Personal Firewalls Tests: Conseal PC Firewall
An Analysis of Mini-firewalls for Windows Users
By Seán Boran
This article is part of a series of tests on Personal Firewalls /
Intrusion Detection Systems. Refer to [1] for an
introduction to Personal Firewalls, the risks they address, tips on 'hardening' Windows even without a
firewall, a feature comparison and a summary of all the analyses.
This report focuses on the Conseal PC Firewall from McAfee.com.
Key criteria in choosing a Personal Firewall are:
- Effectiveness of Security Protection (penetration, trojans, controlling leaks,
Denial-of-service)
- Effectiveness of Intrusion Detection (few false positives, alerting of dangerous
attacks)
- User interface: ease of use, instructiveness, simplicity, quality of on-line help. Does
the interface suit the way you use your PC?
- Price
How did we test firewall/intrusion detection effectiveness?
a) Pinging the test host and accessing shares to and from it.
b) A powerful, well-known 'remote control' trojan (Netbus
Pro v2.1) [3] was installed on the system on a
non-standard port (to make detection more difficult), the Netbus
server was started and attempts were made to connect to it from a remote system.
c) An nmap [2] scan was run to check
that incoming ports were effectively blocked. With no firewall installed, nmap detected
the OS version (NT4 SP5) of the test PC and the following open ports (nmap -sT -P0 -O
IP_ADDR):
Port      State   Service
7/tcp     open    echo
9/tcp     open    discard
13/tcp    open    daytime
17/tcp    open    qotd
19/tcp    open    chargen
135/tcp   open    loc-srv
139/tcp   open    netbios-ssn
445/tcp   open    microsoft-ds
1025/tcp  open    listen
Overview
The Conseal PC Firewall [4] from
McAfee.com is full of interesting features:
- Filters ALL packets. For example, you can deny outbound web requests on Ethernet device
1, or all inbound email connections from network X over dialup only.
- Controls access to networking resources: complete access control by IP
address, service, device and direction. For example, you can allow inbound FTP connections
on Ethernet device 1 from only three chosen IP addresses.
- Activates rulesets only for specific applications.
- Filters all packet types at the device (link layer) level, including IP (TCP, UDP,
etc.), NetBEUI, IPX, ARP, etc.
- Filters all services: file and printer shares, protocols that use Winsock
(e.g. SMTP, HTTP) and operating system services (e.g. ping, RIP, FTP, Telnet).
- No special-purpose plug-ins or add-ons need to be installed
to allow applications or services to pass through the firewall.
- Constant monitoring: works quietly in the background while you use your system,
constantly monitoring all traffic in or out of your PC.
- Optional password protection of rulesets.
- Rulesets can be exported or transferred between systems with virtually no changes,
making universal "corporate" rulesets feasible.
- Complete logging services: log files record all network activity to help you track
down important events.
After installation the user is asked to choose a default policy:
- Basic - allows Internet Access, block ICMP (default)
- Cable/ADSL (It is unclear what this means and no help is available in this dialog)
- Browse: load an existing ruleset
- None
The "Advanced Settings" control options for all IP protocols other than
TCP/UDP: whether they are allowed, whether incoming fragments are blocked, and whether blocked / allowed
traffic is logged. A separate option covers protocols other than IP, RARP and ARP.
Prices:
Edition                              Download    With CD
Win9x/ME                             US$49.95    US$59.95
Workstation NT/2000                  US$150.00   US$160.00
Server NT/2000                       US$295.00   US$305.00
Security Effectiveness
Runs as a service on NT (meaning it is active before logon).
a) Ping: blocked.
b) The Netbus server: Conseal does not stop the Netbus server from being started, nor
does it complain to the user. However, attempting to connect remotely to the Netbus
server pops up the usual dialog box asking the user to allow
or deny access to the port in question.
c) An nmap scan causes about 100 logged events and several alert dialog boxes asking whether a particular port should be allowed
access. Nmap itself reports no open TCP ports and 1146 filtered ports, and cannot guess the
operating system version. The logs make no mention of a scan or of nmap.
Therefore, tight and effective security is possible with Conseal, if it is configured correctly.
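The before/after nmap comparison used in the test method above (and whose results are reported in c) is the check worth automating when evaluating any personal firewall. The following script is an added example, not code from the original article or from the Conseal product: it parses the port table from nmap's normal text output (such as the one quoted in the test description), diffs the open ports seen without and with the firewall, and flags any baseline port that is still reachable. The three scan outputs are constructed sample data modelled on the figures given in the article; 192.0.2.10 is a documentation address, not the test host, and the exact wording of the "ports ... filtered" summary line is assumed from older and newer nmap releases.

```python
"""Check a personal firewall by diffing nmap scans taken before and after it is enabled.

Added example, not part of the original article or the Conseal product. It parses
the port table from nmap's normal (text) output and reports which baseline-open
ports the firewall still leaves reachable. The scan outputs below are constructed
sample data; 192.0.2.10 is a documentation address.
"""
import re

# A port line in nmap's normal output, e.g. "139/tcp open netbios-ssn"
# (the article's scan) or "139/tcp   open   netbios-ssn" (current nmap spacing).
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Summary line for ports not listed individually. Assumed to cover both the older
# "The 1146 ports scanned but not shown below are in state: filtered" and the
# newer "All 1146 scanned ports on 192.0.2.10 are filtered" phrasings.
FILTERED_SUMMARY = re.compile(r"(\d+)\s+(?:scanned\s+)?ports\b.*?\bfiltered", re.IGNORECASE)

# Constructed: the unprotected NT4 SP5 host as reported in the article.
BASELINE_SCAN = """\
Interesting ports on 192.0.2.10:
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
"""

# Constructed: the same host with the firewall active (no open ports, 1146 filtered).
FIREWALLED_SCAN = """\
Interesting ports on 192.0.2.10:
The 1146 ports scanned but not shown below are in state: filtered
Too many fingerprints match this host to give a specific OS match
"""

# Constructed: a misconfigured firewall that still exposes NetBIOS and SMB.
LEAKY_SCAN = """\
Interesting ports on 192.0.2.10:
The 1144 ports scanned but not shown below are in state: filtered
139/tcp open netbios-ssn
445/tcp open microsoft-ds
"""


def parse_ports(scan_text):
    """Return {(port, proto): (state, service)} for every port line in the output."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state, service)
    return ports


def open_ports(scan_text):
    """Set of (port, proto) that nmap reported as open."""
    return {key for key, (state, _) in parse_ports(scan_text).items() if state == "open"}


def filtered_count(scan_text):
    """Number of ports nmap summarised as filtered, or None if no such line exists."""
    m = FILTERED_SUMMARY.search(scan_text)
    return int(m.group(1)) if m else None


def compare_scans(baseline_text, firewalled_text):
    """Classify the baseline's open ports by what the firewalled scan shows.

    still_open: ports the firewall failed to hide (the leak a tester cares about);
    now_blocked: baseline ports no longer reported open;
    newly_open: ports open only with the firewall in place (e.g. its own listener).
    """
    before = open_ports(baseline_text)
    after = open_ports(firewalled_text)
    return {
        "still_open": before & after,
        "now_blocked": before - after,
        "newly_open": after - before,
    }


def firewall_passes(baseline_text, firewalled_text):
    """True when every port open before the firewall is gone afterwards."""
    return not compare_scans(baseline_text, firewalled_text)["still_open"]


if __name__ == "__main__":
    for name, scan in (("firewalled", FIREWALLED_SCAN), ("leaky", LEAKY_SCAN)):
        result = compare_scans(BASELINE_SCAN, scan)
        verdict = "PASS" if firewall_passes(BASELINE_SCAN, scan) else "FAIL"
        print(f"{name}: {verdict}; still open: {sorted(result['still_open'])}; "
              f"filtered: {filtered_count(scan)}")
```

To use it against real scans, save nmap's normal output with `-oN before.txt` and `-oN after.txt` and feed the two files to `compare_scans`. Note that the `-P0` switch the article used has since been renamed `-Pn` in nmap; either way, skipping host discovery matters here, because a firewall that blocks ping (as Conseal does) would otherwise make nmap report the host as down and scan nothing.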
Advantages
- Rules can be applied to specific dialup connections.
- Rules can be password protected.
- "Learning mode" should make it easier for the user to get the initial rules
he/she needs installed. This mode can be interactive or automatic.
- Logging window is useful. The maximum log size can be set and its directory (but not
name) changed.
- Rules can be saved, loaded and exported to text format.
Disadvantages
- Expensive for NT/win2k users.
- The GUI is not the easiest to use.
- Netmasks and port ranges could be better presented.
- Using rule priority numbers is not trivial to grasp. Why are rules not listed in
numerical order?
- The number of rules can be large and confusing.
- Creating rules to deal with broadcasts is not easy.
- Despite enabling "unchecked learning mode" (where appropriate rules should
automatically be generated), UDP/137 packets were blocked.
- Despite adding a rule allowing all UDP ports on an active Dialup connection, outgoing
UDP/137 was still being blocked - the rules can collide and create confusing effects that
are annoying to correct.
- The dialog which prompts the user to add new rules needs
improvement. A communication can be allowed / blocked for this session or forever, but
there is no option to set port / IP ranges, associate an application, restrict the rule to this
network interface only, allow all UDP or TCP communications to/from this host, etc. The details dialog is useful but terse. UDP traffic on high ports
can be a real pain (many alerts on different ports, creating many different rules).
- Associating an application with a rule could be easier, no application details are
shown, just a lookup list of cryptic names corresponding to running tasks.
- The log window lists an "NdisWan" numbered dialup interface beside events, but
the only Network adaptors that can be selected in rules correspond to RAS Dial-up
connection names.
- There are no corporate features such as centralized alerting, policy updates, rollout or
lockdown.
- Rules cannot be applied to specific LAN adapters.
- Installation is a little tricky on NT, so follow the install instructions exactly.
- Constant (annoying) beeping of the computer speaker when alerts are detected cannot be
disabled?
- There is no concept of "trusted addresses" (from which the workstation should
accept all traffic).
- The log cannot be browsed. The Log window shows recent events, but once cleared,
previous events cannot be viewed.
- Intrusion detection is poor:
- Log events don't have any kind of severity rating.
- Scans are not detected, only connections to individual ports.
- No options for tracing the attacker source are provided.
- It is very difficult for non-expert users to understand what the log entries actually
mean.
- Known problems:
- The Win2k implementation does not work with dialup, and should NEVER be installed on
a Win2k ICS (NAT services is okay) system, as outgoing traffic is not filtered (although
incoming is). The developers are working to address both failings.
Suggested improvements:
- Overhaul the rules interface and the dialog which prompts
users for learning mode rules.
- Allow the user to change the order of columns listed in the rules window.
- Create a list of sample rules that the user can add/remove. Rules that are easy for users
to understand, like: 'Allow computer to be visible in Network Neighborhood', 'Allow other
hosts to detect your presence (ping)', 'Allow Filesharing', 'Allow accessing of remote
Fileshares', etc.
Note: sample rulesets are available from http://www.consealfirewall.com/buildblk3.htm
- It would be useful to change rule order by drag and drop.
Summary
A powerful, flexible firewall, that expert users may well appreciate. Could be much
easier to use though.
Corporate users may be interested in features such as password protection of rules and
exporting/importing of rulesets. However, remote policy changes, centralized
logging/alerting, centralized rollout and enabling of selected GUI features are not
supported.
[1] Personal Firewalls/Intrusion Detection Systems (the base reference for
this article).
pf_main20001023.html
[2] Nmap
http://www.insecure.org/nmap
[3] Netbus Pro: remote control program often used as an attack tool to
control remote PCs.
http://netbus.nu/
[4] Conseal PC Firewall
http://www.consealfirewall.com
Conseal PC Firewall V2.06:
Trial version for Win95/98: http://download.cnet.com/downloads/0-10069-100-1629045.html?tag=st.dl.10001_103_1.lst.td
Demo for NT/Win2k: http://www.consealfirewall.com/scripts/cfdownload.cfm
17.Dec.00 sb First Draft
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 10 October 2001