ZoneAlarm - outdated?

[Fragbait]

Hi lurkers,

Thought that you maybe want to know that ZoneAlarm by Zone Laps Software isn't as safe as your backyard anymore. At least that's what PC-Professional (despite the name a German magazine) implies in one of their recent articles. The link's here, but beware - it's all in German.
For those of you that don't speak this world-language B) , and that don't have some kind of translator, the gist is that in the research of this magazine, ZoneAlarm could block only one out of three unrequested accesses to the PC it should protect.
The test winning program, which is of course recommended by the staff of this journal, is Sygate Personal Firewall 5.5 Pro. The homepage is www.sygate.de, and the top 5 personal firewalls can be seen here. Just click 'personal firewalls' in the assortment. The whole outcome can be seen here. Just click 'Bewertungen im Überblick'.
The test winning program scored a 'good' for a 90% performance, and ZoneAlarm scored 'inadequate' for a 30.8% performance.
Just to let you know. You might wish to change...


Greetings, Fragbait

[LochnarITB]

Thanks for pointing this out. I wish I could get a better translation of the page(s) you pointed too but I think I got a pretty good idea of what they were saying. I have actually been a little suspicious of Zone Alarm due to some recent happenings. I started looking around a few days ago and had already run into Sygate which is the one they said came out on top. My problem has been that I am addicted to a silly little game some people here introduced me too - Gunbound. Twice in the last week, I have had curious things happen. While playing one time, without warning the config window popped up as if I had hit escape in game. I assumed I bumped something and didn't think about it. Then Winamp popped up. I shut it down and then my HD became very active and I looked and the Zone Alarm tray icon was pegged. With the ZA icon, it was a simple 2 click process to slam the internet door. I then went about doing complete scans for viruses and mal-ware. Both came out clean. Then just yesterday, I was playing in a room against some folks that made me question their character. When I told them what I thought of them, I suddenly lost my game and again my HD and connection pegged. I slammed the door shut again.

That this happened disappointed me. I had had good faith in ZA up until then. Frequent updates, relative ease of use, success in running tests against it and that handy tray icon were selling points for me. Realizing that, once I had given access permission, I had seemingly opened the Holland Tunnel to anyone piggy backing on the Gunbound software upset me. It seemed that there should be some way to tell that the activity associated with the program, either amount or destination, had suddenly changed. I have now decided to try Sygate. What I read seems to say that it will do a better job of watching for such happenings. My biggest concern is that I will lose that functionality afforded by the ZA tray icon.

If anyone else has experience, positive or negative, with either or both of these products, especially the free versions, please post here. Also, if anyone has links to good firewall test sites, could you please post them? I have used the tests at the grc.com ShieldsUp site and at DSLReports. Thanks.

[Refrigerator]

@Frag - That's odd... I didn't see AVG antivirus on there... did I skip it or was it missing from the list?

@Lochnar - Yay! Another gunbound fan! I'm relatively new to the game, but if you PM me your acc I'll play you sometime!

[DeeBye]

@Frag - That's odd... I didn't see AVG antivirus on there... did I skip it or was it missing from the list?

AVG is not a firewall.

[LochnarITB]

@Lochnar -  Yay!  Another gunbound fan!  I'm relatively new to the game, but if you PM me your acc I'll play you sometime!

Well, there would be no point in PMing you my account name since you already have it. If that isn't enough of a clue I'll ask this question - Is your Gunbound account Refrigerator? If you still don't know my account name, it is given in the previous gunbound thread. Just add me to your Gunbound buddy list and I'll add you in and keep an eye out for you. I usually play the money servers (11/12).


[edit] Geez, I'm an idiot. I can't even remember my own name. :blink: Sorry, Refrigerator. Some possible confusion there. I forgot that I use the tag ITB (In The Buff - naked mage) here. My Gunbound account is my name without the tag - Lochnar. Cya sometime after the Guild Wars E3 alpha.

[Fragbait]

Hi LochnarITB,

I'm going to try my best. Here we go:

>>

firewalls - scandalous security gaps ( PC Professionell issue 3/2004)

Many firewalls lull their users with deceptive safeness. In their testlab, pc professionel simulates over 1800 hacker attacks and annuls 20 common firewalls with web attacks and trojans.

introduction
Personal firewalls insecure?

