Commentary
11/4/2005
08:31 AM
Fred Langa
Fred Langa
Commentary

Langa Letter: Readers Rate Desktop Firewalls

Fred asked; you answered. Here are your top recommendations for the best desktop firewalls.



Fred LangaThe desktop firewall landscape is changing fast. It's not the need for desktop firewalls -- that hasn't changed at all. Desktop firewall software remains one of the three essential components of robust PC security.

Start with a good antivirus tool to help prevent infections from viruses, worms, Trojans, and the like. Add a good anti-malware tool to help guard against spyware, adware, browser hijackers, and other miscellaneous forms of malware. Now include a good desktop firewall to help prevent unwanted network access to the PC (and its contents and LAN connections), and you will have closed most of the worst vectors for security problems.

Even in instances where a PC is protected by an external firewall, a desktop firewall can help both as a last line of defense from outside attack, and also as a way to guard against unwanted outbound connections, such as those triggered by the covert "phone home" activity of some malicious software. (More info? See: "How Much Protection Is Enough" and " ...The Single-Layer Defense Fallacy" Desktop firewall software truly is a vital tool in keeping PCs safe.

But the desktop firewall software industry is in major flux. Some of it is consolidation: For example, Symantec (makers of the Norton Personal Firewall, among many other security products) recently acquired Sygate (makers of the popular Sygate Personal Firewall, and other products). Computer Associates bought Tiny Software (makers of Tiny Personal Firewall); Kerio has partnered with McAfee for some of its offerings; and has announced it will soon stop distributing its popular free firewall. And so on.

Even without mergers, acquisitions, and partnerships, there's significant change: For instance, ZoneLabs, makers of ZoneAlarm (which almost single-handedly created the category of "desktop firewall"), now offers five distinct products ranging from a relatively basic desktop firewall up to a complex Internet security suite. More info.

Even Microsoft is getting into the act. It's been shipping a basic firewall as part of XP for some years now, and is extending the firewall's features and adding additional security services through its "OneCare Live" product, now in limited public beta.

In short: There's a lot of dust in the air, making the choice of a desktop firewall more complex than ever.

So, to try to help sort things out, I recently asked readers to volunteer their opinions on what the best-available current firewall is. I analyzed the first 500 replies and will present the results below. It's very interesting: I learned of a few firewalls I hadn't heard of before; and also saw some product-usage numbers that were, frankly, surprising.

And, possibly, quite useful: After all, this is a collection of first-hand reports from your fellow-readers -- people like you. It's the kind of information you might get if you sat down with a large group of people who use their PCs in ways similar to the way you use yours. It's as though you have a small army of people testing and trying things on your behalf.

That said, it's also worth pointing out that this kind of data is anecdotal; it's not a review; and not a way to generate statistics that can be projected across the PC-using universe at large. As long as you realize that the data you're about to see is interesting, first-hand reporting from your fellow readers -- no more, no less -- you'll have a good context for understanding it.

Surprises In Store
I expected some spread in the data, but was surprised to discover that readers were using -- and recommending -- some two dozen different types and brands of firewall products! I had expected far fewer.

With this many products in use, no one tool emerged as the majority winner. But two tools did stand out from the rest, garnering a combined total of 70% of the reader recommendations: 43% of the respondents named ZoneAlarm their top choice; 27% named Sygate.

The next group was way behind: The Kerio and Outpost firewalls each got 6% of the vote. Norton Personal Firewall and Windows XP's built-in firewall each got 5%. NetVeda had 2%; Tiny and EZ-Armor each got 1% of the recommendations.

The above adds up to 96% of recommendations. The remaining 4% was scattered through a range of products, including OneCare, Freedom, Filseclab, F-secure, Defender Pro, Jetico, Kapersky, System Mechanic, Trend Micro Internet Security, Webroot, V-Com, AVG (Grisoft), McAfee, Panda, Avast, PC-Cillin, BlackIce, and several different Linux-based firewalls and specialty distributions.

chart

Of course, the raw numbers only tell part of the story. For the rest, I selected one or more representative comments from among the E-mails relating to each recommended product so you could hear from the readers in their own words:



ZoneAlarm
(Recommended by 43% of respondents)


ZoneAlarm

(click image for larger view)

The most-recommended product in our survey, ZoneAlarm ("ZA") has grown to five versions ranging from the free, basic ZoneAlarm firewall; to the $70 ZoneAlarm Security Suite, which includes, anti-spyware, anti-spam, anti-virus, and more. This link will let you compare all the versions of ZA.

