(Image: Shutterstock/Pixels Hunter)
Personal computer old-timers may remember the debut of the brash and colorful ZoneAlarm firewall, one of the first programs marketed as a personal firewall for consumers. In those days, more than 20 years ago, the company had the unenviable task of educating the populace as to what the heck a firewall is, and why they should want one. Windows 98, then current, didn’t offer them much help. But this heyday of the personal firewall didn’t last.
Just a few years later, Windows XP appeared with the beginnings of a proper firewall, and firewall protection in Windows has only gotten better since then. Third-party firewalls typically do no more than the built-in when it comes to fending off outside attack; they distinguish themselves in areas like program control and exploit defense. But almost all security suites and even a few nominally standalone antivirus tools come with a built-in firewall. Most contemporaries of the early ZoneAlarm have fallen by the wayside. Is the third-party personal firewall dead?
Safety in the Network
Back when having a personal firewall was new and exciting, most of us connected our single household computer to the cable modem, IDSN box, or (shudder!) telephone line that brought us internet connectivity. In the modern world, everybody has a home network, and that fact in itself is a defense against online attack.
The wireless router that doles out connections to all your devices also protects them. It uses Network Address Translation, or NAT, to assign each device what’s called a local-only IP address. This type of address is visible only within your local network, not anywhere else. That alone is enough to block many direct attacks.
Some routers have additional security layers baked in. For example, Netgear offers routers with Netgear Armor, which is a firmware-level security component based on the Bitdefender Box security device. Even without added security software, NAT does a lot to insulate your devices from outside attack.
Take a VPN on the Road
Of course, when you're away from home you don't get any benefit from the router sitting back in your home or office. In fact, you're vulnerable to attack by other users on that insecure airport wireless. The café that offers free Wi-Fi? A shady owner could sift through any unencrypted internet traffic, potentially capturing handy items like passwords or credit card numbers. When you're on the road, you really need a Virtual Private Network, or VPN.
Our Top VPN Picks
The VPN encrypts your web traffic all the way to a server operated by the VPN company. Ad sites and other trackers see the VPN's IP address, not your own. And you can also use a VPN to spoof your geographic location, perhaps to view region-locked content, or to protect yourself when traveling in a country with restrictive internet policies. You may not need a firewall, but you do need a VPN.
Port Protection
Your computer's internet connection grants you access to a limitless collection of baby sloth videos, social media posts, and streaming entertainment. It also opens your computer to access by others via the internet, though connecting through a router does limit the possibilities for damage. One major firewall task involves permitting all valid network traffic and blocking suspect or malicious traffic.
Your PC's ports, the entry points for network connections, can be open, closed, or stealthed. If a port is closed, attacking hackers can seek ways to jimmy it open. When a port is stealthed, it's not even visible to an outside attacker, which is ideal. Windows Firewall alone is completely capable of stealthing all your PC's ports, and any ports behind a router appear stealthed. In fact, the only way we can test a firewall’s ability to stealth the ports involves using a PC that’s connected through the router’s DMZ port. That effectively gives it a direct connection to the internet.
Most firewalls allow for multiple configuration profiles, depending on your network connection. Traffic within your home network needs fewer restrictions than traffic to and from the internet. If you're connected with a public network, the firewall cranks up its security level to the max.
Program Control
Early personal firewalls were notorious for bombarding users with a plethora of mystifying pop-up queries. ZKXT2048.exe is attempting to connect to 104.118.255.137 on port 8080. Allow or Block? Once or Always? Plastic or Paper? Few users have the knowledge to make an informed response to such a query. Typically, users either always click Block or always click Allow. Those who make Block their default response eventually wind up disabling something important, after which they switch to clicking Allow. Those who always click Allow risk letting in something they shouldn't.
Our Top Security Suites
High-end security suite firewall components like the one built into Norton 360 Deluxe get around this problem by completely internalizing program control. They configure permissions for known good programs, wipe out known bad programs, and monitor the behavior of unknowns. If an unknown process starts to abuse its network connection, the firewall smacks it down. The one thing it doesn’t do is rely on the untrained user to make important security decisions.
Other firewalls use their own techniques for cutting down on pop-up queries. For example, the firewall in Check Point ZoneAlarm Free Antivirus+ checks a massive online database called SmartDefense Advisor and automatically configures permissions for known programs. In the rare event that it does display a pop-up query, you should pay careful attention, as a program not found in the database might be a zero-day malware attack.
Many firewalls take note when a trusted program changes in any way. The change might be an update, it might be a virus infection, or it might be a malicious program just using the name of a trusted program.
Our Top Antivirus Picks
Do note that program control is only relevant for programs that got past your antivirus protection. If a program is a known stinker, or if it reveals its malicious intent through dangerous behaviors, it'll never come to the firewall's attention. The best antivirus programs apprehend all common types of malware, with rare misses. If you have antivirus protection installed, program control should hardly come into play.
Extending the Firewall
Top-of-the-line firewalls such as you get with Norton and Kaspersky Security Cloud include additional protection against network-based attacks, usually in the form of a Host Intrusion Prevention System (HIPS), Intrusion Detection System (IDS), or both. Among other things, these components serve to protect against attacks that exploit security vulnerabilities in the operating system or popular programs. In between the time a vulnerability is discovered and the time the vendor patches that security hole, malefactors can launch attacks that gain control over victim systems.
The best HIPS and IDS systems catch exploit attacks at the network level, before they even reach the target system. Other security suite components, particularly the antivirus, may eliminate the malicious payload dropped by an exploit attack before it can do any harm. In testing, we use the CORE Impact penetration testing tool to get a feel for each firewall's response to such exploit attacks. The best ones block 80% or more of the exploits.
Who Needs a Personal Firewall?
In the modern world, there's hardly ever a reason to consider installing a standalone personal firewall. The built-in Windows Firewall blocks outside attacks, and the firewall within your security suite does everything the built-in does plus handles program control and exploit detection. The era of the computer hobbyist who'd carefully and lovingly select each separate security component is long gone.
Sure, there could be a specific situation in which you want to install the absolute minimum of security—all that’s necessary but no more. You can still get standalone firewall protection, though the number of available products has dwindled over the years. And there's no need to pay for a firewall. The venerable ZoneAlarm mentioned at the start is still available, and still free, for example. Add a top free antivirus and you’ve got the bare bones of a security system.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
