PC Flank challenges firewalls!
February 11, 2002
Recently we at PC Flank released the Stealth Test, which lets you determine whether your firewall succeeds in making your computer "stealthed". A "stealthed" system is invisible to others on the Internet, so it is harder for intruders to detect and thus far harder to attack. A "stealthed" system is not an absolutely safe system, and we should not overrate it, but it is the first barrier a firewall puts up to stop intruders, and it is better if this barrier works.
The Stealth Test uses five scanning techniques: TCP ping, TCP NULL scanning, TCP FIN scanning, TCP XMAS scanning and UDP scanning. With each technique the test creates a packet and sends it to port number 1 of your system. If your firewall drops the packet and sends no response, your computer is "stealthed". If there is any response from your system, your computer is "non-stealthed" and your firewall has failed this test.
Here are the descriptions of each packet:
- TCP ping packet
Description: A uniquely configured TCP packet with the ACK flag.
- TCP NULL packet
Description: A uniquely configured TCP packet that contains a sequence number but no flags.
- TCP FIN packet
Description: TCP FIN scanning is able to pass undetected through most personal firewalls, packet filters, and scan detection programs. The scan uses a TCP packet with the FIN flag.
- TCP XMAS packet
Description: A TCP packet with the URG, PUSH (PSH) and FIN flags.
- UDP packet
Description: A uniquely configured UDP packet with an empty datagram.
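On the defending side, the five probe types described above can be recognised from header fields alone. The following is an added example, not PC Flank's code: it classifies raw TCP and UDP headers by the flag combinations listed above and applies the test's pass criterion (any reply means "non-stealthed"). The function names, the constructed sample observations and the assumption that every observed packet is unsolicited (a bare ACK is also normal inside an established connection) are assumptions of this example.

```python
import struct

FIN, PSH, ACK, URG = 0x01, 0x08, 0x10, 0x20  # flag bits, byte 13 of the TCP header
TCP_PROBES = {ACK: "TCP ping", 0: "TCP NULL", FIN: "TCP FIN",
              FIN | PSH | URG: "TCP XMAS"}

def classify(proto, header):
    """Return (dst_port, probe_name or None) for a raw TCP or UDP header."""
    if proto == "tcp":
        if len(header) < 20:
            raise ValueError("truncated TCP header")
        dst, flags = struct.unpack("!2xH9xB", header[:14])
        # Assumption: the packet is unsolicited (no matching connection state)
        return dst, TCP_PROBES.get(flags & 0x3F)  # mask off the ECN bits
    if proto == "udp":
        if len(header) < 8:
            raise ValueError("truncated UDP header")
        dst, length = struct.unpack("!2xHH", header[:6])
        return dst, "UDP" if length == 8 else None  # length 8 = header, no data
    raise ValueError("unsupported protocol")

def score(observations):
    """observations: (proto, header, reply) tuples; reply None = packet dropped.
    One point per probe type that drew no reply at all."""
    results = {}
    for proto, header, reply in observations:
        _, probe = classify(proto, header)
        if probe is None:
            continue  # not one of the five probe types
        if reply is not None:
            results[probe] = "non-stealthed"  # any reply fails that probe
        else:
            results.setdefault(probe, "stealthed")
    return results, sum(v == "stealthed" for v in results.values())

def tcp(flags, dport=1):  # constructed 20-byte TCP header
    return struct.pack("!HHIIBBHHH", 40000, dport, 12345, 0, 5 << 4, flags, 1024, 0, 0)

def udp(dport=1):  # constructed 8-byte UDP header with no payload
    return struct.pack("!HHHH", 40000, dport, 8, 0)

# Constructed observations for a hypothetical firewall (not results from the article)
SAMPLE = [("tcp", tcp(ACK), None), ("tcp", tcp(0), None),
          ("tcp", tcp(FIN), "RST"), ("tcp", tcp(FIN | PSH | URG), None),
          ("udp", udp(), "ICMP port unreachable"),
          ("tcp", tcp(0x02), "RST")]  # plain SYN: not one of the five probes

if __name__ == "__main__":
    print(score(SAMPLE))
```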
Selected tools
We selected and downloaded eight leading personal firewalls for our test. Each firewall was tested with its default settings.
Firewalls vs Stealth Test
| Firewall | TCP ping | TCP NULL | TCP FIN | TCP XMAS | UDP |
| Agnitum Outpost, ver. 1.0.1420 RC1 | | | | | |
| AtGuard, ver. 3.22 | | | | | |
| BlackIce, ver. 2.9.cai | | | | | |
| Look'n'Stop, ver. 2.02 | | | | | |
| Norton Personal Firewall 2002 | | | | | |
| Sygate, ver. 4.2.872 | | | | | |
| Tiny personal firewall, ver. 2.15 | | | | | |
| ZoneAlarm, ver. 2.6.357 | | | | | |
- "stealthed"
- "non-stealthed"
After the test, each firewall was given a point for each "stealthed" result. Here are the standings:
| Firewall | Points |
| Agnitum Outpost | 5 |
| Look'n'Stop | 5 |
| Sygate | 5 |
| ZoneAlarm | 5 |
| BlackIce | 4 |
| Tiny personal firewall | 1 |
| AtGuard | 0 |
| Norton personal firewall | 0 |
Important notes:
- Unexpectedly, only four firewalls were able to pass the test: Agnitum Outpost, Look'n'Stop, Sygate and ZoneAlarm. This means that only these firewalls are able to make your system invisible to others on the Internet;
- Popular and trusted firewalls such as Tiny and Norton failed the test;
- All firewall vendors were notified about the test and its results, so that they can fix the flaw.
We will re-test the firewalls as soon as most developers release new versions or updates.