3. Overview of the "Alerts" screen
Figure 2.
Taken chronologically, this is the first configuration screen for ZoneAlarm. It is pretty simple, as you can see. The screen is divided into three sections, identified in Figure 2. Section 1 shows how many bytes were sent and received during the current networking session. Section 2 displays summary information about the alerts generated by ZoneAlarm. You can browse through the alerts to see the history of events, connect to the ZoneLabs website for more information about a particular attack by clicking the "More info" button, or simply clear the current session history by clicking the "Clear alerts" button.
Section 3 lets you choose whether you want to create a log file of alerts, and whether you want a popup window when an alert occurs (as shown in Figure 2.1). It also has a button that lets you erase the logs. In a security context, it is very important to keep logs of monitored activity, so that you have as much information as possible when investigating a security event. For this reason, I strongly suggest enabling ZoneAlarm's logging. Unfortunately, the log file is stored at a hard-coded location (C:\WINDOWS\Internet Logs\ZALog.txt), which means that you can't change the destination. If you are a standalone user, this is not much of a concern, but for a Windows administrator who wants to keep an eye on these log files (after all, he should already be able to do so with his antivirus log files) this could be more problematic. This is partly the reason why I wrote LogAgent (www.oocities.org/floydian_99/logagent.html), which lets a user monitor specific, pre-determined folders containing the log files of interest and redirect them to a central server. This enables the administrator of a networked site not only to protect his machines with ZoneAlarm, but also to gather the alerts it generates.
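The collection approach described above can be sketched as follows. This is an added example, not LogAgent's code: it polls one log file, forwards only the lines appended since the last poll, and rereads the file from the start if it shrinks, as it does after the logs are erased with the button in section 3. It assumes a plain-text log with one alert per line and a UDP collector; the function names, the `ZALog:` tag, the host name `ws-01` and the sample lines are constructed for illustration.

```python
import os
import socket
import tempfile

def read_new_lines(path, offset):
    """Return (complete lines appended since `offset`, new offset)."""
    try:
        size = os.path.getsize(path)
    except OSError:
        return [], 0                    # log not created yet, or deleted
    if size < offset:
        offset = 0                      # log was erased and restarted: reread it
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1         # a half-written last line waits for the next poll
    lines = [l.rstrip(b"\r").decode("latin-1")
             for l in data[:end].split(b"\n") if l.strip()]
    return lines, offset + end

def frame(lines, hostname):
    """One datagram per alert, tagged with the workstation it came from."""
    return [f"{hostname} ZALog: {line}".encode("latin-1", "replace") for line in lines]

def forward(lines, collector, hostname):
    """Send the new alerts to the central collector over UDP; returns the count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in frame(lines, hostname):
            sock.sendto(datagram, collector)
    return len(lines)

if __name__ == "__main__":
    # Constructed demo: a temp file stands in for ZALog.txt, a loopback socket for the server.
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    path = os.path.join(tempfile.mkdtemp(), "ZALog.txt")
    with open(path, "wb") as fh:
        fh.write(b"constructed alert 1\r\nconstructed al")   # second line still being written
    lines, offset = read_new_lines(path, 0)
    forward(lines, server.getsockname(), "ws-01")
    print(server.recv(4096).decode("latin-1"), "| next offset:", offset)
    server.close()
```

On a real workstation the agent would call `read_new_lines` on the hard-coded log path at a fixed interval and persist the offset between runs, so a reboot does not resend the whole history.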
Figure 2.1
As for the popup option, it is left to the taste of the user. I usually find it more disturbing and annoying than anything when I am connected straight to the Internet, but in a LAN environment, where traffic is well controlled (or should be; we'll discuss this later in chapter 5), it could be an interesting option to keep in order to raise users' awareness. To avoid raising too many false alarms, however, the application security configuration (covered in chapter 6) should be carefully designed for your environment.
4. Overview of the "Lock" screen