Personal Firewall Test: TermiNET
An Analysis of Mini-firewalls for Windows Users
By Seán Boran (sean at boran.com)
March 27, 2001 - This article is part of a series of tests on Personal
Firewalls/Intrusion Detection Systems. Refer to [1] for an introduction
to personal firewalls, risks, tips on "hardening" your Windows PC even without a
firewall, a feature comparison, and a summary of analyses.
This report focuses on TermiNET by DANU Industries.
Key criteria in choosing a Personal Firewall are:
- Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of
service.
- Effectiveness of intrusion detection: few false positives, alerting of dangerous
attacks.
- Effectiveness of reaction: discovering identity of attacker, blocking attacks, ease of
use.
- User interface: ease of use, instructiveness, simplicity, quality of online help. Can
rules be easily added/removed/checked? Does the interface suit the way you use your
PC? Do you understand the questions the software asks and what it is doing?
- Price: how much are you willing to pay initially and each year for support/updates?
How did we test attack defense effectiveness?
- Ping and accessing shares to and from the test host.
- A powerful, well known 'remote control' trojan (Netbus Pro
v2.1) [3] was installed on the system on a non-standard
port (to make detection more difficult), the Netbus server
started, and attempts made to connect from a remote system.
- An nmap [2] scan was run, to check that incoming ports were
effectively blocked. With no firewall installed, the test PC (WinME) presented nmap with
port 139 being open.
TermiNET, by DANU Industries [4], is a relatively
simple firewall. From the website:
- Access Control - no unauthorized access from outside your PC.
- Stealth Mode - makes your PC invisible to the outside world.
- Web Blocking - block access to undesirable web sites.
- Supports multiple users profiles.
- Blocking notification on Intrusion detection.
- Flexible control for Web Browsing.
- Restricts access by IP Addresses, URLs, Ports and Protocols.
Costs $49.95 (it should be reduced to $39.95 by the time you read this).
V1.6.5.4 was tested on Windows ME (Millennium).
To get a feel for the GUI, check out the "test drive":
http://www.privacyware.com/pf_testdrive2.html.
Security Model
- There are three security levels: stealth (the default: outgoing communications are
allowed but incoming ones are blocked), open, and closed mode (advanced: ports are opened
selectively).
- Rules can be created per system user. The user must log on to TermiNET with a
user/password pair.
- A password is required for the TermiNET administrator, who can set up groups and users
and configure rules.
- Custom firewall rules can be added based on web/IP address, direction (client/server),
application, protocol, local/remote port/range, and time (day of week).
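To make this rule model concrete, here is an added example (not TermiNET's code) that evaluates rules with the fields listed above and lints them before they are saved; it reproduces the 'local port 0' mistake reported later in this review, where a deny rule for outgoing SSH never matches because the client side uses an ephemeral local port, so the connection is allowed through. The field layout, the meaning of 'all ports' and the target address 192.0.2.10 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_PORTS = (1, 65535)  # what the GUI's 'all ports' choice should expand to (assumed)

@dataclass
class Rule:
    action: str                              # 'deny' or 'allow'
    direction: str                           # 'out' (client) or 'in' (server)
    protocol: str                            # 'tcp', 'udp' or 'icmp'
    remote_addr: Optional[str] = None        # one host or None for any; no ranges/networks
    local_port: Tuple[int, int] = ALL_PORTS  # inclusive ranges
    remote_port: Tuple[int, int] = ALL_PORTS
    days: frozenset = frozenset(range(7))    # 0 = Monday .. 6 = Sunday

@dataclass
class Conn:
    direction: str
    protocol: str
    remote_addr: str
    local_port: int
    remote_port: int
    weekday: int

def matches(rule: Rule, c: Conn) -> bool:
    """True when every field of the rule covers the connection."""
    return (rule.direction == c.direction and rule.protocol == c.protocol
            and rule.remote_addr in (None, c.remote_addr)
            and rule.local_port[0] <= c.local_port <= rule.local_port[1]
            and rule.remote_port[0] <= c.remote_port <= rule.remote_port[1]
            and c.weekday in rule.days)

def decide(rules: List[Rule], c: Conn, default: str = "allow") -> str:
    """First matching rule wins; in stealth mode unmatched outgoing traffic is allowed."""
    for rule in rules:
        if matches(rule, c):
            return rule.action
    return default

def lint(rule: Rule) -> List[str]:
    """Warnings a rule editor could show before saving (the check the review asks for)."""
    return [f"{name} port is 0, not 'all ports': the rule can never match"
            for name, (lo, hi) in (("local", rule.local_port), ("remote", rule.remote_port))
            if lo == 0 and hi == 0]

# Constructed data: an outgoing SSH connection (client picks ephemeral local port 1031)
# and the review's deny rule, first with the mistaken 'local port 0', then corrected.
SSH_ATTEMPT = Conn("out", "tcp", "192.0.2.10", 1031, 22, 2)
BAD_RULE = Rule("deny", "out", "tcp", "192.0.2.10", local_port=(0, 0), remote_port=(22, 22))
GOOD_RULE = Rule("deny", "out", "tcp", "192.0.2.10", remote_port=(22, 22))
```

With BAD_RULE the SSH attempt is allowed and lint() flags the rule; with GOOD_RULE it is denied.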
The system was tested in the default "stealth mode":
- Ping & shares tests
Incoming ping and access to local shares is blocked; outgoing
ping and access to remote shares work fine.
- The Netbus server
- The firewall did not complain when the Netbus server was started.
- The incoming Netbus connection was stopped, but no specific alert was issued.
- Nmap scan
All ports are filtered; the operating system version was not detected. The
logs are filled with alerts, one for each port scanned.
- Other tests
- NetBEUI traffic was not detected or stopped.
- Since outgoing connections are allowed, information could easily be leaked out of the PC
without the user knowing. So if an attacker could get a trojan onto the PC, a reverse tunnel
could possibly be used to take it over.
Advantages
- Simple but quite powerful.
- Installation and deinstallation were painless.
- Evaluation version can be downloaded to test.
- Works on most Windows versions.
- Stable.
- Available in 11 different languages.
- Firewall rules:
- Rules can be deactivated without deleting.
- Custom rules are very flexible, with, for example, time based access (day of the week)
and selection of both remote and local ports.
Disadvantages
- Documentation: online help is limited.
- User Interface: The GUI is OK, but could be improved.
- Protection
- The custom firewall rules would not allow me to enter a deny rule for all IP addresses.
- IP addresses cannot be specified as ranges or networks.
- I added a rule to block outgoing SSH (remote port 22) to one target address, and could
not find the reason why it was not blocked, until I noticed that the 'local port' was set
to '0' instead of 'all ports'. Other users could easily make this mistake, perhaps the GUI
should warn the user if the local port is set to zero?
- I also somehow had one situation where all incoming ports were open, although the
firewall was enabled in stealth mode.
- Intrusion Detection
- Configuration changes are not logged, nor is starting/suspending the firewall.
- Each alert can generate a large window, but this is obtrusive, tiring and will be
disabled by most users.
- The information in the alert window is minimal and does not explain to a novice how
serious the attack is, or what countermeasures should be taken.
- The detail of data packets cannot be viewed, just the IP addresses and port numbers.
- Logs cannot be exported to HTML or text format.
- Scans are not detected as such; each forbidden port connection is simply logged. This
makes it more difficult to understand the attacks in progress. High level attack analyses
are not provided.
- Passed as well as blocked packets are logged.
- Reaction
- There is no simple way to block all traffic (without logging) from an address that is
currently scanning the system.
- No corporate features such as feature lockdown, creation of custom installs, remote
administration, central logging etc. are available.
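The one-alert-per-port logging and the missing 'block this address' action described above could be covered by a small log post-processor; the following is an added example (not the product's code) that groups blocked-port entries per source into one scan alert and produces the corresponding deny rule. The log line format, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 sample addresses, and the threshold of 10 distinct ports within 60 seconds are constructed for the example, since the real log format is not shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log format for this example; the product's real format is not on the page.
LINE = re.compile(r"^(\S+ \S+) (BLOCKED|PASSED) (tcp|udp) (\d+(?:\.\d+){3}):\d+ -> port (\d+)$")

def parse(lines: List[str]) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, action, source ip, local port) for each well-formed line."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(4), int(m.group(5))))
    return events

def detect_scans(events, window=timedelta(seconds=60), min_ports=10) -> Dict[str, dict]:
    """One alert per source that hits >= min_ports distinct blocked ports inside `window`."""
    hits = defaultdict(list)
    for ts, action, src, port in events:
        if action == "BLOCKED":
            hits[src].append((ts, port))
    alerts = {}
    for src, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:   # slide the window forward
                start += 1
            if len({p for _, p in seen[start:end + 1]}) >= min_ports:
                alerts[src] = {"ports": sorted({p for _, p in seen}),
                               "first": seen[0][0], "last": seen[-1][0]}
                break
    return alerts

def block_rule(src: str) -> dict:
    """The 'block everything from this address, without logging' rule the review finds missing."""
    return {"action": "deny", "direction": "in", "protocol": "any",
            "remote_addr": src, "local_port": "all", "log": False}

# Constructed sample: 12 ports probed from one host within 11 seconds, plus background noise.
SAMPLE_LOG = [f"2001-03-19 10:00:{i:02d} BLOCKED tcp 203.0.113.5:{40000 + i} -> port {20 + i}"
              for i in range(12)] + [
    "2001-03-19 10:00:30 BLOCKED tcp 198.51.100.7:1100 -> port 139",
    "2001-03-19 10:05:00 BLOCKED udp 198.51.100.7:1101 -> port 137",
    "2001-03-19 10:05:01 PASSED tcp 192.0.2.10:22 -> port 1031",
    "garbage line that the parser should skip",
]
```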
Conclusions
- User interface: for some home users, the default configuration is useful and will work
fine out of the box. If the filter rules need changing, the user will need time to master
the tool to configure it correctly.
- Protection effectiveness: incoming ports are well protected but outgoing connections are
allowed, which is not optimal. It is possible to have the firewall open without being
aware of this.
- Effectiveness of intrusion detection: alert and logging needs improvement.
- Effectiveness of reaction: discovering the identity of attackers and blocking attacks is
not easy.
TermiNET has some interesting concepts such as multi-user profiles and is available in
many languages. However, it could do with some improvements and is not cheap.
References
- [1] Personal Firewalls/Intrusion Detection Systems (the base reference for this article).
  pf_main20001023.html
- [2] Nmap
  http://www.insecure.org/nmap
- [3] Netbus Pro: remote control program often used as an attack tool to control remote PCs.
  http://netbus.nu
- [4] TermiNET by DANU Industries
  http://www.danu.ie/terminet.htm
  http://www.danu.ie/tnet_use.htm
About the Author
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
19.Mar.01 sb First release
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 17 August, 2001