I wrote an item for the Risks Digest a year ago with a description of the problem. The
problem is software that bypasses an organisation's security policy whether that
software is on the desktop, on a server, or somewhere on the 'net. I have just as much
of a problem with a free solitaire game that asks for 50MB an hour of ads as I do with Back
Orifice installed on someone's desktop behind a firewall. Although most virus programs
will kill the latter, the former causes more harm to the organisation. What we need is
integrated IT security monitoring systems that enforce a security policy on desktops,
in a LAN, WAN, server or wherever. It needs to take rules expressed at a higher level than
DENY TCP any any -> ournet 31337
so that management can understand the implications of a policy.
Perhaps the analogy to a society fits here.
Some personal firewall systems act only as burglar alarms, triggering only when people
try to break into your house. The ZDnet story complained that they didn't stop a
guest from stealing your cutlery. Steve Gibson and his "leak test" ask that you tag
everything in your house and send an alarm when anything of yours leaves the house, like
a library does. Every user has to evaluate whether that is overkill or not. Most
businesses find that it isn't.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Stephen Gutknecht
(firewalls)
Sent: Wednesday, December 13, 2000 01:39
To: [EMAIL PROTECTED]
Subject: Undesired outbound data "leaking" - the next frontier?
If this issue is just "new to me" and has already been covered in detail,
please excuse this post.
The recent thread on this mailing list, "Personal firewalls not so safe",
was initiated by a poorly written ZDNet story.... Needless to say, this
story has now been picked up by the mainstream press and I've now seen it
posted to four firewall-related lists. Of course, most of the people who are
posting it intend to give it as an example of "bashing personal firewalls
over real stand-alone boxes" and not even reading it... as the story is
really about installing trojan horses on your client machines, and an
in-the-middle firewall can't protect against this! In fact, personal
firewalls are actually ahead of the game (compared to an in-the-middle
firewall).
Undesired outbound data leaking (UODL)
=======================================
Despite the ZDNet story not being to my liking - it does not associate the
problem with the cause - there is a _real issue here_. I will call the
problem "Undesired outbound data leaking" - UODL.
The basic technical issue is that "most existing firewall installations"
generally don't block outbound data, especially on a common destination port
(say 80). This isn't a security issue as much as a "privacy" or "user
education issue." But it is an issue, one that I have seen growing for some
time.
Steve Gibson has really been the one I would give credit to for "waving the
flag" and giving this issue the most attention. First he focused on
applications that gave out information about your computer usage ("spyware"
in Steve's terminology). Now he has focused on the claims of personal
firewall products and their blocking/authorizing of outbound traffic. See
Steve Gibson's related site:
http://grc.com/su-leaktest.htm
Is this a "new class of problem"?
==========================================
Some of the basic issues:
-- With the Internet now the center of computing... it is very easy to
send outbound data.
-- The term "trojan horse" is getting stretched more and more each day.
Anti-virus program vendors have not really dealt with "non threatening" data
being sent out. Unless a program "spreads itself", it isn't really
considered a "virus" .. but that doesn't mean that the program isn't doing
something that most users would consider "bad" ("spyware" being an example).
My Questions
==============
Assuming you consider this an issue that is only going to get larger, how do
we (as firewall engineers) deal with it?
Solutions I can see off the top of my head:
1) Allow only outbound traffic to pre-authorized destinations and keep a
list of only those allowable destinations on your firewall. Using "net
nanny" (censoring) type technology for security purposes.
2) Develop a list of "safe client PC programs" and some type of scanning
technology to detect "undesired" programs.
Again, we aren't talking virus here... we are talking something more subtle.
One thing that bugs me about this whole thing: is the term "firewalling"
really correct for this? Is it really more "privacy protection" or, as I
have described it, "Undesired outbound data leaking" (UODL)? Is there
already established terminology to describe such issues?
Stephen Gutknecht
Renton, Washington
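The two points above that can be shown in code are the reply's wish for rules written at a higher level than "DENY TCP any any -> ournet 31337" and Stephen's solution 1, outbound traffic allowed only to pre-authorized destinations. The following is an added illustration of both, not code from either poster or from any product named in the thread. The network names, addresses, service table and connection records are all constructed for the example; the "backorifice" service entry simply reuses the TCP/31337 tuple from the quoted rule. It lowers a named, first-match-wins, default-deny policy to packet-filter tuples, evaluates connection attempts against it, and separates denied outbound attempts from inside (the "leak test" case) from inbound attempts (the burglar-alarm case).

```python
"""Compile a named, manager-readable egress policy to packet-filter tuples
and run it over sample connection records to surface outbound "leaks".

All network names, addresses and connection records below are constructed
for illustration; none come from the mailing-list thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Named objects a policy can refer to (assumed addressing).
NETS = {
    "workstations": ip_network("10.1.0.0/16"),
    "servers": ip_network("10.2.0.0/24"),
    "proxy": ip_network("10.2.0.10/32"),
    "internet": ip_network("0.0.0.0/0"),
}
# Service name -> (protocol, destination port). "backorifice" follows the
# "DENY TCP any any -> ournet 31337" rule quoted in the thread.
SERVICES = {
    "proxy": ("tcp", 3128),
    "dns": ("udp", 53),
    "web": ("tcp", 80),
    "https": ("tcp", 443),
    "smtp": ("tcp", 25),
    "backorifice": ("tcp", 31337),
}
INTERNAL = ("workstations", "servers")


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # key into NETS
    dst: str      # key into NETS
    service: str  # key into SERVICES


# The policy as management should read it: first match wins, default deny.
# Desktops may only talk to the proxy and the internal DNS; only the proxy
# may reach the Internet, so a program that phones home directly is denied.
POLICY = [
    Rule("allow", "workstations", "proxy", "proxy"),
    Rule("allow", "workstations", "servers", "dns"),
    Rule("allow", "proxy", "internet", "web"),
    Rule("allow", "proxy", "internet", "https"),
    Rule("deny", "internet", "workstations", "backorifice"),
]


def compile_rules(policy):
    """Lower the named rules to the tuple form a packet filter consumes,
    closing with the default deny the policy relies on."""
    out = []
    for r in policy:
        proto, port = SERVICES[r.service]
        out.append(f"{r.action.upper()} {proto.upper()} {NETS[r.src]} any "
                   f"-> {NETS[r.dst]} {port}")
    out.append("DENY ANY any any -> any any")
    return out


@dataclass
class Conn:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(conn, policy=POLICY):
    """Return (verdict, reason); the reason names the high-level rule that
    fired so an alert can be explained in the policy's own terms."""
    s, d = ip_address(conn.src), ip_address(conn.dst)
    for r in policy:
        proto, port = SERVICES[r.service]
        if (s in NETS[r.src] and d in NETS[r.dst]
                and proto == conn.proto and port == conn.dport):
            return r.action, f"{r.src} -> {r.dst} {r.service}"
    return "deny", "no matching rule (default deny)"


def find_leaks(conns, policy=POLICY):
    """Outbound attempts from inside that the policy denies: the 'leak test'
    case, as opposed to inbound attempts (the burglar-alarm case)."""
    leaks = []
    for c in conns:
        inside = any(ip_address(c.src) in NETS[n] for n in INTERNAL)
        verdict, reason = evaluate(c, policy)
        if inside and verdict == "deny":
            leaks.append((c, reason))
    return leaks


# Constructed sample connection attempts.
SAMPLE = [
    Conn("10.1.4.7", "10.2.0.10", "tcp", 3128),      # browsing through the proxy
    Conn("10.1.4.7", "203.0.113.5", "tcp", 80),      # game fetching ads directly
    Conn("10.1.4.7", "198.51.100.9", "tcp", 25),     # desktop mailing out directly
    Conn("198.51.100.9", "10.1.4.7", "tcp", 31337),  # inbound probe for 31337
    Conn("10.2.0.10", "203.0.113.5", "tcp", 80),     # proxy fetching a page
]

if __name__ == "__main__":
    for line in compile_rules(POLICY):
        print(line)
    for c, reason in find_leaks(SAMPLE):
        print(f"LEAK {c.src} -> {c.dst}:{c.dport}/{c.proto}: {reason}")
```

Run as-is, it prints the six lowered rules and then two LEAK lines: the ad fetch on port 80 and the direct SMTP connection, both denied because nothing but the proxy is allowed to reach the Internet. The inbound 31337 probe is denied too but is not reported as a leak, since it comes from outside; that is the distinction between the burglar alarm and the leak test. The point of keeping the reason in policy terms ("workstations -> proxy proxy") rather than tuple terms is that an alert can be read by someone who never saw the compiled rules.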
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]