Home » Resources » Software » Reviews » ZoneAlarm Pro 3.0

13 Nov 2001 13:28:00

As Michelle has coyly skipped town, Tom tries to take over.

   From: Tom Liston
   Sent: Tuesday, November 13, 2001 13:28:00
     To: Gregor Freund; Michelle Delio
Subject: Re: FW: wired news story


Mr. Freund,

My name is Tom Liston.  I was asked by Michelle Delio of Wired News 
to contact you and respond to statements made by you in answer to 
questions posed about ZoneAlarm's functionality.

>1: Is zone alarm aware that data can pass through the firewall,
>underneath the socket level, without the product blocking or
>alerting users?

>A: This is not correct. ZoneAlarm protects your system on two
>different levels:
>- On the application level we determine if the application is
>allowed to access the Internet at all.
>- On the adapter level we catch any unsolicited traffic from the
>outside and block any traffic that tries to bypass the application
>layer.

>One possible cause for the misunderstanding is that our adapter-
>level firewall is not visible as a network driver using the
>standard Windows tools but links into NDIS (Microsoft Networking)
>dynamically. This is intentional because anything that's installed
>as an 'official' network driver could be uninstalled by another
>application such as a Trojan Horse. This is particularly an issue
>with Windows 95/98/ME.

Response: Therefore, anything else that 'links into NDIS (Microsoft 
Networking) dynamically' wouldn't be seen by ZoneAlarm.  (Note: this 
wording is open to several possible interpretations, but seems to 
point to the fact that ZA simply uses NDIS commands). That is 
exactly how the program that bypasses ZA's security works.

>2: What particularly concerned me was that the data could be
>transferred even after I engaged the 'internet lock' --all the
>other applications I had running did stop, but my drive was still
>accessible to the demo team via the internet. It would appear that
>there is no check at the packet level for outbound traffic --true?

>A: Again, that's incorrect. Any traffic that bypasses the
>application layer gets automatically blocked. This has been
>independently confirmed by numerous sources and is an inherent
>design of ZoneAlarm. Unfortunately we are not able to recreate
>your environment and how your system has been modified - as I
>mentioned in an earlier email the demo app you've sent us is
>missing a DLL module.

Response: I'm sorry, but what you're saying is incorrect.  Any 
traffic that ZoneAlarm 'sees' would perhaps be blocked, but if 
something talks to NDIS directly, as this application does, it can 
send data out.  It works, I've seen it.

As for the missing dll, it is readily available, well known, and 
free.

http://netgroup-serv.polito.it/winpcap/install/default.htm

In any case, packet.dll and the required .vxd (packet.vxd) are 
attached.  These will work under Win9x/ME.  A .sys file (packet.sys) 
is available that will work under NT or 2K.

As for the environment, it simply requires the program that you 
have, the dll/vxd attached (which should be placed in 
\windows\system), and an ethernet connection.

>3: I was told that this is not a patchable issue, but is a design
>flaw that would require a major overhaul of ZoneAlarm. True?

>A: Again, not true, this was always part of the core design of
>ZoneAlarm and ZoneAlarm Pro.

Response:  I would have to agree that this isn't a 'patchable' 
issue.  The program simply talks directly to NDIS, and I don't see 
how that could be 'patched.'

>4: I happen to think that ZoneAlarm is an excellent product, and I
>have and will continue to recommend it highly to many people.
>But I am concerned that it's not as bulletproof as I believed it
>was. Will Zone alarm advise users that the product does not block
>all data transfer? What else should ZoneAlarm users be doing to
>truly lock down their machines? Perhaps a multi-tiered security
>plan?

>A: Your support is appreciated and warranted as the basic
>assumptions of your source are not correct. ZoneAlarm and
>ZoneAlarm Pro have a full dynamic stateful inspection firewall
>that blocks anything that bypasses the application layer. Having
>said this there is always a chance that on an insecure operating
>system like Windows someone finds a way around both layers.
>However that would be of a much more limited scope than the
>'redesign' your source is suggesting. Normally if such a rare
>instance comes to our attention we rapidly issue a fix and
>automatically notify the affected users that an upgrade is available.

Response:  I've seen the program work.  I've seen data sent without 
a peep from ZoneAlarm.  I don't think this is a 'limited scope' 
issue.

HackBusters has agreed to host a 'target' for the application.  I 
also have reviewed the application and I've seen it work with ZA on 
its highest settings and the Internet Lock 'on'.

If you have any additional questions on the functionality of the 
application, please feel free to contact me.

-TL


Copyright © Radsoft. All rights reserved.