It is an unfortunate
reality that, if you connect to the Internet and haven't
done anything to protect your machine, you are a target
and you will be attacked. How much damage you sustain
depends on the configuration of your computer and the
skill and aims of the attacker. One way to protect your computer
is to use a hardware router such as the LinkSys which I
reviewed earlier this year (see opcug.ottawa.com/reviews/etherfast.htm).
Another option is to use a personal firewall product or
an intrusion detection system (IDS). I've reviewed a
couple of these programs over the past few years.
Firewalls started out at
the corporate level a number of years ago. They were
complex to configure and typically very expensive.
Fortunately, vendors realized the need to provide a cost-effective
solution for home use. Unfortunately, unless you know
what you should be looking for, it can be difficult to
pick out the product that protects adequately. You can
get a false sense of security if you choose poorly.
An intrusion detection
system (IDS), such as BlackICE Defender, looks for known
attack patterns. If you want configurable protection, an
IDS is generally a poor choice. It will rarely allow you
to block all traffic initiated from the Internet and will
almost never block outbound traffic. But it does provide
protection from the specific attacks it knows about.
Inadequate as your sole protection, in combination with a
firewall, an IDS can be very valuable.
Most personal firewalls
are packet filters. They look in the header of packets
for the source and destination addresses and port numbers
and protocol. Based on this information, they allow or
deny traffic according to rules, either automatically
configured or configured by the user.
A stateful inspection
firewall goes further by also looking inside the packets
and examining them in context. It can do things
like detect HTTP (web) traffic on non-standard ports or
block a particular combination of FTP PORT commands that
you decide you don't want to allow. It is the most
powerful type of firewall, as well as the most difficult
to configure. I don't know of any personal firewall
products that do stateful inspection.
Some personal firewalls
have a learning mode that can detect inbound and outbound
traffic and ask you if you want to allow the traffic.
Lack of learning mode generally means that the software
allows all outbound traffic. This can be dangerous. If
you somehow get a trojan program installed on your
machine, it can initiate a connection to an attacker's
computer. The attacker can use the connection to do
anything their trojan program is designed to do, such as
remote control of your computer. Your firewall allows the
traffic because your computer initiated the connection.
PGPfire 7.1, part of the
PGP suite of security tools, seems to be a very nice
balance of the various firewall options available to home
users. It has an IDS and an easy-to-configure packet
filter firewall. It has some base configurations with
varying degrees of protection and a learning mode to
handle traffic not covered by an existing rule.
When PGPfire is first
installed, the firewall is disabled, which seemed a
little strange to me. Once enabled, all traffic in and
out of your computer is blocked unless covered by a rule.
You can select from any
of the predefined firewall settings or choose to create a
custom configuration. The predefined levels are "minimal",
two client levels, two server levels, and the default -
"Learning Starter". The manual gives a good
description of the levels. Any of the predefined levels
may also be used as a starting point for a custom
configuration, speeding overall configuration.
With learning mode turned
on, when a program on your computer tries to access a
remote address for the first time, PGPfire displays a
dialog box with the application name and path, version
number and vendor. It reports the IP address and port
number the app is trying to access along with the name of
the service typically used by that port, such as FTP for
port 21 or World Wide Web for port 80. You choose to
allow or deny the access. PGPfire then creates a rule to
handle this application accordingly in the future.
If someone or something
is trying to connect to your computer, the pop-up
notification identifies the local program the remote
process is trying to connect to along with the remote and
local port numbers and the remote IP address. You can
allow or deny the connection and a rule is created for
the application being accessed.
PGPfire considers more
than just the application name and will not automatically
permit access if the program is not the same as when the
rule was created. This is good protection against a
trojan program being substituted for a trusted
application.
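The page does not say how PGPfire decides that a program "is not the same as when the rule was created". The following is an added example, not PGPfire's code, showing one common way to get that protection: key the learned rule on a content hash of the executable as well as its path, and fall back to asking the user whenever the file on disk no longer matches. The file names and the use of SHA-256 are my assumptions; the scenario in `demo()` is constructed.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """SHA-256 of the file's bytes (assumed scheme; any strong hash would do)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AppRules:
    """Per-application allow/deny rules keyed on path *and* content fingerprint."""

    def __init__(self):
        self._rules = {}  # path -> (fingerprint at rule creation, allow?)

    def learn(self, path, allow):
        """Record the user's decision together with the executable's current hash."""
        self._rules[path] = (fingerprint(path), allow)

    def check(self, path):
        """Return 'allow', 'deny' or 'ask'.

        'ask' means either no rule exists yet, or the binary at `path` differs
        from the one the rule was created for, so the old decision is not reused.
        """
        rule = self._rules.get(path)
        if rule is None:
            return "ask"
        expected, allow = rule
        if fingerprint(path) != expected:
            return "ask"  # same name, different program: do not trust the old rule
        return "allow" if allow else "deny"


def demo():
    """Constructed scenario: a trusted program is replaced on disk by another binary."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "mailclient.exe")  # constructed path
    with open(exe, "wb") as f:
        f.write(b"original mail client bytes")
    rules = AppRules()
    rules.learn(exe, allow=True)
    before = rules.check(exe)               # "allow": file unchanged since the rule was made
    with open(exe, "wb") as f:
        f.write(b"something else using the mail client's name")
    after = rules.check(exe)                # "ask": hash no longer matches
    return before, after


if __name__ == "__main__":
    print(demo())
```

A path-only rule would have returned "allow" both times; the hash is what turns a substituted program into a fresh prompt.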
You should review any
automatically-created rule. They are typically pretty
broad rules and this may not be what you really want to
permit. By default, the rule will allow traffic to or
from the specified local application (depending on
whether the connection was initiated by the application
on your local machine or from a remote address) with any
external IP address using any protocol and any port.
While this is usually OK, it is worth considering.
Fortunately, it is quite simple to modify rules.
To edit the properties
for a rule, double-click the rule in the rules list. You
can specify if the rule allows or blocks traffic. You can
set the protocol (ICMP, IGMP, TCP, UDP, IPsec ESP, IPsec
AH, or All), and the direction (inbound, outbound
traffic, or both). If applicable, you can specify the
local application you want to allow to access remote
resources or allow connections from the network. You can
specify the local or remote service by service name or
port. This is not a stateful inspection firewall. The
list of services is there as a convenience so that you
don't have to remember things like a POP3 service
normally uses port 110. When you specify a service, you
are really specifying the port number. You can restrict
the remote IP address this rule applies to by specifying
a single address, a range of addresses or a complete
subnet.
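To make the packet-filter description earlier in the review and the rule properties just listed concrete, here is an added example (my own code, not PGPfire's) of a default-deny filter whose rules carry the same fields: action, protocol, direction, local application, local and remote port, and a remote address given as a single address, a range or a subnet. Service names are resolved to port numbers before matching, which is all a packet filter can do with them. The service table, program path and addresses are constructed; `demo()` contrasts the broad rule learning mode would create with the same rule after it has been narrowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Service names are a convenience: matching is on the port number only
# (constructed table with a handful of entries).
SERVICES = {"ftp": 21, "smtp": 25, "http": 80, "pop3": 110}


@dataclass
class Packet:
    protocol: str        # "tcp", "udp", "icmp", ...
    direction: str       # "in" (remote initiated) or "out" (local initiated)
    app: str             # local program handling the connection
    local_port: int
    remote_port: int
    remote_ip: str


@dataclass
class Rule:
    action: str                     # "allow" or "block"
    protocol: str = "all"
    direction: str = "both"
    app: Optional[str] = None       # None = any local application
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    remote: Optional[str] = None    # None = any; "a.b.c.d", "a.b.c.d-e.f.g.h" or CIDR

    def matches(self, p: Packet) -> bool:
        if self.protocol != "all" and self.protocol != p.protocol:
            return False
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.app is not None and self.app != p.app:
            return False
        if self.local_port is not None and self.local_port != p.local_port:
            return False
        if self.remote_port is not None and self.remote_port != p.remote_port:
            return False
        return remote_matches(self.remote, p.remote_ip)


def port(service_or_number):
    """Accept a service name or a port number; a name is just a table lookup."""
    if isinstance(service_or_number, int):
        return service_or_number
    return SERVICES[service_or_number.lower()]


def remote_matches(spec, ip):
    """Single address, dash-separated inclusive range, or CIDR subnet."""
    if spec is None:
        return True
    addr = ip_address(ip)
    if "/" in spec:
        return addr in ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ip_address(s.strip()) for s in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ip_address(spec)


def decide(rules, p):
    """First matching rule wins; a packet no rule covers is blocked (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


def demo():
    mail = r"C:\Program Files\Mail\mail.exe"   # constructed path
    # As learning mode would create it: this app, outbound, any protocol/port/remote.
    broad = [Rule("allow", direction="out", app=mail)]
    # The same rule after narrowing it to POP3 and SMTP on the ISP's subnet.
    narrow = [
        Rule("allow", "tcp", "out", mail, remote_port=port("pop3"), remote="192.0.2.0/24"),
        Rule("allow", "tcp", "out", mail, remote_port=port("smtp"), remote="192.0.2.0/24"),
    ]
    legit = Packet("tcp", "out", mail, 1025, 110, "192.0.2.10")
    odd = Packet("tcp", "out", mail, 1026, 6667, "198.51.100.7")
    return (decide(broad, legit), decide(broad, odd),
            decide(narrow, legit), decide(narrow, odd))


if __name__ == "__main__":
    print(demo())
```

The broad rule allows both connections; only the narrowed rule blocks the mail program talking to an unrelated port and address, which is the point of reviewing automatically-created rules.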
One thing that PGPfire
does not provide that some other personal firewall
products do is to permit or deny access for a limited
time or current connection only. PGPfire rules stay in
effect until you manually change the rule by modifying,
disabling or deleting it.
PGPfire also has an
Intrusion Detection System. While nowhere near as
comprehensive as a dedicated IDS such as BlackICE
Defender, it is a handy addition to this package. The
manual lists 17 attacks the IDS can protect you from,
including Back Orifice, IP Spoofing, Ping of Death, Port
Scanning, Smurf, and Winnuke. There is no indication of
any way that this list can be updated to cover new attack
types. If you choose, any of the filter rules on the
Firewall tab can be set to be considered an intrusion.
You can configure the IDS
to block the attacking source for a specified number of
minutes or until you manually clear it. PGPfire can also
send you an email about the attack and provide a visible
or audible alarm. While I personally think it is a waste
of time, you can also attempt to trace an attacker.
PGPfire can attempt to find out the DNS and NetBIOS names.
If the attacker is running services, PGPfire can pick up
the banner from Telnet, FTP and SMTP services as well as
the HTTP version. Finally, it will run a WHOIS to attempt
to learn more about the attacker.
You can also manually add
addresses to the Intruder list if you want to block all
traffic between your computer and a particular host.
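The two IDS behaviours described above, blocking an attacking source for a set number of minutes (or until cleared) and manually adding hosts to the Intruder list, can be illustrated with a small detector. This is an added example of my own, not PGPfire's code, and the port-scan heuristic (more than ten distinct local ports from one source inside thirty seconds) is an assumption; the page does not say how PGPfire recognises a scan. The events in `demo()` are constructed.

```python
from collections import defaultdict, deque


class Intruders:
    """Blocked-source list with per-entry expiry; None means 'until manually cleared'."""

    def __init__(self):
        self._until = {}  # ip -> expiry time in seconds, or None

    def block(self, ip, now, minutes=None):
        self._until[ip] = None if minutes is None else now + 60 * minutes

    def clear(self, ip):
        self._until.pop(ip, None)

    def is_blocked(self, ip, now):
        if ip not in self._until:
            return False
        exp = self._until[ip]
        if exp is not None and now >= exp:
            del self._until[ip]  # the timed block has lapsed
            return False
        return True


class PortScanDetector:
    """Flags a source touching more than `threshold` distinct local ports within
    `window` seconds (assumed heuristic) and blocks it for `block_minutes`."""

    def __init__(self, intruders, threshold=10, window=30.0, block_minutes=10):
        self.intruders = intruders
        self.threshold = threshold
        self.window = window
        self.block_minutes = block_minutes
        self._seen = defaultdict(deque)  # ip -> deque of (time, local port)

    def observe(self, ip, port, now):
        """Record one inbound connection attempt; True if it triggered a new block."""
        if self.intruders.is_blocked(ip, now):
            return False  # already on the Intruder list, nothing new to do
        q = self._seen[ip]
        q.append((now, port))
        while q and now - q[0][0] > self.window:
            q.popleft()  # drop attempts older than the window
        if len({p for _, p in q}) > self.threshold:
            self.intruders.block(ip, now, self.block_minutes)
            q.clear()
            return True
        return False


def demo():
    """Constructed events: one source sweeps ports 1..12 in about a second,
    another host makes a single normal connection to port 80."""
    intr = Intruders()
    det = PortScanDetector(intr, threshold=10, window=30, block_minutes=10)
    events = [("203.0.113.5", p, 100.0 + p * 0.1) for p in range(1, 13)]
    events.append(("198.51.100.2", 80, 101.0))
    triggered = [ip for ip, port, t in events if det.observe(ip, port, t)]
    still_blocked = intr.is_blocked("203.0.113.5", 100.0 + 5 * 60)   # 5 min later
    expired = intr.is_blocked("203.0.113.5", 100.0 + 11 * 60)        # 11 min later
    return triggered, still_blocked, expired


if __name__ == "__main__":
    print(demo())
```

A manual entry is the same list with `minutes=None`, which never expires until `clear()` is called, matching the "until you manually clear it" option.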
PGPfire 7.1 requires a
minimum of a Pentium 166 with 32MB RAM running Win98/ME
or 64MB RAM running WinNT4/2K. On my Win2K system, it
generally uses about 4MB RAM and about 10MB disk space.
CPU utilization is minimal. The price is CAN$105 from the
PGP web site. A 30-day trial version may be downloaded
from www.pgp.com.
All in all, I think
PGPfire is a very nice personal firewall. Is it worth
spending $105 when there are "free for personal use"
firewalls available, such as Zone Alarm and Tiny Personal
Firewall? Check the feature list of those other products.
If they satisfy all your requirements, there is little
reason to spend money on PGPfire. But don't underestimate
your needs when protecting your computer.
Bottom Line:
PGPfire 7.1
CAN$105
http://www.pgp.com
Originally published: September, 2001