

More about personal firewalls

Published: 2006/07/12

What is a personal firewall? Do I need one? Do I need one if I already have an antivirus installed? Which personal firewall is the best, and how do I recognize a bad one? What are the main tasks of a personal firewall? What about personal firewalls on non-Windows systems? The following article gives a lot of information about personal firewalls and answers these questions. In short, personal firewalls are very sophisticated software and we recommend that users run one, but we also recommend choosing the final product very carefully.


What is a personal firewall?

A personal firewall is a desktop security product designed to enhance the security of the operating system by implementing per-application security. Some operating systems (including modern Windows systems) implement per-user security. Such a security model is not always sufficient or effective, especially on the workstations of common users.



Threats versus antivirus, antispyware and similar applications

Today's Internet is full of spyware, worms and other malware. People looking for valid information can run into these threats easily. People often download new programs just to see whether they are useful. It is almost impossible for a common user to tell malicious programs, or programs that include spyware, from harmless programs before running them. Nowadays many Internet users know that they should not execute every program that arrives as a mail attachment, but the rules for running programs they downloaded themselves are still underestimated. This is where antivirus, antispyware and similar applications come in. But can they sufficiently protect people against the threats mentioned above? The main problem of antivirus and antispyware software is that it relies on signatures. It has to be updated frequently to be able to recognize new malware. If there is no signature for the new malware in its database, it cannot fight it. Yes, antivirus engines usually implement some heuristics, but these methods can only recognize smaller modifications of well-known malware programs. The response time of security vendors differs and usually depends on the severity of the new threat and how widespread it is. It takes from a few hours to several months before a signature is available. Simply said, having antivirus and antispyware software installed will not protect you against the latest threats, but it can raise the security of your system.



Purpose of a personal firewall

In general, the main purpose of a personal firewall is to tighten computer security: to set up restrictions that limit possible malicious activity without limiting the user. Imagine a common home workstation. It runs many applications: a text editor, an Internet browser, a file manager, computer games, a media player, etc. By default, without a personal firewall installed, all these applications can do everything the user who runs them can do. But why should the text editor be allowed to access the Internet? Why should the Internet browser be allowed to change system files? Is it not dangerous to allow games to delete documents or control system services? Why should the media player be allowed to install kernel drivers? No, there is no need to allow such actions.

The purpose of a personal firewall is to set up rules that prevent applications from performing actions they should not be able to do, while allowing the actions expected of them. This is something antivirus or antispyware software does not do. However, it is fashionable nowadays for antivirus products to include antispyware features as well as personal firewall features. Such a product is usually called a security suite rather than an antivirus. Placing a VPN in front of the firewall is another option for increasing security.

Another feature of security products that is very popular today is a cloud-based engine. Pattern-based detection can be implemented in the cloud, which means that a description of the pattern, binary or behavioral, is sent to a server maintained by the security product vendor, which replies with the scan result. The advantage of a cloud-based engine is that the vendor's servers are usually much more powerful than the end user's computer, and they may have access to multiple scanning engines and larger malware databases. In general, this approach delivers more accurate results while reducing both the hardware requirements on the end user's side and the complexity of the security product's client application.



Good and bad products

Many applications are called personal firewalls, but how do you tell good products from the others? For a common user it is very hard to decide. All vendors claim that their product is the best and offers something unique and extraordinary. We think that, since personal firewalls are security software, the main criterion should be the level of security. Forget all those bells and whistles in security software. If you want ad blocking, you do not need a personal firewall because your browser can do it; there are plugins for the most popular browsers that block ads, popups, etc. Today's personal firewalls contain many similar features that have nothing to do with security. Just go to your favourite personal firewall vendor's website and read the list of features of their products.

A good personal firewall offers both inbound and outbound protection. Inbound protection means that packets sent from the Internet or the local area network to your computer are filtered and only the ports you want to be open are accessible. This protection is standard and is very good and reliable in almost all personal firewalls. Outbound protection, on the other hand, causes problems for all vendors nowadays. Outbound protection means that only applications that are allowed to do so can access the Internet or the local area network. This is not as simple as it looks. Imagine that you want to browse the Internet with your browser and that you do not want other applications to do so. The problem is that it is not enough to check only which application wants to send a packet to the Internet, because modern operating systems allow programs to communicate with each other. An application that is not allowed to access the Internet can start the browser and use it for its communication. Your personal firewall has to protect all such privileged applications against misuse by malware; it has to restrict access to them. But this is still not enough. The personal firewall has to protect itself: malicious applications should not be able to switch it off or modify its rules. This means that it also has to protect system resources, etc. There are many problems here, and we are still talking about only one feature, outbound protection. The personal firewall should also restrict spying on your computer and stealing your data. The ability to delete or replace important system files or to kill system processes should also be restricted, because such activity can be used to bypass the protection. What you should ask of your personal firewall is comprehensive protection against malicious activity. In this context we often talk about a sandbox.

There are also special software products that we call personal firewalls even though they offer neither inbound nor outbound protection. These applications implement only the sandbox. They can usually be installed together with some firewall or personal firewall software to tighten system security and to minimize the possibility of malicious activity. When we analyse this kind of software we do not consider the missing inbound and outbound protection to be a security flaw.
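The outbound-protection problem described above (a denied application starting the browser and letting it do the talking) can be modelled as a policy question. The following is an added example, not code from matousec.com or from any product: a small Python evaluator that replays a constructed process trace against a hypothetical per-application rule set, once checking only the connecting process and once also tracking which process started it.

```python
"""Per-application outbound rules: naive vs launch-aware evaluation.

Added example (not matousec's code). All image names, rules and the
event trace are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule set: only the browser may use the network, and
# only the desktop shell is permitted to start the browser or the game.
NET_ALLOWED = {"browser.exe"}
MAY_LAUNCH = {("explorer.exe", "browser.exe"), ("explorer.exe", "game.exe")}


@dataclass
class Process:
    pid: int
    image: str
    parent: Optional[int]
    untrusted: bool = False  # started outside the permitted launch chain


def evaluate(events, track_launch):
    """Replay ('start', pid, image, parent_pid) and ('connect', pid, dest)
    events; return a list of (pid, dest, verdict) for each connect."""
    procs, verdicts = {}, []
    for ev in events:
        if ev[0] == "start":
            _, pid, image, parent = ev
            untrusted = False
            if track_launch and parent is not None:
                p = procs[parent]
                # A child is untrusted if its parent is, or if this parent
                # is not explicitly permitted to launch this image.
                untrusted = p.untrusted or (p.image, image) not in MAY_LAUNCH
            procs[pid] = Process(pid, image, parent, untrusted)
        elif ev[0] == "connect":
            _, pid, dest = ev
            proc = procs[pid]
            allowed = proc.image in NET_ALLOWED
            if track_launch and proc.untrusted:
                allowed = False  # privileged image, but started by a denied app
            verdicts.append((pid, dest, "allow" if allowed else "deny"))
    return verdicts


# Constructed trace: the shell starts the browser (legitimate), then the
# game, which is denied the network, starts its own browser copy instead.
TRACE = [
    ("start", 1, "explorer.exe", None),
    ("start", 2, "browser.exe", 1),
    ("connect", 2, "news.example"),
    ("start", 3, "game.exe", 1),
    ("connect", 3, "update.example"),
    ("start", 4, "browser.exe", 3),
    ("connect", 4, "collector.example"),
]

if __name__ == "__main__":
    for name, strict in (("naive", False), ("launch-aware", True)):
        print(name, evaluate(TRACE, strict))
```

The naive evaluator allows the third connection because it only sees browser.exe; the launch-aware one denies it because that browser copy was started by a process that the rules never permitted to launch it.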



Poor reviews

Another big problem is the product reviews available on the Internet. The vast majority of these reviews were written by ordinary users or, at most, advanced users. This is not a bad thing in general; it is good to have information about a product from the common user's point of view. But this information is not enough, not when we are talking about security products. You should ask for reviews made by security experts. Those advanced users do not write their own programs to try to bypass the security of the product they review. Unless these people understand how personal firewalls work at the lowest level, they are not skilled enough to judge the security level of these products. People who write reviews of security products usually use only well-known third-party tools to test the security. Every personal firewall vendor can then implement a simple protection against those well-known tools. Different methods have to be used to test security software. The analyst must understand the design of the product under test. A good analysis can take weeks of work. An exact methodology must be set. Just look at any personal firewall review on the Internet. Do you see any description of its methodology? Does it talk about security and bugs? Did the reviewer find any bugs? And now, how can you recognize which product is the best, best from the security point of view?



Non-Windows systems and personal firewalls

On non-Windows systems this kind of software exists, but it is not called a personal firewall. On Unix-based systems the security concepts differ in many ways, but many things are also similar. The important similarity is per-user security. However, users of non-Windows systems have different habits. They usually do not use the root (Administrator equivalent) account for daily work, and it is very common there to create a new user for a small group of programs, or even for a single application, to restrict its access. Nevertheless, per-application security is sometimes the more efficient approach. Read more about Jail.