Oct 20 2015
NetMon has become more important to me recently, as the latest update to eSet completely broke my VMware network. I tried everything I could imagine, but eventually had to completely disable the eSet firewall and rely on the intrinsic Microsoft firewall. This was annoying, but I don't view the loss of eSet as degrading my personal security much. The personal network security picture has changed since the initial virus scares of the 1990s, while the mentality behind firewall design has not.
The primary threat in 1990 was an unsolicited network connection into some standard service running on a computer. If the local computer accepted the connection, the remote computer would exploit some defect or overly lax protection in the service to perform some action on the local computer, such as installing a program or deleting files. The firewall would block these incoming "cold calls". This stopped the early "worm" attacks that exploited design defects in the OS and device drivers of the target systems, such as the infamous "Ping of Death" that could crash a Windows system with a single packet. The local firewall protected the computer by denying the incoming connection before it made it to the OS and service program.
These incoming attacks relied primarily on exploiting design defects. As the internet connection became more important to the everyday use of computers, these defects were fixed and blocking incoming connections became less important to network security. The firewall persisted because it provided a sense of security against the previous threat, and it was easier to configure a firewall than to disable or harden all the various services running on the system.
As the threat from external attacks waned, a new threat arose: the Trojan Horse. The trojan attack involved tricking the user into running a program that looked innocent but in fact held a malware payload -- a malicious software program. The most common trojan was an email attachment that included a script that would run if the user simply clicked on it. A combination of circumstances in the late 1990s made trojans extremely dangerous. The internet was beginning to really take off, and the number of emails and files being shared grew geometrically. The personal computer was no longer used just by nerds and businesses; it was becoming as common in homes as a television, and many of these users had very little experience or understanding of how the computer worked. Microsoft and Apple raced to make the computer easier to use, and when there was a design decision between security and convenience, convenience always won. Simultaneously, the personal computer became easier to reach, the users easier to trick, and the information on the computer more personal and valuable.
These new trojan attacks hit the firewall from the inside, trying to connect to their remote servers while running as a supposedly trusted service on the local machine. The firewall regained its importance by detecting the outbound connection from a program that was not on its trusted list and alerting the user. The alert would typically be something like, "A program xxxx.exe is trying to connect to the internet. Allow or deny?" The firewalls assumed that the threat could be associated with the program, and allowed or denied connections by identifying the program. This successfully blocked most trojan programs.
The internet continued to become more important to people's everyday lives. Then, in 2007, the landscape changed again. The iPhone popularized the mobile phone as a computer platform with the tremendous success of apps. Technology had made the phone almost indistinguishable from the personal computer from a software perspective, while its ubiquitous network connection transformed the network connection from an add-on feature to the central component. The users now expected the apps to connect to internet servers for everything. When every program requires an internet connection, a firewall that blocks internet connections becomes worse than useless.
This software mentality migrated from the phones to the personal computer. It became more and more common for programs to require an internet connection to function. Users became conditioned to allow access to any program and firewalls became more of a nuisance than a security measure.
The new security threat is a hybrid Trojan: a program that the user wanted and that provided some benefit, but that also communicated information out of the personal computer to remote servers without the user's knowledge or permission. For example, the user would download a game that was fun. The game would communicate with a server to upload scores and download scoreboards, which was something the user wanted. However, the game was also uploading all the user's contact and location information -- something the user very much did not want. The local firewall is of no help in this situation. If the user had not already disabled the firewall, he would tell it to allow the game access anyway. The decision whether the connection should be allowed requires more information than either the user or the firewall has.
Even more insidious is the trojan library that binds itself to an otherwise innocent program. These libraries can be part of an advertisement package that is added to programs to allow developers to derive third-party revenue from in-game advertisements.
The firewall needs to evolve. It now needs to make a qualitative decision based not just on the program name, but on the remote server, the local time of day, the information content, and even historical analysis from other users.
The user should know the name of the company that is running the remote server, where in the world that server is located, and whether that server should be trusted. Who, by name, is receiving the information is the critical bit of information -- not the name of a file.
This requires more than a WHOIS lookup on the server's domain, since most servers are unregistered. It requires a central, independent third-party registry that provides a measure of trust for the remote servers. Servers that are found to be receiving personal information will be flagged as suspicious. Servers that register with legitimate identities will be tagged as trusted.
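As an added illustration (not code from the original post), here is a toy version of the decision the post calls for: the verdict on an outbound connection is driven by who owns the remote server, whether the payload carries personal information, and the local time of day, with observations fed back into a constructed stand-in for the third-party registry. All host names, company names and the time window are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class Trust(Enum):
    TRUSTED = "trusted"            # registered with a verified legal identity
    UNREGISTERED = "unregistered"  # no registry record (the common case)
    SUSPICIOUS = "suspicious"      # observed receiving personal information

@dataclass
class RegistryEntry:
    owner: str    # company running the server, by name
    country: str  # where in the world the server is located
    trust: Trust

# Constructed stand-in for the independent third-party registry (hypothetical hosts).
REGISTRY = {
    "scores.example-game.test": RegistryEntry("Example Games Ltd", "US", Trust.TRUSTED),
}
UNKNOWN = RegistryEntry("unknown owner", "unknown location", Trust.UNREGISTERED)

@dataclass
class Connection:
    program: str                 # e.g. "game.exe": necessary but no longer sufficient
    host: str                    # remote server being contacted
    local_hour: int              # 0-23, local time of day
    carries_personal_data: bool  # payload classified as contacts or location data

def flag_suspicious(host):
    """Historical analysis: one user seeing personal data flow to a host flags it for all."""
    entry = REGISTRY.setdefault(host, RegistryEntry(UNKNOWN.owner, UNKNOWN.country, Trust.SUSPICIOUS))
    entry.trust = Trust.SUSPICIOUS

def decide(conn):
    """Return (verdict, reason); the reason names the recipient, not just the file."""
    entry = REGISTRY.get(conn.host, UNKNOWN)
    who = f"{entry.owner} ({entry.country}) via {conn.program}"
    if conn.carries_personal_data and entry.trust is not Trust.TRUSTED:
        flag_suspicious(conn.host)  # feed the observation back into the registry
        return "deny", f"personal data leaving to {who}; {conn.host} flagged suspicious"
    if entry.trust is Trust.SUSPICIOUS:
        return "deny", f"{conn.host} is known to collect personal data ({who})"
    if conn.carries_personal_data:  # trusted owner, but the user decides by name
        return "prompt", f"send personal data to {who}?"
    if entry.trust is Trust.UNREGISTERED and not 7 <= conn.local_hour < 23:
        return "prompt", f"unregistered server contacted at {conn.local_hour:02d}:00 by {who}"
    return "allow", f"routine traffic to {who}"

if __name__ == "__main__":
    for c in (Connection("game.exe", "scores.example-game.test", 14, False),
              Connection("game.exe", "cdn.example-ads.test", 14, True),
              Connection("game.exe", "cdn.example-ads.test", 15, False)):
        print(c.host, *decide(c))
```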