Firewall Net tests, install & configure
FireWall.net - Guide to install and configure a PC FireWall
 
 

Tests of Look'n'Stop 2.04

 

A - Overview

The Look'n'Stop 2.04 firewall[3] is full of interesting features :

  • Provides permanent, highly secure protection against attacks by Internet hackers.

  • Protects you against programs such as Trojan horses that try to transmit your personal data to the outside without your agreement.


B - Price

39 € (Euros) equiv to US $.


C - Security Efficiency
  1. Test Ping : Blocked. This test result is good.

  2. Test Netbus : LookNStop detects Netbus starting and, if you forbid it, Netbus complains about 'port busy'. Connection attempts are blocked. This test result is good.

  3. An nmap scan without Look'n'Stop 2.04 (on Win 2000 OS SP1 with a "standard" installation, meaning NetBios active and so on) :
    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds

    An nmap TCP scan with Look'n'Stop 2.04 (on Win 2000 SP2 OS with a "standard" installation, meaning NetBios active and so on) with the stateful packet inspector activated :
    nmap -v -sT -P0 -O 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )

    Host 192.168.85.130 appears to be up ... good.
    Initiating Connect() Scan against 192.168.85.130
    The Connect() Scan took 1773 seconds to scan 1605 ports.

    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 1605 scanned ports on 192.168.85.130 are: filtered
    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    SInfo(V=3.10ALPHA4%P=i586-pc-linux-gnu%D=12/11%Time=3DF75FC2%O=-1%C=-1)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 2028.526 seconds


    No ports found !
    Note : During a scan, if you look at the log, the CPU load goes up to 60% ! This test result is good.

  4. An nmap UDP scan with Look'n'Stop 2.04 (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) :

    $ nmap -sU -O IP_ADDR
    nmap -sU -P0 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    All 1468 scanned ports on 192.168.85.130 are: filtered

    Nmap run completed -- 1 IP address (1 host up) scanned in 297.029 seconds

    No open ports found. This test result is good.

  5. Test Leaktest : LNS blocks the Leaktest. This test result is good.

  6. Test Yalta : LNS blocks the Yalta test. This test result is good.

  7. Test Tooleaky : LNS blocks the Tooleaky test. This test result is good.

  8. Test FireHole : LNS blocks the Firehole test. This test result is good.

  9. Test OutBound : Test result not available

  10. Look'n'Stop 2.04 uses 2 peak CPU load. It uses 3 MB of memory during normal operations and up to 7.6 MB at peak.

  11. The substitution test : (you can do it yourself : for example, you substitute Iexplorer.exe with leaktest.exe - yes, this one :) - by renaming the latter and running it). Looknstop doesn't detect the substitution. The trojan succeeds. This test result is bad.

  12. For the second test (the trojan replaces the executable file at the software start) : Looknstop doesn't detect the substitution. The trojan succeeds. This test result is bad.

  13. Network speed test : Network losses are negligible, no ping loss. This test result is good.
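
To repeat the comparison made in test 3 without reading the two outputs by eye, the following added example (not part of the original review) parses the old nmap text format shown above and reports which ports the firewall hid. The function names are this example's own, and the embedded samples are excerpts of the two TCP scan outputs on this page.

```python
import re

# Excerpts of the two TCP scan outputs shown above (old nmap text format).
SCAN_WITHOUT_FW = """\
Interesting ports on (IP_ADDR):
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
"""
SCAN_WITH_FW = """\
All 1605 scanned ports on 192.168.85.130 are: filtered
"""

PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+\S+\s*$")
ALL_LINE = re.compile(r"^\s*All (\d+) scanned ports on \S+ are: (\w+)")


def parse_nmap(text):
    """Return ({(port, proto): state}, (count, state) or None) from scan text."""
    ports, summary = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
            continue
        m = ALL_LINE.match(line)
        if m:
            summary = (int(m.group(1)), m.group(2))
    return ports, summary


def firewall_verdict(baseline_text, firewalled_text):
    """Compare a scan taken without the firewall to one taken with it."""
    base_ports, _ = parse_nmap(baseline_text)
    fw_ports, fw_summary = parse_nmap(firewalled_text)
    baseline_open = sorted(p for p, s in base_ports.items() if s == "open")
    still_open = sorted(p for p, s in fw_ports.items() if s == "open")
    return {
        "baseline_open": baseline_open,
        "still_open": still_open,
        "summary": fw_summary,
        # A pass only means something if the unprotected host had listeners.
        "pass": bool(baseline_open) and not still_open,
    }


if __name__ == "__main__":
    print(firewall_verdict(SCAN_WITHOUT_FW, SCAN_WITH_FW))
```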

D - Pros 
  • An ultra-light (size, etc.) and efficient firewall.

  • Optional password protection is nice.

E - Cons
  • its price ?

F - Suggested improvements
  • Add a protection for the case where authorized software is modified.

  • A better memory management.

  • Upgrade the stateful inspection.

  • Provide a learning mode (IP).
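
One way to provide the first improvement, given as an added example that is neither Look'n'Stop's code nor the reviewer's: pin each authorized program to a SHA-256 digest and compare it again whenever the program asks for network access. The class and function names and the stand-in files are assumptions of this example; it replays the rename-based substitution from tests 11 and 12.

```python
import hashlib
import os
import tempfile


class AppRules:
    """Allow list that pins each authorized program to a SHA-256 digest."""

    def __init__(self):
        self._pinned = {}  # normalized path -> digest recorded at authorization

    @staticmethod
    def _digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def authorize(self, path):
        self._pinned[os.path.normcase(os.path.abspath(path))] = self._digest(path)

    def check(self, path):
        """Return 'allow', 'modified' or 'unknown' for a program requesting access."""
        pinned = self._pinned.get(os.path.normcase(os.path.abspath(path)))
        if pinned is None:
            return "unknown"
        return "allow" if self._digest(path) == pinned else "modified"


def substitution_test():
    """Replay the rename-based substitution on constructed stand-in files."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "IEXPLORE.EXE")
        leak = os.path.join(d, "leaktest.exe")
        for path, body in ((browser, b"constructed browser image"),
                           (leak, b"constructed leak-test image")):
            with open(path, "wb") as f:
                f.write(body)
        rules = AppRules()
        rules.authorize(browser)
        before = rules.check(browser)
        os.rename(browser, browser + ".old")  # move the real program aside
        os.rename(leak, browser)              # put the other program in its place
        return before, rules.check(browser), rules.check(browser + ".old")


if __name__ == "__main__":
    print(substitution_test())
```

Running check() on each connection attempt, rather than once when the rule is created, is what lets the same lookup cover the second test, where the file is swapped while the original is still running.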

G - Summary 

A great surprise is the correction of the driver bug (which used to occur during the install process). Looknstop blocks most trojan tests, which is a good result. One of the best firewalls today.

Evaluation :

  • Installation process (2) : 15/20

  • Configuration, GUI (3) : 19/20

  • Import/Export configuration (3) : 20/20

  • Filtering rules (1) : 17.5/20

  • Antitrojan protection (3) : 14/20

  • Filtering security (5) : 18/20

  • Software load and memory usage (2) : 15/20

  • Network speed (3) : 20/20

  • Product Internationalization (1) : 10/20

  • HELP, FAQ (2) : 20/20

Total : 17.46 / 20

Note : the result may be modified with the release, and when new criteria are added or their weight or content is re-evaluated.

H - References
  1. Nmap - Network mapper, a really efficient tool to check networks
    http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    http://www.netbus.org/

  3. Look'n'Stop 2.04
    http://www.looknstop.com/

  4. Leaktest - Small testing program written by Steve Gibson to check firewalls. It makes a simple TCP (ftp) connection that simulates the sending of personal content, which can also be used to take remote control in reverse mode (arg :-[ ).
    http://grc.com/

 
I - Description of the tests

Key criteria in choosing a personal firewall are :

  • Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?

  • Price.

How did we test firewall/intrusion detection efficiency ?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

  3. An nmap [1] TCP scan was run to check that incoming ports were really blocked. It was launched from another local PC against the test PC with the following options (nmap -sT -P0 -O IP_ADDR).

  4. An nmap [1] UDP scan was run to check that incoming ports were really blocked. It was launched from another local PC against the test PC with the following options (nmap -sU -O IP_ADDR).

  5. A test using Leaktest [4] was done.

  6. New : Tests with other tools inspired by Leaktest are now done : Yalta, Tooleaky, FireHole, Outbound.

  7. We checked the system resource usage of the firewall during the tests (just in case).

  8. The first substitution test : We try to launch a modified (by us) release of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE ) to check if the firewall detects the problem.

  9. The second substitution test : we start iexplorer.exe, rename iexplorer.exe to iexplorer.old and rename leaktest.exe to iexplorer.exe :) then try to start it. Be careful : the Windows system will replace the executable file quickly after the first rename. This means that we start a modified release of IEXPLORER.EXE while the original is already running and check if the firewall detects it (note that this test is not possible on Windows 9x systems).

  10. New : After many remarks, a test of the impact on network performance is now done. For the moment the methodology is simple : we compute the ratio of the network transfer speed on the same server with and without the firewall (on a 100 Mb/s local network). Without a firewall we reach 90 Mb/s, near the nominal speed on such a network.
    Each time 3 measurements were taken; we keep the best one to compute the ratio.
    A good firewall shouldn't lower this speed (a maximum of 5% is correct).

NB : These tests do not claim to be exhaustive. The aim is to check whether the tested software offers at least the security expected for personal use (do not compare this to professional use).
