Kicking Off a Software Firewall Comparo

Over the last month I’ve received a ton of email from readers asking me to help them pick firewall software to go along with F-Secure. I had intended to kick off a software firewall comparison review anyway, so I just got started a little earlier. My very preliminary research has *not* resulted in any sort of formal firewall pick by me as yet.

My considered advice on this subject is to start by choosing a hardware firewall of some sort, and then layer in a software firewall on every machine. This combination maximizes your protection and also provides you the most flexibility and convenience.

Firewall routers for home use are not expensive. Most are available in 1, 4, or 8-port switch combinations, with the 4-port models selling for as little as $25 with rebates. The average price is in the $50 range.

Generally speaking, the weakness of these low-cost products has to do with issues with firmware and tech support. If you’re a heavy broadband user, you may also find that you’ll burn these things out quickly. A good tip to remember is to power off your router for a few minutes every once in a while to reset it. Update firmware when you have a problem, but review the firmware notes on the company’s website every once in a while to make sure you’re not experiencing something that might be fixed by a firmware update.

Opting for a gigabit router brings you a bit more reliability as well as gigabit networking functionality for gigabit-equipped computers connected to the router. It offers zero improvement for your broadband throughput.

The popular products sold in this category — from makers like D-Link, Linksys, and Netgear — all offer Network Address Translation (NAT) and Stateful Packet Inspection (SPI), which, when combined, provide Internet stealthing and inbound firewall protection.

Firewall routers generally provide no outbound protection, or they may offer outbound protection that’s far less convenient to configure than that of a well-designed software firewall.

I’m currently using the first product on the list below, a wired D-Link home-user-level firewall router. It’s been working for me for three years or so without a single problem. There are wireless versions of several of these products, although I prefer a wired router with wireless access points.

Recommended Firewall Routers

For Home Use, in the $25-$60 Range:

Gigabit Firewall Routers in the $110-$125 Range:

Software Firewalls and Outbound Protection

This test grid shows the results of a long list of firewalls tested on a wide variety of outbound leak tests. It provides an interesting set of data that’s worth a look. (Note: Scroll to bottom and click “View Tests.”)

While it’s only one aspect of firewall protection, outbound blocking is especially important because hardware firewall routers aren’t the best tools for outbound protection. You want a software firewall that evaluates inbound and outbound transmissions, catches potential security threats, and makes it easy to make temporary or permanent decisions about outbound transmissions from applications and services.
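As an added illustration (not part of the original post), the toy Python model below shows the layering argued for above: a NAT/SPI router that drops unsolicited inbound traffic but forwards anything initiated from the LAN, and a host firewall that makes temporary or permanent per-program outbound decisions. Class names, addresses and program names are constructed for the example, and port translation is not modelled.

```python
# Added illustration: toy model of a NAT/SPI router plus a per-application host firewall.
# All names, addresses and program names are constructed; NAT port rewriting is omitted.
from dataclasses import dataclass, field

@dataclass
class SpiNatRouter:
    """Stateful router: inbound is accepted only as a reply to a tracked outbound flow."""
    flows: set = field(default_factory=set)  # (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        # No outbound policy: every LAN-initiated flow is tracked and forwarded.
        self.flows.add((lan_ip, lan_port, remote_ip, remote_port))
        return "forward"

    def inbound(self, remote_ip, remote_port, dst_port):
        # SPI: match against the state table; unsolicited packets are dropped silently.
        for lan_ip, lan_port, r_ip, r_port in self.flows:
            if (r_ip, r_port, lan_port) == (remote_ip, remote_port, dst_port):
                return f"forward to {lan_ip}"
        return "drop"

@dataclass
class HostFirewall:
    """Per-application outbound rules with one-time and remembered decisions."""
    rules: dict = field(default_factory=dict)  # program name -> "allow" | "block"

    def outbound(self, program, answer=None, remember=False):
        if program in self.rules:
            return self.rules[program]   # remembered rule: no prompt
        if answer is None:
            return "prompt"              # unknown program: ask the user
        if remember:
            self.rules[program] = answer # permanent decision
        return answer                    # temporary decision otherwise

def send(fw, router, program, flow, answer=None, remember=False):
    """Pass one outbound connection attempt through the host firewall, then the router."""
    verdict = fw.outbound(program, answer, remember)
    return router.outbound(*flow) if verdict == "allow" else verdict
```
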

I’m also big on the ability to configure networks so they work, without having to constantly tend them. Windows networking is bad enough as it is; any software firewall that gets in the way of basic networking functionality will not last long in my environment — and shouldn’t in yours. No one should become a slave to their firewall.

With that introduction, here are some of the firewalls I’m currently planning to evaluate in this long-term test:

People who’ve been around the block may wonder why I’m leaving out the best old-guard products, including ZoneAlarm, Norton Personal Firewall, and Sygate Personal Firewall. Well, here’s why.

Like my antivirus test, this one aims at getting a lowest-common-denominator product, not one that’s bloatware. So I’m looking for a product that focuses on being a software firewall, not a whole bunch of other stuff. I’m fed up with jack-of-all-trades security software that masters none.

So that lets out all the Internet security suites, including all four of the paid versions of ZoneAlarm. ZoneAlarm’s free basic firewall hasn’t been significantly updated in a long time. All those glowing reviews of ZoneAlarm’s firewall have been focused on one of the four paid versions of ZoneAlarm. The few tests I’ve examined that have tested the free ZoneAlarm have found it wanting. Zone Labs’ product page makes it clear that two out of the three firewall components are missing from the free version of its firewall.

I recently looked at Norton Personal Firewall again, both on a corporate network and on my home network. The product hasn’t kept pace with the rest of the field. Its most annoying aspect is that it prompts over and over again for the same DHCP network because you’re dynamically assigned a new IP address. It’s also difficult to find the settings, which are buried in several different locations. It’s not worthy.

So what’s wrong with Sygate? Nothing, really. It’s always been a great basic firewall aimed at more experienced users who understand how to configure a firewall. The only problem is that Symantec bought Sygate, so the product is no longer supported.

That said, there are many other lesser-known software firewalls out there. If you’ve got one you think I should consider, let me know. But be advised, I’m also looking for *why* you think a specific software firewall is great. Can you offer a link to a test or review that says so? Can you describe why you like it? Tell me what firewall you like and why.

I will share with you that I’ve looked at Comodo and Kerio so far. Over the past four weeks, I must have received 50 recommendations for Comodo. But so far, I don’t see why. It reminds me of Norton Personal Firewall. It’s very noisy, always popping up boxes, repeatedly — even when I tell it to remember settings. In one browsing session with Firefox, I had to say “Yes, let it work and remember this” eight or nine times. And I had trouble networking with Comodo; its settings for allowing networking were tough to configure.

Feel free to write me about why Comodo is so good. I know that Neil Rubenking over at PC Magazine loved it. What I want to know is what *you* think, though.

I like Kerio a lot better, but it may have some opposite problems. It may not be fully set up to protect you by default, which is something of a firewall no-no. Also, people who use DHCP to assign IP addresses to printers on their networks have reported printing troubles with Kerio. The user interface is terrific though. It’s more like ZoneAlarm, the software I used to prefer. And I had no difficulty configuring it.

I’ll be looking at LooknStop and Jetico next. Outpost may be too multifunction for my tastes, since it includes anti-spyware functionality. But Agnitum is working on a new version, so I’ll wait for it and give it a shot. Tiny Personal Firewall was purchased by Computer Associates last year and hasn’t been updated since. I’ve been running it on my 64-bit Windows x64 machine for about a year, since Tiny offered one of the earliest x64 firewalls. I like it, but don’t use that machine frequently.
