Firewalls.

A hardware firewall is not adequate alone!

A lot of people assume, some arrogantly so, that a hardware firewall is all they need. This is a dangerous fallacy. To tell the truth, a software firewall will not only protect you from most external attacks, it can also stop your machine from becoming an attacker without you even knowing it! Also, a hardware firewall does you no good at all if your son, on another machine on your LAN, downloads "Happy Forest Friends Fun Fest!" that turns out to be a big bag of malware. The hardware firewall can't stop infections that stay on your side of the LAN. The hardware firewall (usually) only stops incoming attacks, and it does so silently, so you never know anything is going on, including any new programs that show up on your side of the LAN.

Port Authority vs Program Authority.

Just what is a port authority firewall? All hardware firewalls, and some older software firewalls, operate on a port authority system, where if a certain port (possibly from a certain IP) is authorized to pass through the firewall, it is allowed to go through. No questions asked. This is where port authority can be dangerous.

A case in point, and not a narrow or unheard-of one: if a normally trustworthy machine has become infected, whether through a bad download, e-mail, or a physical plant attack, it can blast right through the firewall. Even remote control software can breach a firewall, if the destination viewer (listening mode) is listening for a connection on port 80. Almost all hardware firewalls, except in some of the wiser businesses that force employees to surf through a filtering proxy, will allow port 80 to go right through. The obvious result: someone on the outside of your firewall has full control of a machine inside your firewall, and free rein to take control of the rest of your computers.

A program authority software firewall, on the other hand, can block based on ports, but is more effective by detecting which program is trying to access the network. If it's one that it has never seen before, it puts a hold on it, till an actual user OKs the connection. One product I know of, Zone Alarm, can even take this a step further by denying remote control software the ability to click the authorise button; it must be done from the physical keyboard and mouse (unless you have previously unprotected the client, a conscious decision which you must effect).

So, while a hardware firewall can be hardier against more direct and much larger attacks, it's dumb, and knows not what it is allowing to pass, except by deep packet inspection, which is a violation of privacy, and a security risk if the log file is compromised. A software firewall, while weaker against mass attack, is much better geared to stopping odd behavior from compromising a system. Both kinds have their place; neither should be used alone.
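
The port authority versus program authority difference described above, as an added sketch that is not part of the original page and not any product's code. The program names, fingerprints and the `Attempt`, `port_authority` and `ProgramAuthority` names are constructed for illustration, and treating a changed executable as unseen is an assumption that goes beyond the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    program: str   # executable opening the connection (constructed names)
    digest: str    # fingerprint of that executable (constructed values)
    dst_port: int

def port_authority(a, open_ports):
    """Port-only decision: the program behind the traffic is never examined."""
    return "allow" if a.dst_port in open_ports else "block"

class ProgramAuthority:
    """Port rules plus a per-program approval list (hypothetical model)."""
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.approved = {}   # program -> digest the user approved

    def decide(self, a):
        if a.dst_port not in self.open_ports:
            return "block"
        if self.approved.get(a.program) == a.digest:
            return "allow"
        return "hold"        # unseen or changed program waits for the user

    def approve(self, a, physical_input):
        # Only a click from the local keyboard/mouse counts, so remote
        # control software cannot authorise itself.
        if not physical_input:
            return False
        self.approved[a.program] = a.digest
        return True

# Constructed sample traffic from machines inside the LAN.
SAMPLE = [
    Attempt("browser.exe", "aa11", 80),        # approved browser
    Attempt("remote_helper.exe", "bb22", 80),  # never-seen remote control tool
    Attempt("browser.exe", "cc33", 80),        # same name, different binary
    Attempt("browser.exe", "aa11", 25),        # port not opened at all
]

def compare(attempts, open_ports=(80, 443)):
    fw = ProgramAuthority(open_ports)
    fw.approve(attempts[0], physical_input=True)   # user OKs the browser once
    return [(a.program, a.dst_port, port_authority(a, open_ports), fw.decide(a))
            for a in attempts]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

The third and fourth columns of each row are the port-only verdict and the program-aware verdict; the rows where they differ are the cases the port-only filter lets through unexamined.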

Some free firewalls reviewed.

* * * * * Zone Alarm. These people were the innovators, and they are still the best makers of software firewalls in our opinion. They, as far as we can tell, invented program authority. They were also the first one to protect their client from remote keyboard and mouse adjustment. (You must be using the actual mouse and keyboard to work with it.) It has never failed me yet, nor allowed a single wayward packet to go through itself. Highly recommended!

Please note: Recently, when Zone Labs was bought out by their current owner, that owner decided to monetize Zone Alarm and start "offering" the ask .com toolbar with it. YOU DO NOT NEED TO INSTALL THE ASK .COM TOOLBAR TO GET ZONE ALARM TO WORK! You probably shouldn't install it either, as it's adware and does other system tampering. If it weren't for the fact Zone Alarm by itself is such a strong product, this entry would fall off the list due to the ask .com toolbar. Just de-select it on install. The minute I find another firewall that, while stealthing, still handles IDENT as gracefully (please see http://www.grc.com/port_113.htm ), I'll recommend it.

* * * * _ Agnitum Outpost Free. This was recommended by a recognized leader in the computer security field (see his site at http://hosts-file.net ), and a personal friend of mine. I trust his opinions; I suggest you can too. (I have never used the product though, as Zone Alarm and I have been happily "wed" for about a decade now.)

* * * * _ Tall Emu Online Armor. Also recommended by my trusted friend. (Haven't tested it, nor do I have time to test it, as above).

* * * _ _ PC Tools Firewall Plus. No personal experience with this one either, so 3 stars only. Based upon recommendations from Kim Komando. Give it a whirl if you don't like any of the above.

* _ _ _ _ Windows Firewall. Yes it's free, yes it's already installed, and no, I don't like it. How many times have you installed software to see a screen pop up saying "Setting Windows Firewall Rules"? Any firewall that allows a program external to itself to set up firewall rules without user intervention is no real protection. I could recommend it, if not for this one behavior! 1 star for boneheadedly opening itself to being neutralized.

_ _ _ _ _ Black Ice Defender. Cool name, worthless program. Only "legitimate" firewall known to have an intentional back-door built in over several versions. Avoid.