Firewalls and Leak Tests: face-to-face battles

July 19, 2004 - Part II

Introduction to leak tests
That's where firewall leak tests come in. Leak tests are programs that show how well your computer is protected against unwanted outgoing network connections. They demonstrate how leaky your firewall is, that is, to what extent it will let personal data leave your machine through outbound connections you never authorised.

If your firewall passes all the available leak tests, you can be reasonably confident that a program on your PC cannot quietly upload or steal your personal information. Bear in mind what that does and does not prove: each test exercises one specific bypass technique, so passing all of them shows that those known techniques are blocked, not that no other technique exists. Leak tests are written both by professional security researchers and by programming enthusiasts, with one purpose: to uncover weak points in personal firewall protection and bring them to the attention of users and firewall developers, so that the products can be strengthened. They are free utilities available for download on the Web. They are not commercial products and therefore are not widely advertised, yet they perform a modest but very important function: checking how well your outbound protection works and pointing out its faults. Leak tests are simulators. They imitate the actions of a harmful application such as a Trojan horse, but they do no damage to your data, and, unlike a real attacker, they draw your attention to what they are doing and help you understand how the technique works.

Running them is highly recommended when you are about to buy a new firewall. At the very least, review the results we obtained when we subjected the best-known firewalls to leak tests.

Leak tests in action

Let's now examine the individual leak tests, how they work, and what their results mean for the user's Internet safety.

One of the basic leak tests, the pioneering tool in the field of outbound data inspection, is the program named "LeakTest v1.2" (a version 2.0 is expected in the near future), written by the well-known computer security guru Steve Gibson. It imitates the work of a Trojan horse attempting to upload your personal data from your PC to a given host. According to Steve, the test tries to send data from your machine to his Gibson Research Corporation website, bypassing your firewall's defenses.

The principle is simple: it makes your firewall believe that a legitimate application, such as your FTP client or an MS Office component, is sending data to the remote host. This is done by renaming the test executable to the file name of an application that your firewall's rules already allow to access the Internet. Modern firewalls identify an application by a cryptographic hash of its executable rather than by its file name, and so pass this test; but early in their history a chillingly trivial name change was enough to let a harmful program send out private information.

Another program for testing outbound blocking is TooLeaky. It is similar to Steve's test but better disguised: rather than pretending to be the browser, TooLeaky launches the system's default web browser itself and hands it the data to transmit to the remote host, so the connection is made by a genuinely trusted program.

After these tests appeared, firewalls grew more sophisticated, and the next generation of tests followed suit. The newer leak tests not only disguise themselves as permitted applications; they run their own code inside a genuinely legitimate process, for instance IEXPLORE.EXE (the Internet Explorer executable), by injecting it into that process, so that the firewall sees nothing but the trusted program. One of these is the well-known FireHole test, created by the lead network security programmer at Foundstone.

FireHole installs a DLL containing a Windows hook procedure. Once the hook is set, Windows maps the DLL into the other processes the hook applies to, and the code in it runs with the identity of whatever process it was loaded into, in this case the system's default browser. The outbound connection therefore appears to the firewall to come from the trusted browser, over the TCP port 80 that the browser is permitted to use.

Another tool for testing a firewall's filtering capabilities is a Trojan-like application aptly named Yalta (after the popular resort in southern Ukraine), which really makes a firewall sweat. It simulates the work of an advanced Trojan horse and lets the tester specify what "test failed" message should be sent, to which IP address, and on which port. This application was created by the developers of the Look'n'Stop firewall, so Look'n'Stop has no problem passing the test.

Another powerful testing suite is Atelier Web Firewall Tester (AWFT), which combines six rigorous tests in one package aimed at testing a system's outbound security as completely as possible. According to AWFT's website, the tests work as follows:

One: It attempts to load a copy of the default browser and patch it in memory before executing it. Defeats the weakest firewalls.

Two: Creates a thread in a loaded copy of the default browser. It's an old trick, but most firewalls still fail it.

Three: Creates a thread in Windows Explorer, another old trick, which almost every firewall still fails.

Four: Attempts to load a copy of the default browser from Windows Explorer and patch it in memory before execution. Defeats firewalls that require authorization when one application tries to load another (following on Technique 1); Windows Explorer is almost always authorized by firewalls. Firewalls usually fail this test, unless the default browser itself is blocked from accessing the Internet.

Five: Performs a heuristic search for proxies and other software authorized to access the Internet on port 80, loads a copy and patches it in memory before execution from within a thread on Windows Explorer. This is a very difficult test for firewalls to pass!

Six: Performs a heuristic search for proxies and other software authorized to access the Internet on port 80, requests the user to select one of them, and then creates a thread on the selected process. Another difficult nut to crack for firewalls!
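The checks that separate the tests above are easy to see side by side. The following is a constructed model added here, not code from PC Flank, Gibson Research, Atelier Web or any firewall vendor: the "executables" are short byte strings, the process tree is a dictionary, and the rule engine is a hypothetical one with three rule types (file name, image hash, and image hash plus a trusted launcher). It shows why the renaming trick of LeakTest falls to hash-based rules, why the browser-launching trick of TooLeaky and AWFT test 4 survives them, and what the launcher check adds. It runs offline and touches no real network or firewall.

```python
"""Constructed model of three generations of outbound-filtering checks.

Not code from PC Flank or any firewall or leak-test tool: executables are byte
strings, the process tree is a dict, and the rule engine is hypothetical.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Process:
    pid: int
    name: str              # image file name as shown to the firewall
    image: bytes           # contents of the executable (constructed stand-in)
    parent: Optional[int]  # pid of the process that launched this one


@dataclass
class Firewall:
    """Outbound allow-rules keyed three different ways (hypothetical engine)."""
    by_name: Set[str] = field(default_factory=set)            # generation 1
    by_hash: Set[str] = field(default_factory=set)            # generation 2
    trusted_launchers: Set[str] = field(default_factory=set)  # generation 3 (hashes)
    check_launcher: bool = False

    @staticmethod
    def digest(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def allow_outbound(self, proc: Process, tree: Dict[int, Process]) -> bool:
        if not self.by_hash:
            # Generation 1: trust whatever carries an allowed file name.
            return proc.name.lower() in self.by_name
        # Generation 2: identify the program by a hash of its image; a renamed
        # leak test no longer matches the rule created for the real browser.
        if self.digest(proc.image) not in self.by_hash:
            return False
        if not self.check_launcher:
            return True
        # Generation 3: the trusted program must also have been started by a
        # trusted launcher; otherwise a leak test can simply run the real
        # browser and hand it the data to send.
        parent = tree.get(proc.parent) if proc.parent is not None else None
        return parent is not None and self.digest(parent.image) in self.trusted_launchers


# Constructed stand-ins for the three executables involved.
BROWSER_IMAGE = b"MZ-constructed-default-browser"
EXPLORER_IMAGE = b"MZ-constructed-windows-explorer"
LEAKTEST_IMAGE = b"MZ-constructed-leak-test"


def firewalls() -> Dict[str, Firewall]:
    browser_hash = Firewall.digest(BROWSER_IMAGE)
    return {
        "name": Firewall(by_name={"iexplore.exe"}),
        "hash": Firewall(by_hash={browser_hash}),
        "hash+launcher": Firewall(by_hash={browser_hash},
                                  trusted_launchers={Firewall.digest(EXPLORER_IMAGE)},
                                  check_launcher=True),
    }


def scenarios() -> Dict[str, Dict[str, bool]]:
    """Decision of each firewall generation per scenario (True = connection allowed)."""
    explorer = Process(1, "explorer.exe", EXPLORER_IMAGE, None)
    # LeakTest v1.2 style: the test binary renamed to the browser's file name.
    renamed = Process(2, "iexplore.exe", LEAKTEST_IMAGE, 1)
    # TooLeaky / AWFT test 4 style: the test keeps its own name but starts the
    # genuine browser, which then makes the connection.
    leaktest = Process(3, "tooleaky.exe", LEAKTEST_IMAGE, 1)
    launched = Process(4, "iexplore.exe", BROWSER_IMAGE, 3)
    # The user opens the browser from Explorer: this must remain allowed.
    legit = Process(5, "iexplore.exe", BROWSER_IMAGE, 1)
    tree = {p.pid: p for p in (explorer, renamed, leaktest, launched, legit)}
    cases = {
        "leaktest_own_name": leaktest,
        "renamed_leaktest": renamed,
        "browser_started_by_leaktest": launched,
        "browser_started_by_user": legit,
    }
    fws = firewalls()
    return {case: {gen: fw.allow_outbound(proc, tree) for gen, fw in fws.items()}
            for case, proc in cases.items()}


if __name__ == "__main__":
    for case, result in scenarios().items():
        verdicts = "  ".join(f"{g}={'allowed' if v else 'blocked'}" for g, v in result.items())
        print(f"{case:30} {verdicts}")
```

The name-only rule lets the renamed test through, the hash rule stops it but still allows the genuine browser when a leak test starts it, and only the launcher check blocks that while still letting the user's own browser session out. All three checks look at which process opens the connection and who started it; none of them sees code injected into an already-running trusted process, which is what FireHole and AWFT tests 2, 3 and 6 exploit, and why monitoring the DLLs a trusted process loads and the threads created inside it became the next line of defense.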

Afterword

All in all, the ever-increasing challenges that modern tests present to firewalls are tremendously beneficial: the more sophisticated a leak test becomes, the harder it pushes your firewall, which leaves the product better prepared for real-life trials. And the better a firewall handles the tests, the more reliably it will behave when confronted with a real pest, be it a virus, a Trojan horse or spyware.

We have a round-up of firewall outbound data protection test results on our site and you are invited to check them out and see which firewalls most successfully survive these leak tests.

In this article we have looked at tools that test your firewall's ability to resist unintended outbound data leakage. Later we will introduce our visitors to other security concerns that a wide range of modern data-protection tools can address.

Back to:
Part I

© 2011 PC Flank Ltd. All rights reserved.