Review: NetBarrier 1.5.1
Developer: Intego Software
Requirements: Power Mac with System 7.5.5 or higher, monitor with 800 x 600 or higher resolution.
Let’s face it: it’s downright rare, if ever, that you hear about someone’s Mac being hacked into. Macs are just less prone to invasion over the Internet than Windows machines. That, at least, was my first thought when I heard about NetBarrier: why do I need this? Macs are safe.
Thing is, though, Macs aren’t immune to attacks over a network. Over a month or so of using NetBarrier, I have been alerted to someone trying repeatedly to log in to my Mac with the wrong password, a few ping floods, and quite a few port scans. What would have happened if none of these had been detected? Admittedly, probably not much. Whoever was trying to log on to my Mac would get bored after discovering I didn’t use an obvious password, port scans themselves aren’t necessarily hostile, and a ping flood doesn’t have any long-term effects to worry about. On the other hand, who knows? For me, that’s a big part of what NetBarrier is all about: not just being, but feeling, more secure.
How it Works
NetBarrier’s configuration panel offers you three types of computer security: Firewall protection, which protects against data moving to or from your computer through various protocols; Anti-Vandal protection, which guards against things like ping attacks and intrusion attempts; and a data Filter, which prevents certain specific bits of text (like credit card numbers) from leaving your computer in raw form. Each of these can be configured to work as you want, or can be turned off entirely. Each, however, is also capable of causing problems if configured incorrectly.
Fortunately, NetBarrier doesn’t assume all its users are networking experts. Its manual, on the contrary, is written with the networking novice in mind. It gives a brief, non-technical description of each of its pre-programmed options—just enough information for you to decide which option is best for you. On the other hand, if you have a question that requires a somewhat technical answer, you’re left in the dark. For example, one of the Firewall options is “Client, Local Server,” which allows your computer to act as a server only to local machines. It’s not unreasonable to wonder just what Local means. The glossary, somewhat redundantly, defines a Local Network as, “A network of computers linked together in a local area.” Gee, thanks for clearing that up. It adds, “This may be a single building, site or campus.” Unfortunately, there’s a big difference between a building and an entire campus! While it’s generally a good thing to keep the manual easy to understand for someone who’s not a networking professional, sometimes a somewhat more technical explanation is required, and NetBarrier’s manual is unfortunately silent.
Once you have NetBarrier configured, it functions invisibly, in the background. If it detects an intrusion attempt of some sort, it can play a sound of your choice (the default is a positively shocking sound that still makes me jump), send you an e-mail, automatically block the intruder for a standard length of time, or prompt you for action. I like to have it prompt me, just to keep me informed of what’s going on; I’m just curious about who’s doing what to my machine over the network.
The Firewall function protects data travelling to and from your computer through various protocols. The preprogrammed Firewall options you can choose from revolve around client/server options. Each is given a few lines of basic explanation in the manual to help you decide which best suits your needs, but they’re named well enough on the Firewall pane that you probably won’t need the manual here.
The Firewall Options
Those options by no means exhaust the possibilities of the Firewall. If you know what you’re doing, you can build custom rules for your Firewall. You can use your Firewall as an IP filter, allowing only specified IP addresses (or a range of IP addresses) access to your computer. You can allow other computers to access only certain services on your computer (such as HTTP if you are serving Web pages), blocking them from otherwise accessing your Mac. Or, of course, you can combine IP filtering and services, giving you extremely versatile control over access to your machine. (Yes, you can also control access from your machine in the same way.)
You can also accidentally cripple your network access, if you don’t know what you’re doing. It can be difficult to walk the line between easy-to-use and extreme versatility, but NetBarrier handles this very well, offering advanced options and making it clear you should be careful if you use them.
The Firewall section is also where the activity log is found, although the log shows all activity, not just that of the Firewall. (Ideally, the Log should be accessible from all panes of NetBarrier.) It categorizes each logged item visually, with a colored dot: red for alerts, yellow for acceptable network activity, and green for starting and closing the NetBarrier control panel. Guess which of those is the only one you’re likely to care about (not that I mind the other stuff being logged)?
The problem is that the log gives you options of which logged items to display in the log, but those options don’t correspond to the colored dots. There’s no way I have found, for example, to manipulate the options so that I will only be shown “red-dot” items. The closest to this I can come is to show everything and sort the list by dot color; thankfully, the red comes out on top. Unfortunately, however, there is no secondary sort order; I get all my alert items listed together, but not in order of time, network address, or type of alert.
Worse still, the log seems to lose alert items. While I’ve had NetBarrier installed for over a month (and not once cleared the log), the oldest alert item in the log is from merely a few days ago. I have lots of yellow-dot items in the log going all the way back to when I first installed NetBarrier, but the first green-dot item in the log is from just yesterday. I have had many alerts in the last month, and have often opened up NetBarrier’s Configuration screens, but those actions don’t show up in the log. Okay, I can’t pretend to care that there’s no record of my having opened the control panel early in the month. I am very bothered, however, that “red-dot” items have vanished from the log. That’s exactly the kind of thing I want to analyze: if I get port scanned, and can determine that I was scanned from the same domain a week ago, and 2 weeks before that…well, at the very least, I’d want to permanently add that IP to my “Stop List” (see below). Since this information is lost from the log, however, I have no way to know this is the case.
This is the part of NetBarrier that I’ve found the most useful. With Anti-Vandal protections, you can be protected against people trying to break into or crash your computer. I could tell you what the protections offered are, but a picture is worth a thousand words (see Figure 3).
The manual explains each of these options briefly, giving you just enough information to decide which options to enable and which to leave off.
When someone violates an Anti-Vandal rule, NetBarrier gives you the opportunity to add the would-be intruder to the Stop List for a specified period of time, or forever. (It can also automatically add the intruder to the Stop List, if you don’t want to be bothered.) Once someone’s IP address is on the Stop List, all communications to and from that machine will be rejected. For example, if someone does a port scan on your computer, you put him on your Stop List, and then he tries to read a Web page you’re hosting, he’ll be locked out. Of course, you can always remove someone from the Stop List manually, if the need arises.
A useful additional feature here, I think, would be to link up the Stop List with a (not so forgetful) Log of intrusion attempts. It would be quite useful if I could be informed not just of an attempted port scan, but that someone from the same domain ping-flooded me last week. Also, it would be great if, when clicking on a particular entry on the Stop List, you could see other intrusion attempts, if any, from that domain.
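The log-to-Stop-List link suggested above, sketched as an added example (not NetBarrier's code or its log format): it groups constructed alert lines by source network so that a new alert can be shown together with earlier activity from the same range. The line layout, the /24 grouping that stands in for "same domain," and all function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample alert log (date, time, source IP, alert type). The review
# does not show NetBarrier's real log format, so this layout is an assumption.
SAMPLE_LOG = """\
2000-03-01 21:14:05 203.0.113.17 port-scan
2000-03-08 20:02:41 203.0.113.88 ping-flood
2000-03-09 09:30:12 198.51.100.4 wrong-password
2000-03-22 22:47:19 203.0.113.17 port-scan
2000-03-23 07:05:50 192.0.2.200 port-scan
"""

def parse_alerts(text):
    """Yield (when, source_ip, kind) for every well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield when, parts[2], parts[3]

def network_of(ip, prefix=24):
    """Group key standing in for the review's "same domain" (assumption: /24)."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def history_by_network(alerts):
    """Map each source network to its alerts, oldest first."""
    history = defaultdict(list)
    for when, ip, kind in sorted(alerts):
        history[network_of(ip)].append((when, ip, kind))
    return dict(history)

def repeat_offenders(history, min_alerts=2):
    """Networks with at least min_alerts alerts: permanent Stop List candidates."""
    return sorted(net for net, events in history.items() if len(events) >= min_alerts)

def prior_alerts(history, ip, before):
    """Earlier activity from the same network, to display beside a new alert."""
    return [e for e in history.get(network_of(ip), []) if e[0] < before]

if __name__ == "__main__":
    hist = history_by_network(parse_alerts(SAMPLE_LOG))
    for net in repeat_offenders(hist):
        print(net, [f"{w:%Y-%m-%d} {k}" for w, _, k in hist[net]])
```

This only works if alert entries are retained; a log that drops its red-dot items, as described earlier, leaves nothing to correlate.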
The Filter’s job is to prevent specific strings of text from leaving your computer. The manual suggests credit card numbers be filtered; I know a few people who keep all their passwords in one simple unencrypted document; that would also be a great choice for Filter.
Essentially, you give Filter a string of text that you don’t want to be able to leave your computer. Once the Filter is active, if you try to send a file with that string in it to another machine, or if someone else with access to your computer tries to make a copy of that file, the Filter will alert you, and you can stop the file from transferring by adding the receiving machine to your Stop List. (Since the Stop List applies to the Filter function as well as the Anti-Vandal function, it should also be available from the Filter pane, but it’s not.) A really neat idea, at least in theory (read on), that protects your data not just from others but from your own error as well.
What happens, though, if you try to send a file with a protected word to another computer? The result, unfortunately, sucks. You get a warning from NetBarrier, as you should, and press Stop List to prevent the transfer from taking place. Here comes the bad news: the File Copy dialog in the Finder freezes, and after a moment, so does your computer. After a few minutes, you find that you’ve been disconnected from the server you were sending the file to, and you can’t reconnect! Now, you can’t reconnect because that host is on your Stop List. This makes it painfully obvious that the Stop List is the wrong way to prevent me from accidentally sending off secret data; I should be warned of my action and given the options of not sending the data, or sending it anyway. Since Stop List is my only option for not sending the data, and an IP on the Stop List can’t communicate in any way with my computer, I lose my connection with the machine when all I wanted to do was cancel the sending of a file. I also can’t open Web pages hosted on that machine, or interact with it in any other way, until I remove it from the Stop List. This is just not well thought out.
It gets worse. When I try to copy a file whose name contains the secret word onto another computer over the network, my cursor turns to a timer, and stays that way awhile. Finally, I get a message that the server closed down, I hear the NetBarrier alarm, and instead of the window asking me to add the machine to which I was sending to the Stop List, the NetBarrier configuration panel opens up! I never get the option to transfer the file, even though it contains a filtered word, and I lose use of my computer for several minutes while I wait for NetBarrier to open up.
Yep, there’s more. The Filter can get hopelessly confused in certain circumstances, blocking you from sending any text at all to a particular host. Here’s a specific example: I set up a secret word for the Filter, and logged on to IRC. If I sent that word to someone (myself, on another computer), the Filter alerted me, with the options “Ignore” and “Stop List,” just as it should. Clicking “Stop List” prevented the secret data from getting out, but then in order to continue my conversation with myself (heh), I had to take my alternate off the Stop List. (Again, Stop List is overkill.) However, even with my alternate removed from the Stop List, I couldn’t send him any messages whatsoever. Any time I sent something, a few seconds would pass, and I would be alerted that I’m sending out protected data, even though I wasn’t. Even if I used the “Ignore” option, which should allow the (so-called) protected data to be sent, the message wouldn’t be received on the other side. I had to turn filtering off (and then back on) in order to continue my conversation.
All things considered, the Filter is a great idea that just isn’t ready for Prime Time.
Conclusion: Do I Recommend it?
There’s no easy answer here. If you’re concerned about the security of your computer, I recommend it: it offers great protection, and will set your mind at ease. If you use IRC, I recommend it: that’s where the overwhelming majority of my port scans came from, usually on joining more popular chat rooms. While it hasn’t happened to me, there is a good bit of ping-flooding going on in there as well. On the other hand, if you connect to the Internet over a modem just long enough to check your e-mail, you probably don’t need NetBarrier.
Even if you give up on the Filter and disable it, as I ultimately did, NetBarrier is an impressive product that fills a real need on the Mac networking scene. While I’m by no means an expert hacker, NetBarrier caught every attack I threw at it. Because of the troubles I had with Filter and the Log, however, the best rating I’m comfortable giving NetBarrier is Good, even though it’s an otherwise excellent program.