speedguide.net   

Tiny Software Personal Firewall

Tiny Software Personal Firewall v1.0
A great ICSA certified software firewall
Date: 07.26.2000 10:43
Type: Software
Author: S. McDougall
Manufacturer: Tiny Software  
Product/Model: Personal Firewall  
List Price: $29.00 


I've been using hardware routers (Internet sharing and Firewall protection) for so long that I was really thrilled when Tiny Software offered to let me try out their products. I had almost forgotten how much I preferred soft Sharing/Firewall software packages over their hardware based brothers and sisters.

Tiny Software currently sells three different products, starting with a home/small-business network router, and a very heavy duty professional version that has many advanced features (including features like a built in mail server and DNS forwarding). Both of these software packages come with a very highly praised Firewall. Tiny's 3rd product is that Firewall in a standalone version. It doesn't even seem like they ever set off to release a stand alone Firewall, and this is also what they claim. Apparently there were a great deal of requests for this.

Click to expand
I chuckled a little when I saw this. The uninstall routine doesn't say it's going to uninstall Tiny's Personal Firewall; it says it's going to uninstall the WinRoute software from which it was born. It really is the Firewall from the big package. I guess someone forgot to change the message box.

There are a lot of personal Firewall packages out on the market (including a really good free one). Why should we look at buying this one? Even after using the product, I can't give a straight answer. On one hand this Tiny's Personal Firewall is completely devoid of "extra" features that appear in other products (such as ad blocking, etc.). On the other hand, it's a slim 100% top quality Firewall with very little network overhead or impact, which can be rare. Some Firewall products can really slow down a network.

The most important thing to consider is that this Firewall is the same as the one in WinRoute, which is ICSA Certified. You won't find anything like BlackIce, ZoneAlert, or Norton Internet Security 2000 on the ICSA Certified list (but I'm sure they want to be). I'll talk more about ICSA Certification later on and give some links.

If you are in the market for a Firewall program, you will have to decide between extra features or the slim and fast Tiny's Personal Firewall that is the most secure one I've ever used. You may also decide it's best to go with a free one. Many other Firewalls do come close to the security provided by Tiny's Personal Firewall.

So who is Tiny Software? To be honest, I had never heard of them before a month ago. Here's the bio information from their website:

Founded in 1997, TINY Software has been developing sophisticated, powerful software products that have been offered to customers in small, easy-to-use packages.

As a technology leader in Firewalls for medium size networks, TINY Software has built an impressive portfolio of technical achievements within its networking industry.

With market demands to enhance and optimize Internet connections; whether by dial-up, DSL, cable modem, DirecPC or leased line, TINY Software has provided the solution in a reliable, affordable and easy-to-use software product. Branch offices, telecommuters, Small Offices/Home Offices (SOHO), medium size networks as well as large corporations utilize TINY Software products.

TINY Software distributes its products through the Internet and by more than 2,000 resellers. There are currently more than 150,000 networks in 70 countries using WinRoute, TINY Software's flagship product.

TINY Software is committed to continue its delivery of high-quality products as well as customer services. TINY Software's corporate headquarters is based in Santa Clara, California.

When I looked around for additional information on the company I became impressed fairly quickly. It seems they're leaders in their chosen industry, getting more press than most of their larger and more powerful competitors. And hey, they even mention Napster in their product description of the Firewall, so you know their cool!

Their biggest fame lately seems to be coming from being the Proxy/Firewall supplier to the U.S. Naval Aviation Systems Team, and for quickly developing a solution to a serious Microsoft Outlook Security Flaw.

Let's install the Firewall and kick it's tires....


Installation

I tested out the Firewall in both Windows 98se and Windows 2000. I didn't have any problems (of any kind) in either OS after using the Firewall for a period of days. Just as a note, almost all of the screenshots and security tests were done while in Windows2000.

I didn't see what I expected after the installation. The Firewall installation does not set the Firewall to run automatically. I love to see things that don't make a mess of my registry (cough - Norton), but there should have (at least) been an option during installation to configure the Firewall to start automatically with the system (or to run the Firewall as a service in Windows 2000). As it is, you will have to manually create a registry key or (more simply), copy a shortcut to the Firewall executable into your Startup folder on the Start Menu.

After starting the program only one process was listed relating to the Firewall. I have to say I think of this as a "plus". With some other Firewalls there is the Firewall software itself and a more hidden engine. Completely disabling a Firewall can be necessary at times, at you'll have one stop shopping (or closing) with this one. This is something I didn't like though, I could not find a way to remove the application button from the taskbar. I would very much prefer to be able to minimize the Firewall application down to the Systray icon only.

