Online Armor Firewall: First Impressions

As I mentioned previously, based on a recommendation from Scot Finnie, I installed the Online Armor firewall on a couple Windows XP machines.* Scot recommended the paid version, I opted to get my feet wet with the free edition (v2.1.0.131). These are my first impressions, not a review. I don't think anyone can base a firewall review on merely a couple days experience, it's the sort of software you have to live with for a while.

My previous firewall was ZoneAlarm, whose best feature was its ease of use. Unfortunately, for a number of reasons, I no longer think that's sufficient. For example, ZoneAlarm seems bloated. The download for Online Armor is 9.9MB, ZoneAlarm is over four times larger.

The install process for Online Armor was uneventful, but then things went downhill. After installing, you have to reboot, no surprise there, I would expect this with any firewall. But, on the first computer I installed it on, the reboot looked like it wouldn't happen. For what seemed like an eternity, I was staring at the Windows desktop image with no icons. Perhaps a watched pot never boils, but I was sure glad that I had made a disk image backup beforehand.

This was bad documentation. Online Armor doesn't tell new users that special processing takes place during the first boot after the product is installed. There is a warning on their website, but there is no warning where it needs to be, alongside the message that says the installation worked and you have to restart Windows. After Windows finally restarted, Online Armour said something about completing an initial "learning process".

One of the first things I noticed was that Online Armor has two icons in the system tray (the leftmost two in the screen shot above). To me, one is enough. Other software makes do with a single icon (Avast antivirus defaults to two but there is an option to combine them). Someone else pointed out that both icons have the same right click menus. One icon (leftmost one above) looks like a shield and doesn't seem to change. The other icon looks very much like the Task manager icon which, at first, I thought it was (judge for yourself - the two are next to each other in the picture above). This icon does change, it's a vertical bar graph showing inbound and outbound traffic.

I poked around and found an option to suppress the bar graph traffic icon and another option to suppress both icons. What I wanted to do, see just the bar graph icon, doesn't seem possible.

The second thing of note is the cool looking status display shown below. I haven't yet found the graphs at the top to be very useful, but the Active Connections section at the bottom offers very interesting information, data that ZoneAlarm did not provide.

Main Menu

Judging by the General tab, shown below, there are four main sections/features to Online Armor, two of which are included in the free edition - Program Guard and the Firewall.

After installing Online Armor I was getting, what I felt were excessive warnings. Granted, "excessive" is subjective, but I was getting warnings that had nothing to do with networking.

For example, below is a warning from Online Armor that IrfanView wants to run. IrfanView is a picture viewer and editor. It has nothing to do with networking and therefore it's not something a firewall needs to worry about. Disabling Program Guard (you can see the checkbox is off in the screen shot above) was one of the first things I did. Program Guard may be a good thing, but all firewalls are chatty at first, that's the nature of the beast. Adding warnings about safe, non-networked programs such as IrfanView just makes things worse.

The first hint that Online Armor is not just a firewall comes from this introduction to the product on the Tall Emu website which refers to Online Armor as an antivirus program. The page also refers to trusted programs and programs allowed to access the internet as two different things. As a former ZoneAlarm user these are, to me, the same thing.

The fact that Online Armor is not just a firewall may be what leads to my biggest gripe with the product - it's confusing. Compared to the simplistic, free edition of ZoneAlarm, the Online Armor configuration options seem strangely spread out. For example, some Firewall options are in the Firewall section, others are in the Options section and the main on/off switch for the Firewall is in the "General" section.

Controlling Programs

The heart of a firewall are the rules governing the networking that programs are allowed to engage in. Online Armor controls this in three different places.

First, there is a Programs tab where you can allow or block programs. Allow them to do what? It doesn't say. I turned off Program Guard, yet this window seems fully functional. Only by clicking the Block button, does it become obvious this is blocking programs from running so it must be part of Program Guard rather than the firewall. There should be some indication here that Program Guard is disabled because a user can easily make changes here and expect them to take effect, when they are, in fact, being ignored.

There is a "Hide Trusted" checkbox as part of this display. Yet, even with it checked, you still see programs that are "allowed". So, there is a difference between "allowed" and "trusted" that I'm not getting. You also see this in the Firewall section of the Options tab, which has a checkbox for "Automatically allow trusted programs to access the Internet". What about a program is trusted, if not Internet access? This is, after all, a firewall.

Programs are also controlled in the "Program Access" section in the Firewall tab, which seems to do the same thing. That is, it too has a list of programs that you can Allow or Block. Allow to do what what was not immediately clear here either. Finally, there is a rules section in the Firewall tab (shown below) which also controls programs.

To try and understand things, I looked into how each of these three configuration areas dealt with Firefox.

On one computer running Online Armor there is a normally installed copy of Firefox 2, a portable copy of Firefox 3 and two portable copies of Firefox 2. The Program Access section of the Firewall tab shows all four, but calls each one "Firefox". By accident, I discovered that if you hover the mouse over the program name, a tooltip displays the path to the program. The rules section shows only two copies of Firefox and, likewise, the Programs tab shows only two of them.

The other computer with Online Armor had a normally installed copy of Firefox 2, a portable copy of Firefox 3 and a portable copy of Firefox 2. I ran them all at least once. The Programs tab only knows about the normally installed copy of Firefox 2. The Program Access section of the Firewall tab shows all three but the Rules section of the Firewall tab has one entry for the portable copy of Firefox 2, no entries for the portable copy of Firefox 3 and two entries for the normally installed copy of Firefox.

Go figure.

