Personal Firewalls / Intrusion Detection Systems - Page 2

 By Sean Boran
Page 2 of 3   |  Back to Page 1
Print Article


EUC with HCI: Why It Matters

Zone Alarm

Combining the safety of a dynamic firewall with total control over applications' Internet use, ZoneAlarm gives rock-solid protection against thieves and vandals. ZoneAlarm now features MailSafe to stop email-borne Visual Basic Script worms like the "I Love You" virus "dead-in-its-tracks," thwarting its spread, and preventing it from wreaking havoc on your PC. ZoneAlarm makes ironclad Internet security easy-to-use.

Zone Alarm (http://www.zonelabs.com/) watches network communications on a per application basis and asks the user for permission each time an application wants to use the network.

  • General security levels low, medium, high are available, for the Internet and local (i.e. trusted) interfaces.

  • The network interface which is trusted (local) can also be chosen (useful to protect a dialup, but not an Ethernet connection for instance). However if you use dial-up for both Internet and Intranet access, it's problematic (see below).

  • Specific trusted hosts can be added, but not which services you wish to allow.

  • ZA detects running network applications and provides a list. Each application can be allowed to receive incoming connections, on either the Local or Internet connection (or both)

  • Download size: 1.5MB

  • Running nmap on ZoneAlarm in "high security" mode causes one alert that was not informative, and nmap is able to identify a few services:
    Port    State       Protocol  Service
    17      open        tcp       qotd                    
    19      open        tcp       chargen                 
    135     open        tcp       loc-srv                 
    139     open        tcp       netbios-ssn             
    No OS matches for host.


  • Shuts down all unused ports.

  • Cost: free for personal use, $20 for business use.

  • Has different rules for LAN (local) and Internet networks.

  • Stops and asks for your permission before an application can use the network, for the first time, or every time.

  • Flexible

  • Button to block the network temporarily (which can be use if you suspect you have a Trojan, or are opening an email/program from an untrusted source, or are going off for lunch...). Programs which are configured to "Pass Lock" are still allowed to communicate.

  • Quick download (1.5MB)

  • Other ZA users have indicated have they like its method of functioning.


  • Stability: I had one blue screen in 4 weeks.

  • If many applications are used, the questions to the user can be annoying/confusing, and the user may end up having more applications trusted than expected.
    It doesn't tell you exactly what the Application does, and application is either trusted, or it is not.
    For example, when using Internet Explorer, ZA prompted saying the IE wanted to be a server to the Internet, but without any details as to what port, whether this was dangerous, etc.. I denied access and IE still worked (Netscape did not cause this effect). IE did this several times.

  • If you use a dialup connection, sometimes for Intranet, sometimes for Internet, ZoneAlarm will always apply the same rules. e.g. on an Intranet dial-up NetBIOS file sharing, RPC etc. are desirable, but they are not on the Internet connection. It's too unwieldy to switch security levels on the GUI each time you dial one or the other.
    There is also no concept of "trusted addresses" which would allow one to trust specific (Intranet) addresses.

  • ZA can't be configured to ignore pings from unknown sources, e.g. from Network management stations on the Intranet.

  • GUI could be easier to use, more instructive, and could use less screen space (I don't like the permanent window that can't be removed).

  • It would be nice if power users could customise the rules a bit more: Cannot allow/deny specific incoming/outgoing ports/protocols.

  • Deinstalling could be cleaner, an empty ZoneAlarm directory is left in C:\Program Files\ and keys are left in the registry.

  • There is no 'user friendly' GUI for browsing attacks. However a third part tool is available (Firewall Log Analyzers -- Brady & Associates, LLC, for BlackICE and ZoneAlarm. Tested and works well for BlackICE. Cost: $20, 1 month evaluation.)

  • The attack logs \winnt\Inernet Logs\ZALog.txt is not detailed enough, it gives port numbers but not reasons why packets are blocked and with no packet headers or contents, nor any state information.

  • Bugs:

    • Stability: I had one blue screen during early testing.

    • If Windows 2000 service pack 1 is installed, ZoneAlarm breaks and will only work in "Medium" mode (Windows 2000 SP1 breaks firewall software: Q269676, Wininformant article).

    • ZA looks at the application's file header to decide if  traffic is allowed. If Communicator were allowed access, and a malicious trojan were installed that called itself communicator (with the same file header information), ZA would allow the trojan to communicate with the Internet.

BackOfficer Friendly (BOF)

BackOfficer Friendly (BOF), from NFR (http://www.nfr.net/), detects BackOrifice scans, as well and ftp/telnet/http/smtp/imap2/pop3 connection attempts. It can also act as a honeypot trapping attackers into believing they've penetrated a real system.

BackOfficer Friendly can interact with the hackers, pretending to be a Back Orifice server or server for other types of requests. Instead of silently discarding their commands, it sends them responses (sometimes humorous) that look somewhat like a real system.


  • Costs $10

  • UNIX and NT


  • Not very powerful

  • Ordering doesn't always work as expected.

  • Not evolving.

E-Safe Desktop

Anti-vandal protection using eSafe's unique Sandbox II technology Internet content filtering based on keyword, URL, port and protocol Resource management and desktop lockdown features ICSA and Checkmark certified anti- virus protection. eSafe Desktop is compatible with Windows95, Windows98, WindowsNT, Office2000 and now Windows 2000.


  • "Sandbox" which theoretically restricts malicious programs from damaging the system.

  • Learn mode for 14 days

  • Anti-virus protection (not tested or installed).

  • Download size is quite large: 10MB.

  • Tested v2.2 in personal firewall mode on Win2000.

