Home » Resources » Software » Reviews » ZoneAlarm Pro 3.0

7 Dec 2001 11:51:00

Spin doctor Smith, one day an employee of PR firm Holland McAlister, the next day an employee of Zone Labs, fires off a reply at four o'clock in the morning her time.

   From: Te Smith
   Sent: Friday, December 07, 2001 11:51:00
     To: bugtraq@securityfocus.com
Subject: Re: Flawed outbound packet filtering in various personal firewalls


Tom contacted us a couple of weeks ago with the
information that certain packet drivers can bypass the
low-level firewall that is part of our ZoneAlarm and
ZoneAlarm Pro drivers. Upon investigation we
confirmed the problem and we are testing a fix.

It turned out that a bug in the Windows NDIS layer allows
a packet driver to bypass any personal firewall or
similar product. In order to exploit the bug, malicious
code would have to break through two levels of
protection in our software - our inbound firewall
protection and/or our MailSafe feature that blocks
potentially dangerous attachments. In addition, a
malicious application would need administrative
privileges under Windows NT, 2000 and XP. To date,
there have been no reports of actual exploits of this
potential vulnerability and we are working on a fix and
expect to have another build for testing next week.

After we provided Tom with a test version of ZoneAlarm
Pro that sealed this vulnerability to confirm the fix, he
was disappointed that his LaBrea@Home
application would not work any more. LaBrea@Home
is a honeypot application that attempts to frustrate
hackers by initially responding to a scan but then not
continuing 'the conversation'. The theory is that a
hacker would waste time in his/her scan but would
ultimately be unsuccessful in the attempt. We'd
recommend that a honeypot application be put on a
separate machine and not be protected by a firewall.

If used by security specialists, honeypot applications
have their legitimacy, but we firmly advise against this
approach for most users because honeypots do
(and are designed to) attract subsequent attacks.
ZoneAlarm and ZoneAlarm Pro will block
indiscriminate outbound traffic to untrusted
computers by applications that attempt to bypass the
normal TCP/IP stack and therefore we don't expect
that LaBrea@Home and our products will work
together. It is possible to configure ZoneAlarm and
ZoneAlarm Pro for this setup but we don't
recommend it for the reasons listed above.

Tom's contention that we block any outbound traffic
issued by drivers other than the regular TCP/IP driver
is simply wrong. For example, most VPN drivers do
just that in one way or the other. However, we require
that such drivers only communicate with the trusted
computers as defined by the local zone in ZoneAlarm
and ZoneAlarm Pro.

Tom further complains that he doesn't get an alert for
every single blocked packet. This is as designed.
ZoneAlarm and ZoneAlarm Pro have been carefully
designed to eliminate unnecessary alerts. This
includes:
1) Only issue one alert for any hack attempt even if
the attempt consists of multiple packets.
2) Reduce alerts by 'Internet background noise'.
3) Repress alerts if issuing an alert might lead to a
DoS situation because processing the alerts starts to
take up too much CPU time.

This behavior is consistent with most professional
firewalls - personal or otherwise. In addition,
ZoneAlarm Pro allows the user to customize many of
the alert settings.


Te Smith
Director, Corporate Communications
Zone Labs Inc.
1060 Howard St.
San Francisco, CA  94103
415-341-8233 (v)
415-341-8399 (f)
831-462-5317 (Santa Cruz)
tsmith@zonelabs.com
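The three alert-reduction rules Smith lists (one alert per multi-packet attempt, dropping background noise, and suppressing alerts once alert processing itself becomes a load problem) are easy to get wrong in a way that either floods the user or hides a real probe. The following is an added illustration, written for this page and not Zone Labs' or ZoneAlarm's code, of how a packet filter's alert stage can implement those rules over a log of blocked packets. The event format, the window length, the set of ports treated as background noise and the per-window alert budget are all assumptions chosen for the example; the event log is constructed.

```python
"""Alert coalescing for a packet-filter's blocked-packet log.

Added example, not Zone Labs code.  Implements three rules:
  1. all blocked packets from one source within a window -> one alert
  2. unsolicited traffic to 'noise' ports is counted but never alerted
  3. no more than N alerts per window; the rest are suppressed and
     counted so the user can still see that suppression happened
"""
from collections import namedtuple

Event = namedtuple("Event", "ts src dst_port")           # ts in seconds
Alert = namedtuple("Alert", "first_ts src packets ports")

# Assumption for this example: broadcast/discovery ports whose unsolicited
# inbound packets are treated as Internet background noise, not an attack.
NOISE_PORTS = frozenset({137, 138, 1900})


def coalesce_alerts(events, window=60, noise_ports=NOISE_PORTS,
                    max_alerts_per_window=5):
    """Return (alerts, stats) for a list of blocked-packet events."""
    events = sorted(events, key=lambda e: e.ts)
    open_alerts = {}            # src -> [first_ts, packet_count, set(ports)]
    alerts = []
    stats = {"events": 0, "noise": 0, "coalesced": 0, "suppressed": 0}
    rate_window_start = None    # start of the current alert-budget window
    rate_count = 0              # alerts already issued in that window

    def flush(src):
        # Turn an open per-source record into an alert, subject to the budget.
        nonlocal rate_window_start, rate_count
        first_ts, count, ports = open_alerts.pop(src)
        if rate_window_start is None or first_ts - rate_window_start >= window:
            rate_window_start, rate_count = first_ts, 0
        if rate_count >= max_alerts_per_window:
            stats["suppressed"] += 1        # rule 3: budget exhausted
            return
        rate_count += 1
        alerts.append(Alert(first_ts, src, count, tuple(sorted(ports))))

    for ev in events:
        stats["events"] += 1
        if ev.dst_port in noise_ports:      # rule 2: background noise
            stats["noise"] += 1
            continue
        # Close per-source records whose window has expired.
        expired = [s for s, (t, _, _) in open_alerts.items() if ev.ts - t >= window]
        for src in expired:
            flush(src)
        if ev.src in open_alerts:           # rule 1: same attempt, same alert
            entry = open_alerts[ev.src]
            entry[1] += 1
            entry[2].add(ev.dst_port)
            stats["coalesced"] += 1
        else:
            open_alerts[ev.src] = [ev.ts, 1, {ev.dst_port}]
    for src in list(open_alerts):           # records left open at end of log
        flush(src)
    return alerts, stats


# Constructed sample log: one four-port scan, two NetBIOS noise packets,
# one single probe, then the first scanner returning a new window later.
SAMPLE_EVENTS = [
    Event(0, "203.0.113.5", 22),
    Event(1, "203.0.113.5", 23),
    Event(2, "203.0.113.5", 80),
    Event(3, "203.0.113.5", 443),
    Event(5, "198.51.100.9", 137),
    Event(6, "198.51.100.9", 138),
    Event(30, "192.0.2.77", 3389),
    Event(200, "203.0.113.5", 22),
]

# Constructed flood: twenty distinct sources inside one window, to show
# the alert budget cutting in rather than the alert stage eating the CPU.
FLOOD_EVENTS = [Event(1000 + i, "10.0.0.%d" % i, 22) for i in range(1, 21)]


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_EVENTS), ("flood", FLOOD_EVENTS)):
        alerts, stats = coalesce_alerts(log)
        print(name, stats)
        for a in alerts:
            print("  t=%-5d %-14s packets=%d ports=%s" % a)
```

Running the block prints three alerts for the sample log (the four-packet scan collapses into one alert listing all four ports, the NetBIOS packets produce none, and the scanner's return after 200 seconds opens a fresh alert) and five alerts plus fifteen suppressions for the flood. The suppression counter is the part worth keeping in a real product: a user who sees "15 alerts suppressed" knows the filter was busy, which is the information rule 3 would otherwise throw away.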


Copyright © Radsoft. All rights reserved.