Recently I was trying to explain to someone why there was no point in installing a software firewall on a PC that was already protected by the hardware firewall on a NAT router. We both agreed that there was no point in having a software firewall monitoring incoming traffic. The router performs the same port controlling functions as the software firewall, and provides NAT services as well, effectively hiding the connected workstations. Since the hardware firewall is more difficult to penetrate, neither of us thought it likely that anything that couldn’t be stopped by the hardware firewall would be stopped by the software firewall.
The value he saw in the software firewall was that, unlike the hardware firewall, it would monitor outgoing traffic. He postulated that this “program control” would provide a second layer of security. If a malicious program eventually made its way onto the system and then tried to phone home, the software firewall would warn him, and he would get a chance to deny it access to the internet, limiting the amount of damage done. This is one of the angles the vendor pushed the product from, and it passes the common sense test, so it is a fairly reasonable conclusion to come to—if you only spend a brief moment thinking about it.
My objection is that it is so stone-cold simple to get around program control that anyone clever enough to break through your other security measures would slip by it as easily as a rear-wheel drive car slips on ice.
The easiest method is for the hacker to change the name of his piece of malware to match another program on the victim’s system that requires internet access, for example “Internet Explorer” or “Yahoo Messenger”. If the user looked closely, they might see clues that something was amiss, but programs like these are always being updated, so it wouldn’t seem out of the ordinary that they needed permission again. The user would click allow without bothering to look twice.
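To make the point concrete from the defender’s side, here is a small added example (my own illustration, not code from the post or from any firewall vendor) contrasting the two ways a program-control rule can identify an executable: by its file name, or by a hash of its contents. The “executables” are constructed byte strings written to a temporary directory, and the file name iexplore.exe is just a stand-in for whatever trusted program the rule names.

```python
import hashlib
import os
import tempfile

# Constructed sample "program images": these bytes stand in for real executables.
TRUSTED_BROWSER_IMAGE = b"MZ-constructed-trusted-browser-image"
OTHER_PROGRAM_IMAGE = b"MZ-constructed-unrelated-program-image"


def sha256_of_file(path):
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_rule_allows(path, allowed_names):
    """A rule keyed only on the executable's file name (the weak check)."""
    return os.path.basename(path).lower() in allowed_names


def hash_rule_allows(path, allowed_hashes):
    """A rule keyed on the executable's content hash (the stronger check)."""
    return sha256_of_file(path) in allowed_hashes


def demo():
    """Return how each rule judges the trusted program and an unrelated
    program that has merely been given the trusted program's name."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "iexplore.exe")
        with open(browser, "wb") as f:
            f.write(TRUSTED_BROWSER_IMAGE)

        # The allow rules are built when the user first clicks "allow".
        allowed_names = {"iexplore.exe"}
        allowed_hashes = {sha256_of_file(browser)}

        # A different program sitting elsewhere under the same file name.
        other = os.path.join(d, "other", "iexplore.exe")
        os.makedirs(os.path.dirname(other))
        with open(other, "wb") as f:
            f.write(OTHER_PROGRAM_IMAGE)

        return {
            "trusted_by_name": name_rule_allows(browser, allowed_names),
            "trusted_by_hash": hash_rule_allows(browser, allowed_hashes),
            "lookalike_by_name": name_rule_allows(other, allowed_names),
            "lookalike_by_hash": hash_rule_allows(other, allowed_hashes),
        }


if __name__ == "__main__":
    for rule, verdict in demo().items():
        print(f"{rule}: {'allow' if verdict else 'block'}")
```

The name-based rule waves the look-alike through; the hash-based rule blocks it. The catch, and it is exactly the one the post describes, is that a hash-based rule also fires on every legitimate update of the real program, so the user is trained to see the prompt as routine and click allow.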
But there’s another easy method that won’t cause any alert to display. All the hacker would have to do is load his little joke as a plug-in for your favorite browser. Web browsers typically don’t notify you when a new plug-in is added. It’s assumed that you added it, so of course you already know about it. A plug-in almost never alters the program’s executable, so it would not be detected as a change in the program by a software firewall’s program control. It would get access to the internet just by piggy-backing on the rights of your web browser. Don’t believe it could work? You can prove it does. Just download and install a plug-in that accesses a remote server for your favorite web browser, and see if your software firewall picks it up as a change. You could try Forecastfox for Firefox.
And those are just two easy ways off the top of my head. A real nerdy hacker might try to insert the information he’s trying to send into unencrypted packets being sent out by other applications, and then intercept them on the other end. If I can come up with three ways of doing it without trying, you know your favorite enemy can come up with sixteen.
From my viewpoint, calling a software firewall’s “program control” security is analogous to calling a T-shirt body armor. They both offer approximately the same level of protection.