SolutionBase: Defend your workstations with ZoneAlarm Pro

Use a software firewall such as ZoneAlarm Pro to add an additional layer of security to your network.

If you're running a SOHO network (small office/home office), you're probably aware that you need a firewall. This hardware device or software application protects your computers from network intrusions. Although a firewall is normally a separate device, a software-based firewall can add an additional layer of security to your workstations. Here's how you can add a software firewall using ZoneAlarm Pro.

Reasons to add software firewalls
Even if you have or are considering a hardware firewall, there are good reasons to add a layer of software protection:
  • To secure mobile computers that attach to different networks while you roam. Think of your vulnerability when you work wirelessly at the local coffee bar.
  • To protect your network and the Internet from exploits that originate on your computer, say after a worm has been planted on it. This kind of protection is something software firewalls are particularly good at.
  • To protect your programs from being altered by viruses and other exploits. Good software firewalls warn you whenever your programs attempt to access networks or run as servers. In addition, they warn you if the hash fingerprints of standard executables differ from those on your computer.
  • To shut down ports left open by hardware firewalls. This feature allows you to fine tune a machine's access.
  • To protect your machine from harm when you locate it in front of a hardware firewall. This relocation may be necessary for network testing, avoiding a network configuration problem, attaching to a port forbidden by your hardware firewall, or for other reasons.
  • To lock down your computer without having to pull a cable or power down.

To make use of all these security features, and more, I recommend ZoneAlarm Pro from ZoneLabs. Currently, ZoneAlarm Pro is in release 4.5. Single licenses cost $49.95, with a sliding scale discount applied to multiple licenses. Update and support subscriptions cost $19.95 per year for a single license (the first year is free), with graduated discounts for multiple licenses.

In addition to its firewall security, ZoneAlarm Pro contains quite a few interesting and helpful features (a full feature list is available here):
  1. MyVault and ID Lock let you encrypt personal information and be alerted whenever it is outbound from your computer in plain text.
  2. MailSafe quarantines auto-executing e-mail attachments. This gives a level of protection against unknown viruses.
  3. Automatic network detection and automatic VPN configuration are especially useful if you do a lot of roaming among networks.
  4. Privacy/safety features allow levels of blocking for cookies, pop-up ads, banner ads, Web bugs, and scripts.

Installation and configuration
Before installing ZoneAlarm Pro, complete any Internet activity in process, such as sending e-mail, downloading or uploading files, or browsing the Web. During installation and configuration, ZoneAlarm Pro will block all Internet access to and from your machine.

Double-click the installation file and enter the requested information. If you have a previous version of ZoneAlarm, you have the option of performing an upgrade or a clean install. Even though it means reconfiguring your network, a clean install is the safest option. Before letting you go, the install program presents a “User Survey” with four questions about your Internet use. You can skip this screen if you wish.

When configuration is complete, click Yes and ZoneAlarm will start. Remember that all incoming and outgoing Internet access is denied at this point.

Next, a Welcome screen prompts you through configuration, offers a tutorial, and finally starts ZoneAlarm Pro. Click Next to move through each of the following configuration dialogs (these settings can be modified later):
  1. Privacy Control: Enable banner ad, pop-up ad, and third-party cookie blocking, and enable the Cache Cleaner. By default, the medium security setting is enabled. This setting is designed to block unwanted browser behavior yet allow Web sites to run commerce and personalization features.
  2. Cache Cleaner: This periodically cleans out Internet files and unneeded entries on your hard drive.
  3. Alerts: Accept the default value. ZoneAlarm only displays warnings of probable hacker activity. The other choices are to log activity silently, and to enable all alerts. Since a normal Internet connection includes many port requests, enabling all alerts is a nuisance. In fact, if you are bothered by too many alerts at the default setting, you may prefer to log activity silently.
  4. Password: Set a password to use whenever you wish to change your ZoneAlarm configuration. Do not forget your password. Valid passwords contain between 6 and 31 characters, and are alphanumeric, case sensitive, and also can include characters (!,@,#,$,%,^,&,*…). Once a password is set, you must enter it before you can change settings, shut down or uninstall ZoneAlarm. If necessary, set up ZoneAlarm Pro to protect Microsoft Internet Connection Sharing (ICS). You will need to provide gateway or client IP information.
  5. Secure Programs Automatically: The default value lets ZoneAlarm configure Internet access for common applications that match a safe list. To be considered safe, the executables on your computer must have an MD5 hash that matches the fingerprint on ZoneAlarm’s list.
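The safe-list matching described in step 5, and the "program has changed" alert mentioned later in this article, both rest on the same idea: fingerprint an executable, compare the digest to a known value, and alert when it differs. The script below is an added example and not ZoneAlarm's code; the safe list, the baseline of remembered answers, and the three tiny "executables" it creates in a temporary directory are all constructed for the demo. MD5 is used because that is the algorithm the article names; since MD5 collisions are practical today, a baseline you build yourself should use `algorithm="sha256"`.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: str, algorithm: str = "md5") -> str:
    """Hex digest of a file, read in 64 KiB chunks so large binaries are handled."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_program(path: str, safe_list: dict, baseline: dict,
                     algorithm: str = "md5") -> str:
    """Model the program-control decisions the article describes (assumed model).

    baseline  : fingerprints of programs the user has already answered for
    safe_list : vendor-style list of known-good fingerprints (constructed here)
    Returns "known", "program-changed", "auto-allowed" or "new-program".
    """
    digest = fingerprint(path, algorithm)
    name = Path(path).name
    if name in baseline:
        # Seen before: a differing hash is the "program has changed" alert.
        return "known" if baseline[name] == digest else "program-changed"
    if safe_list.get(name) == digest:
        # Exact safe-list match, so it can be configured without asking.
        baseline[name] = digest
        return "auto-allowed"
    # Unknown program: this is the New Program alert; the user decides.
    return "new-program"


def remember(path: str, baseline: dict, algorithm: str = "md5") -> None:
    """Equivalent of ticking 'Remember This Answer': store the fingerprint."""
    baseline[Path(path).name] = fingerprint(path, algorithm)


def demo() -> dict:
    """Create constructed 'executables' in a temp dir and run them through the checks."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ftp = os.path.join(d, "ftp.exe")          # hypothetical program names
        editor = os.path.join(d, "editor.exe")
        Path(ftp).write_bytes(b"constructed ftp client v1")
        Path(editor).write_bytes(b"constructed editor v1")
        safe_list = {"ftp.exe": fingerprint(ftp)}  # vendor list knows this ftp build
        baseline = {}
        results["ftp_first_run"] = classify_program(ftp, safe_list, baseline)
        results["editor_first_run"] = classify_program(editor, safe_list, baseline)
        remember(editor, baseline)                 # user clicked Yes and ticked Remember
        results["editor_second_run"] = classify_program(editor, safe_list, baseline)
        # Simulate the binary being altered on disk after the user trusted it.
        Path(editor).write_bytes(b"constructed editor v1 + injected code")
        results["editor_after_change"] = classify_program(editor, safe_list, baseline)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of the checks matters: a program the user has already answered for is compared against the remembered fingerprint first, so a modified binary cannot slip back in by matching the vendor safe list.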

Though ZoneAlarm's configuration is robust, it’s more secure to avoid automatic configurations. That way you know if the first access reported by ZoneAlarm was originated by you or by an unknown process. Therefore, choose Alert Me Later When My Browser And These Components Need Internet Access. At that time, you can allow permission, deny permission, or give permission for that one session only.

For some programs, such as FTP, I never grant permanent Internet access, as I always want to verify that I'm originating the request. As with other options, you can modify these settings any time. You can opt to anonymously share your settings with Zone Labs. I never opt to give away information.

Finally ZoneAlarm Pro offers eBay password protection. This feature is designed to prevent eBay “phishing” scams, whereby look-alike Web sites con passwords from users. If you choose this option, ZoneAlarm verifies that the eBay site displayed is legitimate before letting your password through. A recent Microsoft patch to IE helps prevent phishing scams, but no doubt new Web spoofing techniques will be developed.

Using ZoneAlarm Pro
Once configured, ZoneAlarm stealths all Internet ports so that port scans, a hacker's initial probe for weaknesses, do not see your computer. Further, in the process of guarding your connection, ZoneAlarm begins issuing alerts. Stealthing and blocking connections are, naturally, the heart of ZoneAlarm's operation. All the other goodies are nice, but if the app failed here, there would be no point in installing it.

These color-coded alerts come in several types:
  • Program Alerts
  • Firewall Alerts
  • Network Alerts
  • Identity Alerts

Remember that if you chose to log Internet activity silently, you won't see these. Periodically check your logs.

Program Alerts
Yellow Program alerts pop up each time a program (and often a program component) requests access from your computer to the network (Figure A). (Note that many components are handled in the background in what ZoneAlarm calls learning mode.)

Figure A
This New Program alert appears the first time FTP seeks to access the Internet.

Note the following features:
  1. Technical information lists the destination IP, the application name, and its version.
  2. Clicking More Info opens up an Alert Advisor browser window with details about the alert. There are four tabs. Overview describes the alert. Technical includes the app's MD5 Hash, date modified, program size, and port requested. All this information helps you determine whether or not to grant access.
  3. The Details tab gives additional information, when available.
  4. Hacker ID presents the Whois listing for the IP address being sought (or in the case of Firewall Alerts, originating the contact). Clicking the This Address graphic presents a map of the source of the requesting IP address.

The response is simple: If you want your application to access the Internet, click Yes. If you don't, click No. To store the program configuration permanently, click the check box, Remember This Answer The Next Time I Use This Program (you will no longer receive alerts for it).

If you don't store the response, the next time you start the app, you'll see a blue Repeat Program alert. Aside from the color and a message informing you that the program has previously accessed the Internet, the alert is identical to the New Program warning.

There are two other Program Alerts: to let you know a previously reported program has changed and that a program is trying to access the Internet as a server. All these alerts inform you of attempted outbound communications and give you the ability to take appropriate action.

Firewall alerts
Firewall alerts inform you when outbound or inbound traffic has been blocked. Low to moderate risks are colored orange; these are suppressed by the Medium alert setting. Red alerts signal traffic that ZoneAlarm judges to be serious threats.

Both types note the port that was blocked, where the connection attempt originated, and the date and time of attempted access. A typical message looks something like this:
The firewall has blocked Internet access to your computer (UDP Port 1026) from ( (UDP Port 4115).

Clicking the AlertAdvisor More Info button opens up a browser screen that gives more detail regarding the blocked packet, such as type of connection attempted, and whether it's considered typical Internet traffic or a hostile probe. By using the Hacker ID tab you can discover the source server and its location.

Further, by pressing Submit, you can pass your Alert info on to the ZoneAlarm Web site. The site tracks incidents relating to specific IP addresses. When the number of incidents originating from a specific IP address or range escalates to a serious level, a complaint is sent to the ISP. The above alert registered close to 7,000 submissions.
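The escalation the article describes, counting blocked attempts per source address until a threshold is reached, is easy to reproduce locally over your own alert log. The script below is an added example, not part of ZoneAlarm or of the article: it parses messages in the wording quoted above, assuming the source field holds a dotted IPv4 address (elided in the article's sample), and the five log lines are constructed using documentation address ranges rather than real alerts.

```python
import re
from collections import Counter, defaultdict

# Pattern for the alert wording quoted in the article. The source address is
# assumed to be a dotted IPv4 address; the protocol/port pairs are captured.
ALERT_RE = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?:TCP|UDP) Port (?P<sport>\d+)\)"
)

# Constructed sample alerts using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = [
    "The firewall has blocked Internet access to your computer (UDP Port 1026) "
    "from 192.0.2.10 (UDP Port 4115).",
    "The firewall has blocked Internet access to your computer (UDP Port 1027) "
    "from 192.0.2.10 (UDP Port 4116).",
    "The firewall has blocked Internet access to your computer (TCP Port 135) "
    "from 192.0.2.10 (TCP Port 3124).",
    "The firewall has blocked Internet access to your computer (TCP Port 445) "
    "from 198.51.100.7 (TCP Port 2048).",
    "ZoneAlarm started",  # a non-alert line, to show it is skipped and counted
]


def parse_alert(line: str):
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return {"proto": m["proto"], "dport": int(m["dport"]),
            "src": m["src"], "sport": int(m["sport"])}


def summarise(lines, threshold: int = 3) -> dict:
    """Count blocked attempts per source and flag sources at or above threshold."""
    per_source = Counter()
    ports = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        per_source[rec["src"]] += 1
        ports[rec["src"]].add(rec["dport"])
    return {
        "per_source": dict(per_source),
        "ports": {src: sorted(p) for src, p in ports.items()},
        "escalate": sorted(src for src, n in per_source.items() if n >= threshold),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for src, n in summary["per_source"].items():
        print(f"{src}: {n} blocked attempt(s) on ports {summary['ports'][src]}")
    print("sources to report:", summary["escalate"])
```

A source that touches several different destination ports in a short span is the pattern the article calls a probe; the `ports` map in the summary lets you see that at a glance, while `escalate` lists the sources whose count has crossed the threshold you choose.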

Network Alerts
Any time ZoneAlarm detects a new network, it will notify you through a Network Configuration Wizard. At that time, you can choose a name for the network and choose whether to configure it as a Trusted or an Internet zone. ZoneAlarm will automatically recognize wireless networks as well as VPNs. The information will be logged for future reference.

ID Alerts
If you configure myVault to store personal information, you will receive an ID Lock Alert whenever this information is sent from your computer in plain text (Figure B). As with other alerts, you can prevent or accept the action in progress, and find out more information, if needed.

Figure B
An ID Lock Alert lets you know whenever your personal, private information is being transmitted.

The myVault system only stores an encrypted version of your information, so that there is less danger from identity theft if your computer is ever stolen.

Viewing and modifying settings
Double-clicking the ZoneAlarm icon on the System Tray will bring up the Control Center user interface. Though it contains a lot of information, one of the app's best features is that the bulk of the data is clearly presented. Displayed across the top of the Control Center is the current status of your Internet activity, called a Dashboard (Figure C).

Figure C
Use the Dashboard to quickly view firewall activity.

From the left, the first Dashboard item is a set of indicators that light up to show the presence of outbound and inbound Internet traffic. Clicking the Stop button immediately halts this traffic.

Next appears a network icon. This display changes when wired or wireless networks are connected. Click it to go to the Network configuration screen.

Click the padlock icon to engage Internet Lock. This differs from Stop in that programs you granted Pass-Lock permission can still function.

Next appears a listing of the programs currently accessing the Internet. Hover the mouse pointer over an icon to view information. A hand under the program icon indicates an application acting as a server.

Down the left of the Control Center appears a Menu Bar (Figure D). Click on a heading to view its details in the Control Center. Tabbed subcategories make it easy to drill down into the properties you need.

Figure D
Use the Menu Bar to navigate through categories.

To manually configure firewall rules, click Firewall on the Menu Bar, then click the Expert tab. Rules are evaluated before ZoneAlarm applies its security settings. Therefore, this is an area in which you can exercise fine-grained security control. It is also an area in which you can introduce vulnerabilities, since these rules bypass the program's settings. However, certain Web sites or networks may require you to make exceptions. Do so with caution.

For example, here you can set up a simple rule to block FTP traffic to a specific computer in a trusted zone, or allow NetBIOS only during certain times, or set up more complex rules.

When creating more complex configurations, be particularly careful in testing how rules interact. A higher level rule cancels the action of a lower level rule. In addition, program-specific rules, configured through the Program Control Menu Bar category, are subordinate to firewall rules.

In the Zones tab of the Firewall menu item, you can add any specific host/site, IP address, range of IP addresses, or subnet to the list. These can be set as Trusted, Internet or Blocked zones. To do so, click the Add button and choose the activity you want blocked from the drop-down menu. Then complete the dialog. For a host, after entering the domain name, click Lookup. Addresses are added that match the name. Figure E shows a typical dialog entry. In this example, I've blocked all access to eBay. Employees using this computer will be unable to spend time bidding on auctions. When trying to access a blocked site, a browser will report the site as unknown.

Figure E
Adding eBay to the list of Zones. The domain is set to be Blocked.
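The precedence described above, where expert rules are evaluated first and a higher rule cancels a lower one, where the Blocked zone denies everything, and where a program's own permission comes last, is easiest to understand when you can run packets through it. The evaluator below is an added example and not ZoneAlarm's implementation; its evaluation order is an assumed, simplified model of what the article states. The zones, rules, program permissions and packets are constructed: a private LAN as the Trusted zone, `203.0.113.0/24` standing in for the blocked auction site, the two rule ideas from the text (block FTP to one trusted host, allow NetBIOS only during office hours), and a final demonstration of what happens when the two NetBIOS rules are placed in the wrong order.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass
class Packet:
    program: str     # local program involved in the connection (hypothetical names)
    proto: str       # "TCP" or "UDP"
    remote_ip: str
    port: int        # remote service port
    at: time         # time of day the packet is seen


@dataclass
class Rule:
    """One expert rule. Empty/None fields match anything."""
    name: str
    action: str                      # "allow" or "block"
    proto: Optional[str] = None
    ports: frozenset = frozenset()
    hosts: tuple = ()                # CIDR strings
    window: Optional[tuple] = None   # (start, end) times of day

    def matches(self, p: Packet) -> bool:
        if self.proto and self.proto != p.proto:
            return False
        if self.ports and p.port not in self.ports:
            return False
        if self.hosts and not any(ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(h)
                                  for h in self.hosts):
            return False
        if self.window and not (self.window[0] <= p.at <= self.window[1]):
            return False
        return True


# Constructed configuration.
ZONES = [("192.168.1.0/24", "trusted"), ("203.0.113.0/24", "blocked")]
RULES = [
    Rule("no FTP to file server", "block", "TCP", frozenset({21}), ("192.168.1.50/32",)),
    Rule("NetBIOS in office hours", "allow", None, frozenset({137, 138, 139}),
         ("192.168.1.0/24",), (time(8, 0), time(18, 0))),
    Rule("NetBIOS otherwise", "block", None, frozenset({137, 138, 139})),
]
PERMS = {"ftp.exe": "allow", "browser.exe": "allow"}   # program-control answers


def zone_of(ip: str, zones) -> str:
    addr = ipaddress.ip_address(ip)
    for net, zone in zones:
        if addr in ipaddress.ip_network(net):
            return zone
    return "internet"            # anything not listed is the Internet zone


def decide(p: Packet, rules, zones, perms) -> tuple:
    """Assumed order: expert rules (first match wins) -> Blocked zone -> program permission."""
    for r in rules:
        if r.matches(p):
            return r.action, f"expert rule '{r.name}'"
    zone = zone_of(p.remote_ip, zones)
    if zone == "blocked":
        return "block", "Blocked zone"
    perm = perms.get(p.program, "ask")
    if perm == "allow":
        return "allow", f"program permission ({zone} zone)"
    if perm == "deny":
        return "block", "program permission"
    return "ask", "New Program alert"


def demo() -> dict:
    """Run constructed packets through the model and return the verdicts."""
    cases = {
        "ftp_to_file_server":   Packet("ftp.exe", "TCP", "192.168.1.50", 21, time(10, 0)),
        "ftp_to_other_host":    Packet("ftp.exe", "TCP", "192.168.1.51", 21, time(10, 0)),
        "netbios_office_hours": Packet("browser.exe", "UDP", "192.168.1.20", 137, time(12, 0)),
        "netbios_at_night":     Packet("browser.exe", "UDP", "192.168.1.20", 137, time(22, 0)),
        "web_to_blocked_zone":  Packet("browser.exe", "TCP", "203.0.113.5", 80, time(12, 0)),
        "unknown_program":      Packet("unknown.exe", "TCP", "198.51.100.1", 80, time(12, 0)),
    }
    verdicts = {k: decide(p, RULES, ZONES, PERMS)[0] for k, p in cases.items()}
    # Same packet with the two NetBIOS rules swapped: the block rule now sits higher
    # and cancels the office-hours allow, so NetBIOS is blocked all day.
    swapped = [RULES[0], RULES[2], RULES[1]]
    verdicts["netbios_office_hours_swapped"] = decide(cases["netbios_office_hours"],
                                                      swapped, ZONES, PERMS)[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two cases are worth noting. `ftp_to_file_server` is blocked even though `ftp.exe` has been granted permission, which is the "program rules are subordinate to firewall rules" point. `netbios_office_hours_swapped` shows why rule order must be tested: the same three rules in a different sequence silently defeat the time window.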

Specific lessons about creating expert firewall rules are beyond the scope of this article, but you can find many other useful sources on TechRepublic.