Personal Firewalls Tests: ZoneAlarm Pro
An analysis of mini-firewalls for Windows users
By Seán Boran
November 29, 2000 - This article is part of a series of
tests on Personal Firewalls / Intrusion Detection Systems. Refer to [1] for an introduction to Personal Firewalls, risks, a
feature comparison, a summary of analyses and tips on 'hardening' your Windows even
without a firewall.
This report focuses on ZoneAlarm Pro (note that the 'regular' ZoneAlarm is
tested in a separate report) [1].
Key criteria in choosing a Personal Firewall are:
- Effectiveness of Security Protection (penetration, trojans, controlling leaks,
Denial-of-service)
- Effectiveness of Intrusion Detection (few false positives, alerting of dangerous
attacks)
- User interface: ease of use, instructiveness, simplicity, quality of on-line help. Does
the interface suit the way you use your PC?
- Price
How did we test firewall/intrusion detection effectiveness?
a) Ping and accessing shares to and from the test host.
b) A powerful, well known 'remote control' trojan (Netbus
Pro v2.1) [3] was installed on the system on a
non-standard port (to make detection more difficult), the Netbus
server started and attempts made to connect from a remote system.
c) An nmap [2] scan was run to check
that incoming ports were effectively blocked. For comparison, with no firewall installed nmap
detected the test PC's OS version (NT4 SP5) and the following list of services:
Port       State  Service
7/tcp      open   echo
9/tcp      open   discard
13/tcp     open   daytime
17/tcp     open   qotd
19/tcp     open   chargen
23/tcp     open   telnet
135/tcp    open   loc-srv
139/tcp    open   netbios-ssn
445/tcp    open   microsoft-ds
1025/tcp   open   listen
ZoneAlarm Pro Firewall [4]:
Combining the safety of a dynamic firewall with total control over applications'
Internet use, ZoneAlarm gives rock-solid protection against thieves and vandals. ZoneAlarm
now features MailSafe to stop email-borne Visual Basic Script worms, like the "I Love
You" virus, "dead-in-its-tracks", thwarting its spread, and preventing it
from wreaking havoc on your PC. ZoneAlarm makes ironclad Internet security easy-to-use.
ZoneAlarm watches network communications on a per-application basis and asks the
user for permission each time an application wants to use the network.
Features
- General security levels low, medium, high are available, for
the Internet and local (i.e. trusted) network interfaces.
- The network interface which is trusted (local) can also be chosen (useful to protect a
dialup, but not an Ethernet connection for instance). However if you use dial-up for both
Internet and Intranet access, it's problematic (see below).
- Specific trusted hosts can be added, but not which services you wish to allow.
- ZA pro detects running network applications and provides a list. Each application can be
allowed to receive incoming connections, on either the Local or Internet connection (or
both). ZA pro looks at the application's file header and directory location to identify
the application.
- The configuration GUI allows application security to be changed afterwards, to allow/deny
connections or to prompt for permission to connect.
- The pro version costs $39 and has the following additional features:
- password protection
- custom alert & logging
- trusted addresses can be manually added to the 'local zone'
- ports allowed can be controlled per application
ZA pro V1.0.64 was tested on Win2k SP1 and NT4 SP5.
Security Effectiveness
The security tests were made on NT4 SP5 (Win2k was unstable), with 'high settings',
customized to allow outgoing ping.
Incoming ping is blocked.
Netbus trojan
- When the Netbus server is started, ZA pro pops up a dialog "Do you want to
allow NBSvr.exe to act as a server". This is not very informative; an inexperienced
user might well allow it, especially if it is programmed to start on booting.
- However, even after allowing it, the Netbus client could not contact and control the
Netbus server; an alert was issued: "The firewall has blocked local network access to
your computer (TCP Port 3000) from 176.17.17.11 (TCP Port 1042) [TCP Flags: S]". No
reason is given why it blocked this traffic, which should have passed given that we
clicked OK to allow Netbus through.
Running nmap causes over 500 alerts (the GUI only shows the last 500) like
"The firewall has blocked local network access to your computer (TCP Port 169) from
176.17.17.60 (TCP Port 9814) [TCP Flags: S]". The ZA taskbar icon flashes during the
scan. Nmap was unable to identify any services or the OS fingerprint.
Mail filtering:
- MailSafe was switched on and 'MailSafe alerts' enabled. MailSafe apparently is able to
detect dangerous content.
- Sending an outgoing email with Outlook98 with a ".vbs" attachment was not
detected.
- Receiving such an attachment was detected and the attachment renamed to
".zlv". On double-clicking this file, MailSafe gives a well written warning
about Visual Basic scripts and allows inspection with Notepad, saving or running.
Advantages
- Shuts down all unused ports.
- No reboot required during installation.
- Laptop powersaving modes continue to function.
- Has different rules for LAN (local) and Internet networks.
- Stops and asks for your permission before an application can use the network, for the
first time, or every time (e.g. "Do you want to allow Explorer to access the
Internet, Destination IP: A.B.C.D").
- Nice little tray icon that indicates volume of passed/denied Internet traffic.
- Flexible
- Lots of features (see above)
- Button to block the network temporarily (which can be used if you suspect you have a
Trojan, or are opening an email/program from an untrusted source, or are going off for
lunch...). Programs which are configured to "Pass Lock" are still allowed to
communicate.
- Some readers who use ZA have indicated that they like its method of functioning.
Disadvantages
- If many applications are used, the questions to the user can be annoying/confusing, and
the user may end up having more applications trusted than expected.
It doesn't tell you exactly what the application does, and an application is either trusted
or it is not.
For example, when using Internet Explorer, ZA prompted saying IE wanted to be a server to
the Internet, but without any details as to what port, whether this was dangerous, etc. I
denied access and IE still worked (Netscape did not have this effect). IE did this several
times. ZA pro does, however, allow the user to restrict what ports are allowed/denied per
application.
- Scans (like nmap) cause a large number of alerts, and the alerts are not correlated to tell the
user that a scan is underway. However, the presence of hundreds of alerts does at least
indicate an attack. For the user to take appropriate action it would be useful to have a
summary alert that analyzes what was scanned, with what tool (if the scan tool can be
detected by its methods), and from where.
- If you use the same dialup connection sometimes for Intranet, sometimes for Internet,
ZoneAlarm will always apply the same rules. e.g. on an Intranet dial-up NetBIOS file
sharing, RPC etc. are desirable, but they are not on the Internet connection. It's too
unwieldy to switch security levels on the GUI each time you dial one or the other.
- User Interface:
- GUI could be easier to use, more instructive.
- ZA pops up confusing alerts that a typical user will not be able to handle: "The
firewall has blocked Internet Access to hostx.domainy.com [10.10.10.10] (TCP port 3327)
from your computer (TCP Flags: AP)".
It is not mentioned which application caused the alert, and the user is not prompted to
add an appropriate rule to allow this traffic, if he/she so desires. If the user
recognises the destination and port and feels it is OK, all that can be done is to add the
target address to Security -> Customise -> Local Zone Contents. This means that the
target will be trusted for all communications.
- There is no 'user friendly' GUI for browsing attacks. However, a third-party tool is
available [5].
- 'MailSafe' alerts are not enabled by default.
- It would be nice if power users could customise the rules a bit more: cannot allow/deny
specific incoming/outgoing ports/protocols, for all applications.
- The alert log file \winnt\Internet Logs\ZALog.txt is not detailed enough: it gives port
numbers but not the reasons why packets are blocked, no packet headers or contents, nor any
state information.
- Bugs:
- Continuous blue screen crashes on Win2k SP1: "PAGE_FAULT_IN_NONPAGED_AREA /
vsdatant.sys". Two applications, Outlook and Mindterm were running each time, but
these never cause problems with other firewalls.
- The 'check for update' feature would not work behind a proxy/firewall, although my
browser was configured and worked.
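The scan alerts quoted in the nmap test above, and the summary alert this review says is missing, can be reconstructed from the alert text itself. The following is an added example (not part of the original article or of ZoneAlarm): it parses inbound alert lines in the format the review quotes, groups them by source address, and emits one summary line per source that hit more than an assumed threshold of distinct ports. The sample alert lines are constructed here; the outbound alert format ("blocked Internet Access to host ... from your computer") is deliberately ignored.

```python
import re
from collections import defaultdict

# Inbound alert text in the form the review quotes; the outbound form is ignored.
ALERT_RE = re.compile(
    r"blocked (?:local network|Internet) access to your computer "
    r"\((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) from (?P<src>[\d.]+) "
    r"\((?:TCP|UDP) Port (?P<sport>\d+)\)(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?",
    re.IGNORECASE)

SCAN_THRESHOLD = 20  # assumed: distinct blocked ports from one source = scan
def parse_alert(line):
    # Returns proto/dport/src/sport/flags for an inbound alert, else None.
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    a["dport"], a["sport"] = int(a["dport"]), int(a["sport"])
    a["flags"] = (a["flags"] or "").upper()
    return a

def summarize_scans(lines, threshold=SCAN_THRESHOLD):
    # Group blocked inbound alerts by source; report sources over the threshold.
    ports, flags = defaultdict(set), defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a:
            ports[a["src"]].add((a["proto"].upper(), a["dport"]))
            if a["flags"]:
                flags[a["src"]].add(a["flags"])
    report = {}
    for src, hit in ports.items():
        if len(hit) >= threshold:
            nums = [p for _, p in hit]
            report[src] = {"ports": len(hit), "low": min(nums),
                           "high": max(nums), "flags": sorted(flags[src])}
    return report

def format_summary(report):
    # One line per scanning source: the summary alert the review asks for.
    return ["Port scan from %s: %d ports blocked (%d-%d), TCP flags %s" %
            (src, r["ports"], r["low"], r["high"], ",".join(r["flags"]) or "-")
            for src, r in sorted(report.items())]

# Constructed sample: a SYN sweep of 30 ports plus the single Netbus attempt.
SAMPLE = ["The firewall has blocked local network access to your computer "
          "(TCP Port %d) from 176.17.17.60 (TCP Port %d) [TCP Flags: S]"
          % (p, 9800 + p) for p in range(1, 31)]
SAMPLE.append("The firewall has blocked local network access to your computer "
              "(TCP Port 3000) from 176.17.17.11 (TCP Port 1042) [TCP Flags: S]")
```

Running `format_summary(summarize_scans(SAMPLE))` on the constructed sample reports only the sweeping host; the single Netbus connection attempt stays below the threshold and is left as an individual alert.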
Summary
ZoneAlarm Pro is effective, powerful and fixes most problems found in the standard
ZoneAlarm.
The MailSafe feature is an added bonus that will be appreciated by users who don't have
a virus/trojan checking system on their mail servers.
Unfortunately it's not free, can be confusing (user interface) and it does have
stability problems on Win2k.
One of the best products tested so far.
[1] Personal Firewalls/Intrusion Detection Systems (the base reference for
this article).
pf_main20001023.html
[2] Nmap
http://www.insecure.org/nmap
[3] Netbus Pro: remote control program often used as an attack tool to
control remote PCs.
http://netbus.nu
[4] ZoneAlarm
http://www.zonealarm.com
[5] Firewall Log Analyzers are available from Brady & Associates, LLC,
for BlackICE, ZoneAlarm and Winroute. The BlackICE log analyser was tested and works well.
It costs $20 for BlackICE, $10 for ZoneAlarm, with a one month evaluation period.
http://clearice.hypermart.net/
About the Author
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
07.Nov.00 Published
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 17 August, 2001