Many producers wholeheartedly praise their firewalls. Market leader Symantec for example promises on the package of Norton Personal Firewall 2004: The program keeps hackers at bay and personal data classified. Amongst other things spyware programs and trojan horses are said to not send data via internet unnoticed anymore.
But neither Symantec nor Agnitum (in Germany: Buhl Fire Alarm) nor almost all other firewalls in the test keep such promises. Even a single security gap can mean that an attacker can spy, abuse or destroy data. When applied in an enterprise, the existence of the whole company is at risk.
And even the common firewall Zone Alarm isn't safe: unblocked 'denial-of-service' attacks can paralyze pcs and networks through 5 gaps. Moreover 2 out of 3 leak-tests wind up negatively. This means that attackers are able to conduct systematic data espionage by the use of trojan attacks. In such a case, the firewall security is inadequate.
Only Sygate Personal Firewall 5.5 Pro blocked every dangerous attack in the testlab. To test whether the software really stops trojans, pc professionel uses 3 simulations that are accredited by experts, which every desktop firewall should block: Programs try to send data from the user pc to the internet under a false name.
For one the simulation Firehole disguises itself as Internet Explorer. Though most firewalls promise that thanks to them trojans can not call home, only Sygate, Kerio and Tiny blow the cover of these test attacks.
The tools of Norman, Internet Security Alliance and Agnitum/Buhl at least fall for just one assault. All other tools, among them famous names like McAfee, Norton Personal Firewall 2004 and Zone Alarm, let pass at least 2 out of three of these attacks.
1800 assaults with different grades of peril in the test reveal how well firewalls bear up against hackers.
10 of 23 software firewalls pass all test hacks without error. These are apart from test winner Sygate the following: Hackersmacker and Freedom firewall, but also the products of NT Kernel, Kaspersky, Internet Security Alliance, Omniquad, ISS, Deerfield and Cyber Firewall 2003 by Pearl.
With only one error at the most dangerous attacks, the products of Norman, McAfee and Symantec deliver a sufficient protection against hacks yet. If a desktop firewall lets pass five or more perilous attacks, this cannot be considered acceptable anymore: this blunder happens to the programs of Kerio, Tiny, Agnitum/Buhl, Zonelabs, Armor 2 Net, Software Appliance, Surfsecret and Secure Up.
In the category hardware firewall eight tested devices under 350 euros parry all hacker attacks with high danger potential. Among these devices, Zyxel Zywall 2 got the recommendation of the editorial staff. While hardware firewalls are an essential protection against hackers for users that are online for more than an hour daily, they do not help against trojans, which send personal data to spies in the internet. To block these, users definitely should run a good software firewall contemporaneously to the hardware one.
Only three out of eleven hardware firewalls show problems: Draytek lets pass one dangerous assault, Linksys two and Longshine even five.

test winner
Software: Sygate Personal Firewall 5.5 Pro (distribution: BHV)

Sygates Firewall 5.5 in the pro version is the only software firewall that doesn't let pass a single of the over 1800 simulated assault and gives none of the conducted trojan attacks a break.
In the test is the paid full version including Intrusion Detection as well as protection against Spoofing.
On the 13.02.04, the German version, that wasn't available to press date, is announced to get onto market. It will carry the appendix Platinum and get special live updates online.

Best software firewalls:

1. Sygate Personal Firewall 5.5 Pro: 84,5
2. Norman Personal Firewall 1.4: 79,5
3. Farstone Hackersmacker 2.0: 73,4
4. NAI McAfee Personal Firewall Plus: 67,8
5. NT Kernel Personal Firewall: 66,1
(maximum: 100 points)

<<

Well, that's it. Hope this helps... :)

Greetings, Fragbait

[Selby]

I like to think of firewalls as another tool you can use to protect your computer. Not the end all be all of safety and an end to personal computing responsibility (like keeping it up to date and clean from infection). Users need to be dilligent about maintaining their computers and most of the problems easily solve themselves or never are a problem to begin with. Too bad personal responsibility isn't high on people's priority list anymore.

[Moldran]

Some may be less secure than others, but all "personal firewalls" (= software packet filters) are a security hole by design. I recommend to not use them at all.

Plus: many of them are very annoying. Administrating a network where users have these programs running can be a major PITA. People don't realize that, while providing very little extra security, these programs often break many undangerous but useful applications.

What PFWs do is:
Make the uninformed user think that perfectly legal and undangerous traffic is an evil hacker attack so he feels threatened, then spit out a useless message so he feels protected (if the firewall has succesfully "blocked" the "attack" *cough*, there is no need to inform you about it, is there ?)
"I have just blocked access to your computer !!!". What the damn program blocked was a ping from the local DHCP server who wanted to know wether the leased IP address is still in use: Result: Address conflict, broken network..

What PFWs cannot do is:
Protect you from evil hacker attacks. An attacker who manages to make you run his code on your computer can easily disable or cheat *any* personal firewall. The other scenario are incoming connections. For that scenario, you do not need any firewall at all. It is absolutely sufficient (and easier, and more secure) to not run any insecure services. If you consciously decide to run an insecure service, you will also decide to allow access to that service via the firewall. If you don't, why run the service in the first place ? If the service does not run, there is no need to "protect" it with a firewall. Usefulness of the firewall ? Zero.

