All your SubSeven Zombies are belong to GRC!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #31
    Impact -
    Steve Gibson DOES NOT SELL ZONEALARM. This appears to be a fairly common misconception.
    He merely provides a link to the Zonealarm site and a solid recommendation. As Steve does not profit by selling Zonealarm, what would he gain by fudging tests to make it look good?
    I suppose it's just possible that Zonealarm is actually a good and effective product.
    There is a press release on the Zonealarm site stating that EDS (a big computer services company and outsourcer) have selected Zonealarm Pro for their engineers' laptops etc. They are bound to have someone who knows what they're doing somewhere.
    I've used Zonealarm Lite ever since I got cable a year ago, and I'm very pleased with it.

    Personally I find Gibson's points about Windows XP to have certain merit. If they didn't, why would Micro$oft make a detailed statement of denial on Technet? Microsoft does not deny that Windows XP can be used for spoofed IP packets - their reply is that XP will be secured so there won't be a problem.
    Hello?
    Microsoft Windows Secure? Mutually Exclusive statements anyone? :-)

    Apparently Win 9x and NT have had the required raw sockets support for years, but only if you install the SDK, which 99% of Joe Average PC users don't.
    The fear that the same 99% of Joe Averages will upgrade to Windows XP, plug in their cable modem or DSL and unwittingly allow themselves to participate in DDoS attacks is a valid one.

    Steve Gibson's research into the DDoS attack against him proved that.

    (Edit - spolling errups)

    [This message has been edited by RichL (edited 13 June 2001).]
    Athlon XP-64/3200, 1gb PC3200, 512mb Radeon X1950Pro AGP, Dell 2005fwp, Logitech G5, IBM model M.


    • #32
      I use ZoneAlarm on some of my other machines. One of them is owned by a not too bright user, so I need to take some precautions, even though I am behind a firewall from my router already. ZoneAlarm may not always be the best, but it's pretty damned good considering that the price is $0.


      • #33
        > First Greebe, being the moderator, deletes my post
        Sorry, I thought you did that. I didn't ask Greebe if he had deleted your post. I was wrong and I am sorry.

        Rags


        • #34
          Originally posted by fds:
          > cjolley,
          >
          > You really admire most virus and trojan writers then, don't you?
          ouch
          chuck
          Chuck
          秋音的爸爸


          • #35
            My two cents is that Zone Alarm seems to work better than BID in after the fact trojan situations (at least with sub seven). I don't have any firewall installed. I do think that given MS' previous approach to security, there is cause for concern that winxp may be less secure because of the ease of ip spoofing.
            D3/\/7YCR4CK3R
            Ryzen: Asrock B450M Pro4, Ryzen 5 2600, 16GB G-Skill Ripjaws V Series DDR4 PC4-25600 RAM, 1TB Seagate SATA HD, 256GB myDigital PCIEx4 M.2 SSD, Samsung LI24T350FHNXZA 24" HDMI LED monitor, Klipsch Promedia 4.2 400, Win11
            Home: M1 Mac Mini 8GB 256GB
            Surgery: HP Stream 200-010 Mini Desktop,Intel Celeron 2957U Processor, 6 GB RAM, ADATA 128 GB SSD, Win 10 home ver 22H2
            Frontdesk: Beelink T4 8GB


            • #36
              Impact, First off, yes I did delete your post because it was grossly off base, your bad!

              I did address your comment as to why tho, so bite me!

              Now if you haven't tried the product and have blind faith in everything SG says and does, isn't that having "your head in the sand"?! D'oh!

              (remember you said it, not I)

              Additionally, I nor Rags have ganged up on you, sure we know each other, but that doesn't mean a thing. We both have many more friends out there whom the other doesn't know. I can only speak for myself when I say I have just about as many friends in Europe as I do in the States and will stand up for any/all of them. So I am not singling out any race, ethnic group, religion, culture, or country to say, you're just an ass!

              RichL... do you know for a fact that he doesn't profit from promoting ZA? He is a self proclaimed security consultant, so no you don't! Your Bad.

              ZA Pro isn't the same product, so keep to the subject at hand.


              I have had a network for several years now that consists of three machines, one is an old home built Cyrix system that the wife uses and when I was on dialup was my gateway. I used Nat32 for that seeing there was no such thing as ICS back then. About a year later I installed Atguard. Now after awhile I felt that wasn't enough and decided to test out other firewallesque products. I tried BID and ZA, but since ZA didn't work with those who had a gateway.. ie NAT box, that was out in a heartbeat and in went BID.

              When I went broadband I set up another gateway using Nat32 on my celeron system and BID, again I tested ZA, but it still couldn't measure up to the task. So I stuck with BID and found other solutions as to tracking what was leaving my machines.

              If any of this rings a bell, well that means you have been here awhile, cause we had polite discussions about it back then. We all stood as 1, why, because personal protection was in our joint interest. Now this thread has turned into a pissing contest only because I have objections to SG and which most of you refuse to hear, thus has degenerated into a pile of poop.

              I'm an inch (2.54cm for those who can't convert) from locking it. Got it




              [This message has been edited by Greebe (edited 13 June 2001).]
              "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

              "Always do good. It will gratify some and astonish the rest." ~Mark Twain


              • #37
                I run BID and NAT32 on my Router/Gateway machine to my Cable internet connection.

                It's always worked fine and it was active BEFORE the connection to the 'net.

                I tried ZA for a little bit, but it would crash the games I tried to run (Asheron's Call, Age of Empires).

                amish
                Despite my nickname causing confusion, I have no religious affiliations.


                • #38
                  Don't look at me. I use a HW firewall.

                  Come to think of it, could someone compare & contrast HW -vs- SW firewalls?
                  Does either one provide truly comprehensive protection?

                  chuck
                  Chuck
                  秋音的爸爸


                  • #39
                    I'd be interested seeing a comparison between them myself!

                    BTW Ant just picked up a Netgear RO318 Cable/DSL router 8 port switch for <$160 in his neck of the woods. Looks perdy sweet to me
                    "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

                    "Always do good. It will gratify some and astonish the rest." ~Mark Twain


                    • #40
                      IMHO, hardware firewalls generally provide better protection - because Joe Blow User isn't running apps (eg - Outlook/Express) on that hardware that could potentially load malicious code into the system.

                      But with this increased security sometimes one has to make a few sacrifices, because certain software isn't always programmed to accommodate firewalls. One good example is Soldier of Fortune - Yah, sure, I've got no problems getting onto the net and playing some multiplayer. But if you want to host an internet SOF game, but you are behind a NAT, you are SOL. To the best of my knowledge, SOF _has_to_be_ using an internet addressable IP addr in order to serve an Internet accessible SOF game. (If someone can correct me on this PLEASE LET ME KNOW!!)

                      Oh, and did you know that it is possible to spoof source ports? That's right - if an intelligent programmer really wants to (and I'm saying for certain this can be done from within windows because I am definitely not a programmer) they could potentially create http, or telnet, or even irc traffic coming from port 53 - your friendly neighbourhood dns port. And you can't block that if you want to resolve host addresses (eg use the 'Net), can you?

                      Until someone invents and cheaply distributes an application level filter/firewall (where http traffic is actually http traffic on port 80, and not, say, telnet traffic on port 80), it's just not possible to be 100% certain. I'd agree with everyone else though, having some sort of firewall is better than having none at all.

                      Personally, I like the GRC article. It gives me a glimpse of what creativity the DDoS community is up to. I was shocked to see small computer programs going out to specified irc servers and waiting for a command to launch an attack. I now consider myself better informed, and more able to respond to certain types of possible network problems in the hopes that I can do my job even better than before.

                      Has anyone seen this?

                      The Hackers Rootkit for NT
                      http://cnet.com/webbuilding/0-7532-8-4877567-1.html
                      ECS K7S5A Pro, Athlon XP 2100+, 512 Megs PC-3200 CAS2.5, HIS Radeon 9550/VIVO 256Meg DDR

                      Asus A7N8X-E Deluxe C Mobile Athlon 2500+ @ 2.2GHz, 1GB PC-3200 CAS2.5, Hauppauge MCE 150, Nvidia 6600 256DDR

                      Asus A8R32 MVP, Sempron 1600+ @ 2.23GHz, 1 Gig DDR2 RAM, ATI 1900GT


                      • #41
                        Yeh, testing: does anyone know a good program one can load on, say, a laptop and then use that to check your firewall for well known loopholes?
                        Chief Lemon Buyer no more Linux sucks but not as much
                        Weather nut and sad git.

                        My Weather Page


                        • #42
                          Assuming the laptop is connected to the net, browse to Steve's site and go to the Shields Up section.
                          Someday, we'll look back on this, laugh nervously and change the subject.


                          • #43
                            You can also use Netlab 1.4 (freeware), works with Win9x only (I believe)... it was written long before 2K was around.
                            "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

                            "Always do good. It will gratify some and astonish the rest." ~Mark Twain


                            • #44
                              Originally posted by RichL:
                              > As Steve does not profit by selling Zonealarm, what would he gain by fudging tests to make it look good?
                              > I suppose it's just possible that Zonealarm is actually a good and effective product.
                              I wholeheartedly agree about that no matter how much I dislike some of SG's practices.
                              Yes, ZA is a perfectly good firewall for non-techie kind of people who can stand its ugly colors.

                              Originally posted by RichL:
                              > Personally I find Gibson's points about Windows XP to have certain merit. If they didn't, why would Micro$oft make a detailed statement of denial on Technet?
                              Because he drew the wrong conclusions yet got headlines in the news all over the place generating hysteria. That's exactly why it's so dangerous for someone in a position like Steve to misinterpret facts.

                              Originally posted by RichL:
                              > Microsoft does not deny that Windows XP can be used for spoofed IP packets
                              So can any other operating system. Some with less work, some with more. That spoofing is possible is a weakness of the whole current TCP/IP architecture. Nothing to blame Microsoft about and definitely not something in which there is going to be any real difference with the release of Windows XP.

                              You have to remember that spoofed IP addresses are not particularly useful anywhere else but these flooding kind of denial of service attacks.
                              It's not an easy job and usually just not feasible to get the reply back on your spoofed packet (which of course will be addressed to the spoofed source address).

                              There's only so much you can achieve with a one-way communication where you won't be receiving any reply back.

                              Now tell me, what difference would it have made for the attack on Steve if the addresses were spoofed? (And you will never know if they weren't actually spoofed already.)

                              The one initiating the attack does not care the least about the infected machines exposing their real IPs.

                              What good is it doing for Steve? That he can make cutesy charts to put up on his web page about where the attacks were coming from?
                              He can't really configure the router to drop all traffic from all @home users. Well, obviously he can, but is that a solution to ban all @home users, including any honest people with secure systems?

                              Definitely not. The only true solution is to work towards making people aware of the dangers of running unknown executables, enhancing software to minimize the chance that you could get a trojan into someone's system.

                              Originally posted by RichL:
                              > their reply is that XP will be secured so there won't be a problem.
                              > Hello?
                              Their reply is that
                              a) they are continually working towards getting trojans on the systems of inexperienced users as hard as possible
                              b) that Windows XP doesn't make a discernible difference in spoofing addresses

                              So what's Steve's point exactly? That because of convenience and no need for it some "hacker tools" (available on public web sites, no less!) currently only support IP-spoofing on Windows 2000 and up? That, unfortunately, is going to change very soon primarily just because the trojan makers want to make Steve look real dumb.
                              (Which probably would've happened far later if ever, if only he never wrote this article to achieve the exact opposite of what he wanted.)

                              Originally posted by RichL:
                              > Apparently Win 9x and NT have had the required raw sockets support for years, but only if you install the SDK, which 99% of Joe Average PC users don't.
                              That's simply untrue (requiring the SDK on target PCs).


                              > The fear that the same 99% of Joe Averages will upgrade to Windows XP, plug in their cable modem or DSL and unwittingly allow themselves to participate in DDoS attacks is a valid one.
                              Unwittingly getting a trojan on their system is the problem. Not what you can achieve in DDOS attacks with them.

                              "Sorry man, your system's got compromised by a trojan and half of the world is happily reading all your correspondence, deleting your files, etc. etc. Rest assured though, it's no biggie -- at least the current trojan on your system couldn't send spoofed IP packets to Steve Gibson's little server and that's really the only thing which matters. Have a nice day. "


                              [This message has been edited by fds (edited 13 June 2001).]


                              • #45
                                Originally posted by 2Whyzzi:
                                > they could potentially create http, or telnet, or even irc traffic coming from port 53 - your friendly neighbourhood dns port. And you can't block that if you want to resolve host addresses (eg use the 'Net), can you?
                                And why on Earth would you care? Receiving garbage when you are expecting something else isn't going to make the slightest difference IF the software receiving the garbage is well-written and can't be crashed, or more dangerously overflow a buffer with it.

                                If it comes as part of a flooding kind of denial of service attack and their only purpose is to saturate your connection to make it unusable, then it could as well come to any port and you could filter it all you want with the firewall on your side, YOUR connection will still be just as saturated with the attacks.

                                The problem with hardware firewalls is that they can't make a choice based on what application is trying to send/receive that traffic.

                                The problem with software firewalls is that if the malicious code can get administrator privileges, it can simply pause or kill your firewall and do whatever it wants to. Or it might get itself installed to precede your software firewall, or just fake being an application you allowed, etc.
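
The port-53 exchange in posts #40 and #45, as an added example that is not part of the thread: a rule that trusts any inbound packet with source port 53, next to a filter that only accepts replies to DNS queries the host actually sent. The `Packet` and `StatefulFilter` names, the 30-second timeout and the sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DNS_PORT = 53
STATE_TTL = 30.0  # assumed: seconds an outbound query keeps its return path open

@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

def stateless_allow(pkt: Packet) -> bool:
    """Port-only rule: trust anything inbound that claims source port 53."""
    return pkt.sport == DNS_PORT

class StatefulFilter:
    """Accept an inbound packet only as the reply to a tracked outbound one."""
    def __init__(self, ttl: float = STATE_TTL):
        self.ttl = ttl
        self.flows = {}  # (proto, local ip, local port, remote ip, remote port) -> expiry

    def outbound(self, pkt: Packet, now: float) -> None:
        self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl

    def inbound_allow(self, pkt: Packet, now: float) -> bool:
        # A reply is the outbound flow with source and destination swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.flows.get(key)
        if expiry is None or now > expiry:
            self.flows.pop(key, None)  # drop stale state, if any
            return False
        return True

# Constructed sample traffic using documentation addresses (RFC 5737).
HOST, RESOLVER, STRANGER = "192.0.2.10", "198.51.100.53", "203.0.113.7"
QUERY = Packet("udp", HOST, 40001, RESOLVER, DNS_PORT)
INBOUND = [
    Packet("udp", RESOLVER, DNS_PORT, HOST, 40001),  # reply to QUERY
    Packet("udp", STRANGER, DNS_PORT, HOST, 40001),  # sport 53, unknown remote
    Packet("tcp", STRANGER, DNS_PORT, HOST, 23),     # sport 53, aimed at telnet
    Packet("udp", RESOLVER, DNS_PORT, HOST, 40002),  # no query left this port
]

def demo():
    """Return (stateless verdict, stateful verdict) for each inbound packet."""
    fw = StatefulFilter()
    fw.outbound(QUERY, now=0.0)
    return [(stateless_allow(p), fw.inbound_allow(p, now=1.0)) for p in INBOUND]

if __name__ == "__main__":
    for pkt, (loose, strict) in zip(INBOUND, demo()):
        print(pkt, "| port-only:", loose, "| stateful:", strict)
```

A forged packet that reproduces the resolver's address and both ports would still match the tracked flow, so state tracking narrows what source port 53 lets in rather than authenticating the sender.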