Click to expand
This is the application window. As you can see there's not a lot to look at. There is only one Menu Bar listing which contains selections for: Settings, Log Window, About, and Exit. The main window temporarily displays logging information which expires in a few minutes. However, a permanent text file with more detailed logging information is constantly updated. If you'll notice, I highlighted the column bar in yellow. I was a little annoyed when I discovered that the information can not be sorted by column, but it is only a temporally window.
Click to expand
This is the settings windows. The listed items are basically rules that you can create or that are created for you, with at least one default rule for your own network. The thing that seems to be missing here is any kind of port specification. I would like the ability to place (for example) an IP under normal or high security restrictions, yet allow it complete access to a specific port.

Also missing is the ability to remove ports or port ranges completely from the Firewalls protection. If (for example) I want to play Quake3 and run Quake3 servers, I might want to remove the "Quake" ports from the Firewalls security without having to lower the protections settings for the entire Firewall program. To run a game server you will need to disable the Firewall or set it to the "Low" security level. In my opinion the is the #1 feature they need to add.

Those two items are my biggest complaints with this this Firewall, and I hope that they can be added in a future release. This is only Version 1.0/Beta1 so there's still hope.

Click to expand
the window where you can create or modify security rules. You can give the rules a name and specify whether or not the rule applies to a whole group of computers (under the same domain/mask scheme). It's sleek and functional, but no bells and whistles.
Click to expand
These are the security settings available to any item on the settings list.
Click to expand
These are the advanced options. The first option is selected by default and seemingly a nice feature. If you have any network operation in progress when the Firewall is started, it won't break that connection until the transaction is completed. The "Don't accept broadcast" option is for those with static IP addresses, in which case you'd want to choose this, because it will block broadcast of DHCP.
Click to expand
The permanent log provides detailed information. It appeared to have a set "roll-over" limit, but the list gets pretty long. What was missing here is that good 'ol attack logging style of BlackIce. If you've never used BlackIce before, it maintains a log of attacks and labels them by what type of attack they were. Further, you can select the attack and get detailed information about it from the BlackIce website. Sure it's nice to know that an unsolicited request came from IP 'xyz', but I'd like to know what kind of request (attack) it was, and what the purpose of the request was. Was it an OS sniff or a Telnet probe? Perhaps someone was port scanning trying to find systems running PC Anywhere.

Of course advanced logging like that doesn't make a Firewall good, and we already know that BlackIce has some holes in it. I'll admit it is eye candy, but I do enjoy knowing how violent my Internet connection can be. Also, I use to enjoy attacking the attackers. That only brings bad karma though, so I had to stop.

Let's do some testing.... 


Testing

The first thing I wanted to see was how big of an impact the Firewall software would have on network performance. I just did one test and decided to use the Thief2 demo from Download.com as a testing platform. It's a very large demo (130MB), that isn't downloaded too frequently anymore. It seems the demos real home is the FTP server of Dailyradar now though.

I started the downloads and stooped them about 30 seconds later (after things had stabilized). There was less than a 1% difference in speed with the Firewall running, so there was almost no impact on throughput because of the Firewall. On the flip side, home Firewalls like Norton's Internet Security 2000 (more features but twice the price - and they didn't write the Firewall, they bought AtGuard out), is a now violator of bandwidth. Not to mention it's installation is like exploding a can of Norton spray paint on your registry (I hate that).

My first stop on the security checklist was Steve Gibson's Shields Up test:

Click to expand
That would be a perfect score from Shields Up port probe test. Not only that but, unless you approve a request, all of your ports won't respond at all to unsolicited requests. This will make you invisible to hackers, or anyone running a port scanner.
Click to expand
do need to point out that at the standard "normal" security settings, you will be asked if you wish to allow communications requests. This happened frequently while security testing. However, if you're not around to approve the request, nothing will happen anyway. I do like being given the choice.

Now it's time for the grand finale..... the mother of all security scans: Secure-Me's full (paid for) scan, which covers so much more ground than anything else I've seen. We'll get: a Fragmented IP test, the deadly pings of death, some web exploitation scanning action, an SMTP (mail port) scan, and a full TCP and a UDP scan all in one (as well as some other stuff).

I should point out here that ) if you are running your system without a Firewall of some type, Microsoft OS's do almost nothing to protect you (especially if you have Cable or xDSL). You might has well just take your computer over to a hackers house and leave it on the doorstep. I actually felt somewhat creepy while the "naked" tests were running. I don't like feeling that "exposed" with an always on connection. I usually log 10-20 attacks per day, and sometimes much more.

