Personal firewalls vs. Stealth Test, part II
August 12, 2002
Almost six months ago we tested leading personal firewalls with our Stealth test. The results were surprising: only four firewalls were able to pass the test. Now we have decided to check whether the other developers have improved their products.
As a reminder, the Stealth Test lets you determine whether your firewall succeeds in making your computer "stealthed". A "stealthed" system is invisible to others on the Internet, so it is harder for intruders to detect such a system and thus far harder to attack it. Of course, a "stealthed" system is not an absolutely safe system, and we should not overrate it, but it is the first barrier a firewall puts up to stop intruders, and it is better if this barrier works.
The Stealth test uses five scanning techniques: TCP ping, TCP NULL scanning, TCP FIN scanning, TCP XMAS scanning and UDP scanning. For each technique the test creates a packet and sends it to port number 1 of your system. If your firewall drops the packet and does not send any response, your computer is "stealthed". If there is any response from your system, your computer is "non-stealthed" and your firewall has failed this test.
Here are the descriptions of each packet:
- TCP ping packet
Description: A uniquely configured TCP packet with the ACK flag set.
- TCP NULL packet
Description: A uniquely configured TCP packet that contains a sequence number but no flags.
- TCP FIN packet
Description: TCP FIN scanning is able to pass undetected through most personal firewalls, packet filters, and scan detection programs. The scan uses a TCP packet with the FIN flag set.
- TCP XMAS packet
Description: A TCP packet with the URG, PUSH (PSH) and FIN flags set.
- UDP packet
Description: A uniquely configured UDP packet with an empty datagram.
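The flag patterns above are easy to recognise on the receiving side. The following sketch is an added example, not part of the original test or of any tested product: it labels captured TCP headers with the probe type from the list above and applies the article's one-point-per-silent-probe scoring. The function names, the `known_flow` parameter and the sample packets and replies are constructed for illustration.

```python
import struct

# TCP flag bits (RFC 793); they occupy the low six bits of header byte 13.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag patterns of the four TCP probes the article describes.
PROBES = {ACK: "TCP ping", 0: "TCP NULL", FIN: "TCP FIN", URG | PSH | FIN: "TCP XMAS"}

def tcp_header(sport, dport, seq, flags):
    """Constructed 20-byte TCP header for the samples (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)

def classify(header, known_flow=False):
    """Return (dst_port, probe_name); probe_name is None for ordinary traffic.

    A bare ACK is normal inside an established connection, so it only counts
    as a "TCP ping" when the caller has no connection state for the flow.
    """
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIBBHHH", header[:20])
    dport, flags = fields[1], fields[5] & 0x3F
    name = PROBES.get(flags)
    if name == "TCP ping" and known_flow:
        name = None
    return dport, name

def score(replies):
    """Article's scoring: one point per probe that drew no reply at all."""
    return sum(1 for reply in replies.values() if reply is None)

if __name__ == "__main__":
    for flags in (ACK, 0, FIN, URG | PSH | FIN, SYN, FIN | ACK):
        print(classify(tcp_header(40000, 1, 7, flags)))
    # Constructed observations: reply seen for each probe, None = silence.
    observed = {"TCP ping": None, "TCP NULL": None, "TCP FIN": "RST",
                "TCP XMAS": "RST", "UDP": "ICMP port unreachable"}
    print(score(observed), "of", len(observed), "probes stealthed")
```

An RST for the TCP probes and an ICMP port-unreachable message for the UDP probe are the replies an unfiltered host normally gives for a closed port, which is why any of them marks the system as "non-stealthed".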
Selected tools
We selected and downloaded ten leading personal firewalls for our test. Each firewall was tested with default settings.
Firewalls vs Stealth Test
| Firewall | TCP ping | TCP NULL | TCP FIN | TCP XMAS | UDP |
| Deerfield, ver. 3.0 | | | | | |
| Kerio, ver. 2.1.4 | | | | | |
| Look'n'Stop Lite, ver. 1.04 beta1 | | | | | |
| Look'n'Stop, ver. 2.03 | | | | | |
| McAfee, ver. 3.02.1029.0 | | | | | |
| Norman personal firewall, ver. 1.20 | | | | | |
| Norton Personal Firewall 2002 | | | | | |
| Outpost, ver. 1.0.1817.1645 | | | | | |
| Sygate, ver. 5.0 b1117 | | | | | |
| Tiny personal firewall, ver. 3.0 | | | | | |
| ZoneAlarm Pro, ver. 3.0.133 | | | | | |
| ZoneAlarm Plus, ver. 3.1.274 | | | | | |
Legend: "stealthed" / "non-stealthed" (the result icons in the table cells are not preserved)
After the test, each firewall was given one point for each "stealthed" result. Here are the standings:
| Firewall | Points |
| Kerio | 5 |
| Look'n'Stop Pro and Lite | 5 |
| McAfee | 5 |
| Outpost | 5 |
| Sygate | 5 |
| Tiny | 5 |
| ZoneAlarm Pro and Plus | 5 |
| Deerfield | 2 |
| Norman personal firewall | 0 |
| Norton personal firewall | 0 |
Important notes:
- Now only three firewalls fail the test: Deerfield, Norman and Norton;
- Tiny personal firewall and McAfee firewall now pass the test;
- Unexpectedly, Norton still fails the test; hopefully Symantec will fix this soon;
- All firewalls were tested "out of the box" with default settings; however, the firewalls that failed the test cannot be configured to pass it.