For whom are PFWs useful ? For the companies that produce them.

[LochnarITB]

Wow, thanks Fragbait! Unfortunately, the translation confirmed the one thing I was concerned about - the test was of the pro version and not the free personal edition. I did decide to try Sygate but have not yet decided to go the paid route. The problem with that is that it doesn't include some of the features I would like to have that appear to be in the paid version. It also makes some assumptions that I'm uncomfortable with. The biggest is one of the things pointed out by Moldran - it throws out all ICMP (ping) traffic, even that coming from my host and from behind my router, which I assume is for keeping my LAN connection live. It doesn't seem to have broken any connection yet but I think I can add an advanced rule to accept the pings and just haven't done so yet. Another thing that I discovered is that (being the family computer "expert") I would not put this on my parents' or my sister's computers. In order to work with it to get the best out of it, there has been quite a bit of interaction. I don't mind doing so, but they would never understand what they were looking at, or how to figure it out, and would just start blindly clicking the OK each time they were alerted, totally negating any benefit the firewall provided. One other thing that Sygate has given me is a better idea of all the programs that want to access the internet, just because it is there, even though it makes no sense for them to do so. Notepad tried to access the internet - huh?? :blink:

[Refrigerator]

Not Thinking

[Moldran]

As if they wanted to prove my point. 4 security holes were recently discovered in Symantec's products. 3 of the vulnerabilities enable an attacker to run arbitrary code on your computer, the other one causes a DoS, forcing you to reboot. Affected are:
Symantec Norton Internet Security and Professional 2002, 2003, 2004
Symantec Norton Personal Firewall 2002, 2003, 2004
Symantec Norton AntiSpam 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

Symantec has supplied patches.

Source:
http://www.heise.de/security/news/meldung/47316 (German)

These are vulnerabilities introduced by the firewall. The firewall is not just failing to do its job, it even introduces additional security problems. A system without any of the programs in question is not vulnerable in that way.

A well-configured system is more secure when it is not running a PFW. A badly configured system might profit from a PFW in some special scenarios, but it is far from being "secure". Don't let these programs fool you. A piece of software does not make your system secure.

[Fragbait]

Hi Moldran,

I admit that i don't know system configuration that good to make it 'well-configured'.
But isn't it true that e.g. Sasser comes onto your pc from just the ip? Without you having clicked at or downloaded something? If that's the case, and Sygate (or any other program) blocks this unwanted access to my pc, that should be enough to justify the use of this program.
And also:

A well-configured system is more secure when it is not running a PFW

If you are able to configure a system that way, to make it this safe, maybe you're knowing more than the plain average user. I'm sure there's quite a few people who couldn't secure there system manually, but are capable of running a firewall. Although there may be new security holes because of some firewalls, there's hope left that others are better.
What else should none-computer-experts do?

Greetings, Fragbait

[Moldran]

But isn't it true that e.g. Sasser comes onto your pc from just the ip? Without you having clicked at or downloaded something? If that's the case, and Sygate (or any other program) blocks this unwanted access to my pc, that should be enough to justify the use of this program.
And also:

Sasser exploits a vulnerability in a service that is running by default on Windows machines. That vulnerability was fixed several weeks before Sasser broke out. Only those users who were too stupid to apply the patch were threatened by Sasser.

The big problem with PFWs is that they make uninformed users feel secure while they are in fact not. They reduce awareness for the true problems.

Yes, PFWs protect you from worms like Sasser (any plain home router does that, too) - so far. But noone can tell you if your PFW will protect you from the next "big" worm. That one might just exploit a vulnerability in the PFW itself. It might be a more intelligent worm (Sasser was not very sophisticated) that knows a dozend ways to fool your PFW. You would probably only get to know when it is too late.
If you just apply Windows patches regularily, you are also protected against worms like Sasser - without the PFW. The PFW offers very little, if any, additional security to an up to date Windows system, and it introduces new problems. It is not worth it.

- Keep your software up to date (especially, but not only, Windows)
- Do not run potentially dangerous programs
- Do not surf with IE
- Do not use Outlook
- If possible, use an up to date virus scanner

I think *any* user can easily follow these 5 tips. If you do, a PFW is useless for you.
If you are paranoid or if the functionality of your computer is really important for you, get a real firewall. Any plain NAT router offers more security than a PFW.

[roguebanshee]

- Keep your software up to date (especially, but not only, Windows)
- Do not run potentially dangerous programs
- Do not surf with IE
- Do not use Outlook
- If possible, use an up to date virus scanner

I'm using those and one more:

- Do not run Windows XP

Most of the features that were introduced in WinXP has proven to be a security hole. And no, I never liked WinXP.

[Fragbait]

Hi Moldran,

Bit of minor grumbling:

That vulnerability was fixed several weeks before Sasser broke out.