Click to expand
I've tested a lot of Firewalls (hard and soft - insert joke here), and a score of "0" is very rare for anything a normal human can afford for home use.

Look at that...... "smack"

I've tested a lot of Firewalls (hard and soft - insert joke here), and a score of "0" is very rare for anything a normal human can afford for home use.

Again, if "normal" security settings are selected you will be questioned on every unsolicited request. Normally this will be a rare occurrences, and I think it is much better to get a choice.

Let's wrap things up


ICSA Certification

ICSA's website explains very well who they are and what they do. Also, it's a great website to checkout from time to time to keep up with Internet security issues (including viruses and current hacking methods, etc.). They don't "Certify" a product unless it's really good; this in not a lightweight certification by any means.

Links to ICSA's website are at the bottom of this page. If you read up on the certification that Tiny Software received, you'll need to keep in mind that the "mothership" product "WinRoute PRO" itself was certified before the Firewall was separated to be sold as an individual program. But, the Personal Firewall is the Firewall from WinRoute PRO.

Next, I'll be reviewing the home version of WinRoute PRO which is called WinRoute Lite, followed by the full WinRoute package. The "Lite" version is comparable to software such as WinGate or Sygate or Microsoft's ICS included with Windows 98se, Windows ME, and Windows 2000. If you are using ICS (Internet Connection Sharing) now I'd suggest you do some reading on it, as it is a security nightmare untweaked (of course no configuration tool comes with it either). ICS is not a Firewall and does not include one.

If you do share your Internet connection and are interested in the personal Firewall, I'd suggest looking into buying the full version of WinRoute Lite. The cost for a 3 user license is $59, so it will cost you only $20 more to get the Firewall and Internet Sharing. Especially if you run a business (small or otherwise) it is more cost effective to centralize your Firewall on the proxy server. With any Firewall software, package you are required to purchase a separate license for each computer it is installed upon.

You should be looking at Tiny's Personal Firewall if: You share your Internet connection with ICS (to be placed on the sharing system with ICS), or if you only use the Internet on one system only. Remember, if you have cable or xDSL service you are especially at risk.

The Good

  • Part of the ICSA Certified WinRoute Pro!
  • Best Firewall performance (by far) in it's class
  • Perfect scores from every Firewall test I personally knew of - Even the mighty "Full" Secure-Me scan
  • Good control (rule creation and modification)
  • Good logging
  • Very sleek, barely any bandwidth overhead is used
  • Quick access to Firewall settings (they can be adjusted very quickly)
  • Very clean install
  • Very clean uninstall
  • Cheap: $29 aint bad at all
  • Tiny Software maintains an e-mail list to send out notifications and news

The Bad

  • No option during install to have the Firewall start automatically on system startup
  • Firewall does not run as a TSR or Service
  • No "detailed" logging or explanation of attacks
  • No ability to remove ports or port ranges from the Firewall's scrutiny
  • No remote access
  • No ad blocking
  • No advanced filtering (Java/Java script pop up windows, etc.)
  • No advanced user control/filtering (i.e. multiple Firewall accounts and parental control).
  • Web based support is confusing to locate (and lacking) for the Personal Firewall as most of it relates to the full WinRoute software. The installation however is simple enough so generally no manual is needed.

Recommendations for Tiny Software

I hear the former Taco Bell dog is out of work..... he'd make a good mascot. You could call him "Tiny" and have commercials where he ankle bites evil hackers and then steals their tacos. Or maybe he could jump through windows and chew through network cables.

Basically everything in the "Bad" section is just a feature that could be added... I'd love to see these features appear over time. Knock Knock... anyone listening? :)

Keep in mind that this is the very first version of a Firewall that was stripped out of a larger Proxy software package by popular demand. I have no doubt that it will improve and be enhanced. I'm sure many things that I consider stand alone Firewall features were part of the larger WinRoute packages.

 

McDougall: I worked at Intel for a few years, so I guess that's impressive.... Every day I regret the fact that I quit (I had to move back to my home state). Now I'm a corporate slave designing circuits for perhaps the largest baby bell phone company in America. The sick thing is my job now is really high tech data entry. I've got that nasty 1+ hour rush hour commute each way that makes life o' so fun. But, it pays good... Have you sold your soul to corporate America too? Play by the rules but don't let them break your mind....

Rating
Price:
Features:
Setup Ease:
Protection:
Web Based Support:
Reliability:
Performance (speed/latency):
Overall Rating:


Copyright © 1998 - 2003 Speed Guide, Inc. All rights reserved.
All trademarks and logos are © of their respective owners.