Firewalls: Keeping the outside out

Firewall product tests: part two

ISS RealSecure Desktop Protector
ISS RealSecure Desktop Protector is the enterprise protection tool based on the home-user-focused BlackICE Defender, which has been retained as the name for the SOHO version. The install from the downloaded version was very simple and took only a few minutes. The intrusion detection system was turned on by default to give immediate protection.

When we checked the system tray icon, it said “BlackICE Application Protection Stopped”, which was confusing, but we found that was a secondary part of the software that is not enabled by default. When enabled, the system tray icon simply says “BlackICE”.

When we conducted the port scan against the default settings, the system tray icon flashed, but no other warning was given. The scan was fairly successful, revealing ports 135, 139, 427 and 445, as well as 1025. That is disappointing: the first four are exactly the ports this machine exposes with no firewall at all, so the default level hid nothing, and 1025 is a port the product itself opens for its remote management.

When we loaded the system up with the jolt2 ping test, the system logged every incoming packet but did not really stop them: a few acknowledgement (ACK) packets still went back out. Each packet was logged as "Unknown IP protocol", and the flood also triggered the product's own ICMP flood warning.

All other tests—connection to a Windows file share, Web surfing, and reading mail—were not even noted by the software. Configuration of the software was quite simple. There are four protection levels:

  • Trusting: allow all inbound traffic (which is the default)
  • Cautious: block some unsolicited inbound traffic
  • Nervous: block most unsolicited inbound traffic
  • Paranoid: block all unsolicited inbound traffic

We cranked it up to Paranoid, and the port scan took much longer and revealed less information, although OS fingerprinting was still possible (with an incorrect result). The ICMP flood results were the same in Paranoid mode.

We then also enabled Application Protection, which warns when a non-validated application is started; it can also be set to terminate or block any unknown application outright. Until each application had been registered with the software, this prevented every application on the system from making outbound connections.

Other configuration options included the ability to warn of attack with popup windows and sounds, which is more useful than just logging and flashing the system tray icon.

The RealSecure ICEcap Manager application allows you to centrally manage and update all remote users, including "silent" installs and automatic synchronisation of configurations when remote systems come online. This ensures consistent application of security policies across the entire enterprise network. Centralised event reporting is available in the RealSecure SiteProtector enterprise management console, which integrates events from Desktop Protector into a complete management environment.

The RealSecure Desktop Protector is fairly easy to use, but it needs to tighten up its default security level and turn on popups and sounds by default. Even in Paranoid mode, nmap was able to fingerprint the system (wrongly, but close) and find open ports.
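A review like this one stands or falls on the before-and-after comparison of what the scanner sees, so here, as an added example that is not part of the original article or of any vendor's software, is a short Python script that does the comparison mechanically. It parses two nmap greppable-format (-oG) results for the same host, one scanned at the firewall's default level and one after tightening it, and reports which ports the firewall actually hid, which remain reachable, whether the host is now truly invisible (no open ports and unlisted ports reported as filtered rather than closed, so no RSTs leak back to the scanner), and how the OS guess moved. The two scan results embedded in it are constructed to resemble the RealSecure figures above, not copies of the review's output; in particular, the management port staying reachable at Paranoid is an assumption made for illustration.

```python
"""Compare two nmap greppable (-oG) results for the same host, such as a scan
taken at a desktop firewall's default level and one after raising it, and
report what the firewall actually hid.  Both result strings below are
constructed for this example, not the review's measurements; real input comes
from `nmap -oG - <host>` (add -O for the OS guess)."""
from typing import Dict, Optional

# Constructed: a host exposing the RPC/NetBIOS/SLP/SMB ports plus a
# management port, with the firewall permitting all inbound traffic.
SCAN_DEFAULT = """# Nmap scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 427/open/tcp//svrloc///, 445/open/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///\tIgnored State: closed (1656)\tOS: Microsoft Windows 2000
"""

# Constructed: the same host with unsolicited inbound traffic blocked, except
# that the product (hypothetically) still answers on its own management port.
SCAN_PARANOID = """Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 427/filtered/tcp//svrloc///, 445/filtered/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///\tIgnored State: filtered (1656)\tOS: Microsoft Windows 98
"""


def parse_grepable(text: str) -> dict:
    """Pull port states, the default state of unlisted ports and the OS guess
    out of -oG output.  -oG puts tab-separated 'Key: value' fields on each
    Host: line; each port entry is port/state/protocol/owner/service/rpcinfo/version/."""
    ports: Dict[str, str] = {}
    ignored: Optional[str] = None
    os_guess: Optional[str] = None
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue
            num, state, proto = parts[:3]
            ports[f"{num}/{proto}"] = state
        if "Ignored State" in fields:
            ignored = fields["Ignored State"].split(" ", 1)[0]
        if "OS" in fields:
            os_guess = fields["OS"]
    return {"ports": ports, "ignored": ignored, "os": os_guess}


def _by_port(p: str) -> int:
    return int(p.split("/")[0])


def exposure_delta(before: str, after: str) -> dict:
    """What the firewall change hid, what is still reachable, and whether the
    host is now 'invisible': no open ports, and the unlisted ports filtered
    (silently dropped) rather than closed (answered with RST)."""
    b, a = parse_grepable(before), parse_grepable(after)
    open_before = {p for p, s in b["ports"].items() if s == "open"}
    open_after = {p for p, s in a["ports"].items() if s == "open"}
    return {
        "hidden": sorted(open_before - open_after, key=_by_port),
        "still_open": sorted(open_after, key=_by_port),
        "newly_open": sorted(open_after - open_before, key=_by_port),
        "invisible": not open_after and a["ignored"] == "filtered",
        "os_guess": (b["os"], a["os"]),
    }


if __name__ == "__main__":
    for key, value in exposure_delta(SCAN_DEFAULT, SCAN_PARANOID).items():
        print(f"{key:11} {value}")
```

The "invisible" test is the one that separates the products above: a firewall that answers closed ports with RSTs still tells the scanner a host is there, which is why the review distinguishes "no open ports" from "completely invisible".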

Kerio Personal Firewall
The Kerio Personal Firewall was very simple and quick to install from the downloaded version. The IDS is on by default, so after the system reboots it asks a couple of questions about allowing traffic through certain ports; this could cause some problems for inexperienced users. Configuration of the system is very easy and follows a default-deny model: block everything, then let through only what needs to pass. The defaults it ships with, however, are often less than ideal.

When we port scanned the system, two warnings came up and requested input. We followed the steps to create a rule to stop them. The problem was that the rule stopped all pings, not just those from the offending system. This is not necessarily too bad, as the host appears invisible, but it is probably going overboard. When we tested with the ICMP flood, the same thing happened.

When we connected to the Windows file share, surfed the Web and started our e-mail client, we received warnings. Once that traffic had been okayed, all transfers were working fine.

Further configuration allowed us to create MD5 application signatures, so that a rule is tied to the contents of the approved executable rather than just its name, protecting the system from Trojan horses imitating trusted programs. There is also a separate screen that shows which connections are open and displays clearly what each application is doing at any given moment.
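The point of an application signature is easy to miss, so here is an added Python illustration of the technique (not Kerio's code). A rule that trusts the mail client by path alone is satisfied by anything that ends up at that path, whereas a rule that also records a digest of the executable at the time the user approved it fails the moment the file changes. The stand-in "binaries" are small files written to a temporary directory, and SHA-256 is used where the product used MD5; both choices are this example's assumptions.

```python
"""Why an application signature beats a name-based rule.  Added example of
the technique, not Kerio's code: the stand-in 'binaries' are small files in a
temporary directory, and SHA-256 stands in for the product's MD5."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Set


def fingerprint(path: str, algo: str = "sha256") -> str:
    """Digest a file in chunks so large executables need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class AppRules:
    """Two outbound-allow rule tables for the same program: by path only, and
    by path plus the digest recorded when the user approved it."""

    def __init__(self, algo: str = "sha256") -> None:
        self.algo = algo
        self.trusted_paths: Set[str] = set()
        self.signatures: Dict[str, str] = {}

    def trust(self, path: str) -> None:
        self.trusted_paths.add(path)
        self.signatures[path] = fingerprint(path, self.algo)

    def allowed_by_name(self, path: str) -> bool:
        return path in self.trusted_paths

    def allowed_by_signature(self, path: str) -> bool:
        want = self.signatures.get(path)
        if want is None:
            return False
        # Constant-time comparison: cheap, and the right habit for digests.
        return hmac.compare_digest(fingerprint(path, self.algo), want)


def demo(algo: str = "sha256"):
    """Approve a program, then replace it with a Trojan at the same path.
    Returns the (name_rule, signature_rule) verdicts before and after."""
    workdir = tempfile.mkdtemp()
    mail = os.path.join(workdir, "mailclient.exe")
    with open(mail, "wb") as f:
        f.write(b"MZ constructed stand-in for the real mail client")
    rules = AppRules(algo)
    rules.trust(mail)
    before = (rules.allowed_by_name(mail), rules.allowed_by_signature(mail))

    # The impostor overwrites the approved binary (or is copied in under its name).
    with open(mail, "wb") as f:
        f.write(b"MZ constructed stand-in for a Trojan wearing the same name")
    after = (rules.allowed_by_name(mail), rules.allowed_by_signature(mail))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two caveats apply to any product built this way. MD5 was a defensible choice when this review was written, but collision attacks against it have since become practical, so a new implementation should use SHA-256 as above. And a signature only detects a substituted file; it does nothing against code injected into an already-trusted running process, which is the route later malware took around application-control firewalls.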

Kerio Personal Firewall can be managed with an encrypted remote management tool, and the system has password protection that keeps users from changing security policy on their own. It can also be run as a service to ensure the computer is protected from start-up. This product is easy to install and use, but there needs to be a bit of care taken when setting the rules so that huge holes are not opened up. Help and online documentation were both quite good.

McAfee Desktop Firewall 7.5
The McAfee product arrived in a standard software box, brimming with manuals and two CDs. The actual Firewall CD did not have an autorun or pretty menu, though the software itself was easy enough to find and install. There were a multitude of licensing options including 30- and 90-day evaluations, perpetual, and one- or two-year licenses. The software took only a few minutes to install, though the system was rather slow to restart. No immediate configuration was required, with IDS available on startup.

The system immediately detected the port scan and notified us with a popup window and an audible siren, offering a variety of options including:

  • Block indefinitely,
  • Block for a time limit (default 20 minutes), and
  • Not block (allow traffic).

There is also a trace option, which traces the intruder's IP address and returns all sorts of interesting data, including any available server banners, traceroute data and whois information (essentially fingerprinting the attacker in return). Bear in mind that the source address of a scan or flood can be spoofed, so the trace probes whoever the packets claim to come from. The port scan returned no information other than that all ports were filtered. The ping flood caused another popup notification and was immediately blocked, with all packets dropped.

An attempt to connect to a Windows file share brought up an alert that described in detail what the connection was and gave the option to allow, allow once, or deny. Surfing the Web and reading e-mail gave similar warnings the first time, but let us simply set up rules to remember which actions should be allowed.

If customisation is needed, there are several protection level settings: Custom, Minimal, Client & Server (High and Medium), and Learning Starter, which starts from a basic rule set, learns from the traffic and attacks it sees, and builds a custom set from them. Custom rules are also very easy to set up and activate, including intrusion notification and logging.

ePolicy Orchestrator is an add-on product that allows remote distribution, installation, configuration and reporting of the McAfee Desktop Firewall.

This product is very easy to install and use, comes preconfigured for high security without getting in the way too much, and has excellent manual and online support.

Symantec Client Security 8.0
The Symantec Client Security suite comprises the Symantec AntiVirus client and the Symantec Client Firewall, making it an excellent integrated package. The setup process for the combined products is rather lengthy, and finishes with LiveUpdate, which checks with the Symantec servers for the latest signatures.

When we tested the system with a port scan, an alert flashed in the system tray and kept flashing. The port scan got no response from the system at all; it was completely invisible. Better still, the firewall software recognised that it was being port scanned, rather than just registering connection attempts to a series of ports. The ping flood was not blocked or logged (other than as inbound packets). Attaching to a Windows share, browsing the Web and reading e-mail each created an individual alert and requested that a rule be created to block or allow the behaviour in future.

The Symantec suite is very comprehensive, including antivirus and firewall as well as intrusion detection and content filtering. It also provides snap-ins for Microsoft Outlook/Exchange and IBM/Lotus Notes and is able to run standalone or be managed by the Symantec Client Security Management Server.

The client software was a little difficult to navigate and the interface felt slow, but overall protection is excellent, management is well integrated, and documentation is quite good.

ZoneAlarm Pro
ZoneAlarm Pro was unique in that it installed quickly and activated without needing a reboot. When it starts, you are asked to set up the basics (Web browser and Windows file sharing), and are then taken through a 10-page tutorial slide show on how to use the software. An automatic check is then made with a Zone Labs server for any available software updates.

The port scan found nothing, and generated a huge slew of popup warnings showing that something was happening. In the ping flood test, the system only logged the first 50, but dropped all the pings with only a small performance hit on the machine.
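Two of the flood results in this review deserve a closer look together: RealSecure logged every packet of the jolt2 flood, while ZoneAlarm logged the first 50 and silently dropped the rest. Writing a log line per packet under a flood turns the attacker's bandwidth into the defender's disk and CPU load, so a cap on flood logging is a feature rather than a gap. The following Python is an added example, not code from either product, of a rate-based ICMP flood guard with exactly that behaviour: echo requests from one source above a per-second threshold are dropped, the first 50 drops are logged, and the rest are counted silently. The packet stream is constructed (one source sending 1,000 echo requests at 2,000 per second), and the threshold, window and log cap are assumed values.

```python
"""Rate-based ICMP flood guard with capped logging.  Added example, not code
from any product reviewed here; the packet stream in run_flood() is
constructed and the thresholds are assumptions."""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, Set


class IcmpFloodGuard:
    """Count ICMP echo requests per source over a sliding window.  Once a
    source exceeds the threshold it is dropped; only the first `log_cap`
    drops per source are written to the log, the rest are counted silently."""

    def __init__(self, pps_threshold: int = 100, window_s: float = 1.0,
                 log_cap: int = 50) -> None:
        self.pps_threshold = pps_threshold
        self.window_s = window_s
        self.log_cap = log_cap
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.logged: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()   # persists for the guard's lifetime;
        self.log = []                    # a real product would expire entries

    def observe(self, ts: float, src: str, proto: str, icmp_type=None) -> str:
        """Return 'allow', 'drop' (logged) or 'drop-unlogged' for one packet."""
        if proto != "icmp" or icmp_type != 8:   # only echo requests count
            return "allow"
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # slide the window
            q.popleft()
        if src not in self.blocked and len(q) <= self.pps_threshold:
            return "allow"
        self.blocked.add(src)
        if self.logged[src] < self.log_cap:
            self.logged[src] += 1
            self.log.append(f"{ts:.3f} ICMP flood from {src} ({len(q)} echo req/s) dropped")
            return "drop"
        return "drop-unlogged"


def run_flood(guard: IcmpFloodGuard, src: str = "10.0.0.66",
              n: int = 1000, pps: int = 2000) -> Counter:
    """Constructed flood: n echo requests from one source at pps per second."""
    verdicts: Counter = Counter()
    for i in range(n):
        verdicts[guard.observe(i / pps, src, "icmp", 8)] += 1
    return verdicts


if __name__ == "__main__":
    g = IcmpFloodGuard()
    print(run_flood(g))          # 100 allowed, 50 logged drops, 850 silent drops
    print(len(g.log), "log lines written for 900 dropped packets")
```

With the assumed settings the first 100 echo requests within the one-second window pass, the 101st trips the threshold, 50 drops are logged and the remaining 850 cost nothing but a counter increment. Ordinary pings from another host, and non-ICMP traffic from the blocked host, are untouched.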

Configuration of the system is very easy and based on three zones: Internet, Trusted, and Blocked. There is also a “Stop Everything” button, which will basically shut down the network interface if you suspect an attack is underway.

Attaching to the Windows file share was blocked until we placed the server in the trusted zone. Web surfing proceeded normally as the browser was already a registered application. To read e-mail, we had to allow the traffic on that port and set it to remember before proceeding.

ZoneAlarm includes some extra features that are not in the other packages tested, including ad blocking, cookie control and pop-up ad control. It also has a feature to track whoever is trying to hack your PC and attempt to report them. A program control feature monitors outbound traffic to stop rogue programs, known or unknown, from sending your data to the outside world.

ZoneAlarm Pro can run in standalone mode, or can be managed centrally using a separate product called Zone Labs Integrity Server, which can manage the whole suite of Zone Labs products. ZoneAlarm is quite easy to configure, and has some great extra features, good default settings and good documentation.
