SAN FRANCISCO (07/26/2000) - Our test of 6 personal firewalls finds the best ones for keeping uninvited guests out of your office or home system.
It was getting late, so Jim Jarrard, president of Cinenet, a stock film footage company in Simi Valley, California, decided to leave his computer on overnight to finish downloading a big file. While Jarrard was gone, a hacker accessed his PC over its DSL Internet connection and loaded a program giving the intruder power to commandeer Jarrard's computer, steal valuable film files, and erase the system's hard drives.
Allan Soifer, an Ottawa, Ontario, electronic mailing list administrator, didn't realize a distant hacker had been scanning his home PC for hours. The hacker had found a way in and needed only a password to access Soifer's files. So he pelted the machine with computer-generated words, hoping for a lucky match.
Fortunately, neither of the hackers got the goods.
Jarrard escaped catastrophe because a frozen system and an error message the next morning told him something was wrong. He spent two weeks investigating the problem (and learning more than he wanted to know about hacking) before realizing that he would have to back up his data files and reformat the hard drive to delete the hacker's self-replicating program. Finally, he installed personal firewall software to guard against future attacks.
Soifer was luckier. Before the attack, he had visited Shields Up (www.grc.com), a Web site dedicated to Internet security advice. Soifer followed its recommendation to download and install ZoneAlarm, a free personal firewall program. ZoneAlarm alerted Soifer to the flood of incoming passwords and helped him identify the hacker's ISP--in Anchorage, Alaska. The ISP cut off the intruder's service, but the miscreant could likely open an account with another ISP and continue his misdeeds. And law enforcement is unlikely to take action on any but the largest, most prominent computer crimes.
Hackers come in all flavors. Many are simply curious folks who want to find out how a program or system works. They may not do any harm, and some even provide a service by discovering programming bugs and helping fix them. But malicious or criminal hackers use their skills for devious purposes. Criminal hacking incidents can range from obnoxious to destructive. The latter category includes "denial-of-service" attacks--like those that shut down Internet sites EBay Inc. and Yahoo Inc. last February when hackers bombarded the sites with data and caused the companies' servers to crash. Is your PC likely to suffer such a massive attack? If you're an individual or small-business user, probably not.
Hacking individual PCs remains a fairly rare phenomenon. Your chances of suffering some type of Internet vandalism are rising, however, especially if you have an uninterrupted, dedicated connection like DSL or cable modem.
Fortunately, you can take some simple steps to protect yourself. For most Internet users, changing a few settings, installing a good personal firewall, maintaining updated antivirus software, and using common sense will provide reasonable protection for a small cost.
Many Ports Of Entry
How do malicious hackers cause damage? They have access to increasingly sophisticated automated software tools that scour the Internet for vulnerable PCs. The tools locate an individual machine by its Internet Protocol address, a unique number that identifies a computer on the Net. Most computers equipped with dial-up connections have dynamic IP addresses: The Internet service provider assigns them a new IP address each time their users log on. By contrast, most high-speed connections, like DSL and cable modems, use constant or "static" IP addresses. In the unlikely event that a hacker decides to target you specifically, such a static address makes it easier to track you down.
An IP address identifies a computer but doesn't provide a way inside. To get in, the hacker must find an open port, or connection point. Think of an IP address as a computer's switchboard number and a port as an individual phone extension. Software on your PC creates ports to allow specific networking functions. Web access, for example, generally uses port 80, while FTP runs through port 21. Once they've targeted an IP address, hackers scan the machine for open ports, as happened to Allan Soifer.
Malicious hackers may also trick users into opening ports by sending Trojan horses. Mimicking the tactic invented by the wily Greek invaders of Troy, Trojan horses hide damaging cargo within a seemingly benign shell--in this case, an e-mail attachment or a download. When you double-click and open the shell, the hidden program sneaks out to wreak havoc on your computer. One of the best-known Trojan horses is "Back Orifice." (The name is a play on Microsoft's BackOffice network administration software.) Back Orifice surreptitiously opens a port on your PC that a hacker can then exploit to take control of your machine remotely.
