
Protect Your PC

From dangerous new viruses to stealthy software, the assaults on your computer just keep coming. Who's in charge here? You--with these 26 well-tested tools.

Robert Luhn and Scott Spanbauer


Shut Out Hackers

By Scott Spanbauer

Though antivirus software protects you from many malicious programs, it might not catch everything. A hacker might attempt to snoop around your system for private passwords, for example, or you might download a file or receive an e-mail attachment containing a backdoor program or a Trojan horse that steals data or opens vulnerabilities. A firewall can protect you from these types of attacks by continuously watching all the data flowing both into and out of your system.

We reviewed six software firewalls--Internet Security Systems' BlackICE PC Protection 3.5, Network Associates McAfee Firewall 3.02, Sygate Technologies' Personal Firewall Pro 5, Symantec's Norton Personal Firewall 2002, Zero-Knowledge Systems' Freedom Personal Firewall 3.2, and Zone Labs' ZoneAlarm Pro 3--to determine which provides the best protection without interfering with common applications or inundating you with false alarms. For comparison, we also examined the Internet Connection Firewall that accompanies Windows XP (but is turned off by default). AV-Test.org conducted all lab tests on Windows XP Professional systems, using the firewalls' default security settings.

We were most impressed with Sygate's Personal Firewall Pro 5 and Zone Labs' ZoneAlarm Pro 3, so we gave both of them our Best Buy award. The Sygate product stands out for offering the finest control over how Internet-enabled programs can communicate. ZoneAlarm Pro, a previous Best Buy, has gotten even better with the addition of new ad-blocking tools, along with e-mail filtering and a better setup tutorial. Both Sygate and ZoneAlarm are also available in free editions that provide the basic firewall features.

What Comes In? What Goes Out?

A firewall's primary job is to monitor each of the 65,535 possible TCP and UDP port addresses your system uses to communicate with other computers. If no application on your system is using a particular port, the firewall should ward off incoming data packets destined for it.

Most inbound "attacks" are simple port scans: hackers' attempts to find poorly configured, vulnerable servers. Since few users run the FTP, Telnet, and Web server applications that hackers typically look for, these connection attempts are usually harmless. On the other hand, Trojan horses, backdoor programs, and configuration errors--such as enabling file sharing without restrictions--can open vulnerabilities and give hackers the ability to copy files, delete files, or co-opt your PC and use it as a platform for launching attacks on commercial servers.

Running common port-scanning applications on all the firewalls (including Windows XP's), we found that most products protect all ports from attack. However, in their default settings with Internet access enabled, BlackICE PC Protection, Norton Personal Firewall, and McAfee Firewall do not close port 5000, which the Universal Plug and Play feature in recent versions of Windows uses to detect networked devices. Few products currently support UPnP, but it is enabled by default in Windows XP, thereby opening a server port. A McAfee representative says that in later versions of its firewall the company may add a check box to allow users to close port 5000. And by the time you read this, Norton should have a new, downloadable firewall rule that closes the port.

BlackICE not only leaves port 5000 open but also fails to close any ports over number 1024. According to ISS, pushing the program's security level from default 'Cautious' to 'Nervous' closes all TCP ports, and moving to the highest setting, 'Paranoid', closes all UDP ports, as well.

Keeping an Eye on Apps

The biggest danger to most PCs comes not from outside attacks but from within: Trojan horses and backdoor programs that you install because they appear to be useful downloads or harmless e-mail attachments. Once they've slipped into your system, these programs can turn your PC into a vulnerable server, opening ports to intruders or collecting data--such as passwords--and sending it to hackers. An up-to-date antivirus scanner is your first line of defense against Trojan horses and backdoor code, but if one of these does slip through, a firewall provides further protection.

The Windows XP firewall monitors inbound attacks only, but the six other firewalls we reviewed attempt to thwart Trojan horses and backdoor programs by controlling which applications on your system can connect with remote servers. Most of the firewalls alert you when an application wants Internet access, and they allow you to grant or deny permission. Symantec's Norton Personal Firewall makes the identification process easy by using a signature database of known, safe applications--for example, Web browsers and e-mail clients--to configure access rules automatically. If an application doesn't appear in the database, Norton will ask you to set permissions.

Unfortunately, Norton failed to alert us when we replaced an approved application with another application that had the same file name--a trick that a Trojan horse or backdoor program might try in order to slip past the firewall. Norton did ask permission for the replacement program to run, but it identified the app only by its file name. Similarly, BlackICE PC Protection and McAfee Firewall failed to note that the original file had been overwritten.
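The difference between approving an application by file name and approving it by its contents, as an added example that is not from the article or from any of the reviewed products. The `NameRule` and `HashRule` classes and the sample file name are hypothetical; the sketch assumes a rule store that can record a SHA-256 digest at approval time.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file contents in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class NameRule:
    """Hypothetical rule store that approves by file name only (the weak check)."""
    def __init__(self):
        self.approved = set()
    def approve(self, path):
        self.approved.add(os.path.basename(path).lower())
    def allows(self, path):
        return os.path.basename(path).lower() in self.approved

class HashRule:
    """Hypothetical rule store that binds approval to path plus content digest."""
    def __init__(self):
        self.approved = {}
    def approve(self, path):
        self.approved[os.path.realpath(path)] = sha256_of(path)
    def allows(self, path):
        expected = self.approved.get(os.path.realpath(path))
        return expected is not None and expected == sha256_of(path)

def demo():
    """Approve a constructed file, overwrite it, and re-check both rules."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "mailclient.exe")  # constructed sample name
        with open(app, "wb") as f:
            f.write(b"original approved program")
        by_name, by_hash = NameRule(), HashRule()
        by_name.approve(app)
        by_hash.approve(app)
        before = (by_name.allows(app), by_hash.allows(app))
        with open(app, "wb") as f:  # same name, different contents
            f.write(b"replacement program")
        after = (by_name.allows(app), by_hash.allows(app))
    return before, after

if __name__ == "__main__":
    print(demo())
```

After the overwrite, the name-based rule still allows the file while the digest-based rule rejects it, which is the point at which a firewall should ask the user again.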

BlackICE suffered from other problems, too. We've awarded Best Buys to earlier versions of the program because of their demonstrated ability to fend off and track attacks from outside. This time around, we focused more on application control, a feature that's new to the current version--but this feature failed to pass muster. By default, BlackICE grants full Internet privileges to any applications already installed on your PC. Because of this setting, BlackICE was the only firewall (other than Windows XP's) that failed to block a backdoor program preinstalled on our test system. You can restrict applications after installing BlackICE, but that requires you to review its list of the several hundred executable files installed on your PC and to configure rules for each.

The star of the application control tests, Sygate's Personal Firewall Pro, was the only firewall that resisted our attempts to shut it down using a third-party system-monitoring application--mimicking a trick some Trojan horses and worms use to disable a PC's security software.

Feedback and Control

Most of the six non-Microsoft programs we tested do a good job of reporting possible outside attacks, by changing the utility's system tray icon, popping up a warning dialog box, playing a sound, or doing all three. However, Freedom Personal Firewall's alerts are rather vague, and you don't miss much information by keeping them disabled, as they are by default. All six display real-time logs of suspicious incoming traffic, showing the originating IP address, the type of attack, and in most cases its severity. In addition, Freedom, Sygate, and ZoneAlarm perform "Whois" traces that can sometimes pinpoint the source. Sygate's firewall also lets you do a trace route showing the exact path the attack took, from the source to your PC. Both techniques can help you identify a probable attacker's ISP so that you can report the abuse.

For application control, all the non-Microsoft firewalls let you drill down to control settings and specify whether a program may initiate outgoing communications (acting as a client) or receive incoming connections initiated remotely (acting as a server). Sygate offers the greatest level of control, letting you dictate even specific days and times when a program can communicate.

Protect Yourself With Hardware

Many small offices and wired homes use inexpensive gateways/routers to share an Internet connection, files, and printers or other peripherals. The makers of gateways/routers often advertise built-in firewalls as well. How does this type of protection compare with a software firewall?

Using Network Address Translation and Dynamic Host Configuration Protocol, a basic hardware gateway/router such as the Linksys BEFSR41 EtherFast Cable/DSL Router ($75) distributes private IP addresses to computers on the network. It transforms those private addresses into its public IP address in the course of sending communications to Internet servers. Because the individual PCs don't have their own public IP addresses, they should be protected from outside attacks. We found the four-port Linksys to be simple to install. We didn't have to enter its setup screen because it retrieved a dynamic IP address from our ISP and then created a NAT network automatically.

More-expensive routers such as NetGear's eight-port FR318 ($250) add other safeguards, including stateful packet inspection, which scrutinizes both the address headers and the contents of data packets for signs of suspicious behavior. (Many of the software firewalls that we reviewed also use SPI.) In contrast, firewalls that use static rules look only at address headers; they are more susceptible to advanced attacks that disguise the packet's true source. The NetGear router required more work to configure during setup than the Linksys did, but it offers handy Internet content filtering that lower-cost routers like the Linksys don't. However, even advanced hardware firewalls can't perform the application checking that the software products can.

Hardware firewall manufacturers agree that software adds a layer of protection. Linksys, for example, has joined with Zone Labs to offer discounted multiple-computer ZoneAlarm Pro licenses along with its routers. And NetGear offers buyers of its RP114, RP334, RT311, and RM356 firewall routers eight free one-year subscriptions for Zero Knowledge's Freedom security and privacy suite.
