Is there a risk with firewalls?

And so on...

*LOL*, good answer! I don't try to use software from untrusted sources (cert.org - homeusers task 1), I keep my system and applications patched, I'm networking as a restricted user, I don't offer (any |vulnerable) services to the Internet, I back up my system, that's all.

Wolfgang

Wolfgang Ewert

Many firewall appliances can actually inspect the traffic and remove content from SMTP and HTTP sessions. In fact, we only install firewalls that permit us to remove content from HTTP and SMTP sessions as a means to protect users from their own ignorance.

Leythos

I think you are underestimating the skillsets of crackers.

Probably right - but most likely due to other factors than using ZAF. I always carry my lucky charm and I've never been robbed.

It probably works as coded - but did you actually test if it also works as expected?

Straight Talk

It's a "firewall" (Marketing-speak) but not a firewall as IT professionals would call it.

A firewall in IT terms is a concept, consisting of various elements such as packet filters, proxy servers, virus-scanning gateways etc. - in IT-terms ZA is a host-based packet filter.

It's running on the same system that it's supposed to protect. Once the trojan is executed on the system by the user, the trojan can do everything the user could do - including disabling any security software installed on the same machine.

Nope. A system can be secure without any packet filters in front of it - as long as there is nothing on it listening to inbound connections from the Internet (which the packet filter would block otherwise), and as long as nobody is sitting in front of it downloading and executing a trojan (they don't just magically install themselves...)

Juergen Nieveler

Juergen Nieveler

I've got a bottle of anti-virus pills on top of my CRT, no virus problems since putting it there :-)

Juergen Nieveler

Juergen Nieveler

I've tested it with some of the firewall test sites, and it's always come up 'stealth.'

It has such a history of 'working' on my machine that I simply see no reason to doubt its effectiveness.

Ain't saying it's the best. I'm only saying it's the best for me in my situation. it's utter simplicity.

herk

I do it for our company for SMTP, so the users can work with less stress :-) In some cases I did it (inside of squid) for HTTP, for unpatched security flaws of browsers or graphic libraries (patterns came from sans.org).

The better way is: give the users (security) robust tools.

Yeah, you said it.

Wolfgang

Wolfgang Ewert

What about wipfw? wipfw.sourceforge.net/

asks Wolfgang

Wolfgang Ewert

About "stealth"... well, better not get something started again....

Anyway, protection against unsolicited inbound traffic is not that hard to achieve also without a firewall. Most users install 3rd party firewalls for the sake of "outbound application control" which is nonsense in terms of security.

What alternatives did you consider when making that decision?

Straight Talk

Show me where it says that this wipfw is going to provide protection at boot. Even MS's IPsec which is another packet filter and is on the O/S cannot even do this. And I suspect that this wipfw cannot do it either.


Mr. Arnold

NoSpam wrote: ...

...

Submit that file on this site; maybe you will find out what you are dealing with. I believe your system is already compromised. You have active malware which activates before ZA initialization is completed and downloads other malware. The best solution would be to flatten and rebuild, i.e. format. But if, for some reason, you don't want to do that, turn off system restore, boot into safe mode, scan with AV and hope that everything will be OK; maybe you will be lucky. In addition, try to find help somewhere else. Try some group or forum dealing with malware; this group deals with firewalls, so your post is a bit OT. Maybe somebody can help you determine how badly your system is compromised. A firewall cannot help you anymore. Remember, format is the _best_ solution. Leythos gave you good advice: use a NAT router in future.

alf

*headdesk*

And you would have been able to detect if it had failed to work how?

BTW, you do realize that ZA itself phones home, and that more recent versions incorporate rootkit functionality to restrict administrative accounts (which is utterly braindead)?

Managing a Personal Firewall is far from anything that could even remotely be regarded as "simplicity". Not only do most (if not all) of them provide insufficient information to make reasonable decisions, they present the user with choices he simply cannot make because he lacks the required understanding of TCP/IP and Windows internals. Not to mention that several of them open additional attack vectors (some local, some even remote).

cu

59cobalt
Ansgar -59cobalt- Wiechers

I never tested it yet, so I asked.

Not at boot, as first of all network services with highest priority would be enough.

Yes, IPSec is a conglomerate of secure networking and packet filtering. I was shown that there are 3 different mechanisms of packet filtering, not three or more UIs to one and the same mechanism.

I suppose too.

THX. Wolfgang

Wolfgang Ewert

What about Wipfw with STARTUP_BOOT_START? Works quite well. Of course, none of the typical PFW shit works with boot startup.

Unless it gets circumvented, which is more or less trivial.

Now, what about not offering any services at boot time? Or better generally?

Sebastian G.

Because it simply is none? Look up the definition, then look into the manual, and you can straightly tell that it is impossible to build a real firewall with ZoneAlarm.

So what? This just proves that marketing works. None of the users has any clue what they're doing.

Because it introduces well-known remote exploits? And local privilege escalation? Trivial remote DoS? Trivially bypassed? Vendor being unwilling to fix anything?

Definitely marketing works. Why the f*** do you think a system couldn't be secure without a firewall, and a firewall could make an insecure system become secure?

MicroSoft Outlook Express

Sebastian G.

Which is a self-fulfilling prophecy. Someone who is using ZoneAlarm sure isn't competent enough to spot an intrusion.

Which helps exactly how much? Heck, even the obvious remote DoS (using a combination of SYN, ICMP and UDP flooding) has remained ever since it was discovered years ago.

Uoh, and then even the Kaspersky fun. Hey, do you know what NtCreateProcess(0,0,0,0,0,0,0) means? For you, it means a bluescreen.

Except that it works.

Sebastian G.

As long as at least one remotely exploitable vulnerability exists, the patch state doesn't matter much.

Sebastian G.

Yupp, that's bad.

And, um, did any of these sites test for what happens with overlapped IP fragments when injected close to your hop (in a topological sense)? You'd be surprised!

Just like magic charms. Your point being?

Oh, what about tomorrow? You're still offering an open door.

Expect that it DOES NOT WORK AT ALL.

Sebastian G.

O.k., but, as a malware generator, I haven't reflected on the patch state.

Wolfgang

Wolfgang Ewert

Well, Wolfgang in the other post, you heard it here first; let me know if it does as advertised.

If one has got to offer the service, then one has got to offer the service, like HTTP and FTP, etc, etc.

Mr. Arnold
