Personal Firewalls / Intrusion Detection Systems - Page 3

By Sean Boran | Posted Oct 16, 2000

Other Products

McAfee Guard Dog (based on the Conseal's Signal-9 Firewall): This seems to be a subscription-based service that uses ActiveX. I have ActiveX disabled, so it wasn't possible to download or test this product. The original Conseal firewall can still be bought online.

CyberwallPLUS-WS runs on NT and Win2k, and sounds like a heavyweight. Evaluations can only be ordered by post, and apparently are not sent internationally (the author is based in Switzerland).

AtGuard, by WRQ, was purchased by Symantec, changed, and resold as Norton Firewall. The original AtGuard has a loyal following on the net. It can block incoming and outgoing connections.

AtGuard new home page (unofficial)
AtGuard user message board

Tiny Software also has a Personal Firewall. It was discovered too late for this review. Personal Firewall 1.0 costs $29.


Products that are complementary to personal firewalls:

Tauscan removes Trojans from the registry without deleting damaged files that the system needs to operate. Its sister program, Jammer, is a registry monitor and has an excellent netstat and DNS feature. It also has a very official-looking email that can be sent to an abuser's provider explaining the type of attack with relevant information. If someone does get ZoneAlarm, then Jammer will pick up their scanning activity and notify the user as to the attack. They work with any anti-virus or security software and are simple to set up and use. Tauscan and Jammer cost $39 and are available from Agnitum.


WormGuard (also called Trojan Defence Suite) from Diamond Computer Systems, in Australia, is a bit different. It:

  • Analyses files heuristically and generically rather than relying on known signatures.

  • Provides worm-detection for ALL executed files, ensuring the file is safe BEFORE it is allowed to run.

  • Has four primary and six secondary core detection engines built-in to handle executed files depending on their type.

  • Provides network administrators with the power of blocking the execution of filenames/filetypes on all machines on their network with immediate effect.

  • Neutralises many severe Windows vulnerabilities, such as the use of hidden extensions, multiple file extensions, and excessive spaces in filenames.

  • Provides extended universal detection and analysis of Macros across all Microsoft Macro formats, such as DOC, XLS, and MDB.

  • Provides extended universal detection and analysis of command files, such as COM, PIF, BAT, and CMD.

  • Provides Deep-Scanning to detect password-stealers, keystroke-loggers, IRC worms, references to known worm authors, and much


Netlab is a free program that offers a comfortable interface to finger, whois, daytime, ping, traceroute, clock synchronisation, DNS lookup and a network scanner. (Tested on NT4, useful.)


Windows 98 SE (Second Edition) and Win2000 include the Internet Connection Sharing (ICS) tool, which can be configured on a gateway PC between a cable modem and a hub of internal PCs. Apparently it provides some measure of protection against external attack, but no firewall is included. It hasn't been tested as part of this review, but is mentioned for reference purposes.



Summary & Conclusions


Summary

Personal Firewalls ARE useful and should be considered by any Windows user who directly connects to hostile networks, such as the Internet. They have a role to play in both the corporate and SOHO markets. However, many products are immature, and all these products need to be subjected to more scrutiny and given time to prove their security effectiveness before they should be used to protect very sensitive PCs. None of these products is provided with source code.

  • There is a tendency for anti-virus and Personal Firewalls to be integrated into the one product, which is not necessarily a good thing. While it may make sense for the home user, the corporate user may find his/her anti-virus solution already mandated by a central IT organisation, or may want the choice of separate tools.

  • These products can't just be installed and forgotten about; the user has to learn how to use them, and understand their interface and consequences, for them to be effective.

  • The main difficulties are making such products easy to use, being flexible enough for power users, and reducing false positives (a common ailment among Intrusion detection systems).


Key Criteria

The key criteria in analyzing a personal firewall are:

  • Effectiveness of security protection (penetration, trojans, controlling leaks, Denial-of-service)

  • Effectiveness of Intrusion Detection

  • User interface: ease of use, instructiveness, simplicity, quality of on-line help. Does the interface suit the way you use your PC?

  • Price


Conclusions

  • eSafe is not of much use, and BOF is not a firewall.

  • Norton is very effective for the SOHO (Small Office / Home Office) user, but it is the most expensive and requires quite a bit of configuration. It is not easy to set up for corporate use and can be problematic.

  • ZoneAlarm is the best "Free for personal use" product, but I find the GUI (Graphical User Interface) confusing. Other users have indicated that they like the ZA GUI, so give it a try before deciding.

  • BlackICE has been my favourite for many months. While not perfect, it is simple, stable, easy to use and doesn't interfere much with my daily work. It does not block outgoing ports, however, and does not work well with Windows 2000. I've now deserted BlackICE for Norton, since it blocks outgoing ports and catches ActiveX controls. BlackICE may well be a better choice for many users though, due to its simplicity, regular updates and support for centralised configuration and rollout.


Thanks to Interceptor, Tom Chmielarski, Larry Adams, Geoffrey Kidd, Thomas Rude, Paul Rarey, Bill Curnow, Lissi Paffrath and Peter Klammer who provided valuable feedback.



Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.


SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
http://www.SecurityPortal.com
The Focal Point for Security on the Net (tm)
