The other day I was experimenting with the newest build of Torpark. This latest version is a wonderful update. Steve Topletz, working with John Haller, has done a remarkable job of packaging it in a standalone mode. I really like it. For the uninitiated, Torpark melds Firefox with TOR (The Onion Router) to provide an "anonymous" IP address for your browsing.
Anyway. I had upgraded ZoneAlarm (free) to v6.5.722.000 a little bit before downloading the latest Torpark version. I'd not had any problems with either application ever before, so imagine my surprise when, after a few minutes of using Torpark, ZoneAlarm alerted me to the fact that its True Vector service had been suddenly shut down. It restarted and seemed fine, but then shut down again. As long as I wasn't running Torpark, ZoneAlarm didn't seem to be having any problems.
The prior version of Torpark also now caused the same behavior. Apparently a change in the latest ZoneAlarm version was causing the issue. Let me say I have no reason to believe that Torpark was behaving maliciously--but I didn't like what I was encountering.
So the simple response would be to just refrain from using Torpark. Or, just cope with the True Vector service getting turned off while using it.
Well, by now you should know Claus couldn't be satisfied with that.
And thus, I began the process of updating both my software firewall and my knowledge of software firewalls.
I first started using a firewall not too long after we got our first home pc back in 1998. The first application I used for a while was called AtGuard. It worked well. Somehow I ended up coming across Steve Gibson's Shields Up site that tested systems over the Internet for open ports, etc. AtGuard didn't perform well, so I took Steve's advice and began using Zone Alarm. I have been ever since without looking back. It provided inbound firewall protection as well as outbound connection rules and monitoring (good for alerting users to programs attempting to contact the Net).
Today I am using a physical router/firewall to protect the system against inbound attacks. So as far as inbound protection, I really don't need a firewall. But having outbound protection still seems like a no-brainer in case some trojan or other malicious program (heck, it's even nice to know for legitimate programs) is calling home to the mother ship.
I believe in a layered defense for computer security. Very simply, a layered approach like below provides a series of rings that must be passed (up and down) for applications operating on the system. If one is breached (it's hoped) the next layer will catch the problem. It is important that they all work together nicely.
User (might seem silly but the best/worst software protection exists between the user's ears)
(maybe) Process-level/integrity monitoring application(s)
A primary problem with software firewalls is that they can be tricked or fooled using any number of techniques. These include DLL injection attacks, process thread injections, and hijacking the launch of an approved web browser. So basically, if your browser (or another firewall "trusted" application) is used by a malicious program, it may slip unchallenged through your firewall--with no alert.
This is why a hardware firewall/router is a great solution for inbound protection (from the Net to your pc) but (in a standard configuration) isn't as good for guarding against malicious outbound traffic. Unless properly configured, it can let important traffic out (including your SSN, banking info, bot net using bandwidth, etc.) from your pc without blocking.
So, it seemed a good idea to go back and do some research as I re-evaluated my software firewall choices.
Hardware Firewall/Router Tweaking
The first thing I did was to revisit GRC's Shields Up and run a port scan. A quick test found two problems with my router's configuration. First I had to manually "stealth" Port 113. Next I had to set my router to not respond to outside (WAN) ping requests, but to discard them. It makes sense to ping up from your system to your router and the Net, but since my router sits behind the cable modem, the broadband guys (and anyone else) can ping the cable modem for troubleshooting and everything else, while any unsolicited packets that reach the router/firewall just die into a black hole. Nice.
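The two router fixes above, "stealth" rather than "closed" for port 113 and silently discarding WAN pings, translate directly into packet-filter rules. This is an added example written for a Linux-based router in iptables-restore format, not a configuration from the original post; the WAN interface name eth0, the LAN interface eth1 and the LAN subnet 192.168.1.0/24 are assumptions.

```iptables
# Added example (not from the original post). Assumed names: eth0 = WAN side,
# eth1 = LAN side, 192.168.1.0/24 = home LAN.
*filter
# Default: anything unsolicited arriving at the router is dropped, not answered.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Replies to connections the router or the LAN started are always welcome.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open outbound connections to the Net.
-A FORWARD -i eth1 -s 192.168.1.0/24 -o eth0 -j ACCEPT

# Port 113 (ident). Many routers answer it with a TCP reset so that remote
# mail/IRC servers doing ident lookups do not stall; Shields Up then reports
# the port as "closed" (the host is visibly there). That "closed" rule looks
# like the next line:
#   -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Saying nothing at all is what Shields Up calls "stealth":
-A INPUT -i eth0 -p tcp --dport 113 -j DROP

# Unsolicited ICMP echo (ping) from the WAN is discarded, not answered.
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP

# Pings sent from the LAN or the router outward still work: their echo
# replies come back as ESTABLISHED (conntrack tracks the echo id) and match
# the ACCEPT rules above.
COMMIT
```

Load it with `iptables-restore` and re-run the Shields Up scan; both port 113 and the ping test should now show as stealth.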
Reading up about software firewalls.
PC Flank - I started on this informative site. Andrew Cooper has written some great and easy-to-read articles about a variety of security subjects. There are a number of articles here about firewalls, leak tests, and firewall comparisons. Plus he has general pc security articles also.
Firewall Leak Tester - This was my second stop for information. Guillaume Kaddouch provides extensive information about leak tests and how some of the most popular software firewalls (free and $$) stack up against them. It is a very interesting site. I downloaded all 19 leak tests (much to my anti-virus program's displeasure). Note, the posted test results do not necessarily reflect the latest version releases of many of those firewall applications tested.
Using Kaddouch's list (and a few reviews) I narrowed down my potential choices for a freeware firewall replacement to the following candidates:
ZoneAlarm Free - It's what I was currently using.
Sunbelt Kerio Personal Firewall - It's what Steve Gibson at GRC has been recommending now instead of ZA.
Jetico Personal Firewall - Passed almost all leak-tests according to what I read.
Comodo Personal Firewall - Found a number of glowing reports in forums, as well as getting a glittering review in PC Magazine.
If you are curious, more firewalls can be found listed in a forum at Wilders Security.
I was only choosing from freeware firewall applications. There are a number of commercial firewall applications as well that received high ratings, and you can find them in the links I've provided, including at Firewall Leak Tester.
My initial plan was to create a virtual machine of XP that I could run and install these applications on for testing. I still would recommend this, but I didn't have the time I expected, so I just got daring and installed and tested them directly on my running system. I don't recommend doing this--bad things can happen, but I was feeling brave and I did obtain "real-world" performance results.
First I downloaded all 19 of the leak test tools from over at Firewall Leak Tester. I had to disable my "real-time" anti-virus scanner as it kept alerting on a number of these tools. The tools aren't "bad," but because they do what virus scanners check for, many may alert. I also wanted to keep an eye on the memory usage requirements of the firewalls, so I used Process Explorer for that task.
ZoneLabs Free - I started with ZoneLabs since it was already installed and running on my system. It uses two processes zlclient.exe (6644K) and vsmon.exe (22,928K). I quickly discovered that it failed almost all of the leak tests--miserably. Not good at all.
One of the tests that was particularly shocking to me was PCAudit. It provided (via email as I requested) a list of what I typed in a text field, a list of files/folders in my "My Documents" folder, a screen shot of my desktop, as well as my computer name, IP address and user account I was logged in under. Yikes!
Zone Alarm Free looked like it was on its way off my systems. Bummer.
Sunbelt Kerio Personal Firewall - Installation went easily. Memory usage appeared to be confined to three processes: kpf4ss.exe at 14,304K, and two instances of kpf4gui.exe at 5,856K and 9,472K. This was more than ZA, but certainly not a deal-breaker.
I had learned that when installing Kerio, if you select "Simple" mode, it only acts as an inbound firewall, but lets all outbound traffic out unchallenged. Not good if you are primarily interested in "leak" monitoring like I am. It passed a majority of the leak tests I tossed at it--though not all. I really liked the clear listing of applications (like in ZoneAlarm) and what they were allowed to do. The interface was pretty intuitive. It comes with a slew of additional Internet monitoring features, some of which shut down when the program reverts to "free" mode after 30 days. One extra item I really liked was the ability to import and export the Kerio settings. ZA Pro allows this but not the free version. This is a really great feature. It also monitors and knows when one application tries to launch another one out to the web.
I highly encourage anyone interested in switching to this program to download and read the informative (PDF) Sunbelt Kerio Personal Firewall User's Guide that Sunbelt offers.
Comodo Firewall - As I had previously mentioned, PC Magazine recently gave a gushy review of this "newcomer" to the freeware firewall software field. The article is heavy on screenshots so it is a good place to get an overview.
Installation went smoothly. No problems. After installation I found two processes: cpf.exe at 30,972 K and clptray.exe at 5,136 K. Again, not exactly "tiny" but acceptable. The interface was ok and the activity prompt warnings seemed informative for deciding whether to allow or not. It seemed to pass all the leak tests I tossed at it with flying colors. One of the benefits of this program is that it carries a list of "trusted" applications and doesn't prompt the user when these run. In addition it looks like it can run a manual scan of your Program Files folders looking for more.
I did find a couple of issues that caused me some concern. First, the firewall does not provide a system tray icon to show Internet activity. I just like to see it there. Second, despite all my attempts and tips from forums, I could not get Comodo to play nicely with my AVG email scanning plugin. Yes, I could disable that feature in AVG, but as email is a likely vector for virus/trojan attack in our family (pre-teen child) I just wasn't comfortable with that. Finally, I never could find a list of which applications/rules were established in the firewall system in case I wanted to go back and change them. While not deal-breakers for all users, I just wasn't satisfied with those deficiencies. To give credit to the developers, I found them to be very active across a wide variety of security forums seeking feedback and offering advice. I think they are working hard to make a trusted and valuable product. I'm keeping an eye on this one.
Jetico Personal Firewall - This application installed quickly and easily. It runs a single process named fwsrv.exe in the 8472 K memory range. Sweet. I had downloaded and reviewed the help file first which I found to have a good bit of documentation.
I ran the battery of leak tests and it blocked them all. Good sign. It was pretty chatty. There are a number of choices you have to make when prompted, and it can be a little overwhelming. The GUI is sparse but does give you easy access to the important items. It took me a while of re-reading and digging to find my way to the application/rule list to make some rule changes, but once done it was fine. I had to reboot my system several times to get all the auto-runs to launch their attempts before I had all the rules set. Jetico also monitors on-board processes, so it is likely you will get prompted to allow/deny some activity that doesn't have anything to do (on the surface at least) with Internet activity. That's a good thing if you are security minded, but annoying if not.
Wilders Security Forums has a great post thread, "Jetico making me crazy," that was very useful for understanding what to select and how to navigate the application.
So which software based firewall did I switch to? Well, I ended up choosing two.
Jetico Personal Firewall - Selected for implementation on our desktop system.
I chose this one for a number of reasons: it's light on memory and I only have 512MB of system RAM, it had superior process monitoring and leak blocking, and it plays well with my AVG program. The drawback is that it requires a more "advanced" level of systems knowledge in deciding what actions to allow/disallow. The benefit of having a good clean system is that almost all processes can be allowed up-front and only questioned after new software or files are downloaded and installed. I'm having to give Alvis more time while she is on the pc while Jetico learns what is good, but that's ok. It eventually does quiet down--it just takes a longer time to happen.
Sunbelt Kerio Personal Firewall 4 - Selected for implementation on our laptop system.
I chose this one for the laptop because with 1GB of RAM, I'm not worried about memory issues. It also plays well with AVG. Finally, the interface and activity prompts are much more "user friendly" than Jetico's--which is great, as Lavie and Alvis use the laptop pretty intensively. It's much easier for them to use.
I haven't given up hope for Comodo Personal Firewall and will continue to keep an eye on it. Once I get my virtual pc set up, I will be able to easily test out newer releases of it and get to know it a little better.
So there you have it. I've found a much more secure firewall than ZoneAlarm Free and no small animals or systems were harmed in the process. I'll keep you updated as I continue to use them if I encounter anything interesting.
And ZoneAlarm Free? I might still recommend it to newbies. It is pretty easy to use and does a good job of protecting against inbound traffic (for those users without a hardware-based router/firewall solution). The messages aren't too confusing and the control panel is easy to navigate and make changes in. But advanced users can now pick from a wide range of more leak-proof firewall offerings.
Jetico vs Comodo - Wilders Security Forums
Comodo Firewall - Wilders Security Forums
Get your blockage on!