Notes on the AVG Firewall.  Feb 2010.

 

This Document

This document is an attempt by me to improve the rather lamentable manual that AVG produce about their firewall.

Technically the Firewall seems an excellent affair, though I'm no expert judge as I have only seen and handled three or four in any depth.

This document was forced on me when a customer using an AVG business solution ran into trouble. I diagnosed the problem as being the firewall by the simple expedient of turning it off and seeing if the problem went away; it did. So I turned to the AVG manual, and was sorely disappointed.  There is little technical content, hardly any explanations, and only the words are English: the grammar and syntax are Czech, I guess.

So this is an extract of the AVG pdf for version 9.  I can't be bothered to copy over all AVG's images but recommend these notes are read in conjunction with the AVG manual.

 

Overview

The AVG Firewall works using “Profiles”.  A Firewall can contain as many profiles as the administrator cares to configure.  Each profile effectively contains two lists:

1.  A list of all the network adaptors and network address ranges that the PC can currently see, and whether this profile considers them safe or unsafe to use.  

2.  A list of all the applications and services inside the PC, and how this profile should individually allow them to behave. 

A computer can find itself in a number of different network “environments”. For example: connected directly to the Internet, connected to a Home LAN, connected to an Office LAN, connected to a Public Wireless hot-spot, etc.  Each of these environments can be assigned an appropriate Firewall Profile.

The firewall can automatically switch between profiles based on network changes it detects.

 

Limitations and Restrictions.

The automatic profile switching could be a very powerful tool, however it is largely ineffective because of the widespread use of the 192.168.x.x sub-net: I don't think the firewall has any current way of detecting the difference between a Home LAN using 192.168.x.x and a public Wireless hotspot using the same IP range.  As many wireless routers use 192.168.1.x as default there is a security risk that the AVG firewall will think it is on the Home LAN and open up its ports when, in fact, it has found a Wireless hotspot.  The solution, of course, is for the firewall to check for pre-set signatures that are unique to its Home LAN, for instance: the IP address of the sub-net router, the SSID of the Wireless LAN it has connected to (is that possible?).
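The signature check proposed above, written out as an added Python example (not AVG's code, and not how the AVG firewall actually works): a profile is selected only when every attribute recorded for a known network agrees, so two networks that both hand out 192.168.1.x addresses are still told apart by the router's address, its MAC and the SSID. It goes slightly beyond the paragraph by also including a range-only entry pre-set for a network the PC has not yet met. The profile names, addresses, MAC and SSID are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Constructed illustration of the "pre-set signature" idea: a profile is
# chosen only when every attribute the signature records agrees, not
# merely because the PC has been handed a 192.168.x.x address.
@dataclass(frozen=True)
class NetworkSignature:
    profile: str                        # profile to activate (names assumed)
    subnet: str                         # IP range the PC expects to receive
    gateway_ip: Optional[str] = None    # address of the sub-net router
    gateway_mac: Optional[str] = None   # router's hardware address
    ssid: Optional[str] = None          # wireless network name

@dataclass(frozen=True)
class DetectedNetwork:
    local_ip: str
    gateway_ip: str
    gateway_mac: Optional[str] = None
    ssid: Optional[str] = None

def matches(sig: NetworkSignature, net: DetectedNetwork) -> bool:
    """Every attribute the signature records must agree; unset ones are skipped."""
    if ip_address(net.local_ip) not in ip_network(sig.subnet):
        return False
    if sig.gateway_ip is not None and sig.gateway_ip != net.gateway_ip:
        return False
    if sig.gateway_mac is not None and sig.gateway_mac.lower() != (net.gateway_mac or "").lower():
        return False
    if sig.ssid is not None and sig.ssid != net.ssid:
        return False
    return True

def choose_profile(signatures: Sequence[NetworkSignature], net: DetectedNetwork,
                   fallback: str = "Public hotspot") -> str:
    """First matching signature wins; an unrecognised network gets the restrictive fallback."""
    for sig in signatures:
        if matches(sig, net):
            return sig.profile
    return fallback

# Constructed signatures: a home LAN pinned to its router and SSID, and an
# office range pre-set by IP range alone, before the PC has ever seen it.
KNOWN = [
    NetworkSignature("Home LAN", "192.168.1.0/24", "192.168.1.1",
                     gateway_mac="00:11:22:33:44:55", ssid="HomeNet"),
    NetworkSignature("Office LAN", "192.168.99.0/24"),
]
```

A hotspot that happens to use 192.168.1.1 as its router falls through to the fallback because the MAC and SSID do not match the home signature.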

 

The rest of this document refers to the section numbering in the AVG manual.  

 

10. Firewall Settings

The Firewall configuration dialogues open from a separate place in the AVG control panel.  So you won't find the firewall settings where the rest of the anti-virus and anti-everything-else settings are.

 

10.1. General

The only buttons on this page are Import and Export, which allow you to copy all the settings in your firewall into a file. You can then either save the file as a backup of your firewall settings or copy the file to another machine and there Import the settings.  What this section does not say, and I have yet to find out, is how this all works if you are using the AVG control centre.  From the Control Center you can ship a firewall config to a number of PCs, but I have yet to discover exactly how this works.

 

10.2. Security

This section is fairly obvious. One permission set is for overall changes and the other is restricted to the pop-up dialogues that occur when you haven't set a defined rule.  What is not clear is how much damage an untrained user could do in a confirmation dialogue. Need to check this – are they restricted to pre-set choices?

 

10.3. Areas and Adapters Profiles

This is probably the most important area as the settings on this page allow the firewall to switch automatically between profiles depending on the network connectors and IP ranges it is picking up.  However, despite its importance there are almost no controls in this page.

 

· Disable area detection and automatic profile switch – Ticking this box will stop the firewall from automatically switching between profiles as it detects changes in its networks. This does not stop you switching between profiles; it's just that you have to do it manually. Of course if your PC is fairly static and is only ever going to need a single profile, then define that profile, tick this box, and set the profile manually.  If you only have one defined profile but leave this box un-ticked, I am not sure if the firewall is intelligent enough to realise there is only one profile and stop trying to detect network changes. I suspect it might be.

Note also that detection is “change” triggered.  The active profile switches when the firewall detects a change in its networks; it does not continuously monitor its status.  So if something or somebody switches the profile to an inappropriate setting it will remain there until the firewall next detects a change in its network connections.  I guess the firewall assumes that manual profile changes are made by someone who knows what they are doing.  Maybe there should be a “prevent manual profile changes” button???

 

· List of adapters, areas and assigned profiles – Here is where the fun begins: I am not sure how or when the Firewall produces its list of adaptors. I suspect it only lists the adaptors it finds in the Windows “Network Connections” panel, because if I load VPN software “on the fly” so that it does not list itself in the Windows panel, the firewall does not pick it up.

 

I am also not sure of the distinction between Adaptors and Areas.

For instance:

Traffic arriving over an Ethernet LAN card is almost certainly on an internal LAN somewhere, or through a NAT gateway, and not direct to the Internet.

Traffic arriving over a 3G mobile broadband modem is almost certainly connected directly to the Internet.

Traffic on an 802.11 Wireless adaptor could be either on an internal LAN or in a hot-spot somewhere, and so has no obvious profile.

The only config control in this area is the ability to delete an entry or assign an entry a profile.

I cannot find out how to add new Network Areas or adaptors.  There is an argument that Adaptors should only be added when detected by Windows, although this seems to fail when VPN software is loaded. But any firewall should be able to be pre-set with network ranges that the PC has yet to meet. I want to be able to tell the Firewall, in advance, that when it meets the IP range 192.168.99.x it is to use profile XXX. It appears that the only way of configuring that is to wait for the firewall to detect the IP range and ask the question of which profile to use in a pop-up.

 

 

· Advanced settings – Disabling notification of profile switching seems OK to me, but if you disable the dialogue that appears when a new network is detected how does the firewall decide if it's safe or not?  And if it just assumes all networks are unsafe, then ticking this box would stop the firewall learning about new safe networks.  Interestingly there is a “Gaming” mode setting on individual profiles that does ask the question about what assumption to make. Why not ask that here?

 

10.4. Logs

One of the main things one needs to see in the log is the firewall switching between profiles: “Network XXX detected – switching to profile 123”, “Profile 456 – manually activated”, etc.   Unfortunately the log doesn't record switching events, so although it logs all traffic events as one would expect, the profile in force at the time is unknown and it is not possible to tell whether the packet events were supposed to happen or were an error.

 

 

10.5. Profiles

Clicking on the “Profiles” tab rather than a specific profile name gets you to the “Profiles' settings” [[Note correct use of apostrophe, so someone in AVG speaks good English!]]  where you can create or delete profiles, decide whether a profile should use the AVG trusted database, and finally activate a given profile. Apart, obviously, from the one in bold letters which is already the active profile.

There is no “add” button. You create a new profile by duplicating the existing profile that most nearly corresponds to what you want, renaming it, and then clicking on the new profile to change its settings away from the profile you duplicated.

 

Note that clicking on a profile and then clicking “activate profile” does not actually activate the profile even though the bold lettering switches to it. The profile is only activated when you hit the “Apply” button on the bottom of the page. The profile may not remain active – see “Area detection” above.

 

Before moving on to the "Applications" or "System services", you need to understand "rules".  A rule lists a "protocol" (for instance UDP or TCP), a direction (in or out), local ports, remote ports, and remote addresses.  They allow an application or service to be very specifically controlled as to what it can send where.

 

10.5.1. Profile Information

This is where individual profiles are configured. This initial screen sets some basic parameters.  

 

10.5.2. Defined Networks

This is puzzling. Most of the items that appear on this page are put there automatically by the Firewall. Here is a screen shot of my test frame.

 

Firewall Screenshot

 

Most of the entries have been added by the Firewall and cannot be altered. I know this because if I reboot the PC without a network connected, and thus with no data from DHCP, all of the network addresses disappear.  So although the top 10 lines are there, only the top three, and the broadcast / multicast, have allocated addresses. All the 192.168.x.x stuff disappears!

Also there must be some weird priority stuff going on as the local IP address is declared safe at the top and unsafe at the bottom!

Also the system seems to be including the WINS and DNS target addresses in an unsafe list. Surely this is just for the WINS and DNS ports (understandable) and not all ports on that address.

 

Of the controls on the right:

Add network – I can use at any time. I added TEST LAN NAME for instance.

Edit network – only works on: the network I added, Fictive Local IP address, and the three items at the bottom of the list, all of which are adaptors.

Delete network – Only works on the Network I added.

Mark as Safe/Unsafe – Only works on the network I added and the three adaptors at the bottom.

 

This is as far as I have got with the analysis. More will follow; the rest is still original AVG text.

 

10.5.3. Applications

Most applications are controlled in what they can send through the firewall. They can send either: nothing, anything to a "safe" address, anything to any address, or cause a pop-up to ask the user. 

However, there is a fifth "advanced settings" option that allows rules to be set against applications thus controlling exactly what they can send where.
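How the four basic application settings and the "advanced" rule list described above fit together, as an added Python example (not AVG's code; the field names, the first-match rule order and the deny-by-default when no rule matches are my assumptions, and the addresses are constructed). A rule carries the five items listed under "rules" in 10.5: protocol, direction, local ports, remote ports and remote addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Set

# Constructed model of a rule as the notes describe it: protocol, direction,
# local ports, remote ports and remote addresses. None means "any".
@dataclass
class Rule:
    protocol: str                       # "TCP" or "UDP"
    direction: str                      # "in" or "out"
    local_ports: Optional[Set[int]]
    remote_ports: Optional[Set[int]]
    remote_nets: Optional[Sequence[str]]  # CIDR ranges
    action: str                         # "allow" or "block"

@dataclass
class Packet:
    protocol: str
    direction: str
    local_port: int
    remote_port: int
    remote_ip: str

def in_nets(ip: str, nets: Sequence[str]) -> bool:
    return any(ip_address(ip) in ip_network(n) for n in nets)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field the rule specifies must agree with the packet."""
    return (rule.protocol == pkt.protocol and rule.direction == pkt.direction
            and (rule.local_ports is None or pkt.local_port in rule.local_ports)
            and (rule.remote_ports is None or pkt.remote_port in rule.remote_ports)
            and (rule.remote_nets is None or in_nets(pkt.remote_ip, rule.remote_nets)))

# Addresses this profile treats as "safe" (constructed sample).
SAFE_NETS = ["192.168.1.0/24"]

def decide(mode: str, pkt: Packet, rules: Sequence[Rule] = ()) -> str:
    """mode: 'block', 'safe_only', 'allow_all', 'ask' (the four basic
    settings) or 'advanced' (consult the application's rule list)."""
    fixed = {"block": "block", "allow_all": "allow", "ask": "ask"}
    if mode in fixed:
        return fixed[mode]
    if mode == "safe_only":
        return "allow" if in_nets(pkt.remote_ip, SAFE_NETS) else "block"
    if mode == "advanced":
        for rule in rules:              # first matching rule wins (assumption)
            if rule_matches(rule, pkt):
                return rule.action
        return "block"                  # no rule matched: deny (assumption)
    raise ValueError(f"unknown mode {mode!r}")
```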

 

 

10.5.4. System Services

Most of the profiles seem to contain the same 24 rules with different settings depending on the profile used, but the "small home or office network" profile seems to carry some 36 rules.

Although the rules seem fairly sensible the weird thing is that they all seem to carry the usual "allow for all" or "block" actions, yet when you edit one it only allows the selection and editing of rules.  So somewhere there is a set of pre-defined rules for certain actions.

 

Why you can set certain logging actions here in the System services of a specific profile rather than in the "Logs" area where you would expect is anybody's guess. Interestingly there is no "Logs" area in the AVG control centre, presumably because logs are kept on individual PCs and not in the control centre. So someone must have assumed that the "logs" area is for accessing the logs rather than configuring them!

 

Log unknown traffic