Tech Notes
Protection Against Advanced Firewall Bypass Techniques
Summary
ZoneAlarm products provide numerous features to prevent firewall bypass and circumvention techniques. This document outlines how to ensure your ZoneAlarm product is configured for maximum protection against outbound firewall circumvention methods such as those used by firewall leak tests, Trojan horses, and firewall auditing utilities.
Background
Personal firewalls must protect from both external and internal threats. External threats generally originate from the Internet where an attack may come inbound to your system. Internal threats originate on the protected system itself. Because attacks can originate from either side of the firewall, ZoneAlarm products must protect from both the outside in, and the inside out.
Applications generally referred to as leak tests have been created to audit and test personal firewall effectiveness. These tools run on the protected system itself and use various firewall circumvention techniques in an attempt to bypass the personal firewall's protection mechanisms. Leak tests are useful for confirming that the firewall is secure and performing as expected, and they let a third party (the leak test creator) make a best attempt at bypassing firewall controls. ZoneAlarm takes these tests seriously and has designed countermeasures to provide the most comprehensive protection for our users against leak tests, Trojan horses, and other malware that attempts to circumvent the firewall.
Techniques used to bypass personal firewalls include:
- Direct outbound requests; simply sending traffic from the protected system outbound, in the hope that the firewall allows it
- Process injection; injecting the leak test's code into the process space of a previously authorized application
- DLL injection; loading a malicious DLL into a trusted process, or chaining it to a DLL the trusted application already loads
- Control via DDE; sending DDE messages to an authorized application in order to control it
- Process killing/handle killing; terminating a trusted application, or closing a file handle that it requires
- File tampering; modifying a file used by the personal firewall
Note: It is possible that Trojan horses or other malware use these same techniques to circumvent personal firewall software. ZoneAlarm therefore makes every attempt to ensure these attacks are blocked and unsuccessful.
To prevent and protect against advanced firewall bypass techniques, leak tests, or Trojan horses and assure the user the firewall is secure, ZoneAlarm has included many different hardening features with our firewall products. These features include:
- Process hardening; not allowing other processes to call or control ZoneAlarm processes
- OpenProcess Protection; preventing process injection attacks
- File exclusive locking; preventing any process from writing to ZoneAlarm installed or required files
- Cryptographic hashing; using cryptographic hashes to verify required files
- Component Control; securing DLLs loaded by trusted applications to prevent DLL injection and SetWindowsHookEx attacks
- Program Control; securing programs through pre-assigned and/or user-defined access policies
- Fail Closed; if unexpected activity is encountered, the firewall fails closed (blocks rather than allows)
Users of ZoneAlarm products should ensure they have configured their firewall properly to prevent successful Trojan horse attacks or firewall bypass by applications (including leak tests):
- If the leak test application creates a ZoneAlarm alert, select Deny. Do not allow the leak test access to the network. If you do, it will succeed by design.
- Enable Advanced Program Control. Select Program Control | Main. Under the Program Control item, click Custom. Ensure the Enable Advanced Program Control box is checked. Re-run the leak test. If you are prompted to allow the leak test application to use another application to access the Internet, select Deny. This will prevent the leak test application from using another process to access the Internet.
- Enable OpenProcess Control. Select Program Control | Main. Under the Program Control item, click Custom. Ensure the Enable OpenProcess Control item is checked. Re-run the leak test. If you are prompted to allow the leak test application to open or control another process, select Deny. This will prevent the leak test application from injecting itself into, or manipulating, an authorized process in order to access the Internet.
- Set SmartDefense Advisor to Automatic. Select Program Control | Main. Under the SmartDefense Advisor item, set the slider to Automatic. Using this feature will allow your firewall to be automatically configured for safe programs. [Default setting]
- Ensure the ZoneAlarm client product is protected. Select Overview | Preferences. Under the General item, make sure the "Protect the ZoneAlarm [product name] client" box is checked. [Default setting]
- Lock the hosts file. Browse to Firewall | Main. Select the Advanced button and ensure the "Lock hosts file" box is checked.
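To make the file-verification idea concrete, here is an added Python example (not ZoneAlarm code, and not a description of how ZoneAlarm implements its cryptographic hashing feature). It shows how a baseline of SHA-256 digests detects the File Tampering technique listed above, including an altered hosts file and a deleted configuration file. The file names, contents, and the simulated tampering are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a personal firewall's list of required files.
# ZoneAlarm's real protected-file set is not described on this page.
REQUIRED_FILES = ("firewall.exe", "policy.dat", "hosts")


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, names=REQUIRED_FILES) -> dict:
    """Record name -> digest for each required file. This is done at install
    time, before untrusted code has run, and the result must itself be kept
    where an attacker cannot rewrite it."""
    return {name: sha256_file(root / name) for name in names}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current files with the baseline.

    Returns {"ok": [...], "modified": [...], "missing": [...]}. A fail-closed
    firewall treats any entry in "modified" or "missing" as a reason to block
    traffic rather than to trust a tampered file.
    """
    report = {"ok": [], "modified": [], "missing": []}
    for name, expected in baseline.items():
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif sha256_file(path) != expected:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo() -> dict:
    """Build a constructed install directory, baseline it, simulate the kind
    of tampering a Trojan might do, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "firewall.exe").write_bytes(b"MZ\x90\x00constructed stand-in")
        (root / "policy.dat").write_text("allow: browser.exe\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering (constructed): point an update host at an
        # attacker-controlled address and delete the policy file.
        with (root / "hosts").open("a") as f:
            f.write("203.0.113.5 updates.example.com\n")
        (root / "policy.dat").unlink()

        return verify(root, baseline)


if __name__ == "__main__":
    # {'ok': ['firewall.exe'], 'modified': ['hosts'], 'missing': ['policy.dat']}
    print(demo())
```

The check is only as strong as the protection around the baseline and the checker: if a Trojan can rewrite the stored digests or patch the verifier, hashing proves nothing. That is why the hardening features listed above are layered, with exclusive file locking and the "Protect the ZoneAlarm client" setting guarding the files and processes that the hash check depends on.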
Some of these settings are not enabled by default, so that the product can "learn" your system's expected behavior. The ZoneAlarm product family is designed to let the user train the program through Program Control. After the initial usage period, users are encouraged to ensure the settings outlined above are enabled. They should also consider setting Program Control to High to enable "Advanced Protection Mode." This moves Component Control out of learning mode and provides the most comprehensive protection.
Users who enable Advanced Protection Mode within the ZoneAlarm product line will see the following informational message:
Advanced Protection Mode
High Program Control enables the advanced protection of Component Control and Advanced Program Control. To minimize the number of alerts you will see, use this setting after you have first accessed the Internet with your most common Internet-accessing programs.
ZoneAlarm recommends allowing your system to run for a week or more before setting Program Control to High to ensure it has trained and understands your system's behavior.
Following these simple steps will ensure you are getting the strongest level of award-winning protection offered by ZoneAlarm products.
Date Published
July 16, 2004