches (against the known vulnerabilities used by the most famous worms and trojans); and regularly read security forums, which provide a lot of information about the latest threats and how to fight them.


   2.4 UNIX* Gateways

Special note for Linux/BSD geeks using a UNIX* gateway at home

I should stay focused on the Windows computer, since the site is mainly about leaktests and personal firewalls, but I noticed that more and more users are running a Linux gateway, so allow me to go a little beyond the main topic in this special note for Linux users.

Even if you achieve strong security on your Windows computer, all of it can be wasted by a gateway that is infected by a worm or trojan, or hacked. As the "Slapper" worm showed, Linux has vulnerabilities too. Compared with "Windows only" users, having a Linux gateway is on one hand better security, but on the other hand one more computer to take care of, and you should not trust it just because it is Linux and supposed to be stronger than Windows (it is, but stronger does not mean invulnerable). Plenty of worms (and attackers) use known vulnerabilities to breach a gateway, make themselves at home in it, and hide from system commands like "top", "ps", "netstat" and more. A compromised gateway can sniff all your traffic and record all of your personal information without leaving you any way to see it, totally hidden by advanced tricks played on your system. Hidden, powerful, stealthy and nasty, these threats can not only annihilate the secure feeling your strong Windows security gives you, they can also launch attacks from your gateway against well-known companies, and it is not the attacker or the worm that will be charged under the law, but YOU. I will not list everything that can or must be done, since this is not a Linux site, but I will at least recommend one must-have tool to check your system's integrity against such nasty spies: chkrootkit (www.chkrootkit.org). Once downloaded and unpacked, type:

make sense
./chkrootkit

=> it will scan all your system.


   2.5 Conclusion

Some "open doors" for viruses or hackers are often the result of bad or risky habits, such as opening attachments from untrusted sources or surfing dubious websites.
Sometimes, simply not updating your OS is enough to expose you to attacks. The firewall, even the best, cannot protect you from your own wrong choices or behaviour.



CONCLUSION

Probably some advanced or expert users didn't learn anything here, but these best-guidance settings and behaviours are not known to all firewall users, so if this is not useful for you, it might be for others.

One important point: don't confuse these best guidances with leaktest testing. Leaktest testing is not done with the best guidances "enabled", because these guidances protect your firewall from cases it cannot handle: they stop threats before they reach your firewall.

To test a firewall with leaktests, the firewall has to deal with the leaktests directly.

I probably haven't said everything about this topic, but I think I have said the most important things.
I hope this will be of help to some users.

Thanks to JV Morris for helping me write decent English and for suggesting
many ideas!


