My experience with ZA 4.5.594 is similar - no problems from this source - although I only use the Ad blocking Banner and Popups. However FWIW, I _have_ found that the Delayed Popup blocker in AdShield3 will interfere with
As far as I remember, I've always had to turn off Privacy controls to get Microsoft Update to work. That's a given. I'm still using
4.5.594 because of issues with later versions. Win 98 isn't supported for later versions anyway. The more bells and whistles, the more complications, I've found. As long as my ports are stealth, and it blocks the bad stuff, I'm happy.charlie R
There is an issue with the latest update to ZoneAlarm Pro. I have posted this to a ZoneAlarm user forum:
----------------------------------------------
ZoneAlarm Pro version:6.0.631.003 TrueVector version:6.0.631.003 Driver version:6.0.631.003 Anti-spyware engine version:4.0.9.7 Anti-spyware signature DAT file version:01.200508.111 Windows XP Home
If I set any privacy options, this prevents Microsoft Update from working. Instead it fails with error number 0x80072F76.
Note that it doesn't matter what combination of privacy options is selected (cookie control, ad blocking, mobile code control). If ANYTHING is set to "block", Microsoft Update will fail.
There are also [other issues - snipped]
Brian
I am running 5.5.094 and I have cookie control set to custom, ad blocking set to high and mobile control set to off and have never had problems with either Windows Update or Microsoft Update.
Ah, Volker, what has a good Firewall ever done to you to make you hate them so? I'll just keep on using mine, in the hopes that it's "better than nothing", if you don't mind. I'm just on dial-up. Highspeed internet might make me a lot more paranoid.
charlie R
Nothing is stealth. Your ports are filtered, and everybody, who uses nmap -P0 i.e., will see that.
Your "Personal Firewall" just violates the Internet Protocol by nor sending RST (see RFC 793 / STD 0007, section 3.4), nor sending ICMP Destination Unreachable Message with code 3 (port unreachable, see RFC 792 / STD 0005).
Yours, VB.
You probably don't even need one for dial-up. I went for 3-4 years on dial-up with no firewall and never had one problem of any kind..
Nothing. Why do you think that? I'm just recalling facts, as you can proof yourself, if you'll read the mentioned sources.
Oh, please, do what you want ;-) No problem for me.
It's a good idea then to think about security, you're right. I just wanted to remind, that a good security concept is much better than believing in placebo effects and advertisment ;-)
Unfortunately it's not so easy, that security can be bought in boxes.
If you're interested, I would be pleased to explain, what I think what would be a good security concept for a single PC on a high-speed line.
Yours, VB.
For lowest overhead, just use Torsten's script, and switch off any listening server. This means: no overhead at all. Then you don't need filtering at all.
The problem with Internet Explorer is not that it has security holes - every browser has this from time to time; OK, Internet Explorer had unfixed holes for years, this is worst case. But also Mozilla from time to time are not perfect in security, to say the minimum. The problem is the ActiveX technology, Internet Explorer uses as the plugin concept. The problem with this is, that ActiveX / COM is a system wide concept without any security if a control is running. There is no sandbox concept, and, once marked "scripting sage", any control in the complete system is a possible flaw, which can be abused. The unfortunate zone concept of Internet Explorer was refitted, it's a flub, one could say.
Keep your software up to date. Use Windows-Update, and keep any other software up to date, which you're using in the Internet.
When you're installing new software, don't forget to use netstat -an to check, if there are new servers started, you should stop again.
It is a good idea to use an AV software regulary. Please keep in mind, that AV software only works good, if it's malware signatures are bleeding edge. Unfortunately, the heuristics to detect unkown malware are not functioning very well.
And keep in mind, that the best AV software is your brain - no-one wants to make your dick longer, no-one want's to offer pr0n for free by mail, and no bank sends you login or password request by mail ;-)
Unfortunately, AV software is not reliable - that means, it can help, it's useful, but you should not bank on it.
And: if you're detecting an infection, please have a look on the type of malware - if it's loading code through the Internet or if it's offering access to your box for somebody in the Internet, it's im- possible to get a clean box again, but with flatten and setup the system again.
See:
I don't know, if you need tweeking a port filter. I don't know, if you need a port filter at all.
I know the D-Link and the Linksys devices. Both seem to be OK.
If you're using such a router, don't forget to configure it for filtering. NAT is not enough, because NAT primary is not a security feature, so usually, the NAT implementations are not secure.
Especially, filter away any packet, which reaches your router at the outside interface, but has a source IP adress, which seems to be inside (say: source 0.0.0.0/8, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8,
172.16.0.0/12 and non-used blocks like 169.254.0.0/16, 192.0.2.0/24 or 192.168.0.0/16, see RFC 3330).If your router is filtering, perhaps it's not so important any more, if your box uses a port filter or not ("firewall") or even is offering servers or not.
And beware of mail attachements ;-) Think about it.
Hm... had no problems with this device so far. Perhaps another hardware revision?
Yours, VB.
Since you know so much about these things, so go ahead.
I would be interested especially how to secure Windows 2000 at lowest possible system overhead using firewall program and firewall box combo. In 100 Mbps Ethernet connection. I already run F-Secure Anti-Virus Client Security 5.55 in Windows 2000, containing a software firewall (F-Secure Internet Shield). Are there any good sources of tweaking instructions to it? I also have run Kerio 2.1.5 in Windows 98SE, and have adjusted its behaviour.
While at it, could you and others too give opinion of following router/firewall boxes? They all seem be available here at affordable prices. I would be interested of their ability to provide a reliable connection to a small *n*x web server, besides 1-2 Windows 98SE/2000 PC:s.
D-Link DI-604 Linksys BEFSX41 ZyXel Prestige 334 ZyXel Prestige 335 SMC Barricade 7004VBR SMC Barricade Plus BR14VPN
DI-604 (Rev. B 1.82) seems to require occasional power cutout between couple of days, in this network, possibly because it gets confused of network overload or some other reason, who knows. It seems not to be the most stable choice here.
ZAPRO makes it easy to configure security settings and cookie and ad control on a site by site basis. Allow Active X on trusted sites that need it, and block for all others. It monitors traffic in and out, and blocks when I tell it to. Spyware Blaster provides extra security. I stay off dodgy sites and only download free apps recommended by MVP's in newsgroups. My AV is updated daily. This machine has never been infected or compromised.
charlie R
BrianW answered:
you forgot the BIGGEST issue.. "FOR YOU!!"
I have ZA 6 pro and everything is working *JUST FINE*. AND I have cookie blocking enabled, AND ad blocking enabled. and windows update works JUST FINE..
So the issue is *for you*.
Jerome M. Katz answered:
I never did either, AND I have upgraded to the very Latest version of 6 pro, and STILL have no problems.
For you and all other Zonealarm users are these issues:
Zonealarm is vulnerable to the SelfDoS attack.
It opens Popups with texts, which most users don't understand and misinterpret.
Zonealarm cannot prevent spyware from sending your personal information across the Internet; it failed in our tests together with the rest of the "Personal Firewalls".
Zonealarm does not make a PC "invisible" or "stealth" in the Internet, as this is not possible at all.
Yours, VB.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.