Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation

Personal Firewall Scoreboard

The following information has been gathered by the combined effort of many terrific contributors to the grc.leaktest newsgroup. If you have experience with other personal software firewalls we hope you will share your experiences, or if your findings are different from those shown below, please come over to the grc.leaktest newsgroup and add your voice!

Security is a constantly moving target and a never-ending challenge. Therefore, the following results are expected to be accurate only for version 1.0 of LeakTest. In other words, the following firewalls are "Leak-Proof" ONLY relative to their behavior with version 1.0 of LeakTest. When version 2.0 is created it is likely that these results will change.

LEAK-PROOF (SAFER) PERSONAL FIREWALLS
Firewall                  | Considerations, versions, etc.
McAfee Firewall           | v 2.15+ — Update to get version 2.15 or later
Sygate Personal FW (FREE) | v 4.0+ — FREE for personal use!
Symantec / Norton         | v 2.55+ — LiveUpdate to get version 2.55
Tiny Personal FW (FREE)   | v 2.0.7+ — FREE for personal use!
ZoneAlarm (FREE)          | Never Leaked
ZoneAlarm Pro             | Never Leaked

LEAK-PROOF (SAFER) FIREWALL NOTES
Automatic Rule Creation — Just a BAD idea: At my urging, Symantec has changed the default setting for their product family's extremely unsafe automatic firewall rule creation to off. The ONLY WAY automatic rule creation could ever be safe would be if their provided database were to include pre-computed SHA1 hash signatures for known programs, so that a program is recognized by the contents of its executable rather than by its file name. Without pre-computed signatures, and with automatic rule creation enabled, any malicious program can still masquerade as a "known" program simply by carrying that program's name, and so invisibly and silently gain unrestricted access to the Internet. (That's not good.)

My enduring complaint is that NOWHERE does Symantec explain the danger of their automatic rule creation. Therefore unwitting users might turn it on in order to eliminate the pop-up questions which are so necessary for end-user security (in the absence of pre-computed SHA1 hash signatures).
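As an added illustration of the point above (this is not code from GRC, from LeakTest, or from any firewall vendor), here is a small Python model of three ways a personal firewall might remember an application the user has already approved: by bare file name, by full path, or by full path plus a SHA-1 digest of the file body. It then tries the two masquerades the scoreboard's "Masquerade VULNERABLE" column distinguishes, an impostor with the same name in another directory and an impostor written over the genuine file in the same directory. The program names, directories, and file contents are constructed stand-ins, and the rule stores are hypothetical models, not any product's actual implementation.

```python
"""Why a firewall rule must be bound to an executable's hash, not its name.

Three toy rule stores model three ways a personal firewall can remember an
application it has already been allowed out to the Internet:
  NameRules - keyed on the bare file name        (defeated from any directory)
  PathRules - keyed on the full path             (defeated from the same directory)
  HashRules - keyed on path + SHA-1 of the body  (defeated by neither)
All binaries below are constructed stand-ins written into a temp directory;
none of this is real firewall code.
"""
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path):
    """SHA-1 of a file's contents, read in chunks. SHA-1 is the digest the page's
    era discussed; a modern implementation would substitute SHA-256 unchanged."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameRules:
    """Hypothetical store: rule keyed on the executable's file name only."""
    def __init__(self):
        self.allowed = set()

    def learn(self, path):
        self.allowed.add(Path(path).name.lower())

    def permits(self, path):
        return Path(path).name.lower() in self.allowed


class PathRules:
    """Hypothetical store: rule keyed on the executable's full path."""
    def __init__(self):
        self.allowed = set()

    def learn(self, path):
        self.allowed.add(Path(path).resolve())

    def permits(self, path):
        return Path(path).resolve() in self.allowed


class HashRules:
    """Hypothetical store: rule keyed on full path AND a digest of the file body."""
    def __init__(self):
        self.allowed = {}

    def learn(self, path):
        p = Path(path).resolve()
        self.allowed[p] = sha1_of_file(p)

    def permits(self, path):
        p = Path(path).resolve()
        return p in self.allowed and self.allowed[p] == sha1_of_file(p)


def run_masquerade_scenarios():
    """Return {rule_kind: {scenario: permitted?}} for the three rule stores."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        genuine_body = b"MZ-stand-in: the genuine browser"
        # Constructed stand-in for a browser the user approved once.
        trusted = root / "Program Files" / "Browser" / "browser.exe"
        trusted.parent.mkdir(parents=True)
        trusted.write_bytes(genuine_body)
        # Masquerade 1: same file name, dropped into a different directory.
        elsewhere = root / "Temp" / "browser.exe"
        elsewhere.parent.mkdir(parents=True)
        elsewhere.write_bytes(b"MZ-stand-in: a trojan using the browser's name")

        for kind, store in (("name", NameRules()), ("path", PathRules()), ("hash", HashRules())):
            store.learn(trusted)  # the user clicked "allow" for the genuine binary
            r = {"genuine": store.permits(trusted),
                 "same_name_other_dir": store.permits(elsewhere)}
            # Masquerade 2: the genuine file is overwritten in place (same directory).
            trusted.write_bytes(b"MZ-stand-in: a trojan written over browser.exe")
            r["replaced_in_same_dir"] = store.permits(trusted)
            trusted.write_bytes(genuine_body)  # restore for the next store
            results[kind] = r
    return results


if __name__ == "__main__":
    for kind, r in run_masquerade_scenarios().items():
        print(f"{kind:5s} rules: {r}")
```

Only the hash-bound rule rejects both impostors; a path-only rule closes the "in any directory" case but still lets through anything written over the approved executable, which is exactly the "in same directory" column in the table of leaky firewalls below.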
Tiny Personal Firewall — A terrific FREE Firewall: For some reason I was unable to get TPFW to work on my main dual-processor Windows 2000 workstation. I wanted to use it since it is fully multi-processor compatible and ZoneAlarm is not. It operated correctly under Windows 98SE on a test machine, but it didn't like something about my main dual-processor, dual-NIC, multi-IP, multi-display system. <<grin>>

If Tiny's firewall works on your system, and if you consider yourself more "technically oriented" so that you would enjoy messing around with firewall rules, ports, protocols, etc. (as I do), TPFW might be the best choice for you. But if you just want top-grade protection without making a career of it, and if you're running a single-processor machine, ZoneAlarm's rule-free system is probably the better choice for you.

You can grab a copy of TPFW from PC World's site here: www.pcworld.com/downloads. If you read the comments being left by people it is clear that TPFW2 is working very well for the majority of sane posters. It is a nice and secure firewall.

LEAK-PROOF (BUT STRANGE) FIREWALLS
Firewall | Considerations, versions, etc.
PC-Viper | v 3.1.6+ — Doesn't Leak, but seems "unfinished" (see below).

LEAK-PROOF BUT STRANGE FIREWALL NOTES
PC-Viper v 3.1.6 — In a class by itself: PC Viper has the distinction of being the first "fixed" firewall which initially failed the version 1.0 LeakTest. Just so we're clear: PC Viper version 3.1.6 passes all aspects of the v1.0 LeakTests. Although Source Velocity's current solution undeniably works, the current implementation has a few quirks and odd behaviors which bear noting:
All application connection attempts are immediately denied rather than being "suspended" pending the user's permission. As with the original Sygate solution, this may force the user to restart or re-initiate whatever work the denied connection was attempting to perform. Other personal firewalls are able to "pend" the application's access request while the user decides how to reply.
The version 3.1.6 user-interface apparently needs some updating, since there is no visible provision (that I could find) for viewing the current set of "Internet enabled" applications. All other application-blocking firewalls allow the user to see and edit which applications have been granted and/or denied access.
And speaking of being denied access, the current version apparently does not record and store the user's application denial responses at all. This means that every time an application that you want to deny Internet access attempts to reach the Internet, you'll be forced to reply "no" again and again.

As a result of these implementation quirks, while I certainly want to acknowledge PC Viper's quick response to the application masquerading vulnerability, I hope that they intend to flesh out this "patch" into a full-function solution sporting a complete user-interface.

At the moment, PC-Viper falls short and I could not bring myself to group it in with the much more correctly working and "finished feeling" firewalls above.

LEAKY (UNSAFE) PERSONAL FIREWALLS
Firewall            | Trivial EXPLOITS | Masquerade VULNERABLE
AtGuard             | None Known       | YES (in same directory)
BlackICE Defender   | Doesn't block unknown Trojans, Viruses, or Spyware
Conseal Desktop     | None Known       | YES (in any directory)
Conseal PC FW       | No Provision to block Trojans, Viruses, or Spyware
eSafe Desktop       | YES (stealth)    | YES (in any directory)
PrivateFirewall 2.0 | None Known       | YES (in same directory)
Lockdown 2000       | No Provision to block Trojans, Viruses, or Spyware

LEAKY  (UNSAFE)  FIREWALL NOTES
WRQ has asked me to point out that AtGuard was discontinued in 1999. I included it here for reference and comparison because so many people are continuing to use this otherwise excellent firewall.
Aladdin's eSafe Desktop has an extremely worrisome characteristic: A simple variation in any application's Internet communications approach renders the firewall completely transparent and allows any malicious software to pass through this firewall and gain unrestricted access to the Internet. This can be easily demonstrated by activating LeakTest's "Stealth" mode.

Also, when an application is "denied access" there is no provision for remembering that access should be blocked for that application. The user will therefore be asked every time the application attempts to use the Internet.
Masquerade Vulnerability:
Please see the previous page for a discussion and explanation of the executable file masquerading vulnerability suffered by many current firewalls.
Accuracy of these Findings:
The information contained in the table and text above is believed to be accurate and representative of the current release version of all products discussed. We will entertain any and all factual rebuttals and will work to maintain this page so that it continues to accurately reflect the current state of the personal firewall marketplace.

To continue, please see: Firewall Vendor Responses

Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Feb 01, 2005 at 14:27