
ZoneAlarm is a so-called "desktop firewall". This describes a family of firewalls that are designed for a single machine with a single user.
Here I assume that you are familiar with the program; if not, please look at its home page: www.zonelabs.com
One of its most noteworthy features is its unique approach to the user interface.
From outside to inside
Traffic from the outside to your machine is heavily restricted: to allow a certain machine to connect to you, you have to explicitly exclude it from the foe list.
This is a very sensible and intelligent approach, contributing to the ease of use.
Unfortunately, every application that is allowed to act as a server is also allowed to receive data unrestricted. This, together with the problem described later, is a major drawback.
False alarms
During my tests of ZoneAlarm, I noted many false alarms.
When a site tried to place a cookie, ZoneAlarm logged an alleged intrusion on port 80, originating from the website I was connected to.
Incoming ICMP packets (such as Ping) were interpreted as an attack, too.
Keep-alive messages from ISPs are also treated as malicious, but this can easily be remedied by adding the ISP to the friend list.
Still, you have to trust your ISP very much to put it on this list, because you would never be warned about incoming traffic from there again.
From inside to outside
For traffic from your machine to others, you tell it which of your applications are allowed to access the net.
This is very convenient if you deal with spyware, but it is also ZoneAlarm's weak point.
I'll briefly describe how it can be fooled. For obvious reasons I won't go into details, but those of you who know Windows will know how the behaviour can be duplicated.
I do hope the problem will be fixed soon, since ZoneAlarm is a tool worth having. But until the fix is released, I can't advise any person to use it without extra precaution.
I saw this behaviour with version 2.1.25; other versions may not be affected.
ZoneAlarm stores information about the programs that are allowed to connect to the outside world. This information includes: product name, filename (full path and name of executable), product version, compilation date, and filesize.
You can see this information in Explorer too, by right-clicking on the executable and displaying its "details".
Of course, all this information can be accessed from other programs. Once you have it, you can use it to forge the information.
This seems to be the only check ZoneAlarm does. If you set up another application to look exactly like the one allowed out, ZoneAlarm is tricked.
If you're using a local proxy (like an ad-filtering software), you're in serious danger of being infiltrated.
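To make the weakness of this check concrete, here is an added example in Python (not ZoneAlarm's code and not part of the original review). It models an allow-list entry built from the five self-reported attributes the review lists, shows that a second file reporting the same attributes passes that check, and contrasts it with a check pinned to a SHA-256 digest of the file contents, which only the genuine file passes. All file names, field values and the two file bodies are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ProgramRecord:
    """The attributes the review lists as ZoneAlarm's stored description of an
    allowed program. The values used below are constructed for this example."""
    product_name: str
    path: str
    version: str
    compile_date: str
    size: int


def metadata_matches(allowed: ProgramRecord, candidate: ProgramRecord) -> bool:
    """Identity check built only from self-describing metadata (the weak check)."""
    return allowed == candidate


def content_hash(path: str) -> str:
    """SHA-256 over the file's bytes: an identity that cannot be copied out of a
    'details' dialog without also copying the program itself."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(allowed_digest: str, candidate_path: str) -> bool:
    """Identity check that pins the allow-list entry to the program's contents."""
    return hmac.compare_digest(allowed_digest, content_hash(candidate_path))


def run_demo() -> dict:
    """Create two files with identical metadata but different contents, run both checks."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine_path = os.path.join(workdir, "genuine.bin")
        other_path = os.path.join(workdir, "other.bin")

        genuine_body = b"constructed: the local proxy the user allowed out"
        # A different program padded to the same length, so the size field matches too.
        other_body = b"constructed: some other program".ljust(len(genuine_body), b"\x00")
        with open(genuine_path, "wb") as f:
            f.write(genuine_body)
        with open(other_path, "wb") as f:
            f.write(other_body)

        # Both programs report the same details. As the review notes, these
        # fields are readable from Explorer or any other program, so none of
        # them is a secret that could anchor an identity.
        shared = dict(
            product_name="Example Proxy",                       # constructed
            path=r"C:\Program Files\Example\proxy.exe",         # constructed
            version="1.0.0.0",                                  # constructed
            compile_date="2000-06-01",                          # constructed
            size=len(genuine_body),
        )
        allowed_record = ProgramRecord(**shared)
        candidate_record = ProgramRecord(**shared)

        allowed_digest = content_hash(genuine_path)
        return {
            "metadata_check_passes": metadata_matches(allowed_record, candidate_record),
            "hash_check_passes_for_genuine": hash_matches(allowed_digest, genuine_path),
            "hash_check_passes_for_other": hash_matches(allowed_digest, other_path),
        }


if __name__ == "__main__":
    print(run_demo())
```

The metadata check passes for both files, while the digest check passes only for the file whose bytes were allowed. The cost of the stronger check is that every legitimate update to an allowed program changes its digest and must be re-approved, which is the usability trade-off the review's ease-of-use praise runs into.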
Recommendation
ZoneAlarm is a useful tool, but don't use it as stand-alone.