Tightening Security Screws

By Timothy Dyck  |  Posted 2002-03-18

Zone Labs Inc.'s ZoneAlarm Pro originally set the bar for Windows client firewalls because it could define on a program-by-program basis which applications could send network traffic.

ZoneAlarm Pro 3.0 goes further to block malicious program network activity by adding program integrity and component DLL checks. It also adds a variety of ad-blocker and privacy features that worked well—but not perfectly—in eWeek Labs tests. ZoneAlarm Pro 3.0 began shipping March 6 and runs on Windows 98, NT 4.0, 2000 or later.

Competitively, the $49.95 program is at the top of its class when it comes to straight firewall features (although we still found room for improvement) and is competitively priced, but this space is moving forward quickly, and we believe the stand-alone firewall market will not exist much longer.

Given the level of detailed IT knowledge needed to tightly lock down a firewall, centralized control is a must. However, that's just part of what's needed for an integrated approach: ZoneAlarm Pro lacks any anti-virus or IDS (intrusion detection system) features, and so it will have to be combined with other programs to provide complete security coverage.

Currently, nothing on the market provides integrated client firewall, IDS, anti-virus and privacy features in a centrally managed package—the Holy Grail of client network protection.

For now, Symantec Corp.'s Norton Internet Security 2002 Professional Edition comes closest with combined firewall, IDS, privacy and anti-virus protection features. However, this edition lacks central management; Norton AntiVirus Corporate Edition is an anti-virus-only package that offers central management.

Internet Security Systems Inc.'s BlackIce Defender combines firewall and IDS features (both can be centrally managed).

Application-Level Security

ZoneAlarm Pro 3.0 has two new anti-system-tampering features.

First, the 3.0 release blocked programs that we had previously authorized, then modified with a separate hex editor to simulate cracker tampering. This feature guards against infection of trusted software (ZoneAlarm Pro keeps an MD5 hash of authorized executables to check for modifications).

Second, ZoneAlarm Pro now keeps a list of the approved DLLs that each approved executable is allowed to load and displays a warning if a program tries to load a component not on the list. (We had to increase program control security to the nondefault "high" setting to get this protection.)

With this feature on, ZoneAlarm Pro blocked the firewall test program firehole (available at keir.net/firehole.html) when we tried to run it, something that previous versions weren't able to prevent.
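The two checks described above, a stored hash of each approved executable and a per-program list of approved components, sketched as an added example (not ZoneAlarm's code and not part of the original article). `ProgramPolicy`, its methods and the sample file names are hypothetical, and the sketch uses SHA-256 where the review says the product kept an MD5 hash.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    # Assumption: SHA-256 stands in for the MD5 hash the review mentions.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class ProgramPolicy:
    """Hypothetical approval store: executable -> (digest, approved component names)."""
    def __init__(self):
        self.approved = {}

    def approve(self, exe, components):
        # DLL names are compared case-insensitively, as Windows file names are.
        self.approved[exe] = (digest(exe), {c.lower() for c in components})

    def check(self, exe, loaded):
        """Return a list of findings; an empty list means the program passes both checks."""
        if exe not in self.approved:
            return ["program not approved"]
        want, allowed = self.approved[exe]
        findings = []
        if digest(exe) != want:
            findings.append("executable changed since approval")
        for name in sorted({c.lower() for c in loaded} - allowed):
            findings.append("unapproved component: " + name)
        return findings

def demo():
    """Constructed sample: approve a stand-in binary, then change one byte of it."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "browser.exe"
        exe.write_bytes(b"MZ" + bytes(64))
        policy = ProgramPolicy()
        policy.approve(exe, ["wsock32.dll", "kernel32.dll"])
        clean = policy.check(exe, ["KERNEL32.DLL", "wsock32.dll"])
        extra = policy.check(exe, ["kernel32.dll", "hook.dll"])
        exe.write_bytes(b"MZ" + b"\x90" + bytes(63))  # same length, one byte differs
        tampered = policy.check(exe, ["kernel32.dll"])
    return clean, extra, tampered

if __name__ == "__main__":
    print(demo())
```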

We found other parts of ZoneAlarm's program-level control frustrating. Although we could specify the network ports to which applications could send traffic, we couldn't limit the destination IP addresses to which these programs sent data. We were able to use ZoneAlarm's zones feature to set global controls on destination IP addresses, but these settings can't be set on a program-by-program basis.

We'd like ZoneAlarm to allow program-by-program network access control on the basis of network port, destination IP address or range, network protocol, parent process, and user account under which the sending process is running.

ZoneAlarm Pro's new privacy features enabled us to filter out banner ads, pop-up ad windows and animated ads and to block third-party cookies. These features occasionally missed ads (and, in a few cases, resulted in a bit of leftover HTML displaying in our browser), but they were still worth using.

ZoneAlarm Pro has very basic e-mail protection—it renames e-mail attachments that have particular extensions (based on a configurable list).

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master's of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.
