Since the birth of the public internet, host firewalls have been sound
practice. But high-speed broadband and wireless access have heightened
risk and accelerated demand. Today, providers like AOL include host firewalls
in client software bundles. Many large enterprises routinely install security
suites containing firewalls on employee laptops. Last year, Microsoft
even rolled a personal firewall into Windows XP SP2.
Integrated firewalls like these are great for those who already use—or
have the budget to buy—the associated commercial products. But some
regional ISPs and small businesses prefer to recommend freely-available
programs that are not tied to a specific OS patch or AV/VPN product. In
this article, we take a brief look at five Windows firewalls that won’t
cost individuals a dime: Check Point ZoneAlarm, Comodo Personal Firewall,
NetVeda Safety.Net, Primedius Firewall Lite, and Sunbelt Kerio Personal
ZoneAlarm runs on Windows 98/ME/2000/XP, with 50 MB disk and 128 MB RAM
(XP). For this review, we tried the free-for-individual-use version of
(v6.1.737), a bi-directional desktop firewall that can enforce network
and program rules. The commercial ZoneAlarm Pro ($49.95, not tested) adds
anti-spyware, e-mail virus scanning, pop-up blocking, and automated firewall
After installation, ZoneAlarm uses a short wizard to create initial
firewall rules. For example, if the user plans to surf the web, the wizard
creates a rule that lets the default web browser (iexplore.exe)
and a related OS program (svchost.exe) access the Internet.
initial rules can be added, changed, or deleted over time, at the user’s
request, whenever new applications attempt to use the Internet, or whenever
new networks and unsolicited inbound traffic are detected. When each new
situation is encountered, pop-up alerts prompt the user to choose whether
to allow the activity once or forever (see figure at right). Novices
can click an advice URL to view descriptions of programs commonly associated
with filenames or ports, and learn whether they are likely to be trustworthy
This learn-as-you-go approach makes ZoneAlarm seem awfully chatty—perhaps
even a bit intrusive—for the first day or two of use. But once rules
are created, these alerts die down and you may even forget that the firewall
is there until something unusual occurs. If these alerts bug you, a less-secure
learning mode can be used to silently auto-create rules as new programs
run. To prevent trusted programs from being abused (e.g., overwritten
by trojans), it is recommended that users run in high security mode. Unfortunately,
that mode is only available in the Pro version.
Dig a little deeper, and you’ll find that ZoneAlarm applies rules at
two levels: firewall (network) and program (application). Program rules
determine server (inbound) and access (outbound) permissions, depending
upon whether a packet’s origin/destination is located in the “trusted”
or “Internet” zone. For example, the default web surfing rule gives IE
“access” permission for both the trusted and Internet zones. If IE should
load a web page with active content that unexpectedly opens a listening
port, ZoneAlarm would ask whether IE should be given “server” permission
programs should often accept requests from the local LAN (e.g., home or
office network) but not from outsiders (e.g., public Internet or Wi-Fi
hotspot). This is where ZoneAlarm “zones” come into play, letting you
treat specified networks or hosts as trusted (see figure at left).
By default, all adapters are placed in the Internet zone, with security
set to high—the host operates in “stealth” mode, ignoring all unsolicited
inbound requests. Trusted zone security defaults to medium, permitting
Windows file and printer sharing. Any zone’s security can also be set
to low, disabling the firewall for subnets and hosts in that zone. Zone
rules can be fine-tuned to permit DNS/DHCP in high security mode, or block
servers altogether. However, you won’t find granular protocol/port-level
control in the free version of ZoneAlarm—for example, you cannot
allow inbound ICMP ping but not ICMP redirect.
lets you see what’s happening in several ways (see figure at right).
First, Internet In/Out gauges give a rough idea of traffic flow. Second,
a series of program icons identify programs currently using network services.
Third, a log of firewall and program alerts is maintained, so that you
can determine which activity has been permitted or blocked by ZoneAlarm.
Novices may never even look at the ZoneAlarm log. But we believe that
a detailed log like this is essential to enable problem diagnosis. Without
it, users could be tempted to disable the firewall when programs are blocked,
reverting to unsafe operation instead of adjusting firewall rules.
The free version of ZoneAlarm also alerts when AV stops running and
can quarantine VB scripts received in e-mail. Many additional e-mail,
privacy, and spyware defenses can be found in the Pro version, available
by itself or in combination with sibling Anti-Spyware and Anti-Virus programs.
Multi-user licenses are available in small business versions of ZoneAlarm.
Zone Labs has been refining these firewalls for years, building a reputation
in the market. The free ZoneAlarm is aimed at home users who really need
GUI simplicity and alert advice. Users with more granular firewall requirements
will need to spring for Pro or try another firewall.
This article was first published on ISPPlanet.com.