ZoneAlarm works by querying the user if they want to allow or deny
other programs access to the Internet. This is very good in that it
can help you understand which programs on your computer are accessing
the Internet. However, this technique has a number of problems:
- It is very intrusive; you have to answer questions each and every
time a program accesses the network.
- If you make a mistake, there is no backup. For example, every time
the Melissa virus spread, a user answered "yes" to the question of
whether the Word document should run macros. Enough users answered
this question incorrectly that the Internet crashed for a few days.
- ZoneAlarm cannot recognize incoming hacker attacks from the Internet.
- ZoneAlarm is fooled by simple hacker techniques such as DLL insertion.
Example: AOL messenger
Simple firewalls with outbound blocking do not help against hacker attacks
on common Internet programs such as the AOL or Yahoo messenger
programs. As an example, if you are a user of AOL messenger, these
firewall products will ask the question "Do you want to allow AOL
messenger to access the Internet?". The normal Internet user will answer
"Yes", since he wants to use his AOL messenger to communicate with friends.
Now this user is susceptible to buffer overflow attacks against the AOL
messenger service, and the firewall will not detect these attacks. The AOL
buffer overflow attack was documented back in August 1999. You can read
more about this attack at
http://www.idg.net/crd_instant_81389.html.
While this particular exploit has been fixed by AOL, there
are other hacker attacks against many commonly used internet programs that
have not been fixed or even discovered yet.
Simple firewalls are an on/off switch. Traffic is either allowed or
disallowed. Once the traffic is allowed through, they do not monitor the
traffic for attacks against that particular program. True anti-hacker
products such as BlackICE Defender constantly monitor all traffic for
hacker attempts, even on traffic that is allowed to enter and exit the
computer.
Example: Personal Web Server
DSL and cable-modem users often install a "personal" webserver on their
machines in order to host a website and share files with their friends.
With ZoneAlarm, you either have to sit at the machine and OK each incoming
connection, or tell the system to allow all incoming connections to your
webserver. If you do so, you have no protection against attacks
on the webserver. Most personal webservers are vulnerable to attacks
that either allow the hacker to read all the files on your system (not just the
ones you intended to share), or break in and completely control your machine.
BlackICE Defender detects these attacks and blocks out the intruder.
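The difference between an on/off firewall and one that keeps inspecting allowed traffic, as described in the "on/off switch" paragraph and the personal web server example above, modelled in a small Python script. This is an added, constructed example (not BlackICE or ZoneAlarm code); the program names, addresses, request-line limit and the overlong-request heuristic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_REQUEST_LINE = 1024  # assumption: no legitimate client sends a longer request line


@dataclass
class Packet:
    program: str    # local program the traffic belongs to, e.g. "webserver"
    src: str        # remote address (constructed sample values)
    payload: bytes  # application data carried by the packet


@dataclass
class SimpleFirewall:
    """Allow/deny is decided once per program; the payload is never examined."""
    allowed: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        return "allow" if pkt.program in self.allowed else "deny"


def looks_like_overflow(payload: bytes) -> bool:
    """Crude content check: an HTTP request line far longer than any real
    browser would send, the typical shape of an overflow attempt on a webserver."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith((b"GET ", b"POST ")) and len(first_line) > MAX_REQUEST_LINE


@dataclass
class InspectingFirewall(SimpleFirewall):
    """Same per-program allow decision, but allowed traffic is still inspected,
    and a source that sends an attack is denied all further access."""
    blocked_sources: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        if pkt.src in self.blocked_sources:
            return "deny"
        verdict = super().decide(pkt)
        if verdict == "allow" and looks_like_overflow(pkt.payload):
            self.blocked_sources.add(pkt.src)  # remember the intruder
            return "deny"
        return verdict


def run_scenario() -> dict:
    """The user has told the firewall to allow all incoming webserver connections;
    one remote host then sends an overlong request followed by a normal one."""
    normal = Packet("webserver", "10.0.0.5", b"GET /index.html HTTP/1.0\r\n\r\n")
    overlong = Packet("webserver", "10.0.0.9", b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n")
    followup = Packet("webserver", "10.0.0.9", b"GET /secret.txt HTTP/1.0\r\n\r\n")
    simple, inspecting = SimpleFirewall({"webserver"}), InspectingFirewall({"webserver"})
    return {"simple": [simple.decide(p) for p in (normal, overlong, followup)],
            "inspecting": [inspecting.decide(p) for p in (normal, overlong, followup)]}
```

The simple firewall passes all three packets because the webserver is on its allow list, while the inspecting one lets the normal request through, denies the overlong one and then refuses the same source's follow-up request.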
Example: Monitoring outgoing traffic
ZoneAlarm can tell you when a program is attempting to make an outgoing
connection to the Internet, but does not monitor the content of that
data. This creates a problem similar to the Melissa virus: users must
answer this question correctly each and every time, and it takes only
a single wrong answer to cause havoc. On the other hand, BlackICE Defender
monitors your outgoing traffic looking for signs of hacker activity. If
it detects such activity, it blocks all further access to your machine from
the hacker.