Network Security Software Review: Agnitum Outpost Firewall versus ZoneAlarm Personal Firewall
By Angsuman Chakraborty, Gaea News Network, Saturday, April 22, 2006
I am unable to use ZoneAlarm Personal Firewall as it proved incompatible with my ASRock motherboard, so I switched to Agnitum Outpost Firewall. This review is the result of one month of experience using Agnitum Outpost Firewall and several years of experience using ZoneAlarm Personal Firewall.
Agnitum Outpost Firewall is a strange beast. It shines on several fronts, such as allowing fine-grained rules for each application: you can block inbound or outbound connections, block IP addresses or hosts, block by protocol, and so on. ZoneAlarm, in contrast, only lets you configure whether you trust the application to act as a client or a server on the local network and/or the internet. However, the increased control of Agnitum comes packaged with some serious usability issues and bugs.
The key value of ZoneAlarm is that it distinguishes the local network from the internet and allows separate policies for each. Agnitum Outpost Firewall simply lacks this concept, which makes it very clumsy to use.
Configuring ZoneAlarm Personal Firewall
In ZoneAlarm I can specify strict firewall policies and stealth mode for the internet, while on the other hand making my machine visible to other machines on the local network without any issues. ZoneAlarm automatically identifies my external interface and configures it accordingly.
Configuring Agnitum Outpost Firewall
In Agnitum Outpost it is much harder to achieve the same goal. Agnitum allows you to trust an application. By trust it means that the application can act as a client as well as a server and can freely receive connections from the external as well as the internal network. This is pretty useless unless you want your application to act as a server on the internet. So you have to configure policies for each application individually. I tried to configure each application (which is a royal pain you know where) to be able to connect to the internal network by specifying an IP mask and specifically allowing inbound and outbound connections. So far so good. Now I need to specify no inbound connections from other IP addresses or elsewhere. A general policy to block all incoming requests cannot be achieved, as such a rule strangely blocks incoming requests from the permitted network too.
Agnitum misses a few simple yet essential rules for building a rule-based firewall:
- Firewall rules should have a fixed order of execution. Apparently it is random, based on my experiments.
- Otherwise, they should have a specifiable order of priority. For example, we should be able to evaluate allow rules before deny rules. Check Apache httpd for an excellent implementation of this idea in a different domain.
- An IP address mask should be specifiable as inclusive as well as exclusive.
This makes their excellent idea pretty unusable. So if you are using only Agnitum, you are forced to explicitly block requests whenever any external network tries to connect to your applications.
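As an added illustration (not part of the original review, and not Outpost's or ZoneAlarm's own code), the following Python models the three points above: rules evaluated in a fixed first-match order, an allow rule that must come before a deny rule, and an exclusive ("not on this subnet") mask that removes the ordering problem entirely. The LAN prefix 192.168.1.0/24 and the peer addresses are constructed examples.

```python
"""Ordered, first-match firewall rule evaluation (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "inbound", "outbound" or "any"
    network: str           # CIDR the remote address is matched against
    negate: bool = False   # True = match addresses OUTSIDE the network (exclusive mask)

    def matches(self, direction: str, remote: str) -> bool:
        if self.direction not in ("any", direction):
            return False
        inside = ipaddress.ip_address(remote) in ipaddress.ip_network(self.network)
        return inside != self.negate


def decide(rules: List[Rule], direction: str, remote: str, default: str = "allow") -> str:
    """First matching rule wins; evaluation order is exactly the list order.

    `default` models the per-application 'trust' setting that applies when no
    explicit rule matches.
    """
    for rule in rules:
        if rule.matches(direction, remote):
            return rule.action
    return default


# Constructed policy: trust the LAN for inbound connections, refuse all other inbound.
LAN = "192.168.1.0/24"
ALLOW_LAN = Rule("allow", "inbound", LAN)
DENY_ALL_IN = Rule("deny", "inbound", "0.0.0.0/0")
# Exclusive form: one rule that denies inbound from any address *not* on the LAN.
DENY_NON_LAN = Rule("deny", "inbound", LAN, negate=True)

GOOD_ORDER = [ALLOW_LAN, DENY_ALL_IN]   # allow evaluated before deny: LAN works
BAD_ORDER = [DENY_ALL_IN, ALLOW_LAN]    # deny-all shadows the LAN allow rule
EXCLUSIVE = [DENY_NON_LAN]              # correct regardless of rule order

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER), ("exclusive", EXCLUSIVE)):
        lan = decide(rules, "inbound", "192.168.1.20")
        wan = decide(rules, "inbound", "203.0.113.7")
        print(f"{name:9s} LAN peer -> {lan:5s}  internet peer -> {wan}")
```

With an unordered rule set the outcome for the LAN peer depends on which of the two rules happens to be evaluated first, which is the behaviour the review describes.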
Also, it appears to forget rules sometimes, though I haven't been able to pinpoint the exact condition to make it repeatable.
On the positive side, Agnitum features adaptive blocking. It can apparently block Denial-of-Service attacks.
It can block ICMP pings, but unlike ZoneAlarm it is an all-or-nothing proposition.
Agnitum Outpost Firewall features keyword-based (in URL or content) web page blocking (ZoneAlarm Personal Firewall doesn't). Unfortunately, you cannot configure it to exclude certain IP addresses or to block certain IP addresses only.
It has a nifty DNS cache.
ZoneAlarm integrates with certain virus scanners (not your free AVG or ClamWin).
Both provide slightly different but very basic email protection.
In conclusion, ZoneAlarm firewall is very well suited for normal computer users without security expertise. Agnitum firewall offers more for security experts but at times can be seriously frustrating. Overall, ZoneAlarm Personal Firewall wins as it provides a usable and easily configurable firewall for all. Agnitum Outpost Firewall has the potential to beat ZoneAlarm by leaps and bounds if only it can fix its awkward and unusable configuration options and allow policies per network interface.