Radsoft

Zone Labs: Anatomy of a Coverup

How angels stay clean and scandals stay silent.

Part Four - How It Doesn't Work III

Winsock is Microsoft's interpretation of Berkeley sockets. Winsock is close to the standard but not identical. What's important to understand here is where in the protocol stack Winsock actually sits.

Internet (or ordinary network) communications are not single-tiered. Ordinary Internet applications have to go through several layers of logic to get out onto the Internet and, conversely, wait while several layers of logic deal with incoming data before they see anything.

At the very bottom - at the modem level if you will - is what is known as the Link Layer. This is where frames are sent and received by your modem on an ordinary ISP dialup connection.

When a frame comes in through the modem, it is demultiplexed. The logic at the Link Layer determines the type of packet the frame contains. Common packet types are ICMP and IGMP packets and of course the ubiquitous IP datagram. It is the IP datagram which the universal TCP uses to converse on the Internet.

If the Link Layer establishes that the incoming packet is indeed an IP datagram, it passes it on to the Network Layer. This layer, with the IP protocol, will then demultiplex the packet further. IP may, for example, find that the datagram is in fact a TCP segment and thereafter pass the datagram up again - this time to the Transport Layer.

The TCP protocol, operating at the Transport Layer, will look closer at the TCP segment it has been given and determine which client application wants this data and turn it over to them.

So it's like a fire drill, with a bucket of water being passed from hand to hand, from one side of the Internet to the other. And it all works fine and dandy. And there is nothing wrong with this picture at all.

The only flaw that could possibly occur is if someone applied for a patent that could allow a PC user to close down Internet or network communications and which worked at the level above TCP - at the so-called Application Layer.

Zone Alarm (and its Internet Lock) works at the Application Layer. Let's see how this looks coming back down the hierarchy now.

  1. An application tries to create a socket. To do this, the application will call a function in the Winsock API.
  2. This API call will alert Zone Alarm, as Zone Alarm on startup has hooked into this device driver.
  3. Zone Alarm will do all the fancy and flashy things it says it's going to do in the patent application.

But what if an application doesn't use Winsock? There is no golden or universal rule that says that network/Internet communications on a Windows PC have to go through this Microsoft library!

A 'socket' is just a data structure identifying two endpoints - IPs and ports. No one forces the Windows developer to go this way. A developer is fully able to create IP/port combinations independent of Microsoft's libraries - and then send and receive any messages they please.

And they can work at the Transport Layer, or they can do a bit more work and do it at the Network Layer, or they can work really hard and work at the Link Layer. They can do it anywhere they please.

  • There are four layers to Internet/network traffic.
  • Zone Alarm hooks into the highest (most abstract) layer when it should be hooking into the lowest layer.
  • If Zone Alarm hooked into the lowest layer, then it could truly filter and stop traffic - precisely as users trust it to do.
  • But Zone Alarm doesn't do that. It takes the easiest - the cheapest - way out. It looks at the top layer only. Internet/network traffic can proceed without a care in the world, and Zone Alarm - and the Zone Alarm user, even with Internet Lock turned on - will be none the wiser.

It's that simple.
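As an added illustration (not code from the article or from Zone Labs) of the hand-to-hand demultiplexing described above, and of why a filter sitting at the Link or Network Layer sees the endpoints of every packet whether or not the application ever touched Winsock: the frame bytes are constructed for this example, and the function names are assumptions.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17

def demultiplex(frame: bytes) -> dict:
    """Walk a raw frame up the stack as the article describes:
    Link Layer (Ethernet) -> Network Layer (IPv4) -> Transport Layer (TCP/UDP).
    Returns what each layer could identify and stops where it cannot."""
    info = {}
    if len(frame) < 14:
        return info
    info["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    if info["ethertype"] != ETHERTYPE_IPV4:
        return info                     # not an IP datagram: nothing more to see
    ip = frame[14:]
    if len(ip) < 20:
        return info
    ihl = (ip[0] & 0x0F) * 4            # IP header length in bytes
    info["src_ip"] = ".".join(str(b) for b in ip[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    info["protocol"] = ip[9]
    if info["protocol"] not in (IPPROTO_TCP, IPPROTO_UDP):
        return info
    seg = ip[ihl:]
    if len(seg) < 4:
        return info
    info["src_port"], info["dst_port"] = struct.unpack("!HH", seg[:4])
    return info

def lower_layer_verdict(frame: bytes, blocked_dst_ports: set) -> str:
    """Hypothetical filter placed below Winsock: it sees the endpoints no
    matter which library (or no library at all) produced the packet."""
    if demultiplex(frame).get("dst_port") in blocked_dst_ports:
        return "DROP"
    return "PASS"

def build_tcp_frame(src_ip, dst_ip, src_port, dst_port) -> bytes:
    """Constructed sample: minimal Ethernet + IPv4 + TCP headers, no payload.
    Checksums are left zero because nothing here validates them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02,
                          8192, 0, 0)
    return eth + ip_hdr + tcp_hdr
```

A hook on the Winsock API only fires when an application chooses to call that API; the verdict function above never asks who built the packet.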


Copyright © Radsoft. All rights reserved.