Close The Windows
So how can windows users protect themselves? Before you install any new software, you should perform some simple housekeeping on your operating system to make it safer. The first step is to check the Microsoft Web site for security updates and patches. If you have Windows 9x, Windows NT, or Windows 2000 Professional, point your browser to windowsupdate.microsoft.com and follow the links there to find the updates for your particular operating system.
In addition, David Ursino, Microsoft's product manager for the new Windows Millennium Edition, recommends disabling the File and Printer Sharing option that provides other computers access to a machine running any version of Windows. Go to Start*Settings*Control Panel and double-click the Network icon.
In the dialog box that opens, search the list of installed network components for "File and Printer Sharing for Microsoft Networks." If this item is present, highlight it and then click the Remove button beneath the list of components.
Another way you can protect yourself is to use software that blocks Trojan horse programs. Any good antivirus package is designed to identify Trojan horses, but you must keep it up-to-date to defeat the latest subterfuges. You should also make sure your e-mail program is not set to open attachments automatically. And never open an attachment that you don't recognize or that comes from an unknown source.
These measures alone, though, will guarantee security for only a minority of PC users. "Unless you've installed your system from scratch, there's no way of knowing just how secure it really is," says Stuart McClure, coauthor of Hacking Exposed. Security breaches can occur on many fronts, typically through Internet software--like PC Anywhere, Net Meeting, or ICQ--that opens ports hackers can subsequently exploit. Even Microsoft's Ursino sees the need to add another layer of security. "If I were a user who had a home network with a persistent Internet connection," he says, "I would choose to have a firewall."
Good Fences Make Good Neighbors
Personal firewall software goes a step beyond the basic precautions. Like expensive and complex corporate-level firewalls, these affordable and simple products promise to repel intruders by monitoring incoming and outgoing Internet traffic and alerting you to possible dangers. To learn more about how firewalls function, see "How It Works: Personal Firewalls" (www.pcworld.com/how_it_works/firewalls). We looked at ten personal firewalls that sell for US$50 or less and chose the six strongest contenders for more detailed testing. This is a new kind of software product, and it shows. The firewalls' performance, usability, and interface quality run the gamut from effective and accessible to weak and incomprehensible.
The perfect personal firewall would be inexpensive and easy to install and use, would offer clearly explained configuration options, would hide all ports to make your PC invisible to scans, would protect your system from all attacks, would track all potential and actual threats, would immediately alert you to serious attacks, and would ensure nothing unauthorized entered or left your PC.
Only two products come reasonably close to meeting that ideal: Network ICE's $40 BlackICE Defender 1.9 and Zone Labs' ZoneAlarm 2.1, which is free for home users and nonprofit organizations. Though neither package is perfect, each has strengths that will make it attractive to particular users. Ultimately, we decided that these two products should share the title of Best Buy.
McAfee.com Corp.'s Personal Firewall ($40) and Symantec Corp.'s Norton Personal Firewall 2000 version 2 ($50) fall into the second tier of products. Sybergen Networks' Secure Desktop 2.1 ($30) performed unimpressively in our tests and didn't provide sufficient feedback (or even an indication that it was running).
And Aladdin's free ESafe Desktop 2.2 fared poorly because it is essentially an antivirus product with what our tests showed to be a kludgy, leaky firewall tacked on.
Four other products that we examined--Digital Robotics' Internet Firewall 2000 ($40), Delta Design's Net-Commando 2000 ($30), Plasmatek Software's ProtectX 3 Standard Edition ($25), and Tiny Software's Tiny Personal Firewall ($29)--failed to get past our preliminary cut because they exhibited more-serious flaws, such as incomprehensible instructions, weak documentation, or limited functionality.
We assessed the six contending products on three criteria: user-friendliness, ability to work with common programs that access the Internet, and prowess at repelling hacking attempts. In each case we independently installed the firewall on an otherwise unprotected Quantex QP6 350 M2X, a Pentium II-350 machine equipped with 64MB of RAM and running Windows 98 SE.
