Ottawa PC Users' Group, Inc.
Product Review


PGPfire 7.1 
Chris Taylor

It is an unfortunate reality that, if you connect to the Internet and haven't done anything to protect your machine, you are a target and you will be attacked. How much damage you sustain depends on the configuration of your computer and the skill and aims of the attacker. One way to protect your computer is to use a hardware router such as the LinkSys which I reviewed earlier this year (see opcug.ottawa.com/public/reviews/etherfast.htm). Another option is to use a personal firewall product or an intrusion detection system (IDS). I've reviewed a couple of these programs over the past few years.

Firewalls started out at the corporate level a number of years ago. They were complex to configure and typically very expensive. Fortunately, vendors realized the need to provide a cost-effective solution for home use. Unfortunately, unless you know what you should be looking for, it can be difficult to pick out the product that protects adequately. You can get a false sense of security if you choose poorly.

An intrusion detection system (IDS), such as BlackICE Defender, looks for known attack patterns. If you want configurable protection, an IDS is generally a poor choice. It will rarely allow you to block all traffic initiated from the Internet and will almost never block outbound traffic. But it does provide protection from the specific attacks it knows about. Inadequate as your sole protection, an IDS can nonetheless be very valuable in combination with a firewall.

Most personal firewalls are packet filters. They look in the header of packets for the source and destination addresses and port numbers and protocol. Based on this information, they allow or deny traffic according to rules, either automatically configured or configured by the user. 

A stateful inspection firewall goes further by also looking inside packets and examining them in context. They can do things like detect HTTP (web) traffic on non-standard ports or block a particular combination of FTP PORT commands that you decide you don't want to allow. It is the most powerful type of firewall, as well as the most difficult to configure. I don't know of any personal firewall products that do stateful inspection.

Some personal firewalls have a learning mode that can detect inbound and outbound traffic and ask you if you want to allow the traffic. Lack of learning mode generally means that the software allows all outbound traffic. This can be dangerous. If you somehow get a trojan program installed on your machine, it can initiate a connection to an attacker's computer. The attacker can use the connection to do anything their trojan program is designed to do, such as remote control of your computer. Your firewall allows the traffic because your computer initiated the connection.

PGPfire 7.1, part of the PGP suite of security tools, seems to be a very nice balance of the various firewall options available to home users. It has an IDS and an easy-to-configure packet filter firewall. It has some base configurations with varying degrees of protection and a learning mode to handle traffic not covered by an existing rule.

When PGPfire is first installed, the firewall is disabled, which seemed a little strange to me. Once enabled, all traffic in and out of your computer is blocked unless covered by a rule.

You can select from any of the predefined firewall settings or choose to create a custom configuration. The predefined levels are "minimal", two client levels, two server levels, and the default - "Learning Starter". The manual gives a good description of the levels. Any of the predefined levels may also be used as a starting point for a custom configuration, speeding overall configuration.

With learning mode turned on, when a program on your computer tries to access a remote address for the first time, PGPfire displays a dialog box with the application name and path, version number and vendor. It reports the IP address and port number the app is trying to access along with the name of the service typically used by that port, such as FTP for port 21 or World Wide Web for port 80. You choose to allow or deny the access. PGPfire then creates a rule to handle this application accordingly in the future.

If someone or something is trying to connect to your computer, the pop-up notification identifies the local program the remote process is trying to connect to along with the remote and local port numbers and the remote IP address. You can allow or deny the connection and a rule is created for the application being accessed.

PGPfire considers more than just the application name and will not automatically permit access if the program is not the same as when the rule was created. This is good protection against a trojan program being substituted for a trusted application.
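The review does not say what PGPfire compares beyond the application name, so the following is an added illustration, not PGPfire's code, of one common way a firewall can bind a rule to the program itself rather than to its path: record a hash of the executable when the rule is learned and re-prompt if the file at that path has changed. The file contents and the "mail.exe" name are constructed for the example.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """SHA-256 of the file at path, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppRules:
    """Learning-mode rules keyed by application path, each bound to the binary's hash."""

    def __init__(self):
        self._rules = {}  # path -> (action, fingerprint at the time the rule was created)

    def learn(self, path, action):
        self._rules[path] = (action, fingerprint(path))

    def decide(self, path):
        """Return 'allow'/'block' for a known, unchanged program, or 'ask' to re-prompt the user."""
        if path not in self._rules:
            return "ask"                      # no rule yet: learning mode asks
        action, recorded = self._rules[path]
        if fingerprint(path) != recorded:
            return "ask"                      # same name and path, different program: do not trust the old rule
        return action


def demo():
    """Constructed scenario: learn a rule, then replace the binary at the same path."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "mail.exe")     # hypothetical application path
        with open(exe, "wb") as f:
            f.write(b"MZ constructed original mail client bytes")
        rules = AppRules()
        first = rules.decide(exe)             # unknown program -> "ask"
        rules.learn(exe, "allow")
        second = rules.decide(exe)            # unchanged program -> "allow"
        with open(exe, "wb") as f:
            f.write(b"MZ constructed replacement at the same path")
        third = rules.decide(exe)             # hash no longer matches -> "ask"
    return (first, second, third)


if __name__ == "__main__":
    print(demo())
```

Keying the rule on the hash rather than the name is what defeats the substitution the review mentions: a program dropped in at a trusted path inherits nothing from the rule made for the original.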

You should review any automatically-created rule. They are typically pretty broad rules and this may not be what you really want to permit. By default, the rule will allow traffic to or from the specified local application (depending on whether the connection was initiated by the application on your local machine or from a remote address) with any external IP address using any protocol and any port. While this is usually OK, it is worth considering. Fortunately, it is quite simple to modify rules.

To edit the properties for a rule, double-click the rule in the rules list. You can specify if the rule allows or blocks traffic. You can set the protocol (ICMP, IGMP, TCP, UDP, IPsec ESP, IPsec AH, or All), and the direction (inbound, outbound traffic, or both). If applicable, you can specify the local application you want to allow to access remote resources or allow connections from the network. You can specify the local or remote service by service name or port. This is not a stateful inspection firewall. The list of services is there as a convenience so that you don't have to remember things like which port POP3 normally uses (110). When you specify a service, you are really specifying the port number. You can restrict the remote IP address this rule applies to by specifying a single address, a range of addresses or a complete subnet.
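To make the rule fields above concrete, here is an added Python sketch of a packet-filter rule engine with the same fields the review lists (action, protocol, direction, local application, remote port by service name or number, remote address as a single host, range or subnet). It is not PGPfire's code; the application path, addresses and the service table are constructed for the example. The demo contrasts the broad rule learning mode would create for a mail client (any address, any protocol, any port) with a hand-tightened one, which is the point of the review's advice to look at auto-created rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service-name convenience table: a name is only a stand-in for a port number.
SERVICES = {"ftp": 21, "smtp": 25, "http": 80, "pop3": 110, "https": 443}


def port_for(service_or_port):
    """Accept either a port number or a service name from the table."""
    if isinstance(service_or_port, int):
        return service_or_port
    return SERVICES[service_or_port.lower()]


def _in_net(spec, ip):
    """spec is a single address, a CIDR subnet, or an 'a-b' address range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


@dataclass
class Packet:
    app: str                 # local application path
    direction: str           # "inbound" or "outbound"
    protocol: str            # "TCP", "UDP", "ICMP", ...
    remote_ip: str
    remote_port: Optional[int]


@dataclass
class Rule:
    action: str                          # "allow" or "block"
    app: Optional[str] = None            # None = any application
    protocol: str = "All"
    direction: str = "both"
    remote_port: Optional[int] = None    # None = any port
    remote_net: Optional[str] = None     # None = any remote address

    def matches(self, pkt):
        if self.app is not None and self.app != pkt.app:
            return False
        if self.protocol != "All" and self.protocol != pkt.protocol:
            return False
        if self.direction != "both" and self.direction != pkt.direction:
            return False
        if self.remote_port is not None and self.remote_port != pkt.remote_port:
            return False
        if self.remote_net is not None and not _in_net(self.remote_net, pkt.remote_ip):
            return False
        return True


def evaluate(rules, pkt, default="block"):
    """First matching rule wins; traffic not covered by any rule is blocked."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


APP = r"C:\Program Files\Mail\mail.exe"   # hypothetical mail client path

# What learning mode would record after one "allow" on an outbound connection.
BROAD = [Rule("allow", app=APP, direction="outbound")]

# The same rule narrowed to what the mail client actually needs (constructed subnet).
TIGHT = [Rule("allow", app=APP, protocol="TCP", direction="outbound",
              remote_port=port_for("pop3"), remote_net="192.0.2.0/24")]


def demo():
    mail = Packet(APP, "outbound", "TCP", "192.0.2.10", 110)        # expected POP3 fetch
    odd = Packet(APP, "outbound", "TCP", "198.51.100.7", 6667)      # same app, unexpected destination
    inbound = Packet(APP, "inbound", "TCP", "198.51.100.7", 110)    # unsolicited connection to the app
    return {
        "broad_mail": evaluate(BROAD, mail), "broad_odd": evaluate(BROAD, odd),
        "broad_inbound": evaluate(BROAD, inbound),
        "tight_mail": evaluate(TIGHT, mail), "tight_odd": evaluate(TIGHT, odd),
        "tight_inbound": evaluate(TIGHT, inbound),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The broad rule lets the mail client reach any port on any host, which is exactly what a program that has been subverted would use; the tightened rule keeps the working case and blocks the rest without touching the default-deny behaviour.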

One thing that PGPfire does not provide that some other personal firewall products do is to permit or deny access for a limited time or current connection only. PGPfire rules stay in effect until you manually change the rule by modifying, disabling or deleting it.

PGPfire also has an Intrusion Detection System. While nowhere near as comprehensive as a dedicated IDS such as BlackICE Defender, it is a handy addition to this package. The manual lists 17 attacks the IDS can protect you from, including Back Orifice, IP Spoofing, Ping of Death, Port Scanning, Smurf, and Winnuke. There is no indication of any way that this list can be updated to cover new attack types. If you choose, any of the filter rules on the Firewall tab can be set to be considered an intrusion.

You can configure the IDS to block the attacking source for a specified number of minutes or until you manually clear it. PGPfire can also send you an email about the attack and provide a visible or audible alarm. While I personally think it is a waste of time, you can also attempt to trace an attacker. PGPfire can attempt to find out the DNS and NetBIOS names. If the attacker is running services, PGPfire can pick up the banner from Telnet, FTP and SMTP services as well as the HTTP version. Finally, it will run a WHOIS to attempt to learn more about the attacker.

You can also manually add addresses to the Intruder list if you want to block all traffic between your computer and a particular host.
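The two blocking behaviours described above, a timed block and a block that lasts until you clear it, are shown here as an added Python example (not PGPfire's own code). The intruder list is consulted before any firewall rule, so a listed address is dropped in both directions; the clock is injectable so the expiry can be checked without waiting, and the sample addresses are constructed.

```python
import time

UNTIL_CLEARED = None  # sentinel: block stays until manually removed


class IntruderList:
    """Addresses to drop outright, each with an optional expiry time."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._expiry = {}  # ip -> monotonic expiry time, or None for "until cleared"

    def block(self, ip, minutes=UNTIL_CLEARED):
        """Block ip for the given number of minutes, or indefinitely when minutes is None."""
        self._expiry[ip] = None if minutes is None else self._clock() + minutes * 60

    def clear(self, ip):
        """Manual removal; the only way out for an 'until cleared' entry."""
        self._expiry.pop(ip, None)

    def is_blocked(self, ip):
        if ip not in self._expiry:
            return False
        expiry = self._expiry[ip]
        if expiry is not None and self._clock() >= expiry:
            del self._expiry[ip]          # timed block has lapsed: expire it lazily
            return False
        return True


def demo():
    """Constructed walk-through using a fake clock so the timing is deterministic."""
    now = [0.0]
    intruders = IntruderList(clock=lambda: now[0])
    intruders.block("198.51.100.7", minutes=10)        # detected scan: block for 10 minutes
    intruders.block("203.0.113.9")                     # manually added host: block until cleared
    timeline = []
    timeline.append(intruders.is_blocked("198.51.100.7"))   # t=0: blocked
    now[0] = 599.0
    timeline.append(intruders.is_blocked("198.51.100.7"))   # just under 10 min: still blocked
    now[0] = 600.0
    timeline.append(intruders.is_blocked("198.51.100.7"))   # 10 min elapsed: released
    now[0] = 10_000.0
    timeline.append(intruders.is_blocked("203.0.113.9"))    # no expiry: still blocked
    intruders.clear("203.0.113.9")
    timeline.append(intruders.is_blocked("203.0.113.9"))    # cleared by hand
    return timeline


if __name__ == "__main__":
    print(demo())
```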

PGPfire 7.1 requires a minimum of a Pentium 166 with 32MB RAM running Win98/ME or 64MB RAM running WinNT4/2K. On my Win2K system, it generally uses about 4MB RAM and about 10MB disk space. CPU utilization is minimal. The price is CAN$105 from the PGP web site. A 30-day trial version may be downloaded from www.pgp.com.

All in all, I think PGPfire is a very nice personal firewall. Is it worth spending $105 when there are "free for personal use" firewalls available, such as Zone Alarm and Tiny Personal Firewall? Check the feature list of those other products. If they satisfy all your requirements, there is little reason to spend money on PGPfire. But don't underestimate your needs when protecting your computer.



Bottom Line: 

PGPfire 7.1
CAN$105
from PGP web site
Web site: http://www.pgp.com


Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews may not necessarily
represent the views of the OPCUG or its members.