With centrally managed firewalls, the kind we tested for this review, a centralized server dictates the security policy. Each client queries the server to download its policy file and upload status reports--then enforces the server's policy mandates.
We tested desktop firewalls from Internet Security Systems, Securitae, Sygate Technologies, Symantec and Zone Labs. We also invited InfoExpress, whose product won our Editor's Choice awards in previous desktop firewall reviews, but the company declined to participate because a new version of its product was in beta during our tests.
With these firewall products, the central management server and the end-user desktop clients are tightly coupled and designed to work only with each other, though the client software usually carries one name and the server another--for example, ISS's ICECap Manager (server) and RealSecure Desktop (client).
We tested only Microsoft Windows systems in this review. Although all OSs contain vulnerabilities, there are comparatively few malicious programs on non-Windows/Intel platforms. That is to be expected: Windows sits on more than 90 percent of desktops in the United States and is therefore a more enticing target.
Our test bed used 600-MHz Pentium-based computers running Windows 2000 as management server and client stations. When necessary, we installed Microsoft SQL 2000 on the management server.
More Administrator Time
In the past, you could secure a desktop by blocking all incoming connections and limiting outgoing traffic to a few well-defined service ports (such as TCP port 80 for Web access). That method is now obsolete. Today, Trojan horses (hostile code disguised as, or hidden inside, a benign application) initiate outbound connections that look like legitimate traffic. For example, sensitive data can be encoded and hidden inside an ordinary HTTP request, so to a network analyzer a Trojan uploading your financial spreadsheets is indistinguishable from normal Web browsing. Port-based rules cannot tell the two apart; the firewall must decide per application, not per port. The central server's policy therefore names which individual applications are permitted to access the network, and the client enforces that list. These per-application permissions make up part of the firewall's security policy.
Methods of populating and configuring the list of permitted applications vary by product. Some products provide a scanning tool whose inventory is uploaded to the server; others let a known-clean client system learn the installed applications and report them back. All the products we tested compute an MD5 hash, or fingerprint, of each permitted executable so that a modified or overwritten application cannot inherit its permission. If the application being launched hashes to a value different from the one the server dictated, it is denied network access. A file name alone is never trusted: an infected Internet program (viral or Trojan) and a renamed application (such as a Trojan masquerading as iexplore.exe) both produce the wrong hash and send up red flags.
Four of the products we tested--the exception is Symantec's Client Security--also offer component control; that is, they extend the same hash checking to .DLL and other library files. A library is a file of compiled code, such as a Windows .DLL, that contains functions an application loads and calls at run time. Libraries matter because a Trojan need not replace the trusted executable at all: if it can overwrite or patch a library that the permitted application loads, it runs inside that application's process and rides on its network permission. The firewall therefore calculates an MD5 hash of each library, exactly as it does for the applications, and refuses network access when a loaded library does not match the policy.
The administrator creates a list of allowed applications, libraries and MD5 hashes as part of the security policy. Compiling and maintaining these lists and hashes require a significant time investment (see "Beyond the Initial Expense").
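To make the hash-based application and component control described above concrete, here is an added example in Python of the check a client would apply at launch time. It is not code from any of the reviewed products; the policy format, the function names and the file contents are our own constructions (the "binaries" are short byte strings standing in for real executables and libraries, chosen only so their hashes differ). It learns a policy from a clean system, then tests four launches on a managed client: an untouched browser, a Trojan renamed to iexplore.exe, a genuine browser whose library has been overwritten, and an application that is not in the policy at all.

```python
"""Hash-based application and library allowlist, modelled on the review's description.

Example code written for this article, not any vendor's implementation. The policy
structure, function names and sample file contents are all assumptions.
"""
import hashlib
import os
import tempfile


def md5_of_file(path):
    """Return the hex MD5 digest of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_policy(clean_root, entries):
    """Learn a policy from a known-clean client.

    entries is a list of (executable name, [library names it loads]). The policy records
    the hash of each executable and of every library it is permitted to load.
    """
    policy = {}
    for exe, libs in entries:
        policy[exe] = {
            "exe_md5": md5_of_file(os.path.join(clean_root, exe)),
            "lib_md5": {lib: md5_of_file(os.path.join(clean_root, lib)) for lib in libs},
        }
    return policy


def check_network_access(policy, client_root, exe, loaded_libs):
    """Decide whether a launched application may use the network.

    The file name is never trusted on its own: the executable must be in the policy and
    hash to the recorded value, and every library it loads must do the same (component control).
    Returns (allowed, reason).
    """
    rule = policy.get(exe)
    if rule is None:
        return False, f"{exe}: not in policy"
    if md5_of_file(os.path.join(client_root, exe)) != rule["exe_md5"]:
        return False, f"{exe}: executable hash mismatch"
    for lib in loaded_libs:
        expected = rule["lib_md5"].get(lib)
        if expected is None:
            return False, f"{exe}: library {lib} not in policy"
        if md5_of_file(os.path.join(client_root, lib)) != expected:
            return False, f"{exe}: library {lib} hash mismatch"
    return True, f"{exe}: allowed"


def write(root, name, data):
    """Write a constructed stand-in 'binary' into a test directory."""
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def run_demo():
    """Build a policy from a constructed clean client, then evaluate four launches on a managed client."""
    results = {}
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as client:
        # Constructed sample contents; only the fact that they differ matters.
        write(clean, "iexplore.exe", b"MZ legitimate browser build")
        write(clean, "wininet.dll", b"MZ legitimate wininet library")
        policy = build_policy(clean, [("iexplore.exe", ["wininet.dll"])])

        # 1. Untouched copies: hashes match the policy, access granted.
        write(client, "iexplore.exe", b"MZ legitimate browser build")
        write(client, "wininet.dll", b"MZ legitimate wininet library")
        results["clean"] = check_network_access(policy, client, "iexplore.exe", ["wininet.dll"])

        # 2. Trojan renamed to iexplore.exe: the name is in the policy, the hash is not.
        write(client, "iexplore.exe", b"MZ trojan renamed to look like the browser")
        results["renamed_trojan"] = check_network_access(policy, client, "iexplore.exe", ["wininet.dll"])

        # 3. Component control: genuine executable, but a library it loads has been overwritten.
        write(client, "iexplore.exe", b"MZ legitimate browser build")
        write(client, "wininet.dll", b"MZ wininet.dll overwritten by a trojan")
        results["patched_library"] = check_network_access(policy, client, "iexplore.exe", ["wininet.dll"])

        # 4. An application the administrator never added to the policy.
        write(client, "updater.exe", b"MZ some unlisted program")
        results["unlisted"] = check_network_access(policy, client, "updater.exe", [])
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Two caveats a practitioner would add. First, the check runs only when the hash is taken; a process that is tampered with after launch, or that loads a library the policy did not anticipate, is outside what this comparison can see, which is why the products hash libraries as well as executables. Second, the example uses MD5 to match the products under review; MD5 has since been shown not to be collision resistant, so a product built today would use SHA-256 for the same purpose, and the logic above is unchanged apart from the digest function.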