Radsoft
 About | Buy | News | Products | Rants | Search | Security

Zone Labs: Anatomy of a Coverup

How angels stay clean and scandals stay silent.

Part Eleven - 5,987,611

The basis for Zone Alarm is US patent 5,987,611, filed on 6 May 1997 and granted on 16 November 1999, days before Steve Gibson was to begin preparing his Shields Up application.

The introduction to this patent application makes it quite clear what is at stake:

Firewalls are applications that intercept the data traffic at the gateway to a wide area network (WAN) and try to check the data packets (i.e., Internet Protocol packets or 'IP packets') being exchanged for suspicious or unwanted activities.

In the case of firewalls employing 'Stateful Inspection' technology, performance problems are aggravated by the fact that the firewall software needs to duplicate much of the protocol implementation of the client application as well as the transport protocol (e.g., TCP and UDP protocol) in order to understand the data flow.

In other words, the patent holds that filtering traffic at the packet level is impractical. What it proposes instead may be summarised as follows.

  • Monitor the startup of new processes.
  • Wait for these processes to use the Microsoft Winsock API (in particular the call WSAStartup).
  • Determine if the process is to be allowed access to the Internet.

The patent goes on to describe a method (applicable only on Windows 95) of redirecting DeviceIoControl calls so that an installed firewall driver sits logically between the Winsock DLL and the Winsock driver. This does of course help intercept Winsock API calls, but it does nothing about traffic that originates at, or is destined for, any layer of the stack below Winsock: a process that never goes through Winsock is never seen by the hook at all.

The only reliable method of filtering and stopping traffic - at the packet level - is dismissed from the get-go.
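To make the contrast concrete, here is an added illustration (not code from the patent, from Zone Labs, or from this page) that runs the three steps summarised above over a constructed trace of process and Winsock events, and sets the result beside a plain packet filter that decides on the wire bytes alone. The process names, the policy table, the event dicts and the hand-built IPv4/TCP headers are all invented for the simulation; nothing is sent on a network.

```python
"""Per-application gating versus packet-level filtering (constructed simulation)."""
import socket
import struct

# Hypothetical per-application policy: image name -> may reach the Internet?
APP_POLICY = {"browser.exe": True, "updater.exe": False}


def per_app_decisions(events):
    """Emulate the three steps: (1) note process creation, (2) wait for the
    process to call WSAStartup, (3) decide from the policy table.
    Returns {pid: 'allow'|'deny'} only for processes that called WSAStartup;
    a process that never touches Winsock is never judged."""
    procs = {}      # pid -> image name, filled by step 1
    verdicts = {}
    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev["image"]
        elif ev["type"] == "api_call" and ev["api"] == "WSAStartup":
            image = procs.get(ev["pid"], "<unknown>")
            verdicts[ev["pid"]] = "allow" if APP_POLICY.get(image, False) else "deny"
    return verdicts


def parse_ipv4_tcp(pkt):
    """Minimal IPv4 + TCP header parser. Returns (src, dst, sport, dport)
    or raises ValueError on anything that is not a well-formed IPv4/TCP frame."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if proto != 6:
        raise ValueError("not TCP")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport


def build_ipv4_tcp(src, dst, sport, dport):
    """Build a constructed 40-byte IPv4/TCP SYN header pair (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def packet_filter(pkt, allowed_ports=(80, 443)):
    """Hypothetical egress rule applied to every packet regardless of origin:
    pass only TCP to the listed destination ports, drop everything else."""
    try:
        _src, _dst, _sport, dport = parse_ipv4_tcp(pkt)
    except ValueError:
        return "drop"
    return "pass" if dport in allowed_ports else "drop"


# Constructed trace: pid 102 emits a packet below Winsock and never calls WSAStartup.
EVENTS = [
    {"type": "process_start", "pid": 100, "image": "browser.exe"},
    {"type": "process_start", "pid": 101, "image": "updater.exe"},
    {"type": "process_start", "pid": 102, "image": "rawsender.exe"},
    {"type": "api_call", "pid": 100, "api": "WSAStartup"},
    {"type": "api_call", "pid": 101, "api": "WSAStartup"},
]

PACKETS = {
    100: build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40001, 80),
    101: build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40002, 443),
    102: build_ipv4_tcp("10.0.0.5", "203.0.113.10", 40003, 6667),
}


def compare():
    """Return {pid: (per_app_verdict, packet_verdict)} for the constructed trace."""
    app = per_app_decisions(EVENTS)
    return {pid: (app.get(pid, "unseen"), packet_filter(pkt)) for pid, pkt in PACKETS.items()}


if __name__ == "__main__":
    for pid, (a, p) in compare().items():
        print(f"pid {pid}: per-app={a:6s} packet-filter={p}")
```

The two models answer different questions. The per-application hook can say "updater.exe may not talk" (pid 101), which a port-based packet rule cannot; but pid 102, which never calls WSAStartup, gets no verdict at all from the hook and is stopped only by the rule that inspects the packet itself. That is the gap the page's argument turns on.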


Copyright © Radsoft. All rights reserved.