One of the problems with personal firewalls is that most people using them don't understand the technology, so you'll see a lot of conversations on mailing lists in which people say they've been hacked, or this or that, when they haven't... Basically there is a ton of confusion. Sites like grc.com, while attempting to make things less confusing, also seem to miss the mark on understanding whether a personal firewall is good or not.

There are two things to think about when picking a personal firewall, because there are roughly two ways (there are more, but people don't use them) to implement firewall functionality in Windows. Here is a rough (missing a few pieces) layered example of how things fit together:

    network card
         |
         v
    NDIS Hooking / NDIS IM
         |
         v
    TDI
         |
         v
    Application

For those more technical... yes, I know I left things out.

So most personal firewalls are implemented either as NDIS Hooking (or some sideline IM-style thing) or TDI (Transport Driver Interface) mode drivers. With TDI you're at a higher level and you get packets after Windows has already put them back together for you, so you only get things like source IP, dst IP, src port, dst port, and the data from the packet. You can not, however, get packet options like headers etc. Also, you're limited to just TCP/UDP packets, although there are tricks you can do to get ICMP and a few other things in a raw format; you're still limited, however. The cool thing about TDI, though, is that you're able to know which applications are the ones communicating with what network traffic. So when someone tries to connect to an open port on your system you know what program is about to accept that connection and you can say yes or no. Most personal firewalls work at TDI (things like ZoneAlarm, Symantec's, etc.); that's why they pop up all the stuff about programs wanting to communicate.

Now if you use something like BlackICE you'll see it's not asking about what programs are communicating (at least in the last version I checked). That is because they are not implemented in TDI; they are implemented in NDIS/IM, which is closer to a real firewall. NDIS/IM is low enough that you don't know what applications are communicating; however, because you are so low you get everything completely raw, before Windows plays with it too much. That way you can protect against low-level IP stack DoS's like we've seen in the past.

BlackICE is probably one of the more well-known NDIS/IM personal firewalls. Also, Snort for Windows is implemented in NDIS, although it's not NDIS/IM (better known as NDIS hooking). Straight NDIS (what sniffers like Snort use) can only read packets off the wire in a raw form... they can't block them.

It really depends on what you're looking to secure, because both types of personal firewalls have good and bad points. TDI can interpret applications yet isn't low-level enough to give true protection from attacks... yet most TDI ones don't have IDS-style functionality, so they don't claim to stop attacks and more just claim to firewall... although the marketing reads differently. NDIS/IM is good because it's low-level, so you can stop almost any attack, etc., like BlackICE with its firewall stuff. However, it doesn't know what programs are communicating, which matters to some people.

I'm not really going to say which I like best, but hopefully this explains some of the technology a little better for you. Most personal firewalls are good... it all comes down to how they are managed.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
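The difference the post draws between the two layers (raw headers at NDIS level versus a reassembled 5-tuple plus data at TDI level) is easy to see in code. The following is an added example written for this page; it is not code from the original post, from eEye, or from any of the products mentioned, and it runs in user space rather than as a driver. It parses a constructed IPv4/TCP packet the way an NDIS-level filter would, keeping the IP header fields, and fills in the `tdi_view` sub-structure that is all a TDI-level filter would be handed. The struct and function names (`ndis_view`, `tdi_view`, `parse_raw_ipv4_tcp`, `sample_packet`) are hypothetical, and the sample packet bytes are constructed for the example. Process attribution, the thing only the TDI layer has, is not modeled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a TDI-level filter sees: addresses, ports and payload. The stack has
   already stripped and validated the headers before the data gets here. */
struct tdi_view {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    const uint8_t *data;
    size_t data_len;
};

/* What an NDIS-level filter sees: the raw IP header fields as well.
   (Hypothetical names for this example.) */
struct ndis_view {
    uint8_t  ihl, ttl, proto;
    uint16_t total_len, flags_frag, options_len;
    struct tdi_view inner;   /* the subset a TDI filter would get */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a raw IPv4/TCP packet (no link-layer header) as an NDIS-level
   filter would. Returns 0 on success, -1 if the headers are inconsistent.
   A packet rejected here is exactly the kind a TDI filter never sees,
   because the stack processes (or chokes on) it first. */
int parse_raw_ipv4_tcp(const uint8_t *pkt, size_t len, struct ndis_view *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    out->ihl = pkt[0] & 0x0f;
    size_t ip_hdr = (size_t)out->ihl * 4;
    if (ip_hdr < 20) return -1;                      /* IHL below minimum */
    out->total_len = be16(pkt + 2);
    out->flags_frag = be16(pkt + 6);
    out->ttl = pkt[8];
    out->proto = pkt[9];
    if (out->total_len > len || out->total_len < ip_hdr) return -1; /* length field lies */
    if (out->proto != 6) return -1;                  /* TCP only in this example */
    if ((out->flags_frag & 0x1fff) != 0) return -1;  /* non-first fragment carries no TCP header */
    out->options_len = (uint16_t)(ip_hdr - 20);      /* IP options: invisible at TDI level */
    if (out->total_len - ip_hdr < 20) return -1;     /* truncated TCP header */
    const uint8_t *tcp = pkt + ip_hdr;
    size_t tcp_hdr = (size_t)(tcp[12] >> 4) * 4;
    if (tcp_hdr < 20 || ip_hdr + tcp_hdr > out->total_len) return -1;
    out->inner.src_ip   = be32(pkt + 12);
    out->inner.dst_ip   = be32(pkt + 16);
    out->inner.src_port = be16(tcp);
    out->inner.dst_port = be16(tcp + 2);
    out->inner.data     = tcp + tcp_hdr;
    out->inner.data_len = out->total_len - ip_hdr - tcp_hdr;
    return 0;
}

/* Constructed sample packet: 10.0.0.1:40000 -> 10.0.0.2:80, PSH/ACK,
   TTL 64, no IP options, payload "GET /". Checksums are left zero. */
const uint8_t sample_packet[45] = {
    0x45, 0x00, 0x00, 0x2d, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x9c, 0x40, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x18, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    'G', 'E', 'T', ' ', '/'
};
const size_t sample_packet_len = sizeof(sample_packet);

int main(void)
{
    struct ndis_view v;
    if (parse_raw_ipv4_tcp(sample_packet, sample_packet_len, &v) != 0) {
        puts("NDIS level: malformed headers, dropped before the stack sees them");
        return 1;
    }
    printf("NDIS level: ihl=%u ttl=%u options=%u bytes total_len=%u\n",
           v.ihl, v.ttl, v.options_len, v.total_len);
    printf("TDI level:  %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u, %zu data bytes\n",
           v.inner.src_ip >> 24, (v.inner.src_ip >> 16) & 0xff,
           (v.inner.src_ip >> 8) & 0xff, v.inner.src_ip & 0xff, v.inner.src_port,
           v.inner.dst_ip >> 24, (v.inner.dst_ip >> 16) & 0xff,
           (v.inner.dst_ip >> 8) & 0xff, v.inner.dst_ip & 0xff, v.inner.dst_port,
           v.inner.data_len);
    return 0;
}
```

Flipping the first byte of `sample_packet` to 0x4f (IHL claiming 60 header bytes in a 45-byte packet) or raising the total-length field above the buffer size makes `parse_raw_ipv4_tcp` return -1: those header-level inconsistencies are decidable only with the raw packet in hand, which is the post's point about where NDIS/IM and TDI filters differ.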
