Firewall Net tests, installation & configuration
FireWall.net - Guide to install and configure a PC FireWall
 
" Neowatch 2 " Tests of Neowatch 2 Firewall -->
 

Tests of Neowatch 2

 

A - Security effectiveness Tests

Key criteria in choosing a personal firewall are:

  • Effectiveness of security protection: penetration, Trojans, control of outbound leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of the online help. Does the interface suit the way you use your PC?

  • Price.

How did we test firewall/intrusion detection effectiveness?

  1. Pinging the test host and accessing its shares, from and to the test host.

  2. A powerful, well-known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a non-standard port (to make detection harder), the Netbus server was started and connection attempts were made from a remote system.

  3. An nmap [1] TCP connect scan was run from another PC on the LAN, to check that incoming TCP ports were effectively blocked (nmap -v -sT -P0 -O IP_ADDR).

  4. An nmap [1] UDP scan was run from the same PC, to check that incoming UDP ports were effectively blocked (nmap -v -sU -P0 IP_ADDR).

  5. A test with Leaktest [4] was done, to check whether an unknown program is allowed to open an outbound connection.

  6. We checked the system resource usage of the firewall during the tests (just in case).

  7. We launched a copy of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE) modified by us, to check whether the firewall notices that a trusted application's binary has been replaced.

  8. A test (with nmap [1]) to check whether the firewall is stateful or a plain packet filter.

NB: These tests do not pretend to be exhaustive. The aim is only to check whether the tested software offers at least the level of security expected for personal use (do not compare this with professional use).


 
B - Overview

The Neowatch 2 firewall [3] has some interesting features:

  • Possibility to see all blocked packets.

  • Download size: 1.3 MB.

C - Price

Free for private (home) use.

 
D - Security Effectiveness
  1. Ping: impossible with the security level at Tight and "Accept ICMP ping request = No - Log/alert me". An event is logged and a window pops up (this can be turned off). The result of this test is good.

  2. The Netbus server: Neowatch doesn't detect the Netbus server when it starts, but it remains impossible to connect to it from outside (security level at Tight) and an event is logged. Note that the Trojan itself is not detected; it is only the inbound block that saves the day. The result of this test is good.

  3. An nmap TCP scan without Neowatch 2.2 (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on):

    $ nmap -v -sT -P0 -O IP_ADDR

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 445 (state open).
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 913 (state open).
    Adding TCP port 139 (state open).

    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled

    Interesting ports on (IP_ADDR):
    (The 1518 ports scanned but not shown below are in state: closed)
    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    913/tcp open unknown
    1025/tcp open listen

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=6634 (Worthy challenge)

    Sequence numbers: 747E9CE8 747F63FC 74800BF5 7480E3FE 7481BC4F 7482B3B2

    Remote operating system guess: Windows 2000 RC1 through final release

    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

    Gloups: five services (RPC, NetBIOS, SMB...) reachable from the LAN, you'd better have a firewall installed :+) !!!

    The same nmap TCP scan with Neowatch 2 (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) and the security level at High = Lock-down:

    $ nmap -v -sT -P0 -O IP_ADDR

    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    Host (192.168.2.27) appears to be up ... good.
    Initiating Connect() Scan against (IP_ADDR)
    Adding TCP port 139 (state open).
    The Connect() Scan took 1 second to scan 1542 ports.
    For OSScan assuming that port 139 is open and port 1 is closed and neither are firewalled
    For OSScan assuming that port 139 is open and port 1 is closed and neither are firewalled
    WARNING: OS didn't match until the try #2
    Interesting ports on (IP_ADDR): (The 1541 ports scanned but not shown below are in state: closed)
    Port State Service
    139/tcp open netbios-ssn

    Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000
    TCP Sequence Prediction: Class=random positive increments
    Difficulty=14337 (Worthy challenge)
    IPID Sequence Generation: Incremental

    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds


    This means that even in Lock-down one port (139/tcp, NetBIOS session) remains open, and none of the connection attempts is logged! This is a bad result.

  4. An nmap UDP scan with Neowatch 2 (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) and the security level at High = Lock-down:

    $ nmap -v -sU -P0 IP_ADDR

    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    Interesting ports on (192.168.2.27):
    (The 1450 ports scanned but not shown below are in state: closed)
    Port State Service
    137/udp open netbios-ns
    138/udp open netbios-dgm
    500/udp open isakmp

    Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

    This means that the filtering is ineffective for UDP (NetBIOS name and datagram services and ISAKMP all remain reachable), and there's nothing in the log. This is a bad result.

  5. The Leaktest: Neowatch 2 doesn't detect the program starting, and Leaktest is able to connect out (no event logged). The result of this test is bad.

  6. Neowatch uses up to 50% of the CPU during heavy scans and 3% in normal operation. It uses 3.2 MB of memory, with a peak of 256 MB during heavy scans (multiple instances of "Autotrace"; I had more than 250 processes, fortunately I have 512 MB of RAM!!!). It's a better idea to deactivate the alert windows, and do not try to open the event log at that moment either, because it may crash as well.

  7. The substitution test (you can do it yourself: replace IEXPLORE.EXE with leaktest.exe, yes that one, by renaming the latter, then launch it). Neowatch doesn't detect anything; it's possible to connect out without anything being logged. This is a bad result.

  8. The stateful test: Neowatch is not stateful. The ACK scan goes straight through; nmap reports every port as UNfiltered, whereas a stateful firewall would drop ACK packets that belong to no tracked connection and nmap would report them as filtered:

    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    All 1542 scanned ports on (192.168.2.27) are: UNfiltered

    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
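To turn the raw nmap tables above into a pass/fail verdict automatically, here is an added Python example (it is not part of the original page, nor code from Neoworx). The sample outputs are copied from the scans above, in the nmap 2.5x "Port State Service" layout; the grading rules are our assumptions: any port reported "open" while the firewall is in Lock-down fails the filtering test, and an ACK scan answered "UNfiltered" on every port means the firewall keeps no connection state.

```python
import re

# Constructed samples, taken from the scan results above: the TCP connect scan
# with Neowatch in Lock-down, the UDP scan, and the ACK scan of the stateful test.
TCP_SCAN = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.2.27): (The 1541 ports scanned but not shown below are in state: closed)
Port State Service
139/tcp open netbios-ssn
"""

UDP_SCAN = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.2.27):
(The 1450 ports scanned but not shown below are in state: closed)
Port State Service
137/udp open netbios-ns
138/udp open netbios-dgm
500/udp open isakmp
"""

ACK_SCAN = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
All 1542 scanned ports on (192.168.2.27) are: UNfiltered
"""

# "139/tcp open netbios-ssn" -> port, protocol, state, service
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
# nmap's summary line when every port is in the same state
ALL_PORTS = re.compile(r"^All (\d+) scanned ports on .* are: (\S+)", re.M)


def parse_ports(output):
    """Return {(port, proto): state} for each port nmap listed individually."""
    return {(int(p), proto): state
            for p, proto, state, _svc in PORT_LINE.findall(output)}


def exposed_ports(output, proto):
    """Ports the firewall left reachable: 'open' means the service answered."""
    return sorted(p for (p, pr), st in parse_ports(output).items()
                  if pr == proto and st == "open")


def grade_filtering(output, proto):
    """Assumed rule: a personal firewall in its strictest mode leaves nothing open."""
    open_ports = exposed_ports(output, proto)
    return ("good" if not open_ports else "bad"), open_ports


def is_stateful(ack_output):
    """ACK scan reading: a stateful firewall drops ACKs that belong to no tracked
    connection, so nmap reports 'filtered'; 'UNfiltered' means they got through."""
    m = ALL_PORTS.search(ack_output)
    if m:
        return m.group(2).lower() != "unfiltered"
    states = {st.lower() for st in parse_ports(ack_output).values()}
    return "unfiltered" not in states  # no UNfiltered port listed at all


def report(tcp_out, udp_out, ack_out):
    """Verdict for the three scans, in the form used in the results above."""
    return {
        "tcp": grade_filtering(tcp_out, "tcp"),
        "udp": grade_filtering(udp_out, "udp"),
        "stateful": is_stateful(ack_out),
    }


if __name__ == "__main__":
    for name, verdict in report(TCP_SCAN, UDP_SCAN, ACK_SCAN).items():
        print(name, verdict)
```

Run against the captured outputs it reproduces the verdicts given above: 139/tcp open (bad), 137, 138 and 500/udp open (bad), not stateful. Feed it the output of a fresh scan to re-check a new release.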

E - Advantages 
  1. It seems to have plenty of useful parameters.

  2. It's possible to declare "trusted" IP addresses for your LAN.

  3. It's possible to ignore IP packets from a specified source.

  4. Possibility to trace back the source IP of a suspected cracker (not really useful, but nice).

  5. Price!

F - Disadvantages
  1. The warning window option can lead to slowdowns (and maybe crashes) under a serious port scan.

  2. Doesn't detect applications using the network: Leaktest and the substituted IEXPLORE.EXE both connect out unnoticed.

  3. The log window really slows down and may crash during heavy scans.

  4. You cannot specify port/protocols to filter/allow.

G - Suggested improvements
  • Improve detection of applications using the network (outbound control, and verification that a trusted application's binary has not been replaced).

  • Lower the CPU and memory usage of the log and warning windows!

  • Product internationalization.
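The substitution test (item 7 of the results) passes unnoticed because, if the firewall recognises an application at all, it identifies it by its path only. The following added Python example (not code from the page, nor from Neoworx) simulates that test on two constructed dummy files and contrasts a path-only application rule with one that also pins the SHA-256 of the binary; the class names and file contents are invented for the illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PathOnlyRule:
    """Hypothetical rule that trusts an executable by its path alone
    (the behaviour the substitution test exposes)."""

    def __init__(self, path):
        self.path = os.path.abspath(path)

    def allows(self, exe_path):
        return os.path.abspath(exe_path) == self.path


class HashedRule:
    """Hypothetical rule that records the binary's digest when the rule is
    created; a later replacement of the file no longer matches."""

    def __init__(self, path):
        self.path = os.path.abspath(path)
        self.digest = sha256_of(path)

    def allows(self, exe_path):
        return (os.path.abspath(exe_path) == self.path
                and sha256_of(exe_path) == self.digest)


def substitution_test():
    """Simulate test 7: the trusted browser binary is replaced by a renamed
    copy of the leak tool. Returns ((path_before, hash_before),
    (path_after, hash_after)) verdicts of the two rules."""
    d = tempfile.mkdtemp()
    try:
        browser = os.path.join(d, "IEXPLORE.EXE")
        leaktest = os.path.join(d, "leaktest.exe")
        # Constructed stand-ins for the real executables.
        with open(browser, "wb") as f:
            f.write(b"constructed: fake browser binary")
        with open(leaktest, "wb") as f:
            f.write(b"constructed: fake leaktest binary")

        path_rule = PathOnlyRule(browser)
        hash_rule = HashedRule(browser)
        before = (path_rule.allows(browser), hash_rule.allows(browser))

        # The substitution: rename the leak tool over the trusted path.
        os.replace(leaktest, browser)
        after = (path_rule.allows(browser), hash_rule.allows(browser))
        return before, after
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    before, after = substitution_test()
    print("before substitution (path rule, hash rule):", before)
    print("after substitution  (path rule, hash rule):", after)
```

Before the swap both rules allow the browser; after it the path-only rule still allows the renamed leak tool while the hashed rule refuses it, which is exactly the check the tested firewall lacks. A real implementation would also have to re-prompt the user when a legitimate update changes the digest.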

H - Summary 

A good firewall, really efficient for filtering!!! It's really better than the BlackICE tool.

Evaluation (weight in brackets, score out of 20):

  • Installation process (2): 12/20

  • Configuration, GUI (3): 8/20

  • Filtering security (5): 12/20

  • Additional security (3): 5/20

  • Software load and memory usage (2): 3/20

  • Import/Export configuration (2): 0/20

  • Help, FAQ (2): 10/20

  • Product internationalization (1): 0/20

Total (weighted average, weights summing to 20): 7.45 / 20

Note: the result may change with the release tested, and when new criteria are added or their weight or content is re-evaluated.

I - References
  1. Nmap - Network Mapper, a really efficient tool for checking networks.
    URL http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    URL http://www.netbus.org/

  3. Neowatch 2
    URL http://www.neoworx.com/

  4. Leaktest - Small testing program written by Steve Gibson to check firewalls. It makes a simple outbound TCP (FTP) connection that simulates the sending of personal data; the same technique can be used to take remote control in reverse mode (arg).
    URL http://grc.com/