By Seán Boran
The complexity of Microsoft Windows and browsers/PC applications, and the pervasiveness of networking, have contributed to continual discovery of security weaknesses - which the typical user cannot be expected to follow or understand. Until now the standard tool for defending Windows was the antivirus scanner, but this is no longer enough. The personal firewall has made its debut and may become an essential tool for Windows users connected to hostile networks.
Each product is analyzed in a separate article, with the introduction, summary and conclusions in this document.
This report was awarded "Best Comparative Personal Firewall Review"  thanks to those of you who voted. Help us keep it that way by continuing to provide us with detailed feedback/suggestions.
Network firewalls are great for implementing a security policy between different networks, but are often expensive, complicated, inflexible, or do not progress quickly enough to keep up with new attacks. They may also be rendered useless by dialup access weaknesses, encryption, VPNs, teleworkers connecting directly to the Internet from home, etc.
An interesting new breed of "personal firewalls" have surfaced that are installed on Windows and allow both beginner and expert users to protect their PCs. The risk faced by the home user on the Internet is analyzed in . Basically, there is a significant risk of information being stolen or destroyed; of your PC being misused to attack others, or used to access sensitive (e.g., banking) software; or simply of PC/network resources wasted; and it needs to be addressed.
There are a few measures that Windows users should take, whether they install a firewall or not:
Each test report is in a separate document, so that we can continue testing new products and updating the existing results.
NAI are no longer selling PGP (see also www.pgp.com)
"Network Associates recently announced the closure of PGP Security business unit and the integration of some of its product into other business units. PGP encryption is retained and continues to be the encryption engine within McAfee E-Business Server product line. PGP's Desktop Firewall and VPN client products are continuing as McAfee products. The bundle called PGP Corporate Desktop will be put into maintenance mode. PGPmail, PGPdisk and file, PGPwireless, and PGP Keyserver are also being put into maintenance mode."
Norton (equivalent to Symantec Personal Firewall)
Trend Micro and Zone Labs are involved in a joint venture, joining ZoneAlarm and PC-cillin together. This good news was brought to us by one of our regular readers.
Tiny (see also Uzi Paz's remarks)
Privacyware Personal Firewall
AtGuard by WRQ was purchased by Symantec, changed and resold as Norton Firewall, but the original AtGuard has a loyal following on the Net (i.e., despite its being over a year old users are convinced it is a very good firewall and worth discussing in detail). It can block incoming and outgoing connections.
- WRQ http://www.wrq.com
- AtGuard new home page (unofficial) http://home.pages.at/atguard
- AtGuard user message board http://www.hostboard.com/cgi-bin/forumdisplay.cgi?action=topics&number=233&SUBMIT=Go
PC Viper Personal Firewall (http://pcviper.com)
This only seems to be available for Win95/98/ME. At the moment I have NT4 and Win2K test PCs available, so no tests can be made of this product for now. A review can be found on http://www.dslreports.com/security/sec014.htm
This product is based on Conseal's Private Desktop (www.signal9.com). We only tested the McAfee product, since it is presumed that the Conseal product will no longer evolve. Note that Conseal's "PC Firewall" is a different product - see previous section.
Internet Firewall 2000/IF2K (www.digitalrobotics.com)
Although it installed without error on the test NT4 SP5 system, it would not start, giving the error "Internet Firewall 2000 Failed. Make sure you have full system privileges and try again." I was logged in with Administrator privileges. No further testing was conducted with this product.
Biodata's Sphinxwall Firewall (http://www.sphinxwall.com/) V1.0 build 599 was tested briefly:
- On Win2K/SP1 it installs fine and the GUI works, but the firewall has no effect. In fact, the network driver was not installed.
- NT4/SP5: After installing and rebooting, Sphinx does not automatically start, but when manually started, it asks which adapter needs to be secured (LAN or modem). The modem was chosen. The NT Network Bindings dialog is then shown without an indication as to what has to be done. Looking around, we find a "Biodata transport Driver" now listed in the protocols tab. Clicking OK, a dialog opens asking us to assign an IP address to the "Biodata Virtual Adapter." An address was assigned and another reboot was necessary.
After reboot, the LAN adapter was dead! No local communications would work, all bindings to the local LAN were missing, and all TCP/IP settings were lost.