Of those readers reporting ZA use, the basic ZA firewall received the most recommendations, followed by ZA Pro, and the ZA Security Suite, respectively.

Fred: I recommend the Zone Alarm (free version) because it's robust and free. It also gives visibility to processes and applications that have Internet access.
-- Joseph Colson

Hi Fred! Zone Alarm has been on my computer for many years. This month I upgraded to the Zone Alarm Security Suite. I find it excellent, and have got used to the pop-ups :-). So far, I have resisted turning on the Email Protection to "HIGH: Challenge unknown senders". I hate getting "challenge" messages myself, so I don't feel I should inflict them on others :-). The AV and Anti-spyware are welcome additions and (hopefully!) are working well. As yet they have not caused any problems nor conflicted with AVG PRO I have installed.
-- Lance in Australia

I have used Zone Alarm for years -- through many upgrades. I use the professional version but I believe the free version is very good also. Have had no problems, and experienced excellent protection for my computer which is on a cable modem.
-- Ronald Schwartz

Fred, For me the old ZA Free Version is my pick. Why?..easy to configure, effective, and it has both inbound and outbound protocols. The last has saved me on two occasions when mysterious Trojans got caught by the outbound protocol when they sought permission to connect to the net.
-- John Cash

Fred, I installed the free Zone Alarm 6 a month ago with nary a problem. I've been using Zone Alarm for three years and so far have been intrusion free. I used a cable modem with a router, but the router is fairly recent in my system. I'm a happy camper with Zone Alarm.
-- Rich Warren

Fred: I currently use Zone Alarm Suite 6.0.667 and have not had any of the problems I have been reading about. I have used ZA (free and paid) for some time now and have had very few problems, but excellent protection. I periodically go to Steve Gibson's Web site and run his tests to determine the stealth level of my machine and, to date, the tests have not been able to access my system. I would strongly recommend ZA to anyone.
-- Jerry Lee

Hi, I use ZA Pro, and though I had problems with 6.0.631.003, once I loaded 6.0.667 and after wading through all the alerts, it has settled down. My system does boot and shut down slower, but that's the price of security these days.
-- Robert Matalavage

Sygate
(Recommended by 27% of respondents)


Sygate

(click image for larger view)
The two Sygate firewall products mentioned most by your fellow readers were the free-for-personal-use Sygate Personal Firewall; and the $40 Pro version. You can see and compare the features of both versions here.

Note: On Oct. 10, 2005, Symantec completed acquisition of Sygate, but as of this writing the firewall products mentioned here are still available, unchanged.

Hi Fred! We use Sygate Personal Firewall for several reasons:

  1. Historically, it has been well maintained and has been a robust program;
  2. It is free (if you know where to look);
  3. It is easy to use and configure -- things are logically arranged and easy to understand;
  4. It works!
-- Victor Gascon

Fred, I did a master's degree in network security with Capitol College in Laurel, Md., and part of the curriculum was to do an attack study using no firewall, one firewall, and then two firewalls. I used 2 Windows 2000 machines, one as attacker and one different machine as a target. No firewall yielded the obvious results (no alerts, and I compromised the box). Then I installed ZA free version (using default, out-of-the-box settings). Depending on the attack, it might alert (didn't alert on a low and slow, didn't alert on crafted packets, but did on standard, run-of-the-mill attacks. I also compromised the box again.). Then I uninstalled ZA, and installed Tiny Personal Firewall (again, default settings). Better than ZA, but still didn't alert on the low and slow (results will vary on how paranoid you set the settings. Still compromised the box.).

Then I uninstalled Tiny, and installed Sygate Personal Firewall (again, default settings). Sygate alerted on every attack I tried (and I was unable to compromise the box using my attacks). Then I uninstalled Sygate, installed Tiny and ZA, and even together they weren't as effective as Sygate (not enough alerts, and I compromised the box).

