Firewall Net	tests, installation & configuration

" Esafe " Tests of Esafe Firewall -->

Choice
? Tests
? Install
? Configure
? Checking
? FAQ

Firewall Windows
.	ZoneAlarm
.	Tiny
.	LookNStop
.	Norton
.	Private firewall
.	Sygate
.	WinRoute
.	BlackIce
.	Conseal
.	WinGate
.	AtGuard

Firewall Linux
.	ipchains
.	iptables

Firewall Mac
.	Netbarrier
.	Others

Other
.	Nuke
.	Backdoors

? Checking
? Compare
? Directory
? Forum
? Thanks
? Statistics

Contact Firewall Net
e-mail

Tests of Esafe

A - Security effectiveness Tests

Key criteria in choosing a personnal firewall are :

Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.
Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.
User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?
Price.

How did we test firewall/intrusion detection effectiveness?

Ping and accessing shares to and from the test host.
A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.
An nmap [1] scan was run, to check that incoming ports were effectively blocked. With another local PC launching nmaps againts the test PC and the following options (nmap -v -sT -P0 -O IP_ADDR).
An nmap [1] scan was run, to check that incoming ports were effectively blocked. With another local PC launching nmaps againts the test PC and the following options (nmap -v -sP -P0 -O IP_ADDR).
A test using Leaktest [4] was done.
We checked the system ressource usage of the firewall during the tests (just in case).
We tried to launch a modified (by us) release of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE ) to check if the firewall detects the problem.
Test (with nmap [1]) to check if the firewall is statefull or filtering only.

NB : These tests do not pretend to be exhaustives. By the way the aim is to be sure that the tested software offers at least expected security (or not) for a personnal use (do not compare this to professional use).

Jump to the test results.

B - Overview

The Esafe v 3 firewall [3] is full of interesting features :

Many tools : Cookie manager, application "sandbox" (protection), Microsoft shares protection, private firewall
Network software detector,
Download size : 9.9 MB

C - Price

Free for private (home) use.

D - Security Effectiveness

Ping: Possible at all levels (even "Total"). The result of this test is bad.
The Netbus server: Esafe do detect the Netbus server when started, if you don't enable it Netbus will complain about busy ports. The result of this test is good.
An nmap scan without Esafe (on Win 2000 OS SP1 with a "standard" installation, it means NetBios active and so on) :

$ nmap -v -sT -P0 -O IP_ADDR

Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 445 (state open).
Adding TCP port 135 (state open).
Adding TCP port 1025 (state open).
Adding TCP port 913 (state open).
Adding TCP port 139 (state open).

The TCP connect scan took 0 seconds to scan 1523 ports.

For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled

Interesting ports on (IP_ADDR):
(The 1518 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
913/tcp open unknown
1025/tcp open listen

TCP Sequence Prediction: Class=random positive increments
Difficulty=6634 (Worthy challenge)

Sequence numbers: 747E9CE8 747F63FC 74800BF5 7480E3FE 7481BC4F 7482B3B2

Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

Gloups : you'd better have a firewall installed :+) !!!

An nmap TCP scan with Esafe (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) with hich security level (Total) :

$ nmap -v -sT -P0 -O IP_ADDR

Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 445 (state open).
Adding TCP port 135 (state open).
Adding TCP port 1025 (state open).
Adding TCP port 139 (state open).

The TCP connect scan took 0 seconds to scan 1523 ports.

For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled

Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen

TCP Sequence Prediction: Class=random positive increments
Difficulty=6634 (Worthy challenge)

Sequence numbers: 747E9CE8 747F63FC 74800BF5 7480E3FE 7481BC4F 7482B3B2

Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds

This means that with these options alls port remains opened and access attempt are not logged ! This is a bad result.
An nmap UDP scan with Esafe (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) :

$ nmap -v -sU -P0 IP_ADDR

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (IP_ADDR) appears to be up ... good.
Initiating UDP Scan against (IP_ADDR)
The UDP Scan took 4 seconds to scan 1453 ports.
Interesting ports on (IP_ADDR):
(The 1453 ports scanned but not shown below are in state: closed)

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

This means that the security seems efficient for UDP, but there's nothing in the log. This is an average result.
The Leaktest : Esafe do detect the software start and unless you autorize it, it won't be able to connect. It's a good result.
Esafe 3.0 uses up to 1% of CPU and 3.6MB of memory up to 3.9 MB peek.
The substitution test : (you can do it by yourself for example : you replace Iexplorer.exe with leaktest.exe - yes this one - by renaming the last one and launch it). Esafe does not detect the trojan attempting to connect. This is a bad result.
The statefull test : Not done.

E - Advantages

Simple to install it.
Price !

F - Disadvantages

No protection, too bad !
Esafe cannot be configured to ignore ping from unknown sources.
Esafe cannot makes any difference between local network connexions and Internet connexions.
Esafe generate a bug when closing IE 5.01 , a window open with "Memory error at ..."
The GUI could be much more easy to use (messy Advanced configuration).

G - Suggested improvements

Correct the problem of no filtering (except UDP) !
Improve the Help (too messy, no answer on how to debug a problem).
Improve the GUI.

H - Summary

This tool could be a good one. But it provides absolutely no protection.

Evaluation :

Installation process (2) : 10/20
Configuration , GUI (3) : 8/20
Filtering security (5) : 0/20
Additionnal security (3) : 5/20
Software load and memory usage (2) : 12/20
Import/Export configuration (2) : 0/20
Help , FAQ (2) : 5/20
Product internationalization (1) : 15/20

Total : 5.4 / 20

Note : the result may be modified with the release , and when adding new criteria or re-evaluating their weight or their content.

I - References

Nmap - Network mapper, a really efficient tool to check networks
http://www.insecure.org/nmap
Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
http://www.netbus.org/
download
Esafe
http://www.esafe.com/
Leaktest - Small testing software written by Steve Gibson to check firewalls. It makes a simple TCP (ftp) connexion that simulate sennding of personnal content, which can also be used to take remote controle in reverse mode (arg).
http://grc.com/
download