Perimeter Defense: Firewalls
A firewall forms the first line of defense against hackers, worms, spyware, and other evils. PC World partnered with German security firm AV-Test to find the best.
Many homes and businesses use routers to share a broadband connection. To gauge the protection such devices provide, we tested two sample models of router and 802.11g wireless access point: Linksys's Wireless-G Broadband Router WRT54G and Microsoft's Wireless-G Base Station MN-700. Routers provide a basic firewall as a by-product of the way they handle Internet traffic. Using Network Address Translation (NAT) and Dynamic Host Control Protocol (DHCP), a router distributes private IP addresses to PCs on the network, thereby hiding them from outside computers, which see only the IP number of the router itself. Routers open ports to the Internet only if you set them to open or if the PCs on the network request data (in retrieving a Web page, for example).
The routers withstood assaults from port-scanning tools, which hackers use to find vulnerable targets. Since no system on the network had requested the data packets, the routers simply dropped them. Both products let us open select ports and assign them to the IP addresses of specific PCs. Known as port forwarding, this process lets you run servers for online games or Web sites without exposing other PCs on the network. One nice feature about Microsoft's unit: It enabled WEP encryption by default and generated a key to help protect wireless traffic. (For more on Wi-Fi security, see May's "Beating the Wireless Blues.")
Software Firewalls Watch Your PC
A router defends against outside attacks. But some types of malware--such as worms, Trojan horses, and spyware--work from within. You need a PC-based software firewall to stop them.
A purely permissions-based firewall alerts you when any application tries to communicate over the network, and enables you to block it. This will draw your attention to potential malware apps.
As a convenience, the firewalls in Panda Platinum Internet Security and in Symantec Norton Internet Security 2004 automatically granted permission to many Windows applications, but this measure can compromise protection. For example, Panda's provision to allow access for Windows services left open port 135--which the infamous Blaster worm uses to squirm into PCs. Panda fixed this vulnerability after we alerted the company.
Obviously, a security suite should permit its own components to run. McAfee Internet Security Suite 6, however, did not. Our attempts to send e-mail were thwarted by McAfee Privacy Service alerts reporting that MCSHIELD.EXE and MGHTML.EXE (two components of its own suite) were attempting to access a "guarded file,"--the e-mail client's application.dat file.
Sygate's Personal Firewall Pro 5.5 and Zone Labs' ZoneAlarm Pro 4.5 neither attacked themselves nor granted carte blanche to other applications. Consequently, they give you great power to monitor your system. But if you don't have the patience to ponder an alert before clicking 'OK', you may put yourself at greater risk.
Consider the Bagle worm, which hides its identity by injecting itself into the Windows Explorer application. When AV-Test infected a system with this worm, the McAfee, Norton, Sygate, and ZoneAlarm firewalls asked if Windows Explorer could access the Internet. Attentive users might wonder why the app was spontaneously trying to access the Internet, but others might simply click the OK button without considering the implications.
To avoid such problems, you might opt for a port-filtering firewall of the type included in the Windows XP operating system or a port- and packet-filtering firewall like the one in Trend Micro's PC-cillin Internet Security 2004 suite. Packet-filtering firewalls monitor data passing to and from the computer and look for known vulnerabilities or suspicious behavior. For example, they can block attempts to access backdoor ports that e-mail worms may have opened to receive instructions from remote hackers.
Normally, you won't need a firewall to catch a worm or backdoor program; that's the job of an antivirus utility. But antivirus scanners work best when they can compare potential viruses against databases of previously identified viruses. New threats usually go undetected until specific updates can be created, released, and applied--a lapse in coverage that may range from a few hours to a few days, as AV-Test found in a separate, extensive survey of antivirus companies' outbreak response times.
For our review, AV-Test challenged the firewalls with common worm attacks. For example, testers installed a program that attempts to mass-mail several hundred copies of itself as an executable attachment. Both the McAfee and the ZoneAlarm firewalls stopped the action by using a throttling feature that warns of attempts to send messages to many recipients at once or to send a single message repeatedly. Panda thwarted the worm with a feature that blocks outgoing e-mail containing executable attachments.
In another test, Panda did not block an attempt by the Bagle worm to open a backdoor port on a system and receive instructions from a remote hacker. The two routers did block the action, and the software firewalls from McAfee, Norton, Sygate, and ZoneAlarm provided alerts about the attempt, but they identified Windows Explorer as the application using the port, and could not tell that a worm was piggybacking on Windows Explorer in order to evade detection. The port-filtering PC-cillin and Windows XP firewalls blocked attempts to access the worm through the port, thereby silently protecting the computer, without requiring users to interpret alerts as they would have to with the permission-based software firewalls from McAfee, Norton, Sygate, and ZoneAlarm.
In addition to opening backdoor ports, malware may try to expose a PC by disabling security software. Panda, Sygate, and ZoneAlarm Pro resisted such attacks. But invading code shut down the Windows XP firewall and McAfee, Norton, and Trend Micro suites, and deleted the program files of the latter three.
Routers like the Linksys and Microsoft models fend off externally launched attacks, while software firewalls protect systems from worms spread through shared drives, by e-mail, or via file-sharing applications such as Kazaa and Gnutella. Software firewalls are also a must for laptops that leave the protection of a home or office router and connect to public Wi-Fi hotspots or hotel networks.
We liked Sygate's performance and granular configuration options but found the program confusing. Consider this Sygate alert: "Internet Explorer (IEXPLORE.EXE) is trying to connect to www.microsoft.com (184.108.40.206) using remote port 80 (HTTP - World Wide Web)." ZoneAlarm asked, "Do you want to allow Internet Explorer to access the Internet?" ZoneAlarm Pro 4.5's usability and performance earned it our Best Buy. If you don't have the patience to configure a permission-based firewall, PC-cillin's port-filtering firewall is a worthy alternative Best Buy.