FireWall.net - The guide to firewall installation and configuration
 

Tests of Looknstop Firewall

 

A - Security effectiveness Tests

Key criteria in choosing a personal firewall are:

  • Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?

  • Price.

How did we test firewall/intrusion detection effectiveness?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

  3. An nmap [1] scan was run, to check that incoming ports were effectively blocked. With no firewall installed, nmap detected the OS version (NT4 SP5) on the test PC and the following open ports (nmap -sT -P0 -O IP_ADDR).


 

B - Overview  

The Looknstop firewall [3] is full of interesting features :

  • Control access to networking resources: complete access control according to IP address, service, device and direction. For example, you can allow inbound FTP connections from Ethernet device 1 for only some chosen IP addresses (using mask definitions or other means).

  • Filters all services - filters file and printer shares, protocols that use Winsock (e.g. SMTP, HTTP), operating system services (e.g. ping, rip, FTP, Telnet).

  • You don't have to install special-purpose plug-ins or add-ons to enable applications or services to pass through this firewall.

  • Constant monitoring - works quietly in the background while you use your system, constantly monitoring all traffic in or out of your PC.

  • Rulesets can be exported or transferred between systems with virtually no changes, making universal "corporate" rulesets feasible.

  • Complete logging services - Log files record all network activity to help you track down important events.

  • Low level rules - MAC address (physical layer) rules can be defined and applied, really useful for some LAN operations.

 

C - Prices 

Free !!!

 

D - Security Effectiveness

  1. Ping: blocked.

  2. Netbus Test.

  3. An nmap scan without Looknstop (on Windows 2000 with a "standard" installation, i.e. with NetBIOS active and so on):

    $ nmap -sT -O -P0 -v -T5 IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds

  4. An nmap scan with Looknstop (on Windows 2000 with a "standard" installation, i.e. with NetBIOS active and so on) and the standard ruleset provided gives thousands of logged events; Nmap itself reports no open TCP ports and 1146 filtered ports, and cannot guess the operating system version. No mention is made in the logs of a scan or of nmap. This is excellent security:

    $ nmap -sT -O -P0 -v -T5 IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 1025 (state open). (*)
    Skipping host (IP_ADDR) due to host timeout

    Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds

    Here is the resulting log:

    17/02/01 23:05:28 D 79 'TCP : Bloque tous les au' IP_ADDR_ORIGIN TCP Ports Dest:nntp=119 Src:2780
    17/02/01 23:05:28 D 80 'TCP : Bloque tous les au' IP_ADDR_ORIGIN TCP Ports Dest:tnETOS=377 Src:2781
    17/02/01 23:05:28 D 81 'TCP : Bloque tous les au' IP_ADDR_ORIGIN TCP Ports Dest:687 Src:2782
    17/02/01 23:05:28 D 82 'TCP : Bloque tous les au' IP_ADDR_ORIGIN TCP Ports Dest:5713 Src:2783


    Therefore, tight effective security is possible with Looknstop, if configured correctly.

    (*) Rule no. 4 ("Allow other standard internet services") could be made a little more "restrictive"...

 

E - Advantages 

  1. Rules can be applied to specific dialup connections or linked to modem.

  2. The logging window is useful. It gives a complete packet analysis, including the header content and the rule that blocked the packet, so it's maybe the best result you can get from personal firewall software. The options tab allows you to set the log content.

  3. The ruleset can be saved, loaded and exported !!!

  4. The size: 368 KB to download !!

  5. The GUI, website and help are provided in English and are really good!!!

  6. Internationalized product (also exists in French).

  7. It's Free !

 

F - Disadvantages  

Honestly, I really had a hard time finding any, so I had to look much further to find some little things. Here are some:

  1. The log content is really poor compared to the log window... really bad for retrospective analysis.

  2. Blocks only the IP protocol.

  3. The rules can only be applied on one network attachment on Windows 2000 (I think it's a little bit weird but not really dangerous).

  4. The intrusion detection could be improved:

    • a security analysis could be provided, and a comment could be written in the log line (a comment saved with the rejecting rule, for example),

    • port scans are not detected and analysed as such; only an individual report per port is produced (long and heavy, but at least complete),

    • no source tracking is offered (is this really useful?).

 

G - Suggested Improvements 

  • Provide a rule learning window.

  • Allow the user to change the order of the columns displayed in the rule management window.

  • Create a list of sample rules that the user can add/remove. Rules that are easy for users to understand, like: "Allow computer to be visible in Network Neighborhood," "Allow other hosts to detect your presence (ping)," "Allow Filesharing," "Allow accessing of remote Fileshares," etc.
    Note: sample rulesets are available from the website !

  • Associating an application with a rule could be done.

  • Optional password protection.

 

H - Summary 

A powerful, flexible firewall that expert users and beginners may very well appreciate.


Nearly perfect: it has what Conseal doesn't, and is really more efficient than Conseal!!!! And its price is really nice! Our preferred choice!!!

 

 

I - References 

  1. Nmap - Network mapper, a really efficient tool to check networks
    http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    http://www.netbus.org/

  3. Looknstop
    http://www.looknstop.com/

 
This site is copyright © Chryjs 1999-2001, all copies forbidden.