Sunday, July 09, 2006

(w)Hole Lot of Firewall Info

It all started with Torpark.

The other day I was experimenting with the newest build of Torpark. This latest version is a wonderful update. Steve Topletz, working with John Haller, has done a remarkable job of packaging it in a standalone mode. I really like it. For the uninitiated, Torpark melds Firefox with TOR (The Onion Router) to provide an "anonymous" IP address for your browsing.

Anyway. I had upgraded ZoneAlarm (free) to v6.5.722.000 a little bit before downloading the latest Torpark version. I'd not had any problems with either application ever before, so imagine my surprise when, after a few minutes of using Torpark, ZoneAlarm alerted me to the fact that its True Vector service had been suddenly shut down. It restarted and seemed fine, but then shut down again. As long as I wasn't running Torpark, ZoneAlarm didn't seem to be having any problems.

The prior version of Torpark also now caused the same behavior. Apparently a change in the latest ZoneAlarm version was causing the issue. Let me say I have no reason to believe that Torpark was behaving maliciously--but I didn't like what I was encountering.

So the simple response would be to just refrain from using Torpark. Or, just cope with True Vector service getting turned off and on while using it.

Well, by now you should know Claus couldn't be satisfied with that.

And thus, I began the process of updating both my software firewall and my knowledge of software firewalls.

I first started using a firewall not too long after we got our first home pc back in 1998. The first application I used for a while was called AtGuard. It worked well. Somehow I ended up coming across Steve Gibson's Shields Up site that tested systems over the Internet for open ports, etc. AtGuard didn't perform well, so I took Steve's advice and began using Zone Alarm. I have been ever since without looking back. It provided inbound firewall protection as well as outbound connection rules and monitoring (good for alerting users to programs attempting to contact the Net).

Today I am using a physical router/firewall to protect the system against inbound attacks. So as far as inbound protection, I really don't need a firewall. But having outbound protection still seems like a no-brainer in case some trojan or other malicious program (heck, it's even nice to know for legitimate programs) is calling home to the mother ship.

I believe in a layered defense for computer security. Very simply, a layered approach like below provides a series of rings that must be passed (up and down) for applications operating on the system. If one is breached (it's hoped) the next layer will catch the problem. It is important that they all work together nicely.

User (might seem silly but the best/worst software protection exists between the user's ears)
Firewall/router (physical)
Firewall (software)
Anti-virus application
Anti-malware application(s)
(maybe) Process-level/integrity monitoring application(s)
Root-kit scanner

A primary problem with software firewalls is that they can be tricked or fooled using any number of techniques. These include DLL injection attacks, process thread injections, and hijacking the launch of an approved web browser. So basically, if your browser (or another firewall "trusted" application) is used by a malicious program, it may slip unchallenged through your firewall--with no alert.
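A small model of that gap, added here as an illustration (it is not code from the original post or from any firewall product): a rule set keyed only on the application name is compared with one that also checks who launched the application and whether another process injected code into it. The process table, connection events, addresses and the name leaktest.exe are all constructed sample data.

```python
from typing import NamedTuple, Optional

class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str

class Conn(NamedTuple):
    pid: int
    dest: str
    injected_by: Optional[int] = None  # pid seen injecting code into this process

TRUSTED_APPS = {"firefox.exe", "thunderbird.exe"}   # apps the user approved
TRUSTED_LAUNCHERS = {"system", "explorer.exe"}      # normal way apps get started

# Constructed process table: pid -> process record.
PROCS = {p.pid: p for p in [
    Proc(4, 0, "system"),
    Proc(900, 4, "explorer.exe"),
    Proc(1200, 900, "firefox.exe"),      # browser started by the user
    Proc(1300, 900, "leaktest.exe"),     # unknown tool the user ran
    Proc(1310, 1300, "firefox.exe"),     # browser started by the unknown tool
    Proc(1400, 900, "thunderbird.exe"),
]}

# Constructed outbound connection attempts.
CONNS = [
    Conn(1200, "example.org:443"),
    Conn(1310, "203.0.113.10:80"),
    Conn(1400, "203.0.113.10:25", injected_by=1300),
    Conn(1300, "203.0.113.10:80"),
]

def per_app_verdict(conn):
    """Name-only rule: a trusted image is allowed with no prompt."""
    return "allow" if PROCS[conn.pid].image in TRUSTED_APPS else "prompt"

def ancestry(pid):
    """Images of every ancestor of pid, nearest first (guards against loops)."""
    chain, seen = [], set()
    pid = PROCS[pid].ppid
    while pid in PROCS and pid not in seen:
        seen.add(pid)
        chain.append(PROCS[pid].image)
        pid = PROCS[pid].ppid
    return chain

def context_verdict(conn):
    """Rule that also checks injection and the launch chain."""
    if per_app_verdict(conn) == "prompt":
        return "prompt", "untrusted application"
    if conn.injected_by is not None:
        return "prompt", f"code injected by {PROCS[conn.injected_by].image}"
    for image in ancestry(conn.pid):
        if image not in TRUSTED_LAUNCHERS:
            return "prompt", f"launched via {image}"
    return "allow", "trusted application, trusted launch chain"

def silent_leaks(conns):
    """Connections the name-only rule lets out that the context rule challenges."""
    leaks = []
    for conn in conns:
        verdict, reason = context_verdict(conn)
        if per_app_verdict(conn) == "allow" and verdict == "prompt":
            leaks.append((PROCS[conn.pid].image, conn.dest, reason))
    return leaks

if __name__ == "__main__":
    for leak in silent_leaks(CONNS):
        print(leak)
```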

This is why a hardware firewall/router is a great solution for inbound protection (from the Net to your pc) but (in a standard configuration) isn't as good for guarding against malicious outbound traffic. Unless properly configured, it can let important traffic out (including your SSN, banking info, bot net using bandwidth, etc.) from your pc without blocking.

So, it seemed a good idea to go back and do some research as I re-evaluated my software firewall choices.

Hardware Firewall/Router Tweaking

The first thing I did was to revisit GRC's Shields Up and run a port scan. A quick test found two problems with my router's configuration. First, I had to manually "stealth" Port 113. Next, I had to set my router to discard ping requests from outside (WAN) instead of responding to them. It makes sense to ping up from your system to your router and the Net, but since my router sits behind the cable modem, the broadband guys (and anyone else) can ping the local router for troubleshooting and everything else, but any unsolicited packets just die into a black-hole if they get to the router/firewall. Nice.

Reading up about software firewalls.

PC Flank - I started on this informative site. Andrew Cooper has written some great and easy-to-read articles about a variety of security subjects. There are a number of articles here about firewalls, leak tests, and firewall comparisons. Plus he has general pc security articles also.

Firewall Leak Tester - This was my second stop for information. Guillaume Kaddouch provides extensive information about leak tests and how some of the most popular software firewalls (free and $$) stack up against them. It is a very interesting site. I downloaded all 19 leak tests (much to my anti-virus program's displeasure). Note, the posted test results do not necessarily reflect the latest version releases of many of those firewall applications tested.

Using Kaddouch's list (and a few reviews) I narrowed down my potential choices for a freeware firewall replacement to the following candidates:

ZoneAlarm Free - It's what I was currently using.
Sunbelt Kerio Personal Firewall - It's what Steve Gibson at GRC has been recommending now instead of ZA.
Jetico Personal Firewall - Passed almost all leak-tests according to what I read.
Comodo Personal Firewall - Found a number of glowing reports in forums, as well as getting a glittering review in PC Magazine.

If you are curious, more firewalls can be found listed in a forum at Wilders Security.

I was only choosing from freeware firewall applications. There are a number of commercial firewall applications as well that received high ratings and you can find them in the links I've provided including at Firewall Leak Tester.

Firewall Testing.

My initial plan was to create a virtual machine of XP that I could run and install these applications for testing. I still would recommend this, but I didn't have the time I expected so I just got daring and installed and tested them directly on my running system. I don't recommend doing this--bad things can happen, but I was feeling brave and I did obtain "real-world" performance results.

First I downloaded all 19 of the leak test tools from over at Firewall Leak Tester. I had to disable my "real-time" anti-virus scanner as it kept alerting on a number of these tools. The tools aren't "bad" but because they do what virus-scanners check for, many may alert. I also wanted to keep an eye on the memory usage requirements of the firewalls so I used Process Explorer for that task.

ZoneLabs Free - I started with ZoneLabs since it was already installed and running on my system. It uses two processes: zlclient.exe (6644K) and vsmon.exe (22,928K). I quickly discovered that it failed almost all of the leak tests--miserably. Not good at all.

One of the tests that was particularly shocking to me was PCAudit. It provided (via email as I requested) a list of what I typed in a text field, a list of files/folders in my "My Documents" folder, a screen shot of my desktop, as well as my computer name, IP address and user account I was logged in under. Yikes!

Zone Alarm Free looked like it was on its way off my systems. Bummer.

Sunbelt Kerio Personal Firewall - Installation went easily. Memory usage appeared to be confined to three processes: kpf4ss.exe at 14,304K, and two instances of kpf4gui.exe at 5,856K and kpfgui.exe at 9,472K. This was more than ZA, but certainly not a deal-breaker.

I had learned that when installing Kerio, if you select "Simple" mode, it only acts as an inbound firewall, but lets all outbound traffic out unchallenged. Not good if you are primarily interested in "leak" monitoring like I am. It passed a majority of leak-tests I tossed at it--though not all. I really liked the clear listing of applications (like in ZoneAlarm) and what they were allowed to do. It also comes with additional Internet monitoring features. The interface was pretty intuitive. It comes with a slew of additional monitoring features, some of which shut down when the program reverts to "free" mode after 30 days. Two extra items I really liked were the ability to import and export the Kerio settings. ZA Pro allows this but not the free version. This is a really great feature. It also monitors and knows when one application tries to launch another one out to the web.

I highly encourage anyone interested in switching to this program to download and read the informative (PDF) Sunbelt Kerio Personal Firewall User's Guide Sunbelt offers.

Comodo Firewall - As I had previously mentioned, PC Magazine recently gave a gushy review of this "newcomer" to the freeware firewall software field. The article is heavy on screenshots so it is a good place to get an overview.

Installation went smoothly. No problems. After installation I found two processes: cpf.exe at 30,972 K and clptray.exe at 5,136 K. Again, not exactly "tiny" but acceptable. The interface was ok and the activity prompt warnings seemed informative for deciding to allow or not. It seemed to pass all the leak-tests I tossed at it with flying colors. One of the benefits of this program is that it carries a list of "trusted" applications and doesn't prompt the user when these run. In addition it looks like it can run a manual scan of your Program Files folders looking for more.

I did find a couple of issues that caused me to be concerned. First, the firewall does not provide a system tray icon to show Internet activity. I just like to see it there. Second, despite all my attempts and tips from forums, I could not get Comodo to play nicely with my AVG email scanning plugin. Yes, I could disable that feature in AVG but as email is a likely vector for virus/trojan attack in our family (pre-teen child) I just wasn't comfortable with that. Finally, I never could find an application list of which applications/rules were established in the firewall system in case I wanted to go back and change them. While not deal-breakers for all users, I just wasn't satisfied with those deficiencies. To give credit to the developers, I found them to be very active across a wide variety of security forums seeking feedback and offering advice. I think they are working hard to make a trusted and valuable product. I'm keeping an eye on this one.

Jetico Personal Firewall - This application installed quickly and easily. It runs a single process named fwsrv.exe in the 8472 K memory range. Sweet. I had downloaded and reviewed the help file first which I found to have a good bit of documentation.

I ran the battery of leak-tests and it blocked them all. Good sign. It was pretty chatty. There are a number of choices you have to make when prompted, and it can be a little overwhelming. The GUI interface is sparse but does provide you with the important items easily. It took me a while of re-reading and digging to find my way to the application/rule list to make some rule changes, but once done was fine. I had to reboot my system several times to get all the auto-runs to launch their attempts before I had all the rules set. Jetico also monitors on-board processes so it is likely you will get prompted to allow/deny some activity that doesn't have anything to do (on the surface at least) with Internet activity. That's a good thing if you are security minded, but annoying if not.

Wilders Security Forums has a great post thread "Jetico making me crazy" that was very useful to understanding what to select and how to navigate the application.

Final Loads

So which software based firewall did I switch to? Well, I ended up choosing two.

Jetico Personal Firewall - Selected for implementation on our desktop system.

I chose this one for a number of reasons: it's light on memory and I only have 512MB system RAM, it had superior process monitoring and leak blocking, and it plays well with my AVG program. Drawbacks are that it requires a more "advanced" level of systems knowledge in deciding what actions to allow/disallow. The benefit of having a good clean system is that most all processes can be allowed up-front and only questioned after new software or files are downloaded and installed. I'm having to give Alvis more time while she is on the pc while Jetico learns what is good, but that's ok. It eventually does quiet down--just takes a longer time to happen.

Sunbelt Kerio Personal Firewall 4 - Selected for implementation on our laptop system.

I chose this one for the laptop because with 1GB of RAM, I'm not worried about memory issues. It also plays well with AVG. Finally the interface and activity prompts are much more "user friendly" than Jetico--which is great as Lavie and Alvis use the laptop pretty intensively. It's much easier for them to use.

I haven't given up hope for Comodo Personal Firewall and will continue to keep an eye on it. Once I get my virtual pc set up, I will be able to easily test out newer releases of it and get to know it a little better.

So there you have it. I've found a much more secure firewall than ZoneAlarm Free and no small animals or systems were harmed in the process. I'll keep you updated as I continue to use them if I encounter anything interesting.

And ZoneAlarm Free? I might still recommend it to noobies. It is pretty easy to use and does a good job on protecting against inbound traffic (for those users without a hardware based router/firewall solution). The messages aren't too confusing and the control panel is easy to navigate and make changes to. But advanced users can now pick from a wide range of more leak-proof firewall offerings.

More Discussions:

Jetico vs Comodo - Wilders Security Forums
Comodo Firewall - Wilders Security Forums

Get your blockage on!
--Claus

9 comments:

Anonymous said...

Grand Street has been great reading lately.

I'm still not using a software firewall aside from what comes in XP SP2. I have a hardware firewall, a Linksys WRT54G, that DMZ's all incoming ports to a nonexistent IP, except for SSH/22 that goes to my linux box.

This article has given me something to think about, though, and I'm going to investigate using one of the programs you recommend.

Anonymous said...

You must be really busy Simon.

Where do you find the time?

http://www.google.com/search?q=simon+scatt

Anonymous said...

nice article. what brought me here was zone alarm shut down with torpack running. i googled my problem and came to ur page. i was aware of grc web page. i shut my firewall off and went to the pcaudit. like you, i think za free doesnt do as much as it once did. now i have to decide where to go from there, think ill look at those programs u listed here and give them a try, tnx martin

Anonymous said...

Hi martin,

I never could figure out 100% what was wigging out ZoneAlarm when using TorPark. It only started happening after I had upgraded the version of ZoneAlarm. Older versions of TorPark had the same effect so it was something in ZoneAlarm itself. TorPark cycles the IP proxy address periodically. Maybe ZA couldn't keep up with the rotating proxy address changes. Didn't seem to harm anything, and would eventually get back on track, but that killed my confidence level.

Besides, as I posted, I think there are better solutions available now, besides just ZA.

Thanks for stopping by!

Anonymous said...

After you installed the Jetico and Sunbelt firewalls, did you test them with Steve Gibson's ShieldsUP while Torpark was running? I have ZoneAlarm installed and when I run Torpark, ShieldsUP Shows several open ports. When I use regular Firefox, ShieldsUP shows all the ports stealthed. This is what they said on the Torpark site: "The port scans that are going on are not really scanning you, but scanning the tor exit node. No worries." What do you think? Thanks for the great article.

Anonymous said...

Good question! I hadn't checked TorPark with them against GRC's ShieldsUp.

I just did a quick test and got full stealth from GRC on my Jetico system using the latest release of TorPark. I don't have time tonight to pull out the laptop and check it (running Sunbelt Kerio). (It did "fail" in that the IP provided by TorPark responded to the GRC ping test. That's not a fault of the firewall or TorPark, just how it is configured, but ports were stealthed.)

If I have more time this weekend I will try to repost with more details.

Glad you found the article useful.

Anonymous said...

From what I've read, the reason that Comodo passes all leak tests, is that the design is based mainly on such tests, so it is specifically geared to pass them. This doesn't necessarily mean that it's more secure against real threats - the detailed report I read suggested that some of the others may have a more robust security model. Check out http://www.matousec.com/projects/windows-personal-firewall-analysis/ for some interesting views

Still trying to track down the torpark/zonealarm issue...

Anonymous said...

I'm not a programmer or high-level firewall expert...not by any means.

You've touched on one of the reasons why I think it is so important to get a wide range of background before making a decision.

I can't say whether or not Comodo (or any of the others for that matter) specifically design their firewalls to pass known and popular leak-tests. However that is always a possibility folks need to keep in mind.

You've kinda beat me to the punch here, but I have a collection of updated firewall related links I'm planning to post very soon.

Information on the Matousec website is very helpful as you have pointed out.

I've been a bit "disappointed" to hear about the vulnerabilities reported recently in some of the more popular firewalls of late by Matousec:

Another method to bypass Outpost Self-Protection (2007/01/15 20:57)

Kerio firewall vulnerable to DLL injection (2007/01/01 13:45)

Comodo Firewall not much better than others (2006/12/19 17:49)

Bypassing process identification of several personal firewalls and HIPS (2006/12/15 18:53)

FYI, I'm still running all our systems safely behind a configured hardware based firewall/router....and right now have Kerio on both of my systems. My other family members find it much easier to deal with than Jetico...and it runs "lightly".

Which points out that for most users--especially non-techie ones--one of the most important issues in picking a personal software based firewall is to find one that has a good overall balance between two key factors: outbound/inbound security design and function and an interface/alert prompting that makes it useful.

If it is highly effective--but downright confusing, a home user might abandon it. If it is so simple--it might also be too weak to be effective.

I am looking forward to a final release of Jetico Personal Firewall version 2 (beta) as the newest version is currently still in Beta.

Finally, like I'm sure you know, firewalls should be just one layer in a pc-security defense line. Every system should have (in my opinion) a firewall, an active/updated AV scanner, maybe a process/registry guard system. And then the user should run frequent anti-malware/rootkit scans as well. Hopefully this model will balance out and protect weaknesses any one component might have by itself.

It's a bit of work, but there is lots of junk out there trying to creep onto home user's system and compromise it for its own ends....

Thanks for stopping by and keep an eye out for the updated firewall post soon.

And I haven't figured the Torpark/ZA issue either...but since I'm now using Sunbelt's Kerio...I haven't had any more issues, nor did I with Jetico.
