a Firewall is purely the Internet facing side of a security solution. Other components monitor the other stuff.
The thing is- a lot of interprocess communication is done via
Named Pipes - interestingly enough, a Socket is really just a Named Pipe that goes to another machine on the net.
So if the Firewall program hooks into the "CreateNamedPipe" API, it will also be able to inspect interprocess communication. of course there really is no way to know wether such communication is malicious, so the benefit of that is fairly low.
Also, since Named Pipes are written/read using the ubiquitous WriteFile/WriteFileEx and ReadFile/ReadFileEx API functions, hooking those will also result in the ability to hook into filesystem calls. This is far easier to inspect then interprocess communication.
Some may say, But BC! I thought internet connections using WinSock used Sockets, not Named Pipes?
Thats true, and I may be wrong in the assertion that WinSock, while representing Socket connections at a high level, is really just using Named Pipes to remote servers deeper down (again, just a educated guess on my part).
The thing is, Although "firewall" software may include these features, the features are not part of the "Firewall" itself and are rather simply part of the software. removing the features would make them no less of a firewall, and other firewalls may/may not have these features (such as Windows Firewall, which is no less of a firewall because of it).
making a broad statement that Firewalls do that is like saying that a image editor allows you to save in TGA format. Sure, a wide variety of image editors do, and it is a common practice, but basic image editors don't always have this ability- but it still makes them no less of a image editor.
See what I'm saying?
