upgrading from zaf to zap pros & cons

Discussion in 'other firewalls' started by Rickster, Sep 7, 2003.

Thread Status:
Not open for further replies.
  1. Rickster

    Rickster Guest

    Hope it’s OK to insert a question here since it pertains to upgrading zaf to zap. Whether an average user or highly advanced, what special applications, programs or internet connection interactions are performed that are hindered or can’t be performed using zaf, but can be performed or require the features of zap? Are there any examples?

    Thanks, Rick
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Rick

    Moved this question to its own post to avoid going off topic in the other one.

    Regards,

    CrazyM
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi Rickster,

    Of course, as people might expect, I recommend the use of the commercial versions of Zone Alarm (ZAplus and ZAPro) because of the extra capabilities that they provide over the free product. As to the differences or pros and cons...

    First up, I ought to note that there are a few pages at Zone Labs' website that give high-level overviews of the different products, though, being the site that sells the commercial versions, you'd expect these pages to highlight all the advantages of the pay versions. ;)

    As I see it, the basic differences are as follows:

    Zone Alarm Free is a basic application firewall. It blocks unsolicited inbound connections (using the "stealth" concept so widely discussed in security forums), and it lets you either allow or block network access to a list of programs. It does have two main zones where you can set higher or lower security settings, the Internet Zone and Trusted Zone. But, within those zones, its configuration options are basically limited to a preset High, Medium or Low (off) range of settings. There is no ability to always block or allow a specific port or range of ports globally. And for program access, if you allow a program access out to a zone, it is completely allowed. If you block it, it's completely blocked.

    There is the concept of "server rights" in the ZAF product, but again, if you allow a program to act as server in ZAF to a zone, it's all or nothing. No limit on ports or specific addresses. As for logging, this too is limited to an all, some, or none preset, with no ability to control things on a granular level.

    Now all that isn't bad, but some people prefer to have a lot more control than that. In the overall firewall section, the ability to allow or block specific ports, regardless of program settings, may be desired. Or perhaps a config that "allows, but logs" is needed. (ZAF can't do that. It only logs what it blocks, and only if the slider is at the right level.)

    For programs, perhaps it is desirable to allow access only on specific ports and to specific IP addresses or ranges, and perhaps you don't want these addresses in the Trusted Zone for general firewall purposes, but rather just for the one program.

    These are the main differences between ZAF on the one hand and ZA+/ZAP on the other in so far as the options they share in common. However, ZA+/ZAP also include more options not at all addressed in ZAF. The most important may well be "Advanced Program Control" (which includes component level control). This not only monitors the components used by a program, and watches/alerts on changes and additions to these, but this same facility provides for the protections of "one program calling another program" to access the network on its behalf. ZAF doesn't have this capability. This is where most of the leaktest protections come from in ZA+/ZAP.

    Next, ZA+/ZAP have "expert rules" both for global firewall settings and for application control. This is basically the ability to add rules-based configs to the firewall and it is quite powerful. This was new in ZA+/ZAP 4.0 and has made ZA now a mix of application and rules-based. You can see examples of these rules in threads in this forum section that I have posted.

    This is where ZA+ differences end. ZApro continues by adding a Privacy tab that adds rather powerful controls for things like Ad blocking, cookie controls and "mobile code" control (i.e. script, ActiveX and mime objects). And in a special version of ZAP, there is also a web content filtering feature.

    There are a few more tools/modules in ZAP (and some also in ZAplus) that I didn't bother mentioning, like the E-Mail protections, cache cleaner, etc. They are somewhat minor as far as I'm concerned, though some people really like them.
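
The contrast drawn in the post above between all-or-nothing program access and per-program port/address rules with "allow, but log", as an added example that is not part of the original thread and not ZoneAlarm's rule format or engine. The rule tuple, the first-match/default-deny evaluation, the program name and all addresses are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed model for illustration; not ZoneAlarm's real rule format or engine.
TRUSTED_ZONE = [ipaddress.ip_network("192.168.1.0/24")]  # constructed LAN range
Conn = namedtuple("Conn", "program dst_ip dst_port")
# Hypothetical per-program rule: destination network, port set, action, logging.
ProgramRule = namedtuple("ProgramRule", "program network ports allow log")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return "trusted" if any(addr in n for n in TRUSTED_ZONE) else "internet"

def coarse_decide(conn, allowed_zones, log):
    """Per-zone, all-or-nothing program access: port and address are ignored."""
    ok = zone_of(conn.dst_ip) in allowed_zones.get(conn.program, set())
    if not ok:
        log.append(("block", conn))  # this model logs only what it blocks
    return ok

def granular_decide(conn, rules, log):
    """First matching rule wins, default deny (both assumptions of this model)."""
    addr = ipaddress.ip_address(conn.dst_ip)
    for r in rules:
        if (r.program == conn.program and conn.dst_port in r.ports
                and addr in ipaddress.ip_network(r.network)):
            if r.log:  # "allow, but log" is possible here
                log.append(("allow" if r.allow else "block", conn))
            return r.allow
    log.append(("block", conn))
    return False

def demo():
    mail = Conn("mailclient.exe", "203.0.113.25", 110)    # constructed mail server
    other = Conn("mailclient.exe", "198.51.100.7", 6667)  # constructed, unexpected
    coarse_log, fine_log = [], []
    zones = {"mailclient.exe": {"internet"}}
    rules = [ProgramRule("mailclient.exe", "203.0.113.25/32",
                         frozenset({25, 110}), allow=True, log=True)]
    coarse = [coarse_decide(c, zones, coarse_log) for c in (mail, other)]
    fine = [granular_decide(c, rules, fine_log) for c in (mail, other)]
    return coarse, coarse_log, fine, fine_log
```

In the coarse model both connections pass and nothing is logged; in the granular model only the mail server connection passes, and both decisions appear in the log.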
     
  4. Rickster

    Rickster Guest

    Wow LWM, you really know how to put things in perspective. Things like limiting traffic to certain ports and limiting a range of IPs make sense for those who micro-manage their traffic. One program calling through another seems like a vulnerability too. And ad-blocking, cookie control and mobile code controls seem handy. Now I see why advanced users make use of it. I suppose I've been afraid I'd misconfigure or omit a step and accidentally create a vulnerability in the process. You know the old adage - more buttons and gizmos to fiddle with, the more likely you are to make a mistake - but this poses an opportunity to do away with some protective yet redundant programs too. Thanks for the info, definitely food for thought.

    Regards, Rick
     