Tests of Norton Internet Security (NIS)

Key criteria in choosing a personnal firewall are :

• Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.

• Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

• User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?

• Price.

How did we test firewall/intrusion detection effectiveness?

1. Ping and accessing shares to and from the test host.

2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

3. An nmap [1] scan was run, to check that incoming ports were effectively blocked. With another local PC launching nmaps againts the test PC and the following options (nmap -v -sT -P0 -O IP_ADDR).

4. An nmap [1] scan was run, to check that incoming ports were effectively blocked. With another local PC launching nmaps againts the test PC and the following options (nmap -v -sP -P0 -O IP_ADDR).

5. A test using Leaktest [4] was done.

6. We checked the system ressource usage of the firewall during the tests (just in case).

7. We tried to launch a modified (by us) release of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE ) to check if the firewall detects the problem.

8. Test (with nmap [1]) to check if the firewall is statefull or filtering only.

NB : These tests do not pretend to be exhaustives. By the way the aim is to be sure that the tested software offers at least expected security (or not) for a personnal use (do not compare this to professional use).

Jump to the test results.

The Norton Internet Security firewall [3] is full of interesting features :

• Ad blocker

• Cookie manager

• Antivirus

• Possibility to define some specific rules (port/ protocols)

• Download size : 30 MB for 2000/NT , 40 MB for 9x

1. Ping: Impossible (in level High with default security ruled modified to secure your computer). This is a good result.

2. The Netbus server: Norton Internet Security detect the Netbus server when started and it will forbid someone to connect to it if you secured the default rules. The result of this test is good.

3. An nmap scan without Norton Internet Security (on Win 2000 OS SP1 with a "standard" installation, it means NetBios active and so on) :
   
   $ nmap -v -sT -P0 -O IP_ADDR
   
   Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
   Initiating TCP connect() scan against (IP_ADDR)
   Adding TCP port 445 (state open).
   Adding TCP port 135 (state open).
   Adding TCP port 1025 (state open).
   Adding TCP port 913 (state open).
   Adding TCP port 139 (state open).
   
   The TCP connect scan took 0 seconds to scan 1523 ports.
   
   For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
   
   Interesting ports on (IP_ADDR):
   (The 1518 ports scanned but not shown below are in state: closed)
   Port State Service
   135/tcp open loc-srv
   139/tcp open netbios-ssn
   445/tcp open microsoft-ds
   913/tcp open unknown
   1025/tcp open listen
   
   TCP Sequence Prediction: Class=random positive increments
   Difficulty=6634 (Worthy challenge)
   
   Sequence numbers: 747E9CE8 747F63FC 74800BF5 7480E3FE 7481BC4F 7482B3B2
   
   Remote operating system guess: Windows 2000 RC1 through final release
   
   Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
   
   Gloups : you'd better have a firewall installed :+) !!!
   
   An nmap TCP scan with Norton Internet Security (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) with options security level High activated and permissive rules deleted, gives events notified and scan detected which is a good result for detection :
   
   $ nmap -v -sT -P0 -O IP_ADDR
   
   Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
   
   Host (192.168.2.27) appears to be up ... good.
   Initiating Connect() Scan against (IP_ADDR)
   The Connect() Scan took 1694 seconds to scan 1542 ports.
   Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
   All 1542 scanned ports on (IP_ADDR) are: filtered
   
   Too many fingerprints match this host for me to give an accurate OS guess TCP/IP fingerprint:
   SInfo(V=2.54BETA22%P=i686-pc-linux-gnu%D=4/6%Time=3ACDD693%O=-1%C=-1)
   T5(Resp=N)
   T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
   T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
   PU(Resp=N)
   
   Nmap run completed -- 1 IP address (1 host up) scanned in 1950 seconds
   
   This means that with Norton Internet Security active ports looks unexistant and access attempts are logged, Norton IS do detect the scan and says it wil block the opponent for 30 minutes ! This is a good result.
   
   But be carefull : you must remove many default permissive rules to go to this security state.
   

4. An nmap UDP scan with Norton Internet Security (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) gives events registered in the log which is a good result for detection :
   
   $ nmap -v -sU -P0 IP_ADDR
   
   Starting nmap V. 2.54BETA22 by [email protected] ( www.insecure.org/nmap/ )
   
   Host (IP_ADDR) appears to be up ... good.
   Initiating UDP Scan against (IP_ADDR)
   
   The UDP Scan took 1754 seconds to scan 1453 ports.
   (no udp responses received -- assuming all ports filtered)
   All 1453 scanned ports on (IP_ADDR) are: filtered
   
   Nmap run completed -- 1 IP address (1 host up) scanned in 1755 seconds

   This means that the security seems efficient for UDP at security level High (and security rules improved). The result of this test is good. NIS warns you about the scan, and says it will block the opponent for 30 minutes.

5. The Leaktest : Norton Internet Security detects the launch of Leaktest (cf netbus), but it's able to connect. The result of this test is bad.

6. Norton Internet Security, in normal operations it uses up to 2 % max. Memory usage is 8.4 MB, up to 8.9 MB peek.

7. The substitution test : (you can do it by yourself for example : you replace Iexplorer.exe with leaktest.exe - yes this one - by renaming the last one and launch it). The result is Norton Internet Security allow the trojan horse to connect... the result of this test is bad.

8. The statefull test : Norton Internet Security is not statefull :
   
   $ nmap -v -sA -P0 IP_ADDR
   
   Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
   Host (IP_ADDR) appears to be up ... good.
   Initiating ACK Scan against (IP_ADDR)
   The ACK Scan took 6 seconds to scan 1542 ports.
   All 1542 scanned ports on (IP_ADDR) are: UNfiltered
   
   Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

1. Norton Internet Security can be configured to block most trafic from outside.

2. You can scan your computer for Network built applications and apply specific rules to them.

1. Norton Internet Security cannot makes any difference between local network connections and Internet connections.

2. Security rules cannot be fully configured.

3. All the firewall rules are not in the rules list

• Simplify the installation process (very long).

• Simplify the GUI : windows not resizable , very hard to understand which security criteria stands for, and son on.

• Upgrade default rules which are really too permissive.

A very heavy tool , really expansive and with a very low level security power if you don't modify the default rules. Do you really want to spend money for nothing ?

Evaluation :

• Installation process (2) : 5/20

• Configuration , GUI (3) : 5/20

• Filtering security (5) : 15/20

• Additionnal security (3) : 5/20

• Software load and memory usage (2) : 8/20

• Import/Export configuration (2) : 0/20

• Help , FAQ (2) : 10/20

• Product internationalization (1) : 10/20

Total : 8.05 / 20

Note : the result may be modified with the release , and when adding new criteria or re-evaluating their weight or their content.

1. Nmap - Network mapper, a really efficient tool to check networks
   http://www.insecure.org/nmap

2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
   http://www.netbus.org/
   download

3. Norton Internet Security firewall
   

   Norton Internet Security 2001 2.5 (the full package)

   Norton Personal Firewall 2001 2.5 (the firewall only)

4. Leaktest - Small testing software written by Steve Gibson to check firewalls. It makes a simple TCP (ftp) connexion that simulate sennding of personnal content, which can also be used to take remote controle in reverse mode (arg).
   http://grc.com/
   download