Bugtraq mailing list archives

Re: ZoneAlarm Pro Local Internet not only Locally!


From: Justin Morgan <jmorgan () zonelabs com>
Date: 13 Nov 2001 00:36:58 -0000

Mailer: SecurityFocus
In-Reply-To: <000001c16693$de35fbb0$5241bbd4@www>

Hi,

As a technical support engineer for ZoneLabs I just wanted to let all of you know that this report is missing something important.

ZoneAlarm has two zones, the internet and the local zone.  Any networks which are checked in the local zone are considered trusted, and all network traffic from those addresses will be allowed through the firewall.

As an end-user it is EXTREMELY important you only add addresses to your local zone that you trust.  This would be your LAN addresses and no others generally.

ZoneAlarm Pro asks you if you would like to trust the network you connect to whenever you get DHCP from a new DHCP server.  If you are connected to the internet answer NO to this question when it comes up.

If you follow these guidelines you will not be open as described below.

Best regards,
Zone Labs Support



ZoneAlarm Pro is a firewall for Windows home users.

The following was tested with ZoneAlarm Pro latest version: 2.6.357

I'm not sure if it also works with the free version but I can't imagine why it wouldn't.

Similar to Internet Explorer, ZoneAlarm Pro (ZAP) has security settings for Local and Internet.

However, ZAP in certain cases classifies connections as Local when they really aren't Local. All connections that have the same 2 octets as your IP (ex. your IP 123.123.123.123 -> 123.123.*.*) are also considered Local.

This means everyone with the same first two octets of your IP can connect to your computer under local level security settings instead of the internet level security settings.

With default settings this will expose your computer and all its ports, plus opening and allowing access to Windows services and shares. Users can customize local level security to allow (and block) whatever they want.

How did I discover this?

I installed a webserver and asked some friends to view some pages but they weren't able to connect. Zone Alarm Pro blocked the http port, I found out. But this surprised me since I viewed my http.access and http.error logfile before I enabled port 80 in ZAP and already had a lot of requests from servers infected with Nimda. After looking at the IPs, the first two octets were all the same.. the same as mine.

Philip Wagenaar
The Netherlands
philip () netlogics nl
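As an added example (not from the post and not Zone Labs code): a small Python check that contrasts the "same first two octets" rule the report describes with the subnet-mask rule a user actually intends, and flags web-server clients that ZAP would have admitted under Local security although they are outside the LAN. The /24 LAN, the log lines and the log regex are constructed/assumed; only the 123.123.123.123 example address comes from the report.

```python
import ipaddress
import re

# Constructed sample values: the report's example address, an assumed LAN of /24,
# and made-up Apache-style access log lines (not the reporter's real logs).
MY_IP = "123.123.123.123"
LAN = "123.123.123.0/24"
ACCESS_LOG = """\
123.123.123.7 - - [12/Nov/2001:10:01:02 +0100] "GET /index.html HTTP/1.0" 200 512
123.123.200.45 - - [12/Nov/2001:10:02:17 +0100] "GET /index.html HTTP/1.0" 200 512
123.124.1.9 - - [12/Nov/2001:10:03:40 +0100] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [12/Nov/2001:10:04:05 +0100] "GET /index.html HTTP/1.0" 200 512
"""

# Common log format: client IP is the first whitespace-delimited field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def zap_is_local(my_ip: str, peer_ip: str) -> bool:
    """The behaviour the report describes: same first two octets => Local zone."""
    return my_ip.split(".")[:2] == peer_ip.split(".")[:2]


def lan_is_local(lan: str, peer_ip: str) -> bool:
    """What the user intended: only the explicitly trusted subnet is Local."""
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(lan, strict=False)


def overtrusted_addresses(my_ip: str, lan: str) -> int:
    """How many addresses the two-octet rule trusts beyond the intended LAN."""
    implied = ipaddress.ip_network(f"{my_ip}/16", strict=False)
    return implied.num_addresses - ipaddress.ip_network(lan, strict=False).num_addresses


def log_client_ips(log_text: str) -> list:
    """Extract client IPs from common-log-format lines; skip lines that do not parse."""
    return [m.group(1) for m in map(LOG_RE.match, log_text.splitlines()) if m]


def misclassified_sources(my_ip: str, lan: str, log_text: str) -> list:
    """Clients ZAP would admit under Local security although they are outside the LAN."""
    return sorted({ip for ip in log_client_ips(log_text)
                   if zap_is_local(my_ip, ip) and not lan_is_local(lan, ip)})


if __name__ == "__main__":
    print("addresses trusted beyond the LAN:", overtrusted_addresses(MY_IP, LAN))
    for ip in misclassified_sources(MY_IP, LAN, ACCESS_LOG):
        print("treated as Local but not on LAN:", ip)
```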