NEW CONNECTION DIALOG – THE KEY TO A GOOD FIREWALL USER INTERFACE
The old free AtGuard firewall had a huge fan base, and one of the reasons was that it had a nice pop-up alert dialog when a new unknown connection was established. It always amazes us when we try out new firewalls how few of them have managed to implement properly this most important part of firewall user interface. This is, of course, the dialog you will be spending the most time with. It will pop up every time a new program tries to connect in or out, and any time a known app goes to some new address that you haven’t previously ok’d.
The Outpost dialog on a new connection is perfect. When a new connection in or out is detected you will get a simple screen like this:
Notice how simply you can allow or block this single connection by pressing a simple button; this won’t make any new rules and is often the right thing to do when you aren’t sure what to do permanently (make sure you tell Outpost to resolve ips for you so that you see the domain name when appropriate).
But you can also very easily block the application totally or allow all activity permanently (you can always modify these selections later).
Even better, you can choose to immediately proceed to customize the rule; in a bow to make life easier for common applications, Outpost has some built-in rules for common applications that it will offer you in the drop down box if it recognizes the application. A very cute idea that works well if you don’t want to be bothered with customizing all rules.
If you select customize and hit OK you will be brought to a second screen where you can customize a new rule:
Now notice something critically important, that many alternative firewalls fail to do properly but which Outpost does perfectly; it has already set default restrictive settings based on the current connection attempt. It has defaulted to restrict to the current ip, port, etc. You can see at a glance exactly what the rule will be, and it’s easy to customize it further. Note it doesnt select Allow or Block by default. Smart.
The ability to configure specific addresses, ports and protocols for both source and target is critical to building good tight rules; you’d be surprised at how many firewalls force you to simply decide whether to give an application complete “server functionality” to contact any site, or else block it completely. You need to be able to restrict applications to specific addresses and ports.
CONFIGURATION AND LOGS
The presentation of summary information is extremely clear and well organized. You can tell at a glance what processes have established connections, the total bandwidth and the count of blocked and allowed connections:
Outpost offers a very nice ability to customize system rules like allowed DNS hosts and the blocking of some common messages (like echo and ping replies). These are very well laid out and they are the kinds of things that a power user will like to investigate and configure.
Outpost is unsurpassed in its collection of log information about blocked and allowed connections, and thankfully now allows you to configure the extent to which you want to keep logs (so you can turn it off completely). Logs are useful when you are trying to figure out what’s going wrong:
Rules are grouped by application, which is almost always a better idea than the other way that some firewalls list rules, which is as one big ordered but ungrouped list.
Outpost also supports a plugin system (with free sdk), and includes some nice plugins for blocking ads, detecting attacks, and and controlling activex and other content blocking for specific sites. This is a fantastic idea though in practice we had a hard time tweaking these settings to work reliably; we were very excited about the posibility of blocking content on certain sites more flexibly than the built in security settings in IE and other browsers, but had a hard time getting the active content filter to work reliably. Still this is a nice feature and has led to some nice user-written plugins.
ISSUES AND SUPPORT
There seem to be a few lingering bugs and reports of bluescreens on some hardware. Working with vmware requires some unofficial workarounds (though it can be made to work). The official support from Agnitum is just plain awful and inexcusable.
However, to make up for this, Agnitum does host a user-run forum where you can usually get quite good help, and find a bunch of tips and tricks. The forum is a great resource and does in fact make up for the bad official support facilities (note to Agnitum: your explicitly stated policy of not having any support people on the forums is retarded).
ALTERNATIVE FIREWALL PRODUCTS
There are some reasonable competitors to Agnitum, including Zone Alarm, which is available in a very usable free version for personal use, and is well configured enough out of the box and friendly enough to be usable by non-experts (wheras Outpost is really more of a tool for experienced users). The fact that ZoneAlarm is also available in a suite with Antivirus tools makes it even more appropriate as a solution for inexperienced users who would prefer a single solution to all their security needs.
On the other side of the coin are firewall products by Tiny and Kerio. Something truely strange happened in the history of Tiny and Kerio. Both were spawned from the same small simple elgeant and much-loved free firewall product. And both decided to pursue a strategy of bloat and complexity that has rendered their new products almost unusable. Both Kerio and Tiny have attempted to integrate some very sophisticated security features that have little to do with the traditional role of a firewall, like blocking application launching. We have found their configuration options confusing and unintuitive, and we prefer our firewall to be a firewall, and leave the other stuff for other programs. But there is no denying that they are ambitious products.
Agnitum Outpost Firewall is not perfect but it’s darn close.
The user interface is fantastically designed, while still offering some of the most flexible customization and configuration rules of any firewall, and it’s security is top notch. Expect to spend some time learning how to configure it securely; Outpost does not come configured perfectly out of the box (you’ll find some guides available in the Agnitum Forum). And do be sure to install the trial version available from the Agnitum web site before you buy it until you confirm that it runs properly on your computer.