Today’s personal-firewall debates focus on how well firewalls determine whether an application that requests Internet access is legitimate. Some firewalls show only the application’s filename, and the user has to decide whether to let the application access the Internet. Other firewalls contain a database of application filenames. When an application requests Internet access, the firewall compares the application’s filename against the filenames in the database; if a match occurs, the firewall permits the application access. Although this strategy worked initially, malicious intruders soon discovered that if their malware had the same filename as an allowed legitimate application, the malware could masquerade as that application and gain access to the Internet. Firewall vendors responded to these attacks by creating a database that contained the application’s filename and some sort of stored checksum that could prove the application was what it said it was. Although intruders learned how to defeat the checksum application control, adding the database and checksum controls was a step in the right direction.
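The two generations of application control described above, as an added illustration that is not part of the original article or any vendor's product: the first database stores only filenames, the second stores the filename plus a checksum of the approved binary. The "executables" are constructed byte strings, and SHA-256 is an assumption for the checksum (the article does not say which checksum the vendors used).

```python
import hashlib

# Constructed sample program images: a legitimate browser binary and a piece
# of malware that has been renamed to the browser's filename. Both are made-up
# byte strings standing in for real executables.
LEGIT_BROWSER = b"MZ\x90\x00 legit browser image (constructed sample)"
MASQUERADING_MALWARE = b"MZ\x90\x00 malware renamed to browser.exe (constructed sample)"


def sha256_hex(data: bytes) -> str:
    """Checksum of a program image (SHA-256 is an assumption for this example)."""
    return hashlib.sha256(data).hexdigest()


# Generation 1 database: filenames only.
FILENAME_DB = {"browser.exe", "mailclient.exe"}

# Generation 2 database: filename plus the checksum of the binary that was
# approved. Built here from the legitimate sample at "install" time.
CHECKSUM_DB = {
    "browser.exe": sha256_hex(LEGIT_BROWSER),
}


def allow_by_filename(filename: str) -> bool:
    """Filename-only control: anything called browser.exe is let out."""
    return filename in FILENAME_DB


def allow_by_checksum(filename: str, image: bytes) -> bool:
    """Filename+checksum control: the bytes on disk must match what was approved."""
    expected = CHECKSUM_DB.get(filename)
    if expected is None:
        return False
    return sha256_hex(image) == expected


def compare_controls(filename: str, image: bytes) -> dict:
    """Run both generations of the check on the same access request."""
    return {
        "filename_only": allow_by_filename(filename),
        "filename_and_checksum": allow_by_checksum(filename, image),
    }


if __name__ == "__main__":
    # The renamed malware passes the filename check but fails the checksum check.
    print(compare_controls("browser.exe", LEGIT_BROWSER))
    print(compare_controls("browser.exe", MASQUERADING_MALWARE))
```

Two operational points follow from the code: the checksum database must be refreshed whenever an approved application is patched, or the legitimate update will be blocked as if it were an impostor; and the checksum must be a collision-resistant hash rather than a short CRC, since a CRC is cheap to match deliberately.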
Feature 5: Protection Zones
Most home networks don’t need the same level of protection inside the home that they need against the Internet and outside intruders. Some firewalls let you define different protection zones (usually local and Internet) with particular levels of default security. For example, PCs on your LAN might need access to file- and print-sharing services that outside machines should not be able to reach. Protection zones allow this type of control. Some firewalls automatically detect the local network machines, and others wait for the user to define the machines.
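How a two-zone default policy can be evaluated, as an added example that is not part of the original article or any product it reviews. It shows both ways of populating the local zone mentioned above (automatic detection from the PC's own adapter address and mask, and user-defined networks) and then applies a constructed default policy: inbound file- and print-sharing ports are allowed only from the local zone, everything unsolicited from the Internet zone is denied. The port list and the sample addresses are assumptions for illustration.

```python
import ipaddress
from typing import Iterable, List

# Inbound ports used by Windows file and print sharing (NetBIOS and SMB).
# Treat this list as an assumption for the example, not a product's rule set.
FILE_AND_PRINT_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


def local_network_from_interface(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Automatic detection: derive the local zone from the adapter's own address and mask."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def zone_for(src_ip: str, local_networks: Iterable[ipaddress.IPv4Network]) -> str:
    """Classify a peer address as 'local' or 'internet'."""
    addr = ipaddress.ip_address(src_ip)
    if addr.is_loopback:
        return "local"
    return "local" if any(addr in net for net in local_networks) else "internet"


def decide_inbound(src_ip: str, proto: str, port: int,
                   local_networks: Iterable[ipaddress.IPv4Network]) -> str:
    """Default policy: file/print sharing from the local zone only; deny the rest."""
    zone = zone_for(src_ip, local_networks)
    if zone == "local" and (proto, port) in FILE_AND_PRINT_PORTS:
        return "allow"
    return "deny"


def build_local_zone(interface_ip: str, interface_mask: str,
                     user_defined: Iterable[str] = ()) -> List[ipaddress.IPv4Network]:
    """Combine the auto-detected LAN with any networks the user added by hand."""
    nets = [local_network_from_interface(interface_ip, interface_mask)]
    nets.extend(ipaddress.ip_network(n, strict=False) for n in user_defined)
    return nets


if __name__ == "__main__":
    # Constructed scenario: the PC sits on 192.168.1.0/24 and the user also
    # trusts a second segment, 10.0.0.0/24.
    zone = build_local_zone("192.168.1.20", "255.255.255.0", ["10.0.0.0/24"])
    print(decide_inbound("192.168.1.10", "tcp", 445, zone))   # neighbour: allow
    print(decide_inbound("203.0.113.7", "tcp", 445, zone))    # Internet: deny
```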
Feature 6: Logs and Alerts
A good firewall automatically logs malicious activity for the user to analyze. Logging should contain enough information to be helpful during future investigations. At a bare minimum, the average log records the event’s date and time and provides a brief description of which event caught the firewall’s attention. The best logs offer configurable levels of detail or links to more information that describes the attack. The firewall should alert the user with a pop-up message whenever an attack is high risk or persistent. Most people don’t have the time to research every attack; I’ve successfully stopped persistent attackers by calling my ISP. On the downside, firewalls can alert you to every suspicious packet even when nothing is wrong (i.e., a false positive).
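The logging and alerting behaviour described above, written out as an added example that is not code from the original article or from any firewall it reviews. Every event is logged with date, time and a brief description; a "verbose" detail level appends extra context; and an alert is raised only when an event is in a high-risk category or when the same source produces repeated events inside a time window, which is what keeps a single stray packet from becoming a pop-up. The event categories, the threshold and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed event categories that always warrant an immediate alert.
HIGH_RISK = {"trojan-connect-attempt", "exploit-attempt"}


class FirewallLog:
    """Minimal event log plus alert policy (example policy, not a product's)."""

    def __init__(self, detail: str = "brief", threshold: int = 3,
                 window: timedelta = timedelta(minutes=5)):
        self.detail = detail            # "brief" or "verbose"
        self.threshold = threshold      # events from one source before "persistent"
        self.window = window
        self.entries: List[str] = []
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def record(self, when: datetime, source: str, category: str,
               description: str, extra: str = "") -> Optional[str]:
        """Log the event; return an alert string if the user should be told."""
        # Bare minimum: date/time and a brief description of what was seen.
        line = f"{when.isoformat(sep=' ')} {source} {category}: {description}"
        if self.detail == "verbose" and extra:
            line += f" | {extra}"
        self.entries.append(line)

        # Sliding window of events per source, used to spot persistent attackers.
        recent = self._recent[source]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()

        if category in HIGH_RISK:
            return f"ALERT high-risk: {description} from {source}"
        if len(recent) >= self.threshold:
            return (f"ALERT persistent: {len(recent)} events from {source} "
                    f"within {self.window}")
        return None  # logged but not worth interrupting the user


def replay_sample_events(log: FirewallLog) -> List[str]:
    """Feed a constructed sequence of events through the log and collect alerts."""
    t0 = datetime(2002, 3, 1, 21, 15, 0)
    events = [
        (t0, "198.51.100.4", "port-probe", "single SYN to TCP 80", "ttl=53"),
        (t0, "203.0.113.9", "port-scan", "SYN to TCP 21", "ttl=112"),
        (t0 + timedelta(minutes=1), "203.0.113.9", "port-scan", "SYN to TCP 23", "ttl=112"),
        (t0 + timedelta(minutes=2), "203.0.113.9", "port-scan", "SYN to TCP 139", "ttl=112"),
        (t0 + timedelta(minutes=3), "localhost", "trojan-connect-attempt",
         "unknown app tried outbound TCP 12345", "image=C:\\TEMP\\patch.exe"),
    ]
    alerts = []
    for when, src, cat, desc, extra in events:
        alert = log.record(when, src, cat, desc, extra)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    log = FirewallLog(detail="verbose")
    for a in replay_sample_events(log):
        print(a)
    print("\n".join(log.entries))
```

The single probe from 198.51.100.4 is written to the log for later investigation but produces no pop-up; the third scan from 203.0.113.9 inside five minutes does, and the local Trojan-horse connection attempt alerts immediately regardless of count.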
The Test Laboratory
Besides a personal firewall’s features, a firewall’s efficiency is crucial, so I decided to test the six popular personal firewalls I mentioned earlier. I set up four victim machines typical of today’s home networks: XP Home Edition, Windows 2000 Professional, Windows Me, and Windows 98. I installed the latest crucial patches on each machine as Microsoft’s Windows Update indicated. My attack machine ran Windows NT Server 4.0; I installed professional security-vulnerability scanners and malicious cracker-attack tools. Tests simulated popular external attacks and scans against the firewall, and internal tests simulated how the firewall handled locally executed malicious code (e.g., Trojan horses, worms).
The assessment and attack tools I used included Gibson Research’s ShieldsUp!! and LeakTest applications, ISS's Internet Scanner 6.2.1, Foundstone’s SuperScan 3.0, Security Software Technologies’ (SST's) Cerberus Internet Scanner (CIS) 5.0.02, an Internet Control Message Protocol (ICMP) bomber, and TCP and UDP port flooders. The malware I used for the internal tests included the NetBus Trojan horse, Back Orifice 2000 Trojan horse, Magistr virus, Strange Brew (a Java virus), Hybris worm, Badtrans worm, CIH virus, SubSeven Trojan horse, VBS.LoveLetter worm, Exploder (a malicious ActiveX control), and Keydropper (a boot virus). Although these external-attack and internal-attack tests are far from scientific, they gave the firewalls a good trial and demonstrated their weaknesses.
The Overall Test Results
Overall, how did the personal firewalls do? Except for one contender, ICF, each personal firewall I reviewed provided significant protection for a Windows-based PC. The other firewalls seemed to hopelessly outclass ICF, Microsoft’s first consumer firewall product. All the personal firewalls installed themselves as services, which is important because they provide security anytime you turn on your machine. Each firewall did its job, although false-positive alerts were a problem. I expect vendors to spend the coming year better identifying legitimate threats and providing more information to users so that they can identify the real problems.
All the firewalls I tested prevented most known external attacks from causing problems on the victim machines. Even my largest Denial of Service (DoS) attempts caused only a slight slowing on each PC. The firewalls did their job, and the machines didn’t encounter any large exploits. Although the firewalls provided the needed protection, they didn’t log all the malicious attempts. This deficiency could permit cracking activity to continue unnoticed and let intruders succeed in future efforts.
I wish I could be as upbeat about the internal tests. Most of the firewalls stopped locally executed Trojan horses and worms from connecting to the Internet, but in their default configurations failed to stop any other type of local malicious activity. Viruses, worms, and Trojan horses still executed and were free to manipulate the local computer system without fear of firewall interference. Malicious ActiveX controls and Java applets went untouched through the browser. Visual Basic (VB) worms still executed and attached themselves to Microsoft Outlook email. I expected this result and, to be honest, it was great to see the firewalls preventing malicious connections to the Internet. Last year, half the personal firewalls would have failed this test. This result is evidence of tougher firewall rules and application controls. Clearly, however, no PC is secure without a locally installed antivirus program, too.