Firewalls Reviews


Firewalls

Updated January 2008
Full Story Continued - Firewalls Consumer Report

A firewall is a barrier between the Internet and your computer. The term comes from physical firewalls in buildings or cars that block fire from spreading. A firewall is also analogous to a lock on a door -- it prevents those without keys or access codes from entering. Firewalls enforce security policies. These policies or rules are in the form of built-in (usually user-controlled) filters that permit access only to authorized users.

There are two types of firewalls: software firewalls and hardware firewalls (such as those built into routers). Both examine the data that comes from the Internet and into your system. When packets of information enter your computer, the filters examine them for the source of the data and the destination of the data. The firewall does this by comparing this incoming information to the criteria set or established by the filters. If the information passes scrutiny, the information is forwarded on to its destination. Any unacceptable data is deleted or blocked before it reaches your hard drive.

Firewalls can also control the traffic that comes into and out of your computer system. A good firewall is customizable. This means that you can add or remove the filters that you want. With a firewall, you can set up these rules to restrict the information that is allowed to enter your home computer or network. Practically speaking, these rules give you control over what websites people can view or what activities they can perform. Users can grant or deny access to specific sites, and most firewalls have a pre-approved list of common, reputable websites, which shortcuts configuration.

Every computer has a unique numerical IP address, which is used to identify your particular computer on the Internet, so you can receive e-mail and view websites. A firewall's filters can hide your computer's IP address, making your computer invisible to hackers. Your computer uses ports to connect to various services. HTTP (web browsing), for example, uses port 80. FTP (file transfer protocol) uses port 21. A firewall can close unused ports to prevent an attacker from entering through an open port. Another firewall filter can block specific domain names. You can also configure the firewall to prevent FTP activity (which allows you to upload or download files to and from the Internet). There are also filters relating to words or phrases, which allow you to block access to sites containing material you might find objectionable.

Software firewalls vs. hardware firewalls

Software firewalls work differently than hardware firewalls, but the two can be used together to create a powerful level of security. Hardware firewalls are devices that sit between the Internet and your computer. If you own a router (wired or wireless), for example, it probably includes a hardware firewall. A main advantage of hardware firewalls is that they use no system resources, because they work independently from your computer. They can also protect multiple computers on a network at once. They can be more difficult to customize, especially for beginners, but hardware firewalls are usually effective even without configuration. Since a router has its own IP address, potential hackers can't see your computer -- they can only see the router.

Software firewalls provide some of the best protection against viruses, worms, Trojans and other malicious programs. One disadvantage of software firewalls is that they can slow down system performance, especially if you have an older computer. Software firewalls monitor both incoming and outgoing traffic. A flaw of a software firewall is that it doesn't totally hide your IP address from the outside world. It closes unused ports and monitors traffic to and from open ports.

If you use your computer mainly for e-mail and casual web surfing, a software firewall is probably all you need. However, if you use your computer for work, store financial information on it or use online banking, then you should also consider a hardware firewall. If you have a wired or wireless router, it likely already includes a hardware firewall. See our wireless router report for more information.

Windows XP and Vista firewalls

If you use Windows XP or Vista, you are somewhat protected by their included firewalls, but reviews still say you will be safer with a third-party firewall. Windows XP includes a rudimentary firewall, but it only protects against inbound threats. Windows Vista includes a slightly more robust firewall that also protects against outbound threats.

The Windows XP firewall is turned on by default when you install Service Pack 2 (SP2). SP2 also includes a Security Center that allows you to easily control the Windows firewall, as well as any third-party firewalls and antivirus applications you may have running. With SP2 installed, Windows will alert you when updates are available for third-party security applications.

The consensus among reviewers is that the Windows XP SP2 firewall is adequate at best. Matousec tests show that it cannot protect against leaks at all. Reviewers such as PC Magazine's Neil Rubenking say that several free third-party firewalls are a significant upgrade from the XP firewall. Web User's Brad Jackson describes the default option as "a workable measure of protection for those who don't like the setting up and interaction involved in other firewalls, and would otherwise be going unprotected." However, he adds, "this is a risky strategy, and we'd thoroughly recommend installing one of the more sophisticated firewalls instead."

Because the XP firewall only monitors inbound threats, Computerworld's Scot Finnie and Preston Gralla say, "If your PC [is] invaded by a Trojan or spyware, those programs would be allowed to make outbound connections unimpeded." Reviewers say that this is the key reason why they recommend using a third-party firewall. To rely completely on the SP2 firewall, you'd need to be certain that your computer harbors no intruders already, such as previously downloaded programs that might be dialing out. In that case, blocking inbound traffic might be enough.

Other firewalls not only block incoming traffic, but also monitor Internet activity initiated from your computer. This enables them to catch intruders that have been planted in your computer and are trying to pass personal information and files to a tracker, hacker or hijacker.
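
The rule matching described earlier (ports, domain names, first matching filter decides) and the one-way versus two-way difference discussed above can be modeled in a few lines of Python. This is an added example, not part of the original report or any reviewed product's code; the program names, hosts and rule set are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (unsolicited, from the Internet) or "out" (from this PC)
    remote_host: str
    port: int           # destination port of the connection
    program: str        # local program that owns the connection

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    direction: str
    port: Optional[int] = None      # None = any port
    domain: Optional[str] = None    # None = any remote host
    program: Optional[str] = None   # None = any local program

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.port is not None and p.port != self.port:
            return False
        if self.program is not None and p.program != self.program:
            return False
        if self.domain is not None:
            # Match the domain or one of its subdomains, not a look-alike
            # such as "notblocked.example" for the rule "blocked.example".
            host = p.remote_host.lower()
            if host != self.domain and not host.endswith("." + self.domain):
                return False
        return True

@dataclass
class Firewall:
    rules: list      # evaluated top to bottom; the first match decides
    default: dict    # fallback action per direction when no rule matches

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default[p.direction]

# One-way firewall (the XP SP2 behaviour described above): inbound is
# blocked, outbound is never inspected.
ONE_WAY = Firewall(rules=[], default={"in": "block", "out": "allow"})

# Two-way firewall: outbound is blocked unless a rule allows it.
TWO_WAY = Firewall(
    rules=[
        Rule("block", "out", domain="blocked.example"),  # domain-name filter
        Rule("block", "out", port=21),                   # no FTP activity
        Rule("allow", "out", program="browser.exe"),     # approved program
    ],
    default={"in": "block", "out": "block"},
)

# Constructed sample traffic (addresses are documentation ranges).
SAMPLE = [
    Packet("in", "203.0.113.9", 21, "system"),             # unsolicited probe
    Packet("out", "www.example.org", 80, "browser.exe"),   # normal browsing
    Packet("out", "ads.blocked.example", 80, "browser.exe"),
    Packet("out", "198.51.100.7", 80, "planted.exe"),      # program dialing out
]

def verdicts(fw: Firewall) -> list:
    return [fw.decide(p) for p in SAMPLE]

if __name__ == "__main__":
    for name, fw in (("one-way", ONE_WAY), ("two-way", TWO_WAY)):
        print(name, verdicts(fw))
```

Only the last sample packet separates the two designs: the one-way firewall lets the planted program connect out, while the two-way firewall blocks it because no outbound rule approves that program.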

On paper, the Windows Vista firewall is a big improvement since it monitors outgoing as well as inbound traffic. Microsoft is touting security enhancements as a big reason for upgrading. Reviewers say that Vista's security enhancements for non-business users don't amount to much, however. That's also true of the latest integrated Mac OS firewall (see below).

Computerworld has the best coverage of the Windows Vista firewall. Reviewer Preston Gralla says outbound filtering is inadequate. He checked with Microsoft product managers, who didn't dispute his criticisms. The article notes that Microsoft includes a more formidable firewall in Windows Live OneCare 2.0 (*est. $50 per year) and calls the situation "a somewhat schizophrenic approach to outbound protection."

In a thorough analysis, Thomas Greene says in The Register that Vista is a "slightly more secure version than XP SP2." In a scathing review of Vista -- and especially its security features -- Forbes writer Stephen Manes maintains, "If malware somehow gets into your machine, Windows Firewall will not stop it from making outbound Internet connections to do its evil deeds." Considering that you can get a better firewall for free, the operating system firewalls seem to offer little value. An exception might be if you have a hardware firewall, but we haven't yet seen that addressed by reviewers.

Best software firewalls

The official release of Comodo Firewall Pro 3.0 (free) happened as we were researching this report. That means that some of the reviews are of the beta (testing) version. PC Magazine selects Comodo Firewall Pro 3.0 as an Editor's Choice. Both PC Magazine and BIOS magazine describe it as "the best free firewall software available." That implies that both reviewers believe that some paid firewalls could be better, but neither reviewer mentions one. Web User gives the program a Gold Award as the best firewall, but reviewer Andy Shaw complains that it (the beta version) is hard to use. Conversely, in PC World's "The 15 Best Downloads of the Year," Preston Gralla describes Comodo 3.0 as "a top-rated free firewall that's easy to use and configure." At BetaNews, a member forum and download site, the Comodo firewall has the highest average rating for a current product.

Scot Finnie, editor of Computerworld, has been privately testing firewalls for months to determine the best lightweight firewall (meaning that it interferes minimally with computing performance). His many readers in computer-related fields contribute suggestions and criticisms. Finnie had almost settled on version 2.4 of Comodo, then the Comodo Group released version 3.0, and his readers recommended Online Armor Personal Firewall v2 (free). At press time, Finnie is testing the two firewalls in real usage and will conduct his own analysis of leak tests.

Finnie and PC Magazine's Neil Rubenking are very impressed with Comodo's options. Rubenking says it works well both as a simple program and as a fully customizable firewall for those who need specific settings. Comodo includes a "white list" of popular safe applications, so users will not have to tell the firewall that these programs are legitimate.

Comodo 2.4 was rated third overall among 42 programs in Matousec.com's leak test evaluations. Online Armor Personal Firewall v2 (free) and Outpost Firewall Pro 6.0 (*est. $40) finish ahead of Comodo, and both passed all leak tests.

Finnie says, "Online Armor is literally a joy to use. I've seen only about five pop-ups in about 10 hours of direct use." The Matousec tests are what interested Finnie and Scott May in Online Armor. May likes the simplicity and ease of use, too. He says, "Online-Armor installs quickly and configures painlessly," adding that you "don't have to know beans about ports or protocols to set the program up correctly." Training the program is relatively painless, too. May concludes, "The standard version of Online-Armor is fantastic, and…it's probably all most users will need." He recommends the free version, but says to upgrade to the commercial version (*est. $40), if you find it's necessary.

The commercial version of Online-Armor includes web and mail shields, a phishing filter, an advanced mode, key-logger detection, transparent blocking, DNS spoofing protection, automatic updates and support. Neither the free nor the commercial versions are compatible with Vista (at press time). A third version includes Kaspersky antivirus (*est. $70). Given that the firewall in Kaspersky Internet Security 7.0 (*est. $70) out-performed the firewalls in all other suites in Matousec's tests, the Kaspersky suite is the better value if you want its extra features.

Outpost Firewall Pro 6.0 (*est. $40) from Agnitum may be a better option than the commercial version of Online-Armor, if you need a commercial firewall program. Versions 3 and 4 received very favorable reviews, but the new version has only been reviewed by Personal Computer World so far. The British magazine rates all firewalls equally, so comparison is impossible. Paul Rowlingson says Outpost "offers a good level of protection for home users and is powerful enough for advanced users yet simple enough for beginners." Rowlingson also likes the way the program can be used to exercise per-user parental control. It can block specific websites or key words on websites.

The new version includes a handful of security enhancements, including anti-spyware protection. It is compatible with Vista. Security programs are notorious for conflicting with each other, and we're impressed that Agnitum acknowledges the potential for problems. The developer says, "Outpost Firewall Pro should not be run with any other security software. Running Outpost Firewall Pro with other security products can result in system instability (i.e. crashes) and can cause your system to operate in an insecure mode."

One other free firewall is worth considering, according to tests, but not any full reviews. Jetico Personal Firewall 2.0 (free) ranked fourth in Matousec.com's leak tests. Preston Gralla recommends Jetico in the PC World article, "Keep Yourself Safe When You Surf," but this recommendation isn't supported by much documentation. Jetico has a relatively low average rating (3.2 out of 5) in user reviews at BetaNews.

However, Computerworld's Scot Finnie says, "I was sorely disappointed in Jetico Personal Firewall." He complains about "a blizzard of apparently repeat pop-ups." Network blockages and Vista compatibility were also problems in tests, but he fairly notes that he was testing a beta version. Some of those issues may have been resolved in the final release.

You may be wondering about some of the major security brands. Perhaps because of Vista, neither Symantec (Norton) nor McAfee has released a standalone firewall in the past couple of years. As reported above, the firewalls in their Internet Security suites performed poorly in Matousec tests. Neither developer currently offers a standalone firewall for Windows, but Symantec does make a Mac-compatible firewall.

Mac firewalls

Macintosh pundits disagree about the need for security. Apple's operating systems are structured differently than Windows operating systems and are less vulnerable to attack. In addition, since Apple systems represent a minority market share, they have been less attractive targets for hackers. Mac users running OS X already have a firewall included in the operating system. By default, the Mac firewall closes the most-exploited ports, requiring users to actively enable ports for file sharing, print sharing or personal web hosting. Rebecca Freed, in her article for PC World, writes that the Mac OS X firewall "has some advanced features, including activity logging and a stealth mode. If enabled, the stealth mode makes your Mac invisible to incoming data inquiries, which is essentially the same thing that hardware firewalls do." Freed notes that users do need to turn on the Mac firewall, which isn't turned on by default. However, the firewall settings are a little hard to find.

Other reviewers say the Mac OS firewall isn't effective. Heise-Security.com has the most comprehensive and well-documented review, in which Jürgen Schmidt reports, "The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorized services can still be established and even under the most restrictive setting."

SecureMac reviews Firewalk X (*est. $35), ContentBarrier (*est. $50), DoorStop Firewall (*est. $50), IPNetSentry (*est. $60), NetBarrier (*est. $60) and Norton Personal Firewall (*est. $65). Programs are rated on a 5-point scale. Firewalk and DoorStop are rated 4 out of 5; the other programs are rated 5. As all the programs receive rave reviews, this source isn't very valuable. The Mac Life article, "11 Foolproof Ways to Make Your Mac Secure," mentions a slew of programs, including those from Intego and DoorStop, but it doesn't evaluate them.

Macworld also reviews Norton Personal Firewall and DoorStop Firewall in older reviews. Both are rated higher than the integrated Mac OS X firewall, but reviewer Jeffery Battersby seems to believe a third-party firewall is unnecessary. Like the Windows XP firewall, the OS X firewall only protects against inbound threats. Battersby gives little indication that he or Macworld tested the performance of any of these firewalls. Norton Personal Firewall is top-rated, however. Macworld calls it "simple and effective."

Many free firewall programs have been developed for Linux. However, none of these has been formally reviewed by any well-regarded critics. The Tech-FAQ (http://www.tech-faq.com/download-free-firewall.shtml) describes a dozen of them and has links.

Important Considerations: Firewalls

Experts recommend keeping these factors in mind when selecting and using security software:

  • Reviews recommend using a (wired or wireless) router with its own firewall as the first layer of protection, with a software firewall as the second. This is worth consideration even if you don't have a network. (See the ConsumerSearch report on wireless routers for details.)
  • Though you have security software installed, you must still monitor your Internet behavior. Research before clicking on an ad or download, and don't open e-mails or attachments that look suspicious. Stay up to date about the latest Internet dangers by browsing computer news sites or subscribing to e-mail alerts. (See the Best Research section below for recommendations.)
  • Disable file and printer sharing if you aren't using this feature.
  • When choosing a firewall, be sure to check system requirements. Choose the correct version for your operating system. All work with Windows XP, but some don't work with Vista. Only a few work with older operating systems.
  • Update security software regularly. Be sure your software is set to check for updates automatically, preferably at least once a day. Most security software does this automatically, but some free programs require manual updates.
  • After the firewall is installed, test that it's working properly. Use a testing site such as Security Space Desktop Audit or one of the websites listed in the Best Research section below to make certain your firewall is working properly and is configured correctly.
  • Turn on auto-updates or regularly check the Microsoft website for security updates and patches to the Windows operating system. It doesn't take long for hackers to exploit vulnerabilities in Windows operating systems, and keeping your system up to date is the best foil.

Consensus Report

Our Consensus Report shows how many times products are top-ranked by reviewers included in our All The Reviews Reviewed chart.

# of Picks    Model
6             Comodo Firewall Pro Version 3.0 (free)
3             Online Armor Personal Firewall 2.1 (free)
1 each        Norton Personal Firewall 3.0 (Mac), ZoneAlarm Pro, Jetico Personal Firewall (free), Lavasoft Personal Firewall, Outpost Firewall Pro 6.0

In most of this decade, the commercial and free versions of ZoneAlarm were reviewer favorites. However, sliding test results and other ZoneAlarm issues are now causing reviewers to find better alternatives. Even though it's free, reviewers identify Comodo Firewall Pro Version 3.0 as the best all-around firewall. This version is brand new, and reviewers believe the major bugs were caught in beta testing and fixed before release.

Two other programs, Online Armor Personal Firewall 2.1 (free) and Outpost Firewall Pro 2008 6.0 (commercial), were attack-proof in the most respected tests conducted by Matousec.com. Online Armor is not yet compatible with Vista. Comodo and Jetico Personal Firewall 2.0 were the only two other programs to produce excellent test results.

Alternative Considerations

If you want to avoid installing a software firewall, there are some options. Most reviews say you could get by with the one-way firewalls included with Windows XP and Mac OS X, especially if you don't use your computer to store banking, financial or other sensitive personal information. The Windows Vista two-way firewall offers slightly more protection, according to reviews.

If you need other security software as well as a firewall, Internet security suites include firewall, antivirus, anti-spyware, anti-spam and parental-control components. See the ConsumerSearch report on Internet security software.

A wired or wireless router with an integrated firewall is an excellent first line of defense. Routers can be complicated to configure, but experts note that they provide good protection even with no configuration. They won't tax your system's resources at all, and most experts say they are more effective than software firewalls. If you need to protect a network of small business computers, experts recommend a dedicated hardware firewall.

Experts who address the subject say that a software firewall in tandem with a router provides the best protection for a home user or home network.

Best Research

The Firewall Knowledge Network has excellent information and forums.

The National Cyber Security Alliance offers tips for online security.

It can be confusing when a firewall asks permission to let a program on your computer access the Internet. Windows has many tasks running in the background whose names are not likely to be familiar. You can look up information about such tasks to find out if they are "good guys" or invaders at http://answersthatwork.com/.

PCStats.com offers a Beginners Guide: Firewalls and Internet Security for those wanting to learn about firewalls.

This web page has information on personal firewall software for the Mac OS.

ZDNet offers guidelines for securing a wireless network.

Test My Firewall has links to firewall and other tests.

You can test your system's security at any of these sites:

Shields Up

Security Space A basic audit or a single test is free.

HackerWhacker The first test is free.

Staying up to date:

PC Magazine has a weekly online newsletter called Security Watch.

Home PC Firewall Guide has a list of the newest titles and improvements. This is a detailed online guide to personal firewall software. You can find tips on how to make your computer more secure, including information on firewalls and antivirus software.

AntiOnline has anti-hacking and antivirus news and advice.

These sites and articles can help you learn more about firewalls and how to use them:

HowStuffWorks explains "How Firewalls Work"

Internet Firewalls: Frequently Asked Questions

Macworld article, "Protect your Mac: 18 ways to safeguard your data and your privacy right now" (June 19, 2006)

Vicomsoft offers a comprehensive explanation of what firewalls do and how they work called "Firewall Q&A"

Software developers' websites:

Agnitum Outpost

Comodo

DoorStop (Mac)

IPNetSentry

Jetico

Lavasoft Personal Firewall

Netbarrier (for Mac)

Norton

Online Armor Personal Firewall

Sunbelt Personal Firewall

ZoneAlarm
