If you're one of the holdouts who has not installed a personal firewall on your business or personal system, you're engaging in the computer version of unprotected sex. Sooner or later, it will catch up to you.
How do I know this? My own boneheaded ignorance got in the way of common sense. I forgot that my Windows 2000-based notebook, which had been running behind a corporate firewall or cable modem router/firewall for months, was also running Microsoft's Internet Information Server.
At Networld + Interop in Las Vegas, I had to establish an un-firewalled dial-up connection to the Internet before launching my Virtual Private Networking (VPN) software to connect to CNET's corporate network for e-mail. That's when Nimda struck. Fortunately, Norton AntiVirus quarantined it. But it also notified one of our network administrators, who asked me to get my computer off the network until the company's antivirus special forces could launch a sortie on my system. Embarrassed and apologetic, I complied. Then I called the folks at Zone Labs, the company whose name comes up most often when the phrase "personal firewall" is mentioned, and asked for a test copy of its flagship product, ZoneAlarm Pro.
The difference between antivirus utilities and personal firewalls is that with the latter, the end user of the system (or IT staff assigned to managing it) plays a much more active role in the proper functioning of the software. With antivirus software like Norton AV, you install the software, set it up to check the vendor site regularly for updates, and leave it to run unattended. The software never springs to life and says, "Hi, David. The Klez worm is trying to infect your system. Should I let it through?"
Personal trainer
A personal firewall, on the other hand, must be trained to learn which applications on your system should be allowed to access the local area network, which applications should access the Internet, and which entities on both the LAN and Internet should have access to your system. Many of the network-enabled applications running on our systems are very chatty and like to check in regularly with various corporate and Internet servers. And even though most desktop systems aren't servers (technically speaking), a lot of the software actually runs in server mode, where software on other systems reaches out to it as a client instead of the other way around.
So, immediately after installation, a competent personal firewall should detect all of this communication between your PC and other systems and, on a case-by-case basis, ask you if it's OK. ZoneAlarm, upon detecting such traffic, will ask if you want to allow the traffic for just that one occasion or every time. (You can always change the setting later.) If you use a lot of network-enabled applications, the flurry of such prompts from a personal firewall can be overwhelming. This is especially true immediately following installation, when you program many permanent settings that will eliminate subsequent prompts about the same traffic. And herein lies a personal firewall's biggest weakness: the possibility of human error. If you make the wrong decision, you could end up inadvertently lowering your guard or, worse yet, paying a dear price.
The ability to make the right choice about which traffic to allow and which to block is based largely on having the right information at the right time. In some cases, it's obvious. When you launch your browser and attempt to access a Web site, ZoneAlarm will pop up and ask if the browser should be allowed to access the Internet.
In other cases, it's not so clear. When a Windows system is attached to a corporate network running some sort of directory server, ZoneAlarm will catch any background chatter between the two. When it does, you'll get some basic information about what it caught. But for low-level processes like these, the information can be cryptic. You'll see the names of programs that you never knew you had, and they'll be trying to interact with destinations that you know nothing about. For situations like this, ZoneAlarm has a "more info" button that attempts to retrieve additional information from the Zone Labs knowledgebase. Unfortunately, the knowledgebase often responds with information that is either too difficult to decipher or flat-out uninformative.
If you're like me, you'll err on the safe side and block anything that you're not sure about. For me, erring on the safe side had the unfortunate side effect of over-securing my system. ZoneAlarm was working too well. My system and the applications I was running started having problems. My first instinct was to go back to the list of things I taught ZoneAlarm to block and unblock them. But the list of things that looked foreign to me was long, and the trial-and-error process of unblocking some traffic while leaving other traffic blocked was a daunting task. As a result, I keep the firewall on, but I have to reboot my system every couple of hours after my applications start having irrecoverable problems.
While it wouldn't solve all of my problems, one thing ZoneAlarm needs to do is improve its knowledgebase. In the same way that Microsoft is trying to improve Windows and its other software by gathering data when crashes happen and sending that data back to the company's databases (with the user's permission), ZoneLabs could gather information about all of the applications out there. It could then do a little more homework about those applications so that when people click on the "more info" button, the knowledgebase actually returns something that most of us can base a decision on.
Zone Labs' CEO Gregor Freund agreed, saying "I think our engineers got a little overambitious with the information they were trying to provide." But he was also quick to point out that an enterprise edition of ZoneAlarm Pro --- ZoneAlarm Integrity Desktop --- is about to ship. With this version of the product, the settings that users now teach to ZoneAlarm can be regularly updated by polling a central Web server maintained by the IT staff. However, the IT staff still has to figure out what all these low-level applications do, and what traffic should and should not be allowed. For this new enterprise product to truly satisfy an IT manager, the knowledgebase has to be improved so that he or she doesn't have to deal with tens or hundreds of software vendors to figure out how all of the applications work.
Still, the enterprise version should make it much easier to centrally manage personal firewall policies. ZoneLabs also has a product called the Integrity Server that can manage different policies for different groups of users and deny access to the corporate network if the right version of ZoneAlarm with the right policy settings isn't running. The Integrity Server can also push new policies out to client systems, as opposed to making the clients do the aforementioned polling.
Third zone needed
Another improvement ZoneAlarm desperately needs for business environments, especially those with complicated network configurations that involve multiple geographic locations and hosting centers, is a third and more granular "zone" for categorizing other systems and networks with which desktops must communicate. Currently, those other systems and networks can only fall into one of two zones--Trusted or Internet. In reality, not everything that is not trusted is on the Internet. For example, a subnet in the demilitarized zone at a hosting center that's technically a part of the corporate network might not be completely trusted. For this reason, a third zone--such as Corporate Network--might be handy. This way, when an alert springs up as a result of traffic from that network, you're not misled into thinking that your system is actually interacting with a system out in the wild (on the Internet). Freund agreed that more granular control would be helpful, but declined to say whether such control would make an appearance in forthcoming versions.
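To make the two mechanisms the column describes concrete (the per-application "this time / every time" prompt from the "Personal trainer" section, and the Trusted/Internet zone split that the third zone would refine), here is a small model of a zone-based personal firewall written for this page. It is an added example, not ZoneAlarm's code or any Zone Labs data: the zone tables, the CIDR ranges, the application names (such as dirclient.exe) and the user-answer callbacks are all constructed for illustration. It shows why a two-zone table files directory chatter from a hosting-center DMZ subnet under "Internet", why a cautious "block what I don't recognise, every time" policy quietly accumulates permanent block rules, and how an audit of those rules helps recover an over-blocked machine.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed zone tables (not Zone Labs' own). TWO_ZONES models the product as the
# column describes it: anything not Trusted is "Internet". THREE_ZONES adds the
# hypothetical "Corporate Network" zone for the hosting-center DMZ subnet.
TWO_ZONES = {
    "Trusted": ["192.168.1.0/24"],
}
THREE_ZONES = {
    "Trusted": ["192.168.1.0/24"],
    "Corporate Network": ["10.0.0.0/8", "172.16.5.0/24"],  # constructed DMZ / WAN ranges
}


def classify(dst, zones):
    """Map a destination address to a zone name; anything unmatched is 'Internet'."""
    addr = ipaddress.ip_address(dst)
    for zone, cidrs in zones.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return "Internet"


@dataclass
class PersonalFirewall:
    zones: dict
    rules: dict = field(default_factory=dict)   # (app, zone) -> "allow" | "block"
    prompts: list = field(default_factory=list)  # every (app, zone) the user was asked about

    def decide(self, app, dst, ask):
        """Return (verdict, zone) for one connection attempt.

        ask(app, zone) stands in for the pop-up and returns (verdict, remember);
        remember=True is the "every time" answer, which stores a permanent rule.
        """
        zone = classify(dst, self.zones)
        key = (app, zone)
        if key in self.rules:
            return self.rules[key], zone          # learned earlier: no prompt
        self.prompts.append(key)
        verdict, remember = ask(app, zone)
        if remember:
            self.rules[key] = verdict
        return verdict, zone

    def blocked_rules(self):
        """Audit helper: the permanent block rules to revisit when an application breaks."""
        return sorted(k for k, v in self.rules.items() if v == "block")


def cautious_user(app, zone):
    """The column's strategy: allow the browser, block anything unfamiliar, remember everything."""
    if app == "iexplore.exe":
        return "allow", True
    return "block", True


def once_user(app, zone):
    """A user who always answers 'allow, just this once' and therefore gets asked every time."""
    return "allow", False


def demo():
    """Directory chatter from a constructed DMZ host, seen through two- and three-zone tables."""
    two = PersonalFirewall(TWO_ZONES)
    three = PersonalFirewall(THREE_ZONES)
    v_two = two.decide("dirclient.exe", "10.5.0.3", cautious_user)
    v_three = three.decide("dirclient.exe", "10.5.0.3", cautious_user)
    return v_two, v_three


if __name__ == "__main__":
    print(demo())  # the same traffic is labelled "Internet" vs "Corporate Network"
```

The `blocked_rules()` audit is the piece the column's own troubleshooting lacked: with a cautious policy every unfamiliar (application, zone) pair ends up as a permanent block, so when applications start failing the short list of block rules, not the whole prompt history, is where to look. Under the two-zone table the DMZ host is indistinguishable from a random Internet address, which is exactly the misleading alert the third zone is meant to remove.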
For companies that have or need VPNs, ZoneLabs has a special arrangement with Cisco. Cisco's VPN Concentrator 3000 performs like an Integrity Server and denies access to would-be VPN users unless it detects the correct version of the software. Had such a configuration been in place at my company, the chances of catching Nimda and then connecting to the corporate network would have been greatly reduced.
Even with its faults, ZoneAlarm Pro 3.0 is probably worth the $49.95 price tag. While I haven't tested competing products such as McAfee Firewall 3.0 or Norton Personal Firewall 2002, my colleagues in CNET's reviews department seem to recommend ZoneAlarm over the others. As of this writing, pricing for ZoneAlarm's Integrity desktop and server versions had not yet been set.
What's your experience with ZoneAlarm? Are you running another firewall? Add your comments to our TalkBack forum or write to me at david.berlind@cnet.com