FireWall.net - Guide to install & configure a PC FireWall

Tests of Conseal Firewall


A - Security Effectiveness Tests

Key criteria in choosing a personal firewall are:

  • Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC?

  • Price.

How did we test firewall/intrusion detection effectiveness?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

  3. An nmap [1] scan was run to check that incoming ports were effectively blocked. With no firewall installed, nmap found the open ports listed in the results below (the command used was nmap -sT -P0 -O IP_ADDR).


B - Overview

The Conseal firewall [3] is full of interesting features:

  • Filters ALL packets. For example, you can deny outbound web pages on Ethernet device 1 or all inbound email connections from network X over dialup only.

  • Controls access to networking resources: complete access control according to IP address, service, device and direction. For example, you can allow inbound FTP connections from Ethernet device 1 for only three chosen IP addresses.

  • Activates rulesets only for specific applications.

  • Filters all packet types at the device (link layer) level, including IP (TCP, UDP, etc.), NetBEUI, IPX, ARP, etc.

  • No special-purpose plug-ins or add-ons have to be installed to let applications or services pass through the firewall.

  • Constant monitoring: works quietly in the background while you use your system, constantly monitoring all traffic in or out of your PC.

  • Optional password protection of rulesets.

  • Rulesets can be exported or transferred between systems with virtually no changes, making universal "corporate" rulesets feasible.

  • Complete logging services: log files record all network activity to help you track down important events.
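The rule vocabulary above (address, service, device, direction, plus a priority number that orders the rules) is what makes a first-match packet filter both powerful and easy to get wrong. The block below is an added example written for this page, not Conseal code and not a description of its internals: a small Python model of such a filter. The rule fields, the convention that a lower priority number is evaluated first, and the sample rules and packets are all assumptions made for the illustration.

```python
"""Added example, not Conseal's code: a small packet-filter model that evaluates
rules by explicit priority and matches on direction, device, protocol, remote
address and destination port. The priority convention (lower number evaluated
first), the ruleset and the packets are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out"
    device: str                  # "eth1", "dialup", ...
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    priority: int                # assumed convention: lower number wins
    action: str                  # "allow" or "deny"
    direction: str = "any"
    device: str = "any"
    proto: str = "any"
    remote: str = "0.0.0.0/0"    # CIDR of the remote end of the packet
    dport: Optional[int] = None  # None matches any destination port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        remote_ip = ip_address(p.src if p.direction == "in" else p.dst)
        return (self.direction in ("any", p.direction)
                and self.device in ("any", p.device)
                and self.proto in ("any", p.proto)
                and remote_ip in ip_network(self.remote)
                and (self.dport is None or self.dport == p.dport))


def ordered(rules):
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules, packet, default="deny"):
    """First matching rule in priority order wins; unmatched traffic is denied."""
    for rule in ordered(rules):
        if rule.matches(packet):
            return rule.action, rule
    return default, None


def explain(rules, packet):
    """Every rule that matches, in evaluation order: the first one decided the
    packet's fate, the rest were shadowed by it. Run this when a packet is
    blocked although an allow rule appears to cover it."""
    return [r for r in ordered(rules) if r.matches(packet)]


def with_priority(rules, old, new):
    """Copy of the ruleset with the rule numbered `old` moved to priority `new`."""
    return [replace(r, priority=new) if r.priority == old else r for r in rules]


# Constructed ruleset (remote addresses from the 192.0.2.0/24 documentation
# range): inbound ping blocked; outbound NetBIOS name service (UDP/137) denied
# and logged; at a lower priority all outbound UDP over the dialup device
# allowed; inbound FTP on eth1 allowed from three chosen hosts only.
RULES = [
    Rule(5, "deny", direction="in", proto="icmp", log=True),
    Rule(10, "deny", direction="out", proto="udp", dport=137, log=True),
    Rule(20, "allow", direction="out", device="dialup", proto="udp"),
    Rule(30, "allow", direction="in", device="eth1", proto="tcp", remote="192.0.2.10/32", dport=21),
    Rule(31, "allow", direction="in", device="eth1", proto="tcp", remote="192.0.2.11/32", dport=21),
    Rule(32, "allow", direction="in", device="eth1", proto="tcp", remote="192.0.2.12/32", dport=21),
]

PING_IN = Packet("in", "eth1", "icmp", "192.0.2.50", "192.168.1.5")
FTP_OK = Packet("in", "eth1", "tcp", "192.0.2.11", "192.168.1.5", 21)
FTP_BAD = Packet("in", "eth1", "tcp", "192.0.2.99", "192.168.1.5", 21)
NBNS_OUT = Packet("out", "dialup", "udp", "192.168.1.5", "192.168.1.255", 137)
DNS_OUT = Packet("out", "dialup", "udp", "192.168.1.5", "192.0.2.53", 53)


def decide(packet, rules=RULES):
    return evaluate(rules, packet)[0]


if __name__ == "__main__":
    for name, pkt in [("ping in", PING_IN), ("ftp ok", FTP_OK), ("ftp bad", FTP_BAD),
                      ("udp/137 out", NBNS_OUT), ("udp/53 out", DNS_OUT)]:
        action, rule = evaluate(RULES, pkt)
        print(f"{name:12} -> {action:5} by {rule.priority if rule else 'default'}")
    # The UDP/137 deny at priority 10 shadows the broad "allow all UDP on dialup":
    print([(r.priority, r.action) for r in explain(RULES, NBNS_OUT)])
```

The explain() call is the part worth keeping: when a packet is blocked even though an allow rule seems to cover it, listing every matching rule in priority order shows which earlier rule shadowed it, and with_priority() lets you test a reordering before touching the live ruleset.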

C - Prices

Extracts from the Signal9 (Conseal) site:

    Version                                                 Price ($ US)
    ConSeal PC Firewall v2.09 Win9x/ME                          $49.95
    ConSeal PC Firewall v2.09 Workstation NT/2000              $150.00
    ConSeal PC Firewall v2.09 Server NT/2000                   $295.00
    ConSeal PC Firewall v2.09 Win9x/ME with CD                  $59.95
    ConSeal PC Firewall v2.09 Workstation NT/2000 with CD      $160.00
    ConSeal PC Firewall v2.09 Server NT/2000 with CD           $305.00

D - Security Effectiveness

  1. Ping: blocked.

  2. The Netbus server: Conseal neither stops the Netbus server from being started nor warns the user about it. However, the attempt to connect to the Netbus server from the remote system pops up the usual dialog box asking the user to allow or deny access to the port in question.

  3. An nmap scan without Conseal (Windows 2000 with a "standard" installation, i.e. NetBIOS active and so on):

    $ nmap -sT -O -P0 -v -T5 IP_ADDR

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds

  4. The same nmap scan with Conseal running (Windows 2000, "standard" installation with NetBIOS active) and the "Cable/DSL" ruleset loaded produces hundreds of logged events; nmap itself reports no open TCP ports and 1146 filtered ports, and cannot guess the operating system version. The logs record the blocked connections one by one but never identify the activity as a scan or as nmap. As protection this is excellent. Note that the run reproduced below, with the aggressive -T5 timing, gave up on the host after 75 seconds: every probe is dropped silently instead of being answered, so nmap reaches its host timeout before it completes the port list.

    $ nmap -sT -O -P0 -v -T5 IP_ADDR

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Skipping host (IP_ADDR) due to host timeout

    Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds

  5. An nmap scan with Conseal (Windows 2000, "standard" installation with NetBIOS active) gives:

    • no result, with the ruleset provided on this site;

    • no result, but the events are logged, with the verbose ruleset;

    • hundreds of logged events and dialog windows, with the default ruleset.

Therefore tight, effective security is possible with Conseal, if it is configured correctly.
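Conseal logs each blocked connection as a separate event but never concludes that the hundreds of events produced by one nmap run are a scan. Aggregating those events yourself is straightforward; the block below is an added example written for this page (not Conseal code) that does so in Python. Because the page does not show Conseal's log format, the line format and the sample log lines are constructed, and the 60-second window and 10-port threshold are arbitrary starting points.

```python
"""Added example, not part of the original page or of Conseal: a scan detector
that does what the review says the firewall's log does not, namely aggregate
individual blocked-connection events per source address and rate the result.
The log line format and the sample lines are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed format: "<timestamp> BLOCK <dir> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<dir>in|out) "
    r"(?P<proto>tcp|udp|icmp) (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]


def parse(lines):
    """Parse well-formed lines; anything else is skipped rather than crashing the detector."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["dir"], m["proto"], m["src"], m["dst"],
                            int(m["dport"]) if m["dport"] else None))
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Flag a source that hits at least min_ports distinct destination ports
    within any window of the given length. Returns one alert per offending
    source, with the coarse severity rating the review finds missing."""
    by_src = defaultdict(list)
    for e in events:
        if e.direction == "in" and e.dport is not None:
            by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best, best_span, start = 0, None, 0
        for i, cur in enumerate(evs):
            while cur.ts - evs[start].ts > window:   # slide the window forward
                start += 1
            ports = {e.dport for e in evs[start:i + 1]}
            if len(ports) > best:
                best, best_span = len(ports), (evs[start].ts, cur.ts)
        if best >= min_ports:
            severity = "high" if best >= 100 else "medium"
            alerts.append({"src": src, "ports": best, "first": best_span[0],
                           "last": best_span[1], "severity": severity})
    return alerts


# Constructed sample: one host sweeping 15 ports in 15 seconds, the same host
# touching one other port an hour earlier (outside the window), a neighbour
# retrying a legitimate NetBIOS session twice, a NetBIOS name-service
# broadcast, and a junk line that must not break parsing.
SCAN_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 111, 135, 139, 143, 443, 445, 1025]
SAMPLE_LOG = (
    ["2001-05-14 21:10:00 BLOCK in tcp 203.0.113.7:40000 -> 192.168.1.5:8080"]
    + [f"2001-05-14 22:10:{i:02d} BLOCK in tcp 203.0.113.7:{40001 + i} -> 192.168.1.5:{p}"
       for i, p in enumerate(SCAN_PORTS)]
    + ["2001-05-14 22:11:30 BLOCK in tcp 192.168.1.9:1031 -> 192.168.1.5:139",
       "2001-05-14 22:11:33 BLOCK in tcp 192.168.1.9:1032 -> 192.168.1.5:139",
       "2001-05-14 22:12:01 BLOCK in udp 192.168.1.9:137 -> 192.168.1.255:137",
       "this line is not a firewall event"]
)


def sample_alerts():
    return detect_scans(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a['severity']:6} {a['src']} probed {a['ports']} ports "
              f"between {a['first']} and {a['last']}")
```

Only the sweeping host is reported; the neighbour retrying port 139 and the broadcast stay below the threshold, and the port-8080 hit an hour earlier does not count because it falls outside the window. Tune the window and threshold to your own traffic before trusting the severity label.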

E - Advantages

  1. Rules can be applied to specific dialup connections.

  2. Rules can be password-protected.

  3. "Learning mode" should make it easier for the user to get the initial rules he/she needs installed. This mode can be interactive or automatic.

  4. The logging window is useful. The maximum log size can be set and its directory (but not its name) changed.

  5. Rules can be saved, loaded and exported to text format.

F - Disadvantages

  1. Expensive for NT/Win2K users.

  2. The GUI is not the easiest to use.

    • Netmasks and port ranges could be better presented.

    • Using rule priority numbers is not trivial to grasp. Why are rules not listed in numerical order?

    • The number of rules can be large and confusing.

    • Creating rules to deal with broadcasts is not easy.

    • Despite enabling "unchecked learning mode" (where appropriate rules should automatically be generated), UDP/137 packets were blocked.

    • Despite adding a rule allowing all UDP ports on an active dialup connection, outgoing UDP/137 was still being blocked: rules can collide and create confusing effects that are annoying to correct.

    • The dialog which prompts the user to add new rules needs improvement. A communication can be allowed/blocked for this session or forever. But there is no option to set port/IP ranges, associate an application, associate this network interface only, allow all UDP or TCP communications to/from this host, etc. The details dialog is useful but terse. UDP traffic on high ports can be a real pain (many alerts on different ports creating many different rules).

    • Associating an application with a rule could be easier; no application details are shown, just a lookup list of cryptic names corresponding to running tasks. Since only the application name (not path or a cryptographic hash of the application executable) is checked, it would not detect Trojans pretending to be a trusted application.

  3. There are no corporate features such as centralized alerting, policy updates, rollout or lockdown.

  4. Rules cannot be applied to specific LAN adapters on the Conseal Win2K/NT Workstation version. Rules can be specified per adapter in the Windows 9x/ME and 2K/NT Server editions.

  5. Constant (annoying) beeping of the computer speaker when alerts are detected. To fix this, remove "warning" from the rules and activate "logging" instead.

  6. There is no concept of "trusted addresses" (from which the workstation should accept all traffic).

  7. The log cannot be browsed. The Log window shows recent events, but once cleared, previous events cannot be viewed.

  8. Intrusion detection is poor:

    • Log events don't have any kind of severity rating.

    • Scans are not detected, only connections to individual ports.

    • No options for tracing the attacker source are provided.

    • It is very difficult for non-expert users to understand what the log entries actually mean.
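Point 2 above notes that Conseal checks only an application's name, so a Trojan renamed to match a trusted program is accepted. The difference between identifying a program by name, by path and by a cryptographic hash of its bytes is easy to show; the block below is an added Python example written for this page (not Conseal code), with constructed file names and file contents standing in for real executables.

```python
"""Added example, not Conseal's code: an application allowlist that identifies a
program by the SHA-256 of its executable rather than by its name, and a
demonstration of why a name-only check is bypassable. All file names and
contents are constructed; the "executables" are just a few bytes each."""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class AppAllowlist:
    """Three ways of deciding whether a process is a trusted application,
    from weakest to strongest."""

    def __init__(self):
        self._by_name = set()   # what a name-only check remembers
        self._by_path = set()   # absolute path of the trusted binary
        self._by_hash = {}      # absolute path -> digest at trust time

    def add(self, path):
        path = os.path.abspath(path)
        self._by_name.add(os.path.basename(path).lower())
        self._by_path.add(path)
        self._by_hash[path] = sha256_file(path)

    def trusted_by_name(self, path):
        # Accepts any file that happens to carry the same name.
        return os.path.basename(path).lower() in self._by_name

    def trusted_by_path(self, path):
        # Defeats a copy elsewhere, but not an in-place replacement.
        return os.path.abspath(path) in self._by_path

    def trusted_by_hash(self, path):
        # The binary must be the exact bytes that were trusted.
        expected = self._by_hash.get(os.path.abspath(path))
        if expected is None:
            return False
        return hmac.compare_digest(expected, sha256_file(path))


def demo():
    """Verdict of each check against a renamed Trojan and against an
    in-place replacement of the trusted binary (constructed files)."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "Program Files", "browser.exe")
        fake = os.path.join(tmp, "Downloads", "browser.exe")
        for p in (real, fake):
            os.makedirs(os.path.dirname(p))
        with open(real, "wb") as f:
            f.write(b"MZ legitimate browser build 1.0")   # constructed content
        with open(fake, "wb") as f:
            f.write(b"MZ remote-control backdoor")        # constructed content

        allow = AppAllowlist()
        allow.add(real)
        verdict = {
            "name_trusts_renamed_trojan": allow.trusted_by_name(fake),
            "path_trusts_renamed_trojan": allow.trusted_by_path(fake),
            "hash_trusts_renamed_trojan": allow.trusted_by_hash(fake),
            "hash_trusts_real_binary": allow.trusted_by_hash(real),
        }
        # Now overwrite the trusted binary in place, keeping name and path.
        with open(real, "wb") as f:
            f.write(b"MZ remote-control backdoor")
        verdict["path_trusts_replaced_binary"] = allow.trusted_by_path(real)
        verdict["hash_trusts_replaced_binary"] = allow.trusted_by_hash(real)
        return verdict


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:30} {result}")
```

The name check is the only one that accepts the renamed backdoor, and the path check is the only other one that still accepts the real binary after its contents were swapped; only the digest catches both cases. A real product would also need to re-hash on every launch and to trust the hash store itself (the password-protected ruleset is the natural place for it).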

G - Suggested Improvements

  • Overhaul the rules interface and the dialog which prompts users for learning mode rules.

  • Allow the user to change the order of columns listed in the rules window.

  • Create a list of sample rules that the user can add/remove. Rules that are easy for users to understand, like: "Allow computer to be visible in Network Neighborhood," "Allow other hosts to detect your presence (ping)," "Allow Filesharing," "Allow accessing of remote Fileshares," etc.
    Note: sample rulesets are available from http://www.consealfirewall.com/buildblk3.htm

  • It would be useful to change rule order by drag and drop.

  • A separate single dialog for editing existing rules would be better than using the "new rule wizard."

H - Summary

A powerful, flexible firewall that expert users may well appreciate. Could be much easier to use, though.

Corporate users may be interested in features such as password-protecting of rules and exporting/importing of rulesets. However, remote policy changes, centralized logging/alerting, centralized rollout and enabling of selected GUI features are not supported.

I - References

  1. Nmap - Network Mapper, an efficient tool for checking networks
    http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    http://www.netbus.org/

  3. Conseal Firewall
    http://www.consealfirewall.com/

This site is copyright Chryjs 1999-2001, all copies forbidden.