1. Introduction


A few weeks ago, a poster sent an advisory to BugTraq claiming that ZoneLabs' ZoneAlarm contained a vulnerability: DSL users in the same Class B subnet (netmask 255.255.0.0) as his machine could access it, while all other Internet users were denied. As it turned out, this person had ticked his DSL network adapter's subnet to include it as part of the local network (go to the Security screen, then Advanced). A short explanation on that window says that you should do this to include machines that are part of your LAN in your local network, and also that network adapters connected to DSL, cable modems or dial-up lines to reach the Internet should not be ticked as part of the local network. That is the mistake this person had made: with a 255.255.0.0 mask, every other ISP customer in that Class B block is treated as a "local" machine and trusted accordingly. Someone else argued that including a whole Class B subnet by default is a pretty loose configuration, even for a local area network. While ZoneAlarm is a pretty good tool in my opinion, like most software its default configuration may not be the best option in terms of security.


This paper presents an overview of the different sections of ZoneAlarm version 2.1.25, the version that is free for personal use (which is the context in which I am using it, BTW). I plan to look at the commercial and newer versions in the near future, and will probably submit similar papers for those if I feel it would benefit the community. The paper consists of 6 chapters (plus this introduction and a conclusion): one for each of the 5 sections of ZoneAlarm, plus an overview of the graphical interface. Readers looking for the really good tips on security configuration should pay most attention to chapters 5 and 6.


If you have read this far you probably already know what ZoneAlarm is, but I haven't defined it yet, so I will do it here. ZoneAlarm is a personal firewall published by ZoneLabs (www.zonelabs.com). It works by creating a "wall" (more exactly, a firewall) between your network connection and your operating system, filtering all traffic between these two components of your system according to a set of rules you have defined in advance. However, unlike traditional firewalls (for example, CheckPoint Firewall-1 or Conceal PC Firewall), ZoneAlarm does not build its rules around source and destination ports alone; it concentrates on which applications on your system are allowed to access the network, and how they may access it.


To do this, it uses 2 complementary mechanisms. First, you can define 2 different networks (internal and external) and apply a set of predefined rules to each of them; this determines which machines may talk to your host. Second, it keeps a list of the executables on your system that have accessed the network. For each networked application on your computer, you can define whether it may access the local network, the external network, or no network at all, or configure ZoneAlarm to ask your permission every time that application tries to connect. Knowing this, we can now go more deeply into the configuration of ZoneAlarm.
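The following is an added example, not ZoneAlarm's own code: a small Python model of the two mechanisms just described (a local/Internet zone decided by subnet, and a per-application permission per zone), used to replay the Class B mistake from the BugTraq advisory. The addresses, the 192.168.1.0/24 LAN, the 10.23.45.67/255.255.0.0 DSL adapter, the neighbouring ISP customer at 10.23.200.9 and the application name fileserver.exe are all constructed for the example.

```python
"""Added example (not ZoneAlarm code): a simplified model of zone membership by
subnet plus per-application permissions, showing what ticking the DSL adapter's
Class B subnet as 'local network' does. All addresses and names are constructed."""
import ipaddress
from enum import Enum


class Zone(Enum):
    LOCAL = "local"
    INTERNET = "internet"


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"


class ZonePolicy:
    """Any peer inside one of the listed subnets is Local; everything else is Internet."""

    def __init__(self, local_subnets):
        # strict=False accepts the adapter's own address with its mask (as the
        # ZoneAlarm dialog effectively takes it) and yields the network it lies in.
        self.local_subnets = [ipaddress.ip_network(s, strict=False)
                              for s in local_subnets]

    def zone_of(self, peer):
        addr = ipaddress.ip_address(peer)
        if any(addr in net for net in self.local_subnets):
            return Zone.LOCAL
        return Zone.INTERNET

    def local_address_count(self):
        """How many addresses are trusted as 'local' under this configuration."""
        return sum(net.num_addresses for net in self.local_subnets)


class AppPolicy:
    """Per-application permission per zone; anything not configured prompts the user."""

    def __init__(self):
        self._rules = {}

    def set_permission(self, app, zone, decision):
        self._rules.setdefault(app, {})[zone] = decision

    def decide(self, app, zone):
        return self._rules.get(app, {}).get(zone, Decision.ASK)


def check_connection(zones, apps, app, peer):
    """Return (zone the peer falls in, decision for that application in that zone)."""
    zone = zones.zone_of(peer)
    return zone, apps.decide(app, zone)


# Constructed scenario: the real LAN is 192.168.1.0/24; the DSL adapter sits at
# 10.23.45.67 with mask 255.255.0.0 (Class B); another ISP customer is at 10.23.200.9.
LAN = "192.168.1.0/24"
DSL_ADAPTER = "10.23.45.67/255.255.0.0"
NEIGHBOUR_ON_ISP = "10.23.200.9"

# The mistake from the advisory: the DSL adapter's subnet is ticked as local.
MISTAKEN = ZonePolicy([LAN, DSL_ADAPTER])
# The fix: only the LAN is local; the DSL adapter stays in the Internet zone.
CORRECTED = ZonePolicy([LAN])

# A file-sharing server (hypothetical name) that should serve the LAN only.
APPS = AppPolicy()
APPS.set_permission("fileserver.exe", Zone.LOCAL, Decision.ALLOW)
APPS.set_permission("fileserver.exe", Zone.INTERNET, Decision.DENY)


if __name__ == "__main__":
    for name, policy in (("mistaken", MISTAKEN), ("corrected", CORRECTED)):
        zone, verdict = check_connection(policy, APPS, "fileserver.exe", NEIGHBOUR_ON_ISP)
        print(f"{name:9s}: local zone spans {policy.local_address_count():6d} addresses; "
              f"{NEIGHBOUR_ON_ISP} is {zone.value}, fileserver.exe -> {verdict.value}")
```

Under the mistaken configuration the local zone covers 65,792 addresses and the neighbouring DSL customer is classified as local, so the file server accepts the connection; under the corrected one only the 256 LAN addresses are local and the same peer is denied. The check to make on your own installation is therefore not the application list but the subnet list: every entry there is a block of hosts that inherits the "local" permissions of every application.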

