LEAK-PROOF (SAFER) PERSONAL FIREWALLS |
Firewall | Considerations, versions, etc. |
McAfee Firewall | v 2.15+ Update to get version 2.15 or later |
Sygate Personal FW (FREE) | v 4.0+ FREE for personal use! |
Symantec / Norton | v 2.55+ LiveUpdate to get version 2.55 |
Tiny Personal FW (FREE) | v 2.0.7+ FREE for personal use! |
ZoneAlarm (FREE) | Never Leaked |
ZoneAlarm Pro | Never Leaked |
|
|
LEAK-PROOF (SAFER) FIREWALL NOTES |
|
| Automatic Rule Creation Just a BAD idea: At my urging, Symantec has changed the default setting for their product family's extremely unsafe automatic firewall rule creation to off. The ONLY WAY automatic rule creation could ever be safe would be if their provided database were to include pre-computed SHA1 hash signatures for known programs. Without pre-computed signatures, and with automatic rule creation enabled, any malicious program can still masquerade as a "known" program to invisibly and silently gain unrestricted access to the Internet. (That's not good.)
My enduring complaint is that NO WHERE does Symantec explain the danger of their automatic rule creation. Therefore unwitting users might turn it on in order to eliminate the pop-up questions which are so necessary for end-user security (in the absence of pre-computed SHA1 hash signatures). |
| Tiny Personal Firewall A terrific FREE Firewall: For some reason I was unable to get TPFW to work on my main dual-processor Windows 2000 workstation. I wanted to use it since it is fully multi-processor compatible and ZoneAlarm is not. It operated correctly under Windows 98SE on a test machine, but it didn't like something about my main dual-processor, dual-NIC, multi-IP, multi-display system. <<grin>>
If Tiny's firewall works on your system, and if you consider yourself more "technically oriented" so that you would enjoy messing around with firewall rules, ports, protocols, etc. (as I do), TPFW might be the best choice for you. But if you just want top-grade protection without making a career of it, and if you're running a single-processor machine, ZoneAlarm's rule-free system is probably the better choice for you.
You can grab a copy of TPFW from PC World's site here: www.pcworld.com/downloads. If you read the comments being left by people it is clear that TPFW2 is working very well for the majority of sane posters. It is a nice and secure firewall. |
LEAK-PROOF (BUT STRANGE) FIREWALLS |
Firewall | Considerations, versions, etc. |
PC-Viper | v 3.1.6+ Doesn't Leak, but seems "unfinished" (see below). |
|
|
LEAK-PROOF BUT STRANGE FIREWALL NOTES |
|
| PC-Viper v 3.1.6 In a class by itself: PC Viper has the distinction of being the first "fixed" firewall which initially failed the version 1.0 LeakTest. Just so we're clear: PC Viper version 3.1.6 passes all aspects of the v1.0 LeakTests. Although Source Velocity's current solution undeniably works, the current implementation has a few quirks and odd behaviors which bear noting:
| All application connection attempts are initially immediately denied rather than being "suspended" pending the receipt of the user's permission. As with the original Sygate solution, this may force the user to restart or re-initiate whatever work the denied connection was attempting to perform. Other personal firewalls are able to "pend" the application's access request while the user decides how to reply. |
| The version 3.1.6 user-interface apparently needs some updating, since there is no visible provision (that I could find) for viewing the current set of "Internet enabled" applications. All other application-blocking firewalls allow the user to see and edit which applications have been granted and/or denied access. |
| And speaking of being denied access, the current version apparently does not record and store the user's application denial responses at all. This means that every time an application, that you want to deny Internet access, attempts to access the Internet, you'll be forced to reply "no" again and again. |
As a result of these implementation quirks, while I certainly want to acknowledge PC Viper's quick response to the application masquerading vulnerability, I hope that they intend to flesh out this "patch" into a full-function solution sporting a complete user-interface.
At the moment, PC-Viper falls short and I could not bring myself to group it in with the much more correctly working and "finished feeling" firewalls above. |
LEAKY (UNSAFE) PERSONAL FIREWALLS |
Firewall | Trivial EXPLOITS | Masquerade VULNERABLE |
AtGuard | None Known | YES (in same directory) |
BlackICE Defender | Doesn't block unknown Trojans, Viruses, or Spyware |
Conseal Desktop | None Known | YES (in any directory) |
Conseal PC FW | No Provision to block Trojans, Viruses, or Spyware |
eSafe Desktop | YES (stealth) | YES (in any directory) |
PrivateFirewall 2.0 | None Known | YES (in same directory) |
Lockdown 2000 | No Provision to block Trojans, Viruses, or Spyware |
|
|
LEAKY (UNSAFE) FIREWALL NOTES |
|
| WRQ has asked me to point out that AtGuard was discontinued in 1999. I included it here for reference and comparison because so many people are continuing to use this otherwise excellent firewall. |
| Aladdin's eSafe Desktop has an extremely worrisome characteristic: A simple variation in any application's Internet communications approach renders the firewall completely transparent and allows any malicious software to pass though this firewall and gain unrestricted access to the Internet. This can be easily demonstrated by activating LeakTest's "Stealth" mode.
Also, when an application is "denied access" there is no provision for remembering that access should be blocked for that application. The user will therefore be asked every time the application attempts to use the Internet. |
| Masquerade Vulnerability: Please see the previous page for a discussion and explanation of the executable file masquerading vulnerability suffered by many current firewalls. |
| Accuracy of these Findings: The information contained in the table and text above is believed to be accurate and representative of the current release version of all products discussed. We will entertain any and all factual rebuttals and will work to maintain this page so that it continues to accurately reflect the current state of the personal firewall marketplace. |
|