After installation and rebooting, eSafe (http://www.esafe.com/) detects a few applications (in my case IE, Office, Outlook and Communicator), and allows a "protection setting" of default, previous, and none to be set. It is not obvious what this means. An icon sits in the task bar which can be used for anti-virus or setting configuration. Each time you logon, eSafe starts its check for new "known network" applications.

An nmap scan seemed to indicate the machine is not protected at all:

Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
445 open tcp microsoft-ds
1025 open tcp listen
TCP Sequence Prediction: Class=random positive increments
Difficulty=16695 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1-RC3

It turns out that eSafe wasn't blocking. Because it was in "learn mode", it relied on it's sandbox mode for protection. There was no time to wait two weeks to see how it would perform after learn mode. Two weeks is a long time to wait.


  • Cost: free for personal use. Trial version available.

  • Can be configured to protect only specific applications.

  • One reader indicated they liked Esafe!


  • Not so easy to use. Quite complex, GUIs could be much better.

  • Not a firewall when in learn mode.

  • Sandbox mode: Asks lots of questions about Browser access to access to DLLs etc, which a normal user simply cannot answer. It gets pretty annoying. I switched off the sandbox.

  • Slow download (10MB)

  • Virus scanner is low quality.

Norton Personal Firewall 2000 V2.0

Symantec's product (http://www.symantec.com/) has two modules that can be selectively enabled: the Personal firewall and the Privacy module.

Personal firewall: minimal, medium, high and custom protection is available.
The custom level allows selection of whether Java applets and/or ActiveX controls are allowed/blocked or prompted. Options for enabling alerts and silently blocking unused ports are enabled by default.

Privacy Module: minimul, medium, high, and custom protection is available.
An interesting feature is the "confidential info" which allows specification of text strings that must be blocked (bank account number, credit card number, etc). The custom protection allows/blocks/prompts when specific (confidential) info is transmitted. Cookies can be allowed/blocked/prompted, HTTPS (SSL) connection can be enabled/disabled and browser privacy can be enabled/disabled (i.e., blocks querying of email address and last site visited).

The tests were carried out using the default (medium) settings.

An nmap scan resulted in the usual list of alerts, which weren't very informative. The Alert dialog would pop up with messages like: Norton Personal Firewall has detected that a network communication is trying to access TCP/IP Services Application. Before your computer can be accessed, you must tell Norton how you would like it to handle this situation. The user must then choose a course of action:

  • Configure a rule
  • Block access this time
  • Permit access this time

There was no analysis of the connection that could have helped the user decide whether it was valid or not. For example, the firewall could have checked for other existing and past connections from the same IP address and informed the user about whether the service is a well-known one or not. If many attempts are received from one host, the firewall should offer the user a one click option of blocking all traffic from that host, and explain why.

Nmap reported that some services were open, but was unable to detect the OS type. The open services were visible as open connections in the Connections Log Viewer--in fact, they were still open 40 minutes after nmap had stopped! In addition, one wonders what the nterm service is -- a service of the Norton firewall?

7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
113 unfiltered tcp auth
135 open tcp loc-srv
139 unfiltered tcp netbios-ssn
1025 unfiltered tcp listen
1026 unfiltered tcp nterm
No OS matches for host

To test the privacy option, a confidential Bank account number was configured. Norton detected when this number was submitted to a web page. It did not notice when the number was sent via email.

There is a live-update feature, which allows updating the program to the latest version via the Internet. It's worth running this after installation. See also Symantec's Norton Internet Security 2000 for a discussion of blocking "ad spies", a LiveUpdate reduces the number of "ad spies" allowed.


  • Well thought out, very powerful, instructive.

  • Good GUI: easy to use and instructive. Good on-line help. Tries to address the needs of expert and normal users.

  • Can be configured to only protect specific applications.

  • Works well in a mixed Internet/Intranet/LAN environment.

  • "Normal" traffic such as ftp, http, https, pop3 is allowed out without asking the user (which is a safe assumption for "medium" security in my opinion).

  • Unused ports are silently blocked (not alerted), and logged (this makes sense: don't alert the user unnecessarily).

  • The expert user will find an fully fledged firewall waiting to be configured under the advanced options.

  • The GUI "Logging of events"/"dynamic rules changes" / "firewall activity" is exemplary. The expert user who wants to find out exactly how a particular application uses the network, will appreciate the flexibility and detailed logging.


  • $49/year including updates. Yearly fees will not be appreciated by most users.

  • No trial version available.

  • GUI does not have the simplicity of BlackICE.

  • The Alert dialog could be more informative, could analyse existing and past connections to/from a suspect IP address, analyse the traffic contents and then make a more informed recommendation to the user, rather than just leaving it up to the user to decide.

  • Requires a reboot during installation.

  • Bugs:
    • Crashes/conflicts with VPN software like CheckPoint's SecureRemote.
    • Conflicts with Win2000's IPsec capability.

  • There is no console managed version  that enables corporate policy enforcement for the subset of destinations within a corporate net.

  • Outbound TCP/NetBIOS ports (the 137/8/9) cannot be blocked, it has to be done on the OS level.

  • Suggested improvements:
    • in the Log Browser, allow the various tabs (Connections, Firewall, etc.) to be sorted by clicking on the column title.
    • the Event Log and  Statistics should be available by right clicking on the icon in the taskbar.
    • Add intelligence to detect a scan or coordinated attack.
    • Add features to lookup up source of the attack, to try and find a contact name (whois, ripe, etc.)
    • The firewall rules in advanced options should have an icon to indicate whether the rule is logged/alerted or not
    • When a browser is connected to a site via a proxy, show the proxy and final destination in the Connection Log.

This article was originally published on Oct 16, 2000
Get the Latest Scoop with Networking Update Newsletter