Personal Firewalls Tests: Tiny Personal Firewall
By Seán Boran
November 14, 2000 - This article is a part of a series of tests on Personal
Firewalls/Intrusion Detection Systems. Refer to [1] for an introduction
to Personal Firewalls, risks, tips on "hardening" your Windows even without a
firewall, a feature comparison and a summary of analyses.
This report focuses on the Tiny Personal Firewall.
April 13, 2001 update:
Key criteria in choosing a personal firewall are:
- Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of
service.
- Effectiveness of intrusion detection: few false positives, alerting of dangerous
attacks.
- User interface: ease of use, instructiveness, simplicity, quality of online help. Does
the interface suit the way you use your PC?
- Price.
How did we test firewall/intrusion detection effectiveness?
a) Ping and accessing shares to and from the test host.
b) A powerful, well-known "remote-control" Trojan (Netbus Pro v2.1) [3] was installed on the system on a nonstandard port (to
make detection more difficult), the Netbus server started and attempts made to connect
from a remote system.
c) The telnet server was enabled on the Win2K test PC. We then attempted to connect
to this service remotely. It is not recommended that you enable telnet; we do this purely
for testing purposes.
d) An nmap [2] scan was run against each product
(see below), to check that incoming ports were effectively blocked. With no firewall
installed, the test PC (Win2K SP1) presented nmap (nmap -sT -P0 -O IP_ADDR) with the
following ports:
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
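The following added example, which is not part of the original article, parses nmap port tables and compares the unprotected baseline above with a rescan taken behind the firewall, so that rule gaps and listeners missing from the baseline stand out. The rescan text and port 4455 are constructed sample values.

```python
import re

# Baseline reported in the article: Win2K SP1 with no firewall installed.
BASELINE = """\
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
"""

# Constructed rescan (not from the article): firewall active, but NetBIOS is
# still reachable and an unexpected listener answers on a nonstandard port.
RESCAN = """\
23/tcp filtered telnet
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
4455/tcp open unknown
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_ports(text):
    """Map (port, proto) -> state; header and OS lines do not match ROW."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[(int(m.group(1)), m.group(2))] = m.group(3)
    return table

def compare(baseline, rescan):
    """Classify ports by whether the firewall changed their reachability."""
    before, after = parse_ports(baseline), parse_ports(rescan)
    was_open = {k for k, s in before.items() if s == "open"}
    is_open = {k for k, s in after.items() if s == "open"}
    return {"blocked": sorted(was_open - is_open),      # the firewall did its job
            "still_open": sorted(was_open & is_open),   # rule gap to review
            "new_open": sorted(is_open - was_open)}     # listener not in baseline

if __name__ == "__main__":
    for label, ports in compare(BASELINE, RESCAN).items():
        print(label, ports)
```

A port missing from the rescan is treated as no longer open, which matches the result reported later in the article where nmap found no open ports at all.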
The Tiny Personal Firewall product [4] is still in beta and free for
personal use.
A quote from the Tiny Personal Firewall website [4]:
Tiny Personal Firewall represents smart, easy-to-use personal security technology that
fully protects personal computers against hackers. It is built on the proven WinRoute Pro,
ICSA certified security technology. Tiny Personal Firewall is also an integral part in
Tiny Software's new Centrally Managed Desktop Security (CMDS) system awarded a
contract by the US Air Force to encompass about 500,000 desktop computers.
Intrusion Detection: Personal Firewall includes an easy-to-use wizard that detects
unknown activity and prompts the user for setup information. After the setup is complete,
a new rule is applied to the filter rules list. This option may be disabled.
Application Filter: To protect from Trojan horse and other unauthorized applications,
Personal Firewall includes an application filter. The wizard will detect when an
application attempts to bind to a port for communication and create a filter rule based on
the user's input. Users may permit applications manually from the filter rules. Tiny
Personal Firewall also provides a database of common applications that use known ports.
Here we test v2.0.2 on Windows 2000/SP1. In November 2000 we also tested a beta of v2.0
on NT4/SP5.
Price: free for home use, from $39 for commercial use.
Features
- There are three security modes:
  - Cut me off: disable the network connection.
  - Ask me first: unknown traffic will cause the user to be prompted to accept/deny or
    add an appropriate rule.
  - Don't bother me: unknown traffic is allowed.
- Configuration and log viewing can be password protected. If the password protection is
enabled, remote access to the configuration and/or logs can be switched on.
- Remote access to logs and remote administration of the firewall can be enabled.
- Learning mode (which can be switched off): the user is prompted to accept/deny new
traffic, or create a rule to accept/deny long term traffic.
- Trusted addresses can be configured in three ways - single IPs, networks/subnet masks or
ranges of addresses.
- Log information can be sent to a central syslog.
- Rules can be time controlled - days of the week, time range per day.
- Rules can optionally create log entries.
- An MD5 checksum of each allowed application is maintained and used to identify applications
which are mentioned in rules.
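The following added example, which is not Tiny Software's code and not part of the original article, models how the rule features listed above combine: the application checksum, the three trusted-address forms and the day/time window. The rule layout, field names, path and addresses are assumptions made for illustration.

```python
import hashlib
import ipaddress
from datetime import datetime

def in_trusted(addr, spec):
    """Match addr against a single IP, a network/mask, or a 'first-last' range."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return first <= ip <= last
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)

def app_digest(image):
    # MD5 because that is what the article describes; it is not collision
    # resistant, so a current design would use SHA-256 here.
    return hashlib.md5(image).hexdigest()

def rule_allows(rule, app_path, image, remote_ip, when):
    """Allow only if path, checksum, trusted address and time window all match."""
    if rule["path"].lower() != app_path.lower():
        return False
    if rule["md5"] != app_digest(image):
        return False  # same path, different bytes: binary replaced or modified
    if not any(in_trusted(remote_ip, s) for s in rule["trusted"]):
        return False
    if when.weekday() not in rule["days"]:
        return False
    return rule["from_hour"] <= when.hour < rule["to_hour"]

# Constructed sample data (hypothetical path, bytes and addresses).
APP = r"C:\Program Files\Mail\mail.exe"
GOOD_IMAGE = b"constructed stand-in for the approved executable"
RULE = {"path": APP, "md5": app_digest(GOOD_IMAGE),
        "trusted": ["192.168.1.10", "10.0.0.0/255.255.255.0",
                    "172.16.0.5-172.16.0.20"],
        "days": {0, 1, 2, 3, 4},            # Monday to Friday
        "from_hour": 8, "to_hour": 18}

if __name__ == "__main__":
    friday = datetime(2001, 4, 13, 10, 0)
    print(rule_allows(RULE, APP, GOOD_IMAGE, "10.0.0.77", friday))
    print(rule_allows(RULE, APP, b"replaced binary", "10.0.0.77", friday))
```

The second call is the case the checksum exists for: a program placed at an allowed application's path does not inherit that application's rule.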
Security Effectiveness
The following tests were conducted in high security mode.
- A ping from a remote machine caused the user to be prompted, asking whether incoming
ping should be allowed or not.
- The Netbus server could be started without Tiny Firewall objecting, but when trying to
remotely connect to Netbus, a dialog box asked the user to accept or reject the
connection.
- Nmap scan: all connections were blocked, nmap was unable to identify the OS or any open
ports. There was no logging of the scan and the alerts presented may be difficult to
understand for the typical user.
Advantages
- Relatively small footprint (500KB on hard-disk).
- Good concept, quite easy to understand.
- Can be run manually or as a service.
- The Status/Log viewer is quite informative, includes statistics on transmitted/received
bytes per application/port and speed. Overall statistics are also available.
- In learning mode, the user is supplied with a maximum of information regarding the new
traffic connection requests (e.g., application, ports and IP addresses affected).
- A user manual is available for download in Acrobat format. It explains the main features
and how Tiny works.
Disadvantages
- FTP protocol not understood (automatic management of dynamic ports/FTP state engine).
- Scans can generate lots of alerts.
- User needs quite a bit of knowledge.
- Alerts can be annoying at first, until the first batch of rules have been defined.
- Network adapters cannot be selected/excluded for firewalling.
- User manual: It could go into more detail and do more "hand-holding."
- Bugs:
  - Fixed in v2: In the status/log viewer, selecting Logs->Error Log, or
    Logs->Firewall log causes a constant error dialog "Invalid format of log
    file", that can only be removed by killing the logviewer application. This happened
    consistently on both the NT4 and Win2k test systems.
  - If an application has a long name or path, it is not legible in the Alert dialog.
- Suggested improvements
  - Online help.
  - Fixed in v2: Status/Log viewer: it would be useful if the log entries could be sorted by
    clicking on the column titles.
  - Separate log browsing for statistics on current connections and intrusion detection.
  - Fixed in v2: Make log viewer and about box available from the taskbar icon.
  - In learning mode, when creating new rules, have an optional "fast rule" dialog
    that would allow the expert user to specify the rule contents in one dialog, rather than
    several. Also, allow an address range and not just one address to be specified.
  - Allow identification/lookup of attack sources. Show statistics/attacks per source.
Summary
Tiny Firewall does have some quirks, but it is a useful, stable, powerful personal
firewall at an unbeatable price for home users (free).
Non-expert users should download the User Manual (in Acrobat format) to get the most
out of this firewall, as there is no online help.
[1] Personal Firewalls/Intrusion Detection Systems (The base reference
for this article).
pf_main20001023.html
[2] Nmap
http://www.insecure.org/nmap
[3] Netbus Pro: Remote-control program often used as an attack tool to
control remote PCs.
http://netbus.nu/
[4] Tiny Software
http://www.tinysoftware.com/pwall.php
About the Author
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
14.Nov.00 sb First publication
13.Apr.01 sb Update after tests with v2.02 on Win2k
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 17 August, 2001