Personal Firewalls Tests: E-Safe Desktop

An analysis of mini-firewalls for Windows users

By Seán Boran

This article is part of a series of tests on Personal Firewalls / Intrusion Detection Systems. Refer to [1] for an introduction to Personal Firewalls, risks, tips on 'hardening' your Windows system even without a firewall, a feature comparison and a summary of analyses.

This report focuses on the E-Safe Desktop.


Security Effectiveness tests

Key criteria in choosing a Personal Firewall are:

How did we test firewall/intrusion detection effectiveness?

a) Ping and accessing shares to and from the test host.

b) A powerful, well-known 'remote control' trojan (Netbus Pro v2.1) [3] was installed on the system on a non-standard port (to make detection more difficult), the Netbus server was started, and attempts were made to connect from a remote system.

c) The telnet server was enabled on the Win2k test PC, and remote connections to this service were then attempted. It is not recommended that you enable telnet; we do this purely for testing purposes.

d) An nmap [2] scan was run against each product (see below) to check that incoming ports were effectively blocked. With no firewall installed, the test PC (Win2k sp1) presented nmap (nmap -sT -P0 -O IP_ADDR) with the following ports:

Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host


eSafe Desktop

Aladdin's eSafe [4] is described thus:

Anti-vandal protection using eSafe's unique Sandbox II technology. Internet content filtering based on keyword, URL, port and protocol. Resource management and desktop lockdown features. ICSA and Checkmark certified anti-virus protection. eSafe Desktop is compatible with Windows95, Windows98, WindowsNT, Office2000 and now Windows 2000.

Features

Installation: the 'custom' install was chosen and the automatic virus scanner disabled (since previous tests had not been convincing). Default installs did not work well on the test machine. After installation and rebooting, eSafe detects a few applications (e.g. IE, Office, Outlook and Communicator). An icon sits in the task bar which can be used for Anti-Virus or for setting the configuration. Each time you log on, eSafe starts and checks for new "known network" applications. By clicking on the taskbar icon, a protection setting of 'off, low, normal, and extreme' can be selected. Extreme was chosen for the tests below.

Security Effectiveness


a) Trojan: The Netbus server could be started, remote connections worked perfectly, eSafe did not stop them. Adding a firewall rule to block the appropriate port did work and caused an appropriate alert.

b) Ports: An nmap scan seemed to indicate that the machine is not protected at all; no alerts were generated.

Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
445 open tcp microsoft-ds
1025 open tcp listen
TCP Sequence Prediction: Class=random positive increments
Difficulty=16695 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1-RC3

Apparently, eSafe wasn't blocking because it was in "learn mode"; it relies on its sandbox mode for protection. The user is certainly not told that no protection is in place. A test machine was not available for two weeks to wait for learn mode to complete.
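The comparison behind test (b), as an added example that is not part of the original article: a parser for the two nmap output layouts shown above that reports which baseline ports are still open with the firewall installed. The function names are hypothetical; the sample data is copied from the article's two listings.

```python
import re
# Port lines copied from the article's two nmap listings (no firewall / eSafe on).
BASELINE = """7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host"""
WITH_ESAFE = """7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
445 open tcp microsoft-ds
1025 open tcp listen
Remote operating system guess: Windows 2000 RC1-RC3"""

SLASH = re.compile(r"(\d+)/(tcp|udp)\s+(\S+)\s+\S+")      # "23/tcp open telnet"
COLUMNS = re.compile(r"(\d+)\s+(\S+)\s+(tcp|udp)\s+\S+")  # "23 open tcp telnet"

def open_ports(text):
    """Return the set of (port, proto) reported open; non-port lines are skipped."""
    found = set()
    for line in text.splitlines():
        if m := SLASH.fullmatch(line.strip()):
            port, proto, state = m.groups()
        elif m := COLUMNS.fullmatch(line.strip()):
            port, state, proto = m.groups()
        else:
            continue  # header, OS guess, TCP sequence lines
        if state == "open":
            found.add((int(port), proto))
    return found

def compare(baseline, protected):
    """Return (still_open, no_longer_open) relative to the baseline scan."""
    base, after = open_ports(baseline), open_ports(protected)
    return sorted(base & after), sorted(base - after)

if __name__ == "__main__":
    print(compare(BASELINE, WITH_ESAFE))
```

Run on the article's data, it reports nine of the ten baseline ports as still open; only 23/tcp is absent from the eSafe scan.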

Advantages

  1. Cost: free for personal use.
  2. Trial version available.
  3. Can be configured to protect only specific ports/applications. Quite powerful.
  4. Two readers indicated they used/liked eSafe.

Disadvantages

  1. Not so easy to use, confusing; GUIs could be much better.
  2. Not a firewall when in "learn mode".
  3. Sandbox mode: Asks lots of questions about browser access to DLLs etc., which a normal user simply cannot answer. It gets pretty annoying. I switched off the sandbox.
  4. Slow download (10MB).
  5. Only individual ports, not port ranges, can be used in rules.
  6. Virus scanner is low quality.

Summary

A difficult GUI ruins a product that does have potential. Dangerous for novice users, since they may expect protection when they have none.


References

  1. Personal Firewalls/Intrusion Detection Systems (The base reference for this article).
    pf_main20001023.html
  2. Nmap
    http://www.insecure.org/nmap
  3. Netbus Pro: Remote control program often used as an attack tool to control remote PCs.
    http://netbus.nu/
  4. E-Safe
    http://www.esafe.com  

Changes to this article

18.Oct.00 Published


Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, Seán Boran, All Rights Reserved     Last Update: 10 October, 2001