Which personal firewall do you like the best ?

Tiny Personal Firewall 6.0

I have experienced several of the popular firewalls, which include Sygate Pro 5.0, ZoneAlarm Pro 4.5, OutPost Pro 2.0, and Kerio 4.0. I wrote my own rules for ZoneAlarm, OutPost, and Kerio, and have quite good protection with them. They are good. However, I finally settled down with Tiny Personal Firewall (TPF).

TPF 6.0 is not easy to use (This is a pain). This is because of two facts. One fact is that TPF is so powerful. It can do so many things. To make TPF do these many things as desired, of course, the user needs to configure a lot more. The another fact is that the UI of TPF 6.0 is not as good as good can be. Indeed, some people complain about its user interface. There is a learning curve to get familiar with it. I installed and uninstalled TPF about 5 times because of the tough learning curve during the trial period. Everytime I tried hard and failed to configure TPF, I lost the patience with it and uninstalled it. Then, I missed the functions of TPF, and also was reluctant to admit my failure, I installed it again. At the end, TPF earned a space on my computer, and it's working well on my computer now.

I love TPF because of its functionality. It has a good rule based firewall (+IDS/IPS), as well as a strong sandbox (application firewall) which can monitor and protect registry, file system, services, dll injection, and a lot more. So only with one software (TPF), I have the functions of a firewall + SSM/ProcessGuard/AbtrusionProtect/Prevx + more. Some people have shown that TPF can beat all the leak tests with correct configurations.

I am happy that I did not give up, and learned to configure TPF. Its new version TPF 6.5 is comming soon with improved new UI. Hopefully, it will be more user friendly.

 

For me the best choice for now is ZA Pro last beta. I m sure this is the best resolution for my style of using Web. I passed by Kerio, Outpost, NPF, Sygate and I'm back with it.

I read in ZA forums about lots of ppl have problems (expecially 5.*), but I never experienced them. May be because I don't use proxies (ISP's), ruters, etc. Here is just me and my ISP without limitations

I tried for some time Outpost and was thinking that I might stay with it, but when spend some time of reading about it (mostly Paranoid - thanks for the knowledge) I saw a big defect in its structure of rules. In fact, they are just opposite to the right sequence (by my own opinion). The application rules have best antecedence, but the global rules LESS!? So is you make any mistake installing/starting/etc or you don't have way to know what is really happening and give any prog permission, it overules all other well though (and lost days to thing what is best) rules!!!

So you must carry this load of responsibility all the time. And if you DL frequently progs from p2p and other unreliable sourses, which ask u for permissions every sec. - you are dead. Or you have to love to be in bondage to the firewall. Coz every permision must be checked very, very well (and I mean really well - components, dlls and so on) and if you make mistake, all your previous work is useless. I don't have time and desire to live like that. In ZA things are diferent - you make global rules that cover most your interactions - DNS, DHCP, undesired IPs, etc, etc. And when u install or miss any trojan and without knowing give him permission, global rules are OVER it!! An it stay inside!! The diference if quite a big one and chance to stay clear is much bigger.

And after all I don't see somethig that is not present in ZA - it have everything!! Full component control including . The only thing that I miss is the log viewer of Outpost. I loved it only for a week using.

Just now I passed all leak tests in http://www.firewallleaktester.com/leaktest7.htm without even 1 leak out! I don't know what will hapen if I'm hastin and don't look so closely, but if I do it - ZA catch everything.

In fact I'm usin all the rules described by Paranoid (in outpost forum) in ZA. And they work perfectly.

regs

 

I dont like personal version of any software. Proffessional usually ensures better security.

Jimbob

 

That's a myth JimBob. The only firewall that will offer competent security is one with a very good and custom-made ruleset. If you'd like, just try to download any trojandropper after turning of your AV/AT and watch and be amazed, as any firewall gets beaten to death (netcat is a good download). ZA is completely gutted by the onslaught of Trojans from the Kazaa network, and I get flooded by classmates' calls every 2nd day to help "repair a nroken ZA".... and since I'm not a PC tech guy (I'm an electrical engg. student) I get really really upset that people fail to even take basic security countermeasures.

