Outbound Program Firewall
-
On your recommendation many years ago I installed the free version of ZoneAlarm as my firewall. It was very successful and I recommended it to many others. Last week I received a major update to my McAfee Virus Scan Plus which immediately and regularly locked up my system and frequently switched off McAfee. It was fully resolved by removing ZoneAlarm and using the Microsoft firewall. I understand this is a common problem for McAfee and ZoneAlarm. My question to you is how effective is the Microsoft firewall? Can we rely on it as we did with ZoneAlarm? I have researched the Microsoft firewall for Windows XP (SP3) and it appears to be fairly basic and limited in its effectiveness. Do you have any comments or advice?
This is a particularly good question, seeking an update on earlier advice in the context of current-day technologies. In previous years I recommended ZoneAlarm primarily because it provides outbound firewall functionality: when an application or process on your computer attempts to access the internet, it asks your permission first. This is in addition to the inbound filtering the utility also provides. However, given the advances in consumer computing, we should ask whether an outbound firewall is still absolutely necessary. Most applications and processes on a computer now need to communicate over the internet for one reason or another (automatic update checks, online help and so on), so when running an outbound firewall you are going to be prompted for most of the programs you use. Before the widespread adoption of high-speed broadband this mattered, because a program quietly downloading an update in the background could grind a dial-up connection to a halt; from the bandwidth perspective it is much less of an issue now. An outbound firewall also imposes a significant administrative burden. Most of the time you cannot be completely certain why a given program needs access, and (human nature being what it is) after being asked on numerous occasions you will probably start approving requests without investigating the real reason, which eliminates the benefit of having an outbound firewall at all. Several years ago, when far fewer programs were internet-enabled, this was a manageable task; today it has become a much more administratively intensive operation.
Next, consider why an outbound firewall was wanted in the first place. The reason was mainly security: to stop unwanted programs (potentially malware and spyware) from "phoning home". However, antivirus and antimalware products have advanced considerably and have become fairly good at detecting such threats on your computer and removing them, so you should not need to block them from phoning home, because hopefully there is no such malicious software on your computer to phone home in the first place. This takes the discussion beyond the question of an outbound firewall and into the general area of being careful about what software you install. If you are careful about what you install, and you do not download and install everything under the sun without considering the consequences, then your computer should be fairly safe. In this regard, I have a few rules of thumb that I apply when installing new software on my own computer.
First, I only install software from a trusted source. When I download software from the internet I always ensure that it comes from the software developer's own website rather than a third-party downloads site, so that I get a legitimate, unmodified copy of the software.
Second, I rarely install software that does not carry a valid digital signature. Software developers can purchase a code-signing certificate which allows them to digitally "sign" their software. The signature guarantees that the installer really does come from that developer and has not been modified since it was signed, which is an important guarantee that, for example, nobody has altered the installer to add a malware or virus payload. When you double-click an installer, Windows shows an "Open File – Security Warning" dialog with the publisher information. If the publisher's name appears as a blue, underlined link, the software is digitally signed and the publisher has been verified by a certificate authority (you can click the name to view the certificate details). If instead the dialog says "The publisher could not be verified…" and lists "Unknown publisher", the software is not digitally signed. That is not a problem in itself: a great deal of downloadable software is unsigned, because obtaining a certificate costs money (it can be a costly proposition) and some independent developers simply cannot justify the outlay. Most unsigned software is perfectly fine, but you need to take extra care that it was downloaded from a legitimate source rather than some dodgy website that may have added "something special" to the installer. Windows will also warn you if a signed file has been altered since it was signed; an installer whose signature no longer matches its contents should not be run at all.
However, just because an installer is digitally signed does not mean it is safe. Someone who writes malicious software could sign it too, and all the signature would then prove is that the already malicious software came from its author and has not been modified since. That said, this is fairly unlikely, because a valid signature can generally be traced back to the original developer. More commonly there is software which is not malicious as such, but which does unwanted things on your computer. The main thing to remember is that a digital signature guarantees the authenticity of the software, not that its purpose is benign. It is a bit like signing a contract: the signature verifies who the document came from, but says nothing about what the contract contains. Therefore, my third tip is that whenever you are about to install software from a vendor you do not already trust, search the web for the name of the software together with keywords such as "spyware", "malware" and "virus". For example, if I were about to install ABC Utility by XYZ Software (a company I had never heard of), I would search Google for ABC Utility spyware, ABC Utility malware, and so on (without quotation marks, otherwise it searches for that literal phrase rather than the individual keywords). In most cases you will not get any particularly interesting results, perhaps just download websites claiming to have scanned the software and found it "100% spyware free", since searching for the keyword "spyware" also picks up innocuous usages like "spyware free". No interesting results is a good sign: it means nobody is complaining that something is awry with the software. If you do get odd results, particularly blog posts or forum comments about the software and possible spyware or malware, then read further to judge whether they are just disgruntled customers or whether there really is something wrong with the software.
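The same check the "Open File – Security Warning" dialog performs can be run from a PowerShell prompt before you double-click anything. The script below is an added example, not part of the original column; it uses the standard Get-AuthenticodeSignature cmdlet (PowerShell 2.0 or later), and the installer path is a made-up placeholder. Note how the three interesting outcomes map onto the discussion above: "Valid" is the blue underlined publisher, "NotSigned" is "Unknown publisher", and "HashMismatch" or "NotTrusted" means the file was altered or was signed with a certificate no authority vouches for.

```powershell
# Added example (not the column's own code): inspect an installer's
# Authenticode signature before running it. Path below is hypothetical.
$installer = 'C:\Downloads\abc-utility-setup.exe'

function Test-InstallerSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    switch ($sig.Status) {
        'Valid' {
            # Chains to a trusted root and the file is unchanged since signing.
            $cert = $sig.SignerCertificate
            Write-Host "SIGNED and unmodified."
            Write-Host "  Publisher : $($cert.Subject)"
            Write-Host "  Issued by : $($cert.Issuer)"
            Write-Host "  Cert valid: $($cert.NotBefore) to $($cert.NotAfter)"
            Write-Host "  A signature proves origin and integrity only, not that the program is benign."
        }
        'NotSigned' {
            # What Windows shows as 'Unknown publisher'.
            Write-Host "NOT SIGNED. Not necessarily bad, but be sure it came from the developer's own site."
        }
        'HashMismatch' {
            # File contents changed after signing: the classic tampered-installer case.
            Write-Host "TAMPERED: contents no longer match the signature. Do not install."
        }
        'NotTrusted' {
            # Signed, but by a certificate Windows does not trust (e.g. self-signed).
            Write-Host "SIGNED BY AN UNTRUSTED CERTIFICATE. Treat exactly like an unsigned file."
        }
        default {
            Write-Host "Signature problem ($($sig.Status)): $($sig.StatusMessage). Treat as unverified."
        }
    }
    return $sig.Status
}

$status = Test-InstallerSignature -Path $installer
```

Run it against the file you just downloaded; the returned status is the same value the dialog is reacting to, so "Valid" plus a publisher name you recognise is the result you want before clicking Run.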
So far we have discussed ways to prevent malicious software from being installed on the computer in the first place, which reduces the need for an outbound firewall. The other important thing you should do is keep Windows up to date with the latest security patches. Ideally, enable Automatic Updates so that Windows downloads and installs updates as soon as they are available. To do so, go to the "Start" menu > "Control Panel" and open the "Automatic Updates" control panel (if the Control Panel is in category view you may first need to open the "Security Center"). Finally, make sure you are running up-to-date antivirus software, which you appear to be doing since McAfee Virus Scan Plus is installed (and the ZoneAlarm problem arose precisely because you updated that software, which shows you are keeping it current!).
My recommendation at this point is this: unless you are particularly concerned about which programs on your computer may be accessing the internet, then as long as you are careful about what you install (which you should be anyway) there is not much need for an outbound firewall. That said, it is absolutely essential that you run an inbound firewall to prevent potentially malicious network traffic from getting into your computer. I recommend two levels of firewall: hardware and software.
Dealing with the hardware level first: anyone with a broadband internet connection should be using a broadband router, even if you have no wish to share the connection with other computers in your household. The reason is that a broadband router performs Network Address Translation (NAT). Your router has two sides: the public (internet-facing) interface and the private interface(s) where your home computers connect, and all internet traffic flows through it. Without going into too much networking theory, for incoming traffic to be passed from the public interface to a computer on the private side, that computer must have specifically asked for it, for example by requesting a web page. The router keeps a table of those outstanding requests and uses it to match replies to the computer that made them. Unsolicited traffic, such as a malicious hacker's probe, arrives at the public interface, the router finds no computer that requested it, and the traffic is simply dropped. It never reaches any computer on your network, which keeps them safe. Two caveats are worth knowing: strictly speaking NAT is an addressing mechanism rather than a firewall, and its protective effect only holds for ports you have not deliberately opened, so avoid setting up port forwarding (or leaving "UPnP" enabled, which lets programs open ports automatically) unless you need it. Broadband routers are relatively inexpensive ($50 - $150) and are highly recommended instead of plugging the broadband connection directly into the back of your computer.
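To make the "no computer asked for this" rule concrete, here is a toy model of the table a NAT router keeps. It is an added illustration, not code from the column or from any router; the addresses come from the documentation ranges and the port allocation is deliberately simplistic.

```powershell
# Added illustration (not the column's code): the connection table behind NAT.
# All addresses and ports below are made up for the example.
$PublicIp = '203.0.113.7'   # the router's internet-facing address
$NatTable = @{}             # key: "remoteIP:remotePort->publicPort", value: the PC that asked

# A PC on the private side sends a packet out. The router remembers who asked,
# rewrites the source to its own public address/port and forwards the packet.
function Send-Outbound {
    param([string]$PrivateIp, [int]$PrivatePort, [string]$RemoteIp, [int]$RemotePort)
    $publicPort = 40000 + $NatTable.Count            # naive port allocation
    $key = "$($RemoteIp):$($RemotePort)->$publicPort"
    $NatTable[$key] = @{ Ip = $PrivateIp; Port = $PrivatePort }   # mutates the shared table
    return $publicPort
}

# A packet arrives on the public side. Only a reply to something a PC requested
# has a matching table entry; anything else is discarded.
function Receive-Inbound {
    param([string]$SrcIp, [int]$SrcPort, [int]$DstPort)
    $key = "$($SrcIp):$($SrcPort)->$DstPort"
    if ($NatTable.ContainsKey($key)) {
        $pc = $NatTable[$key]
        return "FORWARD to $($pc.Ip):$($pc.Port)"
    }
    return "DROP (no computer on the private side asked for this)"
}

# 1. Your PC (192.168.1.10) fetches a web page from 198.51.100.20.
$port = Send-Outbound -PrivateIp '192.168.1.10' -PrivatePort 51000 `
                      -RemoteIp '198.51.100.20' -RemotePort 80

# 2. The web server's reply comes back to the port the router chose: it is forwarded.
Receive-Inbound -SrcIp '198.51.100.20' -SrcPort 80 -DstPort $port

# 3. An unsolicited probe from elsewhere on the internet to Remote Desktop: dropped.
Receive-Inbound -SrcIp '192.0.2.99' -SrcPort 4444 -DstPort 3389
```

Port forwarding and UPnP work by adding permanent entries to this table for a chosen port, which is exactly why they undo the protection for that port.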
Even though the router protects you from the internet, it is still a good idea to run a software firewall to protect you from threats within your own network. For example, if you have several computers on your network and one picks up a virus, a firewall on each of the others can stop it spreading to them. For this purpose the Windows Firewall (included with Windows XP SP2 and later) suffices, since all it needs to do is discard unwanted inbound traffic.
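If you want to confirm from a prompt that the two "set-and-forget" pieces of advice above are actually in force (inbound Windows Firewall on, Automatic Updates installing by itself), the script below does so. It is an added example rather than anything from the column; it reads the registry location where Windows Firewall stores its standard-profile switch and uses the Windows Update Agent COM object, both of which are standard on XP SP2/SP3 and later versions of Windows. Run it from an administrator prompt.

```powershell
# Added example (not the column's code): check inbound firewall and
# Automatic Updates settings. Works on XP SP2+ and later Windows versions.

function Get-InboundFirewallState {
    # Standard (non-domain) profile; EnableFirewall is 1 when the firewall is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $val = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    switch ($val) {
        1       { return 'On' }
        0       { return 'Off' }
        default { return 'Unknown (value not found)' }
    }
}

function Get-AutomaticUpdatesState {
    # Windows Update Agent API. NotificationLevel 4 means download and install
    # automatically, which is the "Automatic Updates" setting recommended above.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    switch ($au.Settings.NotificationLevel) {
        1       { return 'Disabled' }
        2       { return 'Notify before download' }
        3       { return 'Download, then notify before install' }
        4       { return 'Automatic (download and install)' }
        default { return 'Not configured' }
    }
}

$firewall = Get-InboundFirewallState
$updates  = Get-AutomaticUpdatesState

"Inbound Windows Firewall : $firewall"
"Automatic Updates        : $updates"

if ($firewall -ne 'On') {
    'WARNING: turn the Windows Firewall on (Control Panel > Windows Firewall).'
}
if ($updates -notlike 'Automatic*') {
    'WARNING: set Automatic Updates to download and install automatically.'
}
```

On Windows 8 and later the same firewall check is more conveniently done with Get-NetFirewallProfile, but the registry value above is still present there, so the script gives the same answer on either.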
Both the hardware and software firewalls are pretty much set-and-forget: they need no ongoing monitoring and just sit there silently doing their job, which is generally how you want them to operate (the one exception worth making is to check occasionally that your router has the latest firmware from its manufacturer). Hopefully this has provided some more insight into the firewall question. However, if you are still on a dial-up internet connection, you may wish to contact me again for further advice, since a hardware firewall is not an option there and we would need to look at additional software measures to ensure maximum protection.