
7 Dec 2001 14:22:59

More readers react.

   Date: Fri, 7 Dec 2001 14:22:59
   From: Patrick Nolan
Subject: Re: Flawed outbound packet filtering in various personal firewalls


Comments in-line:

> -----Original Message-----
>    From: Te Smith
>    Sent: Friday, December 07, 2001 3:51 AM
>      To: bugtraq@securityfocus.com
> Subject: Re: Flawed outbound packet filtering in various personal
> firewalls
> 
> 
> Tom contacted us a couple of weeks ago with the
> information that certain packet drivers can bypass the
> low-level firewall that is part of our ZoneAlarm and
> ZoneAlarm Pro drivers. Upon investigation we
> confirmed the problem and we are testing a fix.
> 
> It turned out that a bug in Windows NDIS layer allows
> a packet driver to bypass any personal firewall or
> similar product.

NDIS is a specification. This is a feeble attempt to toss this into 
the 'it's a Microsoft product, what do you expect' category.

Check out all of the firewall websites' whitepapers, and all you will 
see are very narrow and simple statements that they control NDIS 
adapters. They make no statements that they control any other host 
methods of network communication or drivers that are not NDIS 
compliant.

> Tom's contention that we block any outbound traffic
> issued by drivers other than the regular TCP/IP driver
> is simply wrong.

No, it's not wrong. What's wrong is the failure of PC firewall 
companies to list exactly what their firewalls will not stop, which 
is what is termed above a 'regular TCP/IP driver'.

Narrowly defining the firewall's control to the 'regular TCP/IP driver' 
(NDIS) lets the firewall maker off the hook for the actions of any 
non-NDIS-compliant adapter. Hmmmm, I wonder what kind of adapters 
crackers write, NDIS compliant or not compliant.

> For example, most VPN drivers do
> just that in one way or the other. However we require
> that such drivers only communicate with the trusted
> computers as defined by the local zone in ZoneAlarm
> and ZoneAlarm Pro.

VPN technology is vendor specific because the technology won't work 
without vendor proprietary adapters that will work with their 
proprietary firewalls.

These adapters may or may not be NDIS compliant, and they share the 
same weaknesses as any adapter.

Once again marketing obfuscation and attacking the messenger rules 
when $ales are at stake.

Tom's issues concerning adapters and personal firewalls are right on, 
and NO personal firewall manufacturer is prepared to admit the scope 
of the weakness he has brought public attention to. This is a 
matter that has been publicly ignored for too long.

Pat


Copyright © Radsoft. All rights reserved.