 

I was under the impression that personal firewall refers to software firewalls running on the machine they are protecting, it does not matter if they are free or pay versions.

Basic security countermeasures like what? He's running a firewall isn't he? ZA free has strictly limited rule settings functions, not much you can tweak there if you want to use kazza.

 

Zone alarm's suite is the only firewall i have found that examines instant messanger services and that is a major detriment in other firewalls
Couldbe

 

just get Copycat and Thermite from PCflank or www.firewallleaktester.com ... ok?

 

I know of them for a while already. What's your point?

 

They'll muck up even the best firewall lacking app verification. Similar stuff can be downloaded off kazaa without ur knowledge. Kazaa messed up my Kerio v2 BAD... (then I had to go to a free ftp to get an 8 mb project... the HORROR)

What's missing from above post (dunno how, my bad) is that if Tiny can beat them? I'm on the verge of picking up Tiny, and I've started a new thread since at https://www.wilderssecurity.com/showthread.php?t=54724
So if you want, u cn reply there...

 

Tiny Personal Firewall 6.0 (for me personnaly)

...........it is difficult to configure (even with lots of FW experience),
and it's (TPF's) forum is not helping you with examples etc...

But if you can configure it the correct way, it is without a shadow of a doubt the best there is.

And i have tested (for my job) about 26 Software Firewalls last 6 months.

Of course, i prefer a good hardware firewall like Cisco Pix, Snapgear or Sonicwall.

 

There's been a lot of debate about this in the Outpost forums and the consensus has ultimately been that it is better to have application rules take precedence otherwise a global Allow rule would affect every application which could create some significant security problems.

However Outpost 2.5 does allow you to set a priority flag to individual global rules which then gives them priority over application rules - so if you want to be certain that a specific traffic type is blocked, you can use this. The downside is that there is no clear visual indication of which global rules have a priority setting and it makes Outpost's rule structure that little bit more complex. For complete control of rules order you would probably find Kerio a better bet.

Every firewall has to be configured so the burden of responsibility is the same. As for P2P programs, some can be difficult to create rulesets for but search the Outpost forums and you will find recommended rulesets for pretty much every one.

Component Control is a difficult issue and Outpost does prompt a lot during a first few days of installation. There is a Component Control in Outpost 2.5 FAQ which should answer many questions though.

Outpost and ZA are similar in that they will block (or prompt) for traffic you have not defined. However Outpost makes it easier (in my view) to set specific permissions for applications - this does require knowledge of what access is appropriate and this is where the forum tries to help out. As for trojans, both should be as effective in detecting and blocking network access as long as a tight ruleset is used.

The main difference comes down to the user interface - and which is preferable is a personal choice. Outpost does include preset rules for common applications (with ZA I believe you have to create rules from scratch) and it does offer more in the way of plugins (Blockpost, SuperStealth, HTTPLog, TrafficLED). The connection-level Stateful Inspection option can be useful for a few applications. Outpost 2.5 also checks incoming localhost connections which improves security if you are running a local proxy (webfilters like Proxomitron or WebWasher and anti-virus email scanners being common examples) since it would detect any attempt to hijack the proxy (see the long Proxomitron default ruleset question thread for a discussion of this).

ZA doesn't do badly here - but it doesn't get 100% either. Are you running process protection software like System Safety Monitor or Process Guard? If so, then these will make the process control feature of any firewall redundant.

Good to hear the guide helps with other firewalls - I take it that you were using ZA's expert rules?

 

Paranoid2000,

With much respect for your knowledge, I must disagree with the following excerpt from what you just wrote (toward the end of last post):

" Are you running process protection software like System Safety Monitor or Process Guard? If so, then these will make the process control feature of any firewall redundant. "

Redundant? Too strong a word.

