I dumped BlackIce for Zonealarm

Jal

Senior member
Mar 22, 2000
452
0
0
OK, I give, I have been a BlackIce user for a long time, and liked their product. No updates since August, and they still don't address the issue of outbound blocking.

I read an article at GRC about firewall testing, and ZA looks like the only one that can pass the test so far. http://grc.com/lt/leaktest.htm

So I unloaded BI and put ZA on. I hate to admit it, but it is a nice program. Easy setup, works nicely on my Windows 2000, blocks ping requests (thus fewer scans), blocks inbound and outbound, and it is FREE.

:Q
 

Big Lar

Diamond Member
Oct 16, 1999
6,330
0
76
I use ZA also, & like it a lot. I just wish I could get rid of the splash screen :D
 

rocmonster

Golden Member
Oct 9, 1999
1,669
0
0
You must always remember:
Black Ice is an Intrusion detection program without any outbound monitoring.
Zone Alarm is a Firewall program that monitors and controls both incoming and outgoing traffic.
:)
 

madthumbs

Banned
Oct 1, 2000
2,680
0
0
Zone alarm passes a test that was made by Steve who made Zone Alarm also. The part of the test that BI failed wasn't used until the new Zone Alarm update was out. BI's updates involve software conflict fixes and bug fixes. The current version of Black Ice is very stable. I'm not knocking Zone Alarm, if I had to do it all over again I would go with it next time. I just don't think that BID is all that bad.
 

rocmonster

Golden Member
Oct 9, 1999
1,669
0
0
madthumbs wrote:


<< Zone alarm passes a test that was made by Steve who made Zone Alarm also. >>



Quote from Steve Gibson's site.


<< For the record, I have NO INTEREST in any of these vendors. >>



Steve Gibson has no connection to Zone Labs. I have no idea where you could have found that information. As for why Zone Alarm passed and Black Ice failed, please re-read my post above. They are two different products. One is an inbound only monitor, the other is an inbound and outbound configurable firewall.

Click here to see how other programs fared against the "Leak Test".

madthumbs wrote:


<< The part of the test that BI failed wasn't used until the new Zone Alarm update was out. BI's updates involve software conflict fixes and bug fixes >>



I am not sure I understand what "updates" you are referring to, as Zone Alarm's most recent update was sometime in October or early November (version 2.1.44) and Leaktest wasn't released until the first week of December. The whole issue the Leaktest confirmed was that most software "firewalls" (with the exception of Zone Alarm) allow your computer to connect to the internet WITHOUT YOUR KNOWLEDGE. Some even allowed leaktest to connect after renaming it the same name as a "trusted" program (much like how a trojan operates).
 

PCAddict

Diamond Member
Nov 19, 1999
3,804
0
0
I have been using Zone Alarm since April when I first got my DSL. It's going to take a lot to convince me to try something else. Every review and test I've seen gives the nod to Zone Alarm.

 

chicken

Junior Member
Nov 23, 2000
21
0
0
Check out PGP 7.0. Here you have a real IDS and personal firewall program as well as email, file and disk encryption from a network security vendor. You do pay for it (unless you find a cracked copy), but then ask yourself, how much is my data worth...
 

celeritas

Senior member
Oct 13, 1999
935
0
0
I still like BlackIce and AtGuard combo over ZA. I tried ZA's free and pro versions, and they both seem to lack the "granular" level control and notifications I want. By default, ZA seems to "allow access to all ports and protocols" for any app that you allow access to the internet. Furthermore, if you choose "allow access for ONLY the ports checked below" and input the ports; e.g., 25 and 110 for e-mail, where is the setting to enable traffic on those ports to only certain sites -- namely, your ISP's e-mail server? I imagine that there must be a way to do this in ZA, but since it isn't readily apparent I think I'll pass. Also, I've noticed an inordinate number of rogue, nonstandard port requests. For example, IE wants to go to a regular web page, and is allowed to access ports 80, 443, 8000, 8080, etc. -- but ZA won't let it because it wants to touch port 2637 (and others) for some reason. What's up with that? :|

In contrast, AtGuard is very straightforward. It denies all incoming and outgoing traffic by default, and always asks if X incoming/outgoing port is OK for X address. No frills, no surprises, no mistakes. Although AG won't have any more updates (since Symantec absorbed AG into Norton firewall), I don't really think I'll need one. I use it for its good port blocking features -- and a port is a port. ;)

