Best firewall

What is the best firewall, and do I need it when I use my computer extensively on the Internet with broadband access? I heard good things about Zone Alarm, Black Ice and Trend PC-cillin. Which one of these provides the best security?

Hello bigdg =)

I trust McAfee Firewall as I have personally used and tested it :)
After that PC-cillin is the best choice, and then Zone Alarm or Sygate if you prefer freeware :)
Pete Long, Technical Consultant, commented:
Difficult subject :)

Depends on a number of factors

1. hardware or software?
2. how much?
3. What do you want to protect
4. Personal opinion

Reading your question, I'm guessing that this is a home PC, so unless you have firewall capability built into your existing broadband access, a hardware firewall is a big cash outlay and more difficult to install (unless you have a spare PC and want to use Smoothwall on it, as it's free).

In your situation I'd say you need to be looking at a software firewall (unless you have important/sensitive stuff you simply "Have to Protect" that you haven't mentioned).

Everyone has a personal preference. In my case I'd say Zone Alarm; you can still pick up the free version, but to be honest the free one is not that good and has very little functionality. Look at Zone Alarm Pro: yes, it costs, but not a lot, and you can configure it to do what you want or set it to "I'm a technophobe" mode and let it do everything for you. I can say hand on heart I would not recommend Black Ice, as it's more of an IP filtering solution than a firewall (sorry to all the Black Ice fans :)

Firewalls (Hardware or Software?)

Software Firewalls

The basic version is still free!
Zone Labs offers a complete range of firewall products, from the free ZoneAlarm, to the comprehensive protection of ZoneAlarm Plus, to the ultimate privacy and security tools in ZoneAlarm Pro.

Black Ice Defender   <---- for info only - I don't recommend
BlackICE teams a personal firewall with an advanced intrusion detection system to constantly watch your Internet connections for suspicious behaviour.

Symantec's Norton™ Personal Firewall
Keeps hackers out and personal data in. It makes robust firewall protection easy by automatically hiding your PC on the Internet and blocking suspicious connections. Norton Personal Firewall also protects your privacy by preventing confidential information from being sent out without your knowledge.

McAfee Personal Firewall
Personal Firewall places a barrier between the Internet and your PC, helping to block hackers from accessing your computer and allowing you to digitally 'fingerprint' trusted applications. Every time your computer is probed or attacked, you get detailed reports and clear follow-up options.

Hardware Firewalls

Cisco PIX
The world-leading Cisco PIX® Security Appliance Series provides robust, enterprise-class, integrated network security services including stateful inspection firewalling, protocol and application inspection, virtual private networking (VPN), in-line intrusion protection, and rich multimedia and voice security, in cost-effective, easy-to-deploy solutions.

SonicWALL Internet firewall/VPN security appliances support an array of security applications and deliver powerful firewall and VPN performance. SonicWALL appliances are built on stateful inspection firewall technology, and a dedicated security ASIC designed to ensure maximum performance for VPN enabled applications.

3Com perimeter firewalls and website filters cost-efficiently secure Internet access and give IT managers a critical first line of defence against network attacks and unauthorized access. For protecting the perimeter of your network, choose the 3Com® SuperStack® 3 Firewall for enterprise


Good answer PeteLong.

One thing to add - you didn't give the link for smoothwall :)

It'll run on almost anything, though you'd want to check compatibility for LAN cards. It takes 20 mins to install off a CD image downloadable for free off the net. It runs on a Linux kernel (cut-down version of Red Hat, I think) and is easily configured through a simple GUI which runs through a browser, so you don't need to be a Linux guru.

Probably overkill if you only want to protect a typical home PC.

Agree on Black Ice - I don't like it at all - nuff said, nothing personal :)
The free version of ZoneAlarm tends to slow down most machines I've run it on and is resource intensive. Never used the Pro version, so can't comment.

The Trend stuff is quite good - I like PCcillin as SheharyaarSaahil mentioned.

My 0.02 :)
Two Linux firewalls (if you still have an old spare 486)
Pete Long, Technical Consultant, commented:
mellowmarquis thanQ - and thanks for posting the link
"Norton Internet Security" is the BEST firewall ever made.
Pete Long, Technical Consultant, commented:
Now there's a bold statement <grin>

How many concurrent triple DES VPN clients does it support?
How many DMZs will it support?
Is it ITSEC E3/E4 compliant?


Yeah, good comment Pete about Norton Anti Virus.  Should ask about triple DES, and AES, plus SHA-1 or MD5 hash and what Diffie Hellman groups are supported.  OK, I'm rambling.
A good, relatively unknown personal firewall is Kaspersky (although the name's getting around). I rate it; try it here: -

Personally I use a combination of hardware and software firewall. I use a Linksys router with a built-in 4 port switch so I can share high speed, and it makes you "stealth" to the outside world. For a software firewall, ZoneAlarm free does everything I need it to do. Take a look here for more info on software firewalls:
Pete Long, Technical Consultant, commented:
Mandrake has a free linux based Multi-network firewall and is working on a new one based on 2.6 kernel currently in beta.

- kernel 2.6
- static routes
- network cards aliases
- vlan

- pptp
- openvpn
- strongswan/openswan replaces the no longer maintained freeswan
- traffic shaping (the wondershaper script)
- ecn support
- netmap
- kazaa filtering (ftwall project)
- the dhcp and proxy servers now support several networks
- bridging
- bonding
- mandrakeonline support for updates
I've heard good things about watchguard firewalls
I use Sygate Personal Firewall Pro and it hasn't failed me yet.
Also, rated as one of the best by PCWorld Magazine.


You could try Kerio personal firewall at some guys swear by it...some at it!!
I would agree with this big time. However, I would like to state here that the Computer Associates E-Trust Firewall is also a fantastic option and comes free with the Windows XP Service Pack 1 CD. This firewall is basically a rip of the ZoneAlarm firewall but is done in a neat manner and hasn't failed me ever. On the other hand, I would also suggest this thing called Tiny Firewall. This thing is very basic and does most things that a standard firewall would do... if you are a technical person and you're smart enough at restraining yourself from using stupid things like P2P software and installing spyware applications and search bars, then this firewall would do good for you... elegant and simple.. that's how I would describe it... and the best part is that it's free of cost and, like the name says, it's less than an MB in size and makes use of very few system resources.


Dilip Muralidaran

First of all, I want to correct that Linux has only one firewall. What you are naming are the configuration tools.

The firewall in Linux is a part of the Linux kernel. That's what makes it so powerful, since networking is also part of that same kernel. Programs like ZoneAlarm work like a buffer between the Windows kernel and the application running. I would say that for firewalls you can never have overkill, because that depends on which hacker is passing by. Since the Linux kernel firewall (called iptables in 2.4 and 2.6 kernels) is free and simply the most powerful possible, besides maybe BSD, which uses a similar approach.

The problem with Linux (and BSD as well, I believe) is that they are very difficult to configure; that's why there are several tools designed to make this kernel hacking a bit easier. I myself use narc, since it uses a simple-to-use single config file which can be edited by hand. It also uses that same file for sharing internet (also a built-in part of the Linux kernel), so it's an all-in-one solution for simply sharing your internet and protecting it at the kernel level, and it also supports forwarding, which will make certain ports function as if they were directly connected to the local computer. The big advantage is that it is small and text-based and can be run on even the slowest computers, like an old Pentium 133. I wouldn't use a 486 because they use ISA slots and they will knock down your internet speed. Seen it myself, slowing my 400kb/s down to 30kb/s. Also don't use graphic ****; it will slow down your speed.

I have used narc now for almost 2 years and it's very easy to use. It works with almost every stock kernel, but some distros might need a recompile of the kernel (better switch distro in that case). You can find more info on the narc website:

It's simple, free, fast, non-interrupting and requires no more knowledge than that you know what IP, DMZ and ports are. That's it. BTW, RedHat 9 is a perfect start for Linux newbies. Its kernel is compatible with narc and it has an easy setup.

That's what I advise people when they want to share internet and have it protected way better than those standard router boxes. It gives more freedom in what to open, close, and stealth. Hope it will help someone; give it a try, it's free! And don't forget that by setting up a dedicated firewall with an old computer you are relieving your work PC(s) from a firewall, since their inbound/outbound traffic is already scanned, so you have more memory for your favorite online game or whatever you do on the internet. Also, you could run a web/FTP server on it if allowed by your ISP. Also, there is no limit on the number of computers you are putting behind your firewall since it's commercial like Norton is. Just use 2 network cards and a switch; put one to your broadband and one to your switch, install RedHat 9, download narc, follow the instructions, and edit the config file the way you want it. Everything closed and only the ports that really need to make a connection to you open is a very good method, like port 4223 for edonkey and 6112 for hosting games.

Hope this helps anyone. For more questions, post them here and also check the newbie lessons on (that's where I started). They help you get a good lift-off on your way to becoming a Linux guru.

Docey, The Netherlands.
Sorry for my bad English sometimes.
Hope you make sense out of it.
And of course I mean NOT commercial like Norton.

No offence, but sometimes you need to know the better solution.
Haven't seen Windows working on the kernel level yet?

cYa! Docey.
(damn its time to go to bed its getting light outside already)
hi there,
you can try Internet Security 2005, which comes with Antivirus and Firewall. It works fine for home users.
Mark Strevens commented:
Zone Alarm:
I've experienced problems with stability on business systems.

Agnitum Outpost
Recent upgrade appeared to cause problems, more verbose and apparently more intrusive.

Now using this behind a hardware firewall and has worked well but less friendly than the above.

Used this in office environments, confused non-expert staff.

My general experience is positive of all four so these are qualifying comments - low cost and improve security.
If you are experienced I'd  go Kerio, if not Outpost or Zone Alarm.
This is a question on Docey's comments.

I like the idea of using old machines with Linux as firewall, but I would like to expand on Docey's comment of not using 486 machines. I imagine that the problem is not the ISA slot, but finding a LAN card able to work at a reasonable speed. Why should a 486 machine with a 10 mbps NIC reduce your speed down to 30 kbps?

Still another question: is Linux RH 9 a good option for such a 486 machine? I mean, disk space and memory are limited in such machines.

Here's a good one that a friend of mine has tried with success:
Alan Silverman, Owner, commented:
I have two personal solutions to this problem.  I was wondering if you see any drawbacks to them.
First, for machines running Windows XP, I like the firewall that comes with the Windows XP SP2 update. It doesn't ask you a lot of questions, it's free, and it hasn't (yet) screwed up like a lot of software firewalls I've tried.
For XP users, why would anyone buy a software firewall anymore when this one is free?
Second, hardware firewalls come with most routers and routers are a dime a dozen these days, especially wired ones.  I've even gotten wireless 4 port routers for as little as $10 after rebates.  Assuming that you have broadband, you can hook up a router to your broadband modem and just use it as a firewall for a single PC.
I'm not a fan of either Norton Internet Security or any of the McAfee products or Zone Alarm either.  I've seen them all mess up, stopping my customers from accessing the Internet at all, asking intricate questions about allowing this or that application access to the Internet, or just using too much system resource to run.  
Does anyone see any problems with my two solutions, Windows XP firewall and a router?
It seems that this has turned into a personal preference look at what firewalls are out there. Being that I find myself repairing all sorts of systems and maintaining
many different types of firewall products, I would have to say this. If you are feeling filthy rich with money to burn, go with a software-controlled hardware firewall; you can't
beat them. Now for the rest of us blue collar folks, I would say if it's in your budget (and they're not too expensive nowadays) go with the router; it is a good start to help mask
your internet connection, but remember it's only a mask; if your system is broadcasting it won't do you any good. Now as far as software firewalls go, I'm a true believer you
need one; I make a good portion of my living from those that don't. That being said, if you are only going to use the Windows XP firewall and tread with no fear all over
the net downloading everything, you'd better put your local tech on retainer; this firewall barely meets the minimum requirement to even be called a firewall. I would agree
that Service Pack 2 went leaps and bounds over the original to make it better, but it is still lacking to say the least. If you want a good firewall, it's going to be in your face and a
huge pain in the butt to set up, to make sure that every program that is connecting to the net is monitored and has a rule created for it. This is not the XP SP2 firewall.
Now the next famous one, I would say, is Norton Internet Security. What can we say about this program that hasn't already been said? Avoid it, don't use it; if something does
get past it, with 100 hundred plus lines in your registry it's gonna kill your system. This is the number one system that I come across, hands down, that kills your system for
no other reason besides worse coding than Microsoft itself. This is the only one that I have come across that corrupts your system from just getting its own update, little on
what it does when you run the Windows update. I make a good living off this one. The next most popular that I come across is McAfee; not my personal favorite, but I have
to give them credit, they have come a long way in the past couple of versions: far more stable than it used to be, a decent firewall when set up properly, a little messy in the
configuration, and uses a fair amount of resources. The freeware and the bought versions of ZoneAlarm are so different from one another for one reason: one's free, one's
not; you get what you pay for. The free version is more the test bed for ideas for the paid-for one; it has glitches and hogs the resources on most systems. The paid-for one, on
the other hand, is a decent setup, but again I have found that it conflicts, like the free one, more times than I can count, and needs a little more skill to get around these conflicts when
they occur. Then we get to the ones that I find myself recommending: they are Trend Micro's PC-cillin and Panda Internet Security. These two programs have great in-your-face
redundant email scanning for incoming and outgoing. If you find yourself keeping a lot of unread email in your inbox, you're not going to like Panda; it scans all of these
every time you load the email program. From a tech's point of view this is great; from a user's point of view it's slow and annoying, and they tend to turn off the email scanning feature.
Otherwise Panda, when set up, is a formidable firewall with easy setup and advanced features, great for the person that wants great security with adaptability, also having the
wizards for those that don't know as much. The downside of Panda is their support: they are a great company, but measure your response in lunar cycles, not hours. Still one of my
more favorite programs for the well informed. Now for PC-cillin: by far, again, one of the best I have come across, easily set up but still having the features for the more well
informed to customize it to any setting. This program has a simple, straightforward layout with tech support that is one of the best I have come across (but the program is so
simple you don't need it). Then the price is one of the lowest out there for an antivirus/firewall combination that I have come across with the features of this program.
So in closing, I would have to say that a good firewall is going to require an investment in time to properly set it up. If you are just going to install it and walk away, this is
not going to be a good firewall; they're going to scan your system for internet-connecting programs or ask you to identify every program that connects to the net. You are going
to have to set up port settings for any P2P program out there to allow it to connect; this also goes for any good routers. You will have to set port settings for FTP and
video conference, and even sometimes for QuickTime and any other streaming video or audio program that's not using port 80 (web). So if you complain about how hard it is or
how annoying it is, that is normally a sign of a better, more secure setup. If you find it's a breeze to set up, just using the install, does a quick scan and all your programs pass
through it, what's it protecting then?

I have used other programs like Sygate and Kerio, but I would have to agree with bookmark: if you are asking this question and setting this up for a home system,
these setups are quite involved and fairly advanced to set up correctly. (But when set up correctly they're tough to get around and require considerably more
knowledge to keep them running; designed by the IT type for the IT type.)

Also a word of caution: if you have not run a firewall before, make sure to disconnect your internet connection and shut down your software firewall before doing
any major system upgrades like service packs; download them, then disconnect to install. This is the number one reason why Norton kills most people's systems.

Why would you post a fox to watch the henhouse?  That is what you are doing using the WinXP firewall.  Yes, it's free and (nearly) idiot-proof, which is why MS included it.  Most people do not have the knowhow to set up a firewall, just as you said.  However, for those of us who can read instructions, read the manual, read a website, read a Help file, etc., why not use something a bit more formidable and customizable, i.e. Zonealarm (free) or Tiny Firewall (also free).

one more link and reviews about firewall
A good, solid, practically idiot-proof firewall is smoothwall or monowall.  It is great for those of us who don't have time to build and config their own Linux firewall from scratch.  Also, the price is right: free.  You just take that old Pentium that you keep around since it would break your heart to throw away that PC you spent 3K on a couple of years ago.
Put a second NIC in it or Third, depending on how many networks you want to put together.
Download Monowall or Smoothwall, check out their websites to see which will be the best for you.
Burn the iso to CD
put it in your old PC and fire it up.  The setup process takes about 10 minutes and is very simple for smoothwall.  In my opinion this hardware firewall is very robust and simple to use.
Also, since it is a hardware firewall and separate from your main box, you do not compromise security or performance on your main PC. for Monowall. for smoothwall.
Check them out, you just may like it.
OOps sorry  mellowmarquis  missed your post somehow,  however you should look at monowall if you like smoothwall,  it is a bit more robust than smoothwall and allows more Networks without adding code.  Just some FYI since you seem to be a smoothwall fan.  I am currently running it and love it, but am testing monowall and it is looking pretty cool.
Hi all

A hardware firewall doesn't have to cost you much.  

You can buy a broadband router for about $60.  On the router you close all ports you don't want to be open, and set the SPI firewall option.  The advantage of this solution is that you can share your internet connection with 253 other computers for no extra cost...

With kind regards

Ramses (x_terminat_or_3)
One everybody forgets is Look 'n' Stop™ -  Personal Firewall
Its engine is one of the advanced software firewalls for Windows (

I personally use Tiny Firewall Pro 6.0. This has many options and is for the more advanced user.
"The only thing worse then no security is A false sense of security"

The thing with software firewalls is that they give a false sense of security and that they require updates and new licenses as well.  

A router that is configured to block ALL incoming requests that are not preceded by OUTGOING requests will do its job 100% of the time regardless of license

- If a firewall program is not loaded for whatever reason, your computer will be unprotected
- If somehow a virus or spyware or worm gets its way into your system, they usually unload antivirus and firewall programs

* if your router is not powered-on then internet access will not be possible so your computer WILL be protected

There is only ONE security risk when using a router as firewall

>you did not change the access password

Because all routers default to blocking all incomming ports and spi firewall
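Added example, not part of any post in this thread: the default-closed, stateful policy described above (drop inbound traffic unless it answers an outgoing connection) and the two-NIC Linux gateway with shared internet and one forwarded port described earlier in the thread, written as an iptables ruleset. The interface names `eth0`/`eth1` and the internal address `192.168.1.10` are constructed sample values; port 6112 is the game-hosting port mentioned earlier.

```shell
#!/bin/sh
# Added illustration, not code from any poster. gen_ruleset only PRINTS rules
# in iptables-restore format; nothing changes until root pipes the output into
# `iptables-restore`. Interface names and addresses are assumed sample values.

err()  { echo "gen_ruleset: $1" >&2; }
rule() { printf '%s\n' "$*"; }

gen_ruleset() {
    wan_if=$1     # NIC facing the broadband modem
    lan_if=$2     # NIC facing the internal switch
    fwd_host=$3   # internal IPv4 host for one forwarded TCP port ("" = none)
    fwd_port=$4   # the forwarded TCP port ("" = none)

    # Reject anything that could smuggle extra text into a rule line.
    for ifname in "$wan_if" "$lan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) err "bad interface name"; return 1 ;;
        esac
    done
    if [ "$wan_if" = "$lan_if" ]; then
        err "WAN and LAN interface must differ"; return 1
    fi
    if [ -n "$fwd_host$fwd_port" ]; then
        # Character check only; it does not prove the address is routable.
        case $fwd_host in
            ''|*[!0-9.]*) err "bad forward host"; return 1 ;;
        esac
        case $fwd_port in
            ''|*[!0-9]*|??????*) err "bad forward port"; return 1 ;;
        esac
        if [ "$fwd_port" -lt 1 ] || [ "$fwd_port" -gt 65535 ]; then
            err "forward port out of range"; return 1
        fi
    fi

    # NAT table: share one connection, optionally forward one port inward.
    rule "*nat"
    rule ":PREROUTING ACCEPT [0:0]"
    rule ":OUTPUT ACCEPT [0:0]"
    rule ":POSTROUTING ACCEPT [0:0]"
    if [ -n "$fwd_port" ]; then
        rule "-A PREROUTING -i $wan_if -p tcp --dport $fwd_port" \
             "-j DNAT --to-destination $fwd_host:$fwd_port"
    fi
    rule "-A POSTROUTING -o $wan_if -j MASQUERADE"
    rule "COMMIT"

    # Filter table: everything closed by default.
    rule "*filter"
    rule ":INPUT DROP [0:0]"
    rule ":FORWARD DROP [0:0]"
    rule ":OUTPUT ACCEPT [0:0]"
    rule "-A INPUT -i lo -j ACCEPT"
    # Replies to connections the gateway itself opened.
    rule "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # LAN hosts may reach the gateway (management); tighten as needed.
    rule "-A INPUT -i $lan_if -j ACCEPT"
    # Inbound packets pass only if they belong to a tracked connection ...
    rule "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # ... and only the LAN side may start new connections.
    rule "-A FORWARD -i $lan_if -o $wan_if -j ACCEPT"
    if [ -n "$fwd_port" ]; then
        # The single deliberate hole: new inbound connections to one host/port.
        rule "-A FORWARD -i $wan_if -o $lan_if -p tcp -d $fwd_host" \
             "--dport $fwd_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    rule "COMMIT"
}

# Constructed sample: WAN on eth0, LAN on eth1, TCP 6112 forwarded to one PC.
gen_ruleset eth0 eth1 192.168.1.10 6112
```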

I think in the case of this user, it would be a fair assumption that they are not extremely knowledgeable when it comes to internet security and firewalls.  It's easy to make suggestions based on your knowledge and expertise, but from my experience supporting end users, they need something that works efficiently, with little to no user configuration.  Bigdg, Trend Micro Internet Security 2005 is, in my opinion, the best solution for combined Antivirus & Firewall protection, as the firewall comes preconfigured with 4 profiles (Direct connection<-- which is probably the profile you would want to use, Office Network, Home Network, and Wireless Network<---i.e., hotspot access) that will fulfill most home user configurations they could possibly need.  The antivirus protection is great as well.  The only thing I have against Norton Internet Security is the need for the end user to continuously allow or deny new programs or executables that attempt to access the internet.  Most end users have no idea what they should choose, because they don't know what the program is.  In the case of the broadband router discussion, that is a great option as well.  It will give you the ability to share 1 internet connection w/ multiple computers.  It also provides "firewall" protection using NAT (network address translation), and to keep it in understandable terms for you, it means that your computer is no longer the device that connects to the internet; instead the router connects to the internet and everything that is behind the router (i.e. your computer(s)) is no longer visible to others on the internet.  Almost all modern routers will provide all the protection you need out of the box; however, as stated by x_terminat_or_3, you will definitely want to change the default password.  And if your connection to the internet is Cable Broadband, you will probably have to clone the MAC address of your computer to the router (refer to router's documentation).
The 1 other thing you should be aware of is a router will not protect you from problems on your internal network (other computers connected to the router), therefore it is always a great idea to have both a software and hardware based solution.  You could purchase the Trend Micro Internet Security 2005 software for $49.95 directly from Trend Micro at their website and purchase a router from a local computer shop or major retailer for $50-$70.  With a little bit of reading, you should easily be able to set both up in 1 hour tops, and for a little over $100, you will have all the protection you need from internet attacks.  I hope this is helpful to you, as most of the threads I saw here are not informative enough, or don't even apply to a home user with a small budget.
The other advantage of using a hardware based firewall is that all computers in your home will be protected by one device. Yes, a hardware solution will possibly be more expensive than a software solution, but these days most households have more than one device exposed to the internet. Taking that into consideration, the hardware solution makes much sense. (I'm talking about general consumer firewall products here, not corporate products)

Pros for software firewall:
- Several different interfaces you can choose from
- Software updates tend to be more frequent than firmware updates for hardware
- Try Before You Buy, most of the software firewalls have trials you can download
- Software firewall can be configured so that only applications you know you use are permitted to run.. for the very paranoid.

Cons for software firewall:
- You'll need a copy for each machine, unless your other computers connect through your main one via Internet Connection Sharing.
- You'll have to pay for software updates (Granted, this is optional... the software updates tend to include tweaks to the interface and probably new wizards)
- Some of the software can put a significant performance hit on your system
- Software can be disabled, either accidentally, through operating system errors, some trojans can even specifically target and try to disable the more popular software firewalls

Pros for hardware firewall:
- Protects multiple systems
- Firmware can be updated, although firmware updates are not as frequent

Cons for hardware firewall:
- Tends to cost more than software
- Configuration interface is not as good as software
- No hit on CPU load

The best approach would be to use a multi-tiered solution if money permits.  Use both hardware and software. However, if you had to choose only one, I'd recommend getting a hardware firewall.. some switches/routers come with a firewall feature.

I know a lot of people don't like the Windows firewall, but I'm of the opinion that it's better than nothing. I've tried to introduce family members who aren't as computer savvy to several different software firewall products to try and find one that isn't a frustration for them to use, and so far haven't found one... so for now I've had them install SP2 and leave the included firewall enabled.
To make things more complicated, a typo made its way into greetinghuman's comment.

- No hit on CPU load

Should be moved to the Pros section for the hardware firewall.

From personal experience you may want to seriously look at Fortinet's "FortiGate" products.  We use them and they have the best support for an appliance-based firewall that I have come across.  You also get a huge bang for your buck.

maybe you would like to check out this firewall with its capabilities. It does our security for 2300 workstations and 250 servers:

Watchguard firebox -

It's quite expensive, but it gets the job -well- done...
better than all ......

I agree that Watchguard does the job (most of the time)

However, our unit seems to cause issues with Weblocker fairly often - it sometimes blocks ALL sites for no reason, and sometimes blocks legitimate sites.

Let me add that support for Watchguard is awful. By that I mean you pay an arm and a leg for maintenance contracts only to be shipped to an Indian call center where you go through the typical voice menu from hell only to be on hold, and then finally, if you are lucky, you get connected with techs who are hard to understand and spend endless amounts of time putting you on hold while they consult with the one guy in the call center who actually knows the proper methods for advanced configuration of a Watchguard firewall.

Synopsis: Watchguard = poor value for the money.

Hi ftherrien,

I must say the watchguard support desk is indeed a rather poor service... But, then again, we have a "local" support desk with Watchguard certification, and they can solve our issues quite fast.
On the other hand, Weblocker can get on your nerves... we are actually just getting a grip on the webfilter after 6 months.

I must say, in my experience of course, that the firebox meets our security needs... Especially for VPN handling.

Though its good to have some feedback from the other side!

Must get that ftherrien changed. Name is Trevor :)

Anyhow, we haven't used the VPN features of Watchguard. Good to know that if we VPN we will have robust capabilities.

If you need a second opinion on the VPN solution, Watchguard is actually competing with Cisco and NetScreen Tech.
More info:
Here you can find testing results of the V200 series : 42.000 concurrent (yes, CONCURRENT) IPSec tunnels without giving the slightest glitch...

We've only lost connection once, due to our PDC...
bigdg, Author, commented:
This is incredible......It's like going to a firewall candy many expert opinions.  I think that's great....Does anyone have a side by side comparison showing pro's and con's for these various firewalls and antivirus?
This web site has quite useful comparisons/tests of software firewalls

I don't have a definitive side-by-side comparison, but can offer my 2c for hardware appliance firewalls.

If you are buying an enterprise appliance firewall then you really should look for Common Criteria certification.  Common Criteria ( is a scheme that uses recognised third party organisations to evaluate the correctness of certain products that have been submitted by vendors.  For firewalls, the CC EAL4 level (equivalent to the older ITSEC E3 level) is the general industry benchmark.  Lists of evaluated firewalls (boundary protection devices) are available at:

The Security Targets (Targets of Evaluation) detail which components of the products were evaluated.  Most/all include the Stateful Inspection engines, but only a limited few include Application Proxies.  Most are only evaluated to run in certain configurations, running certain versions on certain hardware and OS (where applicable).  Some are evaluated to include all future updates (usually referred to as CC EAL4+).

From this list, and from personal experience, I believe the Cyberguard CC EAL4+ application layer firewalls to be the best.

Talk about beating a dead horse :) It's all personal pref.  Although some people hate it, I use Norton Internet Security.  I have repaired quite a few computers that had problems with McAfee and Zone Alarm.  I maintain 2 small office networks that currently use Norton and have been for a while.  Have there ever been problems? Yeah, a couple, but all of the software firewalls out there are capable of having problems at one point or another.  You just have to see what works best for you.
Actually ml13, that is not true.  Yes, there is a little personal pref involved as to which company.  But there are HUGE differences between each firewall.  It comes down to what sacrifices you are willing to make to have a good firewall.  Also, some companies do have more bugs than others; this is just the way things are. Some companies have more resources to spend on better equipment, engineers, and developers.  Sometimes the smaller company lucks out and already has the better people.  The only way to find out which firewall is best for you is to ask around and see what experiences people have had.  This little discussion here is a good example to show that it is not personal preference but a matter of matching up the facts.
Personal preference comes into play when trying to figure out which solitaire game is your favorite, not for deciding what will keep your bank accounts and personal information safe from the outside world.
Not trying to spend too much time on this topic, but the term personal pref could be used to describe my opinion of which firewall solution fits my company's needs the best over another.  This isn't to say if I used another one I would have tons of problems.  The fact of the matter is that I do not have tons of problems.  And someone mentioned a few posts up that he has had problems with Norton and did not have any with Zone Alarm.  I have had reverse situations, no problems with Norton and problems with Zone Alarm.  Therefore I am going to naturally decide that I do not like the one that I had the most problems with.  Yes, they are both different, but both were used in similar environments and one worked for me better than the other.  This could be because of a number of variables and, you're right, luck does sometimes play a role.  But we ARE talking small business use of the software or even home use.  It IS important to keep your personal information safe from the outside world, but if the data was of a more critical nature, a hardware firewall would be the solution, regardless of how well a software firewall worked.  I fail to make the connection between a company having better resources & engineers and whether or not it is personal preference as to which software firewall worked best. If a company has the resources and budget in the first place they will most likely opt for a hardware firewall, but if you're trying to say a company has more resources, then their software firewall option is going to be more effective, I just don't see it.  Even the most average schmo can handle installing a software firewall and not have problems.  He can also pick up an issue of PC World, read the reviews, compare the features, and decide which is the best fit for him.  Which features he prioritizes and which sacrifices he is willing to make is his personal preference though.  So you are right. I have a personal preference as to which solitaire game I like the best.
But I also have a personal preference when deciding which software firewall is the best for myself and my company.
I was referring to the engineers, equipment, and developers of the firewall.  Some companies are just better suited for developing software.  Other companies have a history of bugs and longer lists of vulnerabilities.
thanks for your response.
Right, I thought you may have meant it that way but I was not sure.  You're very right in that aspect, then.  It's important to be aware, as best you can, of each company's strength and weakness and of what your priorities are.  I do agree with you that it is a matter of matching up the facts and coming up with a conclusion. I was just trying to be clear as to what I meant when I said it was one's "personal preference".  After reading my first post again I realized that it could have been taken the way you interpreted and I was trying to clarify the vagueness, per se.  This is a good little discussion though, as there are tons of options in terms of firewall solutions, and I learned of a few that I wasn't aware of just by participating in it. Thanks.

Check out the Enjoy enterprise firewall - it's simple but yet very powerful n' affordable!!!!

It works like a charm!
Well, everyone thinks that their firewall is better. I tend to lean with the one that NSA is using, as well as several other highly guarded installations, and that is Cyberguard. A few years back they had a contest in Bangkok and put 100 grand to anyone that could hack their box; 9 months later no one was able to crack it and they ended the contest.

The entry level to the most expensive box has the same level of security; the only difference is the amount of traffic it can handle.

Starting box is roughly 4k.
Well, I think you guys should have a look at their InJoy Firewall™ 3.0 - it's the only firewall (what I know) that is really ONE firewall solution for both Linux - OS/2 - and Windows, all at the same time! No more hassle with different products for different platforms.
Here is a "copy/paste" from their website:
This multi-purpose Firewall readies you for the future through Deep Packet Inspection, unique MULTI-PLATFORM support, and market-leading IPSec VPN support. Its unparalleled network monitoring turns you into a SECURITY PROFESSIONAL with unique real-time insight into any network activity.

Complete All-In-One Solution

The InJoy Firewall™ is a flexible firewall security solution for organizations of all sizes. It offers enterprise-class next-generation security, preconfigured policy templates - including full customization options, seamless IPSec VPN integration, superior gateway capability, intuitive management, access control, a wealth of documented deployment examples, unmatched control, and comprehensive documentation.

The InJoy Firewall™ solves the overwhelming problems related to managing multi-vendor, multi-platform security applications and devices. Finally it is possible to deploy the same level of cross-platform unified end-point security and backbone infrastructure throughout the organization.

Highlighted Features:

Multi-Platform support
Local/Remote GUI
Deep Packet Inspection
Stateful Inspection
Intrusion Detection (IDS)
Dynamic Firewall Rules
10+ Security Levels
IPSec VPN Server
IPSec VPN Client
Basic Virus protection
Access Control
Packet Filtering
Traffic Accounting
Traffic Shaping
Bandwidth Management
SafeMail (secure e-mail)
Web Filtering
Internet Gateway (NAT)
DHCP Server
DNS Forwarding
Port scan protection
PPPoE Client
PPTP Client

And a 5 nodes licence only costs 99 bucks!

I have always used McAfee security products because I found them the best - until now. I found this beauty piece of security software about a month ago, and have already implemented it throughout the whole organisation since it's really better than McAfee or others like Symantec Corp. firewalls. So from my point of view this is really the greatest and strongest product on the market today.

Check it out guys at (if you wonder - yes, it's a Danish product)
Software based firewalls are OK I guess...please read this article:

Even though it might be overkill for one computer, I would still buy a decent router to sit between me and the internet, because NO software based firewall is as good as a router/firewall. Besides, overall the hardware based firewall is a cheaper option than the software, because the software usually has to be purchased/upgraded once a year.

