Stick with the Windows firewall is my advice. It's not the firewall that needs to be more secure.
In terms of inbound traffic, what most people really want/need is something that stops direct TCP/IP stack attacks, as well as attacks on ports that ought to be closed but aren't (Windows file-sharing services for example). The Windows firewall does this unless you start enabling Windows file-sharing through the firewall, and if you're that stupid, another piece of firewall software isn't going to help you much.
In terms of outbound traffic, if something dodgy is already on your machine, then a firewall is only closing the stable doors after the horse has bolted. That is, if the malware hasn't already edited/disabled the firewall (which, if that is its intention - to send spam e-mail for example, then it has probably already done that). Otherwise, the Windows firewall (or any other firewall) will ask you whether you want a program to be listening on a public port the entire time it is running, which isn't particularly useful, except if you're on the ball but something you've intentionally installed is doing something you weren't aware of (due to the install program being compromised already, for example).
Software that is more complicated than the intention of the Windows firewall is just more likely to have bugs which could let someone have full privs on your computer, which is worse than if you didn't have firewall software in the first place. I was quite nervous of the Windows firewall when it was first released for precisely this reason, but its security (vulnerability) record is actually pretty damn good (low - I'm not sure there's even been a vulnerability reported in it) to date.
Any security product telling you that the firewall is oh-so-important is purely trying to sell you something. It'll pop up loads of crap to make you feel insecure and that it is somehow keeping you safe, and that you really ought to pay the subscription next year.
To make things worse, the configurations of third-party software firewalls for Windows are so poorly designed that they would baffle a security professional, let alone the average user. A firewall configuration should only have 'allow traffic' entries, because the rest should be denied by default.
Bottom line - Software firewalls are a great big waste of money. Stick with the Windows firewall. It's a small job that needs doing, and that's it.
- edit - reading that URL, I had to laugh:
Quote:
Keeps Hackers Out
An inbound firewall prevents Internet attacks such as hackers from coming into your computer. Any suspicious or unauthorized communications are filtered by the firewall. However, if these threats get through your firewall your personal data could then be transmitted back out to the hacker. To catch these thieves on their way out your firewall must be capable of automatically blocking unauthorized outbound communications - “outbound protection”.
Ah, I see, these would be those hackers who got into your machine already, yes? What stops them from opening an outbound connection with an allowed process? That is, assuming they didn't disable/edit the firewall config already, or the user hasn't already allowed <insert seemingly innocuous process name here> through already when the firewall software bugged them for the fifth time this week.
Quote:
Keeps your Sensitive Data In
Some firewalls don’t have what’s called “outbound protection”. That means they can’t control information that leaves your computer. This is risky, since hackers have ways around inbound firewalls. The ZoneAlarm outbound protection references our constantly updated database of trusted programs and program behavior—so the ZoneAlarm firewall can make security decisions safely and automatically.
I'm not sure I've ever heard of a firewall picking up "sensitive data" being sent out. How many ways can people think of to obscure the content of outbound data packets, even if firewall software tried to detect this? All the firewall software I know keeps a list of allowed/denied process names/port numbers, and has a few tick boxes to block known TCP/IP attacks, and that's about it.
Quote:
Outsmarts Advanced Hackers
At ZoneAlarm, we added outbound protection and then went beyond that to create the equivalent of guards who are trained to spot and stop suspicious behavior. We call this the OSFirewall, because it goes where dangerous programs go—to the operating system level. It monitors program installation, registry and file changes, keyboard and mouse code control, and over 40 other potentially dangerous behaviors.
I tend to avoid security software that tries to do anything "really clever" because when it malfunctions, it'll probably take your computer's Internet connectivity (and, judging by what this claims to protect you with, keyboard and mouse control) with it. Learnt from experience.
Quote:
Doesn't Bother You
Most firewalls with outbound protection generate a lot of "noise" - alerts asking you for input. Over the years we have developed ways to make our firewall as smart and quiet as possible. Our community-powered DefenseNet system constantly tracks the safety of millions of programs in real-time. Today, even the ZoneAlarm Free Firewall includes this automated program security, making it the quietest Free Firewall in the industry.
Considering that ZA was one of the most tedious "alerts asking you for input" firewalls, I'm a bit surprised they're saying this. It's gone from the worst to the best?
Anyway. I would look into finding the most secure web browser and extra add-ons/plug-ins that help restrict unnecessary JavaScript/Flash/other plug-in activity. Web site access is by far the biggest risk these days - PDF exploits, Flash exploits, Java exploits, JavaScript. These are the tools of the black hat trade these days.
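Added example (not part of the original post): a read-only PowerShell audit of the two firewall points made above, namely that inbound traffic should be denied by default with only 'allow' entries on top, and that file sharing should not be opened through the firewall on a public network. It assumes Windows 8 / Server 2012 or later with the built-in NetSecurity cmdlets, an elevated session, and an English-language rule group name.

```powershell
# Added example: read-only audit, changes nothing on the machine.

# 1. Effective per-profile settings. A default-deny posture means every
#    profile is enabled and its default inbound action is Block.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$weakProfiles = @($profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
})

# 2. Inbound file-sharing rules that are enabled and apply to the Public
#    profile (or to all profiles). The group name below is the English
#    display name and is an assumption on localized installs.
$sharingRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
        -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Enabled -eq 'True' -and
        $_.Direction -eq 'Inbound' -and
        $_.Action -eq 'Allow' -and
        "$($_.Profile)" -match 'Any|Public'
    })

# 3. Explicit inbound Block rules. With a Block default these are usually
#    redundant, so a long list suggests the rule set has drifted away from
#    the "allow entries only" model.
$blockRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block `
        -ErrorAction SilentlyContinue)

# Report
$profiles | Format-Table -AutoSize

if ($weakProfiles.Count -gt 0) {
    Write-Warning ("Profiles not enforcing default-deny inbound: " +
        ($weakProfiles.Name -join ', '))
}
if ($sharingRules.Count -gt 0) {
    Write-Warning "File-sharing rules reachable on the Public profile:"
    $sharingRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
}
Write-Output ("Enabled inbound Block rules: {0}" -f $blockRules.Count)
if ($weakProfiles.Count -eq 0 -and $sharingRules.Count -eq 0) {
    Write-Output "Inbound posture matches default-deny with no public file sharing."
}
```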