Personal Firewall Test: PGP7
An Analysis of Mini-firewalls for Windows Users
By Seán Boran
November 29, 2000 - This article is a part of a series of tests on Personal
Firewalls/Intrusion Detection Systems. Refer to [1]
for an introduction to Personal Firewalls, risks, tips on "hardening" your
Windows even without a firewall, a feature comparison and a summary of analyses.
This report focuses on the PGP7 Personal Firewall.
Key criteria in choosing a personal firewall are:
- Effectiveness of security protection (penetration, Trojans, controlling leaks, denial of
service)
- Effectiveness of intrusion detection (few false positives, alerting of dangerous
attacks)
- User interface: ease of use, instructiveness, simplicity, quality of online help. Does
the interface suit the way you use your PC?
- Price
How did we test firewall/intrusion detection effectiveness?
- Pinging and accessing shares to and from the test host.
- A powerful, well-known "remote control" Trojan (Netbus Pro v2.1) [3] was
installed on the system on a non-standard port (to make detection more difficult).
The Netbus server was started and attempts were made to connect from a remote system.
- The telnet server was enabled on the Win2K test PC. A remote connection was attempted.
It is not recommended that you enable telnet. We did this purely for testing purposes.
- An nmap [2] scan was run against each product (see below) to check that incoming
ports were effectively blocked. With no firewall installed, the test PC (Win2K SP1)
presented nmap (nmap -sT -P0 -O IP_ADDR) with the following:
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
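An added example (not from the article) of the before/after comparison that the nmap test above implies: it parses nmap's port table (the baseline below is reproduced from the scan listed above) and reports which inbound ports a firewall actually closed. The "with firewall" listing is constructed for illustration, not a scan from the review.

```python
"""Compare two nmap -sT port listings (baseline vs. firewall enabled) and report
which inbound ports the firewall closed. Added example, not from the article."""
import re
from typing import Dict, List, Set, Tuple

# Baseline output reproduced from the article's Win2K SP1 scan (no firewall).
BASELINE = """\
Port     State   Service
7/tcp    open    echo
9/tcp    open    discard
13/tcp   open    daytime
17/tcp   open    qotd
19/tcp   open    chargen
23/tcp   open    telnet
135/tcp  open    loc-srv
139/tcp  open    netbios-ssn
445/tcp  open    microsoft-ds
1025/tcp open    listen
No OS matches for host
"""

# Constructed (hypothetical) scan with a firewall enabled: two ports still reachable,
# one reported as filtered. Not a result from the review.
WITH_FIREWALL = """\
Port     State     Service
23/tcp   open      telnet
139/tcp  open      netbios-ssn
445/tcp  filtered  microsoft-ds
"""

# nmap port lines look like "139/tcp open netbios-ssn"; header and OS lines are skipped.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_scan(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, protocol) -> state for every port line in an nmap listing."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports

def open_ports(text: str) -> Set[Tuple[int, str]]:
    """Only 'open' counts as reachable; 'filtered' means the firewall dropped the probe."""
    return {k for k, state in parse_scan(text).items() if state == "open"}

def firewall_report(baseline: str, protected: str) -> Tuple[List, List, List]:
    """Return (still_open, closed_by_firewall, newly_open) relative to the baseline."""
    before, after = open_ports(baseline), open_ports(protected)
    return sorted(before & after), sorted(before - after), sorted(after - before)

if __name__ == "__main__":
    still_open, closed, new = firewall_report(BASELINE, WITH_FIREWALL)
    print("still reachable:", still_open)
    print("blocked by firewall:", closed)
    print("unexpected new ports:", new)
```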
First, a quote from the Network Associates Website [4]:
PGP Desktop Security 7.0 is the first and only security product to combine personal
firewall, intrusion detection, VPN client, and encryption technologies into a single
solution that fully protects computers against intruders and theft/loss of data.
Product repackaging/variations: There seem to be several variants of the PGP firewall;
we tested the first one:
PGP Desktop Security 7.0 [4]
PGP Desktop Security - Personal Firewall Edition 7.0 (Network Associates)
http://www.pgpinternational.com/products/dtop-security-firewall/default-vpn.shtml
This product is to be 'released soon'.
McAfee PGP Personal Security V7.0, Price: $31.95
http://www.us.buy.com/retail/product.asp?sku=20320219&loc=105
This product seems to have most features and is well priced.
Personal firewall functions have been added in the new PGP
version 7 alongside the usual PGP features of email, file, disk encryption, secure file
wiping and VPN. PGP is an excellent tool for email, file and disk encryption, but how good
is the firewall?
Cost
There is no freeware version of PGP7 yet, and the older versions don't have a personal
firewall. PGP7 can cost between $31.95 and $300 depending on the configuration and who you
buy it from! A 30-day evaluation version is also available [7].
Test Platform
PGP v7.0 was tested for this review on Win2K SP1 and also for a short time on NT4 SP5.
Features
- Enterprise features with "PGPadmin":
Administrators can pre-configure all settings within PGP 7.0 (ranging from
cryptographic policies to Personal Firewall settings) prior to deploying PGP to their end
users. Administrators can also specify, on a very granular level, which settings in PGP
are 'locked down' from user modification. Locked down settings appear grayed out in the
GUI to end users, and are protected in storage using cryptographic methods.
- Automated configuration updating:
Computers protected by PGP 7.0 can automatically download updated configuration
information on a scheduled basis from any PGP Keyserver 7.0 or standard LDAP v2 or v3
compliant directory. Updates can be downloaded using standard LDAP or LDAPS (LDAP over SSL
- which provides configuration data over a strongly authenticated and encrypted
connection).
- Improved support for multiple users using a single Windows NT/2000 system by storing
all user-specific information (keyring, PGP configuration data, random data pool, etc.) in
each user's Windows profile area. Computer specific information, such as VPN settings, are
stored in a central location on the system.
- Intrusion detection: PGP provides protection from common attacks, including SYN floods,
ping floods, Smurf, Bonk, Ping of Death, Back Orifice, Teardrop, and so on.
- PGP provides packet filtering as the second line of defense for computers it protects.
The product comes with six specific pre-defined levels of protection (none, minimal, client medium, client high, server medium, server high),
each with its own associated list of packet filtering rules. Administrators can also
create custom rules. Rules contain services (port, list or range), addresses (individual,
range or networks), action (block, permit, alert), protocol (udp, tcp, icmp, igmp, IPSec)
- Attack alerts can be sent by email. By default, alerts cause a dismaying noise and a
flashing tray icon.
- When an attack is alerted, PGP can try to trace the source using the results of telnet,
HTTP, SNMP and DNS connections.
Security Effectiveness
- With protection level "client high," not even an outgoing or incoming ping
would work - only outgoing tcp and dns are allowed. No alerts are logged.
- "Client medium" was very tight too - ping, shares, Netbus and nmap were
ineffective. Unfortunately, working on an office LAN with typical applications was also
impossible! No alerts are logged.
- In "minimal" mode, outgoing ping is allowed, incoming fails, Netbus can be
connected to, and an nmap scan sets a "scan" alert, which causes the source
address to be blocked for 20 minutes.
Advantages
- Part of an excellent encryption package.
- Useful enterprise options for controlled rollout and automatic reconfiguration and
update.
Disadvantages
This is the first version of PGP to have a personal firewall, and it is still a little
rough around the edges:
- Personal firewall is not so easy to use. GUIs could be much better.
- If a filter-set other than custom is used, the rule details cannot be examined, and
rules cannot be added/removed.
- There is no option for logging or alerting per firewall rule.
- An application cannot be associated with a rule.
- When an attack is detected, there is no way of viewing the details on what data was
received on what port.
- Logging and alerting are way behind the competition.
- The user is not prompted to allow traffic.
- Cost: expensive; no trial or freeware version; no source code available.
- Neither the VPN, firewall nor encrypted disk features are available in the Unix version.
- The Personal Firewall module cannot be installed on its own; it comes as part of the
VPN.
- Complexity: Originally (v2.6) PGP was small - sources were available and possible to
verify. NAI has added feature after feature over the last few years, and sources are
protected. Hence there are worries that its security effectiveness/assurance has
diminished. For example, a serious security weakness was discovered in August regarding
its handling of ADKs (additional decryption keys). The fix was an update to v6.5.8. Hot
news: NAI has just published the sources of v6.5.8 for all platforms [6].
On the other hand, no sources are available for any of the other PF tools evaluated,
nor is there evidence that they have been subject to serious security scrutiny. See also [5] for further discussion of this topic.
- Stability: PGP7 was tested on Win2000 SP1 and NT4 SP5. The NT4 system sporadically
"hung," and PGP seems to be the culprit. Backing out to v6.5.8 returns life to
normal, so either PGP7 has a bug, or it kicks in a bug in one of my other applications.
The Win2000 system did not exhibit this behavior.
On another NT4 test system, it always
starts with a service failure: "The PGPmemlock service failed to start due to the
following error: The system cannot find the file specified", and there have been
several crashes (blue-screens) in the NTOSKRNL.
Summary
The PGP7 firewall is useful...
- for existing advanced PGP users,
- for the corporate environment with centralized rollout and support,
- for protecting NT servers,
... but not for the novice user looking for an easy-to-use personal firewall.
The instability mentioned above is also worrying.
Hopefully, NAI will continue refining the PGP firewall features. It is a welcome
addition to the PGP desktop suite.
The release of sources for PGPv7, as already done with v6.5.8, would be welcome. This
could result in peer review by open source experts, and hence provide additional assurance
of security effectiveness.
References
[1] Personal Firewalls/Intrusion Detection Systems (the base reference for this
article): pf_main20001023.html
[2] NMAP: www.insecure.org/nmap
[3] Netbus Pro: remote control program often used as an attack tool to control
remote PCs. http://netbus.nu/
[4] PGP Desktop Security 7: www.pgp.com
[5] The PGP "ADK Bug"
[6] PGP International and freeware site: www.pgpi.org
[7] PGP Firewall: 30-day evaluation version:
http://www.nai.com/asp_set/buy_try/try/products_evals.asp
About the Author
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
06.Oct'00 PGP7 first draft
09.Oct'00 Updates: PGPmemlock instability, summary & spelling.
22.Nov.00 Add notes on different packaging variations, update pricing.
19.Dec.00 Eval version, introduction, some formatting.
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 11 December, 2001