De-installation was very painful. It was hours before the computer was fully functional again. The procedure that works best was: In Control Panel -> Network settings, remove the Biodata protocol, reboot. Then try to remove any Biodata adapters left, reboot. Remove your LAN adapter, reboot. Deinstall SPHINX, reboot. Search the registry for SPHINX entries and reboot. Add your LAN adapter again and set the IP address or other TCP settings, reboot. Check that TCP/IP is not disabled under the network bindings.
- No further tests were conducted with this product.
The trial version does not work on NT or Win2k, so no tests were carried out. An NT version is coming soon and we hope to test it.
This heavy weight runs on NT and Win2k. Evaluations can only be downloaded from http://www.network-1.com/download/index.html. V6.03 was downloaded and installed on an NT4 SP4 system, but the tests had to be abandoned:
- I could not get any TCP/IP communications working with my 3c905 LAN ethernet interface. (NetBEUI worked unhindered).
- Dial-up adapters are not supported and hence continue working correctly after the cyberwall installation.
- Exiting the tray icon does not stop the engine. Stopping the engine in the NT services applet works, but communications will still not work.
- Even though I created a rule to allow ping in/out to all hosts, the situation did not improve.
- No log entries were posted.
- Impressions: This product looks like a "real" firewall, tuned down for the desktop. The GUI, while extensive, would be difficult for the non-expert user. There is no "learning mode" or wizards to help the newcomer.
- After installing and rebooting, my LAN interface disappeared from Control Panel->Network->Protocol->TCP/IP and the IP address could be found nowhere! The command "ipconfig /all" showed no IP address either.
- On de-installation, the TCP properties windows pops-up confirming the IP address was set (obviously the original TCP/IP settings and bindings are being restored)
- Summary: This is a extensive firewall, that had problems with my configuration, but does have potential for the expert user. It cannot protect dialup connections however.
Smoothwall v0.9.6 (sourceforge.net/projects/smoothwall)
"SmoothWall is a Linux cut down to a complete minimal automated installation, providing out of the box security & functionality as a router and firewall, managed by platform independent web browsers. No prior Linux experience required."
- This is a free Linux based firewall, which allows you to turn a PC into a Firewall/gateway to the Internet for your local network. It is designed to have a LAN connection on one side and a dialup Interconnection on the other. Basically you download a CD image, burn a CD, boot the PC with it and answer the questions to setup your firewall. It is much less daunting that setting up your own Linux /IP chains firewall manually.
- Test: The CD images was downloaded and a Dell Precision 410 Workstation booted with it. Unfortunately it could not find any disks in the system (there were two IDE disks - NT, Solaris and Redhat installed fine on the system -- OpenBSD did not). So it was a question of drivers. A second host, a Compaq Deskpro Exm/P800 was booted and installed, but on the final reboot after removing the CD, the system boots and displayed just "LI" on the screen (LILO problem?). No further tests were carried out, as our purpose here is to find and recommend firewalls that can be set up by beginners. This product does have promise though; the concept is good, and it is after all still in beta.
- Summary: It might work on your hardware. Nice concept. One to keep an eye on for protecting a small LAN from the Internet.
Freedom 2.0 (www.freedom.net)
This free tool from Zero-Knowledge sounds interesting. It contains a personal firewall, form filler, cookie manager, ad manager and keyword alert. It has a few unusual requirements though: no NT support (Windows 95, 98, 2000 and ME are OK) and Freedom will not work behind a firewall if it is configured to deny access to certain data ports (51100 TCP/UDP, 51101 UDP, 51102 TCP, 51107 TCP, 51109 UDP). This means it won't work in my existing test setup, but hopefully I'll get a chance to try it in the future.
Internet Connection Sharing
Windows 98 SE (second edition) and Win2000 include the Internet Connection Sharing (ICS) tool, which can be configured on a gateway PC between a cable modem and a hub of internal PCs. Apparently it provides some measure of protection against external attack, but no firewall is included. It hasn't been tested as part of this review, but is mentioned for reference purposes.
Complementary products to Personal Firewalls
ADSL: Security Risks and Countermeasures
ADSL Firewalls: Product Reviews
I had planned to test the following products but sponsorship has dried up, and I mostly use ADSL hardware firewalls now myself.:
- PC Firewalls: F-Secure Distributed Firewall (a new NT/Win2K release has been received), CyberArmor, Jammer, new version of Norton firewall.
- Integrity checkers: Tripwire, SMART watch, Cybersight lite.
