Five Firewalls For Your Desktop PC
It's a dangerous world out there -- but which firewall should you use? We rate the five top software firewalls and let you know which is the best.
August 16, 2006
It's amazing to think there was once a time when the idea of a firewall for one's desktop computer was thought of as overkill, if not downright ridiculous. Now it's practically mandatory -- not just to protect your computer from outside threats, but to keep Trojans and e-mail viruses from hijacking your system from within.
Other things have changed, too. Today, standalone firewall products are more the exception than the rule. I took a look at five major firewalls on the market today, and almost everything that came my way was either available both as a standalone and as part of a suite of security products from the same manufacturer, or was only available as part of that suite. For the most part, this is good news -- it means you can get more for your money than ever before. On the other hand, it might also mean you're forced to buy more than you really need; but the sheer diversity of the products out there helps alleviate that a bit.
Firewalls
• Introduction
• McAfee Internet Security
• Microsoft Windows Firewall
• Norton Personal Firewall
• Trend Micro PC-cillin
• ZoneAlarm Security Suite
• Conclusions
• Vista: No Need for Firewalls?
The nature of the problems a firewall has to guard against has also changed. The problems have shifted from outside attacks (the "ping of death," and so on) to compromising a system from the inside via Trojans. To that end, most of the testing I did of these products was twofold, both from the outside -- using the DSLReports.com PortScan utility -- and from the inside, to see if they were as good at stopping emergent threats from within.
Incidentally, although the dangers to PCs may have changed, some operating systems have stayed the same. If you're still using Windows 98 or ME, your choice of a firewall will be somewhat more limited: While Norton Personal Firewall and PC-cillin Internet Security support the older operating systems, McAfee and ZoneAlarm do not.
One somewhat controversial program that I used to test, but didn't rely on as an absolute indicator of a firewall's value, was the Atelier Web Firewall Tester. This program uses a number of dirty tricks to open a connection to the outside world, mostly by invoking Internet Explorer or the IE ActiveX control, and its makers claim that very few, if any, personal firewalls can block this kind of spoofing. For that reason, the fact that many of the firewalls here flunked this test is more informational than anything else; it's a sobering hint of how tough it can really be to block unauthorized traffic from a program on your computer.
I should point out that there will probably never be a perfect software solution to computer security as long as the user remains the weakest link. If I have a firewall that blocks outbound connections from programs it doesn't know by default, that's a good thing -- until a well-written Trojan comes along and uses a bogus name like "Windows Network Process" to fool me into granting it access. To that end, anyone who plans on investing in a firewall -- or, for that matter, using the Internet at all -- deserves to know as much as they can about what not to do with their PC, and how a firewall isn't in itself total protection from anything, least of all carelessness or stupidity.
Some of the features I've seen packaged with firewalls and security software are becoming more explicitly educational, such as McAfee's SiteAdvisor browser plug-in. I'm hoping in the future we'll see more software that works in a behavioral fashion to guide people away from doing the dumb things that most often get them infected.
McAfee Internet Security Suite
McAfee has, of course, been known for antivirus products in the past, and like many of its competitors the company has now packaged AV software, a firewall, and a number of other network-safety tools into a single comprehensive suite. An even more advanced version of the product offers wireless network protection as well.
The first thing that struck me about McAfee is its speed -- it's noticeably slower to open up and respond to user feedback than ZoneAlarm or PC-cillin. When you open the McAfee SecurityCenter -- the suite's main hub of activity -- it takes several seconds to gather data about each notification topic and present you with it. It's not fatal, just annoying, and it's a close cousin to the same slowness that plagues many of Symantec's products.
Adding a program to the network block/allow list isn't difficult: In McAfee's Program Permissions list, you click on "Add Allowed Program" and point to the .EXE file in question. The same process applies for blocking a program outright or allowing it outbound-only network access. If a given application is registered with McAfee's HackerWatch online database, you can call up information about it by selecting it from the Permissions list and clicking "Learn More." For the sake of accuracy, the database works by looking up an MD5 hash of the executable rather than a filename (which could be easily changed); as a result, most of the database entries I found were for crucial system services rather than standalone applications.
The DSLReports tests came up fine, and I could block applications that attempted to access the network directly (such as the Forte Agent newsreader), but McAfee failed all of the Atelier tests, even after I had explicitly blocked that application from having network access.
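An added example (not McAfee's or HackerWatch's code) of why identifying a program by a hash of its contents, as described above, resists the bogus-name trick mentioned in the introduction, and where it still hands the decision back to the user. The rule tables, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Hash file contents in chunks. MD5 mirrors the article's description;
    it is no longer collision-resistant, so a current design would use SHA-256."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verdict_by_name(name_rules, path):
    """Weak check: trusts whatever the file happens to be called."""
    return name_rules.get(os.path.basename(path).lower(), "prompt")


def verdict_by_hash(hash_rules, path):
    """Content check: unknown or modified binaries fall back to a user prompt."""
    return hash_rules.get(md5_of_file(path), "prompt")


def demo():
    """Build constructed sample files and compare both checks on three cases."""
    with tempfile.TemporaryDirectory() as tmp:
        blocked = os.path.join(tmp, "newsreader.exe")  # hypothetical blocked app
        trusted = os.path.join(tmp, "netsvc.exe")      # hypothetical trusted service
        with open(blocked, "wb") as fh:
            fh.write(b"constructed sample: blocked program\n" * 64)
        with open(trusted, "wb") as fh:
            fh.write(b"constructed sample: trusted service\n" * 64)

        name_rules = {"newsreader.exe": "block", "netsvc.exe": "allow"}
        hash_rules = {md5_of_file(blocked): "block",
                      md5_of_file(trusted): "allow"}

        # Case 2: the blocked program copied under the trusted file name.
        os.mkdir(os.path.join(tmp, "renamed"))
        renamed = os.path.join(tmp, "renamed", "netsvc.exe")
        shutil.copyfile(blocked, renamed)

        # Case 3: the trusted file with one byte changed, name kept.
        os.mkdir(os.path.join(tmp, "patched"))
        patched = os.path.join(tmp, "patched", "netsvc.exe")
        with open(trusted, "rb") as src, open(patched, "wb") as dst:
            data = bytearray(src.read())
            data[0] ^= 0xFF
            dst.write(data)

        cases = {"original": blocked, "renamed": renamed, "patched": patched}
        # Each result is (verdict by file name, verdict by content hash).
        return {label: (verdict_by_name(name_rules, p),
                        verdict_by_hash(hash_rules, p))
                for label, p in cases.items()}


if __name__ == "__main__":
    for label, (by_name, by_hash) in demo().items():
        print(f"{label:9s} name-rule={by_name:6s} hash-rule={by_hash}")
```

The name-based rule allows both the renamed and the patched file; the hash-based rule keeps the renamed copy blocked and treats the patched file as unknown, which is exactly the point where the user's answer to the prompt decides the outcome.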
One of the things McAfee provided that seems like a genuinely new way to protect people from opportunistic damage is a browser plug-in (for both IE and Firefox) called SiteAdvisor, which uses community-collected data about Web sites to warn you if you're about to browse something that isn't safe. (SiteAdvisor can also be found as a separate free download.) That said, SiteAdvisor will only work for sites that you actually browse directly, rather than something opened through the kind of ActiveX hijacks used by Atelier. There are other lines of defense that come in handy as well, such as SystemGuard, which alerts you if a program tries to make certain key changes to your system and lets you safely undo them.
Most of the security suites out there offer some kind of parental control functions. McAfee has such a feature, but also includes something with it that I found interesting but questionable: an "image analysis" function. Switch it on and images that the program thinks are objectionable will be blocked. I tried it on a few sites and got mixed results -- it seems to work, but in a very spotty, unpredictable way, so it's not something I would rely on.
Microsoft Windows Firewall
Don't laugh. There are many people, whatever the reason, for whom Microsoft's own Windows Firewall is about the only protection they do have. The kindest word for the level of protection that Windows Firewall affords is "limited" -- it's as basic as it gets, and it's debatable whether it affords any real protection at all given the nature of Internet-borne threats these days. Some would say that's by design, whether to avoid antitrust issues or simply to give Microsoft's own ISA Server something to do in an enterprise setting.
Windows Firewall appeared in the original iteration of Windows XP as the Internet Connection Firewall, and wasn't even enabled by default. The Blaster and Sasser worms made Microsoft think twice about including such a security feature without turning it on, and the first version of the Windows Firewall we know today appeared with Windows XP Service Pack 2 -- this time, enabled by default, and with a set of Group Policy extensions that made it configurable in an enterprise.
The majority of the protection afforded by the Windows Firewall is against outside attacks, such as the aforementioned worms, and it also provides a level of protection against exposing things like File and Printer Sharing to the outside world. The folks at Redmond were also smart enough to allow selective exceptions for certain programs and services -- File and Printer Sharing and Remote Desktop, for instance, are enabled by default for the local subnet only, but not for outsiders. These exceptions are configurable -- you can set some exceptions by network connection (for a machine that uses more than one network adapter), by port, by network scope, and by application. The DSLReports test showed the system to be nicely stealthed with only the out-of-the-box settings, but as expected, Windows Firewall failed the Atelier outbound test across the board.
Even in the time since it was first rolled out, the number of things Windows Firewall doesn't have is striking. Most importantly, it doesn't have the ability to block outbound access by a program; you can't restrict outbound access to only a group of known-good applications. There's also very little in the way of profiles -- the ability to change firewall settings to suit different network environments for people using notebook computers. Some third-party programs that are not themselves firewalls let you do this, but that hardly makes up for the vast majority of what else is missing. In short, Windows Firewall is something to be quickly outgrown and replaced -- again, probably by design.
Symantec Norton Personal Firewall 2006
I've developed a dislike for many of Symantec's desktop products over the past several years, mostly because, as time has worn on, they have become cumbersome and slow compared to competing programs. Norton Personal Firewall 2006, which can be installed as a standalone product or as a snap-in with other Symantec security offerings, doesn't do much to undo that reputation.
It's not a bad program, but its desperately sluggish interface makes it a chore to use, a problem I've observed with many of Symantec's other programs in this space. The speed of the PC and the amount of memory seem to have nothing to do with it: I observed the same lag on a 3.0GHz desktop machine with 2GB of RAM that I did on a 1.0GHz notebook computer with 256MB. I'm guessing the slowness has to do with the program gathering information from various components, much as it seems to be with the McAfee suite.
NPF works much like the other programs I've discussed here. When you run a program that isn't in the known-programs list, the firewall asks for user intervention. You can grant the requesting program unlimited access, or you can allow Norton to create a rule based on that program's behavior. The latter is what Symantec recommends, and most conventional programs like Firefox work fine that way. To my surprise, NPF did better out of the box with the Atelier test than everything else listed here, but still allowed some leakage through; even when Atelier was explicitly blocked it still worked (although most of the other firewalls had the same problem).
One faintly annoying behavior: if you use the "High" security mode and browse sites that have Java applets or ActiveX controls, the firewall will nag you about it -- something that's best left to your browser these days. That was the first feature I disabled -- and that feature is actually the main difference between the "Medium (recommended)" and "High" security modes.
The only options that can be configured from level to level are the degree of blocking used by the firewall, Java and ActiveX security, and any access-control alerts -- but then again, most of the other products I looked at were only marginally more configurable in this regard. One feature I liked a great deal was that you can configure more than one set of firewall rules for how traffic is handled -- a general set that applies to everything, and a secondary rule set that is applied afterwards and can be used to create specific exceptions to the first rule set.
There are few bonus features that come with NPF. As with ZoneAlarm and PC-cillin, you can designate certain kinds of personal information as non-transmissible over unsecured connections, and you can designate multiple network location profiles if you're using a notebook or simply taking a desktop PC with you. (Symantec can also automatically detect what network you're using and switch profiles on demand.)
If you're already sold on a Symantec product of some kind, the one big advantage of using NPF is its ready integration with other Symantec programs, but if you're not, there are plenty of other places to start.
Trend Micro PC-cillin Internet Security 2006
I was and still am a big fan of the PC-cillin antivirus product -- it works well, is lightweight and fast on its feet, and doesn't get in the way when I have work to do. The firewall is part of a larger suite of security applications. If you're instinctively allergic to this approach, PC-cillin is one of the few products that makes the bundle worth it. The vast majority of the other programs in the package are genuinely useful and well-integrated -- not just shoveled in.
By default, the firewall comes equipped with four "profiles" -- direct connection, home network, office network, and wireless network -- which are vague analogues to ZoneAlarm's zone settings. You can opt to have the program automatically detect which network you're using and switch to the needed profile, or change on demand. Each profile lets you configure a whole slew of access rules by application, port, system component, IP subnet, protocol type, and so on. The DSLReports tests came up satisfyingly enough, but PC-cillin flunked the Atelier test across the board -- even when set to explicitly deny that program access to the network.
If you're using a computer that's either on a wireless network or has a wireless extension (such as a home router with both wired and wireless connections) and you're uneasy about how secure the network is, PC-cillin has a Wi-Fi intrusion detection system. Any computers not explicitly authorized to be on the network will trip an alert. It's still up to you to enforce any restrictions on your network hardware, though. However, other machines on the same network with copies of PC-cillin can be remotely managed -- perfect for parents and children, or people in workgroups.
Many security programs now have some kind of anti-fraud/anti-phishing mechanism as well. PC-cillin has a few such features: it can block the sending of unencrypted personal information such as credit card numbers or passwords (or anything else you don't want sent over an open channel). However, you have to take the time to set it up for it to work; it can't automatically detect such things without training. PC-cillin can also be set to block sets of predefined categories of Web sites -- such as "Phishing," "Sex," or "Gambling" -- but it's not possible to edit or examine the criteria that are used to define these sites, so it's a bit of a black box. Incoming e-mail can also be screened for fraud as part of the anti-spam engine, but that feature is also only moderately configurable.
The tools in the rest of the suite run the gamut from handy to thoughtful to somewhat redundant. PC-cillin's antivirus and anti-spyware protection is solid. If you have unique passwords for every Web site you use, an included IE toolbar can speed this up, but Mozilla/Firefox users will have to enter that data manually. On the near-redundant side, PC-cillin can automatically check for updates to any known security issues with Windows or Microsoft Office, and run Microsoft Update as needed -- except that Microsoft Update itself covers most of this territory.
ZoneAlarm Internet Security Suite 6.5
Zone Labs' ZoneAlarm is one of the most widely known personal firewalls, thanks to a broadly distributed freeware edition that provides some basic protection. Part of how ZoneAlarm got its name is through its network-zone mechanism, which lets you define different access rules for different network segments. You could allow file and printer sharing for in-house machines while disabling it for the rest of the world -- in fact, that's one of the default configurations.
Because the basic edition of ZA is free with no strings attached, I usually recommend it as one of the first choices for people who want something better than the native Windows Firewall product, but are still twitchy about shelling out money. If they like it, they can then pay to upgrade to a higher-end version of the product that contains many more features. (The other products I looked at here have free full-trial versions, but they're time-limited.) The two major upgrade editions are ZoneAlarm Pro ($39), a more full-featured version of the firewall product itself, and ZoneAlarm Internet Security Suite ($49), which contains antivirus/anti-spyware products as well. The cost of each tier of the program includes one year of free updates for one PC, but bulk discounts are available.
ZA was one of the first consumer-level firewall programs to not only block incoming attacks, but to disallow outbound network use on the local machine by unauthorized applications. At first people didn't like this much -- you had to allow network access for a lot of cryptically-named Windows services, for instance -- but the most recent version of the program comes with the most common Windows services pre-approved for network access. You'll still have to do some training with the program, but it's a lot less ornery than it used to be (this is the case with most firewalls that do this), and the program does its best to learn what each program is and what it's trying to do when it alerts you.
The freeware edition of ZA didn't block any of the outbound leaks in the Atelier test, even when I specifically denied that program network access, but the Pro and Suite editions fared much better. When ZA was set to "Stealth" mode (the highest setting), the DSLReports.com scan reported back entirely in the green.
If something goes wrong and you think you're under attack -- or have a rogue process phoning home -- the main ZA program window has a big red panic button you can slap to kill all network access in both directions instantly, a feature that's been copied by a number of other firewall apps. The rest of the interface is pretty logical and easy to navigate, although it suffers a little from having a number of options buried behind "Advanced Options" buttons that aren't always obvious.
The freeware version of ZA also has reduced versions of many little features available in a more complete implementation in the full product, like a slimmed-down version of the full program's antifraud detection. This checks for eBay password spoofs, while the full version works with many other common site scams, too. Other goodies in the full version of the program include wireless network protection, advanced security for instant-messenger programs and Web-based mail interfaces, and the MailFrontier anti-spam engine. But start with the freeware program; if you like it, trade up and see how that suits you.
Conclusions
Since the Microsoft Windows Firewall ships with Windows itself, the only recommendation to make is to replace it with something more robust as quickly as possible. McAfee's best attraction is SiteAdvisor, which adds a layer of behavioral protection on top of all the other things you normally get (although it is available separately), and Symantec's firewall is best if you want to integrate it into an existing suite of Symantec products already on your system.
ZoneAlarm is the best freeware choice, and can be readily upgraded to a full version later on. PC-cillin has the best all-around protection and sports a collection of nice bonus tools.
Vista Security: No Need for Firewalls?
Will Vista bring with it no need for firewalls? Or at least no need for third-party ones? Even if that's not what Microsoft actually achieves with the rewritten firewall and networking system in Windows Vista, the company is certainly aiming to provide a firewall for Vista that is written to better address the realities of defending a computer from both the outside and the inside. Aside from a badly needed way to perform outbound packet filtering by port or application, there are also convenience features like location profiles (home vs. work vs. on the road), and better management features for the firewall through Group Policy and Active Directory.
These features have already shown up in the beta builds as far back as January 2006, although they were criticized as too difficult to find and use. Microsoft left the original Windows Firewall console untouched for the sake of familiarity, but the newer console that governs all the new features such as two-way filtering has only been available as a Management Console snap-in that you had to configure manually. One can hope the final version isn't this obscure.
Along with the firewall and network stack itself, the Windows kernel is also getting a heavy revamp to protect it against attacks via process-hooking strategies (a common tactic of viruses and Trojans). Ironically enough, the very kernel-level changes to Windows that are designed to protect it from attack are now apparently making it all the harder for third-party developers of legitimate security software to do their thing. Symantec was one of the loudest complainers, but the argument has the flavor of a doctor complaining that fewer of his patients get sick nowadays thanks to better prenatal vaccinations. There's always going to be room for a third-party developer to improve on what Microsoft provides, whether it's in the form of kernel-level defenses or behavioral functionality like SiteAdvisor (which doesn't need kernel hooks to work).