Kaspersky Lab, a leading developer of secure content management solutions, has published its latest analytical article entitled “Using leak tests to evaluate the effectiveness of firewalls”. The report is authored by Nikolay Grebennikov, deputy director of the Department of Innovative Technologies.
The article examines the importance of firewalls as part of an integrated IT security system, as well as describing the approaches and methods used during one of the most objective types of firewall testing – leak tests. The author stresses that firewall security has become increasingly important due to the growing number of new malicious programs.
The use of firewalls enables undesirable network traffic, both inbound and outbound, to be blocked. A firewall therefore provides an additional layer of protection that can block the functioning of malicious programs in the event that they were not detected by the antivirus protection system. This can occur if the signature for a malicious program has not yet been added to an antivirus database and therefore the program cannot be detected using standard signature detection, or if the malicious program does not present an obvious threat or any suspicious behaviour and it will therefore not be detected by the behavioural analysis component of an antivirus solution.
A firewall separates applications on the user’s computer from other computers on the local network and on the Internet. For known (trusted) applications there are permission rules that allow these applications to transmit data through the firewall to the network beyond. When any other application attempts to engage in network activity, this activity will be blocked and the application will not be permitted to transmit data to, or receive data from, the network.
A firewall can protect against virtually all types of malicious program currently in circulation. Although this may sound an exaggeration, it is true: the functions of most malicious programs are linked to network activity, and as a result they can be blocked by a firewall.
As firewalls have become increasingly widespread, malware writers are more and more frequently implementing leak technologies in their malicious programs in order to circumvent firewall protection.
A firewall is difficult to bypass. Virus writers can test the ability of their creations to circumvent antivirus and behavioural analysis components and modify their programs until these components no longer detect them. Getting round a firewall in the same way is much more difficult, because if a worm or Trojan generates some form of network activity, it is very difficult to conceal it from the firewall. The only way to do so is to make use of leaks.
Leak technology is used to bypass the network activity control mechanisms in a firewall in order to allow applications without permission in the firewall's rule set to transmit data to the outside world. In such cases, the firewall will not block the data the application sends and will not notify the user that the network activity is taking place.
A properly designed firewall should not permit any leaks and also be capable of detecting all attempts to generate ingoing and outgoing network activity.
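To make the rule model described above concrete, here is an added example (not code from the Kaspersky article or from any product it discusses) of a per-application firewall policy: an allow-list keyed on the executable path and traffic direction, default deny for anything without a matching rule, and an audit record of every blocked attempt so the user can be notified. The application paths, hosts and rules are constructed for illustration.

```python
"""Toy model of per-application network activity control.

Added example, not the article's or any vendor's code. It assumes the
firewall identifies an application by its executable path and keeps a
first-match rule list; everything else is blocked and recorded.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    app_path: str                       # executable the rule applies to
    direction: str                      # "outbound" or "inbound"
    remote_port: Optional[int] = None   # None means any port
    action: str = "allow"               # "allow" or "block"


@dataclass(frozen=True)
class Attempt:
    app_path: str
    direction: str
    remote_host: str
    remote_port: int


@dataclass
class Firewall:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)

    def decide(self, attempt: Attempt) -> str:
        """Return "allow" or "block" for one network activity attempt."""
        verdict = "block"  # default deny: no rule, no network access
        for rule in self.rules:  # first matching rule wins
            if (rule.app_path.lower() == attempt.app_path.lower()
                    and rule.direction == attempt.direction
                    and rule.remote_port in (None, attempt.remote_port)):
                verdict = rule.action
                break
        if verdict == "block":
            # Every blocked attempt is recorded so the user can be told
            # which application tried to talk to the network and where.
            self.audit_log.append(
                f"BLOCK {attempt.direction} {attempt.app_path} -> "
                f"{attempt.remote_host}:{attempt.remote_port}")
        return verdict


# Constructed rule set: the browser may make outbound web connections only.
TRUSTED_RULES = [
    Rule(r"C:\Program Files\Browser\browser.exe", "outbound", 80),
    Rule(r"C:\Program Files\Browser\browser.exe", "outbound", 443),
]


def run_demo() -> dict:
    """Evaluate three constructed attempts and return the verdicts."""
    fw = Firewall(TRUSTED_RULES)
    browser = r"C:\Program Files\Browser\browser.exe"
    unknown = r"C:\Users\user\AppData\Local\Temp\update.exe"  # constructed
    results = {
        "browser_https": fw.decide(Attempt(browser, "outbound", "203.0.113.10", 443)),
        "browser_smtp": fw.decide(Attempt(browser, "outbound", "203.0.113.10", 25)),
        "unknown_https": fw.decide(Attempt(unknown, "outbound", "203.0.113.10", 443)),
        "browser_inbound": fw.decide(Attempt(browser, "inbound", "198.51.100.7", 443)),
    }
    results["blocked_count"] = len(fw.audit_log)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point of the model is the default branch: an application with no rule is blocked and logged rather than silently passed, which is exactly the behaviour a leak attempts to defeat by getting its traffic attributed to an application that does have a rule.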
Leak tests - small non-malicious programs that exploit one or more leaks - are used to evaluate the quality of protection firewalls provide against leaks. They are mainly written by researchers and network security experts.
What are the benefits of comparative tests of firewalls which use leak tests? First and foremost, such testing helps to determine the integral quality of protection and the results can make choosing an integrated system to protect a computer easier. Good performance in outbound data control tests means that the firewall is not simply a 'makeweight' component of an antivirus product but that it provides an additional level of protection that can prevent the user's confidential data from being sent to cybercriminals, even if the antivirus components fail to block a Trojan program.
According to Nikolay Grebennikov, products which received 'Very Good' or 'Excellent' ratings in the leak tests published at http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php provide users with sufficient protection. If the protection provided by a product is rated 'Good', 'Worse', 'Poor' or 'Very Poor', it means that malicious program writers will be able to bypass the firewall included in the product using virtually any method.
Today, a firewall is an indispensable component in integrated IT security systems. Even the latest operating systems, such as Windows Vista, cannot block all types of leaks on their own (although, from Windows XP SP2 onwards, Windows has included a firewall and the functionality was significantly expanded in Windows Vista). According to the results of testing conducted in March 2007 by Guillaume Kaddouch (http://www.firewallleaktester.com/articles/vista_and_leaktests.html), Windows Vista Ultimate 64-bit using default settings blocked only 9 leak tests.
According to the author, the new Microsoft operating system is clearly better protected than previous versions thanks to numerous improvements, including UAC, IE protected mode, Service hardening and Kernel Patch Protection. However, even Windows Vista requires third-party protection programs to provide the necessary level of protection from leaks.
The author concludes that in the future malicious programs will implement new methods to bypass protection mechanisms in the Windows Vista system as well as existing protection systems. That is why the importance of the firewall as an additional level of protection will only increase. Malware writers will increasingly use leak technologies to bypass firewalls. Consequently, leak tests will become a crucial method for testing the reliability of a computer's protection.
The full report is available on Viruslist.com.