Hackers come in all flavors. Many are simply curious folks who want to find out how a program or system works.
They may not do any harm, and some even provide a service by discovering programming bugs and helping fix them.
But malicious or criminal hackers use their skills for devious purposes. Criminal hacking incidents can range from
obnoxious to destructive. The latter category includes "denial-of-service" attacks, like those that shut down the
eBay and Yahoo Web sites in February 2000 when hackers bombarded the sites with data and caused the companies'
servers to crash. Is your PC likely to suffer such a massive attack? If you're an individual or small-business user,
probably not.
Hacking individual PCs remains a fairly rare phenomenon. Your chances of suffering some type of Internet vandalism
are rising, however, especially if you have an uninterrupted, dedicated connection like DSL or cable modem.
Fortunately, you can take some simple steps to protect yourself. For most Internet users, changing a few settings,
installing a good personal firewall, maintaining updated antivirus software, and using common sense will provide
reasonable protection for a small cost.
How do malicious hackers cause damage? They have access to increasingly sophisticated automated software tools that
scour the Internet for vulnerable PCs. The tools locate an individual machine by its Internet Protocol address, a
unique number that identifies a computer on the Net. Most computers equipped with dial-up connections have dynamic
IP addresses: The Internet service provider assigns them a new IP address each time their users log on. By contrast,
many high-speed connections, like DSL and some cable modem services, use constant or "static" IP addresses, and even
broadband providers that assign addresses dynamically tend to hand back the same one for days or weeks, because the
connection is never dropped. In the unlikely event that a hacker decides to target you specifically, such a stable
address makes it easy to find your machine again.
An IP address identifies a computer but doesn't provide a way inside. To get in, the hacker must find an open port,
or connection point. Think of an IP address as a computer's switchboard number and a port as an individual phone
extension. A port is open only when some program on your PC is listening on it, waiting for connections, and that
program defines what the port does. Web servers, for example, generally listen on port 80, while FTP servers take
commands on port 21. Once they've targeted an IP address, hackers scan the machine for open ports, and an open port
is only as safe as the program behind it.
Malicious hackers may also trick users into opening ports by sending Trojan horses. Mimicking the tactic invented
by the wily Greek invaders of Troy, Trojan horses hide damaging cargo within a seemingly benign shell--in this case,
an e-mail attachment or a download. When you double-click and open the shell, the hidden program sneaks out to wreak
havoc on your computer. One of the best-known Trojan horses is "Back Orifice." (The name is a play on Microsoft's
BackOffice network administration software.) Back Orifice surreptitiously opens a port on your PC that a hacker can
then exploit to take control of your machine remotely.
So how can Windows users protect themselves? Before you install any new software, you should perform some simple
housekeeping on your operating system to make it safer. The first step is to check the Microsoft Web site for security
updates and patches. If you have Windows 9x, Windows NT, or Windows 2000 Professional, point your browser to the
Windows Update site and follow the links there to find the updates for your particular operating system.
In addition, David Ursino, Microsoft's product manager for the new Windows Millennium Edition, recommends disabling
the File and Printer Sharing option that provides other computers access to a machine running any version of Windows.
Go to Start, Settings, Control Panel and double-click the Network icon. In the dialog box that opens, search the list
of installed network components for "File and Printer Sharing for Microsoft Networks." If this item is present,
highlight it and then click the Remove button beneath the list of components.
Another way you can protect yourself is to use software that blocks Trojan horse programs. Any good antivirus package
is designed to identify Trojan horses, but you must keep it up-to-date to defeat the latest subterfuges.
You should also make sure your e-mail program is not set to open attachments automatically. And never open
an attachment that you don't recognize or that comes from an unknown source.
These measures alone, though, are enough for only a minority of PC users. "Unless you've installed
your system from scratch, there's no way of knowing just how secure it really is," says Stuart McClure, coauthor
of Hacking Exposed. Security breaches can occur on many fronts, typically through Internet software--like PC Anywhere,
NetMeeting, or ICQ--that opens ports hackers can subsequently exploit. Even Microsoft's Ursino sees the need
to add another layer of security. "If I were a user who had a home network with a persistent Internet connection,"
he says, "I would choose to have a firewall."
Personal firewall software goes a step beyond the basic precautions. Like expensive and complex corporate-level
firewalls, these affordable and simple products promise to repel intruders by monitoring incoming and outgoing
Internet traffic and alerting you to possible dangers. To learn more about how firewalls function, see "How It Works:
Personal Firewalls" below. We looked at ten personal firewalls that sell for $50 or less and chose the six strongest
contenders for more detailed testing. This is a new kind of software product, and it shows. The firewalls' performance,
usability, and interface quality run the gamut from effective and accessible to weak and incomprehensible.
The perfect personal firewall would be inexpensive and easy to install and use, would offer clearly explained
configuration options, would hide all ports to make your PC invisible to scans, would protect your system from
all attacks, would track all potential and actual threats, would immediately alert you to serious attacks, and
would ensure nothing unauthorized entered or left your PC. Only two products come reasonably close to meeting that
ideal: Network ICE's $40 BlackICE Defender 1.9 and Zone Labs' ZoneAlarm 2.1, which is free for home users and
nonprofit organizations. Though neither package is perfect, each has strengths that will make it attractive to
particular users. Ultimately, we decided that these two products should share the title of Best Buy.
McAfee.com's Personal Firewall ($40) and Symantec's Norton Personal Firewall 2000 version 2 ($50) fall into the second
tier of products. Sybergen Networks' Secure Desktop 2.1 ($30) performed unimpressively in our tests and didn't provide
sufficient feedback (or even an indication that it was running). And Aladdin's free ESafe Desktop 2.2 fared poorly
because it is essentially an antivirus product with what our tests showed to be a kludgy, leaky firewall tacked on.
Four other products that we examined--Digital Robotics' Internet Firewall 2000 ($40), Delta Design's Net-Commando 2000
($30), Plasmatek Software's ProtectX 3 Standard Edition ($25), and Tiny Software's Tiny Personal Firewall
($29)--failed to get past our preliminary cut because they exhibited more-serious flaws, such as incomprehensible
instructions, weak documentation, or limited functionality.
We assessed the six contending products on three criteria: user-friendliness, ability to work with common
programs that access the Internet, and prowess at repelling hacking attempts. In each case we independently
installed the firewall on an otherwise unprotected Quantex QP6 350 M2X, a Pentium II-350 machine equipped
with 64MB of RAM and running Windows 98 SE.
The best configuration process should be comfortable for a neophyte while giving an advanced PC user
the opportunity to tweak the settings. Most of the products we tested offer only three security settings: block
all traffic, allow some traffic, and provide no security at all. This scheme works fine if you just surf the Web
and check e-mail, but it's too limiting for many users. BlackICE Defender and McAfee.com Personal Firewall have
the best configuration options and default settings. BlackICE has the simplest, best-explained security options,
and it offers four levels of security for finer adjustment by the user. McAfee.com defaults to a middle "filter"
security level that is an excellent starting point for most users. ZoneAlarm ranks near the top, too, but we thought
it would have benefited from offering a fourth level of security between its high and medium settings.
Even the best documentation for the firewalls we tested is scarcely adequate, especially since hacking remains
a mysterious aspect of computing for most PC users. In particular, none of the products we looked at fully
explains its advanced configuration features. If you take into account its reasonably clear and organized
online help, BlackICE Defender scores highest in the documentation category. But in this case that's a small honor.
The ideal firewall would also work quietly in the background but alert the user to anything worth reporting, and
provide comprehensive logs of events. Unfortunately, most of these products tend to overwhelm the user with data.
Firewall novices may be stunned at how often someone "touches" their PC. Most of that contact, however, is innocuous
traffic that security expert Steve Gibson calls IBR--Internet background radiation. According to Gibson, who
maintains the Shields Up Web site, "All firewalls overreport, and they don't do a useful job of discriminating
between IBR and actual attacks."
Spikes of IBR occur for various reasons. For example, Internet services like WebTV sometimes send data to the
wrong IP address when they attempt to contact users. A firewall might interpret that activity as a port scan.
Internet privacy and security guru Simson Garfinkel, author of Database Nation, criticizes the misinformation
typical firewall products generate. The most frequent complaint ISPs receive is no longer about spam, he says,
but about firewall alerts of attempted scans. "Lots of people are going to scan you," he says. "You just can't
react every time."
Of the products we examined, BlackICE--using carefully crafted reporting windows--provides the clearest, most
useful information. The program notes the source of any probe, and it's the only personal firewall we tested
that automatically looks up IP addresses and provides contact information about whoever "touched" your PC. An
honorable mention goes to Norton and Secure Desktop, which log events in accessible text windows. But ZoneAlarm
went a bit overboard: We finally turned off its endless stream of pop-up alert windows, relying instead on its
comprehensive event logging for detailed information. However, only ZoneAlarm effectively alerts you in real time
to all potential threats--a level of detail that may appeal to some hands-on users. (For more on using ZoneAlarm,
see "Instant Internet Security" below.) Most firewalls simply flash an icon in the system tray when they detect
something, but you won't see it if your system tray is covered or if you're not looking for it.
We ran each of the six firewalls through a number of scenarios to check its compatibility with other applications
and its responsiveness to a potential Trojan horse. Compatibility is an important concern with applications that
access the Internet: A poorly designed firewall might misconstrue as hacking attempts such legitimate activities
as opening ports for Internet communication, and it may mistake legitimate programs for malware, or malicious
software. Some firewalls will ask the user for permission to run applications, while others will allow or block
the apps without providing feedback. In overall compatibility, BlackICE Defender had nearly flawless results, and
McAfee.com finished close behind. Norton and ZoneAlarm worked well in most instances; Secure Desktop and ESafe
performed poorly.
A good firewall can distinguish between network traffic related to trusted applications and malicious traffic from
a hacker or Trojan horse. Some firewalls focus on applications, while others focus on data traffic. In the first
case, Norton uses a lookup table of preapproved applications. BlackICE Defender, on the other hand, doesn't note
what apps are running. Instead, it scrutinizes all data passing to and from the computer for patterns that match
known attacks, or signatures. BlackICE has an extensive, updatable signature file of known hacking techniques, so it
can often identify and explain exactly what is happening to your PC.
In our tests, we connected to the Internet over DSL and evaluated each firewall's ability to work with common
applications that access the Internet: Microsoft Internet Explorer and NetMeeting, WS-FTP LE (a file-transfer
program), ICQ (a messaging program), Napster (MP3 music search and download software), PC Anywhere (a program
that allows remote control of one computer by another), and RealPlayer (music and video player software).
Sometimes the biggest challenge was determining whether the firewalls were working at all. For instance, in its
default installation, McAfee.com does not launch at system start-up or appear in the system tray. You must select
those options in the program's configuration. And even though Secure Desktop launches automatically at start-up,
it runs entirely in the background--there isn't even an icon for the program in the system tray.
Secure Desktop did ask for permission to run some applications, but when operating at its highest security
setting, the program would not allow other applications--ICQ, Napster, or NetMeeting--to run at all. McAfee.com
and ZoneAlarm worked fairly smoothly, asking permission for each application. Norton automatically configured
rules to permit some apps, but in other cases it made us walk through an overly detailed, six-screen Q&A to
manually configure rules for future use of the app. BlackICE doesn't scrutinize applications per se, but it
accurately monitors the types of data they send and receive.
Finally, we ran a not-so-trusted application: the freeware version of PKZip (file-compression software).
This download includes a built-in application called TSAdbot, which acts as a conduit for advertisements
from the Internet and displays them while PKZip is running. TSAdbot is not a malicious program, but it
does function similarly to a Trojan horse and thus tests the firewalls' sensitivity to these intruders.
McAfee.com, Norton, Secure Desktop, and ZoneAlarm detected TSAdbot and asked us for authorization. ESafe
failed to react; BlackICE did not recognize TSAdbot's behavior as harmful. When we asked Network ICE about
this result, spokesperson Robert Graham said, "Currently, Network ICE does not consider adbots to be malware."
But he added, "Maybe we should reconsider our position."
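The application-based and traffic-based models described above, and the TSAdbot result, show why one program can pass one kind of firewall and trip the other. Here is an added illustration in Python that is not code from any of the products reviewed: a tiny decision engine implementing both models, run over constructed connection records. The program names, the allow-list, the signatures (including the inbound banner), port 12345 and the payload bytes are all invented for the example; only the file name umgr32.exe is taken from the review's Back Orifice test.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str         # executable owning the socket (what an application-based firewall keys on)
    direction: str   # "in" (unsolicited inbound connection) or "out" (connection the PC initiates)
    proto: str       # "tcp" or "udp"
    port: int        # local port for "in", remote port for "out"
    payload: bytes   # first bytes on the wire (what a traffic-based firewall keys on)

# Model A: application-based. Keys on WHICH program talks, not on what it sends.
# The names below are constructed for the example; umgr32.exe is the file name
# the review reports for the Back Orifice server.
APP_ALLOWLIST = {"iexplore.exe", "ws_ftp.exe", "realplay.exe"}
APP_BLOCKLIST = {"umgr32.exe"}

def app_based(flow: Flow) -> str:
    """Allow known-good programs, block known-bad ones, ask the user about the rest."""
    if flow.app in APP_BLOCKLIST:
        return "block"
    if flow.app in APP_ALLOWLIST:
        return "allow"
    return "ask"   # the permission prompt the review describes

# Model B: traffic-based. Keys on WHAT is sent, regardless of which program sends it.
# Each rule: direction, proto, port (None = any), payload pattern (None = any), label.
# The banner signature is invented for this example; it is not a real Back Orifice signature.
SIGNATURES = [
    ("in", "tcp", None, re.compile(rb"^BO-REMOTE-ADMIN"), "remote-admin trojan banner"),
    ("in", "tcp", 139,  None,                              "NetBIOS session probe"),
]

def traffic_based(flow: Flow) -> str:
    """Block a flow that matches any signature; everything else passes."""
    for direction, proto, port, pattern, label in SIGNATURES:
        if flow.direction != direction or flow.proto != proto:
            continue
        if port is not None and flow.port != port:
            continue
        if pattern is not None and not pattern.search(flow.payload):
            continue
        return "block:" + label
    return "allow"

# Constructed traffic resembling the review's scenarios (not captured data).
SAMPLE_FLOWS = [
    Flow("iexplore.exe", "out", "tcp", 80,    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("tsadbot.exe",  "out", "tcp", 80,    b"GET /ad?zone=pkzip HTTP/1.1\r\nHost: ads.example.net\r\n"),
    Flow("umgr32.exe",   "in",  "tcp", 12345, b"BO-REMOTE-ADMIN v1\r\n"),
    Flow("system",       "in",  "tcp", 139,   b"\x81\x00\x00\x44"),
]

def compare(flows=SAMPLE_FLOWS):
    """Return [(app, application-based verdict, traffic-based verdict), ...] per flow."""
    return [(f.app, app_based(f), traffic_based(f)) for f in flows]

if __name__ == "__main__":
    for app, a, t in compare():
        print(f"{app:14} application-based={a:6} traffic-based={t}")
```

The application-based model prompts on tsadbot.exe because the name is unknown, while the traffic rules see an ordinary outbound HTTP request and let it through, which is exactly the split the review observed. For the inbound flows the traffic rules fire on what arrives no matter which process owns the socket. Real products combine the two approaches, and a signature file needs the same regular updating the article recommends for antivirus software.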
We then hit each firewall with three simulated hacks: installing and accessing the Back Orifice Trojan horse,
running a port scan, and conducting a denial-of-service attack. We ran each test at the programs' default security
settings. (Some default to the highest security setting, while others default to the second-highest.) If a firewall
failed a test, we tried it again at a higher setting.
In the Back Orifice test, BlackICE did not stop the attack at its default security setting. However, it did stop
the Trojan horse when we bumped the security up a notch. (The newest BlackICE version, not available in time for our
comparison testing, does stop Back Orifice at its default setting.)
Three products--McAfee.com, Norton, and ZoneAlarm--identified Back Orifice by its file name, Umgr32.exe, and asked
permission to run it. Not many PC users have heard of Back Orifice, let alone Umgr32.exe, so they might not know
whether to block the app or let it run. ESafe's built-in virus checker identified the Umgr32.exe file and asked
whether we wanted to delete it. Secure Desktop failed the Back Orifice test--and all other attack tests--even at
its highest security setting.
We next hit our test PC with a port scan, having deliberately left two ports open to see how the firewalls would
handle them. The first was the NetBIOS session port (TCP port 139), which Windows opens when File and Printer
Sharing is enabled. The second port was the one opened by our Back Orifice Trojan horse. (Some firewalls look for
the standard ports used by Trojan horses, but we upped the ante by choosing a nonstandard port.) A personal
firewall can hide your PC by putting ports into stealth mode: Instead of answering a probe with a reply that the
port is open or closed, it silently discards the probe, so the ports offer no evidence that your computer exists.
At their default settings, BlackICE, McAfee.com, and ZoneAlarm put the two ports into stealth mode, but ESafe,
Norton, and Secure Desktop failed to hide the ports we left open.
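The three outcomes a port scanner can see (open, closed, and no answer at all) are the whole basis of stealth mode, and also of the port-scanning tools mentioned earlier in the article. The following is an added example in Python, not part of the original review and not tied to any product tested, that performs a TCP connect scan against 127.0.0.1 using a listening socket it opens itself; no outside host is contacted. The "filtered" branch is what a stealthed port produces, but it cannot be triggered on the loopback interface without a packet filter in the way, so the demo exercises only the open and closed cases.

```python
import socket
from contextlib import closing

def classify_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a scanner sees it.

    open      handshake completed: some program is listening (a service, or a Trojan horse)
    closed    the host answered with a reset (ConnectionRefusedError): nothing listens on
              this port, but the reply itself proves a machine is at this address
    filtered  nothing came back before the timeout: this is what a personal firewall's
              "stealth mode" looks like; the scanner cannot tell a dropped probe from an
              unused address
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"

def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Connect-scan a list of ports; returns {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}

def pick_free_port(host: str = "127.0.0.1") -> int:
    """Bind to an OS-chosen port and release it, yielding a port with no listener."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

def demo(host: str = "127.0.0.1") -> dict:
    """Open one listening socket (standing in for a program or Trojan horse that has
    opened a port), then scan it alongside a port known to have no listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))
    listener.listen(5)          # the backlog lets connect() complete without accept()
    try:
        open_port = listener.getsockname()[1]
        closed_port = pick_free_port(host)
        states = scan(host, [open_port, closed_port])
        return {"open_port": open_port, "closed_port": closed_port, "states": states}
    finally:
        listener.close()

if __name__ == "__main__":
    result = demo()
    for port, state in result["states"].items():
        print(f"tcp/{port:<5} {state}")
```

A closed port still answers (with a TCP reset), so the scanner learns that a machine is there; stealth mode drops the probe instead, which is why the review treats hiding the two open ports as the passing result. Tools such as nmap report the same three states (open, closed, filtered) for a connect scan, so the free scanning services listed at the end of the article are showing you this classification from the outside.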
Finally, we ran a miniature denial-of-service attack, hitting each firewall with a flood of meaningless data
intended to confound the operating system. In the real world, a denial-of-service attack overwhelms your
Internet connection, making it difficult or impossible to access the Net. It can also crash your system.
Malicious hackers can increase the pressure by launching a distributed-denial-of-service attack, in which
multiple computers are commandeered and used to launch an attack. Such assaults are usually directed against
major Web sites and the servers that support them. In the unlikely event your PC is targeted for a full attack,
a good firewall may block the incoming data packets and prevent your machine from crashing, but no firewall can
ensure that your Internet connection will remain open.
At their default settings, four of the firewalls we tested--BlackICE, McAfee.com, Norton, and ZoneAlarm--prevented a
crash, although BlackICE was the only product that correctly identified the nature of the attack. Norton gave no
indication an attack was under way. We were disappointed that ZoneAlarm repelled the attack only at its default
(High) setting and not at Medium or Low, and Secure Desktop and ESafe failed to prevent a crash even at their
highest settings.
According to Murphy's Law, anything that can go wrong, will. People are putting more sensitive data (such as
financial records) on their PCs, and sending other sensitive data (such as credit card numbers) over the Web. They're
also switching from dial-up modem-based service to broadband connections, with continuous service and fixed IP
addresses. Meanwhile, hackers are acquiring more devious software tools and putting more potential victims at risk.
Hacking will inevitably increase. But the good news is, you can protect yourself now.
Personal Firewall | Street price (6/2/00) | Security settings (default marked *, where the review states it) | Automatically blocks file sharing | Asks permission for Internet applications | Detects TSAdbot (1) | Blocks Back Orifice (1) | Puts open ports into stealth mode (1) | Detects port scanning (1) | Repels denial-of-service attack (1) | Comments
Aladdin Knowledge Systems ESafe Desktop 2.2, 800/562-2543, www.eAladdin.com/esafe | Free (2) | Extreme, Normal, Low | No | No | No | Yes (3) | No | No | No | Poor performance and confusing configuration. Comes with built-in antivirus utility and filter to block obscenities in Web content.
McAfee.com Personal Firewall, 408/992-8100, www.mcafee.com | $40 | Block Everything, Filter Traffic*, Allow Everything | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Easy configuration and good interface, but event log is difficult to access. User must configure firewall to run automatically at system startup.
Best Buy: Network ICE BlackICE Defender 1.9, 650/532-4100, www.networkice.com | $40 (4) | Paranoid, Nervous, Cautious*, Trusting | Yes | No | No (5) | No (6) | Yes | Yes | Yes | Easy installation and configuration. Clear, easily accessible event log. Best documentation of the products we tested. Identifies type of attack and attacker.
Sybergen Networks Secure Desktop 2.1, 510/742-2600, www.sybergen.com/products | $30 | Ultra, High, Medium, Low | No | Yes | Yes | No | No | No | No | Poor performance. Provides little feedback and no indication that it is running, but it does have a good, readily accessible event log.
Symantec Norton Personal Firewall 2000 version 2, 800/441-7234, www.symantec.com | $50 (7) | High, Medium, Minimal | Yes | Yes | Yes | Yes | No | Yes | Yes | Provides good protection, but interface is overly complex and controls are clumsy. Also includes filter to block obscenities or objectionable Web content.
Best Buy: Zone Labs ZoneAlarm 2.1, 415/547-0050, www.zonelabs.com | Free (8) | High*, Medium, Low | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Easy to install and set up. Provides solid protection and plenty of feedback--sometimes too much. Scans e-mail attachments for potential viruses or Trojan horses.
(1) As tested at default setting.
(2) Free to home users; the price for business customers depends on the number of users.
(3) Caught by the product's built-in virus scanner.
(4) Includes updates for one year; update fee is $20 per year thereafter.
(5) Network ICE does not consider TSAdbot to be harmful.
(6) Blocked Back Orifice at its "Nervous" security setting, one notch above the default.
(7) Includes updates for one year; update fee is $7 per year thereafter.
(8) Free to individuals and nonprofits; licensed at $20 per seat per year for business users.
Security Checklist
No computer connected to the Internet is 100 percent safe from hacking. But take heart:
These seven easy steps make a PC running Windows a far harder target for online attacks.
- Check Microsoft's Web site regularly for the latest Windows security updates and patches.
- Remove File and Printer Sharing for Microsoft Networks under the Network Control Panel.
- Remove the NetBEUI Network protocol under the Network Control Panel. (NetBEUI itself is not routable over the
Internet; it is file sharing bound to TCP/IP that exposes your PC, which is why the previous step matters most.)
- Use up-to-date antivirus software to block Trojan horse programs.
- Exercise caution when deciding whether to open e-mail attachments, even from trusted senders.
(They may inadvertently send you a virus without their knowledge.)
- Install personal firewall software. We recommend BlackICE Defender for users not interested in becoming
security experts and ZoneAlarm for those who want to know all the details about their Internet connection.
- If you maintain a persistent Internet connection, and you really want to play it safe, shut down your system
whenever you will not be using it.
A Hacking Glossary
Internet security is a complex subject. Here are some key terms and concepts for PC users to know.
Denial-of-Service (DoS) Attack: Flooding an IP address with data, causing computers to crash or lose their connection to the Internet. Most DoS attacks are aimed at large Web servers, with the objective of rendering the target site unavailable to other visitors.
Distributed Denial-of-Service (DDoS) Attack: Using multiple computers to launch a DoS attack. A hacker commandeers several outside computers and uses them as platforms to launch the attack, magnifying its intensity and cloaking the hacker's identity.
Hacker: Someone who deliberately gains access to other computers, often without a user's knowledge or permission. Malicious hackers do this to steal valuable information, disrupt service, or cause other damage.
IP (Internet Protocol) Address: The identifying number of a computer or other device. Two machines connected directly to the Internet cannot have the same IP address at the same time. Computers with static IP addresses (most systems with DSL or cable modem connections) always use the same IP address; those with dynamic addresses (most systems with dial-up connections) are assigned a new IP address each time they log on to the Internet.
Personal Firewall: Software that keeps unauthorized users from accessing a stand-alone PC. It also prevents malicious programs from sending data out.
Port: A numbered endpoint (0 through 65535, numbered separately for TCP and UDP) on a computer. A program "opens" a port by listening on it for connections; a client reaches a service by its IP address plus port number.
Port Scan (or Port Probe): Data sent by a hacker over the Internet to locate a PC or network and determine whether it has open ports that will accept a connection.
Stealth Mode: A protective setting that hides a port so it isn't visible over the Internet. A port that has been put into stealth mode will give no reply to a port scan (the probe is silently dropped rather than rejected), thereby providing no evidence that a computer exists at the scanned IP address.
Trojan Horse: A malicious program masquerading as something harmless, usually an e-mail attachment or a download that you open and run. A Trojan horse opens your computer to incursions by a hacker.
Security Web Sites
The Internet is a playground for hackers, but it's also a great place to
learn about security and how to protect yourself from attack. Here is a sampling
of online sites that provide information, testing, and security products.
AntiOnline.com:
Provides antihacking and antivirus news and products. It was founded by John
Vranesevich, who first praised and later pursued hackers.
CERT Coordination Center:
Handles security incident response, training, and prevention. Though geared
to large-scale networks, the site is loaded with helpful information for
PC users.
Gibson Research Corporation:
Home of Shields Up, a simple Web utility for assessing your system's security
risks. Steve Gibson, a software publisher and privacy-and-security advocate,
provides plenty of free advice and tips on his extensive site.
Zone Labs, Inc.:
Home of ZoneAlarm FREE Personal Firewall. Provides information and reference on all things firewall.
HackerWhacker:
Promising to let you "See Your Computer the Way Hackers Do," this site will
scan your PC's ports for security vulnerabilities. You can get a one-time
scan of most ports for free, or additional and more thorough scans for a
sliding fee. We recommend taking the free test run.
HappyHacker:
The self-described "white hat" hacking site provides loads of information
on how to be a hacker and how to protect yourself from one. While it doesn't
condone computer crime, the site concedes that its information can be turned
to both harmless and devious purposes. A great opportunity to see inside
the mind of the hacker.
InfoWorld Security Watch:
A regularly updated column on the latest security issues
by Stuart McClure and Joel Scambray, authors of the excellent and thorough
book Hacking Exposed.
Microsoft TechNet on Security:
Geared to IT professionals (but worth a look
for the rest of us), it's a guide to assessing security needs and implementing
solutions. Includes updates on viruses and security patches for Windows,
Outlook, and Internet Explorer.
Network ICE AdvICE:
A collection of FAQs, links, and articles on security issues from the company
that produces one of our Best Buy products, BlackICE Defender.
SANS Institute (System Administration, Networking, and Security):
A 96,000-member research and education
organization founded in 1989. Its site is loaded with security-related articles.
One nifty resource is its list of ports used by Trojan horse programs.
Secure-Me-Automated Security Testing:
This site offers two free port scans: a quick mini "Shield
Probe" and a more thorough scan that requires you to wait in a queue, sometimes
for more than an hour. Results are e-mailed to you.
VMyths.com (formerly Computer Virus Myths):
Hosted by self-acknowledged dweeb Rob Rosenberger,
this site seeks to dispel urban legends about viruses. The first place to
go when you get an e-mail warning you of a new virus.