Firewalls: Keeping the outside out

By Mark Snell, Technology & Business magazine
November 01, 2002
URL: http://www.zdnet.com.au/news/security/soa/Firewalls-Keeping-the-outside-out/0,130061744,120269574,00.htm

We all know about firewalls protecting your network from outside attacks, but what can you do when those pesky users keep taking their computers outside your network? And what if the attack isn’t coming from the outside at all?

The corporate network might be reasonably secure, layered behind its firewall, traffic analysis modules, and virus defence, but what about laptops out in the field connected through dialup or broadband connections? What about protection from other people on the inside of your network who might have agendas of their own?

Ideally, desktop firewalls provide two basic functions: they protect your system from unsolicited packets coming in from the Internet, and they give you control over the packets going out. There are several ways to set a security policy, but the safest is default deny: block everything, then open only what genuinely needs to pass. Working out what that is takes some learning, but many of these packages simplify the task. The trick is to make tiny pinprick holes in your firewall, not huge doorways with a welcome mat on the outside.

In this roundup we looked at some of the desktop firewall packages that can be installed directly onto a Windows PC to keep the outside world where it belongs: outside. These programs watch the traffic coming in and pass each packet through a filter to decide whether it should be handed to the operating system or dropped.

Check Point SecureClient
The Check Point system is powerful and complex, and involves a Check Point Secure Platform, a management station (Smart Dashboard), and SecureClient itself. If you are already using Check Point products, this will fit in nicely with your existing system. Installation of the various parts was fairly simple and well documented, but certainly took much longer than the other systems.

The client by itself comes without any security policy and waits for a policy server to provide it with its firewall rules. There are no default rules defined on the Smart Dashboard, so the security policy will have to be specifically crafted by the security administrator.

This is a great solution for an experienced admin, but makes for a steep learning curve for the beginner.

The Smart Dashboard configuration program is a large and complex tool, but it is designed to manage the security settings for an entire large organisation. It is relatively easy to use once you have been shown how, but it is really the sort of package you need some specific vendor training on.

All results would depend totally on the security policy defined by the organisation. This software is very powerful and has huge scope for many policies for different departments within an organisation, but it requires considerable investment in time to configure properly.

Computer Associates eTrust EZ Firewall
The EZ Firewall installs quickly from the downloaded version and comes up with its default protection after a reboot. The default policy allows selected incoming traffic and all outgoing traffic, which we feel is a little too relaxed. If there are any attempted connections, a popup window reports details of host, protocol, and service, and gives the option to permit or deny the traffic. In the default learning mode, this information will be remembered and the same rule applied to further connections. There is also a default to auto deny in 30 seconds, although the window never changes to reflect this—and simply stays on the screen. This is a little confusing, as you are not sure whether the traffic arrived recently and is still waiting for an answer or not.

The initial configuration screen looks a little confusing; there is no real information about what a lot of the icons do. There are traffic lights for incoming and outgoing traffic, each with the options deny all (red), allow selected (yellow), or allow all (green). Clicking again on any of the options shows the firewall rules that apply in that case. There are four icons along the bottom of the screen for daily information, help, close, and about. The logs do not seem to retain anything beyond one day.

The port scan produced some unusual results: all ports below 1024 were filtered, but a variety of ports above 1024 were open, and nmap fingerprinted the OS correctly. There was no reaction to the ping flood at all, and CPU utilisation was quite high while the flood continued. There were no problems connecting to the Windows share, opening Web pages, or reading e-mail.

There is an option to save all the created firewall rules into a single file and import them to another system, which is handy if you need to set up many systems, but it is the only concession to external management in this product. EZ Firewall has a pair of sister applications, EZ Antivirus and EZ DeskShield, that provide antivirus and desktop e-mail protection respectively; a package called EZ Armor rolls all three into a single install.

Overall this system is easy to install, but the lack of configuration, logging, and management options means it is much better suited to the individual or home user than to a corporate environment. There are other, larger Computer Associates systems that are more relevant, but we were unable to access them in time for the review.


ISS RealSecure Desktop Protector
ISS RealSecure Desktop Protector is the enterprise protection tool based on the home-user-focused BlackICE Defender, which has been retained as the name for the SOHO version. The install from the downloaded version was very simple and took only a few minutes. The intrusion detection system was turned on by default to give immediate protection.

When we checked the system tray icon, it said “BlackICE Application Protection Stopped”, which was confusing, but we found that was a secondary part of the software that is not enabled by default. When enabled, the system tray icon simply says “BlackICE”.

When we conducted the port scan using the default settings, the system tray icon flashed, but no other warning was given. The scan was fairly successful, revealing ports 135, 139, 427 and 445, as well as 1025. This was a little disappointing: all of these were normally visible on this machine except 1025, which the software itself opens for remote management, so at its default setting the firewall hid nothing the host already exposed.

When we loaded the system up with the jolt2 flood, it logged all the incoming packets but did not really stop them; a few acknowledge (ACK) packets were still being sent in response. All packets were logged as Unknown IP protocol, and the attack even triggered an ICMP flood warning from the system itself.

All other tests—connection to a Windows file share, Web surfing, and reading mail—were not even noted by the software. Configuration of the software was quite simple. There are four protection levels:

  • Trusting: allow all inbound traffic (which is the default)
  • Cautious: block some unsolicited inbound traffic
  • Nervous: block most unsolicited inbound traffic
  • Paranoid: block all unsolicited inbound traffic

We cranked it up to Paranoid, and the port scan took much longer and revealed less information, though OS fingerprinting still succeeded (with an incorrect result). The ICMP results were the same in Paranoid mode.

We then also enabled Application Protection, which warns when non-validated applications are started; it can be set to terminate or block any unknown application. This prevented every application on the system from making outbound connections until it had been registered with the software.

Other configuration options included the ability to warn of attack with popup windows and sounds, which is more useful than just logging and flashing the system tray icon.

The RealSecure ICEcap Manager application allows you to centrally manage and update all remote users, including “silent” installs and automatic synchronisation of configurations when remote systems come online. This ensures consistent application of security policies across the enterprise network. Centralised event reporting is available in the RealSecure SiteProtector enterprise management console, which integrates events from Desktop Protector into a complete management environment.

The RealSecure Desktop Protector is fairly easy to use, but it needs to tighten up its default security level and turn on popups and sounds by default. Even in Paranoid mode, nmap was able to fingerprint the system (wrongly, but close) and find open ports.

Kerio Personal Firewall
The Kerio Personal Firewall was very simple and quick to install from the downloaded version. The IDS is on by default, so after the system reboots it asks a couple of questions about allowing traffic through certain ports; this could cause some problems for inexperienced users. The configuration of the system is very easy and follows the “block everything and then let what needs to pass through, pass through” approach, but the defaults are often less than ideal.

When we port scanned the system, two warnings came up and requested input. We followed the steps to create a rule to stop them. The problem was that the rule blocked all pings, not just those from the offending host. This is not necessarily too bad, as the host then appears invisible, but it is probably going overboard. When we tested with the ICMP flood, the same thing happened.

When we connected to the Windows file share, surfed the Web and started our e-mail client, we received warnings. Once that traffic had been okayed, all transfers were working fine.

Further configuration allowed us to create MD5 application signatures to protect the system from Trojan horses imitating trusted programs. There is also a separate screen that displays which connections are open, and displays clearly what each application is doing at any given moment.
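The default-deny policy the introduction recommends, the Application Protection described for RealSecure, and the Kerio application signatures above can be modelled together. The following is an added example, not code from the article or from any product reviewed: a toy host firewall that denies by default, lets replies to connections the host itself opened back in, opens one inbound "pinprick" (SMB from a single file server only) and ties each outbound rule to the hash of the program sending the traffic, so a Trojan at the trusted program's path but with different bytes is refused. All addresses, paths, executable bytes and rules are constructed. Kerio used MD5 for its signatures; the example uses SHA-256 because MD5 is no longer collision-resistant.

```python
"""Added example: a toy default-deny host firewall with stateful replies and
per-application signatures. Not code from any product reviewed; addresses,
paths, executable bytes and rules are constructed for the demonstration."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" (from the network) or "out" (from a local program)
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    app_path: str = ""       # outbound only: path of the program sending it
    app_bytes: bytes = b""   # outbound only: stand-in for that program's on-disk image


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]                 # None matches any destination port
    action: str                          # "allow" or "deny"
    remote: Optional[str] = None         # CIDR of the far end; None matches any host
    app_sha256: Optional[str] = None     # outbound only: required hash of the program


def app_signature(image: bytes) -> str:
    """Signature of a program's executable image (Kerio used MD5; SHA-256 here
    because MD5 is no longer collision-resistant)."""
    return hashlib.sha256(image).hexdigest()


class HostFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (proto, local ip, local port, remote ip, remote port) we opened
        self.denied = []     # packets dropped by the default rule, for logging

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.direction != pkt.direction or rule.proto != pkt.proto:
            return False
        if rule.dport is not None and rule.dport != pkt.dport:
            return False
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        if rule.remote is not None and \
                ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.remote):
            return False
        # The path is deliberately ignored: a Trojan can sit at the trusted
        # program's path, but it cannot reproduce the trusted program's hash.
        if rule.app_sha256 is not None and app_signature(pkt.app_bytes) != rule.app_sha256:
            return False
        return True

    def evaluate(self, pkt: Packet) -> str:
        # Replies to a connection this host opened need no rule of their own.
        if pkt.direction == "in" and \
                (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "allow"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        self.denied.append(pkt)
        return "deny"        # nothing matched: "block everything" is the default


# Constructed programs and policy: two pinprick holes outbound, one inbound.
BROWSER = b"MZ constructed browser image"
MAILER = b"MZ constructed mail client image"
TROJAN = b"MZ constructed something else pretending to be the browser"
LOCAL = "10.0.0.5"
BROWSER_PATH = r"C:\Program Files\Browser\browser.exe"
POLICY = [
    Rule("out", "tcp", 80, "allow", app_sha256=app_signature(BROWSER)),
    Rule("out", "tcp", 110, "allow", app_sha256=app_signature(MAILER)),
    # SMB only from the one file server, not a doorway open to the Internet.
    Rule("in", "tcp", 445, "allow", remote="10.0.0.20/32"),
]


def run_scenarios() -> dict:
    fw = HostFirewall(POLICY)
    r = {}
    r["browser_out"] = fw.evaluate(Packet("out", "tcp", LOCAL, 51000, "203.0.113.10", 80,
                                          app_path=BROWSER_PATH, app_bytes=BROWSER))
    r["web_reply_in"] = fw.evaluate(Packet("in", "tcp", "203.0.113.10", 80, LOCAL, 51000))
    r["smb_from_server"] = fw.evaluate(Packet("in", "tcp", "10.0.0.20", 4455, LOCAL, 445))
    r["smb_from_internet"] = fw.evaluate(Packet("in", "tcp", "198.51.100.7", 4455, LOCAL, 445))
    r["unsolicited_1025"] = fw.evaluate(Packet("in", "tcp", "198.51.100.7", 40000, LOCAL, 1025))
    r["trojan_as_browser"] = fw.evaluate(Packet("out", "tcp", LOCAL, 51001, "203.0.113.10", 80,
                                               app_path=BROWSER_PATH, app_bytes=TROJAN))
    r["denied_count"] = len(fw.denied)
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20} {verdict}")
```

The reply packet is allowed without any inbound rule because the outbound browser connection was recorded as a flow; the same SYN to port 445 is allowed from the file server and denied from an Internet address; and the program at the browser's path with different bytes is denied despite matching the browser rule's port.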

Kerio Personal Firewall can be managed with an encrypted remote management tool, and the system has password protection that keeps users from changing security policy on their own. It can also be run as a service to ensure the computer is protected from start-up. This product is easy to install and use, but there needs to be a bit of care taken when setting the rules so that huge holes are not opened up. Help and online documentation were both quite good.

McAfee Desktop Firewall 7.5
The McAfee product arrived in a standard software box, brimming with manuals and two CDs. The actual Firewall CD did not have an autorun or pretty menu, though the software itself was easy enough to find and install. There were a multitude of licensing options including 30- and 90-day evaluations, perpetual, and one- or two-year licenses. The software took only a few minutes to install, though the system was rather slow to restart. No immediate configuration was required, with IDS available on startup.

The system immediately detected the port scan, notified us with a popup window and audible siren, and gave a variety of options including:

  • Block indefinitely,
  • Block for a time limit (default 20 minutes), and
  • Not block (allow traffic).

There is also a trace option, which traces the IP address of the intruder, providing all sorts of interesting data, including IP address, any available server banners, traceroute data, and whois information (essentially fingerprinting the attacker in return). The port scan returned no information other than that all ports were filtered. The ping flood caused another popup notification and was immediately blocked, with all packets dropped.

Attempts to connect to a Windows file share bring up an alert that describes in detail what the connection is and gives you the option to allow, allow once, or deny. Surfing the Web and reading e-mail give similar warnings the first time, but allow you to simply set up rules to remember what actions should be allowed.

If customisation is needed, there are several protection level settings: Custom, Minimal, Client & Server (High and Medium), and Learning Starter, a basic mode that learns about attacks as they occur, blocks them, and builds up a custom rule set. Custom rules are also very easy to set up and activate, including intrusion notification and logging.

ePolicy Orchestrator is an add-on product that allows remote distribution, installation, configuration, and reporting of the McAfee Desktop Firewall.

This product is very easy to install and use, comes preconfigured for high security without getting in the way too much, and has excellent manual and online support.

Symantec Client Security 8.0
The Symantec Client Security suite comprises the Symantec AntiVirus Client and the Symantec Client Firewall, making it an excellent integrated package. The setup process for the combined products is rather lengthy, and finishes with the Live Update step, which checks with the Symantec servers for the latest signatures.

When we tested the system with a port scan, an alert flashed in the system tray and kept flashing. The port scan found no result from the system at all; it was completely invisible. Moreover, the firewall software detected that it was being port scanned (rather than just registering connections to a series of ports). The ping flood was not blocked or logged (other than as inbound packets). Attaching to a Windows share, browsing the Web, and reading e-mail all created individual alerts and requested that a rule be created to block or allow the behaviour in the future.

The Symantec suite is very comprehensive, including antivirus and firewall as well as intrusion detection and content filtering. It also provides snap-ins for Microsoft Outlook/Exchange and IBM/Lotus Notes and is able to run standalone or be managed by the Symantec Client Security Management Server.

The client software was a little difficult to navigate and the interface felt slow, but overall protection is excellent, management is well integrated, and documentation is quite good.

Zone Alarm Pro
Zone Alarm Pro was unique in that it installed quickly and activated without needing a reboot. When it starts, you are asked to set up basic needs (Web browser and Windows file sharing), and are then taken to a 10-page tutorial slide show on how to use the software. An automatic check is then made with a Zone Labs server for any available updates to the software.

The port scan found nothing, and generated a huge slew of popup warnings showing that something was happening. In the ping flood test, the system only logged the first 50, but dropped all the pings with only a small performance hit on the machine.

Configuration of the system is very easy and based on three zones: Internet, Trusted, and Blocked. There is also a “Stop Everything” button, which will basically shut down the network interface if you suspect an attack is underway.

Attaching to the Windows file share was blocked until we placed the server in the trusted zone. Web surfing proceeded normally as the browser was already a registered application. To read e-mail, we had to allow the traffic on that port and set it to remember before proceeding.

There are some extra features included in Zone Alarm that are not in the other packages tested, including ad blocking, cookie control, and pop-up ad control. Zone Alarm also includes a feature to track whoever is trying to hack your PC and attempt to report them. There is also a program control feature to protect against known and unknown Internet threats by monitoring outbound traffic to prevent rogue programs from transferring your data to the outside world.

Zone Alarm Pro can run in standalone mode, or can be managed centrally using a separate product called Zone Labs Integrity Server, which can be used to manage the whole suite of Zone Labs products. Zone Alarm is quite easy to configure and has good default settings, some useful extra features, and good documentation.


Scenario 1
Company: Drake Industries
This professional services company wants to install firewalls on all executive notebooks and all PCs that store confidential information.
Approximate budget: Open.
Requires: Firewall software for 50 users.
Concerns: Keeping the data secure is the key factor in making a choice. Installing and maintaining the software on so many PCs would be time consuming, so the company is interested in the ability to remotely deploy and manage the firewalls.
Best Solution: The choice for Drake Industries would depend on its current infrastructure. If the company needs a complete security system, Check Point may be the way to go, for a fully integrated, whole-of-business approach. If it needs to revisit its antivirus control at the same time, Symantec may well be a good integrated solution. If the budget is tight and antivirus is already in place, it is very hard to look past the McAfee Desktop Firewall with ePolicy Orchestrator to manage it.

Just focusing on the firewall aspects, McAfee seems like the company's best choice, but Zone Alarm Pro would also be a serious contender.

How we tested
The software was installed on a typical system, an Excel 2700C Notebook with a 1GHz Pentium III processor, 256MB of RAM, running Windows 2000 SP2.

We conducted two tests to assess the software's ability to prevent attacks from outside:

  1. The system was port scanned using nmap v3.00 with OS fingerprinting. This reveals whether any TCP or UDP ports are visible to the outside world, and so could be attacked.
  2. A ping flood attack was launched at the system using a program called jolt2.exe. This determines how vulnerable the system would be to a denial-of-service attack.
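The review reports which ports each product left visible (for example 135, 139, 445 and 1025 for RealSecure at its default setting) but read the nmap results by eye. As an added example, not part of the article or of nmap itself, here is a parser for nmap's grepable (-oG) output that diffs what a scan saw against the ports a policy intends to expose and lists hosts that could be fingerprinted. The scan text inside the block is a constructed sample modelled on the review's results, not a real capture; the -oG layout it assumes (tab-separated fields on each "Host:" line, port entries as port/state/proto/owner/service/rpcinfo/version/) is nmap's documented grepable format.

```python
"""Added example: check an nmap -oG scan of firewalled desktops against the
ports the policy is meant to expose. Not part of the original article or of
nmap; the scan text below is a constructed sample, not a real capture."""
from dataclasses import dataclass

# Constructed sample of nmap grepable output (nmap -sS -O -oG -), modelled on
# the review's RealSecure default result (135/139/445/1025 visible) plus a
# second, tighter host that exposes only SMB.
SAMPLE_SCAN = """# Nmap 3.00 scan initiated (constructed sample) as: nmap -sS -O -oG - 10.0.0.5 10.0.0.6
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///\tIgnored State: filtered (1597)\tOS: Microsoft Windows 2000 SP2
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (1600)\tOS: Microsoft Windows 2000 SP2
# Nmap run completed (constructed sample)
"""

# What the desktop policy intends to expose on each host (constructed): only
# SMB, for the file server. Anything else that answers a probe is a finding.
INTENDED_EXPOSURE = {
    "10.0.0.5": {("tcp", 445)},
    "10.0.0.6": {("tcp", 445)},
}


@dataclass(frozen=True)
class PortResult:
    port: int
    state: str      # open, closed, filtered, unfiltered, open|filtered, ...
    proto: str
    service: str


def parse_grepable(text):
    """Parse nmap -oG text into {ip: {"ports": [PortResult], "ignored": str, "os": str}}.
    Fields on a Host: line are tab-separated; port entries are
    port/state/proto/owner/service/rpcinfo/version/ joined by ', '."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                              # comment and blank lines
        fields = line.split("\t")
        ip = fields[0].split()[1]                 # "Host: 10.0.0.5 ()" -> 10.0.0.5
        entry = hosts.setdefault(ip, {"ports": [], "ignored": None, "os": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")
                    entry["ports"].append(PortResult(int(parts[0]), parts[1], parts[2], parts[4]))
            elif key == "Ignored State":
                entry["ignored"] = value
            elif key == "OS":
                entry["os"] = value
    return hosts


def unexpected_exposure(hosts, intended):
    """Return {ip: [(proto, port, state), ...]} for every port that answered
    (any state other than 'filtered') and is not in the intended set. 'closed'
    counts too: a RST still tells the scanner the host is there, which a
    default-deny policy should not reveal."""
    findings = {}
    for ip, entry in hosts.items():
        allowed = intended.get(ip, set())
        extra = sorted((p.proto, p.port, p.state) for p in entry["ports"]
                       if p.state != "filtered" and (p.proto, p.port) not in allowed)
        if extra:
            findings[ip] = extra
    return findings


def fingerprinted(hosts):
    """Hosts for which nmap produced an OS guess; the review treats a
    successful fingerprint as a leak in its own right."""
    return sorted(ip for ip, entry in hosts.items() if entry["os"])


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for ip, extra in unexpected_exposure(scan, INTENDED_EXPOSURE).items():
        print(ip, "unexpected:", extra)
    print("fingerprinted:", fingerprinted(scan))
```

Run against a real scan by replacing SAMPLE_SCAN with the contents of an `-oG` file; the diff is what to compare across the products' protection levels, since "fewer open ports than before" is only meaningful against the list the policy actually intended.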

We then ran a series of basic client functions:

  • Connect to a Windows share
  • Browse some Web pages
  • Read e-mail with a dedicated client

These tests determine whether the firewall detects, and can block, software on the tested PC connecting to the outside. The aim is to prevent Trojans or other malicious code from sending data on the PC to the outside world, or from using the PC as a launch-pad to attack other systems.

Interoperability was based on the clients that the systems would run on and some of the management features available.

Futureproofing was based on the user friendliness and configurability of the systems, as well as their potential to be managed in a large environment.

Return on Investment was based on features of the software balanced against the cost (both software and deployment).

Service was based on documentation and support available.

About RMIT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for Technology & Business, they are in direct contact with the client supplying products. Their findings are their own; only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey, at stevet@rmit.edu.au.