- Check out newer versions of: Sygate, Norton.
|Product||Security Effect- iveness||Restricts Java Applets & ActiveX||File/
Registry Integrity Checking
|Regular (online) Updates|
|BlackICE||Incoming ports only||No||No||Yes, 1st year|
|Norton||High||Yes||No||Yes, 1st year|
|ZoneAlarm||High, if understood||No||No||No|
|McAfee||Good, if understood||No||No||No|
|PGP7||High||No||No automatic function, but important files could be PGP signed.||Possible|
|ZoneAlarm Pro||High||No, but does restrict dangerous email attachments.||No||No|
|Conseal||High, if understood||No||No||No|
|Privacyware||Incoming ports only||No||No||No|
|TermiNET||High, if understood||No||No||No|
|Product||Allows Custom Rules||Platform||Other tools/ features included|
|BlackICE||Possible||NT, Win2k buggy||-|
|eSafe||Yes||Win9x, NT, Win2k||Sandbox, antivirus (Low quality)|
|Norton||Yes||Win9x, NT, Win2k||-|
Does not work with Win2k + dialup.
|VirusMD||No||Win9x, NT, Win2k||-|
|PGP7||Yes||Mac, Win9x, NT, Win2k||File, disk, folder, email, icq encryption. VPN. File wiping. Fully functional MAC version.|
|ZoneAlarm Pro||Yes, but could be more flexible.||Win9x ME, NT,
|MailSafe: useful checking for dangerous Mail attachments.|
|Sygate||Yes, but could be more flexible||Win9x, ME, NT, Win2k||Time limited and screen saver limited rules.|
|Tiny||Yes||Win9x, NT, Win2k||Time periods for rules, small footprint, syslog logging, remote admin.|
|Conseal||Yes||Win9x ME, NT, Win2k||-|
|Privacyware||Yes||Win2k, others unknown||-|
|TermiNET||Yes||Win9x ME, NT, Win2k||Available in 11 languages.|
|Norton||$50.95||$50.95||Support: $29.95/issue of $2.95/minute|
|ZoneAlarm||Free||$20||$19.95 technical support online and by email|
|PGP7||$32- $200||$32- $200|
|Tiny||Free for home use||$39|
|Conseal||$49-305||$49-305||Updates: 60% of cost price|
|Product||Ease of Use||User Level|
|McAfee||Very good||All, if limitations understood.|
|ZoneAlarm Pro||Very good||All|
|Sygate||Good||All (v4 or later)|
Annoying buggy error dialog boxes in Win2k, but evolving fast and interesting.
There was a request to cover more aspects that interest use of Personal Firewalls in a business environment. Some vendors offer special versions for the corporate environment; these are indicated in brackets.
|Runs as service
|yes, with predefined update times.
Upgrades can be pushed too.
(Symantec Desktop Firewall)
|yes: LDAP or download||no||yes|
|Prevent user from changing
selected options (lockdown)?
(Symantec Desktop Firewall)
|SMTP email||yes||password protection|
Other issues that may interest the corporate user are:
Personal firewalls are useful and should be considered by any Windows user who directly connects to hostile networks, such as the Internet. They have a role to play in both the corporate and SOHO (Small Office/Home Office) markets. Although many products are immature, there have been major advances over recent months. All these products need to be subjected to more scrutiny and given time to prove their security effectiveness. None of these products is provided with source code.
SOHO (Small Office/Home Office) users willing to pay:
Windows 2000 users may prefer Sygate, Norton or Tiny, until ZoneAlarm Pro, BlackICE and McAfee have sorted their problems out.
Laptop users may not like Norton or McAfee, which won't allow powersaving modes to be used (Sygate and Tiny, for example, allow Win2k to hibernate).
Corporate users would probably be interested in ZoneAlarm Pro, PGP7, BlackICE or Sygate
due to their support for centralized configuration and rollout. Tiny Personal Firewall
allows remote administration.
Personal Firewalls Under Fire - Gary Bahadur
Many readers provided feedback and useful inputs. Thanks to Interceptor, Tom Chmielarski, Larry Adams, Geoffrey Kidd, Thomas Rude, Paul Rarey, Bill Curnow, Lissi Paffrath, Peter Klammer, Réjane Forré, Michael Semling, Nathan Legg, Lindsay Macauley, Jammie Czaplewski, Henry Markus, Harry Choughcon, John Ceddie, Eagle10, Roderick Davies and the readers specifically noted below.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
|© Copyright 2002, Seán Boran Last Update: 16 avril, 2002|