Educause Security Discussion mailing list archives

When is a firewall not a firewall?


From: Gary Dobbins <dobbins () ND EDU>
Date: Fri, 5 Sep 2003 13:28:27 -0500

Wondering if anyone out there has seen this characteristic of XP's
built-in 'firewall', and/or if it's widely known:

Some folks have asked recently how it's seemed possible for someone's
XP machine to have contracted one of the recent RPC/DCOM worms even
though they had the XP firewall enabled.  Maybe they hadn't had a
chance to install the patch yet, but knew the firewall would hold off
the probes by worms seeking victims.  They were right, except...

Just don't reboot.

During the period of time during Windows startup, between the IP stack
coming up and the firewall service starting, Windows is fully exposed
to the net.  On one test I just ran, XP dutifully responded to probes
for at least 10 seconds, while it was busy preparing the "welcome
screen" for login.

Same syndrome seen using Kerio v2 and McAfee v8.

The XP firewall operates as a "service", which means it can start
running even after other parts of the system have become ready (like
the DCOM server processes).  Messing with inter-service dependencies
is tempting, but may bear no fruit as the XPFW may not hook network
drivers low enough to hold them off during startup, and/or it may
depend on other services, creating a Catch-22 sort of problem.

Needless to say, we'll be looking at other firewall products to see if
any are constructed in a way that lets them "fail closed" where they
intercept the network at a low enough layer to deny everything until
they're ready to permit, versus the other way 'round.

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------
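An added example, not part of the original post, that turns the "probe during reboot" test described above into a repeatable audit of your own firewall's boot-time coverage. It polls a TCP port (port 135, the RPC endpoint mapper, is an assumption chosen to match the RPC/DCOM worms mentioned) on a test host you administer while that host restarts, then collapses the samples into the windows during which the port answered. The host name and the constructed sample data are assumptions; the constructed samples only imitate the roughly ten-second exposure the post reports.

```python
"""Measure how long a host answers on a port while it reboots.

Poll host:port repeatedly, record when TCP connections succeed, and report
the contiguous windows of reachability.  Empty output means the filter held
the port closed for the whole observation (fail closed); a non-empty window
during boot is the gap between the IP stack and the firewall service.
"""
import socket
import sys
import time


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port completes, False otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sample_reachability(host: str, port: int, duration_s: float, interval_s: float = 0.5):
    """Poll host:port for duration_s seconds; return [(seconds_since_start, reachable), ...]."""
    samples = []
    start = time.monotonic()
    while True:
        t = time.monotonic() - start
        if t >= duration_s:
            break
        samples.append((round(t, 2), probe_tcp(host, port)))
        time.sleep(interval_s)
    return samples


def exposure_windows(samples):
    """Collapse samples into (start, end) intervals during which the port answered.

    A window still open at the last sample is closed at that sample's time, so
    its reported length is a lower bound on the real exposure.
    """
    windows = []
    opened_at = None
    for t, reachable in samples:
        if reachable and opened_at is None:
            opened_at = t
        elif not reachable and opened_at is not None:
            windows.append((opened_at, t))
            opened_at = None
    if opened_at is not None and samples:
        windows.append((opened_at, samples[-1][0]))
    return windows


def total_exposure(samples) -> float:
    """Total seconds the port was reachable across all windows."""
    return sum(end - start for start, end in exposure_windows(samples))


# Constructed data (assumption, not a real capture): one sample per second,
# the IP stack answering from ~4 s after power-on until the filter starts at ~14 s.
CONSTRUCTED_BOOT_SAMPLES = [(float(t), 4 <= t < 14) for t in range(20)]


if __name__ == "__main__":
    # Usage: python probe_window.py <test-host> <port> <seconds>
    # Start this, then reboot the test host and compare the windows with its boot timeline.
    host = sys.argv[1] if len(sys.argv) > 1 else "testhost.example"  # assumed hostname
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 135
    duration = float(sys.argv[3]) if len(sys.argv) > 3 else 120.0
    observed = sample_reachability(host, port, duration)
    for start, end in exposure_windows(observed):
        print(f"port {port} reachable from {start:.1f}s to {end:.1f}s ({end - start:.1f}s)")
    print(f"total exposure: {total_exposure(observed):.1f}s")
```

Run it from a second machine on the same segment, reboot the test host, and read the windows against the host's own boot log; a product that hooks the network stack low enough to "fail closed" should produce no window at all, while the behaviour described in the post shows up as a window of several seconds just before the login screen appears.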
