Independent Evaluations of Networking Products and Tools
Ouch! You’ve Been Probed
A close look at four personal firewall products
ComputerWorld, 2001

From Iraq, Afghanistan, Libya, China, New York City and maybe even your home town, the bad guys’ software probes the Internet, inexorably examining consecutive IP addresses for device information. Ah! The software finds an active IP address. What sort of device is it? Does it have a network management agent? Whose protocol stack is the device running? Is the address permanently assigned (i.e., has the software previously encountered the same address)? Might the device be a good candidate target for a virus, trojan or worm? Is port 23 (telnet) open? Might the effort of flooding the device with Denial of Service packets be worthwhile? Does the device’s IP address correspond to a registered domain name? Is the network node running Web server, FTP server, database server or file sharing (server or peer) software? What files reside on the computer?

The wealth of data a sophisticated probe can discover is staggering. The probe software stores the results of its examination in a huge relational database. If your PC has a persistent Internet connection, perhaps via DSL, cable or other always-on technology, this database almost certainly contains your IP address and network node information. Even dial-up users with their dynamically-assigned IP addresses can be at risk if Internet sessions last more than a day or even a half day.

Several companies offer personal firewall products to help you block Internet-based intruders. In the lab, I erected four of these firewall products to find out which is the best deterrent to Internet probes. The products are Symantec, Inc.’s Norton Personal Firewall 2001 3.0, Network ICE Corporation’s BlackICE Defender 2.5, Tiny Software, Inc.’s Tiny Personal Firewall Build 12 and Zone Labs, Inc.’s ZoneAlarm Pro 2.6.

Unlike firewalls that provide a corporate site with insulation from the Internet on a network-wide basis, these tools guard an individual computer by inserting themselves into the PC’s TCP/IP protocol stack. The firewall software intercepts each inbound or outbound Internet message and subjects it to close scrutiny. The firewall distinguishes, for example, between the legitimate messages that are responses to your browsing Web sites and illegitimate messages you never asked for. The software also uses Network Address Translation (NAT) to substitute a bogus IP address inside your computer’s outgoing Internet messages. The bad guys don’t know who you are and can’t penetrate your PC.

I installed these firewalls on an IBM ThinkPad A21m with 850 MHz Pentium III processor, 512M bytes of RAM and a 32G byte hard disk. The four operating systems for each battery of tests were alternately Windows 98, ME, NT 4.0 and Professional. A 384 kb/sec SDSL connection supplied by Covad Communications linked the ThinkPad to the Internet through a 3Com 100 Mb/sec Fast Ethernet port.

To test security, I used a variety of tools to try to penetrate each firewall and scan for ports. These tools included Internet Security Systems Inc. (ISS) Internet Scanner and Northwest Performance Software Inc. NetScanTools. To evaluate performance, I simply launched a ten-minute standardized barrage of TCP and UDP network request messages on all common ports through the firewall. I then measured the time it took for each firewall to fully resolve the requests.

Happily, all four firewalls survived the lab tests by successfully blocking unsolicited Internet messages, including port scans and Denial of Service attacks. The firewalls slowed Internet access only slightly as they protected the computer from hacking efforts. A firewall that crashes your computer or garbles your Internet connection is worse than no security protection at all. Fortunately, these four firewalls behaved well in my tests.

I found ease of use the most significant criterion differentiating these products. BlackICE Defender has an intuitive, simple user interface and requires the least firewall expertise to install and operate. Norton Personal Firewall 2001 and ZoneAlarm Pro have well-designed interfaces that are only slightly more complicated to use than BlackICE Defender’s, while Tiny Personal Firewall is an excellent product with Wizards that only partially shield you from the forehead-furrowing process of configuring TCP/IP access rules.

Norton Personal Firewall 2001

Version 3 of Norton Personal Firewall 2001, available separately ($49.95) or bundled in the Norton Internet Security 2001 suite ($69.95 for the Standard Edition), alerts you to intrusions, maintains an event log of connection incidents, allows only applications you specify to use the Internet, permits cookies only from Web sites you’ve authorized and blocks both Java applets and ActiveX controls by site. Its AutoBlock feature detects and thwarts port scans.

Norton Personal Firewall 2001 is highly configurable. Via a series of dialog boxes, you tell the firewall which applications you use to access the Internet, which Web sites’ cookies, applets or ActiveX controls you’ll accept and what actions the firewall should take when it detects an intrusion. You can also tell Norton Personal Firewall 2001 (called Norton Internet Security when it’s part of the Norton Internet Security 2001 suite) to optionally block all message traffic from an intruder for a set amount of time.

For more information, visit www.symantec.com. The Norton Internet Security 2001 suite download is a hefty 10.9 Mb.
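
The port-scan detection and timed blocking described for AutoBlock above can be sketched as follows. This is an added example, not Symantec's code or algorithm; the thresholds, the event format and the sample events (documentation-range addresses) are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; not values taken from any product.
PORT_THRESHOLD = 5     # distinct destination ports from one source ...
WINDOW_SECONDS = 10    # ... seen inside this sliding window
BLOCK_SECONDS = 1800   # how long a flagged source stays blocked

# Constructed sample events: (time_s, source_ip, dest_port, solicited).
# "solicited" is True when the packet answers a connection the PC opened.
EVENTS = [
    (0, "198.51.100.7", 80, True),
    (1, "203.0.113.9", 21, False),
    (2, "203.0.113.9", 22, False),
    (3, "203.0.113.9", 23, False),
    (4, "203.0.113.9", 25, False),
    (5, "203.0.113.9", 80, False),
    (6, "203.0.113.9", 139, False),
    (40, "192.0.2.4", 23, False),
    (1900, "203.0.113.9", 23, False),
]


def filter_events(events):
    """Return a list of (verdict, (time, source, port)) tuples."""
    recent = defaultdict(deque)  # source -> (time, port) of unsolicited packets
    blocked_until = {}           # source -> time at which the block expires
    verdicts = []
    for ts, src, port, solicited in events:
        # A blocked source loses all traffic, solicited or not.
        if blocked_until.get(src, -1) > ts:
            verdicts.append(("autoblock", (ts, src, port)))
            continue
        if solicited:
            verdicts.append(("allow", (ts, src, port)))
            continue
        window = recent[src]
        window.append((ts, port))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()     # forget packets older than the window
        if len({p for _, p in window}) >= PORT_THRESHOLD:
            blocked_until[src] = ts + BLOCK_SECONDS  # scan pattern seen
            window.clear()
        verdicts.append(("drop", (ts, src, port)))   # unsolicited: never passed
    return verdicts
```

In the sample, the single stray packet from 192.0.2.4 is dropped without triggering a block, and the scanning source is treated as an ordinary unsolicited sender again once its block has expired.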

Tiny Personal Firewall

Aptly named for its small download size of 1.3 Mb, Tiny Personal Firewall is in all other respects not so tiny. It’s a feature-rich product with a rule-based TCP/IP filter that detects intruders, foils trojans by preventing unauthorized applications from accessing the Internet, ensures trojans can’t pose as trusted applications by verifying that a program has an MD5 digital signature and logs security events. Tiny Personal Firewall can even send its log entries to a central server for reporting purposes.

Tiny Personal Firewall (free for personal use, $39 for business use) discriminates between sites you trust and all others on the basis of IP addresses, address groups or subnet ranges. It offers remote administration and you can specify when during the day a filtering rule should be applied. For more detail, visit Tiny Software at www.tinysoftware.com.

BlackICE Defender

Besides detecting and spoiling intruders, BlackICE Defender ($39.95) tracks them down and does everything except handcuff them. It performs a comprehensive back-trace to find an attack’s origin and identify the hacker. Depending on what information’s available, BlackICE Defender reports the intruder’s IP address, NetBIOS name, DNS name, permanent network adapter (MAC) address and other data. The firewall software stores the evidence of each attack in its log file. It’s like having caller ID turned on for Internet hackers.

Although BlackICE Defender’s default (preset) firewall configuration is thoughtfully crafted and suitable for just about any mobile computing situation, the product has an intuitive user interface and you don’t have to be a firewall expert to operate BlackICE Defender. Its alerts are color-coded and easy to understand. BlackICE Defender is a 3.0 Mb download from www.networkice.com.

ZoneAlarm Pro

In addition to parrying hackers’ thrusts and lunges in your PC’s direction, ZoneAlarm Pro ($39.95) sifts through incoming e-mail to detect about 30 categories of mail-based viruses and trojans. The postal inspector module, an enhanced version of the company’s MailSafe product, spots VBScript, JScript and executable programs attached to e-mail you receive and warns you before you absent-mindedly double-click them. ZoneAlarm Pro’s e-mail monitor works best as a complement to (but not a replacement for) a full-blown anti-virus tool.

ZoneAlarm Pro prevents unauthorized applications from accessing your Internet connection, includes password protection, distinguishes between trusted and untrusted sites and exposes intruders with on-screen alerts and log entries. More information and the 3.2 Mb ZoneAlarm Pro download are at www.zonelabs.com.