The best configuration process should be comfortable for a neophyte while giving an advanced PC user the opportunity to tweak the settings. Most of the products we tested offer only three security settings: block all traffic, allow some traffic, and provide no security at all. This scheme works fine if you just surf the Web and check e-mail, but it's too limiting for many users.
BlackICE Defender and McAfee.com Personal Firewall have the best configuration options and default settings. BlackICE has the simplest, best-explained security options, and it offers four levels of security for finer adjustment by the user. McAfee.com defaults to a middle "filter" security level that is an excellent starting point for most users. ZoneAlarm ranks near the top, too, but we thought it would have benefited from offering a fourth level of security between its high and medium settings.
Even the best documentation for the firewalls we tested is scarcely adequate, especially since hacking remains a mysterious aspect of computing for most PC users. In particular, none of the products we looked at fully explains its advanced configuration features. If you take into account its reasonably clear and organized online help, BlackICE Defender scores highest in the documentation category. But in this case that's a small honor.
Things That Go 'bump' On The Net
The ideal firewall would also work quietly in the background but alert the user to anything worth reporting, and provide comprehensive logs of events.
Unfortunately, most of these products tend to overwhelm the user with data.
Firewall novices may be stunned at how often someone "touches" their PC. Most of that contact, however, is innocuous traffic that security expert Steve Gibson calls IBR--Internet background radiation. According to Gibson, who maintains the Shields Up Web site, "All firewalls overreport, and they don't do a useful job of discriminating between IBR and actual attacks."
Spikes of IBR occur for various reasons. For example, Internet services like WebTV sometimes send data to the wrong IP address when they attempt to contact users. A firewall might interpret that activity as a port scan. Internet privacy and security guru Simson Garfinkel, author of Database Nation, criticizes the misinformation typical firewall products generate. The most frequent complaint ISPs receive is no longer about spam, he says, but about firewall alerts of attempted scans. "Lots of people are going to scan you," he says. "You just can't react every time."
Of the products we examined, BlackICE--using carefully crafted reporting windows--provides the clearest, most useful information. The program notes the source of any probe, and it's the only personal firewall we tested that automatically looks up IP addresses and provides contact information about whoever "touched" your PC. An honorable mention goes to Norton and Secure Desktop, which log events in accessible text windows. But ZoneAlarm went a bit overboard: We finally turned off its endless stream of pop-up alert windows, relying instead on its comprehensive event logging for detailed information.
However, only ZoneAlarm effectively alerts you in real time to all potential threats--a level of detail that may appeal to some hands-on users. (For more on using ZoneAlarm, see www.pcworld.com/heres_how/zone.) Most firewalls simply flash an icon in the system tray when they detect something, but you won't see it if your system tray is covered or if you're not looking for it.
We ran each of the six firewalls through a number of scenarios to check its compatibility with other applications and its responsiveness to a potential Trojan horse. Compatibility is an important concern with applications that access the Internet: A poorly designed firewall might misconstrue as hacking attempts such legitimate activities as opening ports for Internet communication, and it may mistake legitimate programs for malware, or malicious software. Some firewalls will ask the user for permission to run applications, while others will allow or block the apps without providing feedback. In overall compatibility, BlackICE Defender had nearly flawless results, and McAfee.com finished close behind. Norton and ZoneAlarm worked well in most instances; Secure Desktop and ESafe performed poorly.
A good firewall can distinguish between network traffic related to trusted applications and malicious traffic from a hacker or Trojan horse. Some firewalls focus on applications, while others focus on data traffic. In the first case, Norton uses a lookup table of preapproved applications. BlackICE Defender, on the other hand, doesn't note what apps are running. Instead, it scrutinizes all data passing to and from the computer for suspicious behavior, or signatures. BlackICE has an extensive, updatable signature file of known hacking techniques, so it can often identify and explain exactly what is happening to your PC.
In our tests, we connected to the Internet over DSL and evaluated each firewall's ability to work with common applications that access the Internet:
Microsoft Internet Explorer and NetMeeting, WS-FTP LE (a file-transfer program), ICQ (a messaging program), Napster (MP3 music search and download software), PC Anywhere (a program that allows remote control of one computer by another), and RealPlayer (music and video player software).