Rules

In all this configuration, I miss what ZoneAlarm calls "server rights', the ability to accept incoming connections. The Online Armor equivalent is a rule with a "Dir" of "in" ("Dir" means "direction"). Online Armor commits a cardinal sin here, it uses abbreviations without explanations. This same window has an "Adv" column whose meaning I couldn't even guess at initially.

The product help is not part of the installed software, rather, it's on the web, so if you're off-line it doesn't exist. And, the Help button is not context sensitive. That is, it always goes to the same introductory web page rather than going directly to the page with help for the feature you are looking at. In this case, I want to read about the Rules tab, within the Firewall tab. Because there is more than one Firewall tab, finding the right section in the help takes time. The page for the Rules tab doesn't explain these columns but the page for editing rules does. This is harder than it needs to be.

Kicking The Tires

One problem ZoneAlarm had was that it created an always-growing log file. I had to put a reminder in my PIM to delete this file every couple months. With this in mind, I looked to see how Online Armor dealt with logging. It seems to have both a log file and a history, the difference between them isn't clear. Even with logging disabled (there is a checkbox in the Firewall section of the Options tab), the history is still created. Neither one seems to have an option to limit the total size of the output.

I was disappointed by the history, which doesn't show the outbound endpoint. For example, it showed that Thunderbird, my email program, made an outbound connection on port 443, but to where? Of the millions of computers on the Internet, which one did my email program connect to? Online Armor doesn't log this, ZoneAlarm does.

Online Armor is a step up from ZoneAlarm in that it includes a database of known trusted programs. So, for example, the first time I run the Ping command it allows it and pops up an alert. The free ZoneAlarm knows nothing, so it objected to Pings. In the Online Armor history, there are two entries for that first ping. Neither shows the website that I pinged and one says it was a user decision, which is was not.

I maintain a number of websites using an FTP program. One type of FTP chooses port numbers randomly which meant that every time I used the program, it generated a pop-up notice that the new port was auto-approved. The pop-up doesn't say that explicitly (see below) but that's what it means. When an already approved program uses a new port for the first time, you get this pop-up and it wasn't obvious how to turn this off.

When a program was approved with ZoneAlarm, you never heard another thing about it. That said, ZoneAlarm doesn't offer the level of control that Online Armor does. Specifically, ZoneAlarm can't restrict the ports a program uses. And, if you really care about network security, you would want to be notified if a program used an unexpected port. Still, I would have liked some way to not be notified every time my FTP program used a new port.

Speaking of notifications, below is the standard alert from Online Armor, one that was generated by installing Java. It leads with "A program wants to use the Internet". It doesn't say if it wants to make an outbound connection or if wants to accept an incoming connection, something ZoneAlarm makes very clear. The last option has to do with sessions, what a session is to Online Armor, I don't know.

The most important thing a firewall does is keep the bad guys out. That is, it prevents unrequested connection attempts from the outside world. Even the basic firewall in Windows XP does this (that's all it does). ZoneAlarm excelled at two things in this regard, it logged these blocked intrusion attempts and it had an option to issue an alert when it blocked something. After reviewing all the options in Online Armor, it doesn't seem able to do either. This, to me, this is a big omission. Not only did I like to audit my firewall by occasionally reviewing the log of unsolicited incoming connections, I also found it educational. There is no better way to drive home the danger that is the Internet, than to see how often bad guys come knocking at your door.

Like ZoneAlarm, Online Armor can protect the hosts file, something I think any firewall should do. I found that it let me modify the comments in the hosts file without objecting, but as soon as I changed something that really mattered, it caught me and issued the alert below. In other words, it works great. If you want to test this yourself, the hosts file in Windows XP is in C:\WINDOWS\system32\drivers\etc.

A nice feature of Online Armor is that it shows you other computers on your LAN, something that ZoneAlarm does not. But, every time I've looked at it, the status of the other computers is "unknown", it continued to show computers that had been turned off hours ago and there is a yellow light bulb icon whose meaning is a mystery.

Online Armor also deals with Internet Explorer extensions, which ZoneAlarm does not. On both machines, it trusted the few extensions it found, which isn't a surprise, as I hardly use IE.

In Internet Explorer 7, you can see the installed Add-ons with: Tools -> Manage Add-ons -> Enable or Disable Add-ons. On both machines, when I selected "Add-ons that have been used by Internet Explorer" the list was much longer than the list in Online Armor. On one machine, IE7 displayed 20 Add-ons and Online Armor listed 7. I'm not sure what to make of this.

Windows Messenger is an IE7 browser extension that I always disable, since I don't use the product. Online Armor trusted it, so for good luck I tried to block it. This produced the warning below saying it will be uninstalled rather than blocked. The warning is wrong - if you say yes, the Windows Messenger extension is blocked rather than removed. After unblocking the Windows Messenger extension, I deleted it and that seemed to work, it no longer appeared in IE7.

Final Thoughts

In the interest of brevity (this is already my longest posting), I won't go into some other quirks in the user interface but suffice it to say, there is room for improvement.

Before Scot Finnie recommends a firewall, he runs it through a battery of tests. Online Armor got an excellent score, so I don't doubt it's protecting my computer. Still, it will be a while before I feel comfortable with it.

And, I don't know that it's a good fit for non-techies. Not only is it more ambitious than just being a firewall, the paid version is a very ambitious firewall. The list of features is huge. The free version of ZoneAlarm is skimpy on features, but sometimes less is more.

That said, two features of Online Armor sound very interesting. The "Run safer" feature is much like DropMyRights, which I wrote about last year. The "banking mode" (only available in the paid version) is also intriguing. I may research these a bit more.

Update July 17 2008: Revised the topic on incoming connections and added mention of the status display.

*Online Armor supports Windows XP and 2000, a Vista version is in the works.
See a summary of all my Defensive Computing postings.