Personal Firewalls / Intrusion Detection Systems

The complexity of Microsoft Windows, browsers and PC applications has led to the continual discovery of security weaknesses, which the typical user cannot be expected to follow or understand. Until now the standard tool for defending Windows was the anti-virus scanner, but this is no longer enough: the personal firewall has made its debut and should soon become an essential tool for Windows users connected to hostile networks.

By Sean Boran | Posted Oct 16, 2000
Page 1 of 3

Contents

  1. Introduction
  2. Products:
    1. BlackICE
    2. ZoneAlarm
    3. BackOfficer Friendly (BOF)
    4. E-Safe Desktop
    5. Norton Personal Firewall
    6. Other Products
  3. Summary & Conclusions


Introduction

Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated or inflexible, or do not evolve quickly enough to keep up with new attacks. They may even be rendered useless by dialup access weaknesses, encryption, VPNs, teleworkers connecting directly to the Internet from home, etc.

An interesting new breed of "personal firewalls" has surfaced. These are installed on a user's PC and allow the (unsophisticated) user to protect his/her PC. The risks faced by the home user on the Internet are analysed in Securing Your Home Network, by AtomicTangerine. In short, there is a significant risk and it needs to be addressed.

These tools can:

  • Protect PCs from attack when connected to hostile networks (like the Internet), especially PCs that stay connected for hours or even days at a time (DSL or cable users). The longer you are on the Net, the more likely you are to be attacked.

  • Block network access to a backdoor (like Back Orifice) that an infected email has installed, provided the firewall is configured to do so (see the Back Orifice note under BlackICE below).

  • Show exactly which communications a new application needs, and when, while you are trying it out.

  • Reduce the risk posed by teleworkers who connect to the corporate LAN via Internet VPNs. If such a PC is penetrated it can be used as a bridge by attackers to reach the Intranet; with a personal firewall installed, VPNs via the Internet pose less of a risk.

  • Educate: users become aware of just how hostile their network environment is.

  • Help ensure that your PC is not used to attack others.

  • In a corporate environment, laptop users, Internet VPN users, home workers etc. could be mandated to use a preconfigured personal firewall to ensure their PCs pose no additional risk to the corporate Intranet.

The following products were tested:

  • BlackICE Defender

  • Zone Alarm

  • Back Officer Friendly

  • eSafe

  • Norton Internet Security 2000


There are a few measures that Windows users can take, even without installing a firewall:

  • Install a good anti-virus scanner and keep it up to date. Scan Email attachments before opening them.

  • Never run any executable file received by email unless you are very sure of its authenticity.

  • Disable file and printer sharing.

  • Disable the SMB/Microsoft protocols on the Interface used to access the Internet. For example, on NT with a Dialup connection, select "Control Panel->Network->Bindings->NetBIOS Interface", select the "Remote Access WAN Wrapper" entries, Right-Click and select "disable". If you use Dial-up for both Internet and Intranet access, this may not be a good idea.

  • Connect to the "Shields UP!" site (Steve Gibson's site; I had problems doing the Shields UP! test with IE5, but Netscape 4.73 worked just fine). Let it analyse your PC's network security (port scan and NetBIOS services scan) and tell you just how well your PC is protected. Even if you install a personal firewall, trying this out is useful.

  • Install Windows and Explorer security fixes: This is a tricky one as it can be very time consuming and cause major headaches. For instance the recent Outlook security patch is so restrictive as to make it unusable on Intranets (in my opinion).

  • Back up your system regularly.


How did we test firewall effectiveness? An nmap scan was run against each product (see below) to check that incoming ports were effectively blocked. With no firewall installed, the test PC (NT4 SP5) presented the following to nmap (nmap -sT -P0 -O IP_ADDR):

Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 4 SP3, Microsoft NT 4.0 Server SP5 + 2047 Hotfixes
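The baseline above is only useful if it is compared with a second scan taken after the firewall is switched on. The following script is an added example for this article (not an nmap or NetworkICE tool): it parses the port table nmap prints, diffs a baseline scan against a protected scan, and flags any of the Windows services listed above that are still reachable. The baseline text is the article's own table; the "protected" scan is constructed to illustrate the kind of result described later for BlackICE (only "unfiltered" ports, no OS guess). Beyond the nmap 2.x layout shown on this page, the parser also accepts the "139/tcp open netbios-ssn" layout of later nmap versions.

```python
"""Check that a personal firewall really hides a PC's listening ports.

Added example for this article (not an nmap or NetworkICE tool). It parses
the port table nmap prints, compares a baseline scan with a scan taken after
the firewall was switched on, and reports what is still reachable.
"""
import re

# Baseline copied from the article's unprotected NT4 SP5 scan.
BASELINE_SCAN = """\
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 4 SP3, Microsoft NT 4.0 Server SP5 + 2047 Hotfixes
"""

# Constructed illustration of the result the article describes with BlackICE
# in place: only "unfiltered" ports are reported and there is no OS guess.
PROTECTED_SCAN = """\
Port State Protocol Service
113 unfiltered tcp auth
1024 unfiltered tcp unknown
1025 unfiltered tcp listen
"""

# Windows services that a PC on a hostile network should not expose at all.
RISKY_WINDOWS_PORTS = {
    7: "echo (Simple TCP/IP Services)",
    9: "discard (Simple TCP/IP Services)",
    13: "daytime (Simple TCP/IP Services)",
    17: "qotd (Simple TCP/IP Services)",
    19: "chargen (Simple TCP/IP Services)",
    135: "loc-srv, the RPC endpoint mapper",
    139: "netbios-ssn, file and printer sharing",
}

# nmap 2.x layout:  "139 open tcp netbios-ssn"
_OLD_STYLE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\S+)")
# nmap 3+ layout:   "139/tcp open netbios-ssn"
_NEW_STYLE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Map (port, proto) -> (state, service) for each port line of a scan."""
    ports = {}
    for line in text.splitlines():
        line = line.strip()
        m = _OLD_STYLE.match(line)
        if m:
            port, state, proto, service = m.groups()
        else:
            m = _NEW_STYLE.match(line)
            if not m:
                continue  # header, OS guess or blank line
            port, proto, state, service = m.groups()
        ports[(int(port), proto)] = (state, service)
    return ports


def os_guess(text):
    """Return nmap's OS guess line, or None if fingerprinting failed."""
    m = re.search(r"^Remote OS guess(?:es)?:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def open_ports(text):
    return {k for k, (state, _) in parse_nmap(text).items() if state == "open"}


def firewall_diff(baseline_text, protected_text):
    """Compare open ports before and after the firewall. Only 'open' counts
    as reachable; 'unfiltered', 'filtered' and 'closed' all count as hidden."""
    before, after = open_ports(baseline_text), open_ports(protected_text)
    return {
        "still_open": sorted(before & after),
        "hidden": sorted(before - after),
        "newly_visible": sorted(after - before),
        "os_fingerprint_blocked": os_guess(baseline_text) is not None
        and os_guess(protected_text) is None,
    }


def exposed_windows_services(scan_text):
    """Risky Windows TCP services that the scan still shows as open."""
    opened = open_ports(scan_text)
    return {p: d for p, d in RISKY_WINDOWS_PORTS.items() if (p, "tcp") in opened}


if __name__ == "__main__":
    for key, value in firewall_diff(BASELINE_SCAN, PROTECTED_SCAN).items():
        print(f"{key}: {value}")
    for port, desc in exposed_windows_services(PROTECTED_SCAN).items():
        print(f"WARNING: port {port} still open: {desc}")
```

Run the real scans with the same nmap options before and after enabling the product, save both outputs, and feed them to firewall_diff; anything in still_open, or any entry from exposed_windows_services on the protected scan, means the firewall (or the NetBIOS binding on the interface) is not doing its job.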



BlackICE

The first product tested was NetworkICE's BlackICE Defender (http://www.networkice.com/). A quotation from the web site:

...BlackICE works continually to defend servers and workstations from over 200 hacker signatures including the Melissa Worm, "Slow Scans" and "Back Orifice." Even if hackers bypass firewalls or intrusion defenses, BlackICE bars entry at the desktop and server.

Attributes:

  • This little tool sits in your taskbar (on NT) and informs you of incoming Network connections (possible attacks).

  • It has four simple protection levels, from strictest to loosest: paranoid (allow no inbound TCP or UDP ports), nervous (allow non-standard UDP), cautious (allow non-standard TCP and UDP) and trusting (block nothing, but warn when something bad happens).

  • File sharing can be enabled or disabled, as can NetBIOS Neighborhood (other hosts in your domain can see you in the Network neighborhood).

  • When an attack happens, the icon in the taskbar flashes (it changes to yellow, orange or red, depending on the urgency). On clicking on the icon, the user is presented with a list of attacks. Right clicking on the event allows several courses of action:
    a) trust this address
    b) block this address (hour, day, month, forever)
    c) ignore this attack
    d) ignore this attack by another intruder

  • Firewall experts will be disappointed at not being able to specify more detailed filter rules, but the simple configuration makes it ideal for protecting non-techie PCs.

  • Auto-blocking response: automatic blocking of all traffic from an IP address on certain critical attacks (e.g. the LAND DoS or Trojan horse attacks like Back Orifice).

  • Many versions were tested from V1.8.6 in Dec.99 to V2.1.cb,  on NT4/sp5 and Win2000.

  • BlackICE does notice nmap scans: the icon flashes red and the attacks window lists "TCP port scan", "TCP port probe", "NMAP OS fingerprint", "TCP ACK ping", "TCP OS fingerprint" and "UDP port probe", among many others, which is pretty good. Nmap returned a massive list of "unfiltered" ports (port 113 and many ports between 1024 and 65031) and was unable to identify the OS.

  • While browsing the Internet, I was subjected to PCAnywhere and Back Orifice probes and several TCP port scans (all identified by BlackICE). It certainly is a useful tool for increasing user awareness of the dangers of the Internet.

  • BlackICE can be switched off on a specific interface, by hacking blackice.ini.

  • Download size: 1.9MB

  • Costs $39 (for entry level Defender)


Advantages:

  • A nice idea well implemented.  GUI is pretty simple and easy to use.

  • Good intrusion detection.

  • Allows File sharing and Network Neighborhood visibility to be easily disabled.

  • The "attack history" and list of attacks windows are useful. Informs immediately of an attack, and notes the attacker's host name and IP address.

  • A corporate version can centralise configuration, policy and alerting.

  • Free updates are included and can be easily downloaded (the default browser and proxy settings are used). V2 correctly determines (automatically at regular intervals if selected) whether the existing version needs updating.

  • Innovation: testing with BlackICE started in December 1999, and useful new features have been added to the free upgrades in this time.

  • Stable.

  • Documentation is pretty good.


Disadvantages:

  • Not free and no demo version available for download.

  • It would be nice if power users could customise the rules more. The file firewall.ini can be manually edited to block or allow UDP/TCP ports, but it would be better to be able to specify port ranges or wildcards, and better still to filter protocols that need connection state tracking, like FTP. Individual ports should also be openable or blockable from the GUI rather than by hacking the firewall.ini file.

  • The default configuration does not protect against Trojans like Back Orifice.

  • BlackICE waits until a connection is made before it takes action, it doesn't prevent a connection by shutting down the system's ports.

  • Outgoing ports cannot be blocked.

  • False alarms when used on a LAN: from SNMP servers, network management agents, NetBIOS connection attempts, Exchange servers etc. (these are not really annoying, as they only generate "yellow" alerts). This is not necessarily a bug, but on a large corporate Intranet there can be many such connections that are harmless. In a hostile environment, such as the Internet, it is good to know about such probes. So it depends on your needs.

  • The attacks window cannot be "drilled down" to list exactly which ports were connected to and what (packet) information was sent. (Clicking on the advICE button does help, and you can see the port in the URL; the file attack-list.csv can also be examined.)

  • False positives: one often sees "UDP port scan" but doesn't know exactly what is causing it: a real scan, heavy DNS or SNMP traffic, etc. In one case it was an Exchange server making a (legitimate) connection back to an Outlook client, and BlackICE did not help at all in discovering the reason. attack-list.csv can be examined to see which port number was used.

  • No tool to browse packet or evidence logs (but some of the logs are in CSV format, easily browsed with Excel). However, a third-party tool is available: Firewall Log Analyzers from Brady & Associates, LLC, for BlackICE and ZoneAlarm. Tested and works well for BlackICE. Cost: $20, 1 month evaluation.

  • Deinstalling could be cleaner, Registry Keys are left behind. Optionally, the NetworkIce directory is left in C:\Program Files\ with configuration and logs files, which is useful.

  • Bugs

    • Updates did not always work perfectly: updating from 2.1.u to 2.1.x reported "access denied" on blackdll.dll. Re-running the update worked.

    • In cautious mode or higher, the Cisco/Altiga Concentrator VPN client won't work.

    • On Windows 2000, the BlackICE engine just stops now and again, leaving the PC unprotected. Upgrading to v2.1.cb should have fixed this, but it did not.

    • Some security bugs have cropped up, for example, one posted on Bugtraq:
      BlackICE Defender versions 2.1 and prior, as well as BlackICE Pro versions 2.0.23 and prior, when configured for security level Nervous or lower, do not properly block or filter Back Orifice traffic. NetworkIce recommends setting your security level to Paranoid, which will correct this problem. http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html

    • ICEcap, the corporate management tool for BlackICE, listens on ports 8081 and 8082 and can be flooded with UDP or TCP traffic to these ports (a Denial-of-Service). If logging is enabled (packet and evidence) and DNS and NetBIOS traces are selected, then ICEcap either

      a) completely stops responding and CPU is at 100% or
      b) slows to such a crawl that the user cannot reliably do anything.

      The  workaround found is to disable packet logging (which is the default).

      Notes:
      1. BlackICE is not affected by the slowing down of the ICEcap server.
      2. Packet logging should not normally be enabled, as ALL network packets are logged, this will obviously drain disk and CPU resources.

Tips:

I used BlackICE on the Intranet, on the Internet and on the Intranet via VPNs. It worked well and was set up as follows:

Tools|Preferences: Visible indicator=Red/Orange (not yellow), no sound.
Tools|Settings: Paranoid, Allow NetBIOS Neighborhood, Enable Evidence log, Add Exchange server + VPN gateway + known Intranet SNMP manager servers to "trusted addresses".
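The "UDP port scan" false positives discussed under Disadvantages and the trusted-addresses setup in the tips above both come down to the same question: which alerts are explained by known servers (Exchange, SNMP manager, VPN gateway) and which are not. The script below is an added example for this article, neither NetworkICE code nor the Brady & Associates analyzer mentioned earlier. It reads an attack-list.csv export, groups alerts by source and attack name, pulls the port number out of each entry, and lists the remaining unexplained alerts with the most severe first. The column order in COLUMNS is an assumption made for the example (check one line of your own attack-list.csv and adjust it); the log lines and the trusted addresses are constructed for illustration.

```python
"""Offline triage of a BlackICE attack-list.csv export.

Added example for this article; not NetworkICE code and not the third-party
log analyzer mentioned in the text. The column order in COLUMNS is an
ASSUMPTION (adjust it to the real file); the sample log lines and the
trusted addresses are constructed.
"""
import csv
import io

# Assumed column layout of attack-list.csv (adjust to the real file).
COLUMNS = ["severity", "time", "attack_id", "attack", "intruder_ip",
           "intruder_name", "victim_ip", "victim_name", "parameters", "count"]

# The hosts the tips put on BlackICE's "trusted addresses" list.
# Constructed private addresses.
TRUSTED = {
    "10.1.2.3": "Exchange server",
    "10.1.2.20": "SNMP manager",
    "10.1.9.1": "VPN gateway",
}

# Constructed sample: SNMP polling and an Exchange call-back look like
# probes, while 203.0.113.44 is a real scan followed by a Back Orifice probe.
SAMPLE_CSV = """\
20,2000-10-16 09:12:44,2000011,UDP port probe,10.1.2.20,snmpmgr,10.1.5.7,mypc,port=161,4
20,2000-10-16 09:13:01,2000011,UDP port probe,10.1.2.20,snmpmgr,10.1.5.7,mypc,port=161,2
30,2000-10-16 09:20:10,2001001,TCP port probe,10.1.2.3,exchange,10.1.5.7,mypc,port=1034,1
90,2000-10-16 21:02:15,2002001,TCP port scan,203.0.113.44,,10.1.5.7,mypc,port=139,1
90,2000-10-16 21:02:16,2002001,TCP port scan,203.0.113.44,,10.1.5.7,mypc,port=135,1
95,2000-10-16 21:05:40,2003005,Back Orifice,203.0.113.44,,10.1.5.7,mypc,port=31337,1
"""


def _port_from_params(params):
    """Pull 'port=N' out of the parameters field (assumed k=v&k=v form)."""
    for kv in params.split("&"):
        key, _, value = kv.partition("=")
        if key.strip() == "port" and value.strip().isdigit():
            return int(value)
    return None


def parse_attack_list(text):
    """Return one dict per alert line; lines that don't fit the layout are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(COLUMNS) or not rec[0].strip().isdigit():
            continue
        row = dict(zip(COLUMNS, rec))
        row["severity"] = int(row["severity"])
        row["count"] = int(row["count"]) if row["count"].strip().isdigit() else 1
        row["port"] = _port_from_params(row["parameters"])
        rows.append(row)
    return rows


def summarize(rows):
    """Group alerts by (intruder, attack name): total count, ports touched,
    highest severity and, if the source is a known server, what it is."""
    summary = {}
    for r in rows:
        key = (r["intruder_ip"], r["attack"])
        s = summary.setdefault(key, {"count": 0, "ports": set(), "max_severity": 0,
                                     "trusted_as": TRUSTED.get(r["intruder_ip"])})
        s["count"] += r["count"]
        s["max_severity"] = max(s["max_severity"], r["severity"])
        if r["port"] is not None:
            s["ports"].add(r["port"])
    return summary


def unexplained(summary):
    """Alerts from hosts not on the trusted list, most severe first."""
    items = [(ip, attack, s) for (ip, attack), s in summary.items()
             if s["trusted_as"] is None]
    return sorted(items, key=lambda t: (-t[2]["max_severity"], -t[2]["count"]))


if __name__ == "__main__":
    summary = summarize(parse_attack_list(SAMPLE_CSV))
    for (ip, attack), s in summary.items():
        if s["trusted_as"]:
            print(f"explained: {attack} from {ip} ({s['trusted_as']}), "
                  f"ports {sorted(s['ports'])}, {s['count']} events")
    for ip, attack, s in unexplained(summary):
        print(f"INVESTIGATE: {attack} from {ip}, severity {s['max_severity']}, "
              f"ports {sorted(s['ports'])}, {s['count']} events")
```

The port number is what turns a vague "UDP port probe" into something explainable: repeated hits on 161 from the SNMP manager are polling, not a scan. Keep TRUSTED in step with the "trusted addresses" list in BlackICE itself so the two agree on what is known-good.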