Sometimes the biggest challenge was determining whether the firewalls were working at all. For instance, in its default installation, McAfee.com does not launch at system start-up or appear in the system tray. You must select those options in the program's configuration. And even though Secure Desktop launches automatically at start-up, it runs entirely in the background--there isn't even an icon for the program in the system tray.
Secure Desktop did ask for permission to run some applications, but when operating at its highest security setting, the program would not allow other applications--ICQ, Napster, or NetMeeting--to run at all. McAfee.com and ZoneAlarm worked fairly smoothly, asking permission for each application.
Norton automatically configured rules to permit some apps, but in other cases it made us walk through an overly detailed, six-screen Q&A to manually configure rules for future use of the app. BlackICE doesn't scrutinize applications per se, but it accurately monitors the types of data they send and receive.
Finally, we ran a not-so-trusted application: the freeware version of PKZip (file-compression software). This download includes a built-in application called TSAdbot, which acts as a conduit for advertisements from the Internet and displays them while PKZip is running. TSAdbot is not a malicious program, but it does function similarly to a Trojan horse and thus tests the firewalls' sensitivity to these intruders. McAfee.com, Norton, Secure Desktop, and ZoneAlarm detected TSAdbot and asked us for authorization. ESafe failed to react; BlackICE did not recognize TSAdbot's behavior as harmful. When we asked Network ICE about this result, spokesperson Robert Graham said, "Currently, Network ICE does not consider adbots to be malware." But he added, "Maybe we should reconsider our position."
We then hit each firewall with three simulated hacks: installing and accessing the Back Orifice Trojan horse, running a port scan, and conducting a denial-of-service attack. We ran each test at the programs' default security settings. (Some default to the highest security setting, while others default to the second-highest.) If a firewall failed a test, we tried it again at a higher setting.
In the Back Orifice test, BlackICE did not stop the attack at its default security setting. However, it did stop the Trojan horse when we bumped the security up a notch. (The newest BlackICE version, not available in time for our comparison testing, does stop Back Orifice at its default setting.)Three products--McAfee.com, Norton, and ZoneAlarm--identified Back Orifice by its file name, Umgr32.exe, and asked permission to run it. Not many PC users have heard of Back Orifice, let alone Umgr32.exe, so they might not know whether to block the app or let it run. ESafe's built-in virus checker identified the Umgr32.exe file and asked whether we wanted to delete it. Secure Desktop failed the Back Orifice test--and all other attack tests--even at its highest security setting.
We next hit our test PC with a port scan, having deliberately left two ports open to see how the firewalls would handle them. The first port, called NetBIOS, is opened when printer and file sharing are enabled. The second port was opened for our Back Orifice Trojan horse. (Some firewalls look for standard ports used by Trojan horses, but we upped the ante by choosing a nonstandard port.) A personal firewall can hide your PC by putting ports into stealth mode so they will not respond to a hacker's port scan; the ports will thereby offer no evidence that your computer exists.
At their default settings, BlackICE, McAfee.com, and ZoneAlarm put the two ports into stealth mode, but ESafe, Norton, and Secure Desktop failed to hide the ports we left open.
Finally, we ran a miniature denial-of-service (DoS) attack, hitting each firewall with a flood of meaningless data intended to confound the operating system. In the real world, a DoS attack overwhelms your Internet connection, making it difficult or impossible to access the Net. It can also crash your system. Malicious hackers can increase the pressure by launching a distributed-denial-of-service (DDoS) attack, in which multiple computers are commandeered and used to launch an attack. Such assaults are usually directed against major Web sites and the servers that support them. In the unlikely event your PC is targeted for a full attack, a good firewall may block the incoming data packets and prevent your machine from crashing, but no firewall can ensure that your Internet connection will remain open.
At their default settings, four of the firewalls we tested--BlackICE, McAfee.com, Norton, and ZoneAlarm--prevented a crash, although BlackICE was the only product that correctly identified the nature of the attack. Norton gave no indication an attack was under way. We were disappointed that ZoneAlarm repelled the attack only at its default (High) setting, and Secure Desktop and ESafe failed to prevent a crash even at their highest settings.
