Part 3: How to Set Up a Linux-Based Firewall for a SOHO
Part 3 of a 3-part series. May 14, 2001
Plugging Up the SOHO Firewall Leaks

Most software SOHO firewalls adequately protect you from outside hackers who try to access your files or otherwise probe your PC. But what if the danger comes from within? Several personal firewall vendors have released updates addressing a weakness that lets intruders in when users unsuspectingly run a malicious application masquerading as a friendly one. The Gibson Research Web site (http://grc.com/), best known for ShieldsUp, a test designed to expose a firewall's vulnerability to external attacks, now gives you a way to check for that weakness. Gibson's latest offering, dubbed LeakTest, is a free, easy-to-run download that tells you whether your SOHO firewall can detect and stop an internal Trojan horse program: innocent-looking software that is spread via e-mail or download. Antivirus software can alert you to known Trojan horses, but if a new one gets through, your SOHO firewall is supposed to provide a second line of defense. Unfortunately, most SOHO firewalls failed LeakTest when it was released in December 2000.

Disguised applications: All SOHO firewalls are meant to block unauthorized attempts to access a PC from the outside. However, many legitimate applications running on your computer open it to outside access; SOHO firewalls have to let you receive e-mail and Web pages, for example. So how does a SOHO firewall know when an application is legitimate? Most rely on the name of the executable file (netscape.exe, for example) together with the port number of the Internet connection that application opens. A Trojan horse can fool such a firewall into treating it as a legitimate application simply by running under the file name of an already-authorized program and using the port that program is allowed to use.

Safe attack strategy simulation: LeakTest safely simulates exactly this attack strategy.
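The renaming trick described above, and the content-based check that the vendor updates discussed below moved to, side by side in a small simulation. This is an added example, not code from the original article or from Gibson Research: the "executable images" are constructed byte strings standing in for files on disk, the rule shapes (file name plus port, fingerprint plus port) are a simplification of how the firewalls of the time worked, and nothing here touches the network.

```python
"""LeakTest-style simulation: a per-application firewall rule keyed on the
executable's file name is bypassed by renaming; a rule keyed on a fingerprint
of the file's contents is not.

Constructed stand-ins, not real programs: the byte strings below play the role
of executable images on disk. Nothing here opens a network connection."""
import hashlib

FTP_CONTROL = 21

# Constructed executable images (the contents are arbitrary labels).
GENUINE_BROWSER = b"NETSCAPE-GENUINE-IMAGE-4.7"    # program the user approved
TROJAN = b"LEAKTEST-STYLE-TROJAN-IMAGE"           # never approved by the user
PATCHED_BROWSER = GENUINE_BROWSER + b"-TAMPERED"  # approved file, modified on disk


def fingerprint(image: bytes) -> str:
    """Content fingerprint of an executable image (SHA-256, hex)."""
    return hashlib.sha256(image).hexdigest()


def decide_by_name(rules: set, exe_name: str, image: bytes, dst_port: int) -> str:
    """Pre-LeakTest style rule: (file name, destination port).
    `image` is accepted only to keep both policies call-compatible; it is ignored."""
    return "allow" if (exe_name.lower(), dst_port) in rules else "block"


def decide_by_fingerprint(rules: set, exe_name: str, image: bytes, dst_port: int) -> str:
    """Post-LeakTest style rule: (content fingerprint, destination port).
    The name the process runs under plays no part in the decision."""
    return "allow" if (fingerprint(image), dst_port) in rules else "block"


def authorize(name_rules: set, fp_rules: set, exe_name: str, image: bytes, dst_port: int) -> None:
    """What each kind of firewall records when the user clicks 'Allow'."""
    name_rules.add((exe_name.lower(), dst_port))
    fp_rules.add((fingerprint(image), dst_port))


def run_leaktest() -> dict:
    """Replay the LeakTest scenario under both policies; return the verdicts."""
    name_rules, fp_rules = set(), set()
    # The user once authorized the genuine browser to make FTP connections.
    authorize(name_rules, fp_rules, "netscape.exe", GENUINE_BROWSER, FTP_CONTROL)

    scenarios = {
        # label: (name the process runs under, bytes on disk, destination port)
        "genuine browser, own name": ("netscape.exe", GENUINE_BROWSER, FTP_CONTROL),
        "trojan, own name": ("leaktest.exe", TROJAN, FTP_CONTROL),
        "trojan renamed to netscape.exe": ("netscape.exe", TROJAN, FTP_CONTROL),
        "genuine browser, unauthorized port": ("netscape.exe", GENUINE_BROWSER, 6667),
        "browser patched on disk, own name": ("netscape.exe", PATCHED_BROWSER, FTP_CONTROL),
    }
    verdicts = {}
    for label, (exe, image, port) in scenarios.items():
        verdicts[label] = {
            "name+port": decide_by_name(name_rules, exe, image, port),
            "fingerprint+port": decide_by_fingerprint(fp_rules, exe, image, port),
        }
    return verdicts


if __name__ == "__main__":
    for label, v in run_leaktest().items():
        leak = "  <-- leak" if v["name+port"] == "allow" and v["fingerprint+port"] == "block" else ""
        print(f"{label:36s} name+port={v['name+port']:5s} fingerprint+port={v['fingerprint+port']:5s}{leak}")
```

Two rows carry the lesson. The renamed Trojan is allowed by the name-and-port rule and blocked by the fingerprint rule, which is the LeakTest failure and its fix. The patched browser is also blocked by the fingerprint rule: that is what makes tampering with an authorized program detectable, and it is also why every legitimate program update produces a fresh authorization prompt, the inconvenience the article goes on to describe.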
After you download the 27-KB program, it is recommended that you change its name to that of a popular Internet application such as Internet Explorer or Eudora. When you run the program, it uses the FTP protocol to attempt to connect to one of the Gibson servers. If it succeeds, it confirms your PC's vulnerability (but doesn't send any personal data). No LeakTest-style Trojan attacks are known to have occurred outside a lab. Still, most major SOHO firewall vendors now have updates that address the problem.

When the test was released, only one major SOHO firewall, Zone Labs' ZoneAlarm, passed. Vendors whose products were fooled by LeakTest include McAfee.com, Network Associates, Sygate Technologies and Symantec Corp. Almost all of them offered free updates by early February 2001. These patches change the way the SOHO firewall identifies applications users have authorized to access the Internet: instead of relying on file name and port, the firewalls check the program's actual contents (a checksum of the executable), so a renamed or modified file no longer matches the rule that was created for the genuine program.

Getting this extra protection may be inconvenient. To fully update Norton Personal Firewall, for example, you may have to run LiveUpdate, its downloadable upgrade service, more than once. Symantec also turned off Norton's automatic rule-creation feature, which results in users being pestered by pop-up authorization request windows; because any update to a legitimate program changes its checksum, each such update triggers a new prompt as well. All SOHO firewalls (even ZoneAlarm) rely first on the user's good judgment. That means not authorizing suspect software. The bottom line: When it comes to protecting your data, caution is king. It's better to put up with a strict SOHO firewall now than to cry later when some stranger downloads all your company's financial documents.

Don't Underestimate the Need for Smart Planning

While analysts predict that the market ultimately will consolidate into a single desktop security product or suite that includes intrusion-detection tools, a SOHO firewall, a VPN and antivirus protection, there's no consensus on just how this will be accomplished.
Already, almost every SOHO firewall offers VPN capabilities. Vendors are merging and partnering to bundle mixed products into one integrated product. Some companies, including infoExpress and Symantec, are taking the suite approach. Then there's the debate over where these Linux-based SOHO firewalls will wind up: as hardware, as software or as something more like a network adapter, according to analysts. That's why many IT managers say they'll just wait a while before deploying Linux-based firewalls, in spite of the risks of waiting.

Finally, one of the reasons people are fond of SOHO firewalls and other network-based security measures is that they assume they can let host security lapse once they have secured the perimeter of their network. They are only somewhat correct. Network security is mostly host security. If host administrators assume that the SOHO firewall will protect their hosts from access violations, sooner or later they're in for a nasty surprise. No standalone technology can protect hosts from all access violations, so only a combination of network-based and Linux host-based controls, including both a SOHO firewall and monitoring programs, can ensure the safety of your hosts. At the heart of all these technologies is the need for smart planning of the security system as a whole. A collection of security systems that aren't integrated with one another is no more helpful than a Do Not Enter! sign on an open door.
John Vacca is an information technology consultant and internationally known author based in Pomeroy, Ohio. He can be reached on the Internet at jvacca@hti.net.