Monday, October 1, 2007

Thinking Outside The (Windows) Box,Part 4: Free Windows Firewalls

Since the birth of the public internet, host firewalls have been sound practice. But high-speed broadband and wireless access have heightened risk and accelerated demand. Today, providers like AOL include host firewalls in client software bundles. Many large enterprises routinely install security suites containing firewalls on employee laptops. Last year, Microsoft even rolled a personal firewall into Windows XP SP2.

Integrated firewalls like these are great for those who already use—or have the budget to buy—the associated commercial products. But some regional ISPs and small businesses prefer to recommend freely-available programs that are not tied to a specific OS patch or AV/VPN product. In this article, we take a brief look at five Windows firewalls that won't cost individuals a dime: Check Point ZoneAlarm, Comodo Personal Firewall, NetVeda Safety.Net, Primedius Firewall Lite, and Sunbelt Kerio Personal Firewall

ZoneAlarm runs on Windows 98/ME/2000/XP, with 50 MB disk and 128 MB RAM (XP). For this review, we tried the free-for-individual-use version of ZoneAlarm (v6.1.737), a bi-directional desktop firewall that can enforce network and program rules. The commercial ZoneAlarm Pro ($49.95, not tested) adds anti-spyware, e-mail virus scanning, pop-up blocking, and automated firewall configuration features.

After installation, ZoneAlarm uses a short wizard to create initial firewall rules. For example, if the user plans to surf the web, the wizard creates a rule that lets the default web browser (iexplore.exe) and a related OS program (svchost.exe) access the Internet.

Click to view larger imageThose initial rules can be added, changed, or deleted over time, at the user's request, whenever new applications attempt to use the Internet, or whenever new networks and unsolicited inbound traffic are detected. When each new situation is encountered, pop-up alerts prompt the user to choose whether to allow the activity once or forever (see figure at right). Novices can click an advice URL to view descriptions of programs commonly associated with filenames or ports, and learn whether they are likely to be trustworthy or malicious.

This learn-as-you-go approach makes ZoneAlarm seem awfully chatty—perhaps even a bit intrusive—for the first day or two of use. But once rules are created, these alerts die down and you may even forget that the firewall is there until something unusual occurs. If these alerts bug you, a less-secure learning mode can be used to silently auto-create rules as new programs run. To prevent trusted programs from being abused (e.g., overwritten by trojans), it is recommended that users run in high security mode. Unfortunately, that mode is only available in the Pro version.

Dig a little deeper, and you'll find that ZoneAlarm applies rules at two levels: firewall (network) and program (application). Program rules determine server (inbound) and access (outbound) permissions, depending upon whether a packet's origin/destination is located in the "trusted" or "Internet" zone. For example, the default web surfing rule gives IE "access" permission for both the trusted and Internet zones. If IE should load a web page with active content that unexpectedly opens a listening port, ZoneAlarm would ask whether IE should be given "server" permission as well.

Click to view larger imageServer programs should often accept requests from the local LAN (e.g., home or office network) but not from outsiders (e.g., public Internet or Wi-Fi hotspot). This is where ZoneAlarm "zones" come into play, letting you treat specified networks or hosts as trusted (see figure at left).

By default, all adapters are placed in the Internet zone, with security set to high—the host operates in "stealth" mode, ignoring all unsolicited inbound requests. Trusted zone security defaults to medium, permitting Windows file and printer sharing. Any zone's security can also be set to low, disabling the firewall for subnets and hosts in that zone. Zone rules can be fine-tuned to permit DNS/DHCP in high security mode, or block servers altogether. However, you won't find granular protocol/port-level control in the free version of ZoneAlarm—for example, you cannot allow inbound ICMP ping but not ICMP redirect.

Click to view larger imageZoneAlarm lets you see what's happening in several ways (see figure at right). First, Internet In/Out gauges give a rough idea of traffic flow. Second, a series of program icons identify programs currently using network services. Third, a log of firewall and program alerts is maintained, so that you can determine which activity has been permitted or blocked by ZoneAlarm. Novices may never even look at the ZoneAlarm log. But we believe that a detailed log like this is essential to enable problem diagnosis. Without it, users could be tempted to disable the firewall when programs are blocked, reverting to unsafe operation instead of adjusting firewall rules.

The free version of ZoneAlarm also alerts when AV stops running and can quarantine VB scripts received in e-mail. Many additional e-mail, privacy, and spyware defenses can be found in the Pro version, available by itself or in combination with sibling Anti-Spyware and Anti-Virus programs. Multi-user licenses are available in small business versions of ZoneAlarm. Zone Labs has been refining these firewalls for years, building a reputation in the market. The free ZoneAlarm is aimed at home users who really need GUI simplicity and alert advice. Users with more granular firewall requirements will need to spring for Pro or try another firewall.


http://www.isp-planet.com/technology/2006/secure_windows_4a.html