Personal Firewalls Tests: McAfee Firewall

An analysis of mini-firewalls for Windows users

By Seán Boran


This article is part of a series of tests on Personal Firewalls / Intrusion Detection Systems. Refer to [1] for an introduction to Personal Firewalls, the risks, tips on 'hardening' Windows even without a firewall, a feature comparison and a summary of the analyses.

This report focuses on the McAfee Firewall.


Security Effectiveness tests

Key criteria in choosing a Personal Firewall are:

How did we test firewall/intrusion detection effectiveness?

a) Pinging the test host and accessing shares to and from it.

b) A powerful, well-known 'remote control' trojan (Netbus Pro v2.1) [3] was installed on the system on a non-standard port (to make detection more difficult), the Netbus server was started and attempts were made to connect to it from a remote system.

c) The telnet server was enabled on the Win2k test PC and a remote connection to this service was then attempted. Enabling telnet is not recommended; we do this purely for testing purposes.

d) An nmap [2] scan was run against each product (see below) to check that incoming ports were effectively blocked. With no firewall installed, the test PC (Win2k SP1) presented the following to nmap (nmap -sT -P0 -O IP_ADDR):

Port      State  Service
7/tcp     open   echo
9/tcp     open   discard
13/tcp    open   daytime
17/tcp    open   qotd
19/tcp    open   chargen
23/tcp    open   telnet
135/tcp   open   loc-srv
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1025/tcp  open   listen
No OS matches for host


McAfee Firewall

McAfee Firewall [4] is based on Conseal's Signal-9 Private Desktop [5] (which can also still be bought online and has a loyal following). Other McAfee products such as Guard Dog are privacy rather than firewall products and have not been tested here (Guard Dog 'Pro' also includes the McAfee Firewall). McAfee Firewall can be bought online [4].

V2.10.0005.0 was tested on NT4 SP5 and partially on Win2k SP1. It runs as a service and is visible in the System Tray and in the Services list.

Note: McAfee was not initially tested (in the July/August roundup) since it appeared to be an online, subscription-based service that uses ActiveX, and I don't agree with the use of ActiveX in such a scenario. An explanation from McAfee shows that I was being confused by the McAfee website:

"McAfee and McAfee.com are two separate companies. McAfee Retail is owned by Network Associates and offers box products for consumers; McAfee.com is a separate company from Network Associates and provides ASP services to consumers."

Features

A few quotes from the README file explain how McAfee Firewall works:

McAfee Firewall manages your network privacy through two areas---APPLICATION traffic and SYSTEM traffic. APPLICATION traffic is based on trusting or not trusting applications that you know and use. SYSTEM traffic is more static and will allow or not allow things like fileshares and ICMP (control) traffic. ..... McAfee Firewall will manage a "trusted" application list and a "not trusted" list. You can always click on APPLICATION to see these lists and move known applications around.

System behaviour is defined under the SYSTEM button on a per device basis. Each device can have its own behaviour. For example, a network card may allow fileshares (sharing computer resources between trusted computers using the NetBIOS protocol); but that could be turned off over a modem to the Internet. The same applies to other basic services.

.... The log files reside in the Private Desktop folder, e.g. in C:\PROGRAM FILES\McAfee\McAfee Firewall. The files are of the format YYYYMM.log. Each log file can be up to 2 MB in size before warnings are generated by the system and only essential messages are then written. If there is no log file, a new one is built for the current month. This means that a full log file can be deleted or renamed, and a new one will instantly replace it.

Security Effectiveness

There are problems with its security effectiveness:

  1. The GUI for configuring the packet filter is not easy to use; there is a risk that, despite its useful features, the user will be unable to use the packet filter effectively.
  2. The user may forget or neglect to install the protocol filter, leaving only application-level protection.
  3. By default on my Ethernet interface, pings, shares etc. were disabled and the system was pretty tight. On the first dial-up adapter, however, everything was enabled.
  4. It is not possible to configure rules for specific TCP/UDP ports.

Defence against Netbus: the user is asked "Allow NBSVR to communicate?" when the Netbus server is started. Once that is answered yes, Netbus can be remotely controlled, unhindered. Since the prompt shows only the executable name, this protection depends entirely on the user recognising 'NBSVR' as something that should not be allowed.

Nmap detects the same list of services as without the firewall, though the TCP fingerprint is slightly different. The scan is shown as 'unknown traffic' in the GUI. When file sharing, identification and ICMP are disallowed, the NetBIOS ports (135-139) are no longer visible to nmap and pings no longer work; all other ports remain visible.
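To make the before/after nmap comparison in this section repeatable, here is an added example (written for this page; it is not code from the article, from nmap or from McAfee) that parses two nmap listings of the kind printed above, reports which ports the firewall hid, which remain reachable, and which of the remaining ones a reviewer should worry about. The pre-firewall listing is the one printed in the test setup; the post-firewall listing is constructed from the description in this paragraph (NetBIOS ports hidden, everything else still visible), and the HIGH_RISK table is the example's own assumption, not a list from the article.

```python
"""Compare two nmap listings to see which ports a personal firewall actually hides.

Added example; not part of the original article and not McAfee's code.
The baseline listing is the one printed in the article. The firewalled listing
is CONSTRUCTED from the article's description of McAfee Firewall with file
sharing, identification and ICMP disallowed: the NetBIOS ports 135-139 are no
longer visible, all other ports still are.
"""
import re
from typing import Dict, List

# Matches the nmap 2.x listing format used in the article: "139/tcp open netbios-ssn"
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

BASELINE_SCAN = """\
Port      State  Service
7/tcp     open   echo
9/tcp     open   discard
13/tcp    open   daytime
17/tcp    open   qotd
19/tcp    open   chargen
23/tcp    open   telnet
135/tcp   open   loc-srv
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1025/tcp  open   listen
No OS matches for host
"""

# Constructed from the article's prose, not a real capture.
FIREWALLED_SCAN = """\
Port      State  Service
7/tcp     open   echo
9/tcp     open   discard
13/tcp    open   daytime
17/tcp    open   qotd
19/tcp    open   chargen
23/tcp    open   telnet
445/tcp   open   microsoft-ds
1025/tcp  open   listen
No OS matches for host
"""

# Services a reviewer would not want reachable from an untrusted network on a
# Windows 2000 host. Assumption: this list is the example's, not the article's.
HIGH_RISK = {23: "telnet", 135: "loc-srv (RPC endpoint mapper)",
             139: "netbios-ssn", 445: "microsoft-ds"}


def parse_open_ports(listing: str) -> Dict[int, str]:
    """Return {port: service} for every line nmap reports as open.

    Header lines and trailer lines such as "No OS matches for host" do not
    match PORT_LINE and are skipped.
    """
    ports: Dict[int, str] = {}
    for line in listing.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def compare_scans(before: str, after: str) -> Dict[str, List[int]]:
    """Diff a pre-firewall scan against a post-firewall scan of the same host."""
    b, a = parse_open_ports(before), parse_open_ports(after)
    return {
        "blocked": sorted(set(b) - set(a)),        # hidden by the firewall
        "still_open": sorted(set(a) & set(b)),     # firewall made no difference
        "new": sorted(set(a) - set(b)),            # should be empty; investigate if not
        "high_risk_exposed": sorted(p for p in a if p in HIGH_RISK),
    }


def report(before: str, after: str) -> str:
    """Human-readable summary of compare_scans()."""
    d = compare_scans(before, after)
    lines = ["blocked by firewall : " + ", ".join(map(str, d["blocked"])),
             "still reachable     : " + ", ".join(map(str, d["still_open"]))]
    for p in d["high_risk_exposed"]:
        lines.append("WARNING: %d (%s) still reachable" % (p, HIGH_RISK[p]))
    if d["new"]:
        lines.append("NOTE: ports open only after install: " + ", ".join(map(str, d["new"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_SCAN, FIREWALLED_SCAN))
```

Run with the listings replaced by your own `nmap -sT -P0` output taken before and after installing the firewall. The "new" set is worth keeping: a firewall that opens a listener of its own (for a GUI or a management channel) would show up there, which a simple "are the NetBIOS ports gone?" check would miss.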

This product does have the capability to firewall the PC reasonably well and make penetration difficult, but careful configuration is required. Its intrusion detection facilities are basic however.

Advantages
  1. The GUI is easy enough to understand.
  2. Logging: The GUI lets users see which services are running, on which ports, and which connections are currently open. It is easy to see which network service a specific application uses.
  3. Log files: The log file is a simple text file that is easily viewed with Notepad; it includes not only a record of network activity but also firewall start-up messages and a record of all settings changes. Nice!
  4. The security model is simple: ask the user whether an application is allowed to communicate, then allow it unhindered access. The advanced user can also set rules at the protocol and adapter level. I like several features, such as restricting pings to 3 per second, and enabling/disabling file sharing and/or the mounting of remote file shares.
  5. The GUI access can be protected with a password.

Disadvantages

  1. No trial version available.
  2. Installation:
  3. Deinstallation: the network driver is not removed; it must be removed manually.
  4. The GUI is quirky:
  5. Some blocked traffic causes the PC to beep and the alert to be logged. There is no way to switch off this beeping, which is annoying if the alerts are false positives (e.g. SNMP monitoring on an intranet).
  6. NetBIOS ports not protected by default.
  7. The security model: McAfee asks the user to authorise applications to communicate. This is useful, but some applications have names that mean nothing to the user. For example, on our Win2k test system the user is asked on first logon whether the following are allowed: mstask, tcpsvcs, services, svchost, tlntsvr, specserv. When mounting a share from another host ('net use'), it asked "Allow LSASS to communicate?".  Suggested improvements:
  8. It is not possible to configure rules for specific tcp/udp ports.
  9. Documentation included in the downloaded version was quite limited.
  10. The laptop power-saving modes Hibernate/Standby do not work with McAfee enabled. Hot-swapping of PC Cards does not work either.
  11. Win2k: the protocol filter engine does not work (known issue), so only application-level protection is available. 'System settings' do not work and all System elements in the GUI are empty.
  12. If you make changes to the rules or applications, make sure to "Save Settings", otherwise the changes will be lost on the next reboot.

Summary

McAfee Firewall is an interesting product for both the casual and the advanced user, once you get used to the quirks in the GUI.

This product does have the capability to firewall the PC reasonably well and make penetration difficult, but careful configuration is required. Its intrusion detection facilities are basic however.

It is neither the most effective nor the cheapest. Laptop users will not be happy giving up power-saving functions and PC Card hot-swapping. Win2k users can't use the protocol-level filtering. Corporate users will miss features for centralised rollout, lockdown and support.


References

  [1] Personal Firewalls/Intrusion Detection Systems (the base reference for this article).
      pf_main20001023.html

  [2] Nmap
      http://www.insecure.org/nmap

  [3] Netbus Pro: remote control program often used as an attack tool to control remote PCs.
      http://netbus.nu/

  [4] McAfee Firewall
      http://software.mcafee.com/products/#Firewall
      See also online purchasing:
      http://store.mcafee.com/product.asp?ProductID=123&CategoryID=3

  [5] Conseal's Signal-9 Firewall
      http://www.signal9.com
      The original Conseal firewall can also still be bought online:
      http://www.consealfirewall.com

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

Changes to this article

09.Oct.00 First draft for Publication (thanks to Réjane Forré, Plenaxx.com for patient proof-reading)
31.Oct.00 Update: fixes after feedback from McAfee, remove reference 6.
09.Nov.00 Minor update.

© Copyright 2000, Seán Boran, All Rights Reserved     Last Update: 23 September, 2001