I use PG and I briefly used SSM (still installed here). Yes, they and application-filtering firewalls do monitor applications (among other things). But PG and SSM are UPSTREAM of the firewalls in the sense that they do not check outbound network connections, whereas process-controling firewalls do. This is a significant difference that no one should overlook. Yes, this difference may not be critical in the classic case of a Trojan that launches itself to immediately connect to the Internet. PG would intercept such a program if we never asked PG to authorize this program to go into memory before. So, if you and I are alert when PG asks to authorize the Trojan in RAM, we would ask PG to block it, and our firewall would not have been necessary to do any further police job. This was the drift of your remarks, I believe. And I obviouisly agree with you here.

However, although this scenario is a classic one, undesirable connection attempts can happen in many different ways. A process could have been allowed to get into memory by accident, out of user's doubt, or because of a clever malicious scheme invented by a smart hacker (and smart hackers enjoy concocting new types of surprises for us). In other words, whatever the cause, it is perfectly conceivable that a malicious program may have gotten into memory despite all of our live watchdogs. So, if this malware then seeks to connect to the network, PG and just about all the other watchdogs will stay silent, EXECPT for the app filtering firewall that happens to see this new CONNECTION seeker for the first time. Acting on the database that it keeps on applicants for outbound connections, such a firewall gives us the last chance to catch the malware by raising that last red flag.

My reply to your specific point ends here. But your point, surprisingly for a paranoid (such as Paranoid2000), also fits a pattern of polarization that many posters on this board lapse into (maybe after they get tired) when it comes to choosing firewalls. So I will address the larger pattern of polarization below. Many may not care to continue beyond this point.

-------------------------------------------------------------------------

By polarization, I refer to the fierce debate about SPI and app. filt. firewalls; or the debate about SPI + PG being enough. Even after many posters were smart enough to recognize the value of features complementarity, they managed to relapse into drawing fault lines between 2 approaches which, in fact, should be simultaneously embraced.

Security is about avoiding risks, not taking additional risks. Therefore, the prudent approach is NOT to let key "gates" (I am not being technical here) unwatched. Watch a good army or police at work when it wants to lay a tight control grid. Nothing is left to chance. Therefore, as we are bracing for smarter hacking, it's inconceivable to me that a prudent operator would leave the "departure gate" of a computer unguarded, despite all the good control upstream or elsewhere.

Even if an expert tells me that I don't need to watch that last gate under the guise that some deceptive exploit could always be designed to fool me ("so, why waste your time?"), I would also consult my common sense. To begin with, even if such exploits exist, I will still catch some if not most of attempts the better my firewall is at checking on outbound apps.

By the way, "legitimate" programs that were allowed in memory have caught me by surprise by seeking "unexpected" connections. In those cases, it is not PG or Prevx that alerted me but rather some software monitoring further downstream (firewall or port mapper. These warnings teach you about the behavior of programs (including Windows) and prepare you for the critical decisions about what to authorize through or not.

In practice, multilayered security also means SOME overlapping of functions, since software vendors are not divinely choreographed to produce the perfect concatenation of products that we need. Frankly, even if such concatenation existed, one silent software that runs all such products is the user's brain a brain that can be tired or be fooled even if cautious. So if I make just one wrong click, then it's good to know that another piece of security software will save me from my mistake. Heck, even within the same areas of competence, different software do different things (SSM will do things that PG won't, and vice versa; ditto for PG and Prevx which I like to keep paired despite SOME overlapping). This is even truer when the areas of competence are supposed to be different in the first place, such as app. filt. firewalls and process monitors.

