By John Kemp (kemp@ns.uoregon.edu)
It has become increasingly apparent that the Internet is not as benign as it once was. Denial of Service (DoS) attacks, Internet worms, and major web site break-ins have become commonplace events. Because of the heightened level of awareness of these risks, users are now looking for ways to protect themselves from a wide range of attacks.
Traditionally, the best approach for individual protection has been to:
1) make sure you have a good, current backup of critical files, and
2) run antiviral software on a regular basis and keep current with the latest antiviral software updates.
These two practices continue to be excellent forms of individual protection, but personal firewall software is now also available to the average user.
A firewall is a mechanism that's used to control the network traffic seen by one or more computers. The set of rules defined by the administrator constitutes the security policy that the firewall implements. These rules specify what types of traffic are allowed in and out, and which sites are permitted to communicate with the computer. Firewalls can also perform additional tests to screen out unusual types of traffic that might be considered harmful.
Hardware firewalls. Firewalls can be implemented as relatively powerful stand-alone hardware devices. These devices are typically used by organizations that have a high-speed connection to the Internet and large numbers of computers they want to protect.
Software firewalls. Firewalls can also be implemented in a lightweight form as software that can be run on a personal computer. Personal software firewalls typically operate as a "shim" below the normal network driver for the computer, or as a complete replacement for the network driver. After installing personal firewall software, you can specify rules that govern how traffic is passed to and from your machine.
A number of personal security packages are currently on the market which are fairly inexpensive and relatively easy to work with. Each of these packages has a slightly different approach to personal computer security, and many contain not only a software firewall type of component, but also additional tools that may increase computer security. A few of these products are summarized below:
Norton Internet Security 2000
Windows 95/98/NT/2000
Symantec Corporation
http://www.symantec.com
$59.95 list, ($39.95 UO Bookstore)
Despite the reference to the year 2000 in the name, Norton Internet Security 2000 (NIS2000) is also a Windows 95/98 product. Symantec purchased the popular "AtGuard" product from WRQ Inc. and made both cosmetic and substantive improvements to the software. Previous AtGuard users will immediately recognize that AtGuard is really at the core of NIS2000.
Control features. Symantec's user-friendly front-end screen makes initial configuration a simple task. On the back end, the product has numerous controls for packet filtering, cookie blocking, web site filtering, advertisement blocking, and so on. In simple mode, these features can be set to "low," "medium," or "high," but each can be controlled more specifically by using the "Custom Level" menus. Here you can specify whether to allow Java applets or ActiveX controls to run, whether you want to allow cookies (or be prompted for them), and so on. Similarly, in the "Advanced Options" section, you can define specific rules for controlling inbound and outbound TCP, UDP, and ICMP network traffic.
Useful extras. NIS2000 has an excellent statistics monitor window. The window shows all active network connections, as well as summaries for network activity, web filtering, ad blocking, and firewall rule-matching results. The statistics window updates automatically and can be customized. Another plus is the ad-blocking feature. Ad blocking is a great way to optimize network performance on slower connections. For example, if you're a dialin modem user, turning on ad blocking can reduce the amount of data your computer downloads by skipping advertisement banners. Finally, Symantec has done a good job of integrating Norton AntiVirus and NIS2000, so the two products work well together.
Summary. On the minus side, NIS2000 can be fairly complicated to work with due to its large number of features. Working on rules definition in the firewall section, for example, might intimidate some. But overall, NIS2000 is a solid product, and the feature set is more than enough for the average user. The ad blocking, web filtering, and cookie controls are not available in most other products, but depending on your needs, they can be valuable features.
ZoneAlarm 2.1
Windows 95/98/NT (2000 in development)
Zone Labs, Inc.
http://www.zonelabs.com/
Free for nonprofit use
ZoneAlarm has been a popular package for personal network security on Windows 95/98 machines for some time. The product is free for personal and nonprofit use, and its simplicity of operation is also a key selling point.
The ZoneAlarm interface is intuitive: a network traffic meter showing incoming and outgoing network activity is displayed in the system tray. To make interacting with the software quick and easy, the latest version also has a mini-panel interface that can be configured to appear in the toolbar area.
Control features. A "lock" icon pushbutton is used to quickly disable or enable subsequent access to the Internet. Similarly, a "stop" icon pushbutton adds to the lock functionality by also terminating existing connections to the Internet. The lock can be configured to engage when the screen saver is activated, or after any number of minutes of inactivity. The program front panel also shows icons for any running applications that have open network connections.
Traffic management. ZoneAlarm takes a slightly different approach to managing network traffic. The configuration of ZoneAlarm allows the user to specify which applications on the local machine are allowed to open network connections. For each of the applications, the user can specify the scope of machines with which the application is allowed to communicate. These are grouped into two zones: the "Local" zone, and the "Internet" zone. The local zone can also be expanded to include other subnets or machines, based on IP address or subnet address.
The application-centric paradigm makes ZoneAlarm fairly intuitive to use. Once the local zone is defined and an application is launched for the first time, ZoneAlarm prompts the user to decide whether to allow, disallow, or "prompt each time" the application opens a connection to either or both the local and Internet zones. An application can also be set to allow connections from the outside using the "server" setting.
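The application-and-zone model described above can be written out as a small decision function. This is an added example, not Zone Labs code: the class names, rule values, application names and addresses are constructed, and the treatment of inbound connections (blocked unless the application has the "server" setting, then subject to the zone permission) is an assumed ordering.

```python
import ipaddress
from dataclasses import dataclass, field

ALLOW, BLOCK, PROMPT = "allow", "block", "prompt"

@dataclass
class AppRule:
    local: str = PROMPT      # decision for peers in the Local zone
    internet: str = PROMPT   # decision for peers in the Internet zone
    server: bool = False     # may accept connections from the outside

@dataclass
class Policy:
    local_zone: list                      # subnets/hosts added to the Local zone
    apps: dict = field(default_factory=dict)

    def zone(self, peer):
        """Anything not listed in the Local zone is the Internet zone."""
        addr = ipaddress.ip_address(peer)
        in_local = any(addr in net for net in self.local_zone)
        return "local" if in_local else "internet"

    def decide(self, app, peer, inbound=False):
        rule = self.apps.get(app)
        if rule is None:
            # No rule yet: an outbound first launch asks the user,
            # an unsolicited inbound attempt is blocked.
            return BLOCK if inbound else PROMPT
        if inbound and not rule.server:
            return BLOCK                  # application lacks the "server" setting
        return getattr(rule, self.zone(peer))

# Constructed sample policy (documentation address ranges, made-up programs).
POLICY = Policy(
    local_zone=[ipaddress.ip_network("192.0.2.0/24")],
    apps={
        "browser.exe": AppRule(local=ALLOW, internet=ALLOW),
        "fileshare.exe": AppRule(local=ALLOW, internet=BLOCK, server=True),
        "mailer.exe": AppRule(local=ALLOW, internet=PROMPT),
    },
)

if __name__ == "__main__":
    for app, peer, inbound in [("browser.exe", "198.51.100.7", False),
                               ("fileshare.exe", "192.0.2.20", True),
                               ("fileshare.exe", "198.51.100.7", True),
                               ("newapp.exe", "198.51.100.7", False)]:
        print(app, peer, "in" if inbound else "out", POLICY.decide(app, peer, inbound))
```

The third sample line shows why the zone scope matters: an application given the "server" setting for the Local zone is still unreachable from Internet-zone addresses.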
Summary. Overall, ZoneAlarm is a nice product, although it can sometimes be a little rough around the edges and it does have some impact on networking performance. Sophisticated users might wish for the ability to do more complex configuration. But for the average user, ZoneAlarm's ease of use is a real plus. When an unauthorized connection attempt is detected, ZoneAlarm issues a popup alert and blocks the attempt. And having an auto-lockout timer for Internet access is also very convenient. The latest version of ZoneAlarm is also reported to be able to block VBScript attachments, like the ones seen in the recent "ILOVEYOU" trojan/worm. For the price, ZoneAlarm has a feature set that's hard to beat.
BlackICE Defender
BlackICE Defender is perhaps the most unobtrusive of the three personal security packages reviewed here. In normal operation it runs in the background and doesn't call attention to itself.
Settings. Defender is a personal intrusion detection program with an automated blocking mechanism that can lock out sites when it senses an attack. Its security settings are based on IP address and "security level." The four levels available are "Trusting," "Cautious," "Nervous," and "Paranoid." Each of these levels has a predefined set of TCP or UDP ports that are controlled by this setting. (The "Nervous" setting, for example, causes Defender to examine all incoming TCP traffic on all ports, but only incoming UDP traffic on low-numbered ports. In contrast, the "Paranoid" setting examines all incoming traffic on all ports.)
Two lists of IP addresses are also configurable, one containing "trusted" sites, the other containing "blocked" sites. Trusted sites are exempt from all checks. And one other feature, namely the blocking of Microsoft File Sharing over the Internet, is available independent of the security level.
The tasks that Defender performs best are intrusion-detection logging and automated blocking. Defender recognizes a wide range of well-known attacks, ranks them by severity, and only blocks a site when the attack is considered critical. The attack log is detailed and can provide useful information for anyone tracking a specific incident. Each log entry also includes a link to the Network ICE web site, which has detailed information on the specific type of attack. Defender also has a history section that displays graphs of the amount of network traffic, and the number of attacks seen, over a given time period.
Summary. One criticism of BlackICE Defender is that the security controls are fairly coarse. Not being able to precisely control which ports are being allowed or blocked can be frustrating. Another problem is that the Defender installation can be quirky if a machine has more than one network interface. But these drawbacks are usually not critical. A typical user will find that the simplicity of the user interface and the unobtrusive nature of operation of the product more than make up for these shortcomings.
Two other products you might want to explore are:
DoorStop Personal 1.1. (Mac)
Open Door Networks, Inc
http://www.opendoor.com/
$59 (Education discount: $49)
McAfee.com Personal Firewall (formerly Signal9 ConSeal PC Firewall)
McAfee.com Corporation
http://www.mcafee.com/
$49.95