Are Personal Firewalls Worthless?

[Lemur]

I've always been fond of my ZoneAlarm firewall, even if it is a bit twitchy, and even if I need to turn it off now and then. But then I come across an article reporting on a test of six personal firewalls, finding them all useless. Have a gander:

A recent test in the Munich-based computer magazine PC Professionell showed that the software often causes more problems than it solves. Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

Many firewalls were even quickly switched off within the simulation. In the most serious cases, damaging software was able to circumvent the firewall in sending sensitive data, from personal surfing histories to passwords and credit-card numbers, to the hacker.

Comments? And more importantly, have any of our euro-orgites read the original test in the original Deutsch, and if so, can they give us a little more perspective?

[Xiahou]

I never put any stock in "personal" software firewalls. I mean, I'll certainly use one if it's all I got- but I much prefer a nice hardware firewall. They're builtin to pretty much any broadband router you can get today and seem pretty effective when configured properly.

Not one of the six firewall programs the magazine tested, regardless of whether commercial or freeware, could prevent all attempts from the test programs at establishing outgoing connections between the PC and the internet.

This got a "no duh" reaction from me. Of course, no program is going to stop every attack you throw at it. As soon as they make something foolproof, a better fool comes along.

"The primary gateway into the browser is JavaScript," Wolf explains. Users should deactivate the program language in their browser, or use browser extensions to define which web sites are to be trusted to execute JavaScript.

Bingo- that's huge. I run NoScript and Spybot S&D on my computers and both have protected my PCs against numerous attacks from nefarious sources. NoScript can be a hassle sometimes- but once you see the protection it offers you, it's well worth it.

[DukeofSerbia]

The so-called personal firewall programs commonly used with home PCs are not comparable to the powerful firewalls used in companies or public organisations.

Those organisations can afford special computers assigned exclusively to guarding the PCs in the network. A home computer must attempt to maintain its own firewall while performing its normal functions.

From that article...

Because you don't have money to buy hardware firewalls, software are good enough for home usage. Zone Alarm Pro is very good program and with excellent antivurus program like NOD32 make excellent team. Ad-Aware for spyware.

[drone]

If you have a hardware router/firewall (and everyone with a high-speed connection should), the use of a software firewall is reduced significantly. However, if you have multiple PCs behind this firewall, or wireless behind this firewall, then the software does protect some against internal infections and infections on your bandwidth-stealing neighbors' PCs.

Nothing will protect you completely, in the end the user is the most important and vulnerable part of any security system.

[R'as al Ghul]

Comments? And more importantly, have any of our euro-orgites read the original test in the original Deutsch, and if so, can they give us a little more perspective?

Yes, I did. Although in a different mag called ct (computer technology).
It may be a simple reprint, some of those mags are closely related.
Iirc, they mainly said that the virtual security that's perceived when having a PF installed is just that, virtual. They made the point that people trust in them too much. Besides the fact that popular Firewalls like Zonealarm are the first piece of Software being attacked and neutralised, the main problem were Windows native services that were being hijacked. (That's when I thought, wait a minute don't they do MD5 checks on the file? That's what my Sygate does). The other main problem is people's lacking knowledge, often resulting in an "Allow everything" mentality. You can't expect the average user to know about all Windows services and possible threats.
They recommended some anti-spyware programs and a good virus scanner to keep the system clean.
I'll check the article again to look for details but there wasn't really much new.

[caravel]

Personal firewalls such as ZA are rubbish, and a complete waste of money. If you want to run a personal firewall then you should simply use the Windows ICS/Firewall service. This is a NAT router and as good as it gets for the home user.

There is actually no such thing as a hardware firewall. A firewall is always software. So called hardware firewalls are simply a program running as firmware on a piece of hardware. Usually the firmware is some kind of UNIX or Linux, with the NAT router running on this.

The advantage of this, is that you are behind the NAT, if you're actually using the machine that is hosting the NAT, as is the case with personal firewalls and the Windows ICS/Firewall service, you're still directly connected to the net. (Note: NAT is not exactly a firewall)

My advice: Uninstall the zonealarm/other personal firewall, and free up some system resources, then invest in a decent hardware based NAT router.

[Geezer57]

While I agree that personal firewall software should never be your sole (or even main) source of online security, and also agree that money spent on them is largely wasted (there are several free alternatives), I would'nt label them as completely useless. And I'd have to disagree with the recommendation to uninstall ZoneAlarm in preference to Windows ICS/Firewall service. ZoneAlarm at least checks outgoing data, which the Windows Firewall doesn't, so can give an indication that you've clicked on the wrong thing and gained some spyware.

I use alternative browsers, a hardware firewall/router, corporate-level antivirus software, along with updates to them and regular O/S patches - and ZoneAlarm Personal (free). Combine that with intelligent surfing. and you're probably as secure as is possible for an average individual. Of course, ZoneAlarm is the first thing to get shut down when a LAN or online gaming session stars.

[caravel]

While I agree that personal firewall software should never be your sole (or even main) source of online security, and also agree that money spent on them is largely wasted (there are several free alternatives), I would'nt label them as completely useless. And I'd have to disagree with the recommendation to uninstall ZoneAlarm in preference to Windows ICS/Firewall service.

The free version of zonealarm is actually quite limited because you cannot add ip addresses/hosts to the blocked zone, nor can you configure to navigate the Windows firewall/ICS service (if you're using this for ICS). Zonealarm pro however is pretty good, but at a cost. Personally I don't bother with ZA because it's rather overweight and most of the 'alerts' it flags as 'high rated' are nothing more than normal network traffic, such as icmp packets. I recommend the windows ICS/firewall service because it is built into WinXP, so costs nothing more and needs no installation, it is a decent NAT firewall that protects against possibly malicious port scanning, and thus worms as well as actually monitoring programs that try to access the net, i.e. the programs such as MTW etc, that need to be unblocked. It does it's job and is all the average user needs.

ZoneAlarm at least checks outgoing data, which the Windows Firewall doesn't, so can give an indication that you've clicked on the wrong thing and gained some spyware.

You're right about outbound protection. This is something that MS have chosen to ignore so far. One thing to remember is that the typical Linux desktop also does not have outbound protection. At the end of the day if you're careful about what you install/execute on your pc, and if you avoid IE and Outlook Express, that's the best outbound protection there is. Also if a malicious executable does enter your pc, there is the very big possibility that this could simply disable or circumvent any outbound protection or fool the user into allowing it.

I use alternative browsers, a hardware firewall/router, corporate-level antivirus software, along with updates to them and regular O/S patches - and ZoneAlarm Personal (free). Combine that with intelligent surfing. and you're probably as secure as is possible for an average individual. Of course, ZoneAlarm is the first thing to get shut down when a LAN or online gaming session stars.

I prefer the hardware based firewall/nat router method. Previous to this I had an old laptop running Linux doing my routing and firewalling.

[Geezer57]

Caravel, thanks for the clarification. It sounds to me like you've pretty well got it figured out, and that what you use works well for you - just like what I'm using works well for me. I don't think there's a "perfect" answer to situations as complex as these, just hopefully good ones.

Have a great weekend - Cheers!