Bugtraq mailing list archives

ZoneAlarm


From: whacker () HACKERWHACKER COM (Wally Whacker)
Date: Fri, 21 Apr 2000 04:41:23 -0000


ZoneAlarm (http://www.zonelabs.com) is a very popular 
personal firewall for Microsoft Windows computers and easy 
to use for newbies because it is application based, 
meaning, you apply network permission to applications 
instead of ports.

Because it is application based, I was wondering how it 
handled ports that weren't applications, i.e., what about 
ports that are opened by the kernel?

I tried scanning a ZoneAlarm protected machine using 
various source ports that are often problems for other 
firewall environments. What I found was this:

If one uses port 67 as the SOURCE port of a UDP scan, 
ZoneAlarm will let the packet through and will not notify 
the user. This means that one can UDP port scan a 
ZoneAlarm protected computer as if there were no firewall 
there IF one uses port 67 as the source port on the packets.

The version I tested this on was 2.1.10.

I strongly suspect port 67 needs to be left open because it 
is used for DHCP.

On an earlier version 2.0.26 UDP packets from source port 
53 also behaved as above but this doesn't seem to be the 
case with this latest version.

The test was this: 

1) Download and install ZoneAlarm version 2.1.10. 

2) From another computer (unix, linux, etc.) run 
nmap -P0 -p130-140 -sU 192.168.128.88 <-Your Computer IP Address. 
This will run a small UDP scan on the computer.

3) ZoneAlarm will throw up alarms on these UDP probes.

4) NOW, run nmap -g67 -P0 -p130-140 -sU 192.168.128.88 
(Notice the -g67 which specifies source port). This will 
run the same test as above except the packets will have a 
source port of 67.

5) ZoneAlarm will not throw up any alerts AND if you have 
any services running on those ports, nmap will find them.

I'd appreciate it if anyone else can independently verify 
this.

Wally

http://hackerwhacker.com 
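
An added example (not from the original post and not ZoneAlarm's code) that models why a rule trusting UDP source port 67 by itself passes the datagrams described above, next to a stricter check that accepts such traffic only as a reply to the host's own DHCP request on port 68. The weak rule is an assumed model of the reported behaviour; the filter class, the reply window and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67  # RFC 2131: servers send from port 67
DHCP_CLIENT_PORT = 68  # RFC 2131: clients listen on port 68

@dataclass(frozen=True)
class Udp:
    t: float        # arrival time in seconds
    src_ip: str
    src_port: int
    dst_port: int

def source_port_only(pkt: Udp) -> bool:
    """Assumed model of the reported behaviour: source port 67 is trusted by itself."""
    return pkt.src_port == DHCP_SERVER_PORT

class DhcpAwareFilter:
    """Hypothetical hardened rule: src 67 passes only as a reply to our own request."""
    def __init__(self, reply_window: float = 5.0, server_ip: Optional[str] = None):
        self.reply_window = reply_window
        self.server_ip = server_ip            # pin once a lease names the server
        self.last_request: Optional[float] = None

    def outbound_request(self, t: float) -> None:
        self.last_request = t                 # host sent DISCOVER/REQUEST from port 68

    def allow(self, pkt: Udp) -> bool:
        if (pkt.src_port, pkt.dst_port) != (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
            return False                      # DHCP replies only ever target port 68
        if self.last_request is None or not (0 <= pkt.t - self.last_request <= self.reply_window):
            return False                      # nothing outstanding, so it is unsolicited
        return self.server_ip is None or pkt.src_ip == self.server_ip

def evaluate(packets, strict: DhcpAwareFilter):
    """Return (packet, weak_verdict, strict_verdict, alert) for each inbound packet."""
    rows = []
    for p in packets:
        weak, hard = source_port_only(p), strict.allow(p)
        rows.append((p, weak, hard, weak and not hard))  # alert: only the weak rule passes it
    return rows

# Constructed inbound traffic: one real DHCP reply, src-67 datagrams to ports 130-140,
# then an unsolicited "reply" to port 68 long after the request window closed.
SAMPLE = ([Udp(1.0, "192.168.128.1", 67, 68)]
          + [Udp(60.0 + i, "192.168.128.50", 67, port) for i, port in enumerate(range(130, 141))]
          + [Udp(90.0, "192.168.128.50", 67, 68)])
```

Rows where `alert` is true are exactly the packets a source-port-only exception lets through silently, which makes the same predicate usable as a detection rule on firewall logs.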

