I'm not sure how many people use ZoneAlarm, but if you're like me and do use it, you will notice that the logs are very difficult to understand. I did a bit of searching on the ZA website forums and found this little nifty program:
What it does is basically convert the raw ZoneAlarm log files into a nice and VERY easy to use GUI. This program has it all, including Attack Analyser, Activity Summaries etc. It even allows you to make reports based on
Date & Time
It's a great program if you use any flavour of ZoneAlarm.
I was actually curious to know how well Zone Alarm works for personal computers and small private networks.
Have you ever caught someone trying to break into your network/PC and had Zone Alarm block the attempt and alert you?
I had heard some rumours a while back that the latest ZoneAlarm versions did not deliver as expected, but I have no idea if it's true since it's been a while since the last time I tried it (at least 1 1/2 years!).
In response to your question, ZA has been running on my gateway machine for a few years now and I haven't had a single exploit of my machine; every security test I do on the internet comes out straight on stealth mode.
But I must say, yes, the older versions were dodgy; however they have REALLY improved over the past year.
Here's a look at the Advanced filtering rules
And Logging options
In reference to small private networks:
It's a very nifty program; however, to be able to do Internet Connection Sharing with it etc. you unfortunately need the Pro version, not just the Free version.
An easy way of monitoring your logs with ZoneLog is to put a shared folder on your gateway (if it's using Windows; I already know using Windows for a gateway is unsafe, I have tried many flavours of Linux including Coyote Linux and it just didn't suit my needs). Then you simply map the network drive (mine's L: for logs), then point ZoneLog to pick log files up from that directory. Works VERY well, and it's amazing how much traffic gets picked up that gets dropped.
Also, another side note on ZoneLog (if you haven't already seen it on the website): it's got colour keys for different sorts of attacks, which helps A LOT when looking through thousands of log entries.
Ahh, now that's useful. I was on the lookout for some form of log analyzer for ZA; in fact, since I hadn't found one, I was busy writing up a little Perl program to take the raw text file and use it as a database.. however this should save me some time and trouble.
ZA is pretty decent, I use Pro on my XP machine.. while I wouldn't say I've ever seen it come under attack (I really don't consider echo requests as attacks), it's just nice to know that it's blocking a lot of useless traffic that comes my way. What I do like is the control you have over what accesses the net.. I'm not a big fan of autoupdate utilities such as the ones in GetRight and Adobe Acrobat.. so you can keep that stuff away from using your connection.
However I really feel that ZA is a bit of a resource hog.. I mean it is the best personal firewall out there.. but I would really like to see Windows implement some form of packet filtering in the kernel itself (like iptables).. and no, I'm not talking about the Internet Connection Firewall lol.
Btw did you know ZA is vulnerable to a DoS attack when it's flooded with random UDP packets? If anyone's interested I'll put up the Perl code for download. I've tried it over a 10Mbps network and the CPU usage on the victim shot up to 100%.. after letting it run for about a minute and a half, the target system was unusable.
Btw Neon, you said you tried Linux for your gateway and found it unsuitable, right? Could you tell me which distributions you tried and why exactly you found it unsuitable? I'm doing my own little mini survey to figure out what grouses new users have with the penguin.
Frankly, you might want to try Red Hat 9.. a lot of people say it's become a very 'commercial' distribution.. which is true in a sense... but I feel more than anything it's become the most accessible distribution for new users, while not throwing out the power of Linux. They will give you dumbed down GUI tools for everything, but there's no stopping you from hitting the command line.
Just as an example, my girlfriend is far from the world's most computer savvy person, but she seems to have no problem using Linux.. she finds KDE as easy to use as the Windows GUI, Mozilla and Opera are really the same as their Windows counterparts, and OpenOffice is almost as nifty as Word... in fact she often forces me to reboot into Red Hat (to kick my ass at KSpaceDuel and KTron lol).
