Personal firewalls block the inside threat

End-user software products can protect against attacks when enterprise firewalls fall short

By Michael Cheek

GCN Staff

In an environment rife with hackers and denial-of-service attacks, it is a foregone conclusion that government administrators need enterprise firewalls, but they're no longer sufficient.

An enterprise firewall protects all client PCs and servers on a network, much like the stone ramparts that once encircled medieval towns. But attacks can come from inside, too. Not every insider is trustworthy, and the townsfolk occasionally wander beyond the walls, where highwaymen lurk.


Norton Internet Security 2000's customizable settings can selectively block Java applets and ActiveX controls.


Enter the personal firewall. Like a deadbolt lock on every villager's home and a suit of armor when venturing forth, a personal firewall protects a computer from threats inside the network, and even from outside, because attacks sometimes do penetrate enterprise firewalls.

A personal firewall is also becoming essential for any notebook computer that frequently connects to the office LAN using the Internet as a conduit.

The GCN Lab tested three software firewalls: BlackIce Defender, Norton Internet Security 2000 and ZoneAlarm 2.0. All provide adequate protection. Their individual features, as well as some operating system limitations, can help determine your choice.

If you have no idea how vulnerable your networked client or on-the-road notebook might be, click on the Shields Up logo at the www.grc.com site operated by Gibson Research Corp. of Laguna Hills, Calif. Shields Up probes benignly to tell how exposed your system might be.

Enterprise firewalls do not automatically guarantee safety. Of the 65,535 packet ports available on every computer, one just might be open for something to sneak in. And if enterprise users have enabled file- and print-sharing for such innocent purposes as giving colleagues access to a color printer, the possibility of hacker attack grows.

Shields Up can tell you whether a PC has any exposed ports and whether they are invisible in the state known as stealth mode.

The three tested firewall applications close all the common ports, preventing most unauthorized access. Many ports end up in stealth mode.

Behind an enterprise firewall or a proxy server, most ports remain closed but visible. A resourceful hacker can see them and sneak in. It's better for all ports to stay in stealth mode so a hacker won't even suspect their presence.

The Gibson Research probe examines the PC's most common entry ports, such as those used for File Transfer Protocol, Simple Mail Transfer Protocol, Telnet and other common Internet traffic.
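The distinction the review draws between ports that are closed but visible and ports in stealth mode comes down to how a host answers a connection attempt. The Python self-check below is an added example, not code from the article or from Gibson Research: it classifies a port on a machine you administer as open (a listener accepted), closed (the host answered with a reset, so it is visible), or stealth (no answer at all, so the probe was dropped). The port list is an assumption built from the protocols the article names plus NetBIOS for file- and print-sharing.

```python
import socket

# Ports the article says the Shields Up probe examines, plus NetBIOS session
# service, which Windows 9x file- and print-sharing listens on (assumed list).
COMMON_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                139: "NetBIOS session (file and print sharing)"}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port on a host you administer.

    open        -> a listener accepted the connection
    closed      -> the host answered with a reset: nothing listens, but the
                   host is visible and responding (closed but visible)
    stealth     -> no answer within the timeout: a firewall dropped the probe,
                   so the port's existence is not revealed
    unreachable -> the host itself could not be reached (no route, etc.)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def exposure_report(host: str, ports=COMMON_PORTS, timeout: float = 2.0) -> dict:
    """Map each port number to (service name, state) for one host."""
    return {p: (name, probe_port(host, p, timeout)) for p, name in ports.items()}


def fully_stealthed(report: dict) -> bool:
    """True when no probed port revealed the host, the result the review
    credits to ZoneAlarm and wants from any personal firewall."""
    return all(state == "stealth" for _, state in report.values())


if __name__ == "__main__":
    # Loopback is not filtered, so 127.0.0.1 normally reports "closed" rather
    # than "stealth"; run against the real address of a machine you administer.
    for port, (name, state) in exposure_report("127.0.0.1").items():
        print(f"{port:5d} {name:40s} {state}")
```

Run it from a second machine against the address of the PC under test; a probe from the PC itself goes over loopback, which the firewall does not filter.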

Visible ports are not the only concern, however. A user generally can't mask the system's IP address, the string of numbers such as 123.12.456.78 that identifies it on the Internet.

While online, every PC has an IP address. In dial-up connections, the numbers generally are assigned dynamically, which means the address changes every time the user dials up a provider.

That in itself is a protection. But embedded inside every network adapter card is a MAC, or media access control, address that doesn't change. The MAC address, usually written in hexadecimal and looking something like 0C-F6-64-09-12-A5, is a unique identifier on the Internet.

Modems don't identify themselves with such a number. But many modern hotel rooms are being outfitted with high-bandwidth Internet connections that require an Ethernet card. So even if your IP address changes, your MAC address won't.

All three of the tested firewalls blocked exposure of the MAC address and any shared resources. For the most part, all were effective at fending off probes.

That still isn't enough. Maintaining a configurable level of security and privacy is important, too.

I came close to giving a Reviewer's Choice designation to Norton Internet Security 2000. It has the most comprehensive features beyond hacker protection and is the most complete and easily configurable of the three personal firewalls.

Limited operability


BlackIce Defender shows all traffic and suspicious traffic at intervals of minutes, hours and days.


Unfortunately, it won't work on computers running Microsoft Windows NT 4.0 or Windows 2000. The current version operates only under Windows 9x. I've heard that Symantec Corp. plans to release a new personal firewall product for NT and Win 2000 next month.

The Symantec package includes Norton Antivirus 2000; it's the only one of the three personal firewalls to extend complete virus protection.

Viruses can behave creatively enough to be considered hacks. The service-denial strikes against Web business sites this year, in fact, had their origin in a viral hack.

A hacker or hackers invaded vulnerable computers, dropping off a virus that, when triggered, sent a flood of requests to a particular Web site designated for the attack.

Other viral hacks can be more personal, waiting for a user to enter a password or a credit card number and intercepting the keystrokes for later transmission across the Internet. Some such Trojan horse attacks sneak in under the guise of friendly downloads.

I once inadvertently downloaded a virus embedded in a Web page. Although the Kak Worm virus caused no harm, the kak.html page somehow downloaded itself secretly while I was surfing.

Two of the personal firewalls I tested, BlackIce Defender and ZoneAlarm, have some Trojan horse defenses, but Norton Antivirus 2000 provides for regular updates to Symantec's virus definition database, as well as scans for viruslike behavior. In contrast, ZoneAlarm and BlackIce Defender are less automated, requiring new downloads and installations to stay up-to-date.

The straightforward controls and options in Norton Internet Security 2000 might appeal the most to government administrators concerned about cookies, Java and ActiveX controls.

Government users will focus on the security and privacy functions in the three products. Symantec includes parental controls that can block pornography sites, as well as Web topics deemed distracting, such as sports, entertainment, gambling and weapons. The parental controls can even block certain applications such as network games and chat.

Because Norton Internet Security 2000 accommodates multiple users and has a password-protected supervisor account, an administrator could apply the parental controls to enforce agency policy against games or inappropriate Web sites.

The Symantec utility also incorporates ad blocking, which stops some of the advertisements that show up on Web pages. Just keep in mind that any graphic containing the word ad might be blocked.

Norton Internet Security 2000 monitors in three areas: the firewall, Java applets and ActiveX controls. The firewall can block all communication unless a user permits it. Java and ActiveX are controlled independently. The user can block all, allow all, or choose whether to let certain Java or ActiveX content execute.

Although Symantec says the dialog box can block all ports, Norton Internet Security 2000 failed to block two ports on my test PC from being seen, according to www.grc.com. The ports might not have been in stealth mode, but they were closed.

Privacy controls


ZoneAlarm 2.0's security section lacks the granular control found in Norton's product.


The privacy portion of Norton Internet Security 2000 is quite powerful. The user can input specific strings (numbers, passwords, e-mail addresses, names and so on), and the utility will query before letting them be sent across the Internet. This is especially helpful in stopping stealth attacks that try to uncover private information.

Cookie controls are also present; most current Web browsers have such a feature, too.

Norton Internet Security 2000 costs more than the other two personal firewalls and takes up at least 60M of hard drive storage. That said, it's a good option. It would be better if it hid ports perfectly and ran under NT and Win 2000.

BlackIce Defender gives solid protection but not much more. Without any detailed configuration tools or privacy guards, BlackIce simply monitors all network traffic. If something suspicious occurs, the icon in the taskbar tray begins to flash red.

BlackIce finds a lot of suspicious things going on. Every network ping causes it to flash.

The BlackIce screen shows what was attacked or probed and from where but otherwise does little. It's a bare-bones firewall.

When www.grc.com attempted to probe my test system, BlackIce Defender fended off much of the attack. Only one port was visible but closed; all the rest were hidden.

BlackIce Defender is compact, taking up about 5.5M. It could use more configuration options. And it definitely should filter out 'friendly fire' across the network, such as when a client chats with its server or other clients.

For protection on a budget, ZoneAlarm 2.0 wins out among the personal firewalls tested. It's free, at least for personal and nonprofit use.

The publisher's Web site lists no corporate prices but allows free use for at least 60 days. The software takes up only about 2M of storage.

For a free application, ZoneAlarm is very strong. It hid all the common ports on my test system under stealth mode, better than the other two firewalls.

Repetitive queries

When an installed application attempts to use the Internet, ZoneAlarm queries the user as to whether it should be permitted. The repetitive queries can become annoying. Of course, the user can set ZoneAlarm to always let Netscape Navigator or Microsoft Outlook access the Internet, and ZoneAlarm never asks again.

A handy little icon shows the amount of data traveling into and out of the computer, although it serves no purpose except to alert the user to the movement of data traffic.

ZoneAlarm's taskbar, when activated, shows a stop-sign icon that will lock down the computer at a click. It's a good feature if the user has reason to expect unauthorized access attempts. Moreover, the lock can be set to engage automatically, for example, whenever a screen saver starts, so no unauthorized communication can occur while the user is absent.

The security settings window divides access into two zones: local and Internet.

Local access lets users inside a network share files. The Internet zone controls communication outside the LAN.

This seems simple enough, but the controls need improvement. Users can select only high, medium or low protection.

The dialog box explains the results for each setting, but ZoneAlarm lacks the granular protection of Symantec's personal firewall, especially the ability to block Java and ActiveX controls. The product has no privacy protections.

Personal firewalls got their start protecting always-on cable or digital subscriber line connections at home. Look for them to start showing up in the workplace as employees bring their personal PCs, typically portable computers, to the job with them.
Three personal firewalls armor PCs on the road or on the LAN

BlackIce Defender
Network Ice Corp., San Mateo, Calif.
650-532-4100
www.networkice.com
Price: $40
Pros:
+ Automatic protection
+ Clearly visible attack information
Cons:
- Not configurable
- No privacy protection
Operating systems: Windows 9x, NT
Real-life requirements: Pentium or better processor, 32M of RAM, 5.5M of storage, Internet connection to download product and updates
Port probes: Almost all undetectable; one seen as closed
Overall grade:

Norton Internet Security 2000
Symantec Corp., Cupertino, Calif.
888-411-1932
www.symantec.com
Price: $58
Pros:
+ Highly configurable
+ Includes antivirus protection
Cons:
- No NT or Win 2000 version
- Some ports visible
Operating systems: Windows 9x
Real-life requirements: Pentium or better processor, 32M of RAM, 60M of storage, CD-ROM drive, Internet connection to download product and updates
Port probes: Most undetectable; two seen as closed
Overall grade:

ZoneAlarm 2.0
Zone Labs Inc., San Francisco
415-547-0050
www.zonelabs.com
Price: Free
Pros:
+ Can't beat the price
+ Hides all ports in stealth mode
Cons:
- Quirky, bothersome alerts
- No privacy protection
Operating systems: Windows 9x, NT
Real-life requirements: Pentium or better processor, 32M of RAM, 2M of storage, Internet connection to download product and updates
Port probes: All undetectable
Overall grade:
