Re: Microsoft to ship new versions with firewall enabled

[Omachonu Ogali <nanog () missnglnk com>]

On Thu, Aug 14, 2003 at 05:37:44PM +0100, Richard Cox wrote:
> What I do like in the latest release of Zone Alarm Pro is that it will
> stop ANY program from connecting outbound on Port 25 unless that program
> has been specifically authorised to send mail.  It was quite informative
> to see which programs were trying to mail information back to their base!

Zone Alarm Pro is very stupid as well. When a machine makes an outbound
connection attempt, yes, you'll see a dialog that pops up asking you
whether to allow that SINGLE connection or not, I guess this is what
you mean...

BUT on every single occasion I get that dialog box, it's telling me
that the program is trying to access my ISP's DNS servers, which is
correct, I click yes to allow that SINGLE connection, and it lets
the program go ahead and connect to port 22 (putty is the application
in this instance), instead of asking me about port 22 next.

Reasons why this is bad?

A) Semi-savvy user sees 'DNS' and their ISP's nameservers and clicks
   yes not knowing it's a trojan trying to resolve the hostname for
   trojan base.

B) Trojanned program operates semi-normally, makes the initial
   connection to the proper host, you ok it with ZoneAlarm because it
   looks legit, but ZoneAlarm goes ahead and lets the program connect
   to whatever it wants after the inital OK, (example scenario: buffer
   overflow), so the trojan connections are concealed.

C) It's bothersome. Ask the user every time they fire up the program
   whether they want to let it connect to something, and they're going
   to click the "please don't ask me about this crappy program ever
   again" checkbox, and be done with it, again, concealing trojan
   connections in the event the program gets modified later down the
   road.