At this point, I stopped and wrote it up. I figured if Tiny and ZA weren't as good as Sygate, there was no use combining Sygate with one of them. One caveat: up until that point in time, Tiny was my preferred firewall. Now, I use Sygate on every computer I own. Most of the folks in my organization come to ask me what to use to protect their home computers from the assorted nasties on the Internet. Obviously, I always (now) recommend Sygate Personal Firewall. I do that for 2 main reasons: the out-of-the-box settings are more than adequate for 95% of the users I've recommended it to, and because of #1, the users aren't bombarded with the normal learning curve of the firewall, which is their biggest source of frustration with a firewall (which causes them to either disable or set the settings so low it's ineffective). I know that most people have their favorites, and hate to see their favorites trumped, but this was about as much of an objective test as I could figure out. I was going to use BlackIce, but decided it didn't really qualify as a firewall, so left it out. Anyway, hope this helps!
-- Regards, Robin Berg MCSE

Hi Fred! Used to use Zone Alarm and recommend it to my clients. After several bad experiences with ZA, I tried and now use Sygate Personal Firewall (free version). Don't know what will happen since the acquisition.
-- Doug T.

Fred: I have gone from Zone Alarm (free), Zone Alarm (paid), to Kerio (free), and then to Sygate (free), to Sygate Pro (paid). When I upgraded to XP Pro, I used the built-in for about a day and went back to Sygate. I have to say that Sygate has worked the best of any of the firewalls I have used. It is the least obtrusive and least invasive. Meaning it doesn't try to be everything else, just a good firewall. It works invisibly, unless there is a problem and doesn't add much overhead into the operating system. A firewall is kind of like an automobile, it has to fit each person's personal preference anyway.... I am not changing anytime soon.
-- Guy Burdick

Fred: I like Sygate Personal Firewall, myself. It's free, it's powerful, and the advanced features let me allow incoming VNC connections from one MAC address (my wife's computer) and from one other subnet.
-- Eric



Kerio
(Recommended by 6% of respondents)


Kerio

(click image for larger view)
Kerio Personal Firewall ("KPF") is in its final months, at least in the form we now know. KPF will be discontinued on Dec. 31, 2005; although support will continue for another year. KPF is available for $45; group licenses are also available. It appears that the "Kerio WinRoute Firewall" will be the successor, with a base price of $399 for 10 seats.

Hi, Fred, I don't see the big deal about Kerio stopping development of KPF. I've been using it for years without any "upgrades" or support even before there was a Kerio (used to be called Tiny if you remember) with no ill-effects. It does what it's intended to do with (seemingly) no serious flaws. Not perfect, but gets the job done. Unless IP is changed drastically, it should continue to perform well into the future. Who knows, by that time, MS (or someone else) may have their act together and make a firewall worth having!
-- Gary Zollweg

Hi, Fred, I use and recommend Kerio Personal Firewall. I like that it is *just* a firewall, though they have added some features like popup blocking and ad blocking (neither of which I have turned on). It is easy to use, can distinguish between LAN and Internet traffic, is set to "default deny" and pops up if there is something you haven't recognized. At this point you can allow or deny on a once-off basis or create a rule. It also pops up when one application runs another, which can be a little annoying when you are installing something, but otherwise is quite useful. Finally, it keeps track of specific executables, warning you if these have changed -- when next they are executed.
-- Cheers, David McFarlane

Hi Fred. I'll stay with Kerio 2.1.5. It works! Small footprint, faultless performance according to several security test Web sites. And easy to configure. And I've never needed support in 2 or 3 years of use.
-- Cheers, Roger

Outpost
(Recommended by 6% of respondents)


Outpost

(click image for larger view)
Agnitum's Outpost firewall is available for free trial, and retails for $40 for a single license, with group/business discounts available.

