Review roundup: Slim is in for Windows desktop firewalls

Computerworld - Most large companies instituted solid network firewall protection long ago, and few have much need to run software at the Windows desktop level to accomplish their firewall goals. At least, that was true a few years ago.

As the workforce becomes more mobile, indiscriminately accesses the Internet and the company network from wireless hot spots, and works more frequently from home via consumer-level broadband, a solid Windows software firewall that doesn't require help desk support is a very good thing indeed. With no corporate security system protecting their networks, of course, home users are even more in need of firewall protection.

The problem many desktop security buyers face is that the established Windows software security makers -- Symantec, Check Point/ZoneAlarm, McAfee, Trend Micro, Panda and so on -- sell very large, multiple-component security suites that slow their systems to a crawl. These products are aimed at perceived value for consumers, rather than on lightweight simplicity and straight-ahead functionalism.

After years of hands-on testing of security suite products, and with the benefit of thousands of messages containing detailed insights from advanced computer users, I've come to the conclusion that Windows-based multifunction desktop security products have a low degree of customer satisfaction. Products such as Norton Internet Security require far more Windows system resources than lightweight stand-alone tools.

What's more, according to independent security testing from third-party testing sites, such as Firewall Leak Tester and Matousec, many of the biggest names offer less protection than simpler, lesser-known security products. This isn't to say that security protection from Symantec, McAfee and others isn't good. The point is that you don't have to buy big, bloated software from a well-known security company to get solid protection.

My quest with this two-part story is to identify the best lightweight software firewall for Windows desktop use. Last year, I pursued a similar long-term research project to find the best lightweight antivirus software for Windows. The result of more than a year of testing, with input from hundreds of readers about their experiences, resulted in my selection of Eset NOD32 2.7 as the best antivirus product for the Windows desktop in 2007.

I began my research to establish the best software firewall in September 2006. I've called for reader input from the start of the project, both to nominate a first round of products and provide in-depth information about their own experiences with the specific firewalls.

Your experiences, should you choose to convey them, are very important to the final assessment, coming in Part 2 of this story. Later in the story, I'll ask for your input. If you have something useful to say, please take me up on it.

What makes a good firewall

There's no way around the fact that this is a subjective assessment based on both objective and subjective measures. You may not agree with them, but I am explicit about my evaluation criteria. This isn't a beauty contest.

When it comes to desktop firewall protection, most properly configured low-cost hardware and software firewalls get the job done of protecting against casual inbound incursions to your computer or network. Network address translation, stateful packet inspection and selective, smart management of port access provide a good, if imperfect, level of protection.

The problem, as I see it, comes with outbound protection. If your antimalware protection lets in a bad piece of code via e-mail or from a Web site that runs on your system and is designed to extract data from your computer and send it somewhere out on the Internet, are you protected? My determination is that that's the key type of activity that you need your firewall to block. But not all of them are good at that. Some of the most commonly used firewalls, in fact, offer inferior outbound protection.

That's why in terms of security efficacy, outbound protection is my key metric. Currently, that sort of protection is measured by what's known as leak tests. Many such tests exist, both expensive corporate-oriented tools and freely offered tests.

Some other important criteria for firewalls:

• Must have low impact on system performance.
• Can be configured for silent operation -- or at least the product minimizes the number of needless or unexplained pop-up questions it asks.
• When a silent operation mode exists, a fully interactive mode must be an option.
• Must be compatible with other types and brands of software security products, such as VPN, antivirus, antispyware, antispam and so on.
• Must have logical controls and settings that help the user avoid security loopholes.

I'm also a big fan of the ability to configure the firewall to work with your LAN without having to constantly tend them. Any software firewall that gets in the way of basic networking functionality will not last long in my environment -- and it shouldn't in yours. No one should become a slave to their firewall.