> Issue: Outbound filtering in personal firewalls does not block
> packets that are generated by protocol stacks other than the
> default Microsoft stack.

No. The issue is that users who run Trojans/viruses using root/administrator privileges can bypass all defenses on that machine. That is why root/administrator privileges exist in the first place. Any process that can inject kernel code can bypass anything (assuming it just doesn't kill the monitor in the first place) -- witness the recent IOS discussions. Goner.scr is one example of a trojan/virus that attempts to deactivate the personal firewall. Other recently published techniques do DLL insertion into trusted processes. One could take the rootkit-style approach for sending raw packets. Heck, I've got a 3Com driver that replaces the hardware driver supplied by the vendor -- nothing will stop those packets from going out.

We in the personal firewall industry are providing EXTRA protection, not TOTAL protection. It is an arms race, and as long as users are logging in as administrator/root, it is a race that vendors cannot win. Of course, I'm not suggesting such products are useless (I'm a vendor, after all); they have proven their value to our customers in CodeRed, Nimda, and other recent incidents. It's just that if you are looking for some absolute barrier that cannot be bypassed, you have to look to your OS vendor for that.

Microsoft has spent years trying to make non-administrator the default login. It is tough -- in the home market, users are accustomed to installing OS upgrades, such as games that include a DirectX driver upgrade. Notice that WinXP has some features that help move customers to an environment where their default login is non-admin. They are also working tightly with personal firewall vendors to augment their authentication privilege infrastructure, because, of course, we cannot hope to replace it.

The reason I'm writing this e-mail is to set expectations.
I've had to write several similar e-mails recently in response to the other attacks against personal firewalls. More attacks will appear in the future, too. As a vendor, I cannot remove risk; all I can promise you is that I will significantly reduce risk. And, more important, our products have proven their value repeatedly in the field. Sorry to repeat that last point: in several recent incidents, customers reported that our products were more valuable than their primary firewalls, anti-virus, or intrusion detection systems -- please do not interpret my attempt to set reasonable expectations as a claim that our products do not work.

Regards,
Robert Graham
Lead Architect, Internet Security Systems