Firewall Net tests, install & configure
FireWall.net - Guide to install and configure a PC FireWall

Tests of McAfee Desktop Firewall 7.5.1

 

A - Overview

McAfee Desktop Firewall 7.5.1 [3] offers a number of interesting features :

  • Performs automatic updates and product upgrades

  • Provides complete protection of personal information

  • Offers Immediate Alerts and response options

  • Creates detailed event information logs

  • Blocks or allows specified Internet systems

  • Offers a comprehensive, multi-layered PC security solution when combined with VirusScan Online


B - Price

40 € (Euros) equiv to US $.


C - Security Efficiency
  1. Test Ping : Blocked. This test result is good.

  2. Test Netbus : McAfee Firewall does not detect the Netbus start, but the connection attempt is blocked. However, the connection remains established until you choose to block it (very bad)! This test result is medium.

  3. An nmap scan without McAfee Desktop Firewall 7.5.1 (on Win 2000 OS SP1 with a "standard" installation, i.e. NetBIOS active, etc.) :
    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds

    An nmap TCP scan with McAfee Desktop Firewall 7.5.1 (on Win 2000 SP2 OS with a "standard" installation, i.e. NetBIOS active, etc.) with the "personalized" filter activated :
    nmap -sT -P0 -v -O 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host 192.168.85.130 appears to be up ... good.
    Initiating Connect() Scan against 192.168.85.130
    The Connect() Scan took 1774 seconds to scan 1605 ports.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 1605 scanned ports on 192.168.85.130 are: filtered
    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    SInfo(V=3.10ALPHA4%P=i586-pc-linux-gnu%D=2/23%Time=3E591F5A%O=-1%C=-1)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)


    Nmap run completed -- 1 IP address (1 host up) scanned in 1993.748 seconds

    McAfee Firewall detects the port scan and warns you. It allows you to block the attacker and also to trace the attacker back. This test result is good.

  4. An nmap UDP scan with McAfee Desktop Firewall 7.5.1 (on Win 2000 SP1 OS with a "standard" installation, i.e. NetBIOS active, etc.) :

    $ nmap -sU -O IP_ADDR
    nmap -v -sT -P0 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Host 192.168.85.130 appears to be up ... good.
    Initiating Connect() Scan against 192.168.85.130
    The Connect() Scan took 1774 seconds to scan 1605 ports.
    All 1605 scanned ports on 192.168.85.130 are: filtered

    Nmap run completed -- 1 IP address (1 host up) scanned in 1773.528 seconds

    McAfee Firewall also detects this port scan and warns you. It allows you to block the attacker. This test result is good.

  5. Test Leaktest : McAfee Firewall detects and blocks the Leaktest. This test result is good.

  6. Test Yalta : McAfee Firewall detects and blocks the Yalta test. This test result is good.

  7. Test Tooleaky : McAfee Firewall doesn't detect the Tooleaky test. This test result is bad.

  8. Test FireHole : McAfee Firewall doesn't detect the FireHole test. This test result is bad.

  9. Test OutBound : Test result not available

  10. McAfee Desktop Firewall 7.5.1 reaches a peak CPU load of 3%. It uses 5 MB of memory during normal operation and up to 18 MB at peak.

  11. The substitution test (you can do it yourself : for example, substitute Iexplorer.exe with leaktest.exe - yes, that one :) - by renaming the latter and running it). McAfee detects the substitution and warns you. This test result is good.

  12. For the second test (the trojan replaces the executable file as the program starts) : McAfee doesn't detect the substitution and the trojan succeeds in connecting. This test result is bad.

  13. Network speed test : Test result not available
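The two nmap runs above (open NetBIOS/RPC ports without the firewall, every port filtered with it) are the kind of before/after evidence a user can collect on their own PC. The following Python script is an added example, not part of the original FireWall.net page or of McAfee's product: it parses the classic nmap port table and the "All N scanned ports ... are: filtered" line, and reports which ports the firewall closed and whether any of the default Windows service ports (135, 139, 445) are still reachable. The two scan texts are constructed excerpts of the outputs quoted in tests 3 and 4; the port set and field layout are assumptions about that nmap version's output format.

```python
import re

# Constructed excerpts of the two nmap runs quoted in the tests above:
# the port table of the unprotected host, and the collapsed "all filtered"
# line produced once the firewall's filter is active.
SCAN_WITHOUT_FIREWALL = """\
Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)

Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen

Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds
"""

SCAN_WITH_FIREWALL = """\
Host 192.168.85.130 appears to be up ... good.
Initiating Connect() Scan against 192.168.85.130
The Connect() Scan took 1774 seconds to scan 1605 ports.
All 1605 scanned ports on 192.168.85.130 are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 1773.528 seconds
"""

# One row of nmap's port table: "135/tcp open loc-srv"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*$", re.MULTILINE)
# The summary line nmap prints instead of a table when nothing answered.
ALL_FILTERED = re.compile(r"^All (\d+) scanned ports on \S+ are: filtered", re.MULTILINE)

# Ports a default Windows 2000 install listens on (RPC endpoint mapper,
# NetBIOS session service, SMB over TCP); a personal firewall must hide them.
WINDOWS_SERVICE_PORTS = {135, 139, 445}


def parse_ports(text):
    """Map (port, protocol) -> state for every row of nmap's port table."""
    return {(int(port), proto): state
            for port, proto, state, _service in PORT_LINE.findall(text)}


def filtered_count(text):
    """Number of ports reported by the collapsed 'All N scanned ports ... are:
    filtered' line, or 0 when nmap printed a normal port table instead."""
    match = ALL_FILTERED.search(text)
    return int(match.group(1)) if match else 0


def open_tcp_ports(text):
    """Sorted list of TCP ports nmap saw as open."""
    return sorted(port for (port, proto), state in parse_ports(text).items()
                  if proto == "tcp" and state == "open")


def firewall_verdict(before, after):
    """Compare a scan taken without the firewall against one taken with it."""
    exposed_before = open_tcp_ports(before)
    exposed_after = open_tcp_ports(after)
    return {
        "closed_by_firewall": sorted(set(exposed_before) - set(exposed_after)),
        "still_open": exposed_after,
        "windows_services_reachable": sorted(WINDOWS_SERVICE_PORTS & set(exposed_after)),
        "fully_filtered": filtered_count(after) > 0 and not exposed_after,
    }


if __name__ == "__main__":
    print(firewall_verdict(SCAN_WITHOUT_FIREWALL, SCAN_WITH_FIREWALL))
```

Run the script against your own saved nmap output (one file per scan) and look at `windows_services_reachable`: if 135, 139 or 445 remain in that list with the firewall on, the ruleset is not doing its job, whatever the product's alert popups say.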

D - Pros 
  • A simple and light tool.

E - Cons
  • Some leaks and substitutions get through.

  • The logs are not available in an open format by default.

  • Its price for one year.

  • The McAfee web portal practically forces you to use MS IE (with its built-in security holes) rather than any other browser...

F - Suggested improvements
  • Improve the log management.

  • Solve the leaks.

  • Upgrade the online help (for example the default ruleset might be described more precisely).

  • Select the default ruleset according to the user's wishes rather than leaving the automatic learning mode on, because that is too dangerous for beginners.

G - Summary 

A good product that you can use without major problems. Remember to turn off the automatic learning mode quickly, and choose your ruleset according to your needs.

Evaluation :

  • Installation process (2) : 11/20

  • Configuration, GUI (3) : 18/20

  • Import/Export configuration (3) : 20/20

  • Filtering rules (1) : 17.5/20

  • Antitrojan protection (3) : 9.5/20

  • Filtering security (5) : 12/20

  • Software load and memory usage (2) : 9.2/20

  • Network speed (3) : 14/20

  • Product Internationalization (1) : 15/20

  • HELP, FAQ (2) : 13.5/20

Total : 13.776 / 20

Note : the result may change with a new release, and when new criteria are added or their weight or content is re-evaluated.
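The figure in parentheses after each criterion is its weight, and the total is the weighted mean of the marks out of 20. The Python script below is an added example, not part of the FireWall.net page: it parses the evaluation grid as printed above, recomputes the total, and lets you try a different weighting (the note says weights may be re-evaluated). The grid text is constructed from the list above; the `overrides` mechanism and the "security-heavy" weights in the usage code are this example's own hypothetical choice, not the site's.

```python
import re

# The evaluation grid of section G, as constructed input text: each line
# carries the criterion, its weight in parentheses, and a mark out of 20.
EVALUATION = """\
Installation process (2) : 11/20
Configuration, GUI (3) : 18/20
Import/Export configuration (3) : 20/20
Filtering rules (1) : 17.5/20
Antitrojan protection (3) : 9.5/20
Filtering security (5) : 12/20
Software load and memory usage (2) : 9.2/20
Network speed (3) : 14/20
Product Internationalization (1) : 15/20
HELP, FAQ (2) : 13.5/20
"""

# "<criterion> (<weight>) : <mark>/20"
LINE = re.compile(r"^(?P<name>.+?)\s*\((?P<weight>\d+)\)\s*:\s*(?P<mark>[\d.]+)/20\s*$")


def parse_grid(text):
    """Return a list of (criterion, weight, mark) tuples, skipping non-matching lines."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m.group("name"), int(m.group("weight")), float(m.group("mark"))))
    return rows


def weighted_total(rows, overrides=None):
    """Weighted mean of the marks out of 20.

    `overrides` maps a criterion name to a replacement weight, which is how a
    re-weighting of the grid can be tried without editing the input text."""
    overrides = overrides or {}
    weights = [overrides.get(name, weight) for name, weight, _ in rows]
    marks = [mark for _, _, mark in rows]
    return sum(w * m for w, m in zip(weights, marks)) / sum(weights)


if __name__ == "__main__":
    rows = parse_grid(EVALUATION)
    print(f"total: {weighted_total(rows):.3f} / 20")
    # Hypothetical re-weighting (this example's choice, not the site's):
    # emphasise the two criteria that directly measure protection.
    heavy = {"Filtering security": 8, "Antitrojan protection": 8}
    print(f"security-heavy total: {weighted_total(rows, heavy):.3f} / 20")
```

With the page's weights the script reproduces the published total of 13.776 / 20; with the security-heavy weighting the mark drops, because the two protection criteria are the ones where this product scored lowest.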

H - References
  1. Nmap - Network mapper, a really efficient tool to check networks
    http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    http://www.netbus.org/

  3. McAfee Desktop Firewall 7.5.1
    Network Associates (McAfee's publisher)
    McAfee Personal Firewall

  4. Leaktest - Small testing program written by Steve Gibson to check firewalls. It makes a simple TCP (ftp) connection that simulates sending personal content, which can also be used to take remote control in reverse mode (arg :-[ ).
    http://grc.com/

 
I - Description of the tests

Key criteria in choosing a personal firewall are :

  • Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface : ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC?

  • Price.

How did we test firewall/intrusion detection efficiency?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

  3. An nmap [1] TCP scan was run to check that incoming ports were really blocked, with another local PC launching nmap against the test PC with the following options (nmap -sT -P0 -O IP_ADDR).

  4. An nmap [1] UDP scan was run to check that incoming ports were really blocked, with another local PC launching nmap against the test PC with the following options (nmap -sU -O IP_ADDR).

  5. A test using Leaktest [4] was done.

  6. New : the tests with other tools inspired by Leaktest (Yalta, Tooleaky, FireHole, Outbound) are now done as well.

  7. We checked the system resource usage of the firewall during the tests (just in case).

  8. The first substitution test : we try to launch a release of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE) modified by us, to check whether the firewall detects the problem.

  9. The second substitution test : we start iexplorer.exe, rename iexplorer.exe to iexplorer.old and rename leaktest.exe to iexplorer.exe :) then try to start it. Be careful : Windows will replace the executable file quite quickly after the first rename. This means that we start a modified release of IEXPLORER.EXE while the original is already running, and check whether the firewall detects it (note that this test is not possible on Windows 9x systems).

  10. New : after many remarks, a network impact test is done. For now the methodology is simple : we compute the ratio of the network transfer speed to the same server with and without the firewall (on a 100 Mb/s local network). Without a firewall we reach 90 Mb/s, near the nominal speed of such a network.
    Each time, 3 measurements are made and we keep the best one to compute the ratio.
    A good firewall shouldn't lower this speed (a loss of at most 5% is acceptable).

NB : these tests do not pretend to be exhaustive. The aim is only to make sure that the tested software offers at least the expected security (or not) for personal use (do not compare this with professional use).
