Is there really something wrong with Zone Alarm?

Discussion in 'other firewalls' started by Diver, Mar 5, 2005.

Thread Status:
Not open for further replies.
  1. RAV

    RAV Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    70
    No problems here with ZA Suite on my 2 computers (and previous computers). I also run with MS Antispyware and Trojanhunter behind a Linksys router. As far as suites (those with parental controls and AV) there is no better software that I can find. The new Kaspersky 2006 alpha/beta suite does look promising but it may be a few months before it is ready for prime time use.
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
This rainy afternoon I finally got around to running some of the port scans on ZA, namely GRC and AuditMyPC. When I started out by setting my NAT/Wireless Access Point for DMZ, I lost connectivity. My first thought was that ZA was broken, but after uninstalling it and testing with Kerio 2.15 and CHX-1, I realized my NAT was the culprit. A reset to factory defaults saved the day. Well, it was an opportunity to update my rule sets. After reinstalling ZA it passed the scans nicely, including the troublesome AV mail proxy ports and P2P server ports.

    These scans do not really test a firewall to its max. They are no more than a way of testing to see if you set the thing up correctly. Don't forget that.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    What's your overall impression of ZA now that you've used it for a while? If nothing else, it's certainly simple and easy to use. I'm of the impression that it has pretty good stateful too, but I can't prove that. I don't think ZA logs everything that hits either. In other firewalls, I'll see for example groups of 3 hits one after the other quickly and fairly often, but I think ZA only logs one hit. Maybe it's summarizing in some fashion. Should log everything though. In Pro, there are some logging options for what you want logged. I've turned everything on here.
     
  4. Arup

    Arup Guest

ZA is very good for those not willing to go deeper into the realms of firewall configuration like the ones you have to do in Kerio and Jetico. It works very nicely out of the box and the controls are pretty much self explanatory even for first time users; however, it comes with the price of being heavy on resources as well as extremely hard to configure when you finally feel the need to tweak the rules. Rule creation and Zone Alarm don't go well together.
     
  5. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    I think ZA is pretty good. When I first set it up there seemed to be some slowdown, but I traced that to some other problems with my NAT, and certain other drivers. I cleaned all that up this afternoon and it is running a lot better.

    One possible way of looking at firewalls is that there are 4 categories of threats:

    1. Traditional firewall direct inbound. Hard for non professionals to test this.

    2. Leak tests as assembled by gkweb.

    3. Termination. Some say this is more likely than #2.

    4. Mouse/Keyboard exploits to allow new programs.

ZA seems to address all of these fairly well. It may not be the top performer on leak testing, but it is good. Note that the leak test thing has become a selection factor for some (the LnS crowd) while ignoring the others.

    ZA is widely used, so if there was a problem with traditional firewall functions #1, everyone would know about it. Chances are something like CHX-1, 8Signs or some high end enterprise product is tops here.

    It is excellent in the ease of use category. This is partly due to its total application orientation. Each application is in its own compartment, so to speak.

    Doing expert rules is difficult. I believe that all of the tutorials leave a lot to be desired. Not one really captures the concept. Not one mentioned the loop back problem, which took me hours to understand. If an application is in a compartment it will need its own DNS, loop back and a terminator, plus specific rules. For the typical program that just updates something on port 80, it is not worth the effort to do expert rules. This gets into the concept of the trusted app.

    I have limited my expert rules to IE, mail and P2P. The last category are servers and I want to cut the unsolicited listening down to just the designated server ports. IE is limited due to the many possible exploits. Mail just is limited to the addresses of the SMTP boxes.

Yes, there is extraneous stuff, and I don't think it is worth running an old version to exclude it. Is that 1MB or 6MB? There is no way to know for sure. I just turn it off. I guess on a 512MB machine another 5 or 8 MB does not mean much. The total remains less than Sygate, Kerio 4, Outpost, and Tiny 6.X. I have never run Norton, but if it is not a hog, I will eat my firewall :) So the bloat argument is more of a perception than reality. When I realized that is when I decided to try ZA.

    I will probably keep ZA on my main machine, but continue to experiment with Kerio 2.15 and CHX-1 on the hand me down boxes I have. Someday, I am going to take on Outpost and Tiny 6.X, just for the experience. I am also thinking of doing a linux powered appliance on one of the old junkers, as a project, not cause I really need it.

    Diver needs to go diving, in salt water, somewhere.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I agree, expert rules are difficult in ZA. Awkward might be a better description. So much so that I don't even bother with them, but I may give them a try again just to learn more.

    As far as resources, I think it's pretty good actually. Here, it's using about 14 megs of ram (service and gui combined). And cpu usage is nil. It's better than Sygate, Outpost, Tiny and some others. Not as good as CHX-I, Kerio or Jetico though.
     
  7. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
Not that many apps need expert rules, but when you have one, it is a real pita. The tutorials seem to show how to limit an email client to the SMTP server range. Trivial with any other firewall and difficult with ZA. You can probably get by with the broadest rule that will enforce the server destination range here.

    I like to limit Internet explorer to destination ports 80 and 443. Just enough for windows update, as I don't use it for anything else, and it is known for too many exploits.

    Azureus is a Bittorrent client that is written in Java. Because Java can do pretty much anything, I limit Javaw.exe to the minimum it takes to run this one. It's a lot of ports out, but only 80 in the tcp service port range. Inbound it is a single TCP port. I regard this as the app in the greatest need of limited rules.

I tried to write some rules for eMule and decided there was no real reason to. Most other apps just do not matter. The real point of application filtering is not to limit every application to the tightest possible range of ports, it is to limit communications to a trusted list of applications, and no other applications. That is what the whole leak testing thing is about. They all call out on TCP port 80 with IE because every system allows IE to do that. The rest of the ports don't matter much, unless the rules are all global, as with 8signs.

    Actually, it is a close question whether you need any expert rules with ZA.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver - I'm back to Kerio 2 again tonight. Reason is, I ran into a post in the comp.security.firewalls newsgroup that described a possible workaround for that Kerio 2 fragmented packet thing. I'm trying it out now and will know in a day or two if it works. It involves hardening the OS with a few registry entries. It apparently (from what people say on the newsgroup) works on Win2k and XP Pro, but not on XP Home. I'll post the text of the guy's workaround below for anyone interested who's using Kerio 2.1.5. Granted, the fragmented packet problem is not much of a problem really, but this might give some people more peace of mind. If it doesn't work for you, don't blame me... I'm just the messenger. :)

    Here's the guy's original post:

    "First let me tell you about Kerio. I reported this frag problem to
    them on 16/12/04. They said it's several years out of date and is not
    sold or supported. I asked them if the exploit concerned them and they
    told me not to contact them again. No more replies. _|_

    Many people still like Tiny/Kerio 2.x and will continue to use it
    despite Kerio's lack of concern for their security(dig). So:
    This works on XP. Do registry backups.

    Go to:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    make a new DWORD Value
    EnableFragmentChecking
    edit it and change the value to 1
    Make sure it's in
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
    and a reboot shouldn't be needed.

    This should stop the XP stack processing fragmented packets, so they
    should be rejected before they get to Tiny/Kerio. It should work for
    2k/03 as well, I haven't checked 9.x
    To check it works before making the registry change, send out some
    fragmented packets using ping or hping. After the change the packets
    will time out as the stack drops them."
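Added here as an illustration, not part of the quoted post or of any poster's own material: a PowerShell script that records the current EnableFragmentChecking value in each of the three Tcpip\Parameters keys named above before setting it, and can put the recorded values back, which is the "note what you're changing" step Kerodo recommends. It assumes an elevated PowerShell session on an NT-family Windows and a backup file path of my choosing.

```powershell
# Added example (not from the quoted post): back up, set, and optionally revert
# the EnableFragmentChecking DWORD in the Tcpip\Parameters keys named in the thread.
# Assumes an elevated PowerShell session; run with -Revert to restore the backup.
param([switch]$Revert)

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
    'HKLM:\SYSTEM\ControlSet001\Services\Tcpip\Parameters',
    'HKLM:\SYSTEM\ControlSet002\Services\Tcpip\Parameters'
)
$name   = 'EnableFragmentChecking'
$backup = Join-Path $env:TEMP 'EnableFragmentChecking-backup.json'   # constructed path

if ($Revert) {
    # Restore each key to what was recorded: remove the value if it was absent, else reset it.
    $saved = Get-Content $backup -Raw | ConvertFrom-Json
    foreach ($entry in $saved) {
        if ($null -eq $entry.Value) {
            Remove-ItemProperty -Path $entry.Key -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $entry.Key -Name $name -Value $entry.Value -Type DWord
        }
        Write-Host "Reverted $($entry.Key)"
    }
    return
}

# Record what is there now; ControlSet002 is not present on every machine.
$state = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Key = $key; Value = $current }
}
$state | ConvertTo-Json | Set-Content $backup
Write-Host "Previous values saved to $backup"

foreach ($entry in $state) {
    # New-ItemProperty creates the DWORD; -Force overwrites it if it already exists.
    New-ItemProperty -Path $entry.Key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    $now = (Get-ItemProperty -Path $entry.Key -Name $name).$name
    Write-Host "$($entry.Key): $name = $now"
}
```

The script only records and sets the value; it does not check whether the stack actually drops fragments afterwards, and Kerodo reports later in the thread that the tweak did not work for him on Win2k.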
     
  9. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
Kerodo... Should I go offline or quit KPF while doing those registry tweaks?
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Nope, just make the registry changes and then reboot for good measure. Perhaps backup your registry also, or note what you're changing in case you want to reverse the changes. Also remember this apparently does NOT work on XP Home. I'm testing it now on Win2k.

    Please note my disclaimer too.. If it breaks something, don't blame me!
     
  11. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, cancel the above post relating to Kerio and fragmented packets. The guy's solution doesn't work. Just tried it here on Win2k and no go. He claims it works on XP Pro, but somehow I doubt it. Oh well... Sorry... :doubt:
     
  12. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
Hehe... alright, I was about to, then as a precaution looked at your post... gave it up :D Win XP Pro here though. By the way Kerodo, besides Kerio do you use anything extra to be well protected just because of the fragmented packets?
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    MushfiQ, I don't worry about the fragmented packets much. I change firewalls all the time too, but when I do run Kerio I'm not concerned anymore. It's been discussed quite a bit and generally agreed that there's nothing much that anyone can do to harm anything. If it concerns you, then maybe use something else, but otherwise I wouldn't worry... Psychologically it's a little irritating, but practically speaking, it's nothing to worry about.
     
  14. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
Thanks Kerodo for clarifying that.... Cheers :)
     
  15. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I just noticed on the eMule site, in their help area, they say ZA and eMule do not get along, which is kind of interesting because it seems to work here.

    K-

    Even if that registry hack worked, it would be overkill. Are you going to try Process Guard with Kerio?
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
Naw... I'm not worried about process termination really.. I did install it last week and took a look. Looked interesting. But I'd prefer to have as few apps running as possible...
     
  17. Piper

    Piper Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    34
    Location:
    California, USA
    I have been running ZoneAlarm on my computer for a long time. I started out with the free version, then Pro, now back to free. I was running ZA 5 until last night.

I am a Comcast HSI customer and we just got our speed increase activated in our area about a week ago. I couldn't get the new faster speeds. I tried just about everything. Someone at the dslreports Comcast HSI forum suggested it might have something to do with ZA 5. I uninstalled it and just like that, I'm getting the new faster speeds. Since I do like ZA, I decided to install ZA 4.5 free, and I'm still getting those faster speeds. Maybe ZA 5 just affects certain computers.

Now that I'm back to using ZA 4.5, am I still ok as far as the firewall goes? The firewall portion in 4.5 and 5 are the same, right? I don't want to go backwards as far as protection goes.
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Piper, I think you're fine with 4.5. Many people prefer it to 5.x. Some people may claim that there's been security enhancements since 4.5, but I personally don't know of any. Don't know though. I've used ZA versions as old as 2.6 and found them to be ok. I don't think they've changed the core firewall for a long time. Seems that they've just added a steady stream of "features" that I don't want over the years...

    My best guess is that anything from 4.0 and newer would be fine.
     
  19. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
:D Hi there. I was having the same problems with Kerio: I could not get high speeds, not even half the speed, until I uninstalled it. Now I have Zone Alarm 5.5 and no speed problems here, so I don't know what to say, maybe certain ISP's and certain firewalls don't mix!!

Cheers,

dagolag:D
     
  20. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,448
    Location:
    Sky over the Wilders Forest
Good advice. But I would add this: always go to the History of the releases for the versions and see what was fixed and then decide what you want to do. At least you know what your risk is by loading an older version. I wish ZoneLabs allowed users to pick the version they want, or more versions were available at other sites. Here is the link to check the history. I think Kerodo is right, the core is still the same, just loaded up with features that are less effective than other stuff.

    http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html
     
  21. Piper

    Piper Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    34
    Location:
    California, USA
    Thanks Kerodo. I was hoping that anything from 4.0 would be ok. :)

    Hi dagolag. I was thinking the same way about the certain ISP and firewall thing. Glad to see that ZA 5.5 is working for you. :) I might give it another try in a couple of days. I think I need to get a life, what with all the installing and uninstalling of software I do. :D
     
  22. Piper

    Piper Registered Member

    Joined:
    Dec 18, 2004
    Posts:
    34
    Location:
    California, USA
    Thanks Mercurie. I've been to that site, but I never really read everything that closely. I will go back and give it a closer look.
     
  23. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
Piper said: "Hi dagolag. I was thinking the same way about the certain ISP and firewall thing. Glad to see that ZA 5.5 is working for you. :) I might give it another try in a couple of days. I think I need to get a life, what with all the installing and uninstalling of software I do. :D"

    No problem hope things work out with your Firewall Issue!!:D

    Cheers and Good Day:D
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Really? I've never seen this happen or heard of this being reported (link please?). The "phone home" features of Outpost (update checks and news/plugin information downloads) do require rules allowing Outpost itself to access the Internet (i.e. if they are not present, you will be prompted whenever such a connection occurs) and can be disabled via the Tools menu.

    Agnitum do blacklist serial numbers that are circulated on warez boards but this AFAIK takes effect with future released builds (this being one of the features of ASProtect which Outpost uses).
     
  25. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Epilogue:

ZA is no longer on my machine on anything like a permanent basis. Above you will see my complaints regarding the difficulties of doing simple things like restricting mail to a set of server addresses. In addition, I found that the column to check that an application could send mail did not work when there was a proxy intercepting mail, as there would be with many AV's.

    However, the killer item was that there was a major system slowdown when running P2P apps for extended periods of time. Of course, the only thing I use these for is to download GPL Linux ISO's. Doesn't everybody?


    P2K-

When a software publisher blacklists serials and does a web server check to enforce it, the whole reason is to not wait for the next release of the program. I can not say that I have tested this myself, as it would involve the dishonest act of obtaining a warez serial number and then trying to bust the registration by whatever means the publisher planned. Yes, there is an apparent workaround. The point is it phones home and so does ZA, and probably it can be turned off, but who wants to mess with that. Remember, XP phones home all sorts of ways. If I don't like phoning home I don't have to use Outpost or ZA, but with Microsoft, the choices are more limited. I suppose I could use W2K, but MS would like to see that go away asap. Furthermore, I don't think that Outpost is a bad firewall. It is definitely one of the major players. It just does not fit my style. Obviously, it fits yours, but it is the differences that make life interesting. If everyone used the same firewall we would have a situation similar to that which exists with MS products. All of the hackers would be targeting the same thing. So, it is a good thing that we use different firewalls, AV's etc. Too bad that the jump from windoze to another OS involves so many difficult issues. If I knew how to do everything I wanted to do in Linux, I would be using that now, instead of windoze.
     