One last example about multilayered security. I used to use ZA Pro. Despite all the sophisticated software watching upstream, I could have been fooled by a ZA trick, were it not for a port mapper (Port Explorer in my case) that showed ZA Pro's VSMON.EXE secretly connecting to the Web. Having authorized VSMON in memory, PG was not supposed to warn about this secret connection. ZA Pro was supposed to, but never showed VSMON asking for any permission (to run or to connect). Neither is VSMON listed on the ZA page where the permission status of eachl software with a connection history is listed. ANOTHER LAYER of monitoring, the lowly port mapping, was necessary to find out that VSMON was stealthily connecting to a particular site.

Multilayered security is more expensive and ought to be balanced, of course, with the usual cost and affordability considerations. Are my processor and RAM adequate to deal with the loads, the cost of software, etc. Then I do the best I can under those constraints. but I know that the smart norm is multi-layered security.

 

Pigitus,

A big post with a number of points - so pardon my delayed reply.

PG or SSM should intercept all leaktests listed at Firewallleaktester except Leaktest (the original, which does not attempt any process manipulation), DNSTester (no process manipulation, tries to exploit the DNS protocol instead) and the first Wallbreaker test. On that basis, I think "redundant" is an appropriate description since firewall process-control features do duplicate the functionality of PG/SSM.

I presume you are talking about allowing a trojan to run with PG's Execution Protection or SSM's Application Watching feature. While these are useful checkpoints in their own right, I do not consider them an adequate defense on their own. My comment really meant the following:

1) PG/SSM prevents malware from "masquerading" as another process
2) This allows a firewall's application filtering facility to work properly.

If the trojan attempts any process manipulation, this will be blocked by PG or prompted for by SSM - over and above the execution prompts mentioned above and before any firewall gets involved. If you choose to allow such activity, then yes, your system can be compromised. This however applies to virtually all security programs.

I'm not aware of any "polarization" on this forum though there have been some in-depth technical discussions on various firewall features. Perhaps you may care to provide some links?

I presume you are now talking about the debate in the Firewall with these features?? thread. If so, I would repeat the point made there about most firewalls offering both application filtering and SPI (to some level) so I don't see this as an issue of choosing one over the other. SPI and PG without application filtering however would be an incomplete solution and in this situation I would agree that malware could slip through.

I would say there are several approaches to good security:

• Avoiding or minimising risks (avoiding insecure software, being stealthed online);
• Limiting vulnerable areas (running a firewall and process protection software);
• Checking for and countering known threats (running anti-virus/trojan/spyware scanners and checksumming key files);
• Restricting the damage that can be done (using NTFS file permissions, restrictive Windows account setup and software like PG to limit possible abuse by malware);
• Providing a means of recovering from those threats that get through (keeping regular backups of important data).

PrevX and PG are not intended to monitor network connections but instead monitor process activity on your system - so this result should not be a surprise. If a process modified your registry so it could run on Windows startup, your firewall would be similarly silent (unless you were running Tiny) but PrevX and SSM would pick this up. If a process tried to install a service, again a firewall would not detect this but PG/SSM/PrevX would. This is a division of responsibilities based partly on the evolution of security products (firewalls became available 4-5 years ago while process manipulation is a more recent threat - Tiny Trojan Trap was, I believe, the first software that attempted to address this) and partly on the complexities involved in either role (a program that does both would be very complex and require an exceptional UI to be usable).

Most software can be configured to minimise (or at least reduce) overlap - but this comes down to a personal choice between security and usability.

This is ZoneAlarm's "phone home" feature - while I would agree that it should not be doing this without user consent, I would consider it a ZA-specific failing.

Having to configure different security programs not to step on each other's toes is another "cost". For example, anti-virus/anti-trojan scanners may need to be configured to exclude firewall or process monitor logfiles to avoid excessive CPU utilisation or one security program may identify another as a threat (like PrevX did with PG recently). Outpost's Open Process Control feature will block network access to modified processes, but SSM and SpySweeper trigger this feature on all running processes.

However there is another benefit - using multiple products from different countries means you should be less likely to be affected by "legislative compromises" (e.g. legal requirements not to detect certain snoopware like the FBI's Magic Lantern).

