Security /

Frontier defense

Keep the bad guys away from your remote outposts


Selection criteria: We invited all known vendors meeting our selection criteria to submit products for this review. Our primary selection criterion was that the software had to be a true firewall, able to block specific connections based on packet content, as opposed to a port monitor/controller, such as HackerWacker. Each software program was required to examine the source and destination IP addresses, port type (TCP or UDP), port number, associated protocol (HTTP, FTP, finger, POP3, etc.) in layers 3 and 4, and associated application (layer 7). The only entry that did not block on an application basis was BlackICE Defender. However, we included it due to its significant strengths in other areas of firewall protection, as well as its established presence in the personal firewall market. Our second criterion required the software to be capable of being used in a stand-alone configuration. Although CheckPoint Software's VPN-1 Secure Client contains a firewall that resides on the local machine, it is used primarily for encrypting communication between remote and local clients, in conjunction with the VPN-1 Gateway and Policy Server. Because of its required participation in a managed system, it fell outside the scope of our review, as did InfoExpress' CyberArmor. As a personal firewall, CyberArmor is merely one component of the CyberArmor Suite, a managed security system consisting of CyberArmor, CyberServer and CyberConsole, and Policy Manager (see sidebar).

Test / Reference System: We tested all products on a P5-200MMX with 96M bytes of RAM, a 3.0G-byte NTFS formatted boot/system partition loaded with Windows NT 4.0 with Service Pack 6, and a full-duplex LinkSys LNE100TX network interface card. In addition, we loaded the test system with Microsoft Office 97, Outlook 98, 128-bit enabled Internet Explorer 5.01, Diskeeper 4.0, QuickBooks Pro 99, and other software to simulate a typical corporate environment.

Test Network: We used 100Base-TX media (CAT-5) for our network, and a LinkSys BEFSR41 EtherFast Cable/DSL Router with version 1.22 firmware for our switch. In addition, we also used the LinkSys Router for our reference hardware-based firewall. For the security tests we bypassed the router completely, connecting directly to the Internet via a Com21 cable modem.

Security Test: Most hackers scan first, and attack only when they find an unprotected system. Thus, determining the ability of the personal firewall to either close the machine's ports, or to hide them, also known as stealth mode, was our primary goal. While in stealth mode, the machine ignores unsolicited connection attempts, making it appear as if it's either disconnected or turned off.

We chose Gibson Research Corp.'s Shields UP! utility and SecuritySpace.com's Desktop Audit to test the security of the personal firewalls. Steve Gibson's Shields UP! identifies the typical holes in the Windows family of operating systems, such as NetBIOS over TCP/IP, the presence of any hidden Internet servers, open shares, and the ability to gain other system information such as the user name, computer name, and workgroup/domain. Shields UP! also tries reading the NIC's Media Access Control (MAC) address, and scans a few of the more commonly used ports, on the principle that if these ports are unsecured, a hacker need not look any further: your system is probably wide open.

Desktop Audit, on the other hand, is a pure port scanner. It scans the first 1,023 well-known ports, as well as 500 other ports commonly used by hackers, Trojan horses and legitimate services. For a complete list of which ports are assigned to which services, see the Internet Assigned Numbers Authority's port registration database at www.iana.org/numbers.htm. We began with each software's default security settings, from which we obtained the security score. If we found gaping security holes, we increased the settings to determine if the software could plug the hole. If the software failed to stop the intrusion with the maximum security settings, the software was judged inadequate, and would probably not protect a user against an intrusion or an attack.

For our criterion reference, we conducted the security test using both a direct, unprotected Internet connection and a connection protected by our hardware-based firewall. The unprotected connection allowed an intruder to establish an anonymous connection via port 139, assigned to the NetBIOS session service, and revealed the user name, computer name, and workgroup/domain, as well as the machine's exposed shares. It also allowed others to see the MAC address, which is a globally unique identifier of the network card used in the machine. The port scans discovered a total of four open ports: 135, 139, 6667, and 6668.

In comparison, LinkSys' router blocked all attempts to connect to the reference machine, and revealed nothing to the scanners, primarily due to its use of network address translation (NAT) in a hardware-based environment. Due to the firewall's "perfect" score with the two online utilities, this became our security reference standard.
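The three outcomes the review scores (open, closed, and "stealth", where the machine simply ignores the probe) map directly onto what a TCP connect attempt sees: a completed handshake, a refused connection, or a timeout. The following self-audit script, added here as an example and not part of the original review or of either online scanning utility, checks a machine you administer against that same reference standard, in which a firewall scores "perfect" only if every probed port is stealthed. The port list, hostname and timeout are assumptions; the four ports are the ones the review found open on the unprotected reference system.

```python
import socket

# Ports the review found open on the unprotected reference machine
# (135 RPC endpoint mapper, 139 NetBIOS session, 6667/6668 IRC).
REFERENCE_PORTS = [135, 139, 6667, 6668]


def classify_port(host, port, timeout=1.0):
    """Classify one TCP port the way the online scanners in the review do.

    'open'    - handshake completed: a service answered.
    'closed'  - the host answered with a reset (connection refused); the
                port is not listening but the machine is visibly there.
    'stealth' - no answer at all within the timeout: the firewall silently
                dropped the probe, so the host looks disconnected.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "stealth"
    finally:
        sock.close()


def audit_ports(host, ports, timeout=1.0):
    """Return {port: classification} for every port in the list."""
    return {port: classify_port(host, port, timeout) for port in ports}


def meets_reference_standard(results):
    """The review's 'perfect' score: nothing revealed, every port stealthed."""
    return all(state == "stealth" for state in results.values())


def local_listener():
    """Open a throwaway listener on an ephemeral loopback port (for demos/tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Assumption: audit the local machine; replace with the host you administer.
    results = audit_ports("127.0.0.1", REFERENCE_PORTS)
    for port, state in sorted(results.items()):
        print(f"port {port:5d}: {state}")
    print("reference standard met" if meets_reference_standard(results)
          else "some ports are visible to a scanner")
```

Run it from a second machine on the outside of the firewall to reproduce the review's test; run against 127.0.0.1 it only shows which services are listening locally, since loopback traffic never traverses the firewall.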

Throughput Test: We used Ipswitch's WS_Ping ProPack, version 2.2 between the computer and the router's gateway to conduct throughput comparisons, achieving an initial conglomerate score of 9.7Mbps on the reference system.

Janss is the president of Jansys Information Systems, a consulting firm specializing in information systems technologies for small businesses. He can be reached at bizcom@jansys.com.