Vista Stand Alone Firewall Survey

Discussion in 'other firewalls' started by Diver, Oct 2, 2007.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    It seems right now the choices for stand-alone firewalls are a very short list, especially if the beta versions are excluded.

    The List:
    Windows Vista Firewall (Outbound filtering available, for experts only)
    Zone Alarm Free (pro version only available as a suite)
    PCTools (Some comments in this forum question their implementation of SPI)
    Jetico 2 (Runs on anything, another product for experts, IMO)
    Look'n'Stop (Is this out of beta for Vista?)
    Comodo (Has extensive HIPS capability, still in beta)

    Questions:

    1. Zone Alarm claims to be the first vendor using the Vista Windows Firewall Filtering API. Are there any others now and is this a significant benefit? I assume the built in Vista firewall uses this API.

    2. What did I miss? Please add to this list. Links to reviews of the Vista versions of these firewalls are welcome.

    3. If you run the Windows Vista firewall, what do you use to identify outbound connections? So far I have tried only TCPView. Is there something (especially free) that would provide a simple log of blocked outbound connections? I tried the free version of Sphinx, but was not too impressed.
     
  2. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    What I use is documented on my website, under PDA, then under PC Security.

    The ones I would consider at this time, in alphabetic order, are:
    • Comodo
    • Jetico
    • Kaspersky
    • Outpost
    • PCTools Free
    • ZoneAlarm Security Suite Pro

    Unfortunately, not all of those are ready for Vista or complete on Vista, and some are downright expensive.
     
  3. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    John I checked your site out, and other than a nice photo I don't see anything that helps out here.
     
  4. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    You missed the facts that Windows Vista Firewall was discarded as a contender, ZA Free wasn't even considered, and ZASS isn't complete on Vista, eh?
     
    Last edited: Oct 2, 2007
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    If it's there on your site, I did not see it. If you are making judgments and discarding this or that, I want to know why. You might have good reasons of broad consequence, or it may simply be an unusual configuration or set of requirements that you have. Why don't you put your cards on the table here?

    Other than the difficulty in identifying blocked outbound connections, I think the Vista firewall is pretty good. Perhaps you can give me an analysis that is different.

    You seem to like PCTools. What is the deal? Every time this one gets mentioned I ask why is it good, and no one has an answer. Perhaps there is no answer. Of course, there is no spoon, either.
     
  6. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    That is its major flaw. Generally, a good hardware firewall or even a configured router will protect against many inbound connections. If WVF had an outbound real-time detector it would be quite good. But it does not.
    It works reasonably well. Not great. It's free. It has a relatively small footprint. It does not consume resources excessively. Actually each of these points was already made on my website. I'm not trying to promote it. I get no revenue from it. I just don't want to retype everything.
     
  7. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Bottom line is that the options for Vista are limited, and those that are available are either good (not excellent) and free or they are expensive. Some of the big names are just not there in the Vista world yet.
     
  8. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    Not a big deal if you know what network apps you are running (assuming you're using the advanced configuration) and don't change them much. If some network activity doesn't work, you can guess that you need to add a rule. Of course you would probably need some type of HIPS to protect against thread injection and other such exploits.

    Diver, here's a nice little log viewer. You'll have to change the location of the logfile in the settings (C:\Windows\System32\LogFiles\Firewall\pfirewall.log)

    http://www.izcity.com/lib/25012005/windows-firewall-log-viewer-0-0-32.htm
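    Added example, not from the thread or the linked viewer: a small Python parser for the W3C-format pfirewall.log mentioned above that pulls out the DROP records whose direction is SEND, i.e. the simple list of blocked outbound connections asked for at the top of the thread. The header follows the real log layout; the records and addresses are constructed.

    ```python
    from collections import Counter

    # Constructed sample of C:\Windows\System32\LogFiles\Firewall\pfirewall.log.
    # The #Fields header matches the real format; the records themselves are made up.
    SAMPLE_LOG = """#Version: 1.5
    #Software: Microsoft Windows Firewall
    #Time Format: Local
    #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
    2007-10-02 10:15:01 DROP TCP 192.168.1.10 203.0.113.5 49152 80 52 S 123456 0 8192 - - - SEND
    2007-10-02 10:15:03 DROP UDP 192.168.1.10 198.51.100.9 53210 53 78 - - - - - - - SEND
    2007-10-02 10:15:05 ALLOW TCP 192.168.1.10 203.0.113.5 49153 443 0 - 0 0 0 - - - SEND
    2007-10-02 10:15:07 DROP TCP 198.51.100.77 192.168.1.10 4444 135 48 S 777 0 65535 - - - RECEIVE
    2007-10-02 10:15:09 DROP TCP 192.168.1.10 203.0.113.5 49154 80 52 S 123457 0 8192 - - - SEND
    """


    def parse_firewall_log(text):
        """Yield one dict per record, keyed by the column names from the #Fields header."""
        fields = None
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            if line.startswith("#"):
                if line.startswith("#Fields:"):
                    fields = line[len("#Fields:"):].split()
                continue
            if fields is None:
                raise ValueError("data record appeared before the #Fields header")
            values = line.split()
            if len(values) != len(fields):
                continue  # skip a truncated line rather than misalign its columns
            yield dict(zip(fields, values))


    def blocked_outbound(text):
        """Return only the DROP records whose path is SEND: blocked outbound attempts."""
        return [r for r in parse_firewall_log(text)
                if r["action"] == "DROP" and r["path"] == "SEND"]


    def summarize(records):
        """Count blocked outbound attempts per (protocol, destination IP, destination port)."""
        return Counter((r["protocol"], r["dst-ip"], r["dst-port"]) for r in records)


    if __name__ == "__main__":
        for key, count in summarize(blocked_outbound(SAMPLE_LOG)).items():
            print(count, *key)
    ```

    The log only receives DROP lines once "Log dropped packets" is enabled in the profile's logging settings, and the log records the destination, not which process opened the socket, so it complements rather than replaces TCPView.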
     
  9. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    It IS a big deal, because the outgoing rules DON'T EXIST in Windows Firewall until you create them, so any new (or unknown to you) application is NOT BLOCKED until you go through the effort of manually blocking it, which is anything but a user-friendly interface and process.

    A simple pop-up that an application is attempting to use the network and has not been granted/denied access previously would be all it would take to improve Windows Firewall. Of course, actually doing something to grant/deny would also be a big plus.
     
  10. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Adding to your list:
    Norton
     
  11. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    The assumption is that you would set it to block all by default and create the rules for each app you allow, as I have done. The interface is pretty straightforward for doing so.

    Hopefully someone will utilize the API and develop a nice control app/log viewer for it.
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    My conclusion after using the Vista firewall for a while and pretty much mastering its rule making process is that the outbound filtering is really designed to enforce corporate IT policy. It gets set up for a defined set of net applications and that is it.

    Too many things don't install and worse yet a few things installed incorrectly and could not be fixed without complete removal and re-installation with outbound filtering disabled. It is simply not possible to anticipate some of these network enabled portions of some installers. I had a very bad time with Adobe Flash. Someone advised that I could have used a stand alone installer, but they were forgetting I did not know in advance how much of a problem it would cause.

    Frankly, outbound filtering is a total PITA. Passing leak tests produces firewalls that are rather bothersome, and turning off features that make the firewall bothersome reduces its effectiveness. A demonstrated relationship between passing leak tests and improved security is nowhere to be found. Stories of how a firewall discovered an infection are rare, probably because the user blindly responds to all prompts, there being all too many to deal with.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yep, it wasn't developed with flexibility in mind. Enforce the network policy and stop asking. This doesn't work in the home market.
    The "workaround" for this situation is the suite: blacklists, whitelists, behaviour analysis, IDS, content filtering, etc.
     
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Someone said Norton, is it available separately from a suite now?

    Webroot is also Vista compatible according to the publisher.

    Lucas, I am glad you put "workaround" in quotes. The question is how far do you have to go? I run Vista with UAC on, and all older versions of Windows in a limited user account. Any of these non-firewall HIPS seems as likely or more likely to do the job as outbound filtering. Everyone says layers, but I suspect the leak proofing layer is thin. Somehow I don't understand how far this leak test thing has gone. Scott Finney, a widely read pundit, thinks leak testing is the "holy grail" of firewall performance. He gives conditional approval to Comodo 3 beta, pending a release. Scott has also ditched Windows for his main OS and now uses a Mac.

    Nonetheless, a simple blacklist AV is probably not enough today given that the malware authors change their stuff every few days, and test it against popular AVs. Heuristics adds another level, but is still based on a flat file scan. HIPS is next and Symantec's proactive protection (and perhaps Online Armor) seems to be a smart HIPS focused on important elements like keyloggers.

    Symantec also takes a different approach with its firewall design abandoning the quest to catch leak tests, which are mainly proof of concept, and focusing on signature and generic based identification of malware communication.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AFAIK, NPF (Norton Personal Firewall) is dead as a standalone product.
    I have little trust in Webroot, but that's a personal (and possibly biased) opinion.
    I choose to run a rule-based firewall. I'm no network guru, but I can make good rulesets. My firewall scores well in leaktests, but this doesn't matter to me (the Process Attack Table is disabled for the most part)
    IMO, users who can't make good rulesets should opt for a silent application-based firewall and/or forget about outbound control and leaktests.
    IMO, a "smart" firewall should do all kinds of traffic/content/process analysis before prompting the user.
    Example: a new process (not in the whitelist) is writing an encrypted file while the user is visiting his/her online bank. The firewall/suite should analyze if it's doing keylogging or if it's associated with a BHO. This behaviour is highly suspicious and worth a second look by the integrated AV with more aggressive analysis. If nothing is found, this process should be kept in a "watch list" and any attempt to initiate outbound connections tracked.
    Do you see what I mean?
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Outpost 2008 is out and Vista compatible. It is significant as it is near the top of the leak test charts. Jetico performs well but is beta, as is Comodo 3. Reports are that Jetico is not for everyone as it is rather noisy. The most recent Comodo 3 beta works for many. The Comodo road map shows a RC before final release, which looks to be sometime in December.
     