In-Reply-To: <3C0E54A9.18978.24B88E9@localhost>

Tom contacted us a couple of weeks ago with the information that certain packet drivers can bypass the low-level firewall that is part of our ZoneAlarm and ZoneAlarm Pro drivers. Upon investigation we confirmed the problem and we are testing a fix. It turned out that a bug in the Windows NDIS layer allows a packet driver to bypass any personal firewall or similar product. In order to exploit the bug, malicious code would have to break through two levels of protection in our software - our inbound firewall protection and/or our MailSafe feature that blocks potentially dangerous attachments. In addition, a malicious application would need administrative privileges under Windows NT, 2000 and XP. To date, there have been no reports of actual exploits of this potential vulnerability, and we are working on a fix and expect to have another build for testing next week.

After providing Tom with a test version of ZoneAlarm Pro that sealed this vulnerability to confirm the fix, he was then disappointed that his LaBrea@Home application would not work any more. LaBrea@Home is a honey pot application that attempts to frustrate hackers by initially responding to a scan but then not continuing "the conversation". The theory is that a hacker would waste time in his/her scan but would ultimately be unsuccessful in the attempt. We'd recommend that a honeypot application be put on a separate machine and not be protected by a firewall. If used by security specialists, honeypot applications have their legitimacy, but we firmly advise against this approach for most users because honey pots do (and are designed to) attract subsequent attacks. ZoneAlarm and ZoneAlarm Pro will block indiscriminate outbound traffic to untrusted computers by applications that attempt to bypass the normal TCP/IP stack, and therefore we don't expect that LaBrea@Home and our products will work together.

It is possible to configure ZoneAlarm and ZoneAlarm Pro for this setup, but we don't recommend it for the reasons listed above. Tom's contention that we block any outbound traffic issued by drivers other than the regular TCP/IP driver is simply wrong. For example, most VPN drivers do just that in one way or the other. However, we require that such drivers only communicate with the trusted computers as defined by the local zone in ZoneAlarm and ZoneAlarm Pro.

Tom further complains that he doesn't get an alert for every single blocked packet. This is as designed. ZoneAlarm and ZoneAlarm Pro have been carefully designed to eliminate unnecessary alerts. This includes:

1) Only issue one alert for any hack attempt, even if the attempt consists of multiple packets.
2) Reduce alerts caused by "Internet background noise".
3) Suppress alerts if issuing an alert might lead to a DoS situation because processing the alerts starts to take up too much CPU time.

This behavior is consistent with most professional firewalls - personal or otherwise. In addition, ZoneAlarm Pro allows the user to customize many of the alert settings.

Te Smith
Director, Corporate Communications
Zone Labs Inc.
1060 Howard St.
San Francisco, CA 94103
415-341-8233 (v)
415-341-8399 (f)
831-462-5317 (Santa Cruz)
tsmith@zonelabs.com