Personal Firewalls / Intrusion Detection Systems

By Sean Boran | Oct 16, 2000
http://www.enterprisenetworkingplanet.com/netsecur/article.php/624491/Personal-Firewalls--Intrusion-Detection-Systems.htm

Contents

  1. Introduction
  2. Products:
    1. BlackICE
    2. ZoneAlarm
    3. BackOfficer Friendly (BOF)
    4. E-Safe Desktop
    5. Norton Personal Firewall
    6. Other Products
  3. Summary & Conclusions


Introduction

Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated, inflexible, or do not progress quickly enough to keep up with new attacks. They may even be rendered useless by dialup access weakness, encryption, VPNs, teleworkers connecting directly to the Internet from home, etc.

An interesting new breed of "personal firewalls" has surfaced. These are installed on a user's PC and allow the (unsophisticated) user to protect his/her own PC. The risks faced by the home user on the Internet are analysed in Securing Your Home Network, by AtomicTangerine. In short, there is a significant risk and it needs to be addressed.

These tools can:

  • Protect PCs from attack when connected to hostile networks (like the Internet), especially those connected for hours or even days at a time (DSL or cable users). The longer you're on the Net, the more likely you'll be attacked.

  • Prevent network access to a backdoor (like BackOrifice) even if an infected email manages to install one.

  • Show exactly what communications a new application needs, and when, while you are trying it out.

  • Reduce the risk posed by teleworkers who connect to the corporate LAN via Internet VPNs. If such a PC is penetrated it could be used as a bridge by attackers to reach the Intranet; with a personal firewall installed, VPNs via the Internet pose much less of a risk.

  • Educate: users become aware of just how hostile their network environment is.

  • Ensure that your PC is not used to attack others.

In a corporate environment, laptop users, Internet VPN users, home workers etc. could be mandated to use a preconfigured Personal Firewall to ensure their PCs pose no additional risks to the corporate Intranet.

The following products were tested:

  • BlackICE Defender

  • Zone Alarm

  • Back Officer Friendly

  • eSafe

  • Norton Internet Security 2000


There are a few measures that Windows users can take, even without installing a firewall:

  • Install a good anti-virus scanner and keep it up to date. Scan Email attachments before opening them.

  • Never run any executable files received by email unless you are very sure of their authenticity.

  • Disable file and printer sharing.

  • Disable the SMB/Microsoft protocols on the Interface used to access the Internet. For example, on NT with a Dialup connection, select "Control Panel->Network->Bindings->NetBIOS Interface", select the "Remote Access WAN Wrapper" entries, Right-Click and select "disable". If you use Dial-up for both Internet and Intranet access, this may not be a good idea.

  • Connect to Steve Gibson's "Shields UP!" site and let it analyse your PC's network security (port scan and NetBIOS services scan) and tell you just how well your PC is protected. (I had problems doing the Shields UP! test with IE5, but Netscape 4.73 worked just fine.) Even if you install a personal firewall, trying this out is useful.

  • Install Windows and Explorer security fixes: This is a tricky one as it can be very time consuming and cause major headaches. For instance the recent Outlook security patch is so restrictive as to make it unusable on Intranets (in my opinion).

  • Back up your system regularly.


How did we test firewall effectiveness? An nmap scan was run against each product (results are given in each product section) to check that incoming ports were effectively blocked. With no firewall installed, the test PC (NT4 SP5) presented the following to nmap (nmap -sT -P0 -O IP_ADDR):

    Port    State   Protocol  Service
    7       open    tcp       echo
    9       open    tcp       discard
    13      open    tcp       daytime
    17      open    tcp       qotd
    19      open    tcp       chargen
    135     open    tcp       loc-srv
    139     open    tcp       netbios-ssn
    Remote OS guesses: Windows NT4 / Win95 / Win98, Windows NT 4 SP3, Microsoft NT 4.0 Server SP5 + 2047 Hotfixes
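The comparison the review performs by eye (baseline scan versus scan with the firewall installed) can be automated, which also helps when re-checking after every product update. The following is an added example, not code from the article or from any of the products reviewed. The three listings are constructed from the nmap output quoted in the article (the unprotected NT4 baseline, the ZoneAlarm "high security" result and the Norton "medium" result); the parser handles the "Port State Protocol Service" table format that nmap 2.x printed for -sT scans and skips header, OS-guess and blank lines.

```python
"""Compare nmap port listings taken before and after a personal firewall is
installed, to see which services the firewall actually hides.

Added example, not from the article. The listings are constructed from the
article's own nmap output; the parser handles the 'Port State Protocol
Service' table nmap 2.x printed for -sT scans."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the unprotected NT4 SP5 baseline quoted in the article.
BASELINE = """\
Port State Protocol Service
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
Remote OS guesses: Windows NT4 / Win95 / Win98
"""

# Constructed sample: the same host behind ZoneAlarm in "high security" mode.
ZONEALARM = """\
Port    State       Protocol  Service
17      open        tcp       qotd
19      open        tcp       chargen
135     open        tcp       loc-srv
139     open        tcp       netbios-ssn
No OS matches for host.
"""

# Constructed sample: the host behind Norton Personal Firewall (medium).
NORTON = """\
7 open tcp echo
9 open tcp discard
13 open tcp daytime
17 open tcp qotd
19 open tcp chargen
113 unfiltered tcp auth
135 open tcp loc-srv
139 unfiltered tcp netbios-ssn
1025 unfiltered tcp listen
1026 unfiltered tcp nterm
No OS matches for host
"""

PortKey = Tuple[int, str]   # (port, protocol)
LINE_RE = re.compile(r"^\s*(\d+)\s+(open|closed|filtered|unfiltered)\s+(tcp|udp)\s+(\S+)")


def parse_nmap(text: str) -> Dict[PortKey, Tuple[str, str]]:
    """Map (port, proto) -> (state, service) for every port line; header,
    OS-guess and blank lines do not match the pattern and are skipped."""
    result: Dict[PortKey, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            port, state, proto, service = m.groups()
            result[(int(port), proto)] = (state, service)
    return result


def firewall_effect(before: str, after: str) -> Dict[str, list]:
    """Classify every baseline port as hidden by the firewall, still open, or
    changed to another state (e.g. 'unfiltered': reachable, nothing dropped),
    and list ports that only showed up once the firewall was installed."""
    b, a = parse_nmap(before), parse_nmap(after)
    report: Dict[str, list] = {"hidden": [], "still_open": [], "state_changed": [], "new": []}
    for key in sorted(b):
        if key not in a:
            report["hidden"].append(key[0])
        elif a[key][0] == "open":
            report["still_open"].append(key[0])
        else:
            report["state_changed"].append((key[0], a[key][0]))
    report["new"] = [key[0] for key in sorted(a) if key not in b]
    return report


if __name__ == "__main__":
    for name, scan in (("ZoneAlarm", ZONEALARM), ("Norton", NORTON)):
        print(name, firewall_effect(BASELINE, scan))
```

Run against the two constructed results, the report shows what the review's prose says: ZoneAlarm hides the small TCP services but leaves 17, 19, 135 and 139 open, while Norton hides nothing from the baseline, turns 139 "unfiltered" and exposes three ports (113, 1025, 1026) that the bare NT4 box did not show.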



BlackICE

The first product tested was NetworkICE's BlackICE Defender (http://www.networkice.com/). A quotation from the web site:

...BlackICE works continually to defend servers and workstations from over 200 hacker signatures including the Melissa Worm, "Slow Scans" and "Back Orifice." Even if hackers bypass firewalls or intrusion defenses, BlackICE bars entry at the desktop and server.

Attributes:

  • This little tool sits in your taskbar (on NT) and informs you of incoming Network connections (possible attacks).

  • It has four simple protection levels from paranoid (allow no inbound TCP or UDP ports) to nervous (allow non-standard UDP), cautious (allow non-standard TCP/UDP), trusting (block nothing, but warn when something bad happens).

  • File sharing can be enabled or disabled, as can NetBIOS Neighborhood (other hosts in your domain can see you in the Network neighborhood).

  • When an attack happens, the icon in the taskbar flashes (it changes to yellow, orange or red, depending on the urgency). On clicking on the icon, the user is presented with a list of attacks. Right clicking on the event allows several courses of action:
    a) trust this address
    b) block this address (hour, day, month, forever)
    c) ignore this attack
    d) ignore this attack by another intruder

  • Firewall experts will be disappointed at not being able to specify more detailed filter rules, but the simple configuration makes it ideal for protecting non-techie PCs.

  • Auto-port blocking response: automatic blocking of all traffic from an IP address on certain critical attacks (e.g. LAND DoS or Trojan horse attacks like Back Orifice).

  • Many versions were tested, from V1.8.6 in Dec. 99 to V2.1.cb, on NT4/SP5 and Win2000.

  • BlackICE does notice nmap scans by flashing a red icon; the attacks window says "TCP Port scan", "TCP port probe", "NMAP OS Fingerprint", "TCP Ace ping", "TCP OS Fingerprint" and "UDP Port Probe", among many others, which is pretty good. Nmap returned a massive list of "unfiltered" ports: port 113 and many ports between 1024 and 65031. Nmap was unable to identify the OS either.

  • While browsing the Internet, I was subjected to PCAnywhere, BackOrifice and several TCP port scans (all identified by BlackICE). It certainly is a useful tool for increasing user awareness about the dangers of the Internet.

  • BlackICE can be switched off on a specific interface, by hacking blackice.ini.

  • Download size: 1.9MB

  • Costs $39 (for entry level Defender)


Advantages:

  • A nice idea well implemented.  GUI is pretty simple and easy to use.

  • Good intrusion detection.

  • Allows File sharing and Network Neighborhood visibility to be easily disabled.

  • The "attack history" and list of attacks windows are useful. Informs immediately of an attack, and notes the attacker's host name and IP address.

  • A corporate version can centralise configuration, policy and alerting.

  • Free updates are included and can be easily downloaded (the default browser and proxy settings are used). V2 correctly determines (automatically at regular intervals if selected) whether the existing version needs updating.

  • Innovation: testing with BlackICE started in December 1999, and useful new features have been added to the free upgrades in this time.

  • Stable.

  • Documentation is pretty good.


Disadvantages:

  • Not free and no demo version available for download.

  • It would be nice if power users could customise the rules more. The file firewall.ini can be manually edited to block/allow UDP/TCP ports. It would be better to be able to specify port ranges or wildcards, and even better to be able to filter state-based protocols like FTP. It would also be better if individual ports could be opened/blocked from the GUI rather than by hacking the firewall.ini file.

  • The default configuration does not protect against Trojans like Back Orifice.

  • BlackICE waits until a connection is made before it takes action; it doesn't prevent a connection by shutting down the system's ports.

  • Outgoing ports cannot be blocked.

  • False alarms when used on a LAN: from SNMP servers, network management agents, NetBIOS connection attempts, Exchange servers etc. (these are not really annoying, as they only generate "yellow" alerts). This is not necessarily a bug, but on a large corporate Intranet there can be many such connections that are harmless. In a hostile environment, such as the Internet, it is good to know about such probes. So it depends on your needs.

  • The attacks window cannot be "drilled down" to list exactly what ports were connected to and what (packet) information was sent. (Clicking on the advICE button does help, and you can see the port in the URL; the file attack-list.csv can also be examined.)

  • False positives: one often sees "UDP port scan" but doesn't know exactly what is causing it: a real scan, heavy DNS or SNMP traffic etc. In one case it was an Exchange server trying to make a (legitimate) connection back to an Outlook client; BlackICE didn't help discover the reason at all. attack-list.csv can be examined to see what port number was used.

  • No tool to browse packet or evidence logs (but some of the logs are in CSV format, easily browsed with Excel). However, a third-party tool is available (Firewall Log Analyzers -- Brady & Associates, LLC, for BlackICE and ZoneAlarm. Tested and works well for BlackICE. Cost: $20, 1 month evaluation.)

  • Deinstalling could be cleaner, Registry Keys are left behind. Optionally, the NetworkIce directory is left in C:\Program Files\ with configuration and logs files, which is useful.

  • Bugs

    • Updates did not always work perfectly: updating from 2.1.u to 2.1.x reported "access denied" on blackdll.dll. Re-running the update worked.

    • In cautious mode or higher, the Cisco/Altiga Concentrator VPN client won't work.

    • On Windows 2000, the BlackICE engine just stops now and again, leaving the PC unprotected. Upgrading to v2.1.cb should have fixed this, but it did not.

    • Some security bugs have cropped up, for example, one posted on Bugtraq:
      BlackICE Defender versions 2.1 and prior, as well as BlackICE Pro versions 2.0.23 and prior, when configured for security level Nervous or lower, do not properly block or filter Back Orifice traffic. NetworkIce recommends setting your security level to Paranoid, which will correct this problem. http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html

    • ICEcap, the corporate management tool for BlackICE, listens on ports 8081 and 8082 and can be flooded with UDP or TCP Denial-of-Service (DoS) traffic to these ports. If logging is enabled (packet and evidence) and DNS and NetBIOS traces are selected, then ICEcap either

      a) completely stops responding and CPU is at 100% or
      b) slows to such a crawl that the user cannot reliably do anything.

      The  workaround found is to disable packet logging (which is the default).

      Notes:
      1. BlackICE is not affected by the slowing down of the ICEcap server.
      2. Packet logging should not normally be enabled, as ALL network packets are logged, this will obviously drain disk and CPU resources.

Tips:

I used BlackICE sometimes on the Intranet, Internet and Intranet via VPNs. It worked well and was setup as follows:

Tools|Preferences: Visible indicator=Red/Orange (not yellow), no sound.
Tools|Settings: Paranoid, Allow NetBIOS Neighborhood, Enable Evidence log, Add Exchange server + VPN gateway + known Intranet SNMP manager servers to "trusted addresses".


Zone Alarm

Combining the safety of a dynamic firewall with total control over applications' Internet use, ZoneAlarm gives rock-solid protection against thieves and vandals. ZoneAlarm now features MailSafe to stop email-borne Visual Basic Script worms like the "I Love You" virus "dead-in-its-tracks," thwarting its spread, and preventing it from wreaking havoc on your PC. ZoneAlarm makes ironclad Internet security easy-to-use.

Zone Alarm (http://www.zonelabs.com/) watches network communications on a per application basis and asks the user for permission each time an application wants to use the network.

  • General security levels low, medium, high are available, for the Internet and local (i.e. trusted) interfaces.

  • The network interface which is trusted (local) can also be chosen (useful to protect a dialup, but not an Ethernet connection for instance). However if you use dial-up for both Internet and Intranet access, it's problematic (see below).

  • Specific trusted hosts can be added, but not which services you wish to allow.

  • ZA detects running network applications and provides a list. Each application can be allowed to receive incoming connections on either the Local or Internet connection (or both).

  • Download size: 1.5MB

  • Running nmap on ZoneAlarm in "high security" mode causes one alert that was not informative, and nmap is able to identify a few services:
    Port    State       Protocol  Service
    17      open        tcp       qotd                    
    19      open        tcp       chargen                 
    135     open        tcp       loc-srv                 
    139     open        tcp       netbios-ssn             
    No OS matches for host.


Advantages:

  • Shuts down all unused ports.

  • Cost: free for personal use, $20 for business use.

  • Has different rules for LAN (local) and Internet networks.

  • Stops and asks for your permission before an application can use the network, for the first time, or every time.

  • Flexible

  • Button to block the network temporarily (which can be used if you suspect you have a Trojan, or are opening an email/program from an untrusted source, or are going off for lunch...). Programs which are configured to "Pass Lock" are still allowed to communicate.

  • Quick download (1.5MB)

  • Other ZA users have indicated that they like its method of functioning.


Disadvantages:

  • Stability: I had one blue screen in 4 weeks.

  • If many applications are used, the questions to the user can be annoying/confusing, and the user may end up having more applications trusted than expected.
    It doesn't tell you exactly what the Application does, and application is either trusted, or it is not.
    For example, when using Internet Explorer, ZA prompted saying that IE wanted to be a server to the Internet, but without any details as to what port, whether this was dangerous, etc. I denied access and IE still worked (Netscape did not cause this effect). IE did this several times.

  • If you use a dialup connection, sometimes for Intranet, sometimes for Internet, ZoneAlarm will always apply the same rules. e.g. on an Intranet dial-up NetBIOS file sharing, RPC etc. are desirable, but they are not on the Internet connection. It's too unwieldy to switch security levels on the GUI each time you dial one or the other.
    There is also no concept of "trusted addresses" which would allow one to trust specific (Intranet) addresses.

  • ZA can't be configured to ignore pings from unknown sources, e.g. from Network management stations on the Intranet.

  • GUI could be easier to use, more instructive, and could use less screen space (I don't like the permanent window that can't be removed).

  • It would be nice if power users could customise the rules a bit more: Cannot allow/deny specific incoming/outgoing ports/protocols.

  • Deinstalling could be cleaner, an empty ZoneAlarm directory is left in C:\Program Files\ and keys are left in the registry.

  • There is no 'user friendly' GUI for browsing attacks. However, a third-party tool is available (Firewall Log Analyzers -- Brady & Associates, LLC, for BlackICE and ZoneAlarm. Tested and works well for BlackICE. Cost: $20, 1 month evaluation.)

  • The attack log \winnt\Internet Logs\ZALog.txt is not detailed enough: it gives port numbers but not the reasons why packets were blocked, and has no packet headers or contents, nor any state information.

  • Bugs:

    • Stability: I had one blue screen during early testing.

    • If Windows 2000 service pack 1 is installed, ZoneAlarm breaks and will only work in "Medium" mode (Windows 2000 SP1 breaks firewall software: Q269676, Wininformant article).

    • ZA looks at the application's file header to decide if traffic is allowed. If Communicator were allowed access, and a malicious trojan were installed that called itself communicator (with the same file header information), ZA would allow the trojan to communicate with the Internet.
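The weakness described in the last bug (identity decided by file header) is best seen next to the check an application-control rule should make instead: pin the approved program by a cryptographic hash of the whole file (or a code signature), so that a different binary carrying the same header is not recognised as the approved one. The following is an added example, not the article's or ZoneLabs' code. The two "executables" are constructed byte strings (an "MZ" stub and padded name field standing in for a Win32 header, followed by different bodies); HEADER_LEN, build_image and AppRule are assumptions of this example.

```python
"""Application identity by file header versus by cryptographic hash.

Added example, not the article's or ZoneLabs' code. The images below are
constructed byte strings, not real executables; the header check stands in
for the file-header comparison the article describes."""
import hashlib
from typing import Callable, Dict, Set

HEADER_LEN = 64   # assumed: a header-based check compares only this prefix


def build_image(name: bytes, body: bytes) -> bytes:
    """Constructed stand-in for a Win32 executable: 'MZ' magic, a padded
    name field, then the program body."""
    header = b"MZ" + name.ljust(HEADER_LEN - 2, b"\x00")
    return header + body


# The program the user approved once...
COMMUNICATOR = build_image(b"netscape.exe", b"\x90" * 20 + b"legitimate code")
# ...and a different binary whose first HEADER_LEN bytes are identical.
IMPOSTOR = build_image(b"netscape.exe", b"\x90" * 20 + b"something else")


def header_identity(image: bytes) -> bytes:
    """Weak identity: the header bytes only."""
    return image[:HEADER_LEN]


def hash_identity(image: bytes) -> str:
    """Strong identity: SHA-256 over the entire file."""
    return hashlib.sha256(image).hexdigest()


class AppRule:
    """An 'allow this application to use the network' rule keyed on whatever
    identity function the firewall uses."""

    def __init__(self, identity_fn: Callable[[bytes], object]) -> None:
        self.identity_fn = identity_fn
        self.allowed: Set[object] = set()

    def approve(self, image: bytes) -> None:
        self.allowed.add(self.identity_fn(image))

    def permits(self, image: bytes) -> bool:
        return self.identity_fn(image) in self.allowed


def compare_policies() -> Dict[str, bool]:
    """Approve the genuine program under both policies, then ask each policy
    about the genuine program and about the impostor."""
    weak, strong = AppRule(header_identity), AppRule(hash_identity)
    weak.approve(COMMUNICATOR)
    strong.approve(COMMUNICATOR)
    return {
        "header_allows_original": weak.permits(COMMUNICATOR),
        "header_allows_impostor": weak.permits(IMPOSTOR),
        "hash_allows_original": strong.permits(COMMUNICATOR),
        "hash_allows_impostor": strong.permits(IMPOSTOR),
    }


if __name__ == "__main__":
    for check, outcome in compare_policies().items():
        print(f"{check:>24}: {outcome}")
```

The cost of the hash-based rule is that a legitimate update to the approved program changes its hash and must be approved again; that re-prompt is the correct behaviour, since the firewall genuinely cannot tell a patched Communicator from a replaced one without verifying the new file.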


BackOfficer Friendly (BOF)

BackOfficer Friendly (BOF), from NFR (http://www.nfr.net/), detects BackOrifice scans, as well as ftp/telnet/http/smtp/imap2/pop3 connection attempts. It can also act as a honeypot, trapping attackers into believing they've penetrated a real system.

BackOfficer Friendly can interact with the hackers, pretending to be a Back Orifice server or server for other types of requests. Instead of silently discarding their commands, it sends them responses (sometimes humorous) that look somewhat like a real system.

Advantages:

  • Costs $10

  • UNIX and NT


Disadvantages:

  • Not very powerful

  • Ordering doesn't always work as expected.

  • Not evolving.



E-Safe Desktop

From the vendor's description:

  • Anti-vandal protection using eSafe's unique Sandbox II technology
  • Internet content filtering based on keyword, URL, port and protocol
  • Resource management and desktop lockdown features
  • ICSA and Checkmark certified anti-virus protection

eSafe Desktop is compatible with Windows95, Windows98, WindowsNT, Office2000 and now Windows 2000.

Attributes:

  • "Sandbox" which theoretically restricts malicious programs from damaging the system.

  • Learn mode for 14 days

  • Anti-virus protection (not tested or installed).

  • Download size is quite large: 10MB.

  • Tested v2.2 in personal firewall mode on Win2000.


After installation and rebooting, eSafe (http://www.esafe.com/) detects a few applications (in my case IE, Office, Outlook and Communicator), and allows a "protection setting" of default, previous, and none to be set. It is not obvious what this means. An icon sits in the task bar which can be used for anti-virus or setting configuration. Each time you logon, eSafe starts its check for new "known network" applications.

An nmap scan seemed to indicate the machine is not protected at all:

    Port    State   Protocol  Service
    7       open    tcp       echo
    9       open    tcp       discard
    13      open    tcp       daytime
    17      open    tcp       qotd
    19      open    tcp       chargen
    135     open    tcp       loc-srv
    139     open    tcp       netbios-ssn
    445     open    tcp       microsoft-ds
    1025    open    tcp       listen
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=16695 (Worthy challenge)
    Remote operating system guess: Windows 2000 RC1-RC3

It turns out that eSafe wasn't blocking: because it was in "learn mode", it relied on its sandbox for protection. There was no time to wait the two weeks it takes for learn mode to finish in order to see how it would perform afterwards.


Advantages:

  • Cost: free for personal use. Trial version available.

  • Can be configured to protect only specific applications.

  • One reader indicated they liked Esafe!


Disadvantages:

  • Not so easy to use. Quite complex, GUIs could be much better.

  • Not a firewall when in learn mode.

  • Sandbox mode: asks lots of questions about browser access to DLLs etc. which a normal user simply cannot answer. It gets pretty annoying. I switched off the sandbox.

  • Slow download (10MB)

  • Virus scanner is low quality.



Norton Personal Firewall 2000 V2.0

Symantec's product (http://www.symantec.com/) has two modules that can be selectively enabled: the Personal firewall and the Privacy module.

Personal firewall: minimal, medium, high and custom protection is available.
The custom level allows selection of whether Java applets and/or ActiveX controls are allowed/blocked or prompted. Options for enabling alerts and silently blocking unused ports are enabled by default.

Privacy Module: minimal, medium, high, and custom protection is available.
An interesting feature is the "confidential info" which allows specification of text strings that must be blocked (bank account number, credit card number, etc). The custom protection allows/blocks/prompts when specific (confidential) info is transmitted. Cookies can be allowed/blocked/prompted, HTTPS (SSL) connection can be enabled/disabled and browser privacy can be enabled/disabled (i.e., blocks querying of email address and last site visited).

The tests were carried out using the default (medium) settings.

An nmap scan resulted in the usual list of alerts, which weren't very informative. The Alert dialog would pop up with messages like: "Norton Personal Firewall has detected that a network communication is trying to access TCP/IP Services Application. Before your computer can be accessed, you must tell Norton how you would like it to handle this situation." The user must then choose a course of action:

  • Configure a rule
  • Block access this time
  • Permit access this time

There was no analysis of the connection that could have helped the user decide whether it was valid or not. For example, the firewall could have checked for other existing and past connections from the same IP address and informed the user about whether the service is a well-known one or not. If many attempts are received from one host, the firewall should offer the user a one click option of blocking all traffic from that host, and explain why.

Nmap reported that some services were open, but was unable to detect the OS type. The open services were visible as open connections in the Connections Log Viewer--in fact, they were still open 40 minutes after nmap had stopped! In addition, one wonders what the nterm service is -- a service of the Norton firewall?

    Port    State       Protocol  Service
    7       open        tcp       echo
    9       open        tcp       discard
    13      open        tcp       daytime
    17      open        tcp       qotd
    19      open        tcp       chargen
    113     unfiltered  tcp       auth
    135     open        tcp       loc-srv
    139     unfiltered  tcp       netbios-ssn
    1025    unfiltered  tcp       listen
    1026    unfiltered  tcp       nterm
    No OS matches for host

To test the privacy option, a confidential Bank account number was configured. Norton detected when this number was submitted to a web page. It did not notice when the number was sent via email.
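A "confidential info" filter of the kind described above is a substring search over outbound traffic, and the observation that it caught the web form but not the email points at a general limitation of such filters. The following is an added example, not Symantec's code, and the article does not say why the email was missed; the assumption demonstrated here is that mail bodies are usually transfer-encoded (base64 or quoted-printable), so the literal string never appears on the wire and a filter must decode before matching. The account number and all three payloads are constructed.

```python
"""Matching a configured confidential string in outbound traffic, with and
without decoding the common mail transfer encodings.

Added example, not Symantec's code. The account number and payloads are
constructed; the claim that encoding is what defeats a naive filter is an
assumption of this example, not a statement from the article."""
import base64
import quopri
import re
import urllib.parse
from typing import Iterator, List

SECRETS: List[str] = ["1234-5678-90"]   # constructed bank account number

# Constructed outbound payloads: headers, blank line, body.
HTTP_POST = ("POST /pay HTTP/1.0\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "acct=1234-5678-90&amt=10")
MAIL_B64 = ("Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(b"my account is 1234-5678-90").decode())
MAIL_QP = ("Content-Transfer-Encoding: quoted-printable\r\n\r\n"
           "my account is 1234=2D5678=2D90")


def normalize(s: str) -> str:
    """Ignore spacing and dashes so '1234 5678 90' and '1234-5678-90' match."""
    return re.sub(r"[\s\-]", "", s)


def naive_match(payload: str, secrets: List[str] = SECRETS) -> bool:
    """Plain substring search over the payload exactly as sent."""
    return any(s in payload for s in secrets)


def views(payload: str) -> Iterator[str]:
    """Yield the payload as sent plus plausible decodings of its body:
    URL-decoded (web forms), base64 and quoted-printable (mail)."""
    yield payload
    yield urllib.parse.unquote_plus(payload)
    body = payload.split("\r\n\r\n", 1)[-1]
    try:
        yield base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError: not base64
        pass
    yield quopri.decodestring(body.encode()).decode("utf-8", "replace")


def robust_match(payload: str, secrets: List[str] = SECRETS) -> bool:
    """Normalize both sides and test every decoded view of the payload."""
    wanted = [normalize(s) for s in secrets]
    return any(w in normalize(v) for v in views(payload) for w in wanted)


if __name__ == "__main__":
    for name, p in (("HTTP form", HTTP_POST), ("mail/base64", MAIL_B64),
                    ("mail/quoted-printable", MAIL_QP)):
        print(f"{name:>22}: naive={naive_match(p)} robust={robust_match(p)}")
```

Decoding every candidate view is cheap for a single PC's outbound traffic, but it also shows the limit of the approach: anything the user sends over an encrypted channel (HTTPS, which the product can switch on and off) is not visible to the filter at all.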

There is a LiveUpdate feature, which updates the program to the latest version via the Internet; it's worth running after installation. See also Symantec's Norton Internet Security 2000 for a discussion of blocking "ad spies": a LiveUpdate reduces the number of "ad spies" allowed.


Advantages:

  • Well thought out, very powerful, instructive.

  • Good GUI: easy to use and instructive. Good on-line help. Tries to address the needs of expert and normal users.

  • Can be configured to only protect specific applications.

  • Works well in a mixed Internet/Intranet/LAN environment.

  • "Normal" traffic such as ftp, http, https, pop3 is allowed out without asking the user (which is a safe assumption for "medium" security in my opinion).

  • Unused ports are silently blocked (not alerted), and logged (this makes sense: don't alert the user unnecessarily).

  • The expert user will find a fully fledged firewall waiting to be configured under the advanced options.

  • The GUI "Logging of events"/"dynamic rules changes" / "firewall activity" is exemplary. The expert user who wants to find out exactly how a particular application uses the network, will appreciate the flexibility and detailed logging.


Disadvantages:

  • $49/year including updates. Yearly fees will not be appreciated by most users.

  • No trial version available.

  • GUI does not have the simplicity of BlackICE.

  • The Alert dialog could be more informative, could analyse existing and past connections to/from a suspect IP address, analyse the traffic contents and then make a more informed recommendation to the user, rather than just leaving it up to the user to decide.

  • Requires a reboot during installation.

  • Bugs:
    • Crashes/conflicts with VPN software like CheckPoint's SecureRemote.
    • Conflicts with Win2000's IPsec capability.

  • There is no console managed version  that enables corporate policy enforcement for the subset of destinations within a corporate net.

  • Outbound TCP/NetBIOS ports (137, 138 and 139) cannot be blocked; it has to be done at the OS level.

  • Suggested improvements:
    • in the Log Browser, allow the various tabs (Connections, Firewall, etc.) to be sorted by clicking on the column title.
    • the Event Log and  Statistics should be available by right clicking on the icon in the taskbar.
    • Add intelligence to detect a scan or coordinated attack.
    • Add features to look up the source of the attack, to try and find a contact name (whois, RIPE, etc.)
    • The firewall rules in advanced options should have an icon to indicate whether the rule is logged/alerted or not
    • When a browser is connected to a site via a proxy, show the proxy and final destination in the Connection Log.
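The alert-dialog shortcoming described earlier in this section (no look at past attempts from the same address, no one-click block with an explanation) and the suggestion above to "detect a scan or coordinated attack" come down to the same piece of logic: correlate the attempts a firewall already logs by source address. It also settles the "UDP port scan" false positives reported for BlackICE, where an Exchange server reconnecting to a single client port looks nothing like a scan once distinct ports, rather than raw attempts, are counted. The following is an added example, not the article's code and not how any reviewed product works; the log lines are constructed, and their CSV layout (time, source IP, destination port, protocol) is an assumed simplification, not BlackICE's or ZoneAlarm's real log format.

```python
"""Tell a port scan apart from a host that keeps reconnecting to one port,
using only what a personal firewall logs anyway: time, source address,
destination port and protocol.

Added example; not from the article or any reviewed product. The log is
constructed and its CSV layout is an assumption of this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Event = Tuple[datetime, str, int, str]   # (time, source IP, dst port, proto)

# Constructed log: a scanner (203.0.113.7), an Intranet server that keeps
# reconnecting to one client port (10.1.1.20), and a single stray probe.
SAMPLE_LOG = """\
2000-10-16 09:00:01,203.0.113.7,21,tcp
2000-10-16 09:00:01,203.0.113.7,23,tcp
2000-10-16 09:00:02,203.0.113.7,25,tcp
2000-10-16 09:00:02,203.0.113.7,80,tcp
2000-10-16 09:00:03,203.0.113.7,110,tcp
2000-10-16 09:00:03,203.0.113.7,135,tcp
2000-10-16 09:00:04,203.0.113.7,139,tcp
2000-10-16 09:00:04,203.0.113.7,31337,udp
2000-10-16 09:01:10,10.1.1.20,1045,tcp
2000-10-16 09:03:12,10.1.1.20,1045,tcp
2000-10-16 09:05:15,10.1.1.20,1045,tcp
2000-10-16 09:07:17,10.1.1.20,1045,tcp
2000-10-16 09:09:20,10.1.1.20,1045,tcp
2000-10-16 09:09:20,10.1.1.20,1045,tcp
2000-10-16 09:09:21,10.1.1.20,1045,tcp
2000-10-16 09:09:22,10.1.1.20,1045,tcp
2000-10-16 09:09:23,10.1.1.20,1045,tcp
2000-10-16 09:09:24,10.1.1.20,1045,tcp
2000-10-16 09:30:00,198.51.100.9,139,tcp
"""

WINDOW = timedelta(seconds=60)   # attempts this close together are related
SCAN_PORTS = 5                   # distinct ports inside one WINDOW => scan
NOISY_HITS = 10                  # many attempts on a single port => noisy


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, proto = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, int(port), proto))
    return events


def classify_sources(events: List[Event]) -> Dict[str, str]:
    """Per source: 'scan' if SCAN_PORTS distinct ports fall inside any
    WINDOW-long span (a sliding window, so a slow scan hours later is not
    merged with unrelated traffic), 'noisy' if it hammers a single port,
    otherwise 'probe'."""
    by_src: Dict[str, List[Tuple[datetime, Tuple[int, str]]]] = defaultdict(list)
    for ts, src, port, proto in sorted(events):
        by_src[src].append((ts, (port, proto)))
    verdicts: Dict[str, str] = {}
    for src, hits in by_src.items():
        verdict = "probe"
        for i, (start, _) in enumerate(hits):
            in_window: Set[Tuple[int, str]] = {p for t, p in hits[i:] if t - start <= WINDOW}
            if len(in_window) >= SCAN_PORTS:
                verdict = "scan"
                break
        if verdict == "probe" and len(hits) >= NOISY_HITS and len({p for _, p in hits}) == 1:
            verdict = "noisy"
        verdicts[src] = verdict
    return verdicts


def recommendations(text: str) -> Dict[str, str]:
    """The one-line advice the article wants an alert dialog to offer."""
    events = parse_log(text)
    ports: Dict[str, Set[int]] = defaultdict(set)
    attempts: Dict[str, int] = defaultdict(int)
    for _, src, port, _proto in events:
        ports[src].add(port)
        attempts[src] += 1
    advice: Dict[str, str] = {}
    for src, verdict in classify_sources(events).items():
        if verdict == "scan":
            advice[src] = f"block {src}: {len(ports[src])} distinct ports probed within {WINDOW.seconds}s"
        elif verdict == "noisy":
            advice[src] = (f"review {src}: {attempts[src]} attempts on port {min(ports[src])} only "
                           "(reconnecting service, not a scan)")
        else:
            advice[src] = f"log only {src}: isolated probe of port {min(ports[src])}"
    return advice


if __name__ == "__main__":
    for src, line in recommendations(SAMPLE_LOG).items():
        print(line)
```

The thresholds are deliberately simple; on a corporate Intranet the "noisy" class is where the SNMP managers, Exchange servers and VPN gateways the review keeps adding to trusted-address lists would land, which is the information a user needs before deciding whether to trust the address or block it.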


Other Products

McAfee Guard Dog (based on the Conseal's Signal-9 Firewall): This seems to be a subscription based service that uses ActiveX. I have ActiveX disabled, so it wasn't possible to download or test this product. The original Conseal firewall can still be bought online.

CyberwallPLUS-WS runs on NT and Win2k, and sounds like a heavyweight. Evaluations can only be ordered by post, and apparently are not sent internationally (the author is based in Switzerland).

AtGuard, by WRQ, was purchased by Symantec, changed, and resold as Norton Firewall. The original AtGuard has a loyal following on the net. It can block incoming and outgoing connections.

AtGuard new home page (unofficial)
AtGuard user message board

Tiny Software also has a Personal Firewall. It was discovered too late for this review. Personal Firewall 1.0 costs $29.


Products that are complementary to personal firewalls:

Tauscan removes Trojans from the registry without deleting damaged files that the system needs to operate. Its sister program, Jammer, is a registry monitor and has an excellent netstat and DNS feature. It also has a very official-looking email that can be sent to an abuser's provider explaining the type of attack with relevant information. If someone does get ZoneAlarm, then Jammer will pick up their scanning activity and notify the user of the attack. They work with any anti-virus or security software and are simple to set up and use. Tauscan and Jammer cost $39 and are available from Agnitum.


WormGuard
(also called Trojan Defence Suite) from Diamond Computer Systems, in Australia, is a bit different, it...

  • Analyses files heuristically and generically rather than relying on known signatures.

  • Provides worm-detection for ALL executed files, ensuring the file is safe BEFORE it is allowed to run.

  • Has four primary and six secondary core detection engines built-in to handle executed files depending on their type.

  • Provides network administrators with the power of blocking the execution of filenames/filetypes on all machines on their network with immediate effect.

  • Neutralises many severe Windows vulnerabilities, such as the use of hidden extensions, multiple file extensions, and excessive spaces in filenames.

  • Provides extended universal detection and analysis of Macros across all Microsoft Macro formats, such as DOC, XLS, and MDB.

  • Provides extended universal detection and analysis of command files, such as COM, PIF, BAT, and CMD.

  • Provides Deep-Scanning to detect password-stealers, keystroke-loggers, IRC worms, references to known worm authors, and much


Netlab
is a free program that offers a comfortable interface to finger, whois, daytime, ping, traceroute, clock synchronisation, dns lookup and network scanner.
(Test on NT4, useful).


Windows 98 -SE (second edition) and Win2000 include the Internet Connection Sharing (ICS) tool, which can be configured on a gateway PC between a cable modem and a hub of internal PCs. Apparently it provides some measure of protection against external attack, but no firewall is included. It hasn't been tested as part of this review, but is mentioned for reference purposes.



Summary & Conclusions


Summary

Personal Firewalls ARE useful and should be considered by any Windows user who directly connects to hostile networks, such as the Internet. They have a role to play in both the corporate and SOHO markets.  However, many products are immature, and all these products need to be subjected to more scrutiny and given time to prove their security effectiveness before they should be used to protect very sensitive PCs. None of these products is provided with source code.

  • There is a tendency for anti-virus and Personal Firewalls to be integrated into the one product, which is not necessarily a good thing. While it may make sense for the home user, the corporate user may find his/her anti-virus solution already mandated by a central IT organisation, or may want the choice of separate tools.

  • These products can't just be installed and forgotten about; the user has to learn how to use them, and understand their interface and consequences, for them to be effective.

  • The main difficulties are making such products easy to use, being flexible enough for power users, and reducing false positives (a common ailment among Intrusion detection systems).


Key Criteria

The key criteria in analyzing a personal firewall are:

  • Effectiveness of security protection (penetration, trojans, controlling leaks, Denial-of-service)

  • Effectiveness of Intrusion Detection

  • User interface: ease of use, instructiveness, simplicity, quality of on-line help. Does the interface suit the way you use your PC?

  • Price


Conclusions

  • eSafe is not of much use, and BOF is not a firewall.

  • Norton is very effective for the SOHO (Small Office / Home Office) user, but it is the most expensive and requires quite a bit of configuration. It is not easy to setup for corporate use and can be problematic.

  • ZoneAlarm is the best "Free for personal use" product, but I find the GUI (Graphical User Interface) confusing. Other users have indicated that they like the ZA GUI, so give it a try before deciding.

  • BlackICE has been my favourite for many months. While not perfect, it is simple, stable, easy to use and doesn't interfere much with my daily work. It does not block outgoing ports however, and does not work well with Windows 2000. I've now deserted BlackICE for Norton, since it blocks outgoing ports and catches ActiveX controls. BlackICE may well be a better choice for many users though, due to its simplicity, regular updates and support for centralised configuration and rollout.


Thanks to Interceptor, Tom Chmielarski, Larry Adams, Geoffrey Kidd, Thomas Rude, Paul Rarey, Bill Curnow, Lissi Paffrath and Peter Klammer who provided valuable feedback.



Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.


SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
http://www.SecurityPortal.com
The Focal Point for Security on the Net (tm)