Personal Firewalls/Intrusion Detection Systems

An Analysis of Mini-firewalls for Windows Users

By Seán Boran
www.boran.com/security/sp/pf/pf_main20001023.html


The complexity of Microsoft Windows and browsers/PC applications, and the pervasiveness of networking, have contributed to continual discovery of security weaknesses - which the typical user cannot be expected to follow or understand. Until now the standard tool for defending Windows was the antivirus scanner, but this is no longer enough. The personal firewall has made its debut and may become an essential tool for Windows users connected to hostile networks.

Recent updates:

  1. Introduction
  2. Product Tests
  3. Comparison Charts
  4. Summary and Conclusions
  5. References
  6. Appendix: Acknowledgements | Change history | Reader Comments | About the author

Each product is analyzed in a separate article, with the introduction, summary and conclusions in this document.

This report was awarded "Best Comparative Personal Firewall Review" [6] — thanks to those of you who voted. Help us keep it that way by continuing to provide us with detailed feedback/suggestions.


Introduction

Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated, inflexible, or do not progress quickly enough to keep up with new attacks. They may also be rendered useless by dialup access weaknesses, encryption, VPNs, teleworkers connecting directly to the Internet from home, etc.

An interesting new breed of "personal firewalls" have surfaced that are installed on Windows and allow both beginner and expert users to protect their PCs. The risk faced by the home user on the Internet is analyzed in [4]. Basically, there is a significant risk of information being stolen or destroyed; of your PC being misused to attack others, or used to access sensitive (e.g., banking) software; or simply of PC/network resources wasted; and it needs to be addressed.


Benefits


Precautionary Measures

There are a few measures that Windows users should take, whether they install a firewall or not:


Key Criteria in Choosing a Personal Firewall

  1. Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of service.
  2. Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.
  3. Effectiveness of reaction: discovering identity of attacker, blocking attacks, ease of use.
  4. User interface: ease of use, instructiveness, simplicity, quality of online help. Can rules be easily added/removed/checked? Does the interface suit the way you use your PC? Do you understand the questions the software asks and what it is doing?
  5. Price: how much are you willing to pay initially, and each year for support/updates?


How Did we Test Effectiveness?

  1. Ping and accessing shares to and from the test host.
  2. A powerful, well-known "remote-control" Trojan (Netbus Pro v2.1) [3] was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server was started, and attempts were made to connect to it from a remote system.
  3. The telnet server was enabled on the Win2K test PC, and we then attempted to connect to this service remotely. Enabling telnet is not recommended; we did so purely for testing purposes.
  4. An nmap [2] scan was run against each product (see below), to check that incoming ports were effectively blocked.
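The four steps above boil down to one question for a defender: from the outside, does an inbound connection to a given port get answered at all? The script below is an added example (not part of the original article or any of the reviewed products) that reproduces the port-blocking check of step 4 with a plain TCP connect. It distinguishes a port that answers ("open"), one whose OS actively refuses ("closed", meaning the firewall let the packet through) and one that never answers ("filtered", what a firewall that silently drops inbound packets looks like). The port list, the 2-second timeout and the loopback listener used for self-testing are constructed assumptions; run it from a second machine against the PC that has the firewall installed.

```python
"""Check whether a personal firewall actually hides inbound TCP ports.

Added example, not from the reviewed article. A port that answers is OPEN; one
that refuses is CLOSED (the OS replied, so the firewall let the packet through);
one that never replies within the timeout is FILTERED (the behaviour of a
firewall that silently drops inbound packets).
"""
import socket
import threading
from typing import Dict, List, Tuple

TIMEOUT = 2.0  # seconds; assumption: a LAN test host replies well within this

# Ports matching the review's tests (constructed list): 23 = telnet,
# 139/445 = Windows file sharing, 20202 = an arbitrary high port standing in
# for "a remote-control program listening on a nonstandard port".
DEFAULT_PORTS = [23, 139, 445, 20202]


def probe_port(host: str, port: int, timeout: float = TIMEOUT) -> str:
    """Classify one TCP port on `host` as 'open', 'closed', 'filtered' or 'error'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"          # RST came back: nothing dropped the SYN
        except (socket.timeout, TimeoutError):
            return "filtered"        # no reply at all: dropped by a firewall
        except OSError:
            return "error"           # e.g. host unreachable: network problem, not firewall


def audit(host: str, ports: List[int]) -> Dict[int, str]:
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe_port(host, p) for p in ports}


def unblocked(results: Dict[int, str]) -> List[int]:
    """Ports the firewall did NOT hide: anything that sent a reply (open or closed)."""
    return sorted(p for p, state in results.items() if state in ("open", "closed"))


def start_local_listener() -> Tuple[socket.socket, int]:
    """Self-test helper: bind a listener on an ephemeral loopback port so the
    'open' classification can be exercised without a second machine."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed before anyone connected

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_loopback_port() -> int:
    """Self-test helper: an ephemeral loopback port that is currently unbound."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target, DEFAULT_PORTS)
    for port, state in results.items():
        print(f"{target}:{port:<6} {state}")
    print("not hidden by the firewall:", unblocked(results) or "none")
```

A firewall that merely closes ports (RST replies) still tells an outsider that a host is there; the products the review rates as blocking "incoming ports only" or as "stealth" differ precisely in whether the probe ends up "closed" or "filtered", so the script's summary line is the quickest way to compare two configurations.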


Note on Trojans


Product Tests

Each test report is in a separate document, so that we can continue testing new products and updating the existing results.

McAfee Firewall
pf_mcafee20001011.html  

PGP7 Firewall
pgp7firewall20001006.html
NAI are no longer selling PGP (see also www.pgp.com)
"Network Associates recently announced the closure of PGP Security business unit and the integration of some of its product into other business units. PGP encryption is retained and continues to be the encryption engine within McAfee E-Business Server product line. PGP's Desktop Firewall and VPN client products are continuing as McAfee products. The bundle called PGP Corporate Desktop will be put into maintenance mode. PGPmail, PGPdisk and file, PGPwireless, and PGP Keyserver are also being put into maintenance mode." 

VirusMD
pf_virusmd20001023.html  

BlackICE
pf_blackice20001023.html

ZoneAlarm
pf_zonealarm20001023.html  

Norton (equivalent to Symantec Personal Firewall)
pf_norton20001023.html  

eSafe
pf_esafe20001023.html

ZoneAlarm Pro
pf_zonealarmpro20001108.html
Trend Micro and Zone Labs are involved in a joint venture, joining ZoneAlarm and PC-cillin together. This good news was brought to us by one of our regular readers.

Sygate
pf_sygate20001112.html

Tiny (see also Uzi Paz's remarks)
pf_tiny20001114.html

Conseal
pf_conseal20001221.html

Privacyware Personal Firewall
pf_privatefirewall20010316.html

TermiNET
pf_terminet20010327.html


Personal Firewalls Not Tested, Or Tests Abandoned

AtGuard by WRQ was purchased by Symantec, changed and resold as Norton Firewall, but the original AtGuard has a loyal following on the Net (i.e., despite its being over a year old users are convinced it is a very good firewall and worth discussing in detail). It can block incoming and outgoing connections.

PC Viper Personal Firewall (http://pcviper.com)
This only seems to be available for Win95/98/ME. At the moment I have NT4 and Win2K test PCs available, so no tests can be made of this product for now. A review can be found on http://www.dslreports.com/security/sec014.htm  

McAfee Firewall
This product is based on Conseal's Private Desktop (www.signal9.com). We only tested the McAfee product, since it is presumed that the Conseal product will no longer evolve. Note that Conseal's "PC Firewall" is a different product - see previous section.

Internet Firewall 2000/IF2K (www.digitalrobotics.com)
Although it installed without error on the test NT4 SP5 system, it would not start, giving the error "Internet Firewall 2000 Failed. Make sure you have full system privileges and try again." I was logged in with Administrator privileges. No further testing was conducted with this product.

Biodata's Sphinxwall Firewall (http://www.sphinxwall.com/) V1.0 build 599 was tested briefly:

After reboot, the LAN adapter was dead! No local communications would work, all bindings to the local LAN were missing, and all TCP/IP settings were lost.

De-installation was very painful. It was hours before the computer was fully functional again. The procedure that worked best was: In Control Panel -> Network settings, remove the Biodata protocol, reboot. Then try to remove any Biodata adapters left, reboot. Remove your LAN adapter, reboot. Deinstall SPHINX, reboot. Search the registry for SPHINX entries and reboot. Add your LAN adapter again and set the IP address or other TCP settings, reboot. Check that TCP/IP is not disabled under the network bindings.

HackerTracer (www.neoworx.com/download/download.asp?product=HackTracer)
The trial version does not work on NT or Win2k, so no tests were carried out. An NT version is coming soon and we hope to test it. 

CyberwallPLUS-WS  (www.network-1.com/WSeval/index.htm)
This heavyweight runs on NT and Win2k. Evaluations can only be downloaded from http://www.network-1.com/download/index.html. V6.03 was downloaded and installed on an NT4 SP4 system, but the tests had to be abandoned:

Smoothwall v0.9.6   (sourceforge.net/projects/smoothwall)
"SmoothWall is a Linux cut down to a complete minimal automated installation, providing out of the box security & functionality as a router and firewall, managed by platform independent web browsers. No prior Linux experience required."

Freedom 2.0 (www.freedom.net)
This free tool from Zero-Knowledge sounds interesting. It contains a personal firewall, form filler, cookie manager, ad manager and keyword alert. It has a few unusual requirements though: no NT support (Windows 95, 98, 2000 and ME are OK) and Freedom will not work behind a firewall if it is configured to deny access to certain data ports (51100 TCP/UDP, 51101 UDP, 51102 TCP, 51107 TCP, 51109 UDP). This means it won't work in my existing test setup, but hopefully I'll get a chance to try it in the future.

Internet Connection Sharing
Windows 98 SE (second edition) and Win2000 include the Internet Connection Sharing (ICS) tool, which can be configured on a gateway PC between a cable modem and a hub of internal PCs. Apparently it provides some measure of protection against external attack, but no firewall is included. It hasn't been tested as part of this review, but is mentioned for reference purposes.

Another report examines integrity checkers and Trojan detectors:

Complementary products to Personal Firewalls
pf_other20001023.html

ADSL and hardware firewalls are covered in separate papers:

ADSL: Security Risks and Countermeasures
pf_adsl20010614.html

ADSL Firewalls: Product Reviews
pf_adsl_tests_20010627.html  
 

Tests of more Products

I had planned to test the following products, but sponsorship has dried up, and I mostly use ADSL hardware firewalls now myself:


Comparisons


Feature Comparison

| Product | Security Effectiveness | Restricts Java Applets & ActiveX | File/Registry Integrity Checking | Regular (online) Updates |
|---|---|---|---|---|
| BlackICE | Incoming ports only | No | No | Yes, 1st year |
| eSafe | Low | - | No | No |
| Norton | High | Yes | No | Yes, 1st year |
| ZoneAlarm | High, if understood | No | No | No |
| McAfee | Good, if understood | No | No | No |
| VirusMD | Very low | No | No | Yes |
| PGP7 | High | No | No automatic function, but important files could be PGP signed. | Possible |
| ZoneAlarm Pro | High | No, but does restrict dangerous email attachments. | No | No |
| Sygate | High | No | No | No |
| Tiny | High | No | No | No |
| Conseal | High, if understood | No | No | No |
| Privacyware | Incoming ports only | No | No | No |
| TermiNET | High, if understood | No | No | No |

 

| Product | Allows Custom Rules | Platform | Other tools/features included |
|---|---|---|---|
| BlackICE | Possible | NT, Win2k buggy | - |
| eSafe | Yes | Win9x, NT, Win2k | Sandbox, antivirus (low quality) |
| Norton | Yes | Win9x, NT, Win2k | - |
| ZoneAlarm | - | Win9x, NT | - |
| McAfee | Yes | Win9x, NT. Does not work with Win2k + dialup. | - |
| VirusMD | No | Win9x, NT, Win2k | - |
| PGP7 | Yes | Mac, Win9x, NT, Win2k | File, disk, folder, email, ICQ encryption. VPN. File wiping. Fully functional Mac version. |
| ZoneAlarm Pro | Yes, but could be more flexible. | Win9x, ME, NT, Win2k buggy. | MailSafe: useful checking for dangerous mail attachments. |
| Sygate | Yes, but could be more flexible. | Win9x, ME, NT, Win2k | Time-limited and screen-saver-limited rules. |
| Tiny | Yes | Win9x, NT, Win2k | Time periods for rules, small footprint, syslog logging, remote admin. |
| Conseal | Yes | Win9x, ME, NT, Win2k | - |
| Privacyware | Yes | Win2k, others unknown | - |
| TermiNET | Yes | Win9x, ME, NT, Win2k | Available in 11 languages. |

Note: None of these products restricts JScript, VBScript or JavaScript in Web browsers. ZoneAlarm Pro does restrict them in email attachments.


Price Comparison

| Product | Personal Price | Normal Price | Annual Maintenance |
|---|---|---|---|
| BlackICE | $39 | $39 | $19.95 |
| eSafe | Free | ? | |
| Norton | $50.95 | $50.95 | Support: $29.95/issue or $2.95/minute |
| ZoneAlarm | Free | $20 | $19.95 technical support online and by email |
| McAfee | 10-day trial | $39 | |
| VirusMD | - | ? | |
| PGP7 | $32-$200 | $32-$200 | |
| ZoneAlarm Pro | $39 | $39 | |
| Sygate | Free | $39-$46 | |
| Tiny | Free for home use | $39 | |
| Conseal | $49-$305 | $49-$305 | Updates: 60% of cost price |
| Privacyware | $14.95 | $14.95 | |
| TermiNET | $39-$49 | $39-$49 | |


Usability Comparison

| Product | Ease of Use | User Level |
|---|---|---|
| BlackICE | Excellent | All |
| eSafe | Bad | Advanced |
| Norton | Very good | All |
| ZoneAlarm | Good | Advanced |
| McAfee | Very good | All, if limitations understood. |
| VirusMD | Bad | - |
| PGP7 | Good | Advanced |
| ZoneAlarm Pro | Very good | All |
| Sygate | Good | All (v4 or later) |
| Tiny | Quite good | Knowledgeable-Advanced. Annoying buggy error dialog boxes in Win2k, but evolving fast and interesting. |
| Conseal | Good | Advanced |
| Privacyware | Good | Knowledgeable-Advanced |
| TermiNET | Good | Knowledgeable-Advanced |


Corporate Features

There was a request to cover more of the aspects that matter when personal firewalls are used in a business environment. Some vendors offer special versions for the corporate environment; these are indicated in brackets after the product name.

| Product (corporate version) | Central policy changes? | Real-time remote management? | Runs as service (NT/Win2k)? |
|---|---|---|---|
| BlackICE (ICEcap/Agent/Sentry) | yes, with predefined update times. Upgrades can be pushed too. | yes | yes |
| eSafe | no | no | yes |
| Norton (Symantec Desktop Firewall) | no | no | yes |
| ZoneAlarm | no | no | |
| McAfee | no | no | yes |
| VirusMD | no | no | no |
| PGP7 (admin tool) | yes: LDAP or download | no | yes |
| ZoneAlarm Pro | yes | no | yes |
| Sygate (Enterprise Network) | yes | yes | yes |
| Tiny | no | yes | yes |
| Conseal | no | no | yes |
| Privacyware | no | no | - |
| TermiNET | no | no | no |



| Product (corporate version) | Central logging/alerting? | Create pre-configured install kits? | Prevent user from changing selected options (lockdown)? |
|---|---|---|---|
| BlackICE (ICEcap/Agent/Sentry) | yes | yes | yes |
| eSafe | no | no | no |
| Norton (Symantec Desktop Firewall) | no | yes | no |
| ZoneAlarm | no | no | no |
| McAfee | no | no | no |
| VirusMD | no | no | no |
| PGP7 (admin tool) | SMTP email | yes | yes |
| ZoneAlarm Pro | yes | yes | |
| Sygate (Enterprise Network) | SMTP email | yes | password protection |
| Tiny | syslog | no | yes |
| Conseal | no | no | no |
| Privacyware | no | no | no |
| TermiNET | no | no | password protection |



Other issues that may interest the corporate user are:


Summary and Conclusions


Summary

Personal firewalls are useful and should be considered by any Windows user who directly connects to hostile networks, such as the Internet. They have a role to play in both the corporate and SOHO (Small Office/Home Office) markets. Although many products are immature, there have been major advances over recent months. All these products need to be subjected to more scrutiny and given time to prove their security effectiveness. None of these products is provided with source code.


Conclusions


Free firewalls:


SOHO (Small Office/Home Office) users willing to pay:


Windows 2000 users may prefer Sygate, Norton or Tiny, until ZoneAlarm Pro, BlackICE and McAfee have sorted their problems out.

Laptop users may not like Norton or McAfee, which won't allow powersaving modes to be used (Sygate and Tiny, for example, allow Win2k to hibernate).

Corporate users would probably be interested in ZoneAlarm Pro, PGP7, BlackICE or Sygate due to their support for centralized configuration and rollout. Tiny Personal Firewall allows remote administration.


References

  1. [SecurityPortal is offline]
  2. Nmap
    http://www.insecure.org/nmap

  3. Netbus Pro: Remote-control program often used as an attack tool to control remote PCs.
    http://netbus.nu/

  4. [SecurityPortal is offline]
  5. Toy Box (a collection of tools that may help clean a system possessed by Trojans)
    http://home.earthlink.net/~rmbox/Reticulated/Toys.html
  6. Best Comparative Personal Firewall Review
    http://www.firewallguide.com/freeware.htm
  7. ADSL: Security Risks and Countermeasures - Sean Boran
    pf_adsl20010614.html
    ADSL Firewalls: Product Reviews - Sean Boran
    pf_adsl_tests_20010627.html  
  8. Free remote testing of your open ports:
    Neoworx port probe: http://www.hackerwatch.org/probe/


Other articles that may provide a different perspective:

Personal Firewalls Under Fire - Gary Bahadur
http://www.infosecuritymag.com/articles/july01/cover.shtml


Appendix

Acknowledgements

Many readers provided feedback and useful inputs. Thanks to Interceptor, Tom Chmielarski, Larry Adams, Geoffrey Kidd, Thomas Rude, Paul Rarey, Bill Curnow, Lissi Paffrath, Peter Klammer, Réjane Forré, Michael Semling, Nathan Legg, Lindsay Macauley, Jammie Czaplewski, Henry Markus, Harry Choughcon, John Ceddie, Eagle10, Roderick Davies and the readers specifically noted below.

Comments from readers  


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2002, Seán Boran   Last Update: 16 April, 2002