My mate Fred hasn't got one – why do I need one?

You won't need a firewall if you never connect to the Internet; otherwise, you will. Firewalls come in two flavours: hard and soft. Or to be less jocular, hardware versions, and software versions. These are often specifically referred to as router firewalls and personal firewalls, though this may not always be absolutely correct.

A firewall, by the way, is called so because this is the name for the metal bulkhead or wall that protects a racing driver from the fuel tank in his car. If or when it crashes, the theory is that any fire will be contained behind the wall, and not reach him. Of course, like all theories, it doesn't work quite that well in practice – but it buys time, and that's what is needed in his case. From our point of view, we're driving a PC, and the Internet is the fire; we need some protection from it.

Ideally, you will have both a hardware and a software firewall. They don't interfere with each other, and work efficiently as a pair. If you are on a LAN, especially with a broadband connection, the switch, router, or WiFi DSL router most likely contains a hardware firewall.

From a general point of view, hardware firewalls are efficient and trouble-free, whereas software firewalls can be a CPITA (see technobabble1). Hardware firewalls don't take much setting up, and most people simply leave them on their default settings. They can't refer problems to the user, since they don't know who to address them to; so they simply deal with it all silently. For this reason, they cannot be as efficient as a software firewall resident on the PC, which can interrogate the user whenever there is a problem to be overcome. At least they are the first line of defence.

Vitally Important

A firewall works in both directions: it tries to stop the nasties coming in, and if any do get through, it stops them phoning home out of your PC.
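The two-way point above, as a toy model added here for illustration (it is not code from any firewall product): the same constructed traffic is run through an inbound-only filter and a two-way filter that only lets approved programs open connections. The program names, addresses and the `Firewall` class are assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the PC
    app: str        # local program owning the connection ("" if none)
    remote: str     # remote host:port

@dataclass
class Firewall:
    filter_outbound: bool                           # False = inbound-only filtering
    allowed_apps: set = field(default_factory=set)  # programs the user has approved
    tracked: set = field(default_factory=set)       # connections opened from inside

    def check(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if self.filter_outbound and pkt.app not in self.allowed_apps:
                return "DROP"
            self.tracked.add((pkt.app, pkt.remote))
            return "ALLOW"
        # Inbound: only replies to a connection the PC itself opened get in.
        return "ALLOW" if (pkt.app, pkt.remote) in self.tracked else "DROP"

# Constructed sample traffic (documentation-range addresses, hypothetical program names).
TRAFFIC = [
    Packet("out", "browser.exe", "192.0.2.10:443"),     # user browses a site
    Packet("in",  "browser.exe", "192.0.2.10:443"),     # the site's reply
    Packet("in",  "",            "203.0.113.5:445"),    # unsolicited inbound probe
    Packet("out", "trojan.exe",  "198.51.100.7:8080"),  # malware from a disc phones home
    Packet("in",  "trojan.exe",  "198.51.100.7:8080"),  # the reply to the malware
]

def run(fw: Firewall) -> list:
    return [fw.check(p) for p in TRAFFIC]

def compare() -> dict:
    return {
        "inbound_only": run(Firewall(filter_outbound=False)),
        "two_way": run(Firewall(filter_outbound=True, allowed_apps={"browser.exe"})),
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:13}", verdicts)
```

Both filters drop the unsolicited probe, but only the two-way filter stops the last two packets: once the inbound-only filter lets the malware open its own connection, the reply is treated as wanted traffic.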
You might install some malware from a disc, in any case, so it perhaps wasn't to blame anyway for letting it in. Trojans can get in by disguising themselves, and often function as internal spies to send out data by phoning home or sending email. A firewall that only works in one direction, against inbound traffic for instance, is obviously not therefore a firewall in the first place, and is next to useless in the second. Windows XP onboard 'firewall' comes in this category; switch it off immediately and get a real one. Blackice Defender used to be in this group, but they've fixed it.

Your Choice

If you don't currently have a software (personal) firewall, then you will choose between a free one and a paid-for one. It makes sense to run with a free one first, then you will have some ideas about likes and dislikes when it comes to buying one. Here, we give you some recommendations for and against.

It is important to remember two things regarding this: firstly, these are my opinions entirely, and someone else may have a totally different viewpoint. Secondly, one may not criticise the real offenders in the terms which they really deserve, for fear of attack by criminal lawyers (and you can read that sentence any way you like). It is not possible to state the truth in public, unless you are a millionaire and like court battles. If you don't understand this, research Walker Wingsail v Yachting World 1993. YW boat-tested a catamaran which was being marketed with a new type of solid-foil sailing rig. The thing sailed like a pig, they said so, they got sued for lots of £££, they lost (!), then Walker went under anyway since few bought their sailing bricks.

So, once again: These are my opinions and may be in error. If you want to read about this subject in depth, and see opinions from people who know the score but just don't care, then see the link at the end.

Free Firewalls

At present, my vote for best free firewall goes to Zone Alarm.
This is in contrast, you should note, with the result of the Paid-For question. The reasons are that it works well, is simple, is effective in stopping unwanted traffic in both directions, runs in stealth mode, and is fairly leak-proof. No free firewall is perfect.

Other good choices are: Agnitum Outpost free version; and Sunbelt Kerio Personal Firewall free version. You can find them, download them all, try them out. I don't recommend the free versions of Outpost or Kerio because one is too old and not now upgraded (the makers only develop & support the paid-for versions, which are A1); the other is too complex for a free program. The Full versions, though, come with the highest recommendation.

If you want the best protection there is, the people in the business say:

#1: Outpost; #2: Kerio; #3: Tiny Personal Firewall

Only those working in the Internet security business on a day-to-day basis are qualified to state this sort of opinion; certainly not me. An expert knows when to get advice from another expert in the precise field in question, and exactly who to listen to. I'd say ex-poachers turned gamekeeper, and people who nick poachers, are a good bet here...

Zone Alarm Full does not get the best recommendations of the industry, for the following reasons:

1. It used to be one of the best software firewalls, and probably one of the few that actually worked in both directions, but has not (in my opinion) properly resolved issues such as FTP problems. ***
2. You can tell from an app's Support BB which are hot and which are not. ZA just doesn't hack it here. Go to Outpost's BB if you want to see how a top app is supported by the community.
3. In addition, they now have a poor reputation for spying on users (and denying it hotly), then having to fess up when caught red-handed. Not good.
4. And not being very good in some areas: ports 'closed' but still found to be open.
5. It is alleged that their CEO has a less-than-spotless reputation in the Internet security world.
*** Update: ZoneAlarm free has fixed the FTP problem, and is the first firewall I've seen that can be FTP'd through without setting-up. Whether the full version also complies I don't know.

Another not recommended by the majority, so I'm told, is Norton / Symantec.

What's To Like Or Not

I'm afraid I can't get away from the fact that I like ZA Free: it's simple, does the job pretty well, has its good points, and has fewer bad points than most others. When you can decide for yourself, you may feel another candidate is best for your Full-Version $$$.

Outpost is good, has the best real-time logging – you can easily see exactly what's coming in and out at any time. Internet security pros use Outpost; but probably only they know how to set up a FW correctly anyway. Far too complex for a free app, unless you just say yes to everything.

Kerio is as good as the others; and at least it's possible to set it to silent mode (no warning pop-ups), though of course it is less secure in this mode. All PFs are troublesome, continually blocking everything including OK traffic, and keep popping up warnings until 'trained'. Kerio probably is least troublesome in this respect; and there are some other pluses to this choice. Although Outpost is reckoned to be the ultimate, Kerio gets my vote as the top app that's easiest to use, and therefore appropriate for most of us.

So, IMO:

1. Best Free Software Firewall: Zone Alarm Free.
2. Best Full-Version Software Firewall: Sunbelt Kerio PF.

You can't FTP through any of them (but see Update above) without a major brain-scrambling exercise setting it up – it is the single major fault in all software firewall makers' support / help procedure. None acknowledge the problem, or do anything much to help. Switch off the firewall every time you FTP, unless you are an Internet security pro who knows exactly how to set it up.
Some firewall & antivirus products are notorious for causing problems and slow PCs; we cannot name them here but you will find references to them elsewhere, on BBs and so forth.

Note that the best applications almost always have a free version because:

1. Everyone is well aware that they are in the top ten, so they have no trouble making sales;
2. The more people who are satisfied with their free version, the more buy an upgrade;
3. They generally need a large base of installed products to keep them updated with current requirements and environment changes – cf the top AVG Antivirus from grisoft.cz.

Top Tip

If you're desperately trying to FTP a file but pulling your hair out because it fails at around 80% and then hangs – here's the reason: it's your firewall. Even if you don't think you've got one running, that's what's causing it; sometimes what you think is just an antivirus program is a security package that also acts as a firewall. You'll have to find it and kill it.

We are talking here about a software firewall; hardware firewalls all have the FTP ports forwarded (= pre-opened), otherwise they wouldn't be much use, since only a small percentage of those who own them know how to manage them. Opening ports on a hardware firewall, though, is a cinch compared to trying to port-forward many software firewalls.

It isn't a good idea to turn off the software firewall unless you are behind a hardware firewall, and even then you are likely to get problems when on a DSL connection. For instance, on broadband, if you run with no firewall at all, you will get several viruses within five minutes.

PC FAQ's: Firewalls – Do I Need One?