Fred: I've used various versions of numerous firewalls, all the way back to the Signal9 Conseal firewall. After a couple of years, I settled on ZoneAlarm (purchased) but found it to be bloated and obtrusive. Not to mention the fact that it didn't seem to work well with certain other programs -- regardless of who was at fault. Switched last year to Outpost. It is much less obtrusive (to me) and seems to work very well. I like it. My subscription is due in 21 days nd I plan to renew. In addition, it now includes spyware protection, but I don't really have a feel for it yet (I use AdAware SE -- purchased) and occasionally SpyBot.
-- Hal

I've been using Agnitum's Outpost for a long time and believe it's a fine product. I purchased it early on and have a lifetime free upgrade license.
-- Larry Peplin

Fred: Very few reviews but a great firewall where it has been reviewed. Big in Europe. Very underrated. Some of the reasons for using:

  1. Far less strain on system resources than most application level firewalls.
  2. Relatively inexpensive (there is a free version as well)
  3. Passes leak tests.
  4. Easy enough for a novice but more than enough features for a techie.
  5. Excellent logs for tracing activity in and out.
  6. User-developed plug-ins for suppression of ads to supplant the built-in feature.

[I've been] 18 years in the computer business, I've seen firewalls from just about every vendor running on every type of system. This one is one of the few that has ever impressed me.
-- Lee Shornick

Fred: I have been using Agnitum's Outpost Pro firewall since it was in beta. Outpost is not for the average user unless they are willing to go through an education on computer networking. I am a computer engineer, who also is a computer hobbyist, working with computers everyday, all day. Outpost Pro is more powerful and configurable than ZoneAlarm but at the cost of increased complexity. However, I can tune it to allow/disallow anything I want, based on source IP, destination IP, protocol, port, process, etc. I have gone through many, many upgrades (it is now in version 3.0.543.5722) without ever having an issue that shut me down or required backtracking to the previous version.
-- Kelly Baker

Fred: I have tried many of the software firewall solutions. The reasons why I chose Outpost:

  • Excellent reporting capabilities. You can really see what your computer is doing. I have installed this on computers to track down worms and other nasties that are trying to phone home.
  • Seems to detect everything. I have tested using many of the on-line port test sites. I have even run my own custom scans and could not break through without the application requesting explicit permission.
  • Simple to set up rules
  • If needed, the built-in automated selection of options are strong -- without bothering the user for input (however, I always choose to use the custom rules -- I like the idea of completely controlling access)
  • Has some nice add-ons that come with the application (active content filter, ad filter, anti-spyware, attachment quarantine, attack detection, content filter, DNS cache).

-- Ira



XP's Built-In Firewall
(Recommended by 5% of respondents)


XP's Built-In Firewall

(click image for larger view)
Available in all versions of XP, the built-in firewall is basic, but has just about every necessary feature except for outbound filtering (e.g. "phone home" protection) and a slick interface. More info here and here.

Hi -- My favourite by far is the built-in Windows Firewall that came with XP SP2. I work in computer support for an NGO in SE Asia and firewalls and computer security in general is what a lot of people worry about. My people here use ZA free edition on their own computers and in my opinion it is way, way too complicated for the average user and way too powerful. In many cases I would describe it as killing a spider with a canon. I truly believe that Internet security is small part software and large part user awareness. I tell the people who ask my advice that the software they want on their machines is software that will not hassle them, slow down their computer, and will look after itself -- whether they agree or not, they will not keep it working fully if they have to do anything every week or every day as they will just get bored.

Windows firewall is by far the best firewall that matches this; it works like a NAT firewall, stopping everything that wasn't requested from inside and it does it with only asking me a question once in a blue moon. I then tell the user not to open up any attachments or surf to any dubious sites and they will be fine. Almost all of my users also sit behind a NAT firewall built into their routers as well. To date (and I also support 50 computers in local schools in the same way) I have not had any successful attacks on the machines.
-- Mark

Hi, Fred, I know this may sound cavalier, but I just use the XP SP2 Windows firewall in conjunction with a properly configured hardware firewall (router). I always had issues with computers on the LAN failing to see each other intermittently when using ZA or another software firewall, and gave up. I realise this doesn't give me the level of protection most advocate, but in a year there haven't been any major intrusions, and file transfers on the LAN are much simpler.
-- Greg Frederick

Symantec/Norton
(Recommended by 5% of respondents)


Symantec/Norton

(click image for larger view)
Not counting Sygate (above, which was newly acquired by Symantec) the two Symantec-specific firewall products recommended by readers were the $50 Norton Personal Firewall ("NPF") and the $70 Norton Internet Security ("NIS"), which bundles antivirus, anti-spyware, and anti-spam tools along with NPF. Symantec also markets a wide range of higher-end products as well. To see the full range, check this link.

