Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Improving application-based filters

Another approach that can be taken to prevent tunneling through arbitrary protocols is to enhance application-based filters. For instance, PassiveX relies on its ability to execute a hidden instance of Internet Explorer. If the execution of a hidden instance of Internet Explorer were not permitted, or the hidden instance were unable to access network resources, the payload would not be functional [5.1]. It would also be useful to support application-based filters on network activity that occurs on the loopback interface, such as binding to a TCP port on loopback. However, support for this requires a different approach than what is typically employed by most firewall vendors, and such activity would not necessarily be indicative of a malicious program [5.2].

Perhaps one of the most useful enhancements would be to add state-based filtering. One example of a state-based filter would be to prevent outbound communication by applications like Internet Explorer while the user is idle. Though this doesn't prevent communication while the user is active, it does add another layer of protection. Another example of a state-based filter would be to track unrequested internet traffic and to ask the user whether it should be permitted. An example of unrequested internet traffic is the initial HTTP request made by the hidden Internet Explorer instance. In this case, the Internet Explorer process was not spawned by the user, and thus the internet traffic can rightly be deemed unrequested.
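As an added illustration (not code from the paper or from PassiveX), the two state-based filters described above can be expressed as detection logic over host telemetry. The event format, the sample events, the choice of explorer.exe as the "user shell" ancestor that makes a process user-spawned, and the allow/prompt/block verdicts are all assumptions made for this example:

```python
# Constructed sample telemetry, not taken from the paper:
# ("proc": process creation, "idle": user idle state change, "net": outbound connect)
SAMPLE_EVENTS = [
    (0, "proc", {"pid": 100, "ppid": 1,   "image": "explorer.exe"}),
    (1, "proc", {"pid": 200, "ppid": 100, "image": "iexplore.exe"}),  # launched from the shell
    (2, "net",  {"pid": 200, "dst": "203.0.113.5:80"}),               # user active, user-spawned
    (3, "proc", {"pid": 300, "ppid": 250, "image": "iexplore.exe"}),  # parent 250 is not a shell
    (4, "net",  {"pid": 300, "dst": "203.0.113.9:80"}),               # unrequested traffic
    (5, "idle", {"idle": True}),
    (6, "net",  {"pid": 200, "dst": "203.0.113.5:80"}),               # browser traffic while idle
    (7, "idle", {"idle": False}),
    (8, "net",  {"pid": 200, "dst": "203.0.113.5:80"}),               # user active again
]

BROWSERS = {"iexplore.exe"}      # applications whose outbound traffic is blocked while idle
USER_SHELLS = {"explorer.exe"}   # an ancestor in this set marks a process as user-spawned

def user_spawned(pid, procs):
    """Walk the parent chain in the process table (pid -> (ppid, image)).
    A chain that reaches a user shell is user-requested; a chain that ends in an
    unknown parent (e.g. a process we never saw created) is treated as unrequested."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image = procs[pid]
        if image in USER_SHELLS:
            return True
        pid = ppid
    return False

def evaluate(events):
    """Apply both state-based filters to a chronological event stream.
    Returns one (timestamp, verdict, reason) per outbound connection."""
    procs, idle, decisions = {}, False, []
    for ts, kind, f in events:
        if kind == "proc":
            procs[f["pid"]] = (f["ppid"], f["image"])
        elif kind == "idle":
            idle = f["idle"]
        elif kind == "net":
            entry = procs.get(f["pid"])
            image = entry[1] if entry else "<unknown>"
            if image in BROWSERS and idle:
                decisions.append((ts, "block", f"{image} outbound to {f['dst']} while user idle"))
            elif not (entry and user_spawned(f["pid"], procs)):
                decisions.append((ts, "prompt", f"unrequested traffic from {image}, not user-spawned"))
            else:
                decisions.append((ts, "allow", f"{image} user-spawned and user active"))
    return decisions

if __name__ == "__main__":
    for ts, verdict, reason in evaluate(SAMPLE_EVENTS):
        print(f"t={ts} {verdict:6} {reason}")
```

The idle-time rule blocks outright, while the unrequested-traffic rule only yields a "prompt" verdict, matching the paper's suggestion that the user be asked whether such traffic should be permitted.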