Why Firewalls Can't Protect your System

Ever wondered why your firewall doesn't protect your system, or your network, from attacks? The quick answer is that your firewall configuration allows attacks to pass right through the firewall. If this sounds crazy, then keep reading.

Firewalls function as gatekeepers to a system or network. The firewall configuration controls what types of network traffic get allowed through, and what traffic will be blocked. For desktop systems, the usual configuration is to allow the local system to initiate any remote access it wants to. This allows you to visit the Web, read email, IM and the other things you would normally do on the Internet. And this is all the access to your system needed by today's attackers.

You can think of your firewall as a very efficient club doorman that works at a very strange club. Only the people who have already been in the club are allowed back into the club. The doorman remembers who leaves, and lets them back in. But no one else. This works great at protecting the club -- unless someone returning to the club brings in something dangerous, like a bomb (or virus). The doorman has done his job, yet the very way the doorman works proves to be a weakness. And this is how most firewalls are set up.

Your system gets attacked when you visit certain Web sites, read infected email, download some files using IM, and so on. Your firewall allows you to do all these things, as the firewall's task is simple: to allow or deny network access. Your configuration allows you to interact with the Internet, and just doing so will eventually mean your system will become infected with viruses, malware (like adware, spyware, and bots), and even rootkits. An entire underground industry focuses on building malware and using exploits to break into Windows PCs, and your firewall does nothing to prevent this. You could configure your firewall to protect you from these dangers, but then you couldn't use the Internet at all. This would be like telling the doorman not to let anyone in or out. Might as well lock the door in our analogy, which is like doing away with your connection to the Internet.

At this point, you might be wondering why even use a firewall at all? Your firewall still acts as a gatekeeper or doorman, just a rather simple one. Any time you access a service on the Internet, whether it is a Web site, email, or IM, your firewall not only allows you to do this, but also allows that service to talk back to your system. You want this to happen because it is part of the two way communication that makes the Internet useful. Your firewall blocks uninvited guests that may attempt to connect to any file shares you have set up, a network printer, or any other network service. But your own activities are not blocked.
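As an added illustration (not part of the original article), here is a small Python model of the stateful policy just described: the decision depends only on who started the connection, never on what the reply carries. The addresses and packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False       # True for a new TCP connection attempt
    payload: bytes = b""    # application data, which this firewall never looks at


class StatefulFirewall:
    """Model of the usual desktop policy (constructed example, not a real product):
    outbound flows are allowed and remembered, replies to remembered flows are
    allowed back in, and every other inbound packet is dropped."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip
        self.conntrack: set[tuple] = set()   # flows the local host initiated

    def handle(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if pkt.src == self.local_ip:
            self.conntrack.add(flow)          # the "doorman" notes who went out
            return "ALLOW_OUT"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.conntrack:
            return "ALLOW_IN"                 # a reply; payload is not inspected
        return "DROP"                         # uninvited guest


def demo() -> dict:
    """Three constructed packets: a browser request, the server's reply, and an
    unsolicited probe of the local file-sharing port (445)."""
    fw = StatefulFirewall("192.0.2.10")
    request = Packet("192.0.2.10", 51234, "203.0.113.5", 80, "tcp", syn=True,
                     payload=b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    reply = Packet("203.0.113.5", 80, "192.0.2.10", 51234, "tcp",
                   payload=b"HTTP/1.1 200 OK\r\n\r\n<html>...page body...</html>")
    probe = Packet("198.51.100.7", 40000, "192.0.2.10", 445, "tcp", syn=True)
    return {"request": fw.handle(request),
            "reply": fw.handle(reply),
            "probe": fw.handle(probe)}


if __name__ == "__main__":
    print(demo())
```

Whatever the reply's page body contains, `handle` returns ALLOW_IN because the local host asked for it; the same packet arriving with no prior request is dropped.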

In a perfect world, you could use Internet services safely. But not only is the world not perfect, your Internet client software, particularly your Web browser (like IE, Firefox, Safari, or Opera), is not perfect. Most attacks against desktop systems (including laptops and even smart phones) come via the Web. Attackers search the Internet for Web servers they can break into. When they do, the attackers add links into existing Web pages that will result in the installation of malware on your computer when you visit an infected site.

A friend of mine, Niels Provos, works for Google and has been searching for malware-infected Web servers since October 2006. He and other members of the team that works on this project search through the millions of Web pages that Google has stored for its search feature, looking for signs of infection. Provos calls these infections "drive-by downloads", as all you need to do is visit an infected Web page. While most Web servers you visit won't be infected, perhaps as many as one in 200 are currently infected. When you consider that there are hundreds of millions of Web sites, even one in 200 (0.5%) turns out to be millions of infected Web sites.

Another way your system can get infected is by reading email. Email readers were once text-only software, making infection very difficult. But today's email readers (mailtools like Outlook, Outlook Express, and even the Mac and Linux mailtools) accept many different types of mail attachments, including HTML -- that is, Web pages. So the same set of exploits that work against Web browsers work just as well with email that includes infected attachments, or even the main mail message. You read the email, and while you are reading your system becomes infected.

IM (Instant Messaging) not only allows you to chat with other people, but also allows those people to send you files. You do have to agree, but if you trust someone, you likely will accept a file from her. Attackers have written malware that takes over IM accounts, and offers to send files (containing attacks) to all the people in the buddy list. To you, this looks like your buddy is suggesting that you accept a file, but in reality, it is the malware attempting to spread itself.

So your firewall cannot prevent any of these attacks because it must allow the network traffic you initiate to pass into your system. The "doorman" is just doing its job.

Anti-Virus and Anti-Spyware

Anti-virus (AV) software companies sell software that is supposed to protect Windows and Macintosh systems from these types of attacks. But the AV companies have a problem: new viruses and malware get created every day. Sometimes hundreds or even thousands of new variants of a virus or malware get created each day. You might wonder if this is even possible, but remember that breaking into systems is a huge underground business that is very profitable. The virus and malware writers have actually automated the process of generating slightly different versions of viruses and malware. They test these new versions against the latest AV tools, and only use them if the AV tools cannot detect them. By the time the AV vendors have new signatures for the new malware variants, the attackers have crafted yet more variants. The AV vendors cannot keep up.

Should you even bother with AV? Unfortunately, you should, because not all viruses and malware will be missed by AV software. All of the most 'popular' and older viruses and malware will be detected, so you get some protection. But all the newest variants are undetectable.

The situation is the same with spyware and bots, software that often gets installed by a virus or other malware. Spyware monitors your Internet activity and will steal your login credentials (usernames and passwords) and send this information off to attackers. Spyware will also steal your mail address books, and send that to the attackers (who then sell it to spammers). Bots turn your computer into a secret slave, one that the botmaster controls and uses to send spam, steal your passwords, attempt to infect other systems and even send out floods of network traffic. AV as well as anti-spyware software attempt to detect spyware and bots, but face the same issues found with viruses and other malware--an endless stream of slightly different and undetectable attacks.

I wish things were different. I have given talks at Apple, Google, HP Labs, and USENIX where I carefully explain why current approaches don't work. I've even been invited to speak at Microsoft headquarters (but haven't done so yet). It's not as if the vendors that sell you operating systems, like Microsoft and Apple, or even the open source groups that write Linux and BSD, want to create systems vulnerable to attack. Instead, they do their best at what is currently an impossible task. Creating secure systems today requires starting over from scratch, and no one, particularly vendors who have created tens of millions of lines of code for their software, wants to throw it all out and start over.

At best you can run the current versions of software in a sandbox, a restricted environment. But there is a much simpler and safer approach.

Live CDs

If you do online banking, you can reboot your system using a Live CD, such as the Ubuntu install CD, and use Ubuntu Linux and Firefox to do your banking or stock trades. Doing so takes extra time, so it really isn't convenient, but it is the safest way to browse the Web today. The CD is read-only, so it cannot be changed. As long as the version of Linux you use is free of malware when you get it, it stays that way while you use it. You will not be able to store passwords or even bookmarks, but you will also not have any spyware, bots or other malware while you use the Live Linux CD.

So quit blaming your firewall for not defending you. Your firewall only lets through the traffic that you tell it to by using the Internet, and your firewall cannot tell when it has, while following your wishes, allowed malware in. Your AV and anti-spyware can help, but they are far from perfect at defending your system.