Firewall Net tests, installation & configuration
FireWall.net - Guide to install and configure a PC FireWall
 
 

Tests of Looknstop Firewall v 2.x

 

A - Security effectiveness Tests

Key criteria in choosing a personal firewall are:

  • Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC?

  • Price.

How did we test firewall/intrusion detection effectiveness?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well-known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a non-standard port (to make detection more difficult), the Netbus server was started and connection attempts were made from a remote system.

  3. An nmap [1] scan was run to check that incoming ports were effectively blocked: another PC on the LAN launched nmap against the test PC with the following options (nmap -v -sT -P0 -O IP_ADDR).

  4. An nmap [1] scan was run to check that incoming ports were effectively blocked: another PC on the LAN launched nmap against the test PC with the following options (nmap -v -sP -P0 -O IP_ADDR).

  5. A test using Leaktest [4] was done.

  6. We checked the system resource usage of the firewall during the tests (just in case).

  7. We launched a release of IEXPLORE.EXE (C:\Program Files\Internet Explorer\IEXPLORE.EXE) that we had modified ourselves, to check whether the firewall detects the substitution.

NB: these tests do not claim to be exhaustive. The aim is only to make sure that the tested software offers (or not) at least the security expected for personal use (do not compare this with professional use).


 
B - Overview

The Looknstop v 2.01 beta 01 firewall [3] is full of interesting features:

  • Control access to networking resources: complete access control according to IP address, service, device and direction. For example, you can allow inbound FTP connections on Ethernet device 1 only from some chosen IP addresses (defined with masks or otherwise).

  • Filters all services: file and printer shares, protocols that use Winsock (e.g. SMTP, HTTP), operating system services (e.g. ping, RIP, FTP, Telnet).

  • No special-purpose plug-ins or add-ons have to be installed to let applications or services pass through this firewall.

  • Constant monitoring: works quietly in the background while you use your system, constantly monitoring all traffic in or out of your PC.

  • Rulesets can be exported or transferred between systems with virtually no changes, making universal "corporate" rulesets feasible.

  • Complete logging services: log files record all network activity to help you track down important events.

  • Low-level rules: MAC address (physical layer) rules can be defined and applied, really useful for some LAN operations.

  • Filtering of network software.

C - Prices

Windows 9x: 199 FF (27.95 US$)

Windows 2000: 259 FF (35.95 US$)

 

 
D - Security Effectiveness
  1. Ping: blocked; the result of this test is good.

  2. The Netbus test: Looknstop 2.x does detect the Netbus launch and, unless you authorize it, Netbus is unable to connect (and complains about busy ports), so connection attempts from outside to the Netbus server are not allowed. The result of this test is good.

  3. An nmap scan without Looknstop 2.x (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on):

    $ nmap -v -sT -P0 -O IP_ADDR

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 445 (state open).
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 913 (state open).
    Adding TCP port 139 (state open).

    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled

    Interesting ports on (IP_ADDR):
    (The 1518 ports scanned but not shown below are in state: closed)
    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    913/tcp open unknown
    1025/tcp open listen

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=6634 (Worthy challenge)

    Sequence numbers: 747E9CE8 747F63FC 74800BF5 7480E3FE 7481BC4F 7482B3B2

    Remote operating system guess: Windows 2000 RC1 through final release

    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

    Gulp: you'd better have a firewall installed :+) !!!

    An nmap TCP scan with Looknstop 2.x (on Windows 2000 with a "standard" installation, i.e. NetBIOS active and so on) and the standard ruleset provided gives thousands of logged events, and nmap itself reports only one open TCP port. No mention is made in the logs of a scan or of nmap. It is nevertheless a good result:

    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )

    Host (IP_ADDR) appears to be up ... good.
    Initiating Connect() Scan against (IP_ADDR)
    Adding TCP port 1025 (state open).
    The Connect() Scan took 148 seconds to scan 1542 ports.

    For OSScan assuming that port 1025 is open and port 113 is closed and neither are firewalled Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    For OSScan assuming that port 1025 is open and port 113 is closed and neither are firewalled Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    For OSScan assuming that port 1025 is open and port 113 is closed and neither are firewalled Insufficient responses for TCP sequencing (0), OS detection may be less accurate

    Interesting ports on (IP_ADDR): (The 1164 ports scanned but not shown below are in state: filtered)
    Port State Service
    113/tcp closed auth
    1024/tcp closed kdm
    1025/tcp open listen
    1026/tcp closed nterm
    1030/tcp closed iad1
    1031/tcp closed iad2
    1032/tcp closed iad3
    ...
    4672/tcp closed rfa
    5000/tcp closed fics

    Too many fingerprints match this host for me to give an accurate OS guess TCP/IP fingerprint:
    SInfo(V=2.54BETA22%P=i686-pc-linux-gnu%D=4/24%Time=3AE50ADB%O=1025%C=113)
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 182 seconds


    Therefore, tight effective security is possible with Looknstop, if configured correctly.

  4. An nmap UDP scan with Looknstop 2.x (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) gives:

    $ nmap -sU -P0 IP_ADDR

    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    All 1453 scanned ports on (IP_ADDR) are: filtered

    Nmap run completed -- 1 IP address (1 host up) scanned in 1765 seconds


    No port seems open and the attempts are logged. This is a good result.

  5. The Leaktest: Looknstop does detect the software start (as with Netbus), and the connection attempt is filtered. The result of this test is good.

  6. In normal operation Looknstop uses at most 3 %. Memory usage is 4 MB, with peaks up to 10 MB.

  7. The substitution test (you can do it yourself: for example, replace IEXPLORE.EXE with leaktest.exe, yes that one, by renaming the latter and launching it).
    Looknstop detects the application modification when the application is not already started: this is a good result.
    Looknstop doesn't detect the modification when the application is already running: this one is a bad result.

  8. The stateful test: Looknstop seems stateful (the nmap test doesn't prove it):

    $ nmap -sA -P0 IP_ADDR
    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    All 1542 scanned ports on (IP_ADDR) are: filtered

    Nmap run completed -- 1 IP address (1 host up) scanned in 2131 seconds
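
As an added example (not part of the original review), a small Python script that turns nmap 2.5x text output like the runs above into open/closed/filtered counts and a good/bad verdict, so before/after-firewall scans can be compared mechanically. The samples are constructed and abridged from the three Windows 2000 scans in this section; the function names and the choice to treat port 1025 as the one accepted open port are our own.

```python
import re
from collections import Counter

# nmap 2.5x lists one line per "interesting" port and folds the rest into a summary
# line ("The N ports ... are in state: X" or "All N scanned ports on ... are: X").
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")
HIDDEN = re.compile(r"The (\d+) ports scanned but not shown below are in state: (\w+)")
ALL_SAME = re.compile(r"All (\d+) scanned ports on .+ are: (\w+)")

def summarise(nmap_text):
    """Return (Counter of port states, sorted list of open port numbers)."""
    counts, open_ports = Counter(), []
    for line in nmap_text.splitlines():
        line = line.strip()
        m = PORT_LINE.match(line)
        if m:
            counts[m.group(3)] += 1
            if m.group(3) == "open":
                open_ports.append(int(m.group(1)))
            continue
        m = HIDDEN.search(line) or ALL_SAME.search(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts, sorted(open_ports)

def verdict(nmap_text, allowed=()):
    """'good' when nothing is open except ports deliberately allowed by the ruleset."""
    _, open_ports = summarise(nmap_text)
    unexpected = [p for p in open_ports if p not in allowed]
    return "good" if not unexpected else "bad: unexpected open ports %s" % unexpected

# Constructed samples, abridged from the three Windows 2000 scans in this section.
NO_FIREWALL = """(The 1518 ports scanned but not shown below are in state: closed)
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
913/tcp open unknown
1025/tcp open listen
"""
TCP_WITH_FIREWALL = """(The 1164 ports scanned but not shown below are in state: filtered)
113/tcp closed auth
1025/tcp open listen
5000/tcp closed fics
"""
UDP_WITH_FIREWALL = "All 1453 scanned ports on (IP_ADDR) are: filtered\n"

if __name__ == "__main__":
    for name, text in [("no firewall", NO_FIREWALL), ("tcp", TCP_WITH_FIREWALL), ("udp", UDP_WITH_FIREWALL)]:
        print("%-12s %s -> %s" % (name, dict(summarise(text)[0]), verdict(text, allowed=(1025,))))
```

Run against a real scan by reading the saved nmap output from a file and passing it to verdict with the ports your ruleset intentionally exposes.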

E - Advantages 
  1. Rules can be applied to specific dial-up connections or linked to a modem.

  2. The logging window is useful. It gives a complete packet analysis, including the packet content and header and the rule that blocked it, so it is perhaps the best result you could have with personal firewall software. The Options tab lets you set the log content.

  3. The ruleset can be saved, loaded and exported!!!

  4. The size: 368 KB to download!!

  5. The GUI, website and help are provided in English and are really good!!!!!!!!!!

  6. Network software detection.

  7. Internationalized product (also exists in French).

F - Disadvantages
  1. The log file content is really poor compared with the log window, which is really bad for after-the-fact analysis.

  2. On Windows 2000 the rules can only be applied to one network attachment (I think this is a little bit weird, but not really dangerous). The authors say you can run one instance per interface (not tested, but this is a little bit strange).

  3. The intrusion detection could be improved with:

    • a security analysis, with a comment written on the log line (a comment saved with the rejecting rule, for example),

    • detection of port scans: they are not detected and analysed as such, only an individual port report is produced (long and heavy, but at least complete),

    • source tracking, which is not offered (is this really useful?).

  4. The driver install and uninstall remain hazardous with Windows 2000.

  5. The price!

G - Suggested improvements
  • Provide a rule learning window.

  • Allow the user to change the column order in the rule window.

  • Create a list of sample rules that the user can add/remove. Rules that are easy for users to understand, like: "Allow computer to be visible in Network Neighborhood," "Allow other hosts to detect your presence (ping)," "Allow Filesharing," "Allow accessing of remote Fileshares," etc.
    Note: sample rulesets are available from the website!

  • Allow importing/exporting one or more rules (and not only the whole ruleset).

  • Optional password protection.

  • Separate the administration module (GUI) from the filtering module.

  • Improve the software install and uninstall (mostly the driver part).

  • Mark the detected network software with an MD5 hash, or at least show that this function is used (confirm its existence).

H - Summary 

A powerful, flexible firewall that expert users and beginners may very well appreciate.


Nearly perfect: it has what Conseal lacks, and is really more efficient than Conseal!!!!

Some real improvements since release 1.0, but there still remains work to do to reach the market level.

Evaluation :

  • Installation process (2): 15/20

  • Configuration, GUI (3): 15/20

  • Filtering security (5): 15/20

  • Additional security (3): 15/20

  • Software load and memory usage (2): 12/20

  • Import/Export configuration (2): 15/20

  • Help, FAQ (2): 15/20

  • Product internationalization (1): 15/20

Total : 14.2 / 20

Note: the result may change with the release, and when new criteria are added or their weight or content is re-evaluated.

 
I - References
  1. Nmap - Network Mapper, a really efficient tool to check networks
    http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    http://www.netbus.org/

  3. Looknstop 2
    http://www.looknstop.com/

  4. Leaktest - Small test program written by Steve Gibson to check firewalls. It makes a simple TCP (FTP) connection that simulates the sending of personal content; it could also be used to take remote control in reverse mode (argh).
    http://grc.com/