Why your firewall sucks :-)
I have been following the ongoing discussions at GRC about LeakTest and firewalls for some time. I finally got fed up with the whole thing. In my estimation the position held by the majority (and, yes, advocated by Steve Gibson) basically comes down to this:
Admittedly, that seems to be a good argument. In fact, I used to believe it. When Zone Alarm first came out, I even recommended it to friends and colleagues.
But I quickly realized the truth:
The added protection provided by outbound filtering is entirely illusory.
Such filtering is in fact no better than the insanely stupid kludge that Network Ice put into Black Ice Defender to block Steve's LeakTest. It does the same thing: it gives you a false, undeserved sense of security!
If a firewall is going to allow some program to transmit and receive data over the Internet, and that program allows other programs to control its actions, then there's no point in blocking anything at all.
In this example, if your firewall treats Internet Explorer as a "trusted" application, you'll find that this drills right through. In essence, by giving "trust" to Internet Explorer, you are implicitly trusting every other software application on your PC.
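The "implicit trust" point can be made precise with a small policy model. This is an added example, not code from the original page or from TooLeaky: the program names and the "which program can drive which" edges are constructed assumptions, and the functions compute who effectively gets through a per-application allow-list once a trusted program can be controlled by others.

```python
from collections import defaultdict, deque

# Constructed model (assumptions for illustration, not any real product):
# the firewall's explicit allow-list, and a graph of "controller -> programs
# it can drive" edges, e.g. through an automation interface the browser exposes.
ALLOW_LIST = {"iexplore.exe"}
CONTROLS = {
    "tooleaky.exe": {"iexplore.exe"},
    "updater.exe": {"iexplore.exe"},
    "macro_host.exe": {"updater.exe"},   # reaches the browser in two hops
    "notepad.exe": set(),                # drives nothing, so it stays blocked
}

def effective_trust(allow_list, controls):
    """Every program that can get data out: the allow-list plus anything that
    can control, directly or via a chain, an allow-listed program (reverse BFS)."""
    controlled_by = defaultdict(set)
    for controller, targets in controls.items():
        for target in targets:
            controlled_by[target].add(controller)
    reachable = set(allow_list)
    queue = deque(allow_list)
    while queue:
        prog = queue.popleft()
        for controller in controlled_by[prog]:
            if controller not in reachable:
                reachable.add(controller)
                queue.append(controller)
    return reachable

def implicit_trust(allow_list, controls):
    """Programs the firewall never asked the user about, yet which inherit trust."""
    return effective_trust(allow_list, controls) - set(allow_list)

def chain_to_network(program, allow_list, controls):
    """One control chain from `program` to an allow-listed program, or None if
    the per-application policy really does stop it."""
    parents = {program: None}
    queue = deque([program])
    while queue:
        prog = queue.popleft()
        if prog in allow_list:
            chain = []
            while prog is not None:          # walk back to the start
                chain.append(prog)
                prog = parents[prog]
            return chain[::-1]
        for target in controls.get(prog, ()):
            if target not in parents:
                parents[target] = prog
                queue.append(target)
    return None
```

The allow-list names one program, but `effective_trust` returns four; the filter only stops programs that cannot reach a trusted one through any chain.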
Now, a brief warning: Who should download this software? Quite likely not you. This software is targeted at security professionals. Unless you have a thorough understanding of software firewalls, outbound filtering methods, and the details of this exploit, there is no need to download this program. It's not going to do anything other than frustrate you. However, that said, it can be lots of fun to demonstrate to your friends how you can get right through their firewall if it trusts Internet Explorer.
This program very clearly penetrates every firewall on the market, including Zone Alarm. It sends data out to a server (in this case, grc.com, just like Steve Gibson's LeakTest), and then retrieves data in response, completely bypassing your firewall.
So, one must ask: Why have so many people said that firewalls with outbound filtering are more secure than those without it? The best explanation I can come up with is that they simply never considered bypassing them (or didn't know how to).
For full details of how and why these firewalls are so easily penetrated, see the liberal comments in this program's source code.
(Incidentally, for those who believe it was reckless to release this software, I agree wholeheartedly with Steve Gibson's explanation of why software like this should be released. Please see his explanation of why publishing such information is a good thing. And as far as why I released the source code, anyone with half a brain, the TooLeaky executable, and a copy of IDA Pro would have been able to figure out what was going on within five minutes anyway.)
Copyright © 2001 Bob Sundling. All Rights Reserved.