I agree with you sahirh all too much about ZA being a resource hog. Like when I was downloading a file on my LAN, which runs at 100Mbps, I was getting like 7Mb/s and I noticed ZA was using around 20% of the CPU resources, so I shut it down and my speed shot up to around 9Mb/s; then I turned the Norton Firewall Utility off on my other machine and the download jumped again to 11Mb/s! Almost 100% of the bandwidth being used there.
About the gateway issue, it's really strange. I have been using Linux for quite a long time, just playing around with it, seeing what it could do, and I'm so impressed with what it was able to do, but what I was looking for was a small distribution that could fit on a floppy, so I found Coyote Linux.
The main problem I've got is I only have a 56k connection to the net, and where I live I don't think I can get any better ATM. I tried getting ADSL but still no luck, and no cable around either. To add to that, I'm not in the bush, I'm just in a new estate that they haven't seen it profitable enough to place another exchange near. I'd rather ADSL because here in Australia, my god, Telstra. You get a 3 gig cap, which counts u/l and d/l, for around $80 AUD p/m, so an unlimited ADSL plan for $67 AUD p/m sounds like such a better offer…
But to get back onto the topic at hand, I tried Coyote Linux; it handled the connection great but it just had a very noticeable delay while sending the data packets straight to my machine. *Note: While downloading I didn't get a proper download stream, my RD light on the modem was on solid the whole time so I wasn't sure what was going on!* While downloading you would see the graph drop off then shoot straight back up; I just didn't like it. Not to mention all the trouble I had to go through to get the modem to dial out, because the latest distribution they released forgot a core file! The damn call file that actually controls the modem. Another problem with it was that I couldn't find a command to display how long a PPP connection had been established for; as I have 5 hour session limits I would like to know when my disconnection is to be expected.
I tried another release of Linux, which was Mandrake. (Reason for that was I got it as a bundle on a magazine, 'cause try downloading a 600MB file on dialup; I've done it, after taking a LONG time :wink: ) While trying Mandrake it was clean and easy to set up etc., but I got such a headache working out this Shorewall firewall. I had such an easier time with the Coyote Linux distribution with iptables.
Red Hat was actually my FIRST Linux experience. It was alright, but back then when I first played with Linux I didn't know much and I didn't want to know much, so it didn't work out very well, and unfortunately the only CDs I had that had it on them got lost somewhere among my junk.
Right now I am actually downloading Slackware Linux. I have heard it's alright; what's your opinion on it? I haven't seen it at all yet, I've just been told it doesn't have many security holes in it etc.
To sum up, I love Linux, but I'm just not very experienced in it. I have installed programs like the Apache web server, FTP, game servers etc., but I haven't done any real programming with it or such things alike.
P.S. I agree with you that Windows needs a bloody inbuilt firewall; something like iptables would make the world a happier place :wink: but for now, ZoneAlarm will have to do for me.
I can imagine iptables for Windows.... It would be nice, but unfortunately wouldn't do much to help Windows as it's got its own problems with security.
I've seen companies in Australia (you know Neon, I used to live in Sydney!) using Windows as their firewall, thinking that they are secure.... if only they knew! The worst part is that most of these companies were credit unions, which are like small banks all over the country. How's that for security within a financial organisation? :o
Neon, Slackware v6 was my first contact (go Star Trek!) with Linux and it was rather disappointing 'cause I found myself wondering what to do with the box after it was installed!
I suppose the best way you can sort of 'force' yourself to make use of it is to have it as a file server and implement a few services like DNS, DHCP and Samba. That's the way I've managed to keep in touch with the operating system.
Of course, I've also implemented 4 such servers here at work, so that's helping even more! hehehehe
I must admit though that I believe iptables with Linux is the best and cheapest firewall one can use.
It's just that iptables requires a deeper knowledge of the protocols you want to use and filter, in order to fine tune it. I've read so many tutorials in order to understand them and still find myself sometimes confused.
We are planning to cover the topic though at some time in the near future, and I can promise you, it's going to be the most comprehensive analysis of iptables ever done!
As for Red Hat, it's pretty much my favourite these days. I'm using version 8, but am also looking forward to version 9, once I find the time to download and install it!