Defensive Computing

November 6, 2008 5:23 PM PST

Some computers are too important to be networked

by Michael Horowitz

There is a common defensive computing thread in two recent stories.

In the first story, Newsweek reports that both presidential candidates had their campaign computers hacked from afar. As they put it:

The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." ... Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information... "

The second story involves a former Intel employee who allegedly stole trade secrets. As CNET's Stephanie Condon writes, the employee resigned, yet continued on the Intel payroll for a few weeks (perhaps working off vacation time). During this transition period, he started working for Intel rival AMD, yet he remained in possession of his Intel laptop and still had access to Intel's computer network. The FBI later found him in possession of "top secret" Intel files worth more than $1 billion in research and development costs.

The lesson is clear. If you have really valuable or sensitive files, don't make them remotely accessible. Cut the wire. Some files should never be available off-site.

If this means buying a new computer just to hold really sensitive files, it's money well spent.

A couple years ago, I heard someone from the hacker group 2600 give out this same advice on their radio show, Off The Hook. It made sense back then and makes even more sense now.

Windows passwords are easily hacked. Instead of relying on a Windows password for local physical security, set both a power-on password and, if the computer supports it, a hard disk password. Whole disk encryption is another option, but one that involves much more work to implement.

If you put sensitive files on a laptop computer, then consider storing it in a safe when not in use. If you have a small safe, get a small laptop or a Netbook.

Laptops need more than just cutting the Ethernet wire. To begin with, turn off the Wi-Fi radio (there is probably a switch or a function key for this). If the laptop has Bluetooth, physically turn that off too.

Then, turn off the networking features in the operating system.

On Windows, turn off file sharing for every network adapter and turn off every network protocol. Then, disable all the network adapters.

Finally, disable the underlying Windows services that handle networking. On Windows XP these are: Wireless Zero Configuration, Server, Computer Browser, Workstation and SSDP Discovery. Then, since the machine will be off-line forever, there are quite a few other Windows XP services that won't be needed and can be disabled: Automatic Updates, Distributed Link Tracking Client, Distributed Transaction Coordinator, Net Logon, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, Network Location Awareness (NLA), Network Provisioning Service, Remote Desktop Help Session Manager, Remote Registry and WebClient. The laptop I'm writing this on also has an Infrared Monitor service. I don't know what it's for, but I keep it disabled.

All told, this isn't much work and doesn't involve much expense. Yet, it's great insurance and can leave your sensitive files better defended than those at Intel and each presidential campaign.

See a summary of all my Defensive Computing postings.

October 23, 2008 10:26 PM PDT

Time to patch Windows again, ASAP

by Michael Horowitz

If you use a Windows computer connected to a network, a newly discovered bug makes it possible for a bad guy to wreak havoc on the computer without your doing anything. The most vulnerable versions of Windows are XP, 2000 and Server 2003. Vista and Server 2008 are also vulnerable, but not as badly. Microsoft considers the bug important enough to issue the patch immediately rather than waiting for their normal once-a-month patch Tuesday.

Susan Bradley, writing for the Windows Secrets newsletter, recommends immediately installing the just-issued patch. Then she offers some unusual advice, suggesting people first restart their computers "to verify that your machine is bootable." Can't hurt. Then she says to install the patch and reboot again. Her article also includes direct links to the patch for each version of Windows. If, for some reason, you can't run Windows/Microsoft Update, you can manually download the patch and install it.

A standard of Defensive Computing is that the less software installed and running, the better. This particular bug is in a part of Windows known as the Server service. If you are not sharing files and/or printers on a local area network, then you don't need to have the Server service running, bug or no bug.

Making a Windows service not run all the time is called disabling and/or stopping. Stopping refers to the instance of the service currently running. Disabling means preventing it from ever starting again. Microsoft describes how to both stop and disable the Server service in Security Bulletin MS08-067. They also suggest doing the same to the Computer Browser service.

Anyone not sharing files and/or printers on a network should also turn off File and Printer Sharing for Microsoft Networks (the Windows XP name) on all network definitions. For example, on a laptop with both wired Ethernet networking and wireless Wi-Fi networking, File and Printer Sharing should be turned off in both network definitions.

If the Server and Computer Browser services are disabled, then some people might consider the last point (and the next) overkill. I think they are a good idea because it means two mistakes would have to be made to enable file and printer sharing as opposed to only one mistake.

Build a better fence around your Windows computer.

For still more safety, look into how your firewall is configured to ensure that it does not allow incoming traffic on TCP port 139 or 445. Again, this is for someone not sharing files and printers. Firewall configuration varies widely, but if you are using the Windows firewall in XP, the exception for this is called "File and Printer sharing."

Firewalls are the first line of defense against this type of problem. With that in mind, you may want to review the series of postings I did recently on adding a second router to a LAN to provide additional firewall protection to your most important computers. See A second router protects adults from kids.

September 28, 2008 9:32 PM PDT

Adding a second router: Living with the new setup

by Michael Horowitz

This is the last posting in a trilogy about adding a second router to a Local Area Network to provide an additional layer of protection for high value computers.

The first thing I noticed after setting up a network as described in the previous posting was that a newly protected computer, plugged into the second router, just worked. All the hard work is in configuring the new router. Any computer using DHCP, which is the norm, shouldn't need any changes to enable the additional protection.

One side effect of the new LAN segregation is remote control. On the network I tested with, I sometimes use Real VNC to remotely control another computer on the LAN. This is no longer possible across the divide that the second router was brought in to create. To continue with the adult/kid scenario from before, it is no longer possible for an adult to remotely control the computer of a child.

The newly created digital divide also prevents file sharing between an adult and a child. Of course, that's by design.

Also by design, an adult's computer can no longer connect to the kids router to make configuration changes. Or so I thought. While this is true when dealing with private IP addresses, the kids router also has a public IP address (you can see your public IP address using www.ipchicken.com). I was surprised to find that entering the public IP address into the Web browser on an adult's computer brought up the internal Web site in the kids router.

From a kids computer, the Web site in the kids router could also be accessed by its public IP address. The router in question was a Belkin Wi-Fi G F5D7230. I'm not sure that other routers will also act this way.

From outside the LAN, the website in the kids router is not reachable. This was expected as the remote administration feature was purposely turned off--a recommended Defensive Computing step.

I use an SSL VPN from WiTopia.net whenever I access an untrusted network. The VPN worked just fine from an adult's computer. In fact, it worked so well that I could no longer see the Web site in the kids router using its public IP address. Thanks to the VPN, I was accessing the Internet from WiTopia rather than from the LAN.

Leo Notenboom, whose article "How do I protect myself from my children?" prompted this trilogy, uses Hamachi, another type of VPN. He said it works fine in this type of network configuration. There are other types of VPNs, such as IPsec, which I can't test.

Wi-Fi should present no problem in a double-router LAN. In fact, each router can have its own Wi-Fi network.

In the best case, one wireless network would use the crowded 2.4GHz band (Wi-Fi B, G and N) and the other would use the 5GHz band (Wi-Fi A and N) to avoid stepping on each other's feet. But most consumer routers only use the 2.4GHz band, so, if possible, configure each router to use a different Wi-Fi channel.

In my case, the adults router was a Ruckus 2825, which has a "Smart select" option for the Wi-Fi channel. Testing it on different days, it did indeed choose different channels. So far, the Ruckus router has shown excellent range, but I haven't yet put it to the acid test.

Another way to avoid having the two wireless networks interfere with each other is to turn off the wireless radio in a router when not in use. This is done using the internal Web site in the router and, as noted above, an adult's computer can configure both routers. I've yet to see a Wi-Fi router with a physical switch for turning off the radio; if you know of one, please leave a comment below.

All in all, the cost and inconvenience seem pretty small for the extra protection a second router can offer adult/high-value computers.

Update: September 29, 2008. The point about remote control needs to be clarified. There are two approaches to establishing the connection between the two computers: direct and with a middle-man. On a normal LAN, you can use the direct approach by entering the IP address of the controllee from the controller machine. Adding a second router limits this option to adults controlling adults or children controlling children. However, since all computers can still access the Internet, the middle-man approach still works. With this scheme, each computer first connects to a middle-man website. GoToMyPC is an example of the middle-man approach whereas Real VNC is an example of the direct approach.

September 27, 2008 11:32 AM PDT

Using a second router: A techie how-to

by Michael Horowitz

Previously, I wrote about using a second router to provide additional protection to high-value computers--specifically, to protect computers used by adults from those used by children on a shared Local Area Network (LAN).

That article was mostly conceptual; this one covers the nitty-gritty technical details.

First, the good news. Adding a second router has no effect on the first router and no effect on the untrusted (kids) computers. Each is blissfully ignorant of the following changes.

In describing the steps, the existing/first router will be referred to as the kids router since the untrusted kids computers connect to it. The new, second router will be referred to as the adults router since its job is to protect the computers used by adults.

For the sake of simplicity, I'll start with wired Ethernet connections and assume, as is usually the case, that the kids router is handing out private IP addresses* in the range 192.168.1.x using DHCP. The steps below apply regardless of the operating system employed on any particular computer.

Here's what needs to be done:

  • The high-value (adults) computers are unplugged from the kids router and plugged into the LAN ports of the adults router.
  • The WAN port of the adults router is plugged into a LAN port on the kids router. WAN stands for Wide Area Network, and refers to the Internet. From the perspective of the adults router, the kids router is the Internet. On some routers, the Ethernet WAN port is a different color from the LAN ports, but not always.
  • What the adults router thinks is its public IP address is really a private IP address (192.168.1.x) used by the kids router. This is configured in the adults router using the type of Internet connection option. The easiest thing is to set the adults router to DHCP or dynamic. It can, alternatively, be configured for a static IP address, but this requires a knowledge of the private IP address range used by the kids computers and router. Also, if the configuration of the kids router were ever to change in the future, the static IP address may no longer be valid and thus knock the adults computers offline.
  • On the WAN/Internet side, the default gateway and the primary DNS server for the adults router are both the kids router (probably 192.168.1.1). If you opted for dynamic in the prior step, this should happen automatically after rebooting the adults router. If you opted for a static IP address, you'll have to set this manually.
  • On the LAN side, the adults router can use DHCP to hand out IP addresses in any private address range other than that used by the kids router. For example, it could use 192.168.2.x or 192.168.8.x. To make things as obvious as possible, however, I suggest configuring the adults router to issue IP addresses in the 10.x.x.x range with the default subnet mask of 255.0.0.0. Along with this, set the LAN side IP address of the adults router to 10.0.0.1.
  • Each adults computer needs to use an IP address in the 10.x.x.x range. Most likely the computer(s) will already be configured to get an IP address using DHCP, in which case nothing needs to be changed. If, however, one was using a static IP address, a new one probably needs to be assigned, one that is outside the DHCP range handed out by the adults router.

Once this is done, an adults computer, which used to have a TCP/IP default gateway of 192.168.1.1, will now have a default gateway of 10.0.0.1. Likewise, the DNS server and DHCP server for an adults computer will now also be 10.0.0.1.
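The addressing constraints in the steps above can be checked before any cables are moved. The following is an added example, not the author's code: the Router record is a hypothetical model, the 192.168.1.23 WAN lease and the 10.0.0.50 static host are constructed, and the ranges are the ones the posting uses.

```python
"""Sanity check for the two-router (kids / adults) layout described above.

Added example, not from the original posting. Models each NAT router by its
LAN range, LAN address, DHCP pool and WAN address, then verifies the rules the
steps impose: the adults router's WAN side lives in the kids LAN, the adults
LAN is a distinct private range, and static hosts stay out of the DHCP pool.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Router:
    """One NAT router (hypothetical record for this example)."""
    name: str
    lan: IPv4Network
    lan_ip: IPv4Address
    dhcp_first: IPv4Address
    dhcp_last: IPv4Address
    wan_ip: Optional[IPv4Address] = None          # None for the kids router: its WAN side is the ISP
    static_hosts: List[IPv4Address] = field(default_factory=list)


def check_two_router_layout(kids: Router, adults: Router) -> List[str]:
    """Return the problems found; an empty list means the layout follows the steps above."""
    problems: List[str] = []

    # Steps 3 and 4: what the adults router thinks is its public address is really a
    # private address on the kids LAN, so the kids router can be its gateway and DNS server.
    if adults.wan_ip is None or adults.wan_ip not in kids.lan:
        problems.append("adults router WAN address must lie in the kids LAN range")
    elif adults.wan_ip == kids.lan_ip:
        problems.append("adults router WAN address collides with the kids router itself")

    # Step 5: the adults LAN is a private range different from the kids range.
    if not adults.lan.is_private:
        problems.append(f"adults LAN {adults.lan} is not a private range")
    if adults.lan.overlaps(kids.lan):
        problems.append(f"adults LAN {adults.lan} overlaps kids LAN {kids.lan}")

    # Both routers: router address and DHCP pool inside the LAN; static hosts (step 6)
    # inside the LAN but outside the pool the router hands out.
    for r in (kids, adults):
        if r.lan_ip not in r.lan:
            problems.append(f"{r.name}: router address {r.lan_ip} is outside {r.lan}")
        pool_ok = r.dhcp_first in r.lan and r.dhcp_last in r.lan and r.dhcp_first <= r.dhcp_last
        if not pool_ok:
            problems.append(f"{r.name}: DHCP pool {r.dhcp_first}-{r.dhcp_last} is not inside {r.lan}")
        elif r.dhcp_first <= r.lan_ip <= r.dhcp_last:
            problems.append(f"{r.name}: router address {r.lan_ip} sits inside its own DHCP pool")
        for host in r.static_hosts:
            if host not in r.lan:
                problems.append(f"{r.name}: static host {host} is outside {r.lan}")
            elif pool_ok and r.dhcp_first <= host <= r.dhcp_last:
                problems.append(f"{r.name}: static host {host} collides with the DHCP pool")
    return problems


def directly_reachable(a: str, b: str, mask: str) -> bool:
    """True when two hosts share a subnet under the given mask, i.e. they talk without a gateway."""
    return ip_network(f"{a}/{mask}", strict=False) == ip_network(f"{b}/{mask}", strict=False)


def posting_layout() -> Tuple[Router, Router]:
    """The layout from the steps: kids on 192.168.1.x, adults on 10.x.x.x behind 10.0.0.1."""
    kids = Router("kids", ip_network("192.168.1.0/24"), ip_address("192.168.1.1"),
                  ip_address("192.168.1.100"), ip_address("192.168.1.199"))
    adults = Router("adults", ip_network("10.0.0.0/8"), ip_address("10.0.0.1"),
                    ip_address("10.0.0.100"), ip_address("10.0.0.199"),
                    wan_ip=ip_address("192.168.1.23"),        # constructed: DHCP lease from the kids router
                    static_hosts=[ip_address("10.0.0.50")])   # constructed: one adults computer with a fixed address
    return kids, adults


if __name__ == "__main__":
    kids, adults = posting_layout()
    print(check_two_router_layout(kids, adults) or "layout OK")
    # A kids host and an adults host are never on the same subnet, so they need a gateway.
    print(directly_reachable("192.168.1.5", "10.0.0.5", "255.255.255.0"))
```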

Not to switch subjects, but elsewhere I've written that I'm a big fan of OpenDNS. Any computer can be manually set up for OpenDNS, but another approach is to configure the router to use the OpenDNS servers and the router will then pass along this setting to computers that connect to it with DHCP.

More about living with this setup, and about Wi-Fi, next time.

*For more on public vs. private IP addresses, see What does your IP address say about you?
See also How to check if a computer is using OpenDNS

September 24, 2008 8:51 AM PDT

A second router protects adults from kids

by Michael Horowitz

If you live in a home where parents/adults have one or more computers, children have their own computer(s), and everyone shares a single Internet connection, then you should consider a second router.

While the main function of a router is to let multiple computers share a single broadband connection to the outside world, it is also invaluable in offering firewall protection. Firewalls that run on your computer have their place, but you are much safer with the additional protection offered by the firewall in a standard, ordinary, consumer-grade router. Previously, I suggested that even someone with only one computer get a router, just for the firewall protection.

Last week, Leo Notenboom, of Ask-Leo.com, wrote about using a second router to protect adults from children sharing the same Local Area Network (LAN) at home (see How do I protect myself from my children?).

Leo targets Windows users, and I take it as a given that no mix of defensive software offers perfect protection on a Windows machine. That said, the networking scheme he discusses is applicable and sensible regardless of the operating system running on any single computer. If you are an adult, sharing a network with children, and the health and well-being of your computer is important to you, then investing in a second router makes sense.

The basic idea that Leo suggests is to put the adult computers in their own LAN, protected by the second router from the LAN segment with the children's computers. Everyone still shares the single Internet connection.

In addition to the firewall, the NAT feature in a router also offers protection. For example, if the kids use private IP addresses* such as 192.168.1.x then the adults can use private IP addresses in the range 192.168.8.x. Assuming everyone uses the default subnet mask of 255.255.255.0 (a topic for another day) then the adult computers and the kids' computers can't directly talk to each other.

This networking scheme does not eliminate the need for firewall software in each individual computer.

This approach may also apply to a small business if certain computers do work that is judged to be much more important than others. Here too, the small expense of a second router offers additional protection to the most important computers. Taking this even further, it is not at all unreasonable for a small business to ban an important computer from ever touching the Internet.

Finally, anyone installing a new router should read my earlier posting Defending your router, and your identity, with a password change.

Update. September 27, 2008. For more on this subject, see my follow-up Using a second router: A techie how-to

*For more on public vs. private IP addresses, see What does your IP address say about you?

August 11, 2008 2:58 PM PDT

Verizon DSL traffic blocking explained

by Michael Horowitz

As is so often the case with networking problems, the firewall was the source of the Verizon DSL problem I wrote about recently.

I had experienced problems making outbound connections at two Verizon DSL business customers and was told by another Verizon DSL customer that they too had a similar problem.

The problem first came up when trying to use NetMeeting from a Verizon DSL customer to remotely control a computer. Despite there being no firewall on the receiving computer, NetMeeting still couldn't make a connection. Even a simple ping of the target computer failed.

I suspected Verizon was the source of the problem when, a few days later, from another Verizon DSL customer, Real VNC failed to connect to a computer (another remote control attempt). Again, a ping of the target computer failed, but so, too, did pings of websites such as yahoo.com, cnet.com and cbs.com that normally respond to pings (not all websites do).

When Verizon tech support and press relations made it clear that they don't block outgoing traffic, the problem had to be with the configuration of their modem/router.

In a standard consumer grade router, the firewall has a simple task: block all unsolicited incoming traffic. It doesn't try to govern outgoing traffic at all. Thus, any connection to the Internet that starts from a computer on the LAN is allowed. This is similar to the way the Windows XP firewall works, except that the XP firewall is likely to have some pre-defined holes in it.

The firewall in the Verizon Westell 7500 router/modem is a bit more ambitious: it also tries to exert control over outgoing connections that originate from the LAN. In some circumstances this is a good thing, but it caused me problems.

The actions of firewalls are easily quantified. They control a TCP/IP networking concept: a port. Ports are assigned numbers ranging from zero up to roughly 65,000. Some port numbers are reserved for specific types of traffic; others can be used by any networking software for any purpose. For example, you requested this web page using port 80. When you request a secure web page you are using port 443.

To see this for yourself, try to go to www.cnet.com:80 (the colon 80 may not show in your web browser status line when hovering over this link, but it is in the link). Everything works fine, the colon 80 is explicitly stating that port 80 should be used. Normally, the port number is implied when using the HTTP protocol. If you use any port number other than 80, you'll get an error message from your browser rather than the CNET home page.

Each port is either:
-- inbound or outbound
-- used by TCP or UDP or both (low level protocols)
-- open, closed or stealthed (stealth is the best)

That's it. Everything a firewall is doing can be quantified with rules about ports that are allowed and ports that are blocked.
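To make the point concrete, here is an added example (not from the original posting) that writes a consumer-router firewall as explicit port rules plus a connection table, instead of a label such as "Medium". The addresses are constructed, with LAN hosts in the posting's 192.168.1.x range; the outbound-ICMP block in the last scenario is a constructed rule that reproduces the failed-ping symptom, not a claim about what the Westell setting actually blocks.

```python
"""A consumer-router firewall expressed as port rules, as the posting argues it should be.

Added example, not the author's code. Behaviour modelled: everything that starts on
the LAN is allowed and its replies are let back in; unsolicited inbound traffic is
blocked unless a port has been deliberately opened; a blocked port is either
"stealthed" (dropped silently) or merely "closed" (the probe gets an answer).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

PortRule = Tuple[str, int]   # (protocol, port); ICMP has no port, so it uses 0


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int       # 0 for icmp
    dport: int       # 0 for icmp


class PortFirewall:
    """Stateful firewall: allow what the LAN starts, block unsolicited inbound traffic."""

    def __init__(self, inbound_exceptions: Iterable[PortRule] = (),
                 outbound_blocks: Iterable[PortRule] = (), stealth: bool = True):
        self.inbound_exceptions = set(inbound_exceptions)  # deliberately opened ports ("holes")
        self.outbound_blocks = set(outbound_blocks)        # empty on an ordinary consumer router
        self.stealth = stealth                             # drop silently, or answer that the port is closed
        # Flows the LAN started: (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.conntrack: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        """Return 'accept', 'drop' (stealthed) or 'reject' (closed: the sender learns a host is there)."""
        if p.direction == "out":
            if (p.proto, p.dport) in self.outbound_blocks:
                return "drop"
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))  # remember the flow
            return "accept"
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
            return "accept"                      # reply to something the LAN asked for
        if (p.proto, p.dport) in self.inbound_exceptions:
            return "accept"                      # a port someone chose to open
        return "drop" if self.stealth else "reject"


def run_scenarios() -> Dict[str, str]:
    """Replay the situations from the posting against explicit rule sets."""
    lan, web, stranger = "192.168.1.10", "192.0.2.80", "203.0.113.7"   # constructed addresses
    results: Dict[str, str] = {}

    # 1. Ordinary consumer router: anything outbound, nothing unsolicited inbound.
    plain = PortFirewall()
    results["web request out"] = plain.decide(Packet("out", "tcp", lan, web, 51000, 80))
    results["web reply in"] = plain.decide(Packet("in", "tcp", web, lan, 80, 51000))
    results["ping out"] = plain.decide(Packet("out", "icmp", lan, web, 0, 0))
    results["ping reply in"] = plain.decide(Packet("in", "icmp", web, lan, 0, 0))
    results["unsolicited 445 in"] = plain.decide(Packet("in", "tcp", stranger, lan, 40000, 445))

    # 2. XP-style firewall with the "File and Printer Sharing" exception enabled (ports 139/445).
    sharing = PortFirewall(inbound_exceptions={("tcp", 139), ("tcp", 445)})
    results["445 in, sharing exception"] = sharing.decide(Packet("in", "tcp", stranger, lan, 40000, 445))

    # 3. Rules that close ports instead of stealthing them: a probe of FTP (21) is answered.
    closed = PortFirewall(stealth=False)
    results["ftp probe, closed not stealthed"] = closed.decide(Packet("in", "tcp", stranger, lan, 40000, 21))

    # 4. Constructed outbound policy that blocks ICMP: the failed-ping symptom as an explicit rule.
    strict = PortFirewall(outbound_blocks={("icmp", 0)})
    results["ping out, outbound icmp blocked"] = strict.decide(Packet("out", "icmp", lan, web, 0, 0))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:36} -> {verdict}")
```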

The Verizon DSL problems that I experienced stemmed from their using vague words to describe the functioning of the firewall. Nothing about the actions of the firewall in the Westell 7500 is explained in terms of ports. Thus, no one is sure exactly what the firewall is doing (I spoke to tech support twice).

When you configure the firewall in the Westell 7500, you get a handful of named security levels (shown in a screenshot in the original posting).

Take, for example, the "Minimum Security (Low)" setting which "allows all traffic except for known attacks". Is it allowing everything coming in or everything going out or both? And, what is a known attack? Firewalls control ports, not attacks. A given piece of malicious software may use one port number to phone home this week and a new variant can use a different port number next week.

Then it says "your modem is visible by other computers on the Internet". First off, the Westell 7500 is not just a modem; if it were, this posting wouldn't exist. Then, it's not clear if this means that no incoming ports are blocked or if it just means that the 7500 will respond to pings.

The bottom line is that these words have no meaning. Think of it as a gas station with pumps labeled "best", "medium" and "worst" without the octane rating.

In my case, the term "Typical Security (Medium)" tripped me up. That's what one modem was set to when I couldn't do ping or traceroute or Real VNC remote control. Lowering the setting to "Minimum Security (Low)" fixed the immediate problem.

What's the difference, in terms of ports being blocked, between Medium and Low? Even Verizon doesn't know.

In a scenario very reminiscent of WiFi routers shipping with encryption disabled, Verizon normally uses the "low" and "none" firewall settings. "Typical Security (Medium)" is not, according to tech support, typical. They rely on security software on the computers of their customers.

Shields Up!

A great service for testing ports is Shields Up! from Steve Gibson at grc.com. It, too, pointed out how vague the firewall security description is.

With the Westell 7500 set to "Maximum Security (High)", Shields Up! reported that the FTP port (21) was closed rather than stealthed. This is not maximum security. The boring, ordinary, years-old, dusty Belkin router that sits between me and the Internet as I write this is, according to Shields Up!, fully stealthing all the common ports.

During a recent installation of a new Verizon business DSL line, the customer was not given a choice as to the equipment Verizon would provide. Later, tech support said they do offer dumb modems, presumably without firewalls. That may be the better way to go in terms of Defensive Computing, as it lets you choose a router with better documentation.

August 3, 2008 9:50 PM PDT

Verizon DSL is blocking outbound traffic

by Michael Horowitz

Recently, someone at a small business with a Verizon DSL Internet connection couldn't connect to my computer with NetMeeting. I've done this often enough to know that NetMeeting wasn't the problem, so I asked them to ping my computer - and it failed (timed out).

The TCP/IP ping command is a network debugging tool available on any operating system with TCP/IP (which is just about every operating system). It sends a simple command to the target computer which answers with a small amount of data. As the name implies, ping is just a tap on the shoulder to see if the networking is working between two computers on a TCP/IP network. Because pings are so simple, any problem is a networking problem.

In this case, the ping should not have failed. The target computer was one of mine and it was naked on the Internet, without a firewall protecting it. It seemed that Verizon was blocking it at the source, but I couldn't be sure.

A few days later, while working at another small business with a Verizon DSL connection, I couldn't establish a remote control connection using Real VNC. This was a bit more complicated, as it involved port forwarding on the target router and poking a hole in the firewall on the target computer. But here too, my first step in debugging was a ping of the target public IP address - and it failed. The target was a router under my control and it was configured to respond to public pings. Again, it seemed like Verizon was blocking the ping at the source.

To be sure, I tried a more advanced network debugging tool, traceroute. Long story short, traceroute proved that Verizon was blocking things. The trace was able to get from my computer on the LAN to the Verizon Westell 7500 modem/router that connected the LAN to the outside world, but could not get any farther.

A third test provided strike three. Someone I know with a Verizon DSL account, when told about this problem, also tried to ping some public websites and couldn't. The box used in this case was a Westell Wirespeed C90.

Verizon DSL is blocking outgoing ping, traceroute, NetMeeting, Real VNC and probably more.

This is bad. The blocking of outbound remote control software was a real problem for the first business, as it prevented me from helping them with another problem.

Update August 5, 2008: Pings to websites don't always work. This has nothing to do with an ISP, rather it is an attribute of the website, or more specifically, the routers fronting the site. A website may simply choose not to respond to pings. The examples in this posting do respond to pings. Many consumer grade routers have a configuration option governing whether they respond to pings. However, even if a website opts to not respond to pings, a traceroute (in Windows the command is tracert) should at least show that the request got out to the Internet and bounced around a bit before failing. This was not the case with Verizon DSL.

Update August 5, 2008: I spoke to Verizon tech support and the technician said this is not by design. In fact, the person said they had never had a complaint that a DSL customer couldn't do something as simple as pinging yahoo.com. If this is true, the problem must lie in the configuration of the Westell modem/router. To be continued.

Update August 7, 2008: Verizon's press relations office made it clear they do not block traffic. And, it seems they don't - at least not on purpose. The problem has been resolved with one of the three customers, the issue was with the firewall in the router. More to come soon...

Update August 11, 2008: To see how this played out, see Verizon DSL traffic blocking explained

July 18, 2008 10:53 PM PDT

Defensive computing at a hacker conference

by Michael Horowitz

If there were ever a place for Defensive Computing, it's at a hacker conference.

So while attending the Last HOPE conference, a number of my previous postings came to mind.

First, there was the list of available Wi-Fi networks at the conference (the original posting shows a screenshot) which, at times, showed four computer-to-computer networks (using the Windows XP terminology). These networks, also known as ad-hoc networks, are not governed by a router. While they may be set up on purpose, they are more likely to be accidental creations on the part of nontechnical computer users, or a purposeful trap set by someone with ill intentions. I wrote about this back in May. (See "A warning about 'free' public Wi-Fi.")

Everyone knows not to send anything sensitive, such as a password, over a wireless network. At a hacker convention, even a wired Ethernet connection to the outside world should be treated with caution. Not to pick on hackers: at any convention or in any hotel, a wired Ethernet connection deserves the same caution as a public wireless network. Back in January, I wrote that "wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections." (See Ethernet connections in a hotel room are not secure.)

What to do? Rent a personal VPN.

The classic use for a VPN is an employee of a company using it to make a secure, encrypted connection to the office. But someone without a corporation can rent a VPN that offers a secure connection to the VPN provider. Once data gets to the VPN company, it is dumped, unencrypted, on the Internet with everything else. The point is to encrypt everything coming into and out of your computer to protect it from any local bad guys.

The downside is speed. The speed test at Speakeasy.net showed that while I was connected to my VPN, the speed dropped by over half compared to using the Internet in an unprotected way.

The laptop I had with me was running the Online Armor firewall instead of ZoneAlarm, and as I noted a few days ago, I really missed being able to see a log of intrusion attempts on my machine. At home, behind a router on my personal LAN, this isn't very interesting. But at a hacker conference, using a shared Wi-Fi network, it would have been fascinating to see who, if anyone, was knocking on my virtual door.

Something easily overlooked when connecting to public networks is file and printer sharing. While it's not the be all and end all, you're safer with it turned off. Windows XP users can find this with Control Panel -> Network Connections -> Properties of the network connection (you may want to do this for both wired and wireless networks) -> General tab -> checkbox for "File and Printer Sharing for Microsoft Networks."

Another easily forgotten protection involves turning off the wireless radio when you are not using it. This goes beyond the obvious issue of disconnecting from a public Wi-Fi network when you don't need it. There was a case where, due to a bug in some driver software, a computer could be hacked even when it was not logically connected to any network. All that was needed was for the Wi-Fi radio to be physically turned on. Plus, turning off the radio saves battery power.

Some laptops have a physical switch that turns off the radio. ThinkPads use Function-F5. As a last resort, Windows XP users can disable the Wi-Fi network. In my experience, that also turned off the radio.

Update July 19: Added topics on file and printer sharing and turning off the radio--thus proving, they are easily forgotten.

July 16, 2008 9:19 PM PDT

Online Armor Firewall: First Impressions

by Michael Horowitz
  • 1 comment

As I mentioned previously, based on a recommendation from Scot Finnie, I installed the Online Armor firewall on a couple of Windows XP machines.* Scot recommended the paid version; I opted to get my feet wet with the free edition (v2.1.0.131). These are my first impressions, not a review. I don't think anyone can base a firewall review on merely a couple of days' experience; it's the sort of software you have to live with for a while.

My previous firewall was ZoneAlarm, whose best feature was its ease of use. Unfortunately, for a number of reasons, I no longer think that's sufficient. For example, ZoneAlarm seems bloated. The download for Online Armor is 9.9MB; ZoneAlarm is over four times larger.

The install process for Online Armor was uneventful, but then things went downhill. After installing, you have to reboot; no surprise there, I would expect this with any firewall. But on the first computer I installed it on, the reboot looked like it wouldn't happen. For what seemed like an eternity, I was staring at the Windows desktop image with no icons. Perhaps a watched pot never boils, but I was sure glad that I had made a disk image backup beforehand.

This was bad documentation. Online Armor doesn't tell new users that special processing takes place during the first boot after the product is installed. There is a warning on their website, but there is no warning where it needs to be, alongside the message that says the installation worked and you have to restart Windows. After Windows finally restarted, Online Armor said something about completing an initial "learning process".


One of the first things I noticed was that Online Armor has two icons in the system tray (the leftmost two in the screen shot above). To me, one is enough. Other software makes do with a single icon (Avast antivirus defaults to two, but there is an option to combine them). Someone else pointed out that both icons have the same right-click menus. One icon (the leftmost one above) looks like a shield and doesn't seem to change. The other icon looks very much like the Task Manager icon which, at first, I thought it was (judge for yourself; the two are next to each other in the picture above). This icon does change; it's a vertical bar graph showing inbound and outbound traffic.

I poked around and found an option to suppress the bar graph traffic icon and another option to suppress both icons. What I wanted to do, see just the bar graph icon, doesn't seem possible.

The second thing of note is the cool looking status display shown below. I haven't yet found the graphs at the top to be very useful, but the Active Connections section at the bottom offers very interesting information, data that ZoneAlarm did not provide.

Main Menu

Judging by the General tab, shown below, there are four main sections/features to Online Armor, two of which are included in the free edition - Program Guard and the Firewall.


After installing Online Armor I was getting what I felt were excessive warnings. Granted, "excessive" is subjective, but I was getting warnings that had nothing to do with networking.

For example, below is a warning from Online Armor that IrfanView wants to run. IrfanView is a picture viewer and editor. It has nothing to do with networking and therefore it's not something a firewall needs to worry about. Disabling Program Guard (you can see the checkbox is off in the screen shot above) was one of the first things I did. Program Guard may be a good thing, but all firewalls are chatty at first; that's the nature of the beast. Adding warnings about safe, non-networked programs such as IrfanView just makes things worse.


The first hint that Online Armor is not just a firewall comes from this introduction to the product on the Tall Emu website which refers to Online Armor as an antivirus program. The page also refers to trusted programs and programs allowed to access the internet as two different things. As a former ZoneAlarm user these are, to me, the same thing.

The fact that Online Armor is not just a firewall may be what leads to my biggest gripe with the product - it's confusing. Compared to the simplistic, free edition of ZoneAlarm, the Online Armor configuration options seem strangely spread out. For example, some Firewall options are in the Firewall section, others are in the Options section and the main on/off switch for the Firewall is in the "General" section.

Controlling Programs

The heart of a firewall is the set of rules governing the networking that programs are allowed to engage in. Online Armor controls this in three different places.

First, there is a Programs tab where you can allow or block programs. Allow them to do what? It doesn't say. I turned off Program Guard, yet this window seems fully functional. Only by clicking the Block button does it become obvious that this is blocking programs from running, so it must be part of Program Guard rather than the firewall. There should be some indication here that Program Guard is disabled, because a user can easily make changes here and expect them to take effect when they are, in fact, being ignored.

There is a "Hide Trusted" checkbox as part of this display. Yet, even with it checked, you still see programs that are "allowed". So, there is a difference between "allowed" and "trusted" that I'm not getting. You also see this in the Firewall section of the Options tab, which has a checkbox for "Automatically allow trusted programs to access the Internet". What about a program is trusted, if not Internet access? This is, after all, a firewall.

Programs are also controlled in the "Program Access" section in the Firewall tab, which seems to do the same thing. That is, it too has a list of programs that you can Allow or Block. Allow them to do what? That was not immediately clear here either. Finally, there is a Rules section in the Firewall tab (shown below) which also controls programs.

To try to understand things, I looked into how each of these three configuration areas dealt with Firefox.


On one computer running Online Armor there is a normally installed copy of Firefox 2, a portable copy of Firefox 3 and two portable copies of Firefox 2. The Program Access section of the Firewall tab shows all four, but calls each one "Firefox". By accident, I discovered that if you hover the mouse over the program name, a tooltip displays the path to the program. The rules section shows only two copies of Firefox and, likewise, the Programs tab shows only two of them.

The other computer with Online Armor had a normally installed copy of Firefox 2, a portable copy of Firefox 3 and a portable copy of Firefox 2. I ran them all at least once. The Programs tab only knows about the normally installed copy of Firefox 2. The Program Access section of the Firewall tab shows all three but the Rules section of the Firewall tab has one entry for the portable copy of Firefox 2, no entries for the portable copy of Firefox 3 and two entries for the normally installed copy of Firefox.

Go figure.

Rules

In all this configuration, I miss what ZoneAlarm calls "server rights", the ability to accept incoming connections. The Online Armor equivalent is a rule with a "Dir" of "in" ("Dir" means "direction"). Online Armor commits a cardinal sin here: it uses abbreviations without explanations. This same window has an "Adv" column whose meaning I couldn't even guess at initially.

The product help is not part of the installed software, rather, it's on the web, so if you're off-line it doesn't exist. And, the Help button is not context sensitive. That is, it always goes to the same introductory web page rather than going directly to the page with help for the feature you are looking at. In this case, I want to read about the Rules tab, within the Firewall tab. Because there is more than one Firewall tab, finding the right section in the help takes time. The page for the Rules tab doesn't explain these columns but the page for editing rules does. This is harder than it needs to be.

Kicking The Tires

One problem ZoneAlarm had was that it created an always-growing log file. I had to put a reminder in my PIM to delete this file every couple of months. With this in mind, I looked to see how Online Armor dealt with logging. It seems to have both a log file and a history; the difference between them isn't clear. Even with logging disabled (there is a checkbox in the Firewall section of the Options tab), the history is still created. Neither one seems to have an option to limit the total size of the output.

I was disappointed by the history, which doesn't show the outbound endpoint. For example, it showed that Thunderbird, my email program, made an outbound connection on port 443, but to where? Of the millions of computers on the Internet, which one did my email program connect to? Online Armor doesn't log this, ZoneAlarm does.

Online Armor is a step up from ZoneAlarm in that it includes a database of known trusted programs. So, for example, the first time I run the Ping command it allows it and pops up an alert. The free ZoneAlarm knows nothing, so it objected to Pings. In the Online Armor history, there are two entries for that first ping. Neither shows the website that I pinged, and one says it was a user decision, which it was not.

I maintain a number of websites using an FTP program. One type of FTP chooses port numbers randomly which meant that every time I used the program, it generated a pop-up notice that the new port was auto-approved. The pop-up doesn't say that explicitly (see below) but that's what it means. When an already approved program uses a new port for the first time, you get this pop-up and it wasn't obvious how to turn this off.


When a program was approved with ZoneAlarm, you never heard another thing about it. That said, ZoneAlarm doesn't offer the level of control that Online Armor does. Specifically, ZoneAlarm can't restrict the ports a program uses. And, if you really care about network security, you would want to be notified if a program used an unexpected port. Still, I would have liked some way to not be notified every time my FTP program used a new port.

Speaking of notifications, below is the standard alert from Online Armor, one that was generated by installing Java. It leads with "A program wants to use the Internet". It doesn't say if it wants to make an outbound connection or if it wants to accept an incoming connection, something ZoneAlarm makes very clear. The last option has to do with sessions; what a session is to Online Armor, I don't know.


The most important thing a firewall does is keep the bad guys out. That is, it prevents unrequested connection attempts from the outside world. Even the basic firewall in Windows XP does this (that's all it does). ZoneAlarm excelled at two things in this regard: it logged these blocked intrusion attempts and it had an option to issue an alert when it blocked something. After reviewing all the options in Online Armor, it doesn't seem able to do either. This, to me, is a big omission. Not only did I like to audit my firewall by occasionally reviewing the log of unsolicited incoming connections, I also found it educational. There is no better way to drive home the danger that is the Internet than to see how often bad guys come knocking at your door.
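The Windows XP firewall mentioned above can write its own text log of dropped packets, which gives you the same audit the paragraph misses in Online Armor. The following is an added example, not code from Online Armor or from the post: it reads that log layout (the W3C-style header names the columns; the sample lines are constructed, and the file path is the Windows default) and summarises unsolicited inbound attempts by source and target port.

```python
r"""Summarise unsolicited inbound attempts from a Windows Firewall text log.

The Windows XP (SP2) firewall writes this log (default C:\WINDOWS\pfirewall.log)
when "Log dropped packets" is enabled. The column order is taken from the
#Fields header rather than hard-coded, so it survives layout changes.
"""
from collections import Counter

# Constructed sample in the Windows Firewall log layout (not a real capture).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-07-16 21:19:05 DROP TCP 203.0.113.7 192.168.1.5 4312 135 48 S 1234567 0 65535 - - - RECEIVE
2008-07-16 21:19:06 DROP TCP 203.0.113.7 192.168.1.5 4313 445 48 S 1234568 0 65535 - - - RECEIVE
2008-07-16 21:19:09 DROP UDP 198.51.100.23 192.168.1.5 1026 1026 404 - - - - - - - RECEIVE
2008-07-16 21:20:01 OPEN TCP 192.168.1.5 192.0.2.10 1045 443 0 - - - - - - - -
2008-07-16 21:20:15 DROP TCP 203.0.113.7 192.168.1.5 4320 139 48 S 1234570 0 65535 - - - RECEIVE
2008-07-16 21:21:00 DROP TCP 192.168.1.5 192.0.2.44 1050 25 48 S 99 0 65535 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other header lines, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        yield dict(zip(fields, values))


def blocked_inbound(text):
    """Records the firewall dropped on receive, i.e. unsolicited inbound traffic."""
    return [r for r in parse_firewall_log(text)
            if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def summarize(text):
    """Count blocked inbound attempts by source IP and by protocol/target port."""
    recs = blocked_inbound(text)
    by_source = Counter(r["src-ip"] for r in recs)
    by_port = Counter((r["protocol"], r["dst-port"]) for r in recs)
    return {"total": len(recs), "by_source": by_source, "by_port": by_port}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} unsolicited inbound attempts blocked")
    for ip, n in s["by_source"].most_common():
        print(f"  from {ip:15} {n}")
    for (proto, port), n in s["by_port"].most_common():
        print(f"  to   {proto}/{port:<5}     {n}")
```

Outbound drops (path SEND) and allowed connections (OPEN) are deliberately left out of the summary, since the point of the audit is who knocked on the door uninvited.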

Like ZoneAlarm, Online Armor can protect the hosts file, something I think any firewall should do. I found that it let me modify the comments in the hosts file without objecting, but as soon as I changed something that really mattered, it caught me and issued the alert below. In other words, it works great. If you want to test this yourself, the hosts file in Windows XP is in C:\WINDOWS\system32\drivers\etc.
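The behaviour described above, where comment edits pass but a changed mapping triggers an alert, amounts to comparing the parsed entries of the hosts file rather than its raw bytes. Here is an added example of that check (not Online Armor's code); it works on hosts-file text so it runs offline, the sample files are constructed, and the loopback set and the "non-loopback means suspicious" rule are this example's own assumptions.

```python
"""Detect meaningful changes to a hosts file, ignoring comment-only edits.

On Windows XP the real file lives at C:\\WINDOWS\\system32\\drivers\\etc\\hosts;
the functions below take its text so the check can be run against a saved copy.
"""
import hashlib

# Assumption for this example: anything not pointing at loopback is worth a look.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: address} for every active (non-comment) entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname, nothing to map
        address, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = address  # hostnames are case-insensitive
    return mapping


def semantic_digest(text):
    """Digest of the parsed entries only; comments and whitespace do not affect it."""
    canonical = "\n".join(f"{h} {a}" for h, a in sorted(parse_hosts(text).items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_hosts(old_text, new_text):
    """Report entries added, removed, or re-pointed between two hosts files."""
    old, new = parse_hosts(old_text), parse_hosts(new_text)
    return {
        "added": {h: new[h] for h in new.keys() - old.keys()},
        "removed": {h: old[h] for h in old.keys() - new.keys()},
        "changed": {h: (old[h], new[h])
                    for h in old.keys() & new.keys() if old[h] != new[h]},
    }


def suspicious_entries(text):
    """Entries that send a hostname somewhere other than loopback."""
    return {h: a for h, a in parse_hosts(text).items() if a not in LOOPBACK}


# Constructed samples: a baseline, a comment-only edit, and a real redirection.
BASELINE = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
"""
COMMENT_EDIT = BASELINE.replace("constructed", "constructed, backed up 2008-07-16")
REDIRECTED = BASELINE + "203.0.113.5     www.example.test  # constructed entry\n"

if __name__ == "__main__":
    same = semantic_digest(BASELINE) == semantic_digest(COMMENT_EDIT)
    print("comment-only edit ignored:", same)
    print("real change reported:", diff_hosts(BASELINE, REDIRECTED))
    print("non-loopback entries:", suspicious_entries(REDIRECTED))
```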


A nice feature of Online Armor is that it shows you other computers on your LAN, something that ZoneAlarm does not. But every time I've looked at it, the status of the other computers is "unknown"; it continued to show computers that had been turned off hours ago, and there is a yellow light bulb icon whose meaning is a mystery.

Online Armor also deals with Internet Explorer extensions, which ZoneAlarm does not. On both machines, it trusted the few extensions it found, which isn't a surprise, as I hardly use IE.

In Internet Explorer 7, you can see the installed Add-ons with: Tools -> Manage Add-ons -> Enable or Disable Add-ons. On both machines, when I selected "Add-ons that have been used by Internet Explorer" the list was much longer than the list in Online Armor. On one machine, IE7 displayed 20 Add-ons and Online Armor listed 7. I'm not sure what to make of this.

Windows Messenger is an IE7 browser extension that I always disable, since I don't use the product. Online Armor trusted it, so for good luck I tried to block it. This produced the warning below saying it will be uninstalled rather than blocked. The warning is wrong - if you say yes, the Windows Messenger extension is blocked rather than removed. After unblocking the Windows Messenger extension, I deleted it and that seemed to work, it no longer appeared in IE7.


Final Thoughts

In the interest of brevity (this is already my longest posting), I won't go into some other quirks in the user interface but suffice it to say, there is room for improvement.

Before Scot Finnie recommends a firewall, he runs it through a battery of tests. Online Armor got an excellent score, so I don't doubt it's protecting my computer. Still, it will be a while before I feel comfortable with it.

And, I don't know that it's a good fit for non-techies. Not only is it more ambitious than just being a firewall, the paid version is a very ambitious firewall. The list of features is huge. The free version of ZoneAlarm is skimpy on features, but sometimes less is more.

That said, two features of Online Armor sound very interesting. The "Run safer" feature is much like DropMyRights, which I wrote about last year. The "banking mode" (only available in the paid version) is also intriguing. I may research these a bit more.

Update July 17 2008: Revised the topic on incoming connections and added mention of the status display.

*Online Armor supports Windows XP and 2000, a Vista version is in the works.

See a summary of all my Defensive Computing postings.

July 12, 2008 6:12 PM PDT

Two recommended Windows firewalls

by Michael Horowitz
  • 10 comments

Finding a new firewall program has been on my to-do list for a long time. I was a long-time fan of the free version of ZoneAlarm, but the upgrade from version 6 to 7 was off-putting. The file size increased tremendously (it's now 44.6MB) and the functionality hardly changed at all. That made me suspicious of what all that extra code was there for. Still, old habits die hard and I was used to it like an old pair of gloves. But a few days ago, when a bug fix for Windows broke ZoneAlarm, and no other firewalls, it lost my confidence.

I can't yet recommend a firewall based on personal use, but someone I trust, Scot Finnie, recommends two. Scot, who now works for Computerworld, has been writing a free newsletter for years. I was lucky enough to discover it long ago and I've come to trust his recommendations. Recently, it morphed into a blog.

Back in March, Scot wrote The Best Firewall Software of 2008: Online Armor, the final chapter in his 19 month investigation of firewalls. That's not a typo, he spent a year and a half researching firewalls.

Cutting to the chase, he recommended two firewalls: Online Armor 2.1 and Comodo Firewall Pro 3.0.

In his own words, "Tall Emu's Online Armor 2.1 is The Scot's Newsletter Blog Best Firewall Software of 2008 ... [with] the best blend of a high degree of protection with a high level of usability."

There is a free and a paid version of Online Armor; Scot reviewed and recommended the paid version. Vista users are out of luck: Online Armor only works with Windows XP (32 bit only) and Windows 2000.

Scot felt that Comodo Firewall Pro 3.0 offered excellent security, but that it was high maintenance and thus more appropriate for techies. He doesn't like being frequently interrupted by firewall alerts, a sentiment I agree with. Comodo Firewall Pro is free and works with Windows XP (both 32 and 64 bit) and Vista.

A big reason I liked ZoneAlarm was ease of use. When it popped up an alert, the explanation of why was simple and clear. Likewise granting permissions to programs couldn't have been easier. I tried a handful of firewalls and none came close in terms of ease of use.

Once, when I was teaching a class, a student brought in a screen shot of an alert from the Norton firewall asking what it meant. It wasn't clear if the firewall was asking the user something or telling them, let alone whether the alert was about something coming in to the computer or going out. If you watch the TV show Boston Legal, think word salad. And I know the lingo.

Ease of use was a big reason that Scot recommended Online Armor, saying "Online Armor's user experience is on par with ZoneAlarm Free and Sunbelt Personal Firewall -- the two firewalls I've pointed to in the past as having the best user interfaces in this field."

Part of this entails running silently, after the initial getting-to-know-you period that any firewall requires. As Scot put it "When pop-ups are too repetitive or too frequent, it's only human nature for a large segment of the user base to start ignoring them. That behavior leads to a severe loss of security." I agree completely, as, I'm sure, many Vista UAC users do too.

The criteria Scot used in his evaluation were "usability, company support, stability, compatibility, and bug resolution". Sounds perfect to me.

Another thing I agree with Mr. Finnie on is a dislike of all-encompassing software suites. Both his recommended firewall programs are just that, firewalls. Nothing more. As he puts it:

"The impetus for this review came after more than a decade of using and reviewing multifaceted, everything-but-the-kitchen-sink security suites such as Norton Internet Security. When I kicked that habit, I looked around for something better and realized that most mainstream computer publications were for the most part reviewing only the big-name, large-footprint products. It was clear to me that there was a better way that involved selecting a small set of best-of-breed security products that work well together."

I never heard of Tall Emu, the company behind Online Armor. But, Scot was impressed with them:

"What's especially impressive about the talk and actions emanating from Australia-based Tall Emu is a strong corporate culture that values communication, honesty, a willingness to talk openly about problems, a responsive attitude, open-mindedness, and respect. I'm not sure how to say this, but I trust Tall Emu to do the right thing. I can't remember the last time I felt that way about a software company in the post-Microsoft-antitrust era."

A small point in the article bears repeating. Someone with a single computer connected to a broadband modem doesn't need a router. Technically. Yet installing a router is nonetheless a good thing, for the firewall. Rather than depend on a single software firewall (Windows security and all that that entails), the hardware firewall in a standard, relatively cheap, consumer router provides an extra layer of defense.

It's a very long article but well worth reading.

On July 16, 2008, I wrote up my first impressions of Online Armor.

See a summary of all my Defensive Computing postings.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