Hi Fred: I am using Norton's Firewall and have no problems with it.
-- Robert Bailey

I use Norton Internet Security and AntiVirus. Why? Well, I have the feeling, correct or not, that the more programs you can use that can get along with each other, the better off you are, and Norton handles my firewall duties along with a spam fighter, ad killer, and the anti-virus software all wrapped in one package and everything is settable by me, and seems to work just fine. Gets rid of any virus before I even know I got it, tells me if someone is trying to get into my system, and even where they are. And lets me set it up so I can let the other computers on my home network use my printer and files that I tell it to share. Seems trouble-free to me, and the price is good, $39 for each new edition. You can upgrade the virus definitions for a little less, but for the $39, you get the whole new version and a new subscription, too.
-- Donovan

I'm using Norton Personal Firewall. It's configurable, interface is user-friendly (at least to this user), does what it says it's going to do and nothing else. No conflicts with Windows from 98 through XP current service pack.
-- David J. Baxter

Norton...but a PITA to pass the Gibson's Shields Up! test to get 100% Stealth...I had to create Rules to close ports...afterwards no problem...but this is beyond most users' abilities.
-- Dean Ross

I've been using Norton Internet Security for the last 5 years. The recent versions (2004, 2005) do not seem to have the horrible installation problems of the earlier ones. However, in the last 5 years, (2 on broadband), with copious Internet access, I've never had (knock-wood) a virus, Trojan, etc. NIS has caught several attempts. I note that many E-mail providers, including mine (toast.net) do excellent virus scans before delivery. Anyhow, I'll happily vote for NIS. Recently, the 2005 version has been discounted with rebates to be free as an upgrade.
-- David W. Knoble

NetVeda SafetyNet
(Recommended by 2% of respondents)


NetVeda SafetyNet

(click image for larger view)
Little-known NetVeda SafetyNet is free for personal use; and $40 in a "Pro" version. Despite its lack of publicity, it generated some interesting comments:

Yes Sir, I have a solution that is working like a dream. Man, you got to try this out. Download the safety.net software and setup. Simple to use for a single computer or small network. GO!
-- Richard Farley

Fred, Having used the free Zone Alarm for a long time, I decided to replace my anti-virus with the ZA Firewall/Anti-virus combo. That subscription just ran out. The difficulties so many people are reporting with the latest Zone Alarm made me look elsewhere. I downloaded and installed the NetVeda free version. It installed easily enough but is not as user friendly as ZA. It also has a "learning curve" that is a bit annoying but is coming to an end as I use more of my applications.
-- Regards, Bill LaCoff

A really good free firewall which has many many features that I use is NetVeda Safety Net. I got rid of the likes of ZoneAlarm and Sygate's free versions for this Jewel. it lets me control my daughter's Internet time and has great parental filters built in that works. Also passes Steve Gibson's and Broadband reports leak test's port tests, etc..It's the best free firewall going.
-- Mike



Tiny Personal Firewall
(Recommended by 1% of respondents)


Tiny Personal Firewall

(click image for larger view)
Tiny Personal Firewall is available for free trial, or for purchase at $49 and $99, depending on the version. (See link for details.) The future of TPF is a bit up in the air, as the company was acquired by Computer Associates last summer (2005); but its current users are quite happy with the product.

Hi Fred, I E-mailed Outpost and Cyprus. After that, I took on Tiny Firewall, now owned by Computer Associates Inc.. I've been using it for two years now and think it is the best firewall/sandbox that I have used or tested. They have made it somewhat easier to live with. But it requires desire and determination to learn how to use it. Just remember not to give Trusted status to Explorer, Internet Explorer, other browsers, and apps such as Copernic Desktop Search. In fact it has been a while since I checked their status and will do so now.
-- Regards, Rob Johnston