Had that 18 year old lad programmed it quicker, it could have been a danger before that vulnerability was fixed. And it didn't 'break out'.

they make uninformed users feel secure while they are in fact not. They reduce awareness for the true problems.

Uninformed users aren't aware of any problems. My grandparents have internet, and they aren't aware of any risks, no way.

But noone can tell you if your PFW will protect you from the next "big" worm.

You forget that there will also be newer versions of firewalls. It's a question of whom to trust: the capability of microsoft's programmers to close every security hole fast enough? (come on!) Or rather the smaller firewall producing companies, which are out of simple prestige reasons more unlikely to get hacked (how many people that you know use the same firewall compared to how many you know use the same OS?)

Do not run potentially dangerous programs

*any* user can easily follow these 5 tips.

Yeah, sure. Any user can of course easily estimate the danger potential that lies in some programs. I think you are concluding from yourself to others here. (example:my grandparents)

Do not surf with IE

That's in fact a bit complicated, since every Windows copy still includes IE, and many people don't even know the alternatives. That's partly Microsofts fault, I think, though I agree with you on this point.

get a real firewall.

According to PC Professional, these have holes, too. In any case they don't protect you from trojans.

Any plain NAT router offers more security than a PFW.

What the heck is a NAT router? And how should I or even lesser informed people know?
You know, there's an inadequate information flow that is founded in the desiderative interest that most people show when it comes to how a pc or a network works. For most of them all that counts is that it works. I think it has also something to do with the not-recognition of digital data as real commodity. If your pc got a worm - well, not too bad. Worst case is you format it and re-install everything. Same for a virus. Heck, some people even do that regularly, to 'keep it clean', their not-so beloved object of utility, and 'make everything go again'.
And as long as there are more people like that than computer foxes (like you? no offense!), these firewalls have their right to exist.
Well - perhaps when computer criminality gets able to actually hardware-wise destroy parts of the pcs, the safety awareness will grow.


Greetings, Fragbait


Edit: typo-god, what did I do wrong???

[Moldran]

"Break out" was the wrong term, yes. What I meant was "occured". Although maybe it did break out. AFAIK, that is not known yet ;)

Uninformed users aren't aware of any problems. My grandparents have internet, and they aren't aware of any risks, no way.

An uninformed user is doomed to use the PFW incorrectly.

You forget that there will also be newer versions of firewalls.

It will be an endless race, yes. A race with only one winner: Those who make money selling useless programs to uninformed users.

You forget that there will also be newer versions of firewalls. It's a question of whom to trust: the capability of microsoft's programmers to close every security hole fast enough? (come on!) Or rather the smaller firewall producing companies, which are out of simple prestige reasons more unlikely to get hacked (how many people that you know use the same firewall compared to how many you know use the same OS?)

I tell anyone I know not to use PFWs :)
I don't trust the companies that produce PFWs any more than I trust M$.

Yeah, sure. Any user can of course easily estimate the danger potential that lies in some programs. I think you are concluding from yourself to others here. (example:my grandparents)

A user who can not recognize wether a program is potentially malicious is also not able to configure his PFW correctly. I have seen this countless times: Users either allow every program to access the internet, or they accidentaly restrict programs they want to use. The result of the latter usually is that they turn the PFW off completely while using certain applications. Great security concept, a firewall that only runs 50% of the time ;-)
Plus: Once a malicious prorgam has been run, the PFW may allready be compromised. See below.

According to PC Professional, these have holes, too. In any case they don't protect you from trojans.

That part of the article really is complete BS. A real FW can protect you from trojans, to some small extent, IF it is configured correctlly. A PFW can NOT, NEVER, even if configured well, because the trojan can just disable the PFW (takes about 10 lines of code - example programs are floating around Usenet), or make the PFW think the user clicked on "allow connection", or change the PFW configuration, etc. The fact that this has not been imtegrated in wide-spread worms so far does not change the structural problem. You can be sure that in the future, there *wiill* be trojans that are designed to work around PFWs. It is only a matter of time until the first "super-worm" will emerge that includes functions to fool these programs.
If you want real protection against trojans, you must setup firewall systems that are much too complicated to be used as the average home user. The protection against tojans one should use is: Do not install them.

What the heck is a NAT router? And how should I or even lesser informed people know?

All the common routers for home networks are NAT routers. They offer very good security against attacks that rely on incoming connections (like Sasser, Blaster, etc) even without any special configuration.

[Fragbait]

Just wanted to add one more:

A user who can not recognize wether a program is potentially malicious is also not able to configure his PFW correctly.

In my case, my uncle's the pc specialist, and he configures the pc of my grandparents. They are the users, though.
Good conversation.


Greetings, Fragbait

[DeeBye]