PC Security Round-up:

PC Personal Firewalls

by Simon Edwards

Anti-virus software is all very well, but with hackers inventing new nasties every day it isn't foolproof. With a personal firewall you can stop online rotters getting a sniff at your system. We test six.

Over the last five years the Internet has proven itself to be a fantastic way to share information. E-mail and Web sites have made electronic files very mobile - these days, a 1Mb video file can traverse the globe in seconds. But while it's now simple to send a photo of your new baby to relatives in the far corners of the Earth, it's just as easy for malicious people to spread less helpful files and cause havoc with innocent people's computers. In this article we'll look closely at the threat presented by hacking, explain how you can protect yourself, and find out who makes the best software to help your PC remain safe.

What is hacking?

To protect yourself against hackers, you need to learn what makes them tick. Why on earth would anyone interest themselves in your 56K modem-equipped Pentium II running Windows 98 and Microsoft Works, when there are sexier potential targets like governmental defence and space programmes? A hacker may take an interest in you for a number of reasons, the most common being to use you as a platform from which to launch a more serious attack. Hackers might also want to steal a draft copy of your developing novel, or might take delight in annoying strangers, but the main reason you will be targeted is to be a patsy. The next time a big firm like Citibank is hacked, you'd better hope the perpetrator didn't use your PC to do it.

But first, a hacker needs to find you. In the likely event that he's merely seeking an easy target, rather than you as an individual, he'll use special tools called scanners that will trawl the Internet looking for systems he knows he can control. ADSL users are very much at risk because they're always connected to the Internet, and so stand a higher chance of being scanned. However, modem users will be probed too - just install any of the firewalls reviewed here, and there's a good chance you'll detect automatic programs attempting to suss out your system.

Once you've been identified as a target, the hacker will use more tools to see if your system is vulnerable to any of his favourite attacks. If you have Windows Print and File Sharing enabled, he'll be able to read and possibly write to parts of your hard disk, and if you have any networking services running, such as Windows 98's Personal Web Server, you've unwittingly given the hacker more ways to enter your PC. Network services sometimes contain known security holes that can open up your system to abuse.

All such programs, which give the outside world various levels of access to your PC, are called 'server' software. And even if you aren't consciously running server software on your PC, it's possible someone else has installed some. The diagram below left shows a simple hacker attack using a program called a backdoor Trojan: SubSeven and Back Orifice are examples of this kind of software at large on the Internet. As you can see, these programs can be introduced to your computer as seemingly useful attachments and provide gut-curdlingly high levels of remote access to your home PC. Our hacker below has sent an e-mail to the victim, with a rude video file attached. When the victim watches it, a Trojan program installs itself to his hard disk in the background.

Once the hacker has control of your computer, he'll download useful tools and set things up so that whenever you go online he'll receive a message or e-mail. The instant notification received by the hacker means that modem users remain at risk. A half-decent hacker could even arrange for your PC to dial out at certain times, perhaps very early in the morning, to ensure that his new toy is still available. He'll steal your accounts files (hope you haven't stored your credit card number in Quicken!), crack your passwords, and read your e-mail. Even worse, he may try to attack other systems via your PC. Such attacks could include expeditions to online stores to pilfer credit card numbers, attempts to bring down Web servers, or even just snooping around governmental sites. Whichever way, the electronic trail will lead back to you.

And if he wants to annoy you, or if he's angry because he couldn't penetrate your system, he may block your Internet connection from outside using one of a million available programs. This is when you'll wish you had a personal firewall. Here, we tell you which one to buy.

What does a firewall do?

The concept of a firewall is a simple one: it controls what's allowed into and out of your PC via the Internet. If you connect to the Net without a firewall, you have no way of preventing people from trying to get in and, as we'll see later, information getting out. As we mentioned above, sharing files and printers on a PC or network that has an Internet connection can be dangerous. But should you revert to moving files around on floppy disks? No. Unless you really don't need file sharing, keep it turned on and simply prevent anyone from accessing these resources from outside your home or office. This is the firewall's basic job. And the best firewalls can also recognise when hackers are trying to do naughty things, and alert you with a meaningful message - this is known as an 'intrusion detection system' (IDS).

Network services - such as sharing files, hosting a Web site or distributing e-mail - all generally work using a protocol called TCP/IP. This is the same system as used by the Internet as a whole, with all the computers accessing each other via unique addresses called IP addresses. When you dial up your ISP or log in using ADSL, your PC becomes an extension of the Internet and is assigned a spare IP address that no-one else in the world is using.

A single PC on the Internet can be running both a Web server and e-mail server. If the PC's IP address is 227.134.196.101, a Web browser that looks at 227.134.196.101 will find Web pages there, while an e-mail program will find mail at 227.134.196.101. They don't get confused because (this is the crucial part) TCP/IP uses different 'ports' for each type of service. Ports are like lanes on a motorway, and keep the Web traffic and e-mail traffic separate. Web services generally run on port 80, while e-mail runs on ports 25 and 110. There are thousands of ports to choose from, and you can run any service on any port, but there are standards that most people abide by.

When you run a Web server on your desktop, it opens port 80 to the 'outside world' (your network and the Internet), so that others can view your pages. If you only want internal users to have access, you can prevent outsiders getting in by installing a firewall and telling it to disallow attempts to access port 80. It'll still let you browse the Internet - it just means that the Internet cannot browse you!

Until recently no consumer version of Windows had any in-built port-blocking abilities. However, Windows XP does now provide some protection, and we'll see how good it is below.

In addition to closing selected ports, firewalls can stop certain types of network activity from affecting your system. The Internet transmits tiny electronic signals known as network 'packets', which carry data from one place to another. When you send a 10Mb e-mail to Australia, it's chopped up into millions of pieces, which are reassembled at the other end, a bit like the transporter in Star Trek. These pieces are called packets, but not all packets are friendly. A hacker can send special packets to your PC that will bounce back, telling him something about your operating system. If he wants, he can try to send improperly formed packets that can cause your PC to freeze, or he can send so many packets through your modem that your connection becomes saturated and you might as well disconnect. This kind of attack is known as a Denial of Service (DoS) attack, and a decent personal firewall will block it.

What makes a good firewall?

A good firewall will make it easy to block the Internet traffic you don't want. It will resist hackers' attempts to work out what services you're running, and it can even hide your presence from these evildoers altogether. Should you be targeted by a backdoor virus, it'll stop it from 'phoning home', and possibly warn you that you've been infected. And it should ward off DoS attacks. What it doesn't need to do is scan for viruses, although some more expensive products do include virus checking. We recommend running a separate antivirus package in addition to the firewall. If one crashes, at least some protection remains.

Finally, even an expensive, powerful personal firewall is only any good if it is easy to configure. Most of us don't have extensive networking knowledge, and we shouldn't need it to protect our systems from common attacks. We've rated each of these firewalls out of six for their ease of use, their effectiveness in dealing with attacks and probes, and their overall value for money.

Pay for protection, or stick to freebies?

Windows XP does have a firewall included, but this only does the basic job of closing unused or unwanted ports. Worse still, it only blocks these from the outside, so backdoor viruses are free to steal data and send it out to the Internet and into a hacker's hands. So whether you have XP or not, you should install extra protection. We recommend installing McAfee Personal Firewall if you want to seal your system really well. At the very least, you should download ZoneAlarm to provide some decent protection for free.
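The difference between closing ports from the outside only and also vetting what goes out can be shown with a toy packet filter. This is an added example, not code from Windows XP or from any of the reviewed products: it models an inbound-only policy (the basic port closing described above for XP) next to a two-way policy that also checks which local program is sending traffic out. The port numbers, program names and sample traffic are constructed for the illustration.

```python
"""Toy packet filter showing the port-blocking idea in the article.

Added example, not code from Windows XP or any reviewed product. It contrasts
an inbound-only policy (closing unused ports to the outside world) with a
two-way policy that also vets which local program may send traffic out, which
is what stops a backdoor from 'phoning home'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (to the Internet)
    port: int        # local port for inbound traffic, remote port for outbound
    program: str     # local program receiving or sending the traffic


# Constructed policy: only the owner's Web server is reachable from outside.
OPEN_INBOUND_PORTS = {80}

# Constructed policy: programs the owner has explicitly allowed online.
TRUSTED_PROGRAMS = {"browser.exe", "mailclient.exe", "webserver.exe"}


def inbound_only_filter(pkt: Packet) -> bool:
    """Inbound-only filter: unsolicited inbound traffic is judged by port; anything going out passes."""
    if pkt.direction == "out":
        return True
    return pkt.port in OPEN_INBOUND_PORTS


def two_way_filter(pkt: Packet) -> bool:
    """Personal-firewall style: closed ports inbound and unknown programs outbound are both stopped."""
    if pkt.direction == "in":
        return pkt.port in OPEN_INBOUND_PORTS
    return pkt.program in TRUSTED_PROGRAMS


# Constructed sample traffic for one online session.
SAMPLE_TRAFFIC = [
    Packet("in", 80, "webserver.exe"),     # visitor reading the owner's Web pages
    Packet("in", 139, "system"),           # outsider poking at Windows file sharing (NetBIOS session port)
    Packet("out", 80, "browser.exe"),      # owner browsing the Web
    Packet("out", 25, "backdoor.exe"),     # backdoor e-mailing stolen data out
]


def verdicts(policy):
    """Return {(direction, port, program): allowed} for the sample traffic under a policy."""
    return {(p.direction, p.port, p.program): policy(p) for p in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for name, policy in (("inbound-only", inbound_only_filter), ("two-way", two_way_filter)):
        print(name)
        for key, allowed in verdicts(policy).items():
            print("  ", key, "ALLOW" if allowed else "BLOCK")
```

Both policies stop the outsider's knock on the file-sharing port, but only the two-way filter blocks the unrecognised program sending mail out, which is exactly the gap the article describes in an inbound-only firewall.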


Reviews

Preventon

Preventon lacks many of the features included in other products here, including the free ZoneAlarm. Simple is good where firewalls are concerned, but Preventon is just a little bit too basic to be a contender - even if it were free.

Because this is a very basic firewall, it isn't hard to use. The configuration options are sparse to say the least, and there's no option to turn off logging - which is actually a shame as this program logs every piece of traffic, filling your disk with junk you may not want, and burying the real threats! Basically, its reports are not very meaningful.

Although it detected and blocked our backdoor test, Preventon didn't suggest the cause. It simply reported a failed connection.

Our scanning attempts were thwarted too, and each attempted connection was logged. As with most of these programs, the log files will need a regular clear out as they're likely to mount up, particularly for those with ADSL.

Sadly, Preventon failed to foil our DoS attack, which uses techniques more than a year old. Not only did the PC freeze, its screen went blank briefly before Windows entered a loop of blue screen hell. Successive tests induced other fatal crashes, meaning that the firewall actually seems to amplify the effects of this DoS attack!

BlackICE Defender

BlackICE Defender is a popular program that's sold as a firewall and intrusion detection system (IDS) in one.

The idea behind BlackICE is that it intelligently inspects network traffic and only blocks the stuff that will cause havoc. This makes it generally easy to use. One neat feature is the way the firewall charts attacks and other Internet activity in a graph that can span months. This works to justify installing it - you can see what the outside world is throwing against you. But it's better to use this feature as an interesting barometer rather than proof of something to get worked up about. You're probably not being singled out with a storm of frenzied hacking, but are merely seeing general Internet hacking weather.

We were certainly impressed during the backdoor test. Not only did it detect and block our attempt to connect to the infected PC, but it correctly identified Back Orifice 2000 as the offending program.

The port scan kicked BlackICE into overload. It correctly reported a TCP port scan only after false alarms for various Trojans that were not used. A full port scan will check every port between 1 and 65,535, which includes ports frequently used by Trojans. If you didn't know this, BlackICE's false alarms would probably leave you feeling very anxious!

Time to bring the system to its knees with a DoS attack. On minimum 'Trusting' settings, BlackICE detected our DoS attack, but the PC's performance dropped significantly. There was little the victim could do, and even moving up through to the maximum 'Paranoid' settings didn't help. Ultimately, BlackICE Defender let us down here.

Norton Personal Firewall 2002

We expected good things from the PC utility masters at Symantec. Norton Personal Firewall didn't disappoint.

Norton's control panel provides a raft of advanced features including the ability to trust and restrict certain computers, or specify which applications can access the Internet. There's a reasonable IDS, but if you really want to see what's been hitting your modem you'll need to click through a few menus to find the logs - a bit techie, but the contents make enlightening reading. A handy AlertTracker icon sticks itself on the desktop, keeping you up to date with the latest hacking attempts. This isn't just a firewall, it's also a privacy protection program that tracks the data requested and deposited by Web sites.

Our backdoor program was foiled. The firewall blocked our hacker's access, but the default option following our attempt was to allow entry. The lesson here is to read messages properly before you click OK. We'd prefer a more fail-safe system.

Our port scan was detected immediately and blocked. The attacking PC's IP address was then blocked for the default period of 30 minutes, so we couldn't attempt any more hacks until this time was up. A remote hacker wouldn't know how long the blocking would last, so this is likely to deter them completely.

After half an hour, we launched a vicious DoS attack. It failed. The only settings we could find that allowed the attack to work were to untick the Enable Security box, or to edit the Personal Firewall settings to Allow all Internet communications - and we hope no-one would be daft enough to do either.

Even the standard Minimal security settings completely blocked our nefarious ploy. An excellent performance from Symantec.

ZoneAlarm 2.6

The perennial favourite of computer magazines and many Web sites, ZoneAlarm is an easy-to-use, free firewall that works well and provides a good deal of reassurance.

The friendly interface, complete with simple sliders and clear text descriptions of different settings, makes ZoneAlarm a good first firewall. You can move up from choosing general settings to tweaking your own configurations without much pain, but ultimately you will want to graduate to a more sophisticated firewall after a while.

ZoneAlarm blocked our backdoor connection, but simply reported it as a failed connection, rather than telling us exactly what was going on. This is fair enough, but if you should constantly receive failed attempts on certain strange ports (e.g. 31337) you'll need to investigate manually to see why someone is so interested in you.

In fact, logging is one of ZoneAlarm's weaknesses. It logged and blocked our hacker's scanner, but logged each of the 65,535 attempts as a separate record. This is not very helpful, because you have to click your way through each record, whereas the other firewalls here list all hacking attempts on one page. It's possible to make ZoneAlarm display a text file containing the raw log files, but the other programs use meaningful coloured logos to indicate which entries are worth investigating.

ZoneAlarm couldn't deal with our DoS attack at all. Although the PC didn't freeze, as would have happened had the firewall not been installed, it became so slow as to be rendered virtually useless. Even the Internet Lock feature, which is supposed to 'block all network activity inbound and outbound', was no help.

Tiny Personal Firewall

Tiny Personal Firewall really is tiny. Its install file is only 1.3Mb, which makes it a quick download for anyone with a modem. Although it's free, the software has a business-like feel to it, supporting remote configuration and the ability to write log files to another machine called a log server.

Tiny isn't hard to set up, and offers the usual options for ignoring certain conditions or alerting you to important ones. The main control is a single slider that defaults to 'Ask Me First'. Nothing is allowed to pass to or from your PC unless you explicitly allow it. Whenever you try to use a program like Internet Explorer or Messenger, the firewall asks whether or not it should permit the connection, and a simple tick box will set up a rule that always allows or denies a particular program. As we'll see, these rules can be very important.

Tiny's firewall detected an attempted backdoor connection but didn't recognise it as Back Orifice. This is acceptable, but our hacker wasn't content with that. To make sure the victim's machine was still connected, he used the Ping command - this sends a signal to another machine, which usually replies. The firewall blocked each of these, which is good, but displayed warnings for each signal. Pinging usually sends a signal every two seconds or so, which meant we had to click these alerts away and set up a rule, denying pings. We were no longer bothered by these annoying alerts.

The same goes for port scans. It's possible to manually block troublesome IP addresses, but this involves playing with the Advanced settings and isn't as easy to do as with McAfee and Norton's products.

Our disgruntled hacker resorted to his DoS attack. Bingo! The system froze completely. Even with the high-security 'Cut Me Off' settings, and with rules set to block standard pings, our system was brought down time and time again.

Although free, and equipped with some useful corporate features, Tiny Personal Firewall doesn't quite cut it. Use ZoneAlarm if you can't afford McAfee's Personal Firewall 3.

McAfee Personal Firewall 3

McAfee has broad experience of the Internet, with antivirus and encryption products as well as this firewall. And it shows!

The first thing that strikes you about McAfee's home firewall is its colourful activity graph, which highlights attacks and probes. There are three big buttons, Allow all, Filter and Block all, which represent the three basic security options. Filter is a good compromise, although it's reassuring to know that you can batten down the hatches instantly by pressing Block all. Dig a little deeper and you can finely adjust the settings, choosing whether or not to block baddies after their initial attacks. This works by looking at the IP address of the attacker and adding it to a list of banned systems. Addresses can be blocked forever, or allowed to drop off the list after a certain number of hours or days. Neat.

Our first attack was an attempt to connect to a backdoor program called Back Orifice 2000. If the connection succeeded we'd have complete remote control of the target, and the game would be over. McAfee's firewall realised what we were up to, detecting the attempt and reporting which port we were trying to attack. This information is helpful when trying to track down and delete a virus on your PC. Even turning security down to Allow all didn't leave us vulnerable.

Using the port scanner nmap (popular in the hacking world), we tried to find out which ports were open on the target. Again, we hit a virtual brick wall when using the conservative Filter option. There were no alarms or flashing lights - just some quiet entries in the log files. This is a more sensible approach than the rather hysterical reaction of BlackICE. You don't need to panic if someone scans you. They can't even tell you exist if you have this software installed.
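The reviews above contrast several ways of handling a port scan: BlackICE raising Trojan alarms for ports that were merely swept, ZoneAlarm logging each of the 65,535 probes separately, Norton blocking the scanning address for 30 minutes, and McAfee keeping a ban list whose entries expire. The detector below, an added example that is not code from any of these products, shows how a firewall log can fold a sweep into one entry, withhold a Trojan alarm once a probe turns out to be part of a scan, and ban the source for a fixed period. The threshold, window, signature table and the replayed traffic (using documentation-range addresses) are all constructed for the illustration.

```python
"""Port-scan detector with a time-limited block list.

Added example, not code from any of the reviewed firewalls. It models three
behaviours the reviews contrast: folding thousands of probes from one source
into a single log entry, not raising a 'Trojan' alarm for a port that was
merely swept as part of a scan, and banning the scanning address for a fixed
period rather than for ever.
"""
from collections import defaultdict

# Constructed signature table: ports associated with known backdoors.
# 31337 is the only one the article names; a real product would list more.
TROJAN_PORTS = {31337: "Back Orifice"}

SCAN_THRESHOLD = 20      # distinct ports from one source inside the window
SCAN_WINDOW = 10.0       # seconds
BLOCK_SECONDS = 30 * 60  # the 30-minute default the article quotes for Norton


class ScanDetector:
    def __init__(self, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW,
                 block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.probes = defaultdict(list)  # src -> [(timestamp, port), ...]
        self.blocked_until = {}          # src -> timestamp the ban expires
        self.events = []                 # one summary entry per incident

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:                # ban has lapsed; forget it
            del self.blocked_until[src]
            return False
        return True

    def observe(self, src, port, ts):
        """Record one refused inbound connection attempt and classify it."""
        if self.is_blocked(src, ts):
            return "dropped"             # banned sources generate no further records
        recent = [(t, p) for (t, p) in self.probes[src] if ts - t <= self.window]
        recent.append((ts, port))
        self.probes[src] = recent
        distinct = {p for _, p in recent}
        if len(distinct) >= self.threshold:
            # A sweep: retract any Trojan alarm this source triggered on the
            # way, since that port was just one of many it tried.
            self.events = [e for e in self.events
                           if not (e["src"] == src and e["type"].endswith("probe"))]
            self.events.append({"src": src, "type": "port scan",
                                "ports": len(distinct),
                                "blocked_until": ts + self.block_seconds})
            self.blocked_until[src] = ts + self.block_seconds
            self.probes[src] = []
            return "port scan"
        if port in TROJAN_PORTS and len(distinct) == 1:
            # A lone knock on a backdoor port is worth naming in the log.
            self.events.append({"src": src, "port": port,
                                "type": f"{TROJAN_PORTS[port]} probe"})
            return "trojan probe"
        return None


def run_sample():
    """Replay constructed traffic (documentation addresses) through the detector."""
    det = ScanDetector()
    labels = []
    scanner, loner = "198.51.100.7", "203.0.113.9"   # constructed addresses
    # A 100-port sweep starting on the Back Orifice port, 20 probes a second.
    for i in range(100):
        labels.append(det.observe(scanner, 31337 + i, i * 0.05))
    labels.append(det.observe(loner, 31337, 500.0))      # a single backdoor probe
    labels.append(det.observe(scanner, 31337, 600.0))    # scanner still banned
    labels.append(det.observe(scanner, 31337, 2000.0))   # ban has expired
    return {"events": det.events, "labels": labels}


if __name__ == "__main__":
    for event in run_sample()["events"]:
        print(event)
```

Run as a script, the 100-probe sweep produces a single "port scan" entry, the later lone probe on the backdoor port is reported by name, and probes from the banned address are silently dropped until the half hour is up.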

Our imaginary hacker friend gave up and childishly attempted a denial of service attack to exact his revenge. This worked, and completely froze our Windows 98 test machine. Rebooting or waiting for the hacker to stop are the only options. The Block all option does neutralise DoS attacks, but it also stops you using the Internet too.

McAfee Personal Firewall 3 is easy to set up, requiring no knowledge of networking to achieve a well protected but usable Internet system. You can adjust advanced settings, such as blocking the attackers' Internet addresses and changing the levels of logging, which will satisfy those who would rather become intimate with TCP/IP than with the world of hackers. The price is fair, making this the personal firewall of choice out of the group. The one thing it lacks is the full complement of flashing warning lights, preferring the subtle but effective approach. If you want to see what's going on, install the trial version of BlackICE Defender as well, just to prove to yourself that you've spent wisely.


First Published in Computer Buyer, issue 129, February 2002.

The above article is © Dennis Publishing Limited 2001. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.