Personal Firewall Test: Norton 2000 Personal Firewall

By Seán Boran

 


January 26, 2001 - This article is part of a series of tests on Personal Firewalls/Intrusion Detection Systems. Refer to [1] for an introduction to personal firewalls, risks, tips on "hardening" your Windows even without a firewall, a feature comparison and a summary of analyses.

January 26th 2001 update:

This report focuses on the Norton 2000 Personal Firewall.



Security Effectiveness Tests

Key criteria in choosing a personal firewall are:

How did we test firewall/intrusion detection effectiveness?

a) Ping and accessing shares to and from the test host.

b) A powerful, well known "remote control" Trojan (Netbus Pro v2.1) [3] was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

c) The telnet server was enabled on the Win2K test PC. We then attempted to connect to this service remotely. It is not recommended that you enable telnet; we do this purely for testing purposes.

d) An nmap [2] scan was run against each product (see below), to check that incoming ports were effectively blocked. With no firewall installed, the test PC (Win2K SP1) presented nmap (nmap -sT -P0 -O IP_ADDR) with the following ports:

Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
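The two nmap listings in this article (the baseline above and the scan with Norton enabled, reported in the Security Effectiveness section) use slightly different column layouts, which makes eyeballing the difference error-prone. The following is an added example, not part of the original article: a small parser that accepts both layouts and classifies each port as still open, no longer open, newly visible or gone. The sample inputs are the article's own two listings; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Tuple

PortKey = Tuple[int, str]    # (port number, protocol)
PortInfo = Tuple[str, str]   # (nmap state, service name)

# Matches both layouts that appear in this article:
#   "7/tcp open echo"          (nmap's own port table)
#   "113 unfiltered tcp auth"  (the later listing, protocol in its own column)
LINE_RE = re.compile(
    r"^\s*(\d+)(?:/(tcp|udp))?\s+(\w+)\s+(?:(tcp|udp)\s+)?(\S+)\s*$"
)

# Baseline scan of the unprotected Win2K SP1 host, copied from the article.
BASELINE = """\
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
"""

# The same scan with Norton at the "high" firewall setting, copied from the article.
WITH_NORTON = """\
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
113 unfiltered tcp auth
135 open tcp loc-srv
139 unfiltered tcp netbios-ssn
1025 unfiltered tcp listen
1026 unfiltered tcp nterm
No OS matches for host
"""


def parse_nmap(text: str) -> Dict[PortKey, PortInfo]:
    """Return {(port, proto): (state, service)}; header/trailer lines are skipped."""
    ports: Dict[PortKey, PortInfo] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Port State ...", "No OS matches for host", blanks
        port, proto_a, state, proto_b, service = m.groups()
        ports[(int(port), proto_a or proto_b)] = (state, service)
    return ports


def open_ports(scan: Dict[PortKey, PortInfo]) -> List[int]:
    """Port numbers nmap reported as 'open'."""
    return sorted(port for (port, _), (state, _) in scan.items() if state == "open")


def compare_scans(before: Dict[PortKey, PortInfo],
                  after: Dict[PortKey, PortInfo]) -> Dict[str, List[PortKey]]:
    """Classify every port seen in either scan relative to the baseline."""
    result: Dict[str, List[PortKey]] = {
        "still_open": [], "no_longer_open": [], "new": [], "gone": [], "other": []
    }
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key), after.get(key)
        if a is None:
            result["gone"].append(key)          # vanished from the second scan
        elif b is None:
            result["new"].append(key)           # only visible with the firewall on
        elif b[0] == "open" and a[0] == "open":
            result["still_open"].append(key)    # the firewall did not close it
        elif b[0] == "open":
            result["no_longer_open"].append(key)  # e.g. open -> unfiltered
        else:
            result["other"].append(key)
    return result


if __name__ == "__main__":
    report = compare_scans(parse_nmap(BASELINE), parse_nmap(WITH_NORTON))
    for category, keys in report.items():
        print(f"{category:15s} {[p for p, _ in keys]}")
```

Run against the article's data, the "still_open" list is what a reviewer should scrutinise first: those are services that remain reachable despite the firewall, while "new" entries (113 and 1026 here) deserve a follow-up because they were not part of the host's baseline.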


Norton Personal Firewall 2000

Symantec's product [4] has two modules that can be selectively enabled: the Personal Firewall and the Privacy module. It runs in the taskbar, with an "NT service" also running in the background.


Personal Firewall:
"Minimal", "medium", "high" and "custom" protection are available.
The "custom" level allows selection of whether Java applets and/or ActiveX controls are allowed/blocked or prompted. Options for enabling alerts and silently blocking unused ports are enabled by default.

Privacy Module: "Minimal", "medium", "high" and "custom" protection are available.
An interesting feature is the "confidential information," which allows specification of text strings that must be blocked (e.g., bank account number, credit card number). The custom protection allows/blocks/prompts when specific (confidential) information is transmitted. Cookies can be allowed/blocked/prompted, HTTPS (SSL) connection can be enabled/disabled, and browser privacy can be enabled/disabled (i.e. blocks querying of email address and last site visited).

Test setup: Norton Firewall V 2.0 was tested on Windows NT4 SP5 and Win2000 SP1. LiveUpdate was used to download the latest version via the Internet. The version of individual modules within the firewall was v2.5.30, except:

iamapp.exe v2.52.4
ndisdrv.sys v2.5.32
ndisfilt.sys v2.5.32

A corporate version of Norton exists [5]: a console-managed edition that supports rollout and enforcement of corporate policy for the subset of destinations within the corporate net.

There is a live-update feature, which allows updating the program to the latest version via the Internet. It's worth running this every few weeks, although it does not seem to be possible to save the downloaded files for reinstallation. See also [4] for a discussion of blocking "ad spies." An update in July 2000 reduced the number of "ad spies" allowed.


Security Effectiveness

The tests were carried out in the high firewall and default (medium) privacy settings.

  1. The Netbus server could be started, but remote connections were silently blocked and logged.
  2. An nmap scan resulted in the usual list of alerts, which weren't very informative. The "Alert dialog" would pop up with messages such as "Norton Personal Firewall has detected that a network communication is trying to access TCP/IP Services Application. Before your computer can be accessed, you must tell Norton how you would like it to handle this situation." The user must then choose a course of action:

    There was no analysis of the connection that could have helped the user decide whether this was a valid connection or not. For example, the firewall could have checked for other existing and past connections from the same IP address, and informed the user about whether the service is a well known one or not. If many attempts were received from one host, the firewall should offer the user a one-click option of blocking all traffic from that host, and explain why.

    Nmap reported that some services were open, but was unable to detect the OS type. The open services were visible as open connections in the Connections Log Viewer; in fact, they were still open 40 minutes after nmap had stopped. In addition, one wonders what nterm is - a service of the Norton firewall?

    7 open tcp echo
    9 open tcp discard
    13 open tcp daytime
    17 open tcp qotd
    19 open tcp chargen
    113 unfiltered tcp auth
    135 open tcp loc-srv
    139 unfiltered tcp netbios-ssn
    1025 unfiltered tcp listen
    1026 unfiltered tcp nterm
    No OS matches for host

  3. To test the privacy option, a bank account number was configured as "confidential information." Norton detected when this number was submitted via a form in a Web page. It did not notice when the number was sent via email.
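The article does not say why the confidential string was caught in a web form but not in email. One plausible reason (an assumption, not something the article establishes) is transfer encoding: a form post carries the digits almost verbatim, whereas a mail client commonly base64- or quoted-printable-encodes the body, so a filter that matches on raw wire bytes never sees the string. The following added example, which is not Symantec's code, implements a minimal "confidential information" check that decodes both transports before matching, next to the naive byte match that misses the encoded mail. The IBAN-like account number and the two messages are constructed samples.

```python
import base64
import re
from email import message_from_string
from typing import List
from urllib.parse import unquote_plus

# Constructed sample secret, standing in for what a user would type into the
# Privacy module's "confidential information" list.
CONFIDENTIAL = ["CH93 0076 2011 6238 5295 7"]


def _normalize(s: str) -> str:
    # Strip whitespace and case so "CH93 0076 ..." and "ch930076..." compare equal.
    return re.sub(r"\s+", "", s).lower()


def find_in_text(text: str, secrets: List[str] = CONFIDENTIAL) -> List[str]:
    """Return the configured secrets that occur in already-decoded text."""
    norm = _normalize(text)
    return [s for s in secrets if _normalize(s) in norm]


def find_in_form_post(body: str, secrets: List[str] = CONFIDENTIAL) -> List[str]:
    """application/x-www-form-urlencoded: undo %xx and '+' escapes first."""
    return find_in_text(unquote_plus(body), secrets)


def find_in_email(raw: str, secrets: List[str] = CONFIDENTIAL) -> List[str]:
    """Walk every MIME part; get_payload(decode=True) removes base64 / quoted-printable."""
    msg = message_from_string(raw)
    hits: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)          # bytes, transfer-decoded
        charset = part.get_content_charset() or "utf-8"
        hits.extend(find_in_text(payload.decode(charset, errors="replace"), secrets))
    return hits


def naive_byte_match(raw: str, secrets: List[str] = CONFIDENTIAL) -> List[str]:
    """What a filter sees if it compares the wire bytes without decoding."""
    return [s for s in secrets if s in raw]


# Constructed web-form submission carrying the account number.
FORM_POST = "account=CH93+0076+2011+6238+5295+7&note=rent"

# Constructed e-mail whose body is base64 transfer-encoded.
EMAIL_B64 = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: account details\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(b"Please pay into CH93 0076 2011 6238 5295 7, thanks").decode()
    + "\r\n"
)

if __name__ == "__main__":
    print("form post, decoded:     ", find_in_form_post(FORM_POST))
    print("email, raw byte match:  ", naive_byte_match(EMAIL_B64))
    print("email, MIME-decoded:    ", find_in_email(EMAIL_B64))
```

Whatever the real cause of the miss, the design point stands: a string filter is only as good as the decoding layer in front of it, and any transport it cannot decode (SSL, compressed bodies, attachments in a binary format) is a blind spot the user should be told about rather than silently given a false sense of coverage.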

Leakage test: Norton allows certain applications automatic outgoing access for improved ease of use (examples are FTP, browsers, CuteFTP). While useful, this can be a security weakness, since if a Trojan or virus infects the machine, it can pretend to be a "well known application" and fool the firewall into allowing it to access the network without prompting the user. So we ran a few tests to better understand how Norton manages these trusted applications and where weaknesses might lie.

Testing "Automatic Rule Creation":

  1. First we check that absolutely no rules are in the firewall set for "ftp", our test application. There were 4 rules, so we deleted them and restarted the firewall.
  2. Check that "Automatic Rule Creation" (Options - Advanced) is disabled.
  3. Try "ftp" to some destination. Norton will prompt to allow the connection - don't accept for now.
  4. Now re-enable "Automatic Rule Creation."
  5. Try "ftp" to some destination. Norton will allow the connection and automatically create 4 rules entitled "DOS FTP." An entry in Norton's event log also documents the rule creation.

Does "Automatic Rule Creation" check the file/directory name of applications? Yes.

  1. First we run "ftp" from the command-line and note that we can make outgoing connections without being prompted by Norton.
  2. Then we copy the standard c:\winnt\system32\ftp.exe to c:\ and then use this new copy of the ftp executable to access the network. This time Norton prompts us, asking whether we wish to allow the outgoing connection or not.
  3. Likewise if we copy c:\winnt\system32\ftp.exe to c:\winnt\system32\test1.exe and try to use "test1" to access the Internet, Norton prompts us.

Is renaming an application enough to fool "Automatic Rule Creation"? No.

  1. Next we tried to replace ftp.exe with an untrusted application. The "finger" application is not trusted by default (the user is prompted before it accesses the network).
  2. So c:\winnt\system32\ftp.exe was copied to c:\winnt\system32\ftp1.exe and c:\winnt\system32\finger.exe was copied to c:\winnt\system32\ftp.exe.
  3. Then we try to use the "bad" ftp to access the Internet. Norton prompts us.
  4. Of course we copy c:\winnt\system32\ftp1.exe back to c:\winnt\system32\ftp.exe afterwards.

So Norton uses an application's name, folder and contents to decide whether the application requesting network access is "well known" and should be allowed access without prompting the user. This is good. The only open question is how Norton examines the executable contents: does it look at the file header, run a CRC checksum, or compute a strong one-way hash of the file? A one-way hash is the only foolproof method.
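To make the three checks concrete, here is an added example (not Norton's implementation, whose internals the article could not determine) of an application allow-list keyed on name, folder and a SHA-256 digest of the file contents. It replays the copy, rename and replace experiments from the three procedures above on constructed stand-in files in a temporary "system32" folder; the class and function names are the example's own.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class AppIdentity:
    """The three properties the experiments above showed Norton checking."""
    name: str     # executable file name
    folder: str   # directory it is launched from
    sha256: str   # digest of the file contents (a strong one-way hash, not a CRC)


def identify(path: str) -> AppIdentity:
    """Fingerprint an executable by name, folder and content hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    p = os.path.abspath(path)
    # Windows paths are case-insensitive, so normalise before comparing.
    return AppIdentity(os.path.basename(p).lower(), os.path.dirname(p).lower(), h.hexdigest())


class TrustedApps:
    """Allow-list of applications permitted to open outbound connections unprompted."""

    def __init__(self) -> None:
        self._allowed = set()

    def trust(self, path: str) -> None:
        """'Automatic rule creation': remember the identity of an allowed program."""
        self._allowed.add(identify(path))

    def decision(self, path: str) -> str:
        """'allow' only if name, folder AND contents all match a trusted entry."""
        return "allow" if identify(path) in self._allowed else "prompt"


def run_experiments() -> dict:
    """Replay the article's steps on constructed stand-ins for ftp.exe and finger.exe."""
    root = tempfile.mkdtemp()
    try:
        sysdir = os.path.join(root, "system32")
        os.mkdir(sysdir)
        ftp = os.path.join(sysdir, "ftp.exe")
        finger = os.path.join(sysdir, "finger.exe")
        with open(ftp, "wb") as f:
            f.write(b"MZ stand-in for ftp.exe")       # constructed bytes, not a real PE
        with open(finger, "wb") as f:
            f.write(b"MZ stand-in for finger.exe")

        fw = TrustedApps()
        fw.trust(ftp)                                 # ftp is a "well known application"
        out = {"original": fw.decision(ftp)}

        copied = os.path.join(root, "ftp.exe")        # same name and contents, other folder
        shutil.copy(ftp, copied)
        out["copied_elsewhere"] = fw.decision(copied)

        renamed = os.path.join(sysdir, "test1.exe")   # same folder and contents, other name
        shutil.copy(ftp, renamed)
        out["renamed"] = fw.decision(renamed)

        shutil.copy(ftp, os.path.join(sysdir, "ftp1.exe"))  # keep a backup, as the article did
        shutil.copy(finger, ftp)                      # untrusted contents under the trusted name
        out["contents_replaced"] = fw.decision(ftp)
        return out
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for step, verdict in run_experiments().items():
        print(f"{step:18s} -> {verdict}")
```

The hash is what makes the third experiment safe: a CRC is designed to catch accidental corruption, and two deliberately different files can share one, whereas producing a second file with a chosen SHA-256 is computationally infeasible. The cost is that the file has to be read and hashed before the first connection of each process, which is a reasonable price for a host firewall whose whole purpose is to catch a Trojan borrowing a trusted name.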


Advantages

  1. Well thought-out, very powerful, instructive.
  2. Good GUI: easy to use and instructive. Good online help. Tries to address the needs of expert and normal users.
  3. Can be configured to only protect specific applications.
  4. Works well in a mixed Internet/intranet/LAN environment.
  5. "Normal" traffic such as FTP, HTTP, HTTPS, POP3 is allowed out without asking the user (which is a safe assumption for "medium" security in my opinion).
  6. Unused ports are silently blocked (not alerted), and logged. (This makes sense: Don't alert the user unnecessarily.)
  7. The expert user will find a fully fledged firewall waiting to be configured under the "advanced options."
  8. The GUI "Logging of events"/"dynamic rules changes"/"firewall activity" is exemplary. The expert user who wants to find out exactly how a particular application uses the network, will appreciate the flexibility and detailed logging.

Disadvantages

  1. $49/year including updates.
  2. No trial version available.
  3. GUI could be better (e.g., it does not have the simplicity of BlackICE and can be confusing to use).
  4. The Alert dialog could be more informative, could analyze existing and past connections to/from a suspect IP address, analyze the traffic contents and then make a more informed recommendation to the user, rather than just leaving it up to the user to decide.
  5. Requires a reboot during installation.
  6. Custom firewall rules: Protocols like FTP or Ping are not available. The user has to know how to use the individual ICMP/TCP ports.
  7. Bugs:
  8. Outbound TCP/NetBIOS ports (137, 138 and 139) cannot be blocked - this has to be done at the OS level.
  9. Suggested improvements:

Summary

A useful, effective, powerful firewall. Norton is recommended for the SOHO (Small Office/Home Office) user, but it is expensive and requires quite a bit of configuration.

Norton does not document the list of "Trusted Applications," nor can the list be edited. If you are very worried about Trojans and information leakage, consider disabling "automatic rule creation."

It can be problematic with VPN software. Laptop users won't appreciate Norton disabling hibernation/suspend mode.

Addendum: One reader feels that the cookie block features are faulty: Even if a cookie should only be allowed once, it is in fact always allowed. He also likes the "Web Washer" product for its privacy features.


References

  1. Personal Firewalls/Intrusion Detection Systems (the base reference for this article).
    pf_main20001023.html
  2. Nmap
    http://www.insecure.org/nmap
  3. Netbus Pro - remote control program often used as an attack tool to control remote PCs.
    http://netbus.nu/
  4. Symantec's Norton Internet Security 2000
    http://www.symantec.com
    Symantec Knowledgebase - Blocking Radiate Ad Service with Norton Internet Security
    http://service1.symantec.com/SUPPORT/nip.nsf/1b078893dcd782a985256771004dfaa5/cf375937d96ab71d8825689f0002a293?OpenDocument
  5. Symantec Desktop Firewall 2.0 for Windows 9.x, Windows NT 4.0, Windows 2000
    http://enterprisesecurity.symantec.com/products/products.cfm?productID=36

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

Changes to this article

18.Oct.00 Published
09.Dec.00 Notes on Symantec Desktop Firewall, Webwasher, fix master
21.Jan.00 Leakage test, trusted applications

© Copyright 2000, Seán Boran, All Rights Reserved     Last Update: 10 October 2001