It's hard to believe, but it's only two years since ZoneLabs blew the doors off the desktop firewall market by offering the free and excellent ZoneAlarm 2.0. I first wrote about the software in February 2000, and many of you stampeded to the ZoneLabs site--so many, in fact, that Gregor Freund (then president, now CEO of ZoneLabs) wrote:

"Fred, I very much appreciate your article on ZoneAlarm (except that it nearly brought down our servers!). We've had 100K plus downloads in less then a week, and it is accelerating."

ZoneAlarm is offered in two versions: the free-for-personal-use basic edition (now at version 2.6.362), and a new $50 version 3.0.118 pro edition. The 3.x pro version is, in fact, very new; in the last month or so, it's been undergoing rapid modification, with almost weekly updates.

ZoneLabs' competitors haven't stood still. Many have released new versions. Nearly all the vendors offer similar free-for-personal-use basic versions of their desktop firewalls and enhanced versions for commercial and heavy-duty use. (The exceptions are Norton and McAfee.) Most of these packages are priced at around $40 to $50 per seat, with discounts available for quantity purchases.

'Desktop' Versus 'Real' Firewalls
Put down those flamethrowers. I know that a desktop firewall isn't a "real" firewall in the formal sense of standalone hardware/firmware. And, indeed, keeping intruders from reaching your desktop in the first place is clearly a better solution than letting the bad guys get to the desktop, then trying to stop them there. That's why most enterprises use a real firewall, where the LAN connects to the outside world. Plus, many small office and home office installations have firewall functions built into the external routers and other Internet-connection sharing devices they may employ. That's good.

But I believe it's risky--almost foolish--to depend on a single line of defense (see How Much Security Is Enough?). First, a firewall can fail; no piece of hardware or software is perfect. Second, a conventional firewall may do nothing at all to protect against attacks that originate on the "safe" side of the connection or that attempt their dirty work via the usually lightly guarded outbound Internet link. These attacks can result from intramural hacking (across the local network) or from Trojans, worms, and "phone-home" spyware installed on local systems.

A good desktop firewall can help. First, it can serve as a primary firewall if the main firewall goes down or is otherwise absent or compromised. Second, a desktop firewall can help thwart LAN-side hacking and also block attempts by locally installed software to co-opt or hijack the Internet connection, preventing back-door or phone-home activities.

For these reasons, I believe all PCs--desktops and laptops, in businesses and at home--should have some kind of desktop or personal firewall. But which one?

Many Hands Make Light Work
I have a variety of machines here in my office: Intel and AMD systems in 10 hardware configurations, running Win98, ME, 2000, XP Home, and XP Pro. But I'm not a testing lab, and what follows is not a formal review--please don't take it as such. Rather, this reflects my personal experiences and my likes and dislikes regarding six popular firewalls.

I've looked at and tested the current basic and pro versions of ZoneLabs' ZoneAlarm, the base and pro versions of Agnitum's Outpost, and the free versions of Sygate Personal Firewall and Tiny Personal Firewall. To test them, I used many of the security sites listed here and also used LeakTest as a simple check for the ability to detect and prevent phone-home behavior.

But there are many other firewalls and configurations I couldn't test. That's where you come in. Collectively, we've probably used just about every firewall ever made, in just about every possible configuration. So, when you finish reading this article, please click to the discussion area and share your firewall experiences. By pooling our knowledge, we can come up with results that can be better than some lab work--because our results will be from real people in real-life situations.

Here's what I've found in my tests.