Fred: I've been a long, long, long-time user of Sygate. They have recently been purchased by Symantec, though, so I expect their product quality and support to [decline]. So I'll move back to Tiny Personal Firewall. They've had a great product for a long time. I moved away when I had some issues with it during the major transition from v3 (which was a toy-like consumer firewall not unlike Zone Alarm) to v4 (which grew up into a serious tool). They've never had much support and I suspect that I'll find that is still true but the product is technically great. Warning, though ... you _BETTER_ know what you are doing. This is not for casual users.
-- Arley Dealey

EZ-Armor/eTrust Personal Firewall
(Recommended by 1% of respondents)


EZ-Armor/eTrust Personal Firewall

(click image for larger view)
Computer Associate's firewalls are a kind of odd duck: Although CA recently purchased Tiny Software, the EZ-armor and eTrust Firewalls appear to be based on earlier versions of ZoneAlarm (see screen shot), with some minor rebranding and interface changes. I would assume that at some point CA will standardize on the product it owns (from Tiny) rather than to continue with a licensed product; but at this point, CA's intentions aren't clear. Things are further complicated by CA's somewhat frenetic marketing which has the company offering free, deeply-discounted, and bundled versions of its firewall and other security products through third parties such as ISPs and even Microsoft. If any of these CA products interest you, shop around and you'll almost surely be able to get it for nothing, or nearly so.

Hello Fred, I gave up on ZoneAlarm earlier this year when I started having problems with. It was an easy switch to the CA EZtrust firewall.

#1 - it was free from my ISP - Optimum Online
#2 - it seems to be the exact same thing as an earlier version of ZoneAlarm
#3 - it works fine.
I had tried and discarded Norton Internet Security. I also looked at MacAfee's security program but I am not a fan of their software. I also use the firewall in my hardware router. I am a firm believer in levels of security.
-- Sincerely, John Madura

The <1% List
All the following were recommended by readers, but in low numbers. In aggregate, this group accounted for 4% of the total responses:

  • Windows OneCare Live (beta): Following its successful (but still officially beta) venture into anti-spyware, Microsoft now is ramping up to combine firewall, antivirus, automated system tune-ups and a backup service into a new product called OneCare Live. You can get further details and sign up for the beta here.
  • F-Secure is available as a free trial, and otherwise costs $60, with group discounts available.

  • McAfee Personal Firewall (also available in McAfee Internet Security Suite); free trial; $40 retail; also offered free as part of ISP sign-up deals in many cases.

  • NetDefense Firewall is also available in Vcom utility suites; it's a rebranded variant of the Sygate firewall. $60

  • Avast: Currently in flux with a new version imminent; prices for new version not yet set, but previous versions were available as free trial and free-for-personal-use versions. Check their Web site for new info.

  • Long known for a very good commercial antivirus tool, and a good free (personal use) antivirus tool, Grisoft's "AVG Anti-Virus plus Firewall Edition" is available in free trial or as a $49 purchase. As the name implies, there is no standalone firewall here -- it's a firewall-plus-antivirus bundle.
  • Panda Platinum Internet Security is an $80 bundle of tools, including anti-spam, antivirus, and a firewall.
  • Jetico Personal Firewall is freeware. It may become a commercial offering at some future point (like other Jetico products) but for now, there's no charge.
  • BlackIce firewall is available in free trial; $40 to purchase.
  • PC-cillin: Trend Micro's PC-cillin is more than just a firewall. It's available as a free trial, or as a $50 purchase.
  • System Mechanic: A utility suite that includes a firewall, System Mechanic is available in free trial form, or as a $50 purchase.
  • Freedom Firewall is a subscription-based service costing $40 per year.
  • Webroot's Desktop Firewall is a two-way (inbound and outbound) firewall. You can try it free; it's $30 to buy.
  • Kaspersky Personal Security Suite is more than a firewall (see link for full details). A free trial is available; it's $50 to buy.
  • Filseclab Personal Firewall is freeware. The interface may be a little intimidating for novices, but you can't beat the price.
  • Your Turn
    If you didn't get a chance to participate in our firewall survey, it's not too late! Click over to the BBS area associated with this column, and post your firewall likes, dislikes, and recommendations there. Join in!


    To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

    To find out more about Fred Langa, please visit his page on the Listening Post.

    We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
    Comment  | 
    Email This  | 
    Print  | 
    RSS
    More Insights
    Copyright © 2019 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service