Tightening Security Screws
Zone Labs Inc.'s ZoneAlarm Pro originally set the bar for Windows client firewalls because it could define on a program-by-program basis which applications could send network traffic.
ZoneAlarm Pro 3.0 goes further to block malicious program network activity by adding program integrity and component DLL checks. It also adds a variety of ad-blocker and privacy features that worked well—but not perfectly—in eWeek Labs tests. ZoneAlarm Pro 3.0 began shipping March 6 and runs on Windows 98, NT 4.0, 2000 or later.
The $49.95 program is at the top of its class when it comes to straight firewall features (although we still found room for improvement) and is competitively priced, but this space is moving forward quickly, and we believe the stand-alone firewall market will not exist much longer.
Given the level of detailed IT knowledge needed to tightly lock down a firewall, centralized control is a must. However, that's just part of what's needed for an integrated approach: ZoneAlarm Pro lacks any anti-virus or IDS (intrusion detection system) features, and so it will have to be combined with other programs to provide complete security coverage.
Currently, nothing on the market provides integrated client firewall, IDS, anti-virus and privacy features in a centrally managed package—the Holy Grail of client network protection.
For now, Symantec Corp.'s Norton Internet Security 2002 Professional Edition comes closest with combined firewall, IDS, privacy and anti-virus protection features. However, this edition lacks central management; Norton AntiVirus Corporate Edition is an anti-virus-only package that offers central management.
Internet Security Systems Inc.'s BlackIce Defender combines firewall and IDS features (both can be centrally managed).
Application-Level Security
ZoneAlarm Pro 3.0 has two new anti-system-tampering features.
First, the 3.0 release blocked programs that we had previously authorized, then modified with a separate hex editor to simulate cracker tampering. This feature guards against infection of trusted software (ZoneAlarm Pro keeps an MD5 hash of authorized executables to check for modifications).
Second, ZoneAlarm Pro now keeps a list of the approved DLLs that each approved executable is allowed to load and displays a warning if a program tries to load a component not on the list. (We had to increase program control security to the nondefault “high” setting to get this protection.)
With this feature on, ZoneAlarm Pro blocked the firewall test program firehole (available at keir.net/firehole.html) when we tried to run it, something that previous versions weren't able to prevent.
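The two checks described above (a hash baseline for each authorized executable and a per-program list of approved components), as an added Python example that is not Zone Labs' code or part of the original review. The `ProgramPolicy` class, the file names and the finding labels are hypothetical; MD5 mirrors the review, and the sample files are constructed stand-ins.

```python
import hashlib, os, tempfile

def digest(path, algo="md5"):
    """Hash a file in chunks. MD5 mirrors the review; algo="sha256" resists collisions."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class ProgramPolicy:
    """Hypothetical baseline: one authorized executable plus approved components."""
    def __init__(self, exe, components, algo="md5"):
        self.algo = algo
        self.exe_hash = digest(exe, algo)
        self.approved = {os.path.basename(c).lower(): digest(c, algo)
                         for c in components}

    def check(self, exe, loaded):
        """Return findings; an empty list means nothing changed since approval."""
        findings = []
        if digest(exe, self.algo) != self.exe_hash:
            findings.append(("exe-modified", os.path.basename(exe)))
        for path in loaded:
            name = os.path.basename(path).lower()
            if name not in self.approved:
                findings.append(("component-not-approved", name))
            elif digest(path, self.algo) != self.approved[name]:
                findings.append(("component-modified", name))
        return findings

def demo():
    """Constructed stand-in files (not real binaries) in a temp directory."""
    d = tempfile.mkdtemp()
    def write(name, data):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        return path
    exe = write("app.exe", b"MZ" + b"\x90" * 64)
    dll = write("net.dll", b"MZ" + b"\x00" * 64)
    policy = ProgramPolicy(exe, [dll])
    clean = policy.check(exe, [dll])            # nothing changed yet
    with open(exe, "r+b") as f:                 # one-byte edit, as a hex editor would make
        f.seek(10)
        f.write(b"\x91")
    extra = write("extra.dll", b"MZ" + b"\xcc" * 64)
    return clean, policy.check(exe, [dll, extra])

if __name__ == "__main__":
    print(demo())
```

A firewall applying such a policy would deny network access whenever `check` returns any finding and prompt the user to re-approve.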
We found other parts of ZoneAlarm's program-level control frustrating. Although we could specify the network ports to which applications could send traffic, we couldn't limit the destination IP addresses to which these programs sent data. We were able to use ZoneAlarm's zones feature to set global controls on destination IP addresses, but these settings can't be set on a program-by-program basis.
We'd like ZoneAlarm to allow program-by-program network access control on the basis of network port, destination IP address or range, network protocol, parent process, and user account under which the sending process is running.
ZoneAlarm Pro's new privacy features enabled us to filter out banner ads, pop-up ad windows and animated ads and to block third-party cookies. These features occasionally missed ads (and, in a few cases, resulted in a bit of leftover HTML displaying in our browser), but they were still worth using.
ZoneAlarm Pro has very basic e-mail protection—it renames e-mail attachments that have particular extensions (based on a configurable list).
ZoneAlarm Pro 3.0
USABILITY | A
CAPABILITY | B
PERFORMANCE | B
INTEROPERABILITY | A
MANAGEABILITY | B
Those wanting a state-of-the-art firewall will find just that in ZoneAlarm Pro. However, it lacks anti-virus and intrusion detection features and so isn't a complete solution.
SHORT-TERM BUSINESS IMPACT // Ad-blocking features (especially pop-up window blocking) reduce user frustration when using the Web.
LONG-TERM BUSINESS IMPACT // A firewall alone is inadequate client protection, and companies need to plan on how to combine firewall, anti-virus, intrusion detection and privacy features into an integrated security management strategy.
PROS // Detailed traffic rules for both inbound and outbound traffic; checks for binary tampering for programs and program components; strong ad-blocking and other privacy features.
CONS // No intrusion detection or anti-virus features; program-based firewall rules can only be specified by port number, not by destination IP address; ad blocking sometimes results in invalid HTML and misses some ads.
Zone Labs Inc., San Francisco; (415) 341-8200; www.zonelabs.com/products/zap/index.html