Play It Safe
According to Murphy's Law, anything that can go wrong, will. People are putting more sensitive data (such as financial records) on their PCs, and sending other sensitive data (such as credit card numbers) over the Web. They're also switching from dial-up modem-based service to broadband connections, with continuous service and fixed IP addresses. Meanwhile, hackers are acquiring more devious software tools and putting more potential victims at risk. Hacking will inevitably increase. But the good news is, you can protect yourself now.
Jeff Sengstack is a Bay Area freelance writer who contributes regularly to PC World. Test procedures were designed by Elliott Kirschling of the PC World Test Center. Steve Gibson, a software publisher and security advocate, consulted on this story.
Best Buys Good Cop/Bad Cop: BlackICE Defender (shown here), from Network ICE ($40), worked well with programs that access the Internet, and it provided the clearest explanations of what was going on. It is easy to install--even for newbies--and it permits advanced users to fine-tune its features. Zone Labs' ZoneAlarm can be a bit cantankerous when dealing with applications, but it offered the tightest security in our simulated attack tests. And the price can't be beat: It's free for home users and nonprofit organizations.
Jim Jarrard spent two weeks uncovering and undoing the damage a hacker inflicted on his company's computer in one night. "What a hassle," he says. "It was crazy."
No computer connected to the Internet is 100 percent safe from hacking. But take heart: These five easy steps can make a PC running Windows virtually impervious to online attacks.
*Check Microsoft's Web site regularly for the latest Windows security updates and patches.
*Remove File and Printer Sharing for Microsoft Networks under the Network Control Panel.
*Use up-to-date antivirus software to block Trojan horse programs. Exercise caution when deciding whether to open e-mail attachments, even from trusted senders.
*Install personal firewall software. We recommend BlackICE Defender for users not interested in becoming security experts and ZoneAlarm for those who want to know all the details about their Internet connection.
*If you maintain a persistent Internet connection, and you really want to play it safe, then just shut down your system whenever you will not be using it.
Play by the Rules Zone Labs' ZoneAlarm monitors applications that access the Net--including ones you may not be familiar with--and blocks out those that misbehave.
A Hacker's Glossary
Internet security is a complex subject. Here are some key terms and concepts for PC users to know.
*Denial-of-Service (DoS) Attack: Flooding an IP address with data, causing computers to crash or lose their connection to the Internet. Most DoS attacks are aimed at large Web servers, with the objective of rendering the target site unavailable to other visitors.
*Distributed Denial-of-Service (DDoS) Attack: Using multiple computers to launch a DoS attack. A hacker commandeers several outside computers and uses them as platforms to launch the attack, magnifying its intensity and cloaking the hacker's identity.
*Hacker: Someone who deliberately gains access to other computers, often without a user's knowledge or permission. Malicious hackers do this to steal valuable information, disrupt service, or cause other damage.
*IP (Internet Protocol) Address: The identifying number of a computer or other device. Two machines connected directly to the Internet cannot have the same IP address at the same time. Computers with static IP addresses (most systems with DSL or cable modem connections) always use the same IP address; those with dynamic addresses (most systems with dial-up connections) are assigned a new IP address each time they log on to the Internet.
*Personal Firewall: Software that keeps unauthorized users from accessing a stand-alone PC. It also prevents malicious programs from sending data out.
*Port: An electronic connection that allows data to travel between a client PC and a server over a network.
*Port Scan (or Port Probe): Data sent by a hacker over the Internet to locate a PC or network and determine whether it has open ports that will accept a connection.
*Stealth Mode: A protective setting that hides a port so it isn't visible over the Internet. A port that has been put into stealth mode will give no reply to a port scan, thereby providing no evidence that a computer exists at the scanned IP address.
*Trojan Horse: A malicious program masquerading as something harmless, usually an e-mail attachment or a download that you open and run. A Trojan horse opens your computer to incursions by a hacker.