Thinking Outside The (Windows) Box
While many businesses depend on Microsoft and its various product suites, alternatives exist, some of which are not well known. Part four of this series examines free Windows firewalls.
We tried Kerio Personal Firewall 4 (v4.2.3) on Windows XP. This personal firewall also runs on Windows 2000, and requires 10 MB disk and 20-30 MB RAM. Sunbelt charges $14.95 for a KPF license, but the program automatically reverts to a limited free edition after 30 days.
Paid-mode features disabled in the free edition include Host Intrusion Prevention (buffer overflow and code injection detection), Web Content Filtering (ad, pop-up, script, and cookie blocking), and syslog support. For comparison with other free firewalls, we set our calendar ahead and used only features available after 30 days.

The KPF installer offers a choice of simple or advanced behaviors. In simple mode, KPF silently permits all outgoing and blocks all incoming traffic. In advanced mode, KPF solicits feedback on how to handle unknown traffic and applications. Simple mode is a nice turn-key for novices, but if you want to customize your rules (for example, to make some interfaces trusted), use advanced mode. Any interface or IP range can be placed in the Trusted area.

At the highest level, Applications are simply permitted or denied, inbound or outbound, Trusted or Internet. Users who want more control can configure Packet Filters based on IP address, protocol, and/or port; ports can be ranges, and IPs can be reusable groups. Any given filter may contain several rules. This strikes a good balance between flexibility and manageability for advanced users, while keeping program control simple for novices.

KPF also includes Predefined network rules for DHCP/DNS and non-TCP/UDP protocols like IGMP, ICMP, and VPN (i.e., PPTP). Predefined rules take precedence over Application rules. But the relationship between Packet Filters and Predefined rules is not stated, so we created a conflicting "deny all pings" Packet Filter. Our Packet Filter did stop all pings, so it apparently takes precedence over Predefined rules.

Signature-based Network Intrusion Prevention can permit, deny, or log known attacks, grouped into three levels (see figure below, left). High priority intrusions include trojans like SubSeven and BackOrifice. Medium priority includes traditional TCP/IP attacks like Smurf, Jolt, and TCP SYN floods. Low priority includes UPnP discovery and other recon activities. No, you cannot use KPF as a true network IPS (a la Snort). But KPF's attack signature detection is pretty extensive for a free personal firewall, and Security Focus or White Hats URLs are given for most intrusions to help you learn what they mean. Host Intrusion Prevention is disabled in the free edition, but certain application behavior rules can still be enforced in the free version, like blocking a modified program.

KPF provides both real-time monitoring and logging. A bar graph summarizes incoming and outgoing traffic (measured in KBps). A Connections list (see figure above, right) displays active programs, each followed by an expandable sublist of open TCP/UDP sessions and session details (including bandwidth). A Statistics page summarizes NIPS activity in the last hour, day, week, or month (and other statistics in the paid version). Statistics are backed by detailed logs for Network, NIPS, and other categories. Most firewall rules can be configured to generate log entries, user alerts, or both.

Overall, KPF seems to be aimed at network-savvy users who can appreciate the benefits of intrusion detection. Simple mode configuration tries to bring KPF to novices who might otherwise be overwhelmed by detail. But KPF has a lot going on for a free personal firewall, and simple mode doesn't hide that. In our view, those most likely to benefit from KPF are users with advanced needs, and they may be tempted to spring for the relatively inexpensive paid license.

Conclusion

As discussed in Part 1 of this series, free software has both advantages and disadvantages. When it comes to security software, be especially careful. A free program that's a feature-limited version of a commercial program from a reputable vendor is clearly preferable to unsupported, lightly-tested shareware from an unknown source.
Any network-connected host can benefit from a host firewall, including those located behind an Internet router/firewall. But proper configuration is absolutely critical. Make sure that you understand your firewall's default rules, and take the time to verify that your firewall is working as intended. Keep firewall software up-to-date, preferably using the auto-updaters found in several of these programs. And remember that no host firewall is a panacea: even firewall programs can crash or become an attack target. A firewall can play a vital role in host defense, but should always be combined with further defenses that fight viruses, spyware, and other network-borne threats.
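The rule-precedence check described in the KPF review (a conflicting "deny all pings" Packet Filter beating the Predefined ICMP rule), as an added Python model rather than Kerio's own code. It assumes a strict first-match ordering of Packet Filters over Predefined rules over Application rules, which the review inferred from a single test, and uses a constructed policy to show how each layer decides a packet.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    app: str
    proto: str             # "tcp", "udp" or "icmp"
    direction: str         # "in" or "out"
    port: Optional[int] = None

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    proto: Optional[str] = None    # None matches any protocol (same for the fields below)
    direction: Optional[str] = None
    app: Optional[str] = None
    ports: Optional[range] = None  # a port range, as the review notes KPF allows

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.direction is None or self.direction == p.direction)
                and (self.app is None or self.app == p.app)
                and (self.ports is None or (p.port is not None and p.port in self.ports)))

# Precedence as the review observed it: Packet Filters beat Predefined rules, which beat
# Application rules. Treating that as a strict, first-match ordering is an assumption.
LAYERS = ("packet_filters", "predefined", "application")

def decide(policy: dict, p: Packet, default: str = "deny") -> tuple:
    """Return (action, layer) for the first match in the highest-precedence layer."""
    for name in LAYERS:
        for rule in policy.get(name, []):
            if rule.matches(p):
                return rule.action, name
    return default, "default"

# Constructed policy: Predefined ICMP/DNS permits, a conflicting ping-deny Packet Filter,
# and one Application rule letting a browser out on TCP 80-443.
POLICY = {
    "packet_filters": [Rule("deny", proto="icmp")],
    "predefined": [Rule("permit", proto="icmp"), Rule("permit", proto="udp", ports=range(53, 54))],
    "application": [Rule("permit", app="browser", proto="tcp", direction="out", ports=range(80, 444))],
}

def verify(policy: dict = POLICY) -> dict:
    """The review's check: does the Packet Filter really stop pings? Plus a browser and a stranger."""
    return {
        "ping": decide(policy, Packet("system", "icmp", "in")),
        "browser": decide(policy, Packet("browser", "tcp", "out", 443)),
        "unknown_in": decide(policy, Packet("unknown", "tcp", "in", 22)),
    }
```

Dropping the "packet_filters" layer from the policy and calling verify() again shows the Predefined ICMP rule taking over, which is the comparison the review made.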