Firewall Net tests, install & configure
FireWall.net - Guide to install and configure a PC FireWall
 
 

Tests of Steganos Online Shield 1.52

 

A - Overview

The Steganos Online Shield 1.52 firewall[3] is full of interesting features :

  • Better security.


B - Price

30 € (Euros) equiv to US $.


C - Security Efficiency
  1. Test Ping : Not blocked at "Default security". You must use 'High security' to block the pings. This test result is medium.

  2. Test Netbus : Steganos does detect Netbus and blocks (!) the access attempts. This test result is good.

  3. An nmap scan without Steganos Online Shield 1.52 (on Windows 2000 SP1 with a "standard" installation, meaning NetBIOS active and so on) :
    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds

    An nmap TCP scan with Steganos Online Shield 1.52 (on Windows 2000 SP2 with a "standard" installation, meaning NetBIOS active and so on) at "Default security" :
    nmap -sT -O -T4 192.168.85.130


    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Interesting ports on 192.168.85.130:
    (The 1600 ports scanned but not shown below are in state: closed)
    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    1720/tcp filtered H.323/Q.931
    Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP

    Nmap run completed -- 1 IP address (1 host up) scanned in 3.459 seconds


    So "Default security" means no security at all... for TCP...

    At "High security" the results are :

    nmap -sT -O -T4 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Interesting ports on 192.168.85.130:
    (The 1597 ports scanned but not shown below are in state: closed)
    Port State Service
    53/tcp filtered domain
    135/tcp open loc-srv
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    1025/tcp open NFS-or-IIS
    1720/tcp filtered H.323/Q.931
    Remote OS guesses: Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3

    Nmap run completed -- 1 IP address (1 host up) scanned in 4.692 seconds

    Not better...

    You must go to 'Very high security' :
    nmap -sT -O -T4 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    All 1605 scanned ports on 192.168.85.130 are: filtered
    Too many fingerprints match this host for me to give an accurate OS guess

    Nmap run completed -- 1 IP address (1 host up) scanned in 188.088 seconds

    To get effective filtering, you must go up to 'Very high security'.
    Recommendation : unless "Very high security" is used, the TCP filtering is useless.
    This test result is medium.

  4. An nmap UDP scan with Steganos Online Shield 1.52 (on Windows 2000 SP1 with a "standard" installation, meaning NetBIOS active and so on) at "Default security" :

    $ nmap -sU -O IP_ADDR
    nmap -sU -T4 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Interesting ports on 192.168.85.130:
    (The 1463 ports scanned but not shown below are in state: closed)
    Port State Service
    135/udp open loc-srv
    137/udp open netbios-ns
    138/udp open netbios-dgm
    445/udp open microsoft-ds
    500/udp open isakmp

    Nmap run completed -- 1 IP address (1 host up) scanned in 5.168 seconds

    So "Default security" means no security for UDP either...
    NB : at 'High security' we get :

    nmap -sU -T4 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Interesting ports on 192.168.85.130:
    (The 1463 ports scanned but not shown below are in state: closed)
    Port State Service
    135/udp open loc-srv
    137/udp open netbios-ns
    138/udp open netbios-dgm
    445/udp open microsoft-ds
    500/udp open isakmp

    Nmap run completed -- 1 IP address (1 host up) scanned in 5.139 seconds

    So not better either...

    Last but not least, at 'Very high security' :

    nmap -sU -T4 192.168.85.130

    Starting nmap V. 3.10ALPHA4 ( www.insecure.org/nmap/ )
    Interesting ports on 192.168.85.130:
    (The 1463 ports scanned but not shown below are in state: closed)
    Port State Service
    135/udp open loc-srv
    137/udp open netbios-ns
    138/udp open netbios-dgm
    445/udp open microsoft-ds
    500/udp open isakmp

    Nmap run completed -- 1 IP address (1 host up) scanned in 4.953 seconds

    So it's not better...
    This test result is bad.

  5. Test Leaktest : Steganos detects and blocks Leaktest. This test result is good.

  6. Test Yalta : Steganos detects and blocks the Yalta test. This test result is good.

  7. Test Tooleaky : Steganos neither detects nor blocks the Tooleaky test. This test result is bad.

  8. Test FireHole : Steganos neither detects nor blocks the FireHole test. This test result is bad.

  9. Test OutBound : Test result not available

  10. Steganos Online Shield 1.52 shows a single CPU load peak. It uses 5 MB of memory during normal operation and up to 9 MB at peaks.

  11. The substitution test (you can do it yourself : for example, substitute iexplore.exe with leaktest.exe - yes, that one :) - by renaming the latter and running it). Steganos doesn't detect the substitution and lets the trojan connect. This test result is bad.

  12. For the second test (the trojan replaces the executable file while the software is starting) : Steganos doesn't detect the substitution and lets the trojan connect. This test result is bad.

  13. Network speed test : The problem is that SOS blocks our tests (FTP active mode). No ping loss. This test result is bad.
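The nmap results in tests 3 and 4 above are easier to judge when the three security levels are compared mechanically: which ports that are open with no firewall (or at "Default security") are still open at each higher level. The following is an added example, not code from Firewall-net or Steganos; it parses the nmap port-table lines quoted above (the sample input is built from them) and flags a level as holding only when nothing from the baseline remains open. The UDP lines from test 4 can be fed to the same functions.

```python
import re

# Constructed from the port lines quoted in test 3 above (nmap 3.10ALPHA4 -sT output
# at the three Steganos security levels); only the port table / summary lines are kept.
SCANS = {
    "default": """135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1720/tcp filtered H.323/Q.931""",
    "high": """53/tcp filtered domain
135/tcp open loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp open NFS-or-IIS
1720/tcp filtered H.323/Q.931""",
    "very_high": "All 1605 scanned ports on 192.168.85.130 are: filtered",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")
ALL_FILTERED = re.compile(r"^All \d+ scanned ports on \S+ are: filtered")

def parse_ports(text):
    """Map (port, proto) -> (state, service) from nmap's human-readable port table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def open_ports(text):
    """Ports nmap reports 'open': services still reachable through the firewall."""
    return sorted(p for p, (state, _) in parse_ports(text).items() if state == "open")

def compare_levels(scans, baseline="default"):
    """For each level: which baseline-open ports stay open, and whether the level 'holds'.
    A level holds only if nothing open at the baseline is still open. An empty port table
    counts as holding only when nmap's 'All ... are: filtered' summary is present; an empty
    table without that summary means nothing was scanned, not that everything is blocked."""
    base = set(open_ports(scans[baseline]))
    report = {}
    for level, text in scans.items():
        still_open = sorted(base & set(open_ports(text)))
        has_table = bool(parse_ports(text))
        all_filtered = any(ALL_FILTERED.match(ln.strip()) for ln in text.splitlines())
        report[level] = {"still_open": still_open,
                         "holds": not still_open and (has_table or all_filtered)}
    return report
```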

D - Pros 
  • A very light interface (GUI).

  • A light product.

E - Cons
  • Too light a protection, especially with the default configuration.

  • The installation on Windows 2000 is buggy because of the uncertified driver (you must confirm about 10 times), which reminds us of the old Loknstop driver problems.

  • The GUI look and feel is... annoying ; you need good eyes. Colour-blind users, stay away...

F - Suggested improvements
  • Upgrade the security and the filtering. Other upgrades are useless as far as security is concerned.

G - Summary 

Firewall-net is really disappointed by this product's results...
This software must be improved quickly to be able to keep up with the others. If you really want to use it (not recommended), switch to "Very high security".

Evaluation :

  • Installation process (2) : 3/20

  • Configuration, GUI (3) : 13.5/20

  • Import/Export configuration (3) : 0/20

  • Filtering rules (1) : 5/20

  • Antitrojan protection (3) : 8/20

  • Filtering security (5) : 0/20

  • Software load and memory usage (2) : 15.1/20

  • Network speed (3) : 0/20

  • Product Internationalization (1) : 10/20

  • HELP, FAQ (2) : 14/20

Total : 5.748 / 20

Note : the result may change with the release tested, and when new criteria are added or their weight or content is re-evaluated.

H - References
  1. Nmap - Network Mapper, a really efficient tool to check networks.
    http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    http://www.netbus.org/

  3. Steganos Online Shield 1.52
    Steganos

  4. Leaktest - Small test program written by Steve Gibson to check firewalls. It makes a simple TCP (FTP) connection that simulates the sending of personal content, and can also be used to take remote control in reverse mode (argh :-[ ).
    http://grc.com/

 
I - Description of the tests

Key criteria in choosing a personal firewall are :

  • Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?

  • Price.

How did we test firewall/intrusion detection efficiency ?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

  3. An nmap [1] TCP scan was run, to check that incoming ports were really blocked, with another local PC launching nmap against the test PC with the following options (nmap -sT -P0 -O IP_ADDR).

  4. An nmap [1] UDP scan was run, to check that incoming ports were really blocked, with another local PC launching nmap against the test PC with the following options (nmap -sU -O IP_ADDR).

  5. A test using Leaktest [4] was done.

  6. New : tests with other tools inspired by Leaktest are now done as well :
    Yalta, Tooleaky, FireHole, Outbound.

  7. We checked the system resource usage of the firewall during the tests (just in case).

  8. The first substitution test : We try to launch a modified (by us) release of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE ) to check if the firewall detects the problem.

  9. The second substitution test : we start iexplorer.exe, rename iexplorer.exe to iexplorer.old and rename leaktest.exe to iexplorer.exe :) then try to start it. Be careful : Windows will put the executable file back fairly quickly after the first rename. This means that we start a modified release of IEXPLORER.EXE while the original is already running and check if the firewall detects it (note that this test is not possible on Windows 9x systems).

  10. New : After many remarks, a network impact test is done. For the moment the methodology is simple : we compute the ratio of the network transfer speed to the same server with and without the firewall (on a 100 Mb/s local network). Without a firewall we reach 90 Mb/s, near the nominal speed of such a network.
    Each time 3 measurements were taken, and we keep the best one to compute the ratio.
    A good firewall shouldn't lower this speed (a maximum of 5% loss is acceptable).
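The two substitution tests (steps 8 and 9) probe whether the firewall identifies an application by its path alone, which any program dropped at that path can borrow. The defender's fix is to record a hash of the executable when the user approves a rule and re-check it before every outbound decision. The following is an added illustration, not Steganos' or Firewall-net's code; it replays the scenario on constructed files in a temporary directory (no real binaries, and the iexplore.exe name is only a label).

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash an executable in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class OutboundPolicy:
    """Per-application allow-list keyed on path AND the hash recorded at approval time.
    A rule keyed on the path alone is exactly what the two substitution tests defeat."""
    def __init__(self):
        self.rules = {}  # path -> sha256 hex digest recorded when the user approved it

    def approve(self, path):
        self.rules[path] = sha256_file(path)

    def decide(self, path):
        """Return (allowed, reason) for a program at `path` asking to connect out."""
        if path not in self.rules:
            return False, "unknown program: prompt the user"
        if sha256_file(path) != self.rules[path]:
            return False, "executable changed since approval: possible substitution"
        return True, "path and hash match the approved rule"

def demo():
    """Replays the substitution scenario on constructed files (not real binaries):
    returns (decision for the genuine file, decision after another file takes its path)."""
    d = tempfile.mkdtemp()
    browser = os.path.join(d, "iexplore.exe")  # constructed stand-in, not the real browser
    with open(browser, "wb") as f:
        f.write(b"constructed stand-in for the genuine browser")
    policy = OutboundPolicy()
    policy.approve(browser)
    genuine, _ = policy.decide(browser)
    with open(browser, "wb") as f:  # another program now sits at the approved path
        f.write(b"constructed stand-in for a leak-test program")
    substituted, _ = policy.decide(browser)
    return genuine, substituted
```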

NB : These tests do not claim to be exhaustive. Rather, the aim is to make sure that the tested software offers at least the expected security (or not) for personal use (do not compare this to professional use).
