PC Security Software Test:
The internet is an increasingly hostile place to be, and connecting to it without protection is now very risky. Broadband connections that remain on for hours at a time expose your PC to a greater window of opportunity for hackers, but automatic attacks such as worms can affect even those who dial-up for a few minutes a day. Anti-virus software and Windows updates can go a long way to removing the worst security holes, but to really lock down your PC you need a firewall.
Software firewalls have two main jobs. The first is to prevent any unwanted data arriving at your PC from the internet. This includes automated worms, port scans and manual attacks on Windows and any public services running on it, such as a web server. The second job is to control which programs on the PC are allowed to access the internet. This is important because an attacker could place a program on your computer that leaks sensitive data such as passwords to another computer on the internet, or even creates a connection to the attacker's system through which he can control your PC. A good firewall will ask you for permission when a new program tries to access the internet.
Sometimes you want to allow some incoming internet traffic, perhaps because you want to host a web server or an internet game. In this case your firewall should allow you to create a hole through which this traffic can flow. This process should not allow more access than is necessary. Some firewalls aren't very bright when it comes to this and you may have to set up additional rules to lock things up tightly.
If the firewall has a good intrusion detection system, it will keep an eye on the data flowing through this hole and inspect it. If it discovers that some of the information is harmful, perhaps a known exploit to hack into a web server, it should alert you. Ideally it should also prevent the data reaching the server. As we'll see, some of the firewalls on test here checked all incoming traffic, while others blindly allowed it through as long as it was intended for the web server.
Blocking an attacker for a set period of time is a nifty feature available on many firewalls. For example, one of the first things a hacker might do before launching an attack on your PC is to run a scan to see which holes are open. An open hole is an avenue for further investigation and potentially provides access to something that can be broken into. A firewall should detect the scan and ideally ignore any more requests for information from the attacking PC for a period of time. That way the attacker cannot even access the public services you're running for an hour, day, week or whatever time you want to send them to Coventry for. If you've scanned yourself from another computer you'll want to be able to unblock yourself. This is easy on some firewalls and tricky on others.
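The scan detection and timed blocking described above, as an added example that is not part of the original article or any reviewed product. The thresholds, class name and sample events are assumptions chosen for the illustration.

```python
# Added illustration: thresholds, class name and sample events are constructed.
from collections import defaultdict, deque


class ScanBlocker:
    """Block a source that probes many different ports in a short time."""

    def __init__(self, port_threshold=5, window=10.0, block_seconds=3600.0):
        self.port_threshold = port_threshold  # distinct ports that count as a scan
        self.window = window                  # seconds of history kept per source
        self.block_seconds = block_seconds    # how long a scanner is ignored
        self.recent = defaultdict(deque)      # source -> (time, port) attempts
        self.blocked_until = {}               # source -> time the block expires
        self.never_block = set()              # e.g. the PC you test from

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is not None and now >= expiry:
            del self.blocked_until[src]       # block has run its course
            return False
        return expiry is not None

    def unblock(self, src, trust=False):
        """Lift the block for one address; trust=True exempts it in future."""
        self.blocked_until.pop(src, None)
        self.recent.pop(src, None)
        if trust:
            self.never_block.add(src)

    def handle(self, src, port, now):
        """Return 'drop' or 'pass' for one inbound connection attempt."""
        if self.is_blocked(src, now):
            return "drop"                     # even port 80 is refused while blocked
        attempts = self.recent[src]
        attempts.append((now, port))
        while now - attempts[0][0] > self.window:
            attempts.popleft()                # forget attempts outside the window
        distinct_ports = {p for _, p in attempts}
        if len(distinct_ports) >= self.port_threshold and src not in self.never_block:
            self.blocked_until[src] = now + self.block_seconds
            attempts.clear()
            return "drop"
        return "pass"                         # hand over to the normal port rules


# Constructed events: (seconds, source address, destination port).
EVENTS = [
    (0.0, "203.0.113.9", 21), (0.5, "203.0.113.9", 22), (1.0, "203.0.113.9", 23),
    (1.5, "203.0.113.9", 25), (2.0, "203.0.113.9", 80),   # fifth port: scan
    (2.5, "198.51.100.7", 80),                             # ordinary web visitor
    (100.0, "203.0.113.9", 80),                            # scanner, still blocked
    (3700.0, "203.0.113.9", 80),                           # block has expired
]


def replay(events, blocker=None):
    blocker = blocker or ScanBlocker()
    return [blocker.handle(src, port, t) for t, src, port in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, verdict)
```

The ordinary visitor keeps getting through because repeated requests to one port never reach the distinct-port threshold, and `unblock(address, trust=True)` is the per-address release you need after scanning yourself.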
If a firewall can do all these things then we're happy with it. But some come with extra features such as anti-virus, advert and web site blocking as well as data privacy features. Data privacy can range from rejecting web cookies to preventing you from accidentally sending your credit card number or PINs out to web sites or through email. Some firewalls will also scan mail attachments to check for problems, in the same way as some anti-virus programs.
These firewalls were tested using a combination of scans and attacks that you might expect to receive while connected to the internet, either with a dial-up account or a broadband connection. These included a simple port scan, a denial of service attack, a Windows file sharing attack and a range of web server probes.
We set up Microsoft's IIS web server on the target PC and enabled the mail and FTP services too. But we only wanted the web service to be available to the network. We tested how simple it was to set the appropriate firewall rules to achieve this, as well as how easy it was to unblock attackers and manage which programs were allowed to access the internet.
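The exposure check behind this test, as an added example that is not part of the original article: an allow rule written for the whole server application opens every port it listens on, while a port rule opens only the web service. The rule format, first-match ordering and the application name `iis` are assumptions made for the illustration, not any reviewed product's rule engine.

```python
# Added illustration: rule format, names and sample data are constructed.
from dataclasses import dataclass
from typing import Optional

# Services listening on the test PC as described: web, FTP and SMTP mail.
LISTENING = {21: "FTP", 25: "SMTP", 80: "HTTP"}
# All three services belong to the same server application here.
PORT_OWNER = {21: "iis", 25: "iis", 80: "iis"}
INTENDED = {80}  # only the web service should be reachable


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    port: Optional[int] = None   # None matches any port
    app: Optional[str] = None    # None matches any application


def decide(rules, port, default="block"):
    """Assumed semantics: first matching rule wins, otherwise the default."""
    for rule in rules:
        if rule.port not in (None, port):
            continue
        if rule.app not in (None, PORT_OWNER.get(port)):
            continue
        return rule.action
    return default


def exposed_ports(rules):
    return {p for p in LISTENING if decide(rules, p) == "allow"}


def audit(rules):
    """Ports reachable from outside that were never meant to be."""
    return sorted(exposed_ports(rules) - INTENDED)


# Automatic rule that trusts the whole server application.
APP_WIDE = [Rule("allow", app="iis")]
# Manual fix: explicit blocks for FTP and SMTP placed ahead of the app rule.
BLOCKS_FIRST = [Rule("block", port=21), Rule("block", port=25)] + APP_WIDE
# Same blocks added after the app rule: never reached under first-match.
BLOCKS_LAST = APP_WIDE + [Rule("block", port=21), Rule("block", port=25)]
# Alternative fix: drop the app rule and allow port 80 only.
PORT_ONLY = [Rule("allow", port=80)]

if __name__ == "__main__":
    for name, rules in [("app-wide", APP_WIDE), ("blocks first", BLOCKS_FIRST),
                        ("blocks last", BLOCKS_LAST), ("port 80 only", PORT_ONLY)]:
        extra = [f"{p}/{LISTENING[p]}" for p in audit(rules)]
        print(f"{name:13} unintended exposure: {extra or 'none'}")
```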
If firewalls block out the internet traffic you don't want, how can your PC be attacked? While a properly designed personal firewall will help keep certain types of attackers out, there are other threats that a personal firewall can't defend against. These include viruses and worms, but there are other techniques an attacker can use to target your computer.
Web browser attacks
Many issues exist in common web browsers that could allow an attacker to
compromise the security of your PC. For example, a recently discovered
cross-site scripting flaw in Internet Explorer (http://xforce.iss.net/xforce/xfdb/13846)
makes it possible for an attacker to install and run applications of their
choice on your PC.
Passive internet traffic attacks
An attacker may passively intercept your internet traffic. Passive traffic
attacks using software like dsniff (http://monkey.org/~dugsong/dsniff) are also
used to gather sensitive information such as passwords and credit card details.
Active internet traffic attacks
An insertion attack involves an attacker inserting or replacing information into
the internet traffic with a view to falsifying information to the end user or
attacking weaknesses in the client applications to gain control of the user's
system, such as cross-site scripting vulnerabilities in Internet Explorer.
Man-in-the-middle attacks involve intercepting your communication (e.g. when
purchasing online). The attacker operates as a middle man, taking your requests
and sending them to the server on your behalf and then issuing you with forged
responses.
The solution
Keeping your anti-virus software and operating system up to date is essential.
Other than that, there's little you can do except hope that your ISP and the
people that run internet services you trust are capable of keeping hackers out
of their own systems.
F-Secure Internet Security 2004
ISS BlackICE PC Protection 3.6
McAfee Personal Firewall Plus 2004 v5
Symantec Norton Personal Firewall 2004
Agnitum Outpost Personal Firewall Pro 2
Sygate Personal Firewall Pro 5.5
RATING 5
PRICE £34.99 inc VAT
SUPPLIER www.f-secure.com
DETAILS www.f-secure.com
PROS: Includes top of the range anti-virus software
CONS: An expensive option if you only want a firewall
F-Secure Internet Security 2004 is a powerful combination of an accurate anti-virus system (see Shopper, February 2004) and a personal firewall. The firewall element is certainly very easy to use and transparently allows applications access to the internet. In fact it's a little too lax in some cases and allowed internet users access to our FTP and mail services. We only wanted to expose the web service. To secure the system we had to create two rules manually, one to block port 21 for FTP and another to block port 25 for the SMTP mail service.
Creating these rules was quite a simple process of following a wizard. When it's time to choose what to allow or block you have to choose from a list of services rather than ports. It would have been nice to see the port numbers listed next to the services to ensure that the correct rules are created. You can apply rules to all systems on the internet or specific individual IP addresses.
The firewall blocked the port scan, as does every other firewall we've seen, but it couldn't cope with our denial of service attack. Most other software firewalls, including Windows XP's own in-built protection, fail to block this attack. We'd like to see improvements in this across the board.
The intrusion detection system didn't recognise our Windows network sharing attack either, which is surprising. However, as the firewall blocks file sharing by default, and you would be mad to change the settings, this isn't a critical failure. The software doesn't block attackers in the sense that it can ignore them for set periods of time, but you could manually block attackers with a firewall rule if their addresses turn up in your log files regularly.
This is a serious package that comes at a serious price. You effectively have to buy it at the full price of around £35 every year. But considering that anti-virus and firewall updates from other vendors cost around £15 per year each this isn't quite as bad as it first looks. If you want a good all-round security package buy F-Secure's Internet Security 2004.
RATING 5
PRICE £34.95 inc VAT
SUPPLIER Guildsoft 01752 895100
DETAILS http://blackice.iss.net
PROS: Simply the best desktop intrusion detection system available
CONS: Expensive, considering the lack of extra features
ISS, best known for its enterprise level intrusion detection system, also produces a cracking desktop version. BlackICE PC Protection detected every attack we threw at it, including web-based ones. Because it has a blocking facility, you can drop all of the traffic that comes from an attacker once he starts scanning you or launching any attacks. This can be deactivated for individual addresses, which is particularly useful for when you're testing your firewall rules.
It recognised and logged our denial of service attack but it couldn't prevent the PC from slowing down, even with a setting that should block all network traffic. This is the same for all of the firewalls reviewed here. Allowing people on the internet to access the web server was quite tricky and involved manually creating a rule to allow incoming traffic on port 80. Anyone with a bit of personal firewall experience won't have a problem but complete beginners could be stumped.
BlackICE has quite a serious module for controlling which applications can and cannot access the internet. It's designed to detect when an attacker has managed to subvert legitimate programs like Internet Explorer. It works by scanning all of your files, which it assumes are all in good shape, and stores their details in a database. Any changes will show up and the Application Protection system will prevent an altered program from either running or accessing the network. In earlier versions this became tedious if you regularly updated your software or installed new programs because you needed to re-run the scanner after every change you make. With this latest version an install mode will automatically add the updated files to the database.
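The baseline-and-compare idea described above, as an added example that is not BlackICE's code or part of the original article. It assumes SHA-256 digests as the stored file "details"; the class, verdict names and sample files are constructed.

```python
# Added illustration, not BlackICE's code: SHA-256 digests stand in for the
# file "details" the review says are stored; all names are constructed.
import hashlib
import tempfile
from pathlib import Path


def digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppBaseline:
    def __init__(self):
        self.known = {}            # resolved path -> digest recorded as good
        self.install_mode = False  # True while software is installed or updated

    def scan(self, root):
        """Initial scan: every file found is assumed to be in good shape."""
        for p in Path(root).rglob("*"):
            if p.is_file():
                self.known[str(p.resolve())] = digest(p)

    def check(self, path):
        """Verdict for a program about to run or use the network."""
        key = str(Path(path).resolve())
        current, recorded = digest(key), self.known.get(key)
        if recorded == current:
            return "allow"
        if self.install_mode:
            self.known[key] = current   # changes made in install mode are trusted
            return "allow"
        return "unknown" if recorded is None else "modified"


def demo():
    """Walk one constructed program file through baseline, tamper and update."""
    verdicts = []
    with tempfile.TemporaryDirectory() as root:
        browser = Path(root, "browser.exe")
        browser.write_bytes(b"original build")
        db = AppBaseline()
        db.scan(root)
        verdicts.append(db.check(browser))          # unchanged since the scan
        browser.write_bytes(b"patched by attacker")
        verdicts.append(db.check(browser))          # altered outside install mode
        dropped = Path(root, "dropped.exe")
        dropped.write_bytes(b"new program")
        verdicts.append(db.check(dropped))          # never seen by the scan
        db.install_mode = True
        browser.write_bytes(b"vendor update")
        verdicts.append(db.check(browser))          # re-baselined automatically
        db.install_mode = False
        verdicts.append(db.check(browser))          # update is now the baseline
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two trust decisions are visible here: the initial scan accepts whatever is already on disk, and anything altered while `install_mode` is on is accepted without question, so that mode should be on only for the duration of an install.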
Considering it lacks most of the extras offered by the other packages here, BlackICE PC Protection looks quite expensive. Combined with a good anti-virus package such as Kaspersky Personal 4.5 (£28 inc VAT and £20 inc VAT for second year updates) you're looking at a top-performing combination for an initial outlay of £63 and an annual fee after the first year of £37.50.
RATING 4
PRICE £29.99 inc VAT
SUPPLIER McAfee 0207 949 0107
DETAILS www.mcafee.co.uk
PROS: Very easy to use, even with complicated tasks
CONS: The intrusion detection system is poor
McAfee's firewall is the easiest firewall to use in this group. The installation process starts a setup wizard that asks some very simple questions and you don't need to do anything to set up internet access rules for your applications. Making the web server accessible to internet users could not have been simpler.
Stealthy settings made our PC seem invisible to potential attackers. It does this by not returning 'ping' packets sent by network scanners. All of the firewalls we've tested here use this trick, but if a hacker knows you're there (the web server is a bit of a giveaway) he can still scan your ports. It didn't immunise our target PC from the denial of service attack either. Blocking the connection didn't provide any relief either. The intrusion detection system didn't even realise anything was amiss, which is not encouraging. In fact we'd go so far as to question whether the IDS truly was checking the incoming traffic because it missed our Windows file sharing attack and our web server scans too. Only Outpost Personal Firewall Pro 2 was similarly poor at this job.
The traffic monitor is a nice little utility that provides a list of applications with open connections. You can use this to see which programs are talking to the internet, or are being talked to. There are loads of statistics you can view and the main Summary screen (see the screenshot) provides loads of information for the curious. Thankfully you're not bombarded with pop-up alerts every time your system has a port scanned.
McAfee's firewall comes at an attractive price and the purchase options are flexible. You can buy online and pay a further £23 annually after the first year to receive upgrades as well as updates, or you can buy the boxed version and get updates, but not upgrades, for free until the product becomes unsupported. If you're on a budget and have no interest in configuring a firewall this is a reasonable choice.
RATING 4
PRICE £28.30 inc VAT
SUPPLIER Kaspersky Lab 0870 011 3461
DETAILS www.kaspersky.co.uk
PROS: Efficient and quiet to run
CONS: Expensive to keep after the first year
Anti-Hacker is a simple firewall. It doesn't make a big deal when someone scans your system, and it can block those who do. Unblocking them isn't so easy, and once you've found the settings you'll discover that you can't unblock an individual system. Blocking is on or off, and that's that.
The intrusion detection engine is above average, detecting many of our attacks. It was one of only three that managed to identify the Windows file sharing attack correctly. The firewall couldn't handle the denial of service attack, though.
Adding rules to the firewall is relatively simple, but it shouldn't be necessary in most cases. We allowed the software to create an incoming web server rule automatically, which it did properly without opening up the mail and FTP ports. We had to request a web page from another PC to prompt the firewall to create the rule, which isn't ideal.
Anti-Hacker also takes the pain out of managing which applications can access the internet. Many common applications are preconfigured without needing any further input from the user. When you want to add a new program you can use simple allow and deny rules, or drop into an advanced mode where extra tweaks can be added. You can specify the type of traffic associated with an application, which is useful if you want to use Internet Explorer for web browsing but prevent it from being used as an FTP client.
This is an excellent firewall that is priced very competitively against the others here - it's nearly the cheapest, beaten on price only by the Sygate software. But there's a shock in store for buyers when the summer of 2005 comes around, because the licence renewal price will be over £19. This is twice Norton Personal Firewall's update price, and slightly more expensive than BlackICE's. If not for this significant future expense we'd recommend this firewall.
RATING 4
PRICE £39.99 inc VAT
SUPPLIER Symantec 0207 616 5600
DETAILS www.symantec.co.uk
PROS: Loads of extra features and good intrusion detection
CONS: Very expensive
Symantec's anti-virus software might not be the best around but there are few flies on its personal firewall software. The interface is great, as we've come to expect from the Norton range of products, but we were also very impressed with what was going on beneath the hood. The intrusion detection engine made mincemeat of our web scans, although it didn't log our successful denial of service attack.
It automatically creates rules for essential Windows systems, which saves you the hassle and sometimes uneasy experience of allowing access to programs you've never heard of. Its automatic settings also made our web server visible to the internet, but unfortunately it decided to allow access to the entire range of services provided by IIS, which includes FTP and SMTP mail. We removed the automatic rule and created a single one that allowed port 80 traffic. This worked fine, but illustrates you should use a port scanner or port-scanning web site to test your firewall just in case similar slip-ups occur.
The alerts come thick and fast in the shape of pop-ups. Initially you might feel gratified that your newly bought firewall is protecting you from a digital onslaught, but you'll get bored quickly and annoyed soon after. Luckily it's easy to disable the alerts. If you really want to keep an eye on things, the log files are always available.
There are a lot of extras including a data privacy section. Enter confidential data into its database and, when you accidentally try to send this out to a web page or in an email, the software will block it and alert you. An advert blocker is a nice, if inessential, addition.
But make no mistake, you pay for these features. At around £40 this is an expensive program and after the second year, when an update fee becomes payable, it works out as costly as Kaspersky Labs' Anti-Hacker.
RATING 4
PRICE £39.99 inc VAT
SUPPLIER WSKA 0709 203 0352
DETAILS www.zonelabs.com
PROS: Stacks of extras
CONS: Very expensive and sloppy server settings
Zone Labs is best known for its free firewall and application control program ZoneAlarm. The Pro version is essentially the same program with some bolt-on extras. If you're used to the free one, upgrading will be painless and you should be able to get to grips with the new advert blocker, web cache cleaner and mail attachment scanner quickly.
The intrusion detection engine is effective. Along with Anti-Hacker and BlackICE it detected the Windows file sharing attack, which shows that it does actually check the data as it flows through, rather than simply allowing or denying it based on its port number.
Setting up the web server was relatively easy, although as with the Norton firewall, it exposed the FTP and SMTP ports too. Luckily the application control rules are very easy to use, being represented as a grid with crosses for deny, ticks for allow and question marks for prompt. Each application has two sets of these rules, one for connecting out to the internet and one for incoming connections. If you want to learn about firewall rules this is a good place to start.
It's an expensive program, though, rivalling Norton Personal Firewall in both features and cost. At press time the dollar was cheap compared to the pound and the annual update price for ZoneAlarm Pro came to around £11. Potential buyers should consider whether they need the extra features. Ad blocking is available with free software such as Google's toolbar, and data privacy features aren't number one on our list of must-haves. Anti-virus software should scan emails, so when you strip out these extras you're left with the essentially free ZoneAlarm, which we'd recommend you download if you can't afford either the F-Secure or ISS firewall.
RATING 3
PRICE £39.99 inc VAT
SUPPLIER avventure 01543 306729
DETAILS www.agnitum.com
PROS: An interesting collection of extra features
CONS: Much too expensive and a poor intrusion detection system
Outpost addresses some of the security issues we mention in Attacks, below. It has an ActiveX scanner that blocks harmful web content and can even stop web pages containing bad language and explicit images. There's a DNS cache for speeding up domain name lookups and it can scan email attachments. Its price fits the pattern that has emerged from this test - lots of extras add at least a tenner to the price of a basic package.
This might not be too bad if you really wanted these extras and they were added to a great firewall, but sadly we weren't too impressed with Outpost's intrusion detection. It certainly blocked the port scans and reported the fact, but that's not really intrusion detection. It missed our Windows file sharing attack and the web scans, putting it next to McAfee's firewall in terms of poor performance. It's £10 more expensive than McAfee's product, though, costs more to run after the first year and is not quite as simple to use.
RATING 4
PRICE £26 inc VAT
SUPPLIER Sygate US 510-742-2600
DETAILS www.sygate.com
PROS: The least expensive firewall on test
CONS: The hardest firewall to use we've seen
We wanted to like Sygate's firewall. It certainly does the job, with a good intrusion detection engine, great price tag, clever stealthing (see below) and zero running costs. But it's only suitable for people who know their way around a fairly advanced firewall. It's simply too complicated for anyone who just wants to protect their computer and get on with their online lives.
The feature that really stood out for us was that our attacking system could browse the web site hosted on the target, as you'd expect, but couldn't scan the web server's ports. This is an unusually good feature for desktop firewall software.
It asked a lot of questions when first installed, not trusting a single application. This is not a bad thing, but beginners can worry when all these alerts pop up. In common with the others, it didn't stop our denial of service attack, but it was one of the few programs to record the fact that it happened. This competent software is for experts on a budget only.
CONCLUSION
If you want a good all-round security package buy F-Secure's Internet Security 2004, but if you're after the very best dedicated personal firewall ISS's BlackICE PC Protection 3.6 is the one to go for. Technical users who are prepared to sacrifice some time and effort can gain an inexpensive firewall in Sygate's Personal Firewall Pro 5.5, which is a very capable application.
First Published in Computer Shopper, issue 195, May 2004. The above article is © Dennis Publishing Limited 2004. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.