I’ve been using the free ZoneAlarm for a few months, but it’s constantly causing problems (like making my computer think it’s not able to access any webpages, until I turn off ZA), so I want to ditch it. What’s another free firewall that doesn’t have these problems?
I like Tiny Personal Firewall.
I have been looking at the http://soho.sygate.com/default.htm free firewall and it looks OK to me.
Currently using Zone Alarm on three machines and have never had a single problem with it.
This isn’t what you asked, but that’s rarely stopped me in the past.
Have you considered a router, instead? They’re not free, but any of the DSL/Cable Modem routers act like a hardware firewall as long as you don’t use the DMZ feature (which won’t be on by default). They use Network Address Translation (NAT), which gives you a private address behind the router, and a more public address outside of it. In addition, they tend to block all incoming ports at the router (which you can override on a per-port basis if you need to). This is really all you need a firewall to be doing for you. This all happens pretty much automatically, no setup or software required. Plus, it gives you (either directly or with an external switch, depending on the model) the ability to support and protect multiple computers if you’ve got them.
I’ve entirely stopped recommending software firewalls to family and friends. For $40 or so, they can protect all their computers more or less permanently, without any irritating messages at the computer. The default configurations are secure, and easy enough to install that I can walk someone through it over the phone in a couple minutes.
More importantly, the hardware firewall (router) protects you at the most crucial time - when you’re first installing Windows (or whatever your OS). Your machine is generally not secure until you’ve installed all of the “critical updates”, “software updates”, or whatever your OS calls them. But the idiots of the Internet (spammers, crackers, worm and virus writers, zombie machine owners, and ISPs who won’t take basic precautions against letting the former control their networks) have too much control.
On a broadband connection, it is generally not possible to take a first-release Windows XP install, for example, and download all the critical updates before the machine has been compromised. Various tests have shown compromise times for such machines range from 2.5 to 12 minutes; some factors you have no control over (like your IP address range) will affect this time. This problem is eliminated by the router: you can download the patches through it without risking infection.
So, when anyone asks me about new computer protection, I always say: hardware router (even for a single machine), which gets connected before the computer touches the Internet. This will effectively eliminate worm attacks from outside. On the local machine, add virus protection and anti-spyware software unless the person has good computing hygiene.
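As an added illustration (not from any poster in this thread) of the stateful NAT behaviour the post above describes: a small Python model of a home router that allows replies to connections the LAN host started, drops unsolicited inbound packets, honours per-port forwarding overrides, and shows how enabling the DMZ removes that default protection. All addresses are constructed documentation-range values, and port-preserving translation is assumed for simplicity.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN

@dataclass
class HomeRouter:
    """Stateful NAT filter: replies and explicit forwards pass, unsolicited inbound is dropped."""
    lan_host: str = "192.168.1.10"     # constructed private address behind NAT
    wan_ip: str = "203.0.113.5"        # constructed public address (documentation range)
    dmz_enabled: bool = False          # DMZ exposes the LAN host to everything inbound
    forwarded_ports: set = field(default_factory=set)  # per-port overrides
    state: set = field(default_factory=set)  # (remote_ip, remote_port, external_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound traffic is always allowed and creates a state-table entry
            # (port-preserving translation assumed, so the external port equals the LAN port).
            self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return "ALLOW"
        if pkt.dst_ip != self.wan_ip:
            return "DROP"   # not addressed to our public address at all
        if (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.state:
            return "ALLOW"  # reply to a connection the LAN host initiated
        if pkt.dst_port in self.forwarded_ports:
            return "ALLOW"  # owner explicitly opened this port
        if self.dmz_enabled:
            return "ALLOW"  # DMZ: the default protection is gone
        return "DROP"       # unsolicited inbound, e.g. a worm scanning the address range

def run_demo() -> list:
    r = HomeRouter()
    web = "198.51.100.20"      # constructed web server
    scanner = "198.51.100.30"  # constructed unsolicited remote host
    results = [
        r.decide(Packet(r.lan_host, 50000, web, 80, "out")),      # browsing out
        r.decide(Packet(web, 80, r.wan_ip, 50000, "in")),         # reply comes back
        r.decide(Packet(scanner, 40000, r.wan_ip, 3389, "in")),   # unsolicited probe
    ]
    r.forwarded_ports.add(3389)  # owner wants remote desktop reachable from outside
    results.append(r.decide(Packet(scanner, 40000, r.wan_ip, 3389, "in")))
    r.dmz_enabled = True         # turning on DMZ removes the default blocking
    results.append(r.decide(Packet(scanner, 40001, r.wan_ip, 12345, "in")))
    return results
```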
- Firewall software still has value even on a PC behind a router, in that (if it includes the feature) the firewall program will alert you if any programs are trying to connect outbound. A router will not do that. These outbound-connection attempts are very often the first sign you get that something is amiss, so it is important.
No hardware router that I’m aware of can block applications from tunnelling out. Also, logging may or may not be needed and I haven’t seen a hardware router that can log worth a damn.
I use ZoneAlarm and haven’t had any problems. My wife uses Sygate Personal Firewall, and that also seems to work fine.
Those are, as far as I’m aware, probably the two most popular free firewalls. If your ZoneAlarm is giving you trouble, give Sygate a go.
A software firewall will also provide protection against attacks coming from a compromised machine located on the LAN (i.e. the same side of the router as you).
Another vote for Sygate; the only criticism I have of it is that the ‘update’ alert that you occasionally get (when they release a new version) downloads and installs by default the trial of the ‘professional’ version, which you have to pay for (or uninstall, and locate the updated free version and install that). Shouldn’t grumble really, I suppose.
If this is a continuing problem, ZA is not configured correctly. What browser do you use? Have you checked the program settings in ZA to see if your browser has the correct permissions? I have been using ZA since 2001 (through several product upgrades), and have never had this problem.
This, and the outbound traffic notification, are good points, and I’ll concede them for a business or other reasonably large LAN.
But, I’m assuming that most folks with a home LAN have virus software running on their vulnerable home machines, which would detect and eliminate attacks running from those machines. Certainly having such virus protection in place is at least as important as having a firewall.
Firewalls are really meant to be protecting you from the outside world, not attacks from your own network, where you control all the computers. Even a rudimentary level of care should prevent home-based attacks from existing very long…
My objection to the software firewalls is that they are indiscriminate - they give warnings for all sorts of perfectly normal activity, and the average user isn’t going to be able to identify the legitimate traffic from the illegitimate. On most networks with up-to-date software updates, virus protection, and a reasonably good ISP, the average user will NEVER see a legitimate attack in progress, especially not outgoing, but will still be faced with all sorts of “allow/disallow” messages all the time. If they ARE attacked, most people won’t be able to identify it anyway, and will usually still allow the packets. Contrast with the hardware firewall, which wouldn’t have given them the option in the first place.
We’re never going to make any headway against these threats unless we start making this stuff invisible. There’s already too much that computer users “need to know” in order to keep their systems running. Expecting them to know the name, function, and port of every program that uses TCP to communicate, even rarely, is a waste of time, and impossible for most users, anyway.
Another vote for Sygate over ZA.
I had problems with ZoneAlarm slowing down my internet connection, etc., so I was forced to switch to Sygate. Although not as easy and fun to use, it works well, and doesn’t give me any problems.
Can anyone comment on the Windows XP firewall? I put a new drive in my laptop recently and haven’t got around to putting ZA on it. I’ve been using the default Windows firewall without any problems. Is there trouble brewing with this setup?
Hardware routers can do this, but not cheap ones. Or perhaps I shouldn’t say hardware routers, I should say dedicated routers, since the degree of software involvement grows as the scalability and complexity of the solution grow.
If anyone knows of a dedicated router that could be used at home (read: affordable) and provides logging and alerting, I’d be interested to know.
I disagree… if anything, there’s never going to be any headway until users accept that it’s their business machine, not Dell’s or Microsoft’s, and only they can know what is legitimate and what isn’t. Yeah, you could make it transparent, you could lock it down for everything except mail and web, and tell the user tough beans if anything else doesn’t work. Then they’d be screaming “I have to have my remote desktop, can’t you just identify what’s coming in or out and prompt me to accept it? Or at least save a log of the activity?” And voila, ZoneAlarm in a nutshell.
You can’t build a house or car security system that already knows who the good guys and bad guys are. These are decisions that the owner makes after purchase. Computer security is no different from other kinds of security, except perhaps the widespread misconception that someone else should have to do it for you. I don’t know about you, but no way would I live in a house with a security system where some dude at the factory helpfully programmed my PIN number and guest list.
We’ve hijacked this thread enough, so I’ll let it be after this, I promise. I’m talking about security by default, not making it so that an advanced user can’t control it. We can build a system that knows who the good guys and bad guys are (every virus checker does it) automatically, with a very high success rate. Disallowing all unsolicited packets from outside the LAN, for example, (which is what most routers do by default) leaves the user with almost complete Internet functionality, but immune to worms.
What we’re doing now is not working. People aren’t, and can’t be expected to become, knowledgeable about the details of TCP in order to secure their own systems. We in the computer industry can get as high and mighty as we want about users that don’t want to learn how to use their systems, but there are tens of millions of them, and their lack of knowledge is crippling the Internet. That’s not the fault of uneducated users, it’s OUR fault for building a system that doesn’t make basic security decisions by default.
Most users don’t CARE how it works. They don’t have to know how a car works to drive it, they don’t have to know how a lock works to use a key. They don’t have to know how a bank vault works to feel confident leaving their money there. Consider if the bank called you up every time a customer came through their door, and asked you if they should be let into the bank.
What you’re asking for is not possible because good computer security is intention based and not behaviour based. That is, two identical behaviours can mean radically different things in two different scenarios. What, to me, is a remote desktop application allowing someone to help me fix my computer is, to you, a malicious trojan that lets a hacker hijack your system. What, to me, is sending personal details and credit card numbers to buy something online is, to you, malicious spyware sending your credit card number to some scummy hacker.
No computer can tell the difference between these two because it requires knowing your intentions. I’m not saying that we can’t do a lot better than we are now, but your goal of a completely automated firewall simply isn’t possible.