Frontier Defense
Keep the bad guys away from your remote outposts
Most of the security tips you find these days will slow down a determined hacker - for about 5 seconds. By that time, his highly modified script has blasted past the errors you've fixed in your operating system and finds the one hole you left unplugged.
If you have a direct Internet connection (cable modem, DSL, ISDN or a T-1 line) and you're not behind an industrial-strength corporate firewall, you're wide open to attack. Even if you're behind a corporate firewall, remember that about half of all damage is done by those on the inside. Disgruntled employees and the insanely curious can do a lot of damage over their lunch break.
Why a personal firewall?
Although most corporate firewalls are relatively safe, break-ins have occurred. When this happens, a personal firewall provides redundancy, protecting users from hackers who've breached the corporate firewall. Unfortunately, most organizations haven't protected their systems from internal threats nearly as well as they have against external ones.
Other areas where you'll need a personal firewall include:
Mobile workers who plug into a variety of networks while traveling. Their laptops may be protected against viruses, but their data is wide open.
Your small, remote or branch office that doesn't have a firewall.
Your telecommuting employees who just got DSL or cable modem access at their home.
Buying a $50,000 enterprisewide firewall is often overkill for protecting the small office or teleworker. Unfortunately, companies are flocking to cable modems as an inexpensive way to connect to the Internet, often with disastrous results.
Unlike hardware-based firewalls, personal firewalls are relatively inexpensive software programs that install directly on each PC in the organization. They take control of the network hardware and perform the same basic functions as corporate firewalls: intrusion detection, access control, policy execution and event logging. They filter all network traffic, allowing only authorized communications. (For more on personal firewall hardware, see "Stop 'em with a box," page 48.)
We tested ConSeal's PC Firewall, McAfee.com's Personal Firewall, Network ICE's BlackICE Defender, Sybergen's Secure Desktop, Symantec's Norton Personal Firewall 2000 and Zone Labs' ZoneAlarm. The products fell into one of three distinct categories: a corporate solution capable of central management; a stand-alone solution better suited for the home office or small business owner; and in the case of ConSeal's PC Firewall, a product that was best suited for the systems administrator requiring detailed control over every aspect of network communications.
Only a few of the current offerings have matured enough to effectively secure your systems against unwanted intruders. Your level of security depends on which one you choose and how you use it.
For personal, home office and small business use, we recommend Zone Labs' ZoneAlarm, an outstanding personal firewall that's highly effective and easy to use.
Secure that desktop
If you intend to use personal firewalls for more than a handful of users, you need some degree of centralized deployment and management. Both Sybergen's Secure Desktop and Network ICE's BlackICE Defender can handle this.
Secure Desktop is just that: secure. It was one of just two products that achieved perfect scores in all security categories. Our tests couldn't even see the ports, much less find one that was open. Instead, our tests reported all ports as "stealth." A passing hacker would believe this machine is either disconnected from the network or turned off. Nor could the tests glean any information that's usually available from a computer connected directly to the Internet, such as the name of the computer, its user or its workgroup. Secure Desktop's strength doesn't stop there. When used with Sybergen Management Server, it efficiently and effectively secures any corporate environment.
Firewall Footprint

| Firewall                                 | Throughput (M bit/sec)* |
|------------------------------------------|-------------------------|
| Personal Firewall (McAfee.com)           | 9                       |
| BlackICE Defender (Network ICE)          | 9                       |
| PC Firewall (ConSeal)                    | 8.7                     |
| Secure Desktop (Sybergen)                | 8.6                     |
| ZoneAlarm (Zone Labs)                    | 7.8                     |
| Norton Personal Firewall 2000 (Symantec) | 6.5                     |

* Reference system (without firewall installed) had 9.7M bit/sec throughput.
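The "stealth" result described above is what a scanner reports when a port neither completes a connection nor answers with a reset. The following probe, an added example written for this page and not part of the review's test suite, classifies a port the same way a port scanner does, so you can check your own firewall's behaviour. The demo_local() function listens on a loopback port of its own so it runs offline; the target addresses in the comments are placeholders.

```python
import socket

def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a scanner does.
    'open'        - the handshake completed, so something is listening
    'closed'      - the host answered with a RST: it's up, but nothing listens there
    'stealth'     - nothing came back before the timeout; a firewall silently dropped
                    the probe (the result the review calls "stealth") or the host is off
    'unreachable' - the network returned an error (e.g. ICMP unreachable) instead
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "stealth"
        except OSError:
            return "unreachable"

def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Probe several ports; a fully stealthed host reports every port the same way."""
    return {p: probe_tcp(host, p, timeout) for p in ports}

def is_stealthed(results: dict) -> bool:
    """The review's passing condition: no port visible as either open or closed."""
    return all(v == "stealth" for v in results.values())

def demo_local() -> tuple:
    """Offline demonstration: listen on a loopback port, probe it, close it, probe again.
    The second probe gets a RST, which is exactly what a stealthing firewall suppresses."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close

if __name__ == "__main__":
    print(demo_local())
    # Against a host you administer (placeholder address), e.g. the NetBIOS ports:
    # print(is_stealthed(scan("192.0.2.10", [135, 137, 139, 445])))
```

A host that returns "closed" for an unused port is telling the scanner it exists and is up; only "stealth" across every probed port gives the "disconnected or turned off" impression the review describes.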
Secure Desktop uses a deceptively simple control panel that can set five security settings: ultra high, high, medium, low and off. Ultra high and off are overkill - you'd be better off unplugging the RJ-45 jack or uninstalling the software. The high setting, however, gave us complete Internet access through Internet Explorer and Outlook, while achieving a perfect security score. When we tried using other programs, however, Secure Desktop prompted us to add that application to its "allowed" area. Applications that are granted network access retain that access regardless of the security level you may have set.
Secure Desktop also lets the administrator set a security level based on the time of day. This gives users the access they require during the day while securing their systems overnight. Users can also choose to have Secure Desktop enter the ultra high security level whenever their screen saver activates. The only downside of this feature is that it may interfere with some network management programs.
We liked that Sybergen included two features with Secure Desktop to assist the IT staff: e-mail notification and password protection. These features weren't evident in some of the other products.
Secure Desktop's primary strength lies in its powerful configuration window. Here you can adjust advanced port settings manually, or choose common configurations such as "allow to browse Network Neighborhood" or "share via Network Neighborhood" simply by checking a box. Other options include one-click administration of Dynamic Host Configuration Protocol (DHCP), several well-known VPNs, pcAnywhere and more. If you'd prefer to control port access manually, Secure Desktop lets you open specific local ports to the outside, as well as allow internal applications access through specific ports. Both options can be set on TCP, UDP or both, thus providing extremely detailed port control.
The installation was routine, although Secure Desktop requires you to provide an unlock key and reboot your system to complete the installation. We found Sybergen's list of known issues refreshingly thorough because it highlighted all issues that may have an impact on your particular installation, such as the fact that it will not support Internet Chess Server. The program's documentation was equally detailed but without the wordiness of some of the other products.
Stopping the script kiddies
Network ICE's BlackICE Defender gets its name from an acronym for "Intrusion Countermeasure Electronics," referring to software that responds to intrusion by attempting to immobilize or kill the intruder.
While BlackICE doesn't go quite that far, it does employ a feature called Backtrace, which lets BlackICE learn details about the intruder. When combined with BlackICE's Evidence File, Backtrace is highly useful at bringing repeat offenders to justice by logging activity in a format suitable for prosecution. If you want to go after the script kiddies, this is definitely the product for you.
Unfortunately, while BlackICE Defender blocks inbound ports, it doesn't control applications. Thus, if a Trojan horse finds its way onto your system, it can open an outbound connection to its author through any port, because outbound traffic is never restricted.
BlackICE has four security levels: trusting, cautious, nervous and paranoid. While each level allows full outbound communication, the program provides increasingly restrictive filters on incoming traffic. When you manually input an IP address into either the trusted IP address or blocked IP addresses, BlackICE either allows complete access or completely blocks packets from those senders. Network ICE recommends strongly against adding IP addresses to the trusted block unless you're absolutely certain they're safe. Unfortunately, BlackICE has no provision for entering ranges of IP addresses or subnets.
Because source IP addresses are easily spoofed, it's a good idea to configure your border routers to drop packets that arrive from outside yet bear source addresses from your own subnet (ingress filtering, described in RFC 2827). If that's in place on your network and your routers are reasonably safe from attack, it's probably safe to enter addresses within your subnet into BlackICE's trusted list. Otherwise, you're better off just letting BlackICE filter the packets.
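The decision logic a border router applies for that filtering, and the reason an address-based trust list is only as good as the router in front of it, is shown in the following added example. It is illustrative code written for this page, not BlackICE's or any router vendor's implementation; the subnet, interface names and sample packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical topology for the example: the office LAN behind the border router.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed (documentation range)

# Sources that should never arrive from the Internet side: private space and loopback.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

@dataclass(frozen=True)
class Packet:
    iface: str      # "external" (Internet side) or "internal" (LAN side) of the router
    src: str
    dst: str

def filter_decision(pkt: Packet) -> str:
    """Return 'drop' or 'pass'. Two halves of anti-spoofing filtering:
    inbound packets must not claim an inside source (RFC 2827 ingress filtering),
    and outbound packets must carry an inside source (egress filtering)."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "external":
        if src in INTERNAL_NET:
            return "drop"          # spoofed: our own subnet arriving from outside
        if any(src in net for net in BOGON_NETS):
            return "drop"          # unroutable source, cannot be a legitimate client
        return "pass"
    if pkt.iface == "internal":
        if src not in INTERNAL_NET:
            return "drop"          # an inside host forging somebody else's address
        return "pass"
    raise ValueError(f"unknown interface {pkt.iface!r}")

def trusted_source(pkt: Packet, trusted: set) -> bool:
    """A per-host 'trusted address' list as a personal firewall applies it.
    Trust by address is only meaningful once spoofed packets have been dropped
    upstream, so the router decision is folded in rather than trusting on address alone."""
    return filter_decision(pkt) == "pass" and pkt.src in trusted

# Constructed sample traffic for the demonstration
SAMPLES = [
    Packet("external", "198.51.100.7", "192.0.2.10"),   # ordinary Internet client
    Packet("external", "192.0.2.5", "192.0.2.10"),      # spoofed: claims to be inside
    Packet("external", "10.1.2.3", "192.0.2.10"),       # private source from the Internet
    Packet("internal", "192.0.2.5", "198.51.100.7"),    # normal outbound
    Packet("internal", "203.0.113.9", "198.51.100.7"),  # inside host forging its source
]

def run_samples() -> list:
    return [filter_decision(p) for p in SAMPLES]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLES, run_samples()):
        print(f"{p.iface:8} {p.src:>15} -> {p.dst:<15} {verdict}")
```

The second sample packet is the case the paragraph warns about: without the router's ingress rule, a trusted-list entry for 192.0.2.5 would wave it straight through.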
In addition to its four security levels, BlackICE has four alarms: critical, serious, suspicious and informational. We left BlackICE on the system while it was connected directly to the Internet during a lunch break. When we returned, we had one critical, two serious and more than 30 suspicious and informational alarms. Armed with BlackICE's outstanding log information, we backtraced and discovered that the critical event had been a genuine attempt to find points of entry into the system.
Unfortunately, BlackICE is entirely too wordy when it comes to reporting events - it logs everything. Fortunately, its history window lets you see a time-dependent representation of network traffic as it relates to potential attacks.
Also to its credit, BlackICE Defender scored top honors in the ease-of-installation category, installing itself as a service in Windows NT without a reboot. All corporate software should install this easily because reboots during mass upgrades can be disconcerting for users.
BlackICE's documentation is thorough, covering all the program's many features. It also contains a very good primer on intrusion detection and how to respond in an appropriate manner. For example, Network ICE strongly discourages retaliation hacking, because it's a quick way to lose your ISP.
Zone defense
For a stand-alone solution for a small business, personal use or a teleworker, look no further than Zone Labs' ZoneAlarm. The security was rock-solid, and the product worked exactly as advertised. We found this surprising for a relatively new product, especially for one designed strictly as a stand-alone.
ZoneAlarm is perfect for individual use and even protects dial-up users. It supports Windows 95, 98, NT and 2000, and runs just fine on 486-class machines; it used only 2.3M bytes of RAM under Windows NT.
ZoneAlarm installs two services during installation - the TrueVector Basic Logging Client and the TrueVector Internet Monitor. Zone Labs' patented TrueVector technology monitors and controls all network activity - whether someone is logged on to the machine or not.
All alerts for unknown activity are simple and give you two choices: allow the connection or refuse the connection. ZoneAlarm also asks you whether or not you want it to remember your choice. Alarms for known activity are merely informative, but the program gives the user the option of not viewing them. Regardless of a user's choice, ZoneAlarm still logs all activity.
ZoneAlarm's firewall has three security levels (high, medium and low) and divides the network into two zones (local and Internet). Zone Labs recommends the high setting for the Internet zone, which blocks everything until you specifically authorize it. This is one reason ZoneAlarm isn't ready for mass installations: each copy must be trained by its user, one application at a time. ZoneAlarm also uses a "stealth mode," which hides all ports not in use by an authorized program by simply not responding to probes, such as those encountered during port scans.
The medium setting is best reserved for the local zone. It still enforces the application privileges set by the user, but allows local network access to Windows services and to shared files and drives.
The user must define those resources allowed in the local zone. These can include the machine's own adapter (for loopback and other services), and other computers. Fortunately, you don't have to enter an IP address for every computer, as ZoneAlarm lets you enter host/site names, single IP addresses, ranges or subnets.
Finally, the low setting is best if you're running a server internal to your network. The most likely installation in this case would be a file or print server behind a hardware-based firewall.
ZoneAlarm's current release adds MailSafe, which scans all e-mail for the presence of Visual Basic script attachments (such as the infamous "ILOVEYOU" virus). If such an attachment is found, MailSafe isolates it and warns you if you try to run it. Although MailSafe is active by default, it can be disabled via the security panel.
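The check MailSafe performs is easy to get wrong: what matters is the attachment's last extension, since Windows runs LOVE-LETTER-FOR-YOU.TXT.vbs as VBScript no matter what sits in the middle of the name. The following is an added example written for this page, not Zone Labs' code, showing one way to find such attachments in a MIME message and neutralize them by renaming. The message it scans is constructed inline; the extension list beyond .vbs is this example's own addition.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions Windows Script Host executes on double-click. The text names only .vbs;
# the rest are this example's addition.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

def is_script_attachment(filename: str) -> bool:
    """True if the attachment would run as a script when opened. Only the final
    extension counts; a misleading '.TXT' in the middle changes nothing."""
    return PurePosixPath(filename.strip()).suffix.lower() in SCRIPT_EXTENSIONS

def quarantine_scripts(msg: EmailMessage) -> list:
    """Rename every script attachment so double-clicking opens nothing executable.
    Returns the original filenames that were quarantined."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and is_script_attachment(name):
            safe = name + ".quarantined"
            part.set_param("filename", safe, header="Content-Disposition")
            if part.get_param("name") is not None:       # some clients repeat it here
                part.set_param("name", safe)
            found.append(name)
    return found

def scan_raw(raw: bytes) -> tuple:
    """Gateway-style entry point: parse the raw message, quarantine, report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = quarantine_scripts(msg)
    remaining = [p.get_filename() for p in msg.iter_attachments()]
    return found, remaining

def build_sample() -> EmailMessage:
    """Constructed sample shaped like the ILOVEYOU mail: a short body, a .vbs
    attachment hiding behind a .TXT middle extension, and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b'MsgBox "constructed sample, not a real worm"',
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    msg.add_attachment("quarterly figures", filename="report.txt")
    return msg

if __name__ == "__main__":
    print(scan_raw(build_sample().as_bytes()))
```

Renaming rather than deleting keeps the evidence and lets a user who really wants the file recover it deliberately, which matches the "isolate and warn" behaviour described above.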
ZoneAlarm's setup was simple, installing the logging client and Internet monitor without a reboot. Unlike most of the other products, ZoneAlarm uses an HTML-based help system stored on your local hard drive, which requires the user to have installed a suitable browser, such as Internet Explorer or Netscape Navigator. The help is divided into 10 sections, corresponding with ZoneAlarm's main features. Within each section are plenty of well-written details to help the user with whatever problems may arise.
Transmitting critical information
We weren't quite as thrilled about the two contenders from the better-known companies, Symantec and McAfee.com.
Symantec's Norton Personal Firewall 2000 uses the same interface as the Norton AntiVirus 2000 management window. Symantec has combined the two so you can manage Norton Personal Firewall 2000 and Norton AntiVirus 2000 from the same control panel.
The Security menu lets you block external access, while the Privacy menu lets you restrict someone at your computer from transmitting private information over an unencrypted connection.
Norton Personal Firewall 2000 was the only product we reviewed that let the user name, computer name, workgroup/domain name and the network interface card's media access control (MAC) address be transmitted in its default configuration. All of these are juicy targets for hackers. Although it did close Port 139 (NetBIOS), it let the security scan see the other three open ports on the reference system.
Fortunately, a quick talk with one of Symantec's product support managers revealed that this was by design - many older cable modems require the computer's name for authentication prior to TCP/IP address assignment under DHCP. Symantec avoids potential problems with these modems by using rules that enable the NetBIOS Name and NetBIOS Datagram by default.
Symantec is currently reconsidering its decision and may change the default configuration in future releases. To disable these rules manually, select Options, Internet Security and Advanced Options. Choose the "Firewall" tab on the left and disable NetBIOS Name and NetBIOS Datagram.
Why is it important to block the MAC address? It's a globally unique hardware identifier, so when combined with the user and machine names it lets an attacker track a particular machine over time, even when its IP address changes because it's assigned by a DHCP server. Note that the MAC address doesn't travel in ordinary IP packets beyond the local segment; what a remote scanner sees is the NetBIOS node-status reply (UDP port 137), which lists the machine's registered names together with the adapter's MAC address. That's why the NetBIOS Name rule is the one that matters.
Thus, while Norton Personal Firewall 2000 earned average or above-average scores in other areas, it earned the lowest security score of all. The program was among the easiest to install, even though it required a reboot. While its documentation is outstanding, we found the 77-page manual a bit long, although it does make a good primer for the neophyte.
New shell for McAfee
McAfee.com's Personal Firewall fared somewhat better in terms of security, blocking all names and the MAC address, but it still revealed three ports, even when the security settings were set at the highest level. This was odd, given that ConSeal's PC Firewall was easily configured to pass the security test. McAfee.com's Personal Firewall is the desktop version of ConSeal's PC Firewall - McAfee.com purchased the rights to use the engine in their product. While the newer shell is an overall improvement to that of its predecessor, it limits the user's ability to make certain changes, specifically in modifying the rule sets. Then again, McAfee.com's product isn't targeted at systems administrators, as is ConSeal's PC Firewall.
McAfee.com's product has a learning mode similar to ZoneAlarm, but it also employs built-in rule sets similar to those used by PC Firewall. All adjustments by the user simply modify the rule set. The default configuration blocks all network printer and file sharing unless it's specifically checked in the NetBIOS over TCP/IP configuration window. Personal Firewall also lets the user block specific applications.
Although it was fairly easy to manage, its management score suffered from a lack of flexibility and scalability. We liked the product for its simplicity, but to appeal to more than a narrow range of customers it has to work on a variety of systems and for users with a variety of skills. Its requirement that the user install a network driver isn't something most users would be up to. Most corporate users running Windows NT won't have the permissions to do this anyway, which forces the IT staff back into the equation.
We also noticed an annoying glitch shared by ConSeal's PC Firewall and McAfee.com's Personal Firewall. Both produced 1-second freezes about every 10 seconds, reminiscent of a driver conflict. If you decide you want to use this product and a quick test reveals no such problems, you should be fine.
If you're using Norton AntiVirus 2000, however, you may have a problem. Open Norton AntiVirus and go to Options. From the selection tree, choose Exclusions and press New. Enter C:\Program Files\Signal9\*.* in the selection box, click OK, then OK again, and exit the program. On Windows 95/98/2000 systems, you may have to modify the path. Use the same approach for McAfee.com's product.
Installation proceeded without any problems, although the program requires you to install its driver as a network service, an additional and unnecessary step not shared by the other programs. While the installation wasn't particularly difficult, it would be time-consuming in a corporate environment, and is probably beyond someone who's either new to computers or has little experience configuring systems.
Industrial strength
While ConSeal's PC Firewall isn't the personal firewall of choice for individual use, it's a tinkerer's dream come true. PC Firewall has the most capability, granularity of control and flexibility of any of the firewalls we tested. In many ways, it's very much like a hardware-based firewall, complete with password protection.
PC Firewall uses file-based rule sets, which should be developed and tested by the IT staff. These rule sets can then be deployed to the desktop or shared across the network. These aren't simple configurations, but are industrial-strength controls over every detail of network communication, including TCP/IP addresses (connect to, receive connections from), ports (to, from, TCP and UDP), and an application's ability to access each of these.
Although PC Firewall has an automatic learning mode, creating these rule sets from scratch may be daunting. In response, ConSeal has placed 24 rule sets on its Web site for download. While a round of exhaustive testing with all the applications a particular user might access should create a good initial rule set, it's better to begin with the ones available from ConSeal.
ConSeal uses a "Building Block" approach with its rule sets. When you install a second set, it doesn't overwrite the first one. Instead, they're additive. If two rules conflict, the latest rule has priority, which is why ConSeal recommends adding the Building Blocks from the most basic tasks, such as connecting via a cable modem, to the most specific, such as allowing a pcAnywhere client.
Priorities can also be set manually and every detail of the rules can be manually edited. This gives administrators unparalleled control. Different rule sets can be deployed to different groups, giving administrators the ability to allow accounting access to some network resources while denying them access to others.
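The "latest rule wins" semantics described above is what makes install order matter, and it is easy to see why with a small evaluator. The following is an added example written for this page, not ConSeal's rule engine or its file format: two hypothetical building blocks, modelled on the cable-modem and pcAnywhere examples in the text, are installed in both orders and the same inbound connection is decided against each. The pcAnywhere ports and host program name are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" or "out", relative to this PC
    proto: str                  # "tcp", "udp" or "any"
    port: Optional[int] = None  # local port; None matches any port
    app: Optional[str] = None   # application name; None matches any application
    block: str = ""             # which building block contributed the rule

    def matches(self, direction: str, proto: str, port: int, app: Optional[str]) -> bool:
        return (self.direction == direction
                and self.proto in ("any", proto)
                and self.port in (None, port)
                and self.app in (None, app))

def decide(rules: list, direction: str, proto: str, port: int, app: Optional[str] = None) -> tuple:
    """Last matching rule wins, so blocks installed later override earlier ones.
    Returns (verdict, block that decided it); nothing matching means deny."""
    verdict, winner = "deny", "default"
    for r in rules:
        if r.matches(direction, proto, port, app):
            verdict, winner = r.action, r.block
    return verdict, winner

def install(*blocks: list) -> list:
    """Building blocks are additive: each install appends its rules after the existing ones."""
    rules = []
    for b in blocks:
        rules.extend(b)
    return rules

# Hypothetical building blocks, modelled on the text's examples (not ConSeal's real rule files).
CABLE_BLOCK = [
    Rule("deny", "in", "any", block="cable"),            # nothing may connect in from the cable side
    Rule("allow", "out", "udp", 68, block="cable"),      # DHCP client so the modem can assign an address
    Rule("allow", "out", "tcp", block="cable"),          # outbound sessions from any application
]
PCANYWHERE_BLOCK = [                                     # ports/host name assumed for the example
    Rule("allow", "in", "tcp", 5631, app="awhost32.exe", block="pcanywhere"),
    Rule("allow", "in", "udp", 5632, app="awhost32.exe", block="pcanywhere"),
]

def demo() -> dict:
    ordered = install(CABLE_BLOCK, PCANYWHERE_BLOCK)    # basic first, specific last (recommended)
    reversed_ = install(PCANYWHERE_BLOCK, CABLE_BLOCK)  # specific first: the deny-all lands on top
    return {
        "ordered":     decide(ordered, "in", "tcp", 5631, "awhost32.exe"),
        "reversed":    decide(reversed_, "in", "tcp", 5631, "awhost32.exe"),
        "other_app":   decide(ordered, "in", "tcp", 5631, "unknown.exe"),
        "browse":      decide(ordered, "out", "tcp", 80, "iexplore.exe"),
        "unlisted_in": decide(ordered, "in", "tcp", 139, None),
    }

if __name__ == "__main__":
    for case, (verdict, block) in demo().items():
        print(f"{case:12} {verdict:5} (decided by {block})")
```

The manual priorities mentioned above amount to a sort key applied before evaluation, which is why an administrator who edits them by hand has to re-check the whole chain: a single reordering can turn the "ordered" case into the "reversed" one. The "other_app" case shows the value of binding the allow rule to the application, since another program listening on the same port stays blocked.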
Finally, these rule sets aren't just for desktops. You can even apply different rule sets to different network cards. This lets PC Firewall be used in a multihomed system employing packet forwarding or IP routing, thus acting as a full-blown multiport firewall, although without the same processing power available in today's hardware-based firewalls.
Although PC Firewall didn't match Secure Desktop in the initial tests, a quick modification to the rule set we downloaded from ConSeal's Web site fixed this problem. Installing PC Firewall was very similar to installing McAfee.com's Personal Firewall. The only difference was that instead of installing the driver as a service, we installed it as a network protocol. Fortunately, ConSeal includes three pages of detailed instructions.
The user is presented with four types of initial configurations, including basic (blocks all ICMP), cable (for cable modems and DSL/asymmetric DSL users), browse (lets you choose an existing rule set), and none (experts only). Once the installation is complete, you'll want to read the documentation thoroughly. ConSeal's built-in help is sufficient to answer most questions, such as the difference between TCP and UDP ports. Their Web site provides additional information on common hacks, rule set configurations and strategies for successfully implementing PC Firewall in a corporate environment.