Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
  
  


July 2002

Personal Firewalls



A look at six popular personal firewall products for Windows machines

All you want to do is use your computer to do your job, play games, learn, buy, and surf the Web. You don’t want to worry about malicious intruders, port scans, Trojan horses, worms, and all the other mischievous stuff that hunts your computer. You shouldn’t have to worry, but you must; thousands of malicious programs exist solely to break into your PC. That’s where personal firewalls come in. Personal firewalls are software programs you install on the PCs they protect. Hardware-based and corporate firewalls protect entire networks, cost more than personal firewalls, and usually aren’t as user-friendly. Personal firewalls are designed to keep the bad guys and programs out of your PC. The best of breed will keep malicious intruders outside your PC, turn away their unwanted probes, and prevent bad programs that have already staked a claim on your PC from doing further damage.

The best firewalls will also be easy to configure and manage. In the security world, functionality is crucial, but form also has a place because most home users want to install their firewalls and forget about them. Most users aren’t experienced enough with computer security to decide whether a particular configuration decision is the right one. Accordingly, the best personal firewalls install themselves in a reasonably secure mode with minimal user interaction.

At last count, more than two dozen personal firewall products were available. Some of these products are great, even the free ones. Other firewalls, as Gibson Research’s Steve Gibson (the infamous firewall tester of Shields Up!! fame) says, "are much worse for the security of your computer than using nothing at all!" (To read Gibson's comments about firewalls, see http://grc.com/su-evilportmon.htm.)

What makes a firewall great?
All personal firewall products filter data packets between a host PC and a network, which is usually the Internet. The features beyond that given role can make or break a firewall. Let’s look at the features common to six popular personal firewalls for Windows machines: Network Associates’ McAfee Firewall 3.0, Symantec’s Norton Personal Firewall 2002, Internet Security Systems’ (ISS's) BlackICE PC Protection 3.5, Tiny Software’s Tiny Personal Firewall 2.0, Zone Labs’ ZoneAlarm Pro 3.0, and Windows XP’s Internet Connection Firewall (ICF). Then, let’s look at how these products stood up under testing. To test firewall efficiency, I used several intruder utilities and creations to simulate external and internal threats.

Feature 1: Stop External Attacks
Even the most basic firewall should protect your PC from external malicious threats. These types of attacks include port scans, network traffic floods, malformed network packets, fragmentation attacks, and IP spoofing (i.e., rogue traffic that bypasses the firewall to exploit a deficiency in the OS or application). For more information about common attacks that intruders use, see the sidebar "External Firewall Attacks." Many PCs run services and applications that make them even more vulnerable to attack. For example, Symantec estimates that nearly 30 percent of Internet-connected Windows PCs have drive shares that don’t have passwords. Internet intruders can connect to these drive shares to download and upload files without the owner’s permission. Firewalls should prevent unauthorized access, deny invalid network packets, and stop external attacks.

Feature 2: Stop Internal Threats
If malicious software, or malware, executes on your PC, it might attempt to initiate connections over the Internet so that it can spread to other PCs, contact its originator, perform further configurations, or transfer files and information from your machine. Many of today’s worms and Trojan horses initiate an Instant Messaging (IM) session with a predetermined intruder channel and announce their latest victim. The intruder can then connect directly to the PC and raid it. Other malware might email its successes to predetermined recipients. Sophisticated worms (e.g., Hybris) download new modules and configure themselves on the fly. Clearly, intruders aren’t just trying to break in; they’re also trying to break out.

Feature 3: Automation
In the past, users had to have a fair amount of computer-security knowledge to install personal firewalls. Upon installation, either the firewalls allowed no Internet connectivity or users had to make security decisions and determine which traffic to allow, which led to recklessly installed firewalls—worse than no firewall at all because users thought they were protected. Today, most personal firewalls autoconfigure with a well-considered blend of default security and minimal user intervention, which leaves most of the common legitimate programs free to work and gives users the least inconvenience. The best personal firewalls notice patterns of malicious activity (such as a port scan) and configure themselves to automatically block future attacks from the same location. In addition, personal firewalls automatically check for newer versions of themselves and updated definition files.
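The self-configuring block described above can be sketched as follows. This is an added example, not code from the article or from any of the reviewed products; the threshold, window, class and function names, and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5      # assumed: distinct ports from one source that count as a scan
SCAN_WINDOW_SECONDS = 10.0   # assumed: sliding window for counting those ports

# Constructed inbound attempts (seconds, source IP, destination port).
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.20", 80),    # ordinary client, same port every time
    (0.5, "198.51.100.7", 21),    # sweep across many ports begins
    (0.6, "198.51.100.7", 22),
    (0.7, "198.51.100.7", 23),
    (0.8, "198.51.100.7", 25),
    (0.9, "198.51.100.7", 80),
    (1.0, "203.0.113.20", 80),
    (1.5, "198.51.100.7", 139),   # arrives after the source was blocked
    (30.0, "192.0.2.50", 135),    # slow prober, stays under the window
    (45.0, "192.0.2.50", 139),
    (60.0, "192.0.2.50", 445),
]


class AutoBlocker:
    """Blocks a source once it touches too many distinct ports in a short window."""

    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(list)   # source -> [(time, port), ...]
        self.blocked = set()

    def handle(self, ts, src, port):
        if src in self.blocked:
            return "drop-blocked"          # self-configured rule from an earlier scan
        hits = [(t, p) for t, p in self.recent[src] if ts - t <= self.window]
        hits.append((ts, port))
        self.recent[src] = hits
        if len({p for _, p in hits}) >= self.threshold:
            self.blocked.add(src)
            return "block-scan"
        return "inspect"                   # falls through to the normal rule set


def replay(events):
    """Feed events in time order; return per-event verdicts and the block list."""
    fw = AutoBlocker()
    return [fw.handle(*event) for event in events], sorted(fw.blocked)
```

The repeated port 80 client is never flagged because only distinct ports are counted, while the slow prober shows the limit of a fixed window: probes spaced wider than the window never reach the threshold.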

Most personal firewalls come with preset levels of protection (i.e., protection modes) you can change on the fly. The most protective mode doesn’t allow any Internet activity, which isn’t as stupid as it first sounds. You can disable all Internet traffic when you’re away from your PC to minimize risk while your PC churns away unattended. The least protective mode lets all Internet activity occur.

Feature 4: Application Control
Personal firewalls work by letting traffic into and out of a PC through predefined IP ports. In response, intruders scan for the ports that firewalls aren’t blocking, then attack and connect to those ports. For example, most firewalls let users surf the Web over IP port 80. A worm or Trojan horse running on a local hard disk can use port 80 as its opening back to the Internet to continue its maliciousness. Early firewalls couldn’t discern legitimate traffic from rogue traffic. The highest-performing firewalls have instituted a process called application control (or application scanning or application blocking). Only applications the user and firewall have approved can connect to the Internet.
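The difference between a port-only rule and application control, as an added example that is not code from the article or from any reviewed product. The program paths, the byte strings standing in for executables, the verdict names, and the use of a SHA-256 fingerprint to identify an approved binary are all assumptions.

```python
import hashlib

ALLOWED_PORTS = {80, 443}   # assumed outbound port rule, as a port-only firewall would hold


def fingerprint(image: bytes) -> str:
    """SHA-256 of the executable's bytes (assumed way to identify a binary)."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for executable file contents, and hypothetical paths.
BROWSER = b"constructed browser image"
PATCHED_BROWSER = BROWSER + b" plus injected code"
TROJAN = b"constructed trojan image"
BROWSER_PATH = r"C:\Program Files\Browser\browser.exe"
TROJAN_PATH = r"C:\Windows\Temp\updater.exe"

# Approved list: normalized path -> fingerprint recorded when the user approved it.
APPROVED = {BROWSER_PATH.lower(): fingerprint(BROWSER)}


def port_filter(dest_port):
    """Early-firewall behaviour: the decision depends on the port alone."""
    return "allow" if dest_port in ALLOWED_PORTS else "deny"


def application_control(path, image, dest_port):
    """Port rule plus a check that this exact binary was approved."""
    if dest_port not in ALLOWED_PORTS:
        return "deny"
    expected = APPROVED.get(path.lower())   # Windows paths are case-insensitive
    if expected is None:
        return "ask-user"                   # never approved: hold the connection
    if fingerprint(image) != expected:
        return "deny"                       # approved name, different binary
    return "allow"


# Constructed outbound requests: (program path, program bytes, destination port).
REQUESTS = [
    (BROWSER_PATH, BROWSER, 80),
    (TROJAN_PATH, TROJAN, 80),
    (BROWSER_PATH.upper(), PATCHED_BROWSER, 80),
    (BROWSER_PATH, BROWSER, 6667),
]


def compare(requests):
    return [(port_filter(p), application_control(path, img, p)) for path, img, p in requests]
```

Every request to port 80 passes the port-only rule, including the unapproved program and the modified copy of the approved one; only the per-application check separates them.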



Corrections to this Article:

  • The print version of "Personal Firewalls" (InstantDoc ID 25348) includes an incorrect URL for the expanded version of the article. The correct URL is http://www.winnetmag.com/articles/index.cfm?articleid=25348. We apologize for any inconvenience this error might have caused.
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.