Personal Firewall Test: Privacyware Privatefirewall 2.0
By Seán Boran
March 16, 2001 - This article is a part of a series of tests on Personal
Firewalls/Intrusion Detection Systems. Refer to [1] for an introduction
to Personal Firewalls, risks, tips on "hardening" your Windows even without a
firewall, a feature comparison and a summary of analyses.
This report focuses on the Privatefirewall 2.0 by Privacyware.
Key criteria in choosing a Personal Firewall are:
- Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of
service.
- Effectiveness of intrusion detection: few false positives, alerting of dangerous
attacks.
- Effectiveness of reaction: discovering identity of attacker, blocking attacks, ease of
use.
- User interface: ease of use, instructiveness, simplicity, quality of online help. Can
rules be easily added/removed/checked? Does the interface suit the way you use
your PC? Do you understand the questions the software asks and what it is doing?
- Price: how much are you willing to pay initially and each year for support/updates?
How did we test attack defense effectiveness?
- Ping and accessing shares to and from the test host.
- A powerful, well known "remote control" Trojan (Netbus Pro v2.1) [3]
was installed on the system on a nonstandard port (to make detection more difficult), the
Netbus server started and attempts made to connect from a remote system.
- The telnet server was enabled on the Win2K test PC. It was then attempted to connect to
this service remotely. It is not recommended that you enable telnet; we do this purely for
testing purposes.
- An nmap [2] scan was run, to check that incoming ports were
effectively blocked. With no firewall installed, the test PC (Win2K sp1) presented nmap
the following (nmap -v -sT -P0 -O IP_ADDR).
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
Privatefirewall 2.0 by Privacyware [4] is a relatively small and
simple firewall:
Privatefirewall continuously checks and changes settings that allow unauthorized
users access to information stored on a Windows or NT-based PC. Privatefirewall also
constantly monitors other sensitive areas of a PC where intrusion can occur and reports on
their status so that users can make regular decisions about these areas and make changes
as necessary.
V2.0 build 1.12.16 was tested on Windows 2000 SP1.
To get a feel for the GUI, check out the "test drive": http://www.privacyware.com/pf_testdrive2.html.
Features
- Costs $14.95. A trial version is available for download.
- Works on Win95/98/Me, W2K, and NT environments.
- "Hardens" the Windows PC when installed:
- Browser (IE) settings are set to "medium" (which is fine, except you may have
been using "restricted" before). Other browsers such as Opera or Navigator are
not affected.
- File/printer sharing is disabled.
- It is suggested that network access to DCOM objects be disabled using the Win2k
"dcomcnfg" tool.
- Reports
- Active ports and the corresponding applications can be listed in Report->Port
Tracking Report. No explanation on the applications or ports is given though.
- All reports can be viewed on-screen or in HTML format.
- The status report indicates whether DCOM, the browser, the network, or file sharing is a
security problem. The network icon was always yellow for me, although no problem was indicated.
- Firewall log. It's not clear if only failed or successful attempts are logged.
- Security model:
- Target addresses are divided into "Zones" Internet, Intranet, Trusted
and Restricted (like Internet Explorer). Host/network addresses can be added to each of
these sites. In addition the firewall rules for each site can be customized, for example
ICMP can be allowed, Internet Explorer can be allowed to access websites, etc.
- There are 3 security levels: high, medium and low, with rules attributed to each.
- New "applications" can be added. Each application can have resources (i.e.
filter rules) attached to it. For example, you might attach a rule allowing outgoing tcp
port 22 to your SSH client application. The rule can be enabled for each of the three
security levels. This application and its rules then appear as available options in the
Zone configuration dialogs noted above.
- There are three security policies: Home, Office and On the Road. Each of these policies
can be configured to have different Zones configurations. This allows the laptop user to
easily change firewall behavior depending on whether he/she is working directly on the
Internet, the Office LAN, etc.
Effectiveness tests:
1. Ping & shares tests
Incoming ping and access to shares is blocked.
2. The Netbus server
- The firewall did not complain when the Netbus server was started.
- The incoming Netbus connection was stopped.
- The "Port tracking report" did not show Netbus listening on port 30,000,
although "netstat -a" did.
3. Telnet
The firewall did not complain when the Telnet server was started. Incoming telnet was
stopped though.
4. An nmap scan
All ports are filtered; the operating system version was not detected. The logs are
filled with alerts, one for each port scanned.
5. Other tests:
- NetBIOS traffic was not detected or stopped.
- Outgoing SSH and ping were allowed.
- Since outgoing connections are allowed, information could easily be leaked out of the PC
without the user knowing. So if an attacker could get a Trojan onto the PC, a reverse tunnel
could possibly be used to take it over.
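The two checks above (the nmap baseline versus the firewalled scan, and the firewall's Port Tracking Report versus "netstat -a") are worth automating when repeating this kind of test. The following is an added example, not part of the original article or the product: it parses constructed sample output shaped like Windows "netstat -an" and nmap, plus a constructed stand-in for the Port Tracking Report (whose real format is not given on the page), and flags listeners the firewall does not report as well as baseline-open ports still open through the firewall.

```python
import re

# Constructed sample in the shape of Windows "netstat -an" output (not from the article).
# Port 30000 stands for the Netbus server on its nonstandard port.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:30000          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1030      192.168.1.1:22         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical stand-in for the firewall's "Port Tracking Report": one "port application"
# pair per line. Port 30000 is deliberately absent, as observed in the test.
FIREWALL_REPORT_SAMPLE = "7 tcpsvcs.exe\n23 tlntsvr.exe\n1025 svchost.exe\n"

# Three ports taken from the article's no-firewall nmap baseline, and a constructed
# post-install scan in which every port is filtered.
NMAP_BASELINE = "7/tcp open echo\n23/tcp open telnet\n1025/tcp open listen\n"
NMAP_FIREWALLED = "7/tcp filtered echo\n23/tcp filtered telnet\n1025/tcp filtered listen\n"


def netstat_listeners(text):
    """TCP ports in LISTENING state; the port follows the last ':' of the local address."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def reported_ports(text):
    """Ports the firewall's own report claims to be tracking."""
    return {int(line.split()[0]) for line in text.splitlines() if line.strip()}


def nmap_open_ports(text):
    """Map port -> service name for every 'N/tcp open <service>' line of nmap output."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}


def unreported_listeners(netstat_text, report_text):
    """Listeners the OS sees but the firewall report omits (the Netbus case on port 30000)."""
    return netstat_listeners(netstat_text) - reported_ports(report_text)


def still_exposed(baseline_text, firewalled_text):
    """Baseline-open ports that a scan through the firewall still reports as open."""
    baseline = nmap_open_ports(baseline_text)
    return {p: s for p, s in nmap_open_ports(firewalled_text).items() if p in baseline}
```

Run against real captures, a non-empty result from either function is a finding to investigate: the first means the firewall's self-report cannot be relied on to spot a Trojan listener, the second that the filtering is incomplete.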
- Small, simple but quite powerful.
- Installation and deinstallation were painless.
- Interesting security model.
- Cheap, and a working version can be downloaded to test.
- Works on Windows 2000.
- Separate policies for Home, "On the Road" and Office use.
- Prevention: the PC is examined for weaknesses and the user informed on how to improve
security. For example, the user is encouraged to disable file sharing.
- All outgoing traffic is passed. It should be possible to define rules that block
specific traffic, but I was unsuccessful in my attempts to block outgoing SSH, for
example.
- Understanding where and how to edit rules is not easy.
- Documentation is poor. I could find no detailed information of what the product does on
the website. There is online help, but it is limited.
- User interface:
- A status icon always indicated that I had a "potential security issue,"
although the status report was fine.
- I found the "traffic lights" confusing. Green is completely open, red shut and
orange "normal - filtering." It seems probable that the user would hit green
thinking that the firewall is active in this state. Suggestion: get rid of the green
button. If the user wants to open the firewall fully, he does so by "suspending"
it.
- The GUI is neither the best nor the worst of the products tested so far.
- Zones: It is not possible to look at the details of a particular rule in the
"Custom settings" of a particular zone.
- Intrusion detection:
- Configuration changes are not logged; neither is starting/suspending the firewall.
- Each alert can generate a small window, but this is tiring and will be disabled by most
users.
- The detail of data packets cannot be viewed, just the IP addresses and port numbers.
- Scans are not detected, just each forbidden port connection is logged. This makes it
more difficult to understand the attacks in progress. High-level attack analyses are not
provided.
- Reaction
- There is no simple way to block all traffic without logging from an address that is
currently scanning the system.
- No corporate features.
User interface: for some home users, the default configuration is ideal and will work
fine, out of the box. If the filter rules need changing, the user will need time to master
the tool to configure it correctly. The user might inadvertently open the firewall
entirely, as the GUI can be misinterpreted.
Laptop users will appreciate the security policy flexibility.
Security effectiveness: incoming ports are well protected but outgoing ports are
allowed, which is not optimal.
Effectiveness of intrusion detection: alert and logging needs improvement.
Effectiveness of reaction: discovering the identity of attackers and blocking attacks is
not easy.
Privatefirewall 2 is an interesting product at a good price, but improvement in several
areas would be welcome.
[1] Personal Firewalls/Intrusion Detection Systems (the base reference for this article).
    pf_main20001023.html
[2] Nmap
    http://www.insecure.org/nmap
[3] Netbus Pro: remote-control program often used as an attack tool to control remote PCs.
    http://netbus.nu/
[4] Privatefirewall 2.0 by Privacyware
    http://www.privacyware.com/downloadspecial.html
About the Author
Seán Boran is an IT security consultant based in
Switzerland and the author of the online IT Security Cookbook.
16.Mar.01 sb First Publication
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 10 October, 2001