Common concept
This section describes the common design of Windows personal firewalls. A firewall does not have to be built this way to be secure; it is simply how most products are structured. A common personal firewall is implemented as three or four separate components.

Kernel driver
The first part is the kernel driver. It has two main functions, which is why it is sometimes split into two drivers rather than one. The first function is the packet filter. Usually at the NDIS level, the TDI level or both, this driver inspects every packet that arrives from the network or leaves for it. This is also known as inbound and outbound connection protection. Some personal firewalls implement neither inbound nor outbound connection protection, yet these products still have kernel drivers because of the second function. The second function is called the sandbox. The most common ways to implement the sandbox are SSDT hooks and hooks of the shadow SSDT (the GDI/USER service table of win32k.sys). The firewall driver replaces selected system functions with its own code, which verifies the rights of the calling application and either denies the action or passes execution on to the original code. These hooks let the firewall control all potentially dangerous activity of applications, such as attempts to open files, processes or registry keys, to modify the firewall's settings, or to answer the firewall's own dialogs automatically.

System service
System services are special user-mode processes with special functions and behaviour. They run under a privileged system account rather than under an ordinary user account, which lets them run independently of any user, including when nobody is logged on. The role of the service in a personal firewall is to secure the communication between the main components: it receives messages from the GUI and from the kernel driver and relays them to each other. For example, when the firewall is in learning mode, the driver code in a hooked SSDT function may be unable to decide whether to allow or deny an action because the rule database contains no matching rule. In that case it asks the user to decide, which requires sending a message to the GUI to show a dialog and receiving the answer back. This exchange usually goes through the service component. The service is sometimes also used to make sure the GUI is always available to the user.

Graphical user interface
The graphical user interface (GUI) is the user-facing part of the firewall. It usually provides a tray icon from which the firewall is administered. Its other important function is to ask the user to decide on actions when the firewall is in learning mode.

Self-protection
This is rule number one for all security products, not only personal firewalls. No matter how good its other features are, a firewall that cannot protect itself is useless. If malicious code can switch off, disable or destroy the personal firewall, the result is the same as having no firewall at all. Every part of the firewall has to be protected, including its processes, files, registry entries, drivers, services and other system resources and objects.

Verification of own components
Verification of own components is closely related to self-protection. Firewalls are usually complex programs built from several modules. A few main modules are started by the operating system; during startup or later at run time these load the remaining modules of the firewall, which are therefore said to be loaded dynamically. The integrity of every dynamically loaded module must be checked before it is used, which implies that the integrity checker itself has to live in one of the main modules.

Inbound and outbound protection
A good personal firewall offers both inbound and outbound protection. Inbound protection means that packets sent from the Internet or the local network to your computer are filtered and only the ports you want open are reachable. This protection is standard and works well in almost all personal firewalls. Outbound protection, on the other hand, is what gives all vendors trouble today. It means that only applications that are allowed to may access the Internet or the local network, and this is not as simple as it looks. Suppose you want to browse the Internet with your browser and you do not want any other application to do so. It is not enough to check which application is sending a packet, because modern operating systems let programs interact: an application that is not allowed to access the Internet can start the browser and use it for its communication. The personal firewall therefore has to protect every privileged application against such misuse by malware and restrict access to it. Even that is not enough: the firewall has to protect itself, so that malicious applications cannot switch it off or modify its rules, which in turn means it has to protect system resources too. There are many problems here, and we are still talking about a single feature, outbound protection.

Process protection
Every privileged process must be protected against several dangerous actions. First, no malicious application may terminate it. Second, it must not be possible to modify its code or data. Third, it must not be possible to execute any code in the context of a privileged process; this includes DLL injection.

File and component protection
File protection is closely related to process protection. If malicious code can replace the files of a privileged application, that is equivalent to altering the application's code flow when it runs. There are two ways to implement file protection. The first (active protection) is to block write and delete access to the files that belong to privileged applications. Because this can be hard to implement, many firewall authors choose the second way: checking the integrity of modules (component protection). In this case the firewall lets malicious code damage or replace the files of a privileged application, but when that application is about to run its modules are verified and execution is stopped or reported to the user. File protection is also needed for all system files.

Driver protection
Windows trusts its drivers: any code that runs in a driver is trusted, may execute privileged processor instructions and can potentially reach every resource in the system. That is why a part of security software such as a personal firewall has to be implemented as a driver. It is also why loading of new drivers must be controlled and existing drivers protected. Malicious programs must not be able to install drivers or modify drivers that are already loaded.

Service protection
Since part of the firewall usually runs as a system service, system services must be protected too, and not only the firewall's own. Installing a new service is an easy way for malware to persist, because services can be configured to start at every boot, and a malicious service is all the more dangerous because it runs even when no user is logged on. Creation, deletion and control of system services must be protected actions.

Registry protection
The Windows registry holds a great deal of important system information; the settings of system components can be changed through it, and an incorrect modification of some registry objects can easily leave the system unstable or unable to boot. There are many registry keys and values that must be protected against modification by malicious applications.

Protection of other system resources
Windows has other kinds of system resources and objects, some of which are dangerous if malware gets control of them. One well-known example is the section object \Device\PhysicalMemory, which can be used to gain complete control of the system if it is not protected. The firewall must protect every such object that malware could misuse.

Parent process control
We already know that privileged processes must be protected, and probably the easiest way to do so is to control the opening of processes and threads. If process protection is implemented this way, parent process control has to be implemented as well. Every process in the system is created by some other process, its parent, and the parent is handed two handles when it creates a child: one to the process object and one to its main thread. The process handle is opened with full access, so the parent can control its child completely. This is why the firewall must restrict which processes are allowed to start privileged processes. Parent process control should be implemented even when the firewall's design does not protect processes by controlling the opening of processes and threads, because some privileged programs can be made to perform privileged actions simply by being run with particular command line arguments. Many firewalls do not distinguish between starting privileged and unprivileged processes; they restrict process creation in general, so that only applications selected beforehand are able to create child processes.

Control of automatically started programs
The firewall should protect those places in the operating system that malware can use to persist across a reboot. If users are allowed to run new, unknown applications, there is no way to stop a malicious application from being executed, and users do download, install and run new applications all the time. The firewall can restrict what a malicious application does so that it cannot damage the system, but if the malware persists it can do damage later, once a new security bug is discovered. This is why the firewall should control the applications that are started automatically, for example at every system start or user logon.

Sniffing protection
Spyware such as keyloggers and packet sniffers is dangerous because it is built to steal the most sensitive data users have, their passwords. Passwords are not the only target: personal information, private correspondence and business documents are sensitive as well and must be protected. The firewall has to protect sensitive data not only once it is complete in the form of files but also while it is being typed or transferred. A keylogger receives every keystroke the user makes and can reassemble the whole text letter by letter; a packet sniffer waits for messages to pass through a network interface and copies them as they are sent. There are many ways to implement spyware that collects sensitive data, and the firewall has to defend against all of them.

Protection of system resources
Every system has finite resources. A Windows workstation can handle a few thousand such objects, which is enough for any ordinary work, but if a malicious program creates thousands of threads the system becomes unusable: a denial of service (DoS). The firewall should prevent unprivileged applications from causing a DoS by limiting the number of threads, open files, memory and other system resources that they may use.

No ring3 hooks
Ring3 (user-mode) hooking is a technique that can be used to implement a personal firewall or parts of it, but ring3 hooks are suitable only for special features and never for security-critical ones. A protection built on ring3 hooks is easily bypassed by a malicious application. Ring3 hooks must not be used to restrict the behaviour of unknown applications; at most they can be used, rarely, to modify or control the behaviour of privileged applications that are guaranteed not to bypass them.
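The sandbox of the kernel driver, the learning-mode round trip through the service and GUI, and the process-protection rules (no terminate, no memory write, no code injection into privileged processes) fit together in one decision path. The following is an added example written for this page, not code from the original text or from any product: a user-mode model in plain C in which a function-pointer table stands in for the SSDT and a callback stands in for the "ask the user" dialog. The status codes, access bits, process names and rule format are assumptions made for the illustration, not the real DDK API.

```c
/*
 * Added illustration (not code from the original text): a user-mode model of
 * the driver's "sandbox".  A function-pointer table stands in for the SSDT,
 * install_hook() swaps one entry for a checker that consults the rule
 * database, asks the user in learning mode (the driver -> service -> GUI
 * round trip of the text, modelled as a callback) and only then calls the
 * original routine.  Status codes, access bits, process names and the rule
 * format are assumptions made for this example, not the real DDK API.
 */
#include <stdio.h>
#include <string.h>

#define ST_SUCCESS        0
#define ST_ACCESS_DENIED  1

/* Rights an application can request on a process object (subset, assumed). */
#define ACC_TERMINATE     0x0001
#define ACC_CREATE_THREAD 0x0002
#define ACC_VM_WRITE      0x0020
#define ACC_QUERY         0x0400
#define ACC_DANGEROUS     (ACC_TERMINATE | ACC_CREATE_THREAD | ACC_VM_WRITE)

/* Constructed process table: privileged = trusted by the firewall,
 * self = a component of the firewall itself (never opened for writing). */
struct proc { int pid; const char *image; int privileged; int self; };
static const struct proc procs[] = {
    { 4,   "System",         1, 0 },
    { 100, "fw_service.exe", 1, 1 },
    { 200, "browser.exe",    1, 0 },
    { 300, "unknown.exe",    0, 0 },
};
static const struct proc *lookup(int pid)
{
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        if (procs[i].pid == pid) return &procs[i];
    return NULL;
}

/* Rule database; answers given in learning mode are appended to it. */
enum verdict { V_NONE = 0, V_ALLOW, V_DENY };
struct rule { const char *caller, *target; unsigned access; enum verdict v; };
static struct rule rules[32];
static int nrules;

static enum verdict find_rule(const char *c, const char *t, unsigned access)
{
    for (int i = 0; i < nrules; i++)
        if (!strcmp(rules[i].caller, c) && !strcmp(rules[i].target, t) &&
            (access & ~rules[i].access) == 0)   /* rule must cover every requested bit */
            return rules[i].v;
    return V_NONE;
}
static void add_rule(const char *c, const char *t, unsigned access, enum verdict v)
{
    if (nrules >= 32) return;
    rules[nrules].caller = c; rules[nrules].target = t;
    rules[nrules].access = access; rules[nrules].v = v; nrules++;
}

/* The "user": in the real design the GUI shows a dialog; here a callback. */
typedef enum verdict (*prompt_fn)(const char *caller, const char *target, unsigned access);
static prompt_fn ask_user;
static int learning_mode = 1;
static enum verdict prompt_allow(const char *c, const char *t, unsigned a) { (void)c; (void)t; (void)a; return V_ALLOW; }
static enum verdict prompt_deny (const char *c, const char *t, unsigned a) { (void)c; (void)t; (void)a; return V_DENY; }
static void set_prompt(prompt_fn fn) { ask_user = fn; }

/* The "SSDT": a single entry, the OpenProcess service. */
typedef int (*open_process_fn)(int caller_pid, int target_pid, unsigned access);
static int real_open_process(int c, int t, unsigned a) { (void)c; (void)t; (void)a; return ST_SUCCESS; }
static open_process_fn ssdt[1] = { real_open_process };
static open_process_fn original_open_process;

static int hooked_open_process(int caller_pid, int target_pid, unsigned access)
{
    const struct proc *c = lookup(caller_pid), *t = lookup(target_pid);
    if (!c || !t) return ST_ACCESS_DENIED;            /* unknown caller or target: deny */
    if (c->privileged || !t->privileged || !(access & ACC_DANGEROUS))
        return original_open_process(caller_pid, target_pid, access);

    /* Unprivileged code wants terminate/write/inject rights on a privileged
     * process.  Self-protection is not negotiable, so the firewall's own
     * components never reach the dialog; everything else goes through rules. */
    if (t->self) return ST_ACCESS_DENIED;
    enum verdict v = find_rule(c->image, t->image, access);
    if (v == V_NONE && learning_mode && ask_user) {
        v = ask_user(c->image, t->image, access);
        add_rule(c->image, t->image, access, v);       /* remember the answer */
    }
    if (v != V_ALLOW) return ST_ACCESS_DENIED;         /* no rule and no dialog: deny */
    return original_open_process(caller_pid, target_pid, access);
}

static void install_hook(void)
{
    if (original_open_process) return;                 /* already installed */
    original_open_process = ssdt[0];
    ssdt[0] = hooked_open_process;
}

/* What an application's call to the system service resolves to. */
static int sys_open_process(int caller_pid, int target_pid, unsigned access)
{
    return ssdt[0](caller_pid, target_pid, access);
}

int main(void)
{
    install_hook();
    set_prompt(prompt_deny);
    printf("unknown.exe -> browser.exe QUERY:      %d\n", sys_open_process(300, 200, ACC_QUERY));
    printf("unknown.exe -> browser.exe TERMINATE:  %d\n", sys_open_process(300, 200, ACC_TERMINATE));
    printf("unknown.exe -> fw_service.exe VM_WRITE: %d\n", sys_open_process(300, 100, ACC_VM_WRITE));
    return 0;
}
```

Two design points are worth noticing. The default when there is no rule and no user to ask is deny, never pass-through, because a hook that fails open is no protection at all. And the firewall's own components are excluded from the learning-mode dialog: a prompt that malware can answer automatically (one of the attacks the text lists) must not be able to grant access to the firewall itself.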
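The outbound-protection problem (an unprivileged program starting the browser and communicating through it), the parent process control section and the resource quota of the system-resources section all turn on the same question: what rights does a newly created process actually get? The following is an added example for this page, not code from the original text or any product. Each image carries two independent, assumed flags: P_NET (its own rules allow network access) and P_SPAWN (it is an approved launcher of privileged programs). This example takes the downgrade option: a privileged child started by a parent without P_SPAWN is created but inherits the parent's trust, so the browser that malware starts has none of the browser's network rights; denying the creation outright is the other option the text allows. Image names, flags and the quota value are assumptions.

```c
/*
 * Added illustration (not code from the original text): process-creation and
 * thread-creation hooks implementing parent process control and a quota.
 * Flags, image names, status codes and the quota are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define ST_SUCCESS       0
#define ST_ACCESS_DENIED 1
#define ST_NO_RESOURCES  2

#define P_NET   0x1   /* may open outbound connections */
#define P_SPAWN 0x2   /* may start privileged images without downgrading them */

#define MAX_PROCS           64
#define UNPRIV_THREAD_QUOTA 8   /* assumed per-process limit for untrusted code */

struct proc { int pid, ppid; const char *image; unsigned flags; int threads; int used; };
static struct proc table[MAX_PROCS];
static int next_pid = 1000;

/* Constructed policy: flags granted to known images; unknown images get none. */
static const struct { const char *image; unsigned flags; } policy[] = {
    { "System",         P_NET | P_SPAWN },
    { "fw_service.exe", P_NET | P_SPAWN },
    { "explorer.exe",   P_SPAWN },          /* the user's shell may launch anything */
    { "browser.exe",    P_NET },
};
static unsigned image_flags(const char *image)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].image, image)) return policy[i].flags;
    return 0;
}
static struct proc *find(int pid)
{
    for (int i = 0; i < MAX_PROCS; i++)
        if (table[i].used && table[i].pid == pid) return &table[i];
    return NULL;
}
static void init_table(void)
{
    memset(table, 0, sizeof table);
    table[0].pid = 4; table[0].image = "System";
    table[0].flags = image_flags("System"); table[0].threads = 1; table[0].used = 1;
    next_pid = 1000;
}

/* Process-creation hook.  The parent receives full-access handles to its
 * child, so a privileged image keeps its rights only if the launcher is an
 * approved one; otherwise the child runs with the parent's (empty) rights. */
static int create_process(int ppid, const char *image, int *out_pid)
{
    struct proc *parent = find(ppid);
    if (!parent) return ST_ACCESS_DENIED;
    unsigned flags = image_flags(image);
    if (flags && !(parent->flags & P_SPAWN))
        flags = 0;                          /* downgraded: runs as untrusted code */
    for (int i = 0; i < MAX_PROCS; i++) {
        if (table[i].used) continue;
        table[i] = (struct proc){ next_pid, ppid, image, flags, 1, 1 };
        *out_pid = next_pid++;
        return ST_SUCCESS;
    }
    return ST_NO_RESOURCES;
}

/* Outbound check: consult the process's effective flags, never its image name,
 * or the downgrade above would be meaningless. */
static int connect_allowed(int pid)
{
    struct proc *p = find(pid);
    return p != NULL && (p->flags & P_NET) != 0;
}

/* Thread-creation hook: untrusted processes get a quota, trusted ones do not. */
static int create_thread(int pid)
{
    struct proc *p = find(pid);
    if (!p) return ST_ACCESS_DENIED;
    if (p->flags == 0 && p->threads >= UNPRIV_THREAD_QUOTA) return ST_NO_RESOURCES;
    p->threads++;
    return ST_SUCCESS;
}

int main(void)
{
    int shell = 0, mal = 0, br_ok = 0, br_bad = 0;
    init_table();
    create_process(4, "explorer.exe", &shell);
    create_process(shell, "unknown.exe", &mal);
    create_process(shell, "browser.exe", &br_ok);
    create_process(mal, "browser.exe", &br_bad);
    printf("browser started by explorer may connect: %d\n", connect_allowed(br_ok));
    printf("browser started by unknown.exe may connect: %d\n", connect_allowed(br_bad));
    return 0;
}
```

Splitting "may use the network" from "may launch privileged programs" is what makes the scheme usable: the shell has to be able to start the browser, but the shell itself never needs network access, and the browser never needs to spawn privileged children.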
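The file, registry, service, autostart and \Device\PhysicalMemory protections described above all reduce to one check in the driver: does this object name fall under something the firewall protects? The following is an added example for this page, not code from the original text or any product. It matches a normalised NT-style object name against a constructed sample list of protected prefixes; the list is an assumption for illustration, not an inventory of what a real product protects. The security point it makes is that the comparison must be case-insensitive and at a path-component boundary, because the Windows object namespace is case-insensitive and a raw prefix compare can be walked around.

```c
/*
 * Added illustration (not code from the original text): the object-name check
 * behind file, registry, service, autostart and \Device\PhysicalMemory
 * protection.  The prefix list is an assumed sample.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of protected object names, already in normalised form. */
static const char *protected_prefixes[] = {
    "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\run",
    "\\registry\\machine\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\registry\\machine\\system\\currentcontrolset\\services",
    "\\device\\physicalmemory",
    "\\??\\c:\\windows\\system32\\drivers",
    "\\??\\c:\\program files\\firewall",      /* the firewall's own files (assumed path) */
};

/* Lower-case, collapse repeated backslashes, drop a trailing one.
 * A real implementation must also resolve symbolic links, 8.3 short names,
 * the \??\ versus \Device\HarddiskVolumeN spellings and alternate data
 * streams, or the list can be bypassed; that resolution is out of scope here. */
static void normalise(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in && n + 1 < cap; in++) {
        char c = (char)tolower((unsigned char)*in);
        if (c == '\\' && n > 0 && out[n - 1] == '\\') continue;
        out[n++] = c;
    }
    if (n > 1 && out[n - 1] == '\\') n--;
    out[n] = '\0';
}

/* A prefix matches only at a component boundary: "...\run" must not shadow
 * "...\runner", while "...\run\evil" is inside the protected key. */
static int under_prefix(const char *path, const char *prefix)
{
    size_t len = strlen(prefix);
    return strncmp(path, prefix, len) == 0 && (path[len] == '\0' || path[len] == '\\');
}

/* Returns 1 if the caller may modify the object, 0 if the firewall blocks it. */
static int write_allowed(int caller_privileged, const char *object_name)
{
    char name[512];
    if (caller_privileged) return 1;              /* trusted components bypass the list */
    normalise(object_name, name, sizeof name);
    for (size_t i = 0; i < sizeof protected_prefixes / sizeof protected_prefixes[0]; i++)
        if (under_prefix(name, protected_prefixes[i])) return 0;
    return 1;
}

int main(void)
{
    const char *samples[] = {
        "\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\evilsvc\\ImagePath",
        "\\DEVICE\\PhysicalMemory",
        "\\??\\C:\\Program Files\\Firewall\\\\fw.dll",
        "\\??\\C:\\Users\\alice\\notes.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-80s -> %s\n", samples[i], write_allowed(0, samples[i]) ? "allow" : "BLOCK");
    return 0;
}
```

The list covers the autostart keys, the Services key (creating a service is a registry write under it), the section object that gives raw physical memory access, the drivers directory and the firewall's own installation directory, which is how the text's self-protection, driver, service and registry protections become one mechanism.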