Tests of Look'n'Stop 2.04
A - Overview |
The Look'n'Stop 2.04 firewall [3] is full of interesting features :
- Provides permanent, highly secure protection against attacks by Internet hackers.
- Protects you against programs such as "trojan horses" that try to transmit your personal data to the outside without your agreement.
|
B - Price |
39 € (Euros) equiv to US $.
|
C - Security Efficiency |
- Test Ping : Blocked. This test result is good.
- Test Netbus : Look'n'Stop detects Netbus starting and, if you forbid it, Netbus complains about 'port busy'. Connection attempts are blocked. This test result is good.
- An nmap scan without Look'n'Stop 2.04 (on a Windows 2000 SP1 OS with a "standard" installation, meaning NetBIOS active and so on) :
$ nmap -sT -O -P0 -v IP_ADDR
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 135 (state open).
Adding TCP port 1025 (state open).
Adding TCP port 445 (state open).
Adding TCP port 139 (state open).
The TCP connect scan took 0 seconds to scan 1523 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds
An nmap TCP scan with Look'n'Stop 2.04 (on a Windows 2000 SP2 OS with a "standard" installation, meaning NetBIOS active and so on) with the stateful packet inspector activated :
nmap -v -sT -P0 -O 192.168.85.130
Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
Host 192.168.85.130 appears to be up ... good.
Initiating Connect() Scan against 192.168.85.130
The Connect() Scan took 1773 seconds to scan 1605 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1605 scanned ports on 192.168.85.130 are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
SInfo(V=3.10ALPHA4%P=i586-pc-linux-gnu%D=12/11%Time=3DF75FC2%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 2028.526 seconds
No ports found!
Note : during a scan, if you look at the log, the CPU goes up to 60%! This test result is good.
- An nmap UDP scan with Look'n'Stop 2.04 (on a Windows 2000 SP1 OS with a "standard" installation, meaning NetBIOS active and so on), using nmap -sU -O IP_ADDR :
nmap -sU -P0 192.168.85.130
Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
All 1468 scanned ports on 192.168.85.130 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 297.029 seconds
No open ports found. This test result is good.
- Test Leaktest : LNS blocks the Leaktest. This test result is good.
- Test Yalta : LNS blocks the Yalta test. This test result is good.
- Test Tooleaky : LNS blocks the Tooleaky test. This test result is good.
- Test FireHole : LNS blocks the Firehole test. This test result is good.
- Test OutBound : Test result not available
- Look'n'Stop 2.04 uses 2 peak CPU load. It uses 3 MB of memory during normal operation, with peaks of up to 7.6 MB.
- The substitution test (you can run it yourself : for example, substitute Iexplorer.exe with leaktest.exe - yes, this one :) - by renaming the latter and running it) : Look'n'Stop doesn't detect the substitution. The trojan succeeds. This test result is bad.
- For the second test (the trojan replaces the executable file when the software starts) : Look'n'Stop doesn't detect the substitution. The trojan succeeds. This test result is bad.
- Network speed test : Network losses are negligible, with no ping loss. This test result is good.
|
D - Pros |
|
E - Cons |
|
F - Suggested improvements |
- Add a protection (in case authorized software is modified).
- Better memory management.
- Upgrade the stateful inspection.
- Provide a learning mode (IP).
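One way to implement the protection suggested in the first item, replayed on the rename-based substitution test described in this review. This is an added example, not part of the original review and not Look'n'Stop's code: it compares a path-only check with one that re-verifies a SHA-256 digest recorded at authorization time. The AllowList class, the file names and the file contents are hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large executables are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class AllowList:
    """Hypothetical rule store: normalized path -> digest recorded at authorization."""
    def __init__(self):
        self.rules = {}

    def authorize(self, path):
        self.rules[os.path.normcase(os.path.abspath(path))] = sha256_file(path)

    def check_path_only(self, path):
        # Weak check: any file sitting at an authorized path is trusted.
        return os.path.normcase(os.path.abspath(path)) in self.rules

    def check_path_and_hash(self, path):
        # Re-hash at every launch or connection attempt and compare with the stored digest.
        expected = self.rules.get(os.path.normcase(os.path.abspath(path)))
        return expected is not None and sha256_file(path) == expected

def run_substitution_demo():
    """Replays the rename-based substitution on constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")   # stands in for the authorized program
        other = os.path.join(d, "other.exe")       # stands in for the substituted program
        with open(browser, "wb") as f:
            f.write(b"constructed bytes: authorized program")
        with open(other, "wb") as f:
            f.write(b"constructed bytes: different program")
        rules = AllowList()
        rules.authorize(browser)
        before = (rules.check_path_only(browser), rules.check_path_and_hash(browser))
        os.rename(browser, browser + ".old")       # the substitution from the test
        os.rename(other, browser)
        after = (rules.check_path_only(browser), rules.check_path_and_hash(browser))
        return before, after

if __name__ == "__main__":
    print(run_substitution_demo())
```

The digest has to be checked at each launch or connection attempt, not only when the rule is created, because in the second test the file is replaced after the rule already exists.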
|
G - Summary |
A great surprise is the correction of the driver bug (which used to occur during the install process). Look'n'Stop blocks most trojan tests, which is a good result. One of the best firewalls today.
|
Evaluation :
- Installation process (2) : 15/20
- Configuration, GUI (3) : 19/20
- Import/Export configuration (3) : 20/20
- Filtering rules (1) : 17.5/20
- Antitrojan protection (3) : 14/20
- Filtering security (5) : 18/20
- Software load and memory usage (2) : 15/20
- Network speed (3) : 20/20
- Product Internationalization (1) : 10/20
- HELP, FAQ (2) : 20/20
Total : 17.46 / 20
Note : the result may be modified with a new release, and when new criteria are added or their weight or content is re-evaluated.
|
|
H - References |
[1] Nmap - Network mapper, a really efficient tool to check networks
http://www.insecure.org/nmap
[2] Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
http://www.netbus.org/
[3] Look'n'Stop 2.04
http://www.looknstop.com/
[4] Leaktest - Small testing software written by Steve Gibson to check firewalls. It makes a simple TCP (ftp) connection that simulates the sending of personal content, which can also be used to take remote control in reverse mode (arg :-[ ).
http://grc.com/
|
|
I - Tests description |
Key criteria in choosing a personal firewall are :
- Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.
- Effectiveness of intrusion detection : few false positives, alerting of dangerous attacks.
- User interface : ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?
- Price.
How did we test firewall/intrusion detection efficiency ?
- Ping and accessing shares to and from the test host.
- A powerful, well-known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server was started and attempts were made to connect from a remote system.
- An nmap [1] TCP scan was run, to check that incoming ports were really blocked, with another local PC launching nmap against the test PC with the following options (nmap -sT -P0 -O IP_ADDR).
- An nmap [1] UDP scan was run, to check that incoming ports were really blocked, with another local PC launching nmap against the test PC with the following options (nmap -sU -O IP_ADDR).
- A test using Leaktest [4] was done.
- New : Tests with other tools inspired by Leaktest are now done : Yalta, Tooleaky, FireHole, Outbound.
- We checked the system resource usage of the firewall during the tests (just in case).
- The first substitution test : we try to launch a release of IEXPLORE.EXE modified by us (C:\Program Files\Internet Explorer\IEXPLORE.EXE) to check whether the firewall detects the problem.
- The second substitution test : we start iexplorer.exe, rename iexplorer.exe to iexplorer.old and rename leaktest.exe to iexplorer.exe :) then try to start it. Be careful : the Windows system will replace the executable file quickly after the first rename. This means that we start a modified release of IEXPLORER.EXE while the original is already running and check whether the firewall detects it (note that this test is not possible on Windows 9x systems).
- New : After many remarks, a network impact test is now done. For the moment the methodology is simple : we compute the ratio, on the same server with and without the firewall, of the network transfer speed (on a 100 Mb/s local network). Without a firewall we reach 90 Mb/s, near the nominal speed on such a network.
Each time 3 measurements were taken; we keep the best one to compute the ratio.
A good firewall shouldn't lower this speed (a maximum of 5% is correct).
NB : These tests do not claim to be exhaustive. The aim is to check whether the tested software offers at least the expected security (or not) for personal use (do not compare this to professional use).
|