The magazine of the Melbourne PC User Group
ZoneAlarm Pro 3.0
Ash Nallawalla
ash@melbpc.org.au
Many of our readers use the free firewall program from Zone
Labs known as ZoneAlarm (ZA). I had been using it for over a year and was aware of the Pro version. Since the
free version seemed to do "everything" (although restricted to home use and nonprofit charities), I was
curious about the extras offered by the paid version.
ZoneAlarm 2.6
Perhaps a quick overview of ZA (presently at version 2.6) will set the scene for this review. You can fetch
it via a link at Zone Labs http://www.zonelabs.com.
When your PC is connected to the Internet, logically speaking, the rest of the Internet is connected to it.
A loose analogy is your unlisted telephone. Only those who know its number can phone you, but call centres
sometimes dial numbers sequentially; some are not allocated but others are valid numbers and your phone will
be one of them. Wouldn't it be good if a "wall" could be built that would not stop you from using that phone
to make calls, but only accept calls from known people?
The telephone analogy ends there because the Internet connections are far more complex. Your computer has
thousands of numbered ports (openings) and many of them are designated for a fixed purpose. For example, if
you ran a Web server on your home PC (hardly anyone will do so except by accident or for a test), it would be
"listening" on port 80 for incoming requests from browsers. If you could block port 80, then nobody could
reach your Web server. Note that you could be running such a server without hosting a Web site.
There are nasty people out there who run programs that are the equivalent of the call centre that dials
sequentially. They "dial" Internet Protocol (IP) numbers, which include the one temporarily given to you by
your ISP. For example, today my ISP has given me the number 144.137.50.128 but tomorrow it could be
144.137.50.xxx.
If your PC responds to a probe known as a "ping" (think of SONAR), that is just one of many ways someone
else can tell that you are "at home". It's like picking up your telephone if it rings. If your PC turned a
deaf ear to pings, that type of probe would fail.
What can a network administrator do to
protect against Nimda-like multifaceted threats? The only thing that we know about the next Nimda is that we
don't know what form it will take. Such multi-faceted threats take advantage of multiple network and Windows
vulnerabilities. Nimda's propagation vectors and payload exploit a series of known security holes in one
cleverly executed package. The result is a huge network traffic jam, slowing down network responses. (In
fact, at Nimda's peak, the entire Internet experienced a noticeable slowdown).
Future-proofing your network from such an unknown threat requires preventing infection in the first
place - quarantining suspicious e-mail; managing application version and patch levels to plug existing
vulnerabilities network-wide; and blocking unknown applications from making further connections and, thus,
propagating themselves.
This proactive guilty until proven innocent approach balances productivity and protection and is a
distinguishing characteristic of Zone Labs' security solutions such as Zone Labs Integrity, a centrally
managed enterprise security platform.
Zone Labs
Figure 1. Configuring ZoneAlarm Pro is very easy.
Figure 2. Internet Connection Sharing can be defined during setup or at any time.
Figure 3. An incoming probe is detected and blocked.
Once the program has determined that an active
connection exists at that address, it can start probing every port number in sequence from 1 through 65534 or
specific numbers that are known to be vulnerable. Such a vulnerability exists only if you run the specific
Internet software affected, so it pays to keep it all up to date.
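A firewall's alert list can be sorted into the probe types described above: a lone ping, a single stray connection attempt, or a run of consecutive port numbers from one source. The following Python example is added here for illustration and is not from the original article or from Zone Labs; the log format, addresses, threshold and function name are assumptions.

```python
from collections import defaultdict

# Constructed sample of blocked-inbound records: "time,source_ip,protocol,dest_port".
# Invented format for illustration (not ZoneAlarm's log layout); addresses are
# documentation ranges; ICMP records are assumed to be echo requests ("pings").
SAMPLE_LOG = """\
10:02:01,192.0.2.10,ICMP,-
10:02:03,192.0.2.10,TCP,21
10:02:03,192.0.2.10,TCP,22
10:02:04,192.0.2.10,TCP,23
10:02:04,192.0.2.10,TCP,24
10:02:05,192.0.2.10,TCP,25
10:07:40,198.51.100.7,TCP,80
10:09:12,203.0.113.5,ICMP,-
10:15:30,198.51.100.7,TCP,80
"""

def classify_sources(log_text, sweep_threshold=5):
    """Label each source as 'port sweep', 'ping only' or 'isolated'."""
    ports = defaultdict(set)   # source -> distinct destination ports tried
    pinged = set()             # sources that sent a ping
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, src, proto, port = line.split(",")
        if proto == "ICMP":
            pinged.add(src)
        else:
            ports[src].add(int(port))
    verdicts = {}
    for src in pinged | set(ports):
        tried = sorted(ports.get(src, ()))
        # Longest run of consecutive port numbers: the "dial in sequence" pattern.
        longest = run = 1 if tried else 0
        for a, b in zip(tried, tried[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= sweep_threshold:
            verdicts[src] = "port sweep"
        elif not tried:
            verdicts[src] = "ping only"
        else:
            verdicts[src] = "isolated"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, verdict)
```

Raising `sweep_threshold` makes the classifier quieter, which is the same trade-off as choosing between seeing every alert and seeing only the probes that look malicious.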
Most people don't need to know a thing about ports but they will probably
all agree that uninvited "guests" are not welcome inside their PC. To keep them out, they need a firewall that
blocks the baddies and only allows in the data you want, such as email, newsgroups and Web
pages that you request.
ZA is easy to install. It will immediately make your PC invisible to the outside world and block your ports.
None of your Internet programs will see the Internet either. What's good about that, you ask? Now you will
see an alert box pop up, informing you about any program that is trying to sneak out. Of course, if it is
your Web browser or email program, you will grant permission. You can also tick a box if you want to give
such permission indefinitely and not be annoyed with alerts every time your program accesses the Net. Once in
a while, you may see an unfamiliar program requesting permission. Deny such access and see if it stops
something from working; if nothing breaks, you can assume that it is a Trojan trying to report back to its master.
ZoneAlarm Pro 3.0.118
ZA Pro looks quite different from ZA so it takes a while to get reacquainted with the features it shares with
ZA. Like its junior cousin, ZA Pro gives you the option of installing with conservative settings that will
protect you.
What's Extra?
Here are the extra features in ZA Pro compared with ZA:
- It can block advertisements and popups.
- It can block 46 types of potentially nasty file attachments that can come with e-mail, compared to one type blocked by ZA.
- It can block active content found on some Web sites.
- It can block cookies.
- You can find the approximate geographical location of a cracker who is probing you (a "hacker" is what ignorant people call a "cracker").
- You can block specific IP addresses if they are known to be pests.
- Laptop computers can adapt easily to a new network, such as using it at home, work, and at a branch office.
- You can protect your ZA Pro settings with a password.
Do You Need the Extras?
Some people like looking for free programs that can do some of the above tasks. They exist. Nevertheless, you
should consider using an integrated program if the additional features appeal to you. If the programs are not
integrated, you might have trouble pinpointing the source of anomalies.
Figure 4. You can request details of any alert.
Figure 5. You can ask for the approximate source of the intruder.
Figure 6. A list of actual alerts on my PC.
My work laptop does not have any software firewall, but it lives behind at least two hardware firewalls. My
Internet usage is extremely conservative, so I consider myself to have a low risk.
On the other hand, my home PC gets all kinds of suspicious e-mail and some of the Web sites I visit do
unexpected things to my session.
I don't mind some banner ads but I like ZA
Pro's ability to block slow ads. I know there are good cookies and bad ones; I am happy for ZA Pro to block
just the bad ones. These are third-party cookies, whereas I want session and persistent cookies, or else some
sites would be unusable or needlessly frustrating.
Requirements
- IBM PC or 100% compatible, Pentium processor (or higher)
- Windows 98/ME/NT/2000/XP, 16 MB RAM, 10 MB hard disk space
- US$49.95 for an Internet purchase from Zone Labs
In Use
Installation was painless and swift. Configuration was likewise, although I had to think a little before
choosing some settings. For example, I like to share my Internet connection with my laptop when I bring it
home rather than swap cables back and forth. I had to reduce my Internet Zone security to Medium before
Internet Connection Sharing would work. This did not sound right, so a little more checking resulted in
placing my PC in High Security mode and allowing ICS to work. My confusion had resulted because I use a hub
on the network and had not chosen the option that said that the PC is an Internet gateway.
Figure 7. All programs that try to use the Internet connection trigger an alert.
Figure 8. I found a vulnerability on my PC.
Figure 9. I swiftly closed that door with the help of UnPlug n' Pray from GRC.
I tested ZA Pro by using the free ShieldsUp
tests offered by Gibson Research (http://grc.com). It told me that I had
recently installed Microsoft Universal Plug-and-Play, which is a potential security hole. At the same site I
downloaded a free tool to turn off this "feature".
I found the Help files to be briefer than expected. Some people don't like its user interface but it is a
matter of getting familiar with it. I still run the basic ZA on the other home PC and find myself clicking
the wrong buttons because I haven't used it for a while.
As Melb PC's Internet service has a trial antivirus filter, I don't see many viruses or suspicious
attachments, but an innocuous HTML file sent by a friend was quarantined by default (HTML files can come
loaded with a malicious script so it pays to be safe). I also use Microsoft Outlook XP, which also blocks
certain attachments, so the two programs in tandem protect my PC.
As for its main protection against crackers, I saw a few alerts but I know that the attempts were blocked, so
I was not concerned. ZA Pro, unlike ZA, enables you to be informed only if the probe appears to be malicious,
so you don't need to choose between the two extremes of no alerts and all alerts.
Recommendation
My recommendation is that you download ZA Pro and try it for 30 days before deciding whether to buy it or to
stick with the free version for home use. You definitely need the basic level of protection offered by ZA and
you may wish to consider the added protection of ZA Pro.
Reprinted from the May 2002 issue of PC Update, the magazine of Melbourne PC User Group, Australia