Personal Firewalls Tests: ZoneAlarm
An analysis of mini-firewalls for Windows users
By Seán Boran
November 29, 2000 - This article is part of a series of
tests on Personal Firewalls / Intrusion Detection Systems. Refer to [1] for an introduction to Personal Firewalls, risks, tips on
'hardening' your Windows even without a firewall, a feature comparison and a summary of
analyses.
This report focuses on ZoneAlarm (note that ZoneAlarm Pro has not yet been
tested).
Key criteria in choosing a Personal Firewall are:
- Effectiveness of Security Protection (penetration, trojans, controlling leaks,
Denial-of-service)
- Effectiveness of Intrusion Detection (few false positives, alerting of dangerous
attacks)
- User interface: ease of use, instructiveness, simplicity, quality of on-line help. Does
the interface suit the way you use your PC?
- Price
How did we test firewall/intrusion detection effectiveness?
a) Ping and accessing shares to and from the test host.
b) A powerful, well known 'remote control' trojan (Netbus
Pro v2.1) [3] was installed on the system on a
non-standard port (to make detection more difficult), the Netbus
server started and attempts made to connect from a remote system.
c) The telnet server was enabled on the Win2k test PC. We then attempted to connect
to this service remotely. It is not recommended that you enable telnet; we did so purely
for testing purposes.
d) An nmap [2] scan was run against
each product (see below), to check that incoming ports were effectively blocked. With no
firewall installed, the test PC (Win2k SP1) presented nmap (nmap -sT -P0 -O
IP_ADDR) with the following ports:
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
ZoneAlarm Firewall [4]:
Combining the safety of a dynamic firewall with total control over applications'
Internet use, ZoneAlarm gives rock-solid protection against thieves and vandals. ZoneAlarm
now features MailSafe to stop email-borne Visual Basic Script worms, like the "I Love
You" virus, "dead-in-its-tracks", thwarting its spread, and preventing it
from wreaking havoc on your PC. ZoneAlarm makes ironclad Internet security easy-to-use.
Zone Alarm watches network communications on a per application basis and asks the
user for permission each time an application wants to use the network.
Features
- General security levels low, medium, high are available, for
the Internet and local (i.e. trusted) network interfaces.
- The network interface which is trusted (local) can also be chosen (useful to protect a
dialup, but not an Ethernet connection for instance). However if you use dial-up for both
Internet and Intranet access, it's problematic (see below).
- Specific trusted hosts can be added, but not which services you wish to allow.
- ZA detects running network applications and provides a list. Each application can be
allowed to receive incoming connections, on either the Local or Internet connection (or
both). ZA looks at the application's file header and directory location to identify the
application.
- The configuration GUI allows application security to be changed afterwards, to allow/deny
connections or prompt for permission to connect.
- Download size: 1.5MB
- Cost: free for personal use, $20 for business use.
Security Effectiveness
Running nmap on ZoneAlarm in "high security" mode causes one alert
that was not informative and nmap is able to identify a few services:
Port State Protocol Service
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
No OS matches for host.
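As an added illustration of the before/after comparison (example code, not from the article), the following Python parses both nmap listings reproduced on this page and reports which baseline ports ZoneAlarm closed and which remained reachable at "high security". The two listings are copied inline from the page's tables, and the regex accepts both column layouts shown.

```python
"""Compare the article's two nmap listings: the unprotected Win2k baseline
and the scan with ZoneAlarm in "high security" mode (both copied below)."""
import re

# Baseline scan with no firewall installed, as printed in the article.
BASELINE = """\
Port State Protocol Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
"""

# Scan with ZoneAlarm at "high security"; note the different column layout.
ZONEALARM_HIGH = """\
Port State Protocol Service
17 open tcp qotd
19 open tcp chargen
135 open tcp loc-srv
139 open tcp netbios-ssn
No OS matches for host.
"""

# Accepts both layouts: "7/tcp open echo" and "17 open tcp qotd".
_LINE = re.compile(r"^(\d+)(?:/\w+)?\s+(\w+)\s+(?:(?:tcp|udp)\s+)?(\S+)")

def parse_open_ports(scan):
    """Return {port: service} for every line that reports an open port."""
    ports = {}
    for line in scan.splitlines():
        m = _LINE.match(line.strip())
        if m and m.group(2) == "open":   # skips header and OS-match note
            ports[int(m.group(1))] = m.group(3)
    return ports

def exposure_diff(before, after):
    """Ports the firewall closed, and ports still reachable with it running."""
    b, a = parse_open_ports(before), parse_open_ports(after)
    blocked = {p: s for p, s in b.items() if p not in a}
    return blocked, a
```

Running exposure_diff(BASELINE, ZONEALARM_HIGH) shows the six ports ZoneAlarm closed and the four (qotd, chargen, loc-srv, netbios-ssn) that nmap could still identify.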
Advantages
- Shuts down all unused ports.
- Cost: free for personal use.
- Has different rules for LAN (local) and Internet networks.
- Stops and asks for your permission before an application can use the network, for the
first time, or every time.
- Flexible
- Button to block the network temporarily (which can be used if you suspect you have a
Trojan, or are opening an email/program from an untrusted source, or are going off for
lunch...). Programs which are configured to "Pass Lock" are still allowed to
communicate.
- Quick download (1.5MB)
- Other ZA users have indicated that they like its method of functioning.
Disadvantages
- If many applications are used, the questions to the user can be annoying/confusing, and
the user may end up having more applications trusted than expected.
It doesn't tell you exactly what the application does, and an application is either trusted
or it is not.
For example, when using Internet Explorer, ZA prompted saying IE wanted to be a server to
the Internet, but without any details as to what port, whether this was dangerous, etc. I
denied access and IE still worked (Netscape did not cause this effect). IE did this
several times.
- If you use a dialup connection, sometimes for Intranet, sometimes for Internet,
ZoneAlarm will always apply the same rules. e.g. on an Intranet dial-up NetBIOS file
sharing, RPC etc. are desirable, but they are not on the Internet connection. It's too
unwieldy to switch security levels on the GUI each time you dial one or the other.
- ZA can't be configured to ignore pings from unknown sources, e.g. from Network
management stations on the Intranet.
- GUI could be easier to use, more instructive, and could use less screen space (I don't
like the permanent window that can't be removed).
- It would be nice if power users could customise the rules a bit more: cannot allow/deny
specific incoming/outgoing ports/protocols.
- Uninstalling could be cleaner: an empty ZoneAlarm directory is left in C:\Program Files\
and keys are left in the registry.
- There is no 'user friendly' GUI for browsing attacks. However, a third party tool is available [5].
- The attack log (\winnt\Internet Logs\ZALog.txt) is not detailed enough: it gives port
numbers but not the reasons why packets were blocked, no packet headers or contents, and no
state information.
- Bugs:
- Stability: I had one blue screen during early testing.
A reader wrote in to report multiple blue screens on his dual processor NT4 SP6a
system, after running for about 24 hours. Rebooting daily was the "workaround".
The impression is that it is related to the dual processors.
- If Windows 2000 Service Pack 1 is installed, ZoneAlarm breaks and will only work in
"Medium" mode [6].
Summary
ZoneAlarm is interesting and has a loyal following, especially since it is free for
home users.
However, it does have its quirks and you may find it worth paying for the Pro version
or other products.
Addendum: Some information has come in, but I've not
reinstalled to check it:
- ZoneAlarm includes the MailSafe function found in the Pro version; it does have trusted
addresses. v2.1.29 was the latest version in Nov. 2000.
- One reader reports that DSL peak speed dropped from 900 Kb/s to 300 Kb/s after
installing Zonealarm on Win2k.
References
[1] Personal Firewalls/Intrusion Detection Systems (the base reference for
this article).
pf_main20001023.html
[2] Nmap
http://www.insecure.org/nmap
[3] Netbus Pro: remote control program often used as an attack tool to
control remote PCs.
http://netbus.nu/
[4] ZoneAlarm
http://www.zonealarm.com/
[5] Firewall Log Analyzers from Brady & Associates, LLC, for BlackICE,
ZoneAlarm and Winroute. The BlackICE log analyser was tested and works well. It costs $20
for BlackICE, $10 for ZoneAlarm, with a one month evaluation period.
http://clearice.hypermart.net/
[6] "Windows 2000 SP1 breaks firewall software":
Q269676
http://support.microsoft.com/support/kb/articles/Q269/6/76.ASP
Wininformant article
http://www.wininformant.com/display.asp?ID=2852
About the Author
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
18.Oct.00 Published
22.Nov.00 Minor fixes
12.Mar.01 Reader note. Doc 332
15.May.01 Addendum
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 17 August, 2001