 

Paranoid2000,

The central point of my message was lost, I guess. I was saying that, except for firewalls that CHECK applications, no other category of software that I know of actuall asks the user to AUTHORIZE AN OUTBOUND CONNECTION. The 3 firewalls that I have tested -- ZA, Outpost, LnS -- do, and I love it. I expect that most other application-checking firewalls do too (Tiny, for instance). But applications that control processes upstream from the network gate -- such as PG, Prevx, and SSM -- do not ask this PARTICULAR question to the user. Their programmers could have easily added that feature, but so far I am not aware that they do.

You might counter that PG and/or SSM and/or Prevx would have stopped the malware before it could even ask for the outbound connection. Therefore, you would then ask what's the point of checking for outbound connections? I spent lots of lines explaining that a good security apporach does not reason like that. You want to provide the authorization for outbound connection yourself because something or some thingS could have cleverly slipped in RAM and the application checking firewall would be the LAST point to catch it. It's one more hurdle for the malware to go through and one more chance for you to catch it. Good security mentality (in my view) does not assume that since there was a preceding checkpoint (filter) then there is no more need to test down the line. I say : don't underestimate good hackers. The keep surprising us. So, that extra layer (permission for outbound connection) may appear to you as redundant, but I don't think so. https://www.wilderssecurity.com/newreply.php#
Smile
------------------------------------------------------------
As to your last point:

"However there is another benefit - using multiple products from different countries means you should be less likely to be affected by "legislative compromises" (e.g. legal requirements not to detect certain snoopware like the FBI's Magic Lantern)."

I never looked at it that way, and I thank you for that excellent observation. By trying to buy the best of breed, I buy from may countries and I have accidentally applied your advice.

 

Hi All. I gotta say that I've been ussing ZoneAlarm for aout 3 years now. I have the Pro version 5.5.094.000.

I ran some test in the past but I wasn't sure if It failed because I did not have it well configured or because back then, it was the free version.

I just finish running some Tooleaky.exe and some other test and it failed. I have the WinXP firewall set to ON, and Zone Alarm. The test was succsesful in penetrating both. LokNstop however, when I turn it ON and test it again, IT IS THE ONLY FIREWALL that blocks all test ran on this site.


I've had LookNstop for about a year, I believe is the free version. I hardly ever used it, but from now on, I'll start ussing that one instead..

Well, there you have it, that is my input on firewall preference..

-Don Debrasco

 

running two firewalls isnt good idea and *possibly* the reason zonealarm failed. but anyways my vote goes to outpost as it is easy to use and offer top notch protection tho zonealarm might be my second coice.

 

I have used ZA Internet Security Suite, BitDefender Pro Plus, Norton, PCCillin and OutPost. Here's my 2 cents on each-
ZA- is a really good firewall, however I think their anti-virus sucks; therefore don't get the secuity suite (which includes AV) just go for ZA Pro
BitDefender- has an awesome AV, but I wasn't incredibly impressed with their firewall; maybe the ZA firewall with a BitDefender AV would be the ultimate combo (however I don't know if you can just get BitD AV). Oh ya and BitD sucks up a ton of your resources, if you don't have at least 512k worth of memory forget about BitD (but you should have at least 512k RAM- as memory is dirt cheap right now, like $80 for 512k Corsair RAM)
Norton- sucks, in my opinion. mainly because it sucks up even more RAM than BitD and doesn't work as good.
PC-Cillin- is the firewall with training wheels; if you do not know how to configure firewalls or get sick of constantly being asked permission for programs to access the internet PC-Cillin is for you. Experienced firewall users will not like the lack of control. Overall I thought it did a good job considering.
Outpost- the king of customization; you can really fine tune the way this firewall functions. There are tons of plugins you can add
My favorite- Outpost, followed by ZA. For AV run AVG Pro with Outpost

 

I use Bitguard & the XP one together. Works flawless.