Personal Firewall Test: Privacyware Privatefirewall 2.0
By Seán Boran
March 16, 2001 - This article is a part of a series of tests on Personal
Firewalls/Intrusion Detection Systems. Refer to  for an introduction
to Personal Firewalls, risks, tips on "hardening" your Windows even without a
firewall, a feature comparison and a summary of analyses.
This report focuses on the Privatefirewall 2.0 by Privacyware.
Key criteria in choosing a Personal Firewall are:
- Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of
- Effectiveness of intrusion detection: few false positives, alerting of dangerous
- Effectiveness of reaction: discovering identity of attacker, blocking attacks, ease of
- User interface: ease of use, instructiveness, simplicity, quality of online help. Can
rules be easily added/removed/checked? Does the interface suit the way you use
your PC? Do you understand the questions the software asks and what it is doing?
- Price: how much are you willing to pay initially and each year for support/updates?
How did we test attack defense effectiveness?
- Ping and accessing shares to and from the test host.
- A powerful, well known "remote control" Trojan (Netbus Pro v2.1) 3
was installed on the system on a nonstandard port (to make detection more difficult), the
Netbus server started and attempts made to connect from a remote system.
- The telnet server was enabled on the Win2K test PC. It was then attempted to connect to
this service remotely. It is not recommended that you enable telnet; we do this purely for
- An nmap 2 scan was run, to check that incoming ports were
effectively blocked. With no firewall installed, the test PC (Win2K sp1) presented nmap
the following (nmap -v -sT -P0 -O IP_ADDR).
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
Privatefirewall 2.0 by Privacyware  is a relatively small and
Privatefirewall continuously checks and changes settings that allow unauthorized
users access to information stored on a Windows or NT-based PC. Privatefirewall also
constantly monitors other sensitive areas of a PC where intrusion can occur and reports on
their status so that users can make regular decisions about these areas and make changes
V2.0 build 1.12.16 was tested on Windows 2000 SP1.
To get a feel for the GUI, check out the "test drive": http://www.privacyware.com/pf_testdrive2.html.
- Costs $14.95. A trial version is available for download.
- Works on Win95/98/Me, W2K, and NT environments.
- "Hardens" the Windows PC when installed:
- Browser (IE) settings are set to "medium" (which is fine, except you may have
been using "restricted" before). Other browsers such as Opera or Navigator are
- File/printer sharing is disabled.
- It is suggested that network access to DCOM objects be disabled using the Win2k
- Active ports and the corresponding applications can be listed in Report->Port
Tracking Report. No explanation on the applications or ports is given though.
- All reports can be viewed on-screen or in HTML format.
- The status reports, whether DCOM, the browser, network, or file sharing are security
problems. The network icon was always yellow for me, although no problem was indicated.
- Firewall log. It's not clear if only failed or successful attempts are logged.
- Security model:
- Target addresses are divided into "Zones" Internet, Intranet, Trusted
and Restricted (like Internet Explorer). Host/network addresses can be added to each of
these sites. In addition the firewall rules for each site can be customized, for example
ICMP can be allowed, Internet Explorer can be allowed to access websites, etc.
- There are 3 security levels: high, medium and low, with rules attributed to each.
- New "applications" can be added. Each application can have resources (i.e.
filter rules) attached to it. For example, you might attach a rule allowing outgoing tcp
port 22 to your SSH client application. The rule can be enabled for each of the three
security levels. This application and its rules then appear as available options in the
Zone configuration dialogs noted above.
- There are three security policies: Home, Office and On the Road. Each of these policies
can be configured to have different Zones configurations. This allows the laptop user to
easily change firewall behavior depending on whether he/she is working directly on the
Internet, the Office LAN, etc.
1. Ping & shares tests
Incoming ping and access to shares is blocked.
2. The Netbus server
- The firewall did not complain when the Netbus server was started.
- The incoming Netbus connection was stopped.
- The "Port tracking report" did not show Netbus listening on port 30,000,
although "netstat -a" did.
The firewall did not complain when the Telnet server was started. Incoming telnet was
4. An nmap scan
All ports are filtered; the operating system version was not detected. The logs are
filled with alerts, one for each port scanned.
5. Other tests:
- NetBIOS traffic was not detected or stopped.
- Outgoing SSH and ping were allowed.
- Since outgoing connections are allowed, information could easily be leaked out of the PC
without the user knowing. So if an attack could get a Trojan on the PC, a reverse tunnel
could possibly be used to take it over.
- Small, simple but quite powerful.
- Installation and deinstallation were painless.
- Interesting security model.
- Cheap, and a working version can be downloaded to test.
- Works on Windows 2000.
- Separate policies for Home, "On the Road" and Office use.
- Prevention: the PC is examined for weaknesses and the user informed on how to improve
security. For example, the user is encouraged to disable file sharing.
- All outgoing traffic is passed. It should be possible to define rules that block
specific traffic, but I was unsuccessful in my attempts to block outgoing SSH, for
- Understanding where and how to edit rules is not easy.
- Documentation is poor. I could find no detailed information of what the product does on
the website. There is online help, but it is limited.
- User interface:
- A status icon always indicated that I had a "potential security issue,"
although the status report was fine.
- I found the "traffic lights" confusing. Green is completely open, red shut and
orange "normal - filtering." It seems probable that the user would hit green
thinking that the firewall is active in this state. Suggestion: get rid of the green
button. If the user wants to open the firewall fully, he does so by "suspending"
- The GUI is neither the best or worst of products tested so far.
- Zones: It is not possible to look at the details of a particular rule in the
"Custom settings" of a particular zone.
- Intrusion detection:
- Configuration changes are not logged; neither is starting/suspending the firewall.
- Each alert can generate a small window, but this is tiring and will be disabled by most
- The detail of data packets cannot be viewed, just the IP addresses and port numbers.
- Scans are not detected, just each forbidden port connection is logged. This makes it
more difficult to understand the attacks in progress. High-level attack analyses are not
- There is no simple way to block all traffic without logging from an address that is
currently scanning the system.
- No corporate features.
User interface: for some home users, the default configuration is ideal and will work
fine, out of the box. If the filter rules need changing, the user will need time to master
the tool to configure it correctly. The user might inadvertently open the firewall
entirely, as the GUI can be misinterpreted.
Laptop users will appreciate the security policy flexibility.
Security effectiveness: incoming ports are well protected but outgoing ports are
allowed, which is not optimal.
Effectiveness of intrusion detection: alert and logging needs improvement.
Effectiveness of reaction: discovering the identity of attackers and blocking attacks is
Privatefirewall 2 is an interesting product at a good price, but improvement in several
areas would be welcome.
- Personal Firewalls/Intrusion Detection Systems (the base reference for
- Netbus Pro: Remote-control program often used as an attack tool to
control remote PCs.
- Privatefirewall 2.0 by Privacyware
About the Author
Seán Boran is an IT security consultant based in
Switzerland and the author of the online IT Security Cookbook.
16.Mar.01 sb First Publication
|© Copyright 2000, Seán
Boran, All Rights Reserved
Last Update: 10 octobre, 2001