I read that AG apparently failed the leak test, but my AG/BI combo didn't. Also, I never get anything but 100% stealth on all ports on ShieldsUP. Between AtGuard's firewall and BlackIce's intrusion detection (and a little tinkering with Windows' file sharing/security settings) I've successfully repelled scans/hacks from everyone from script kiddies to CISSPs. In addition to the off-the-shelf basic "hacker tools" like 7th sphere port scan, ws ping propack, NTO scanner, superscan, et al, I've also shrugged off "doorknob rattling," intrusion, DoS, etc. attempts from ISS Scanner, CyberCop Scanner, satan, nmap, SNMPwalk, etc. Pretty good for a software solution I think. :D
 

DocDoo

Golden Member
Oct 15, 2000
1,188
0
0
There sure is a lot of misinformation out there....

1) BlackIce and Z/A are 2 completely different types of programs (in function).

2) To get rid of the splash screen, use Z/A Pro!

3) BlackIce is more of an "install-it-and-forget-it." (no user input needed)

4) Steve Gibson has only done "some" consulting for Z/A.

5) The "LeakTest" program is rather crude, rude and very narrowly focused!

6) Z/A Pro allows you to block specific port(s) for any specific program!

7) Z/A Pro is excellent at separating LAN vs. INTERNET rules.

I use BlackIce and Z/A Pro. I feel naked if both are not running ;) I have never had a program or computer crash when running BlackIce (for over 2 years). I can't say the same for Z/A.

 

celeritas

Senior member
Oct 13, 1999
935
0
0


<< 6) Z/A Pro allows you to block specific port(s) for any specific program! >>

Yes, but how do you block specific ports for specific sites? TIA.
 

DocDoo

Golden Member
Oct 15, 2000
1,188
0
0
celeritas.... This it can't do (and why I did not mention it). What it can do is block the domain or IP address of specific sites. Besides, there are over 65,000 ports available; how are you going to determine what is good and what is bad? Yes, your "basic-cookie-cutter" ports are 80, 8080, 21, 110, 119.

Give me an example of a site and your reason for blocking what port?

Unfortunately, as with anything in life... any software has a compromise and there is no one ( 1 ) program that can "do-it-all." You're best to stick with a program(s) that offers the least compromise for "your needs."

NOTE: Some sites that you may download from may initially trigger port 21 to start downloading, but then can use bouncing ports 2300, 2302, 2304.... to keep the connection going. This makes it a moving target, and also makes adding specific port rules very difficult (if not impossible). Another example is large sites that might have graphics (or whatever) stored on a 3rd party network and these sites are pulled from IPs and ports other than what are in your rules.

Don't get me wrong, I used AtGuard up to the point when they "sold-out" (ver 3.22). I liked it for what it did... at that time. But AtGuard is not "officially" compatible with WinMe (VxD problem); while there is a hack/workaround, I choose otherwise. And its lack of MD5 checksum is another factor.

For those that are interested:

Trojan Port List Found Here

Official Port List Found Here

 

DominoBoy

Member
Nov 3, 2000
122
0
0
Celeritas or anybody else who knows about this stuff, I know this is off topic but can you answer a few questions please?

What can people/hackers do to me when I play games on-line? In many games it is easy for people to see your IP address. And sometimes even in games that don't show it there are guys who get your IP address somehow and put it on the screen to freak you out. What can they do when they get your IP address? Can they see all the stuff on my computer or just mess with it? Since I'm on a 56K modem with no particular protection, what difference does that make?

Please explain what it means when these guys get your IP address and try to mess with you. It happens all the time with on-line games. Please explain the dangers of people getting your IP address and what I should look for to be careful.
 

DocDoo

Golden Member
Oct 15, 2000
1,188
0
0
Getting one's IP address is very simple and is commonly used by tracking sites for analysis, usually aggregated info. If you were to join an IRC chat room, your IP is readily available to the world. There are complicated ways to "spoof" or "mask" your IP address when going on IRC, but most all servers scan for this and will block you from logging on.

The real question is.... what can a punk do with your IP address? 99% of those people have no clue how to properly compromise your PC through your IP address. Since you have a dynamic IP address, it changes every time you sign on (makes you a moving target).

You are at a greater risk with Trojan infested software. Software that "calls-home" when you log on could send passwords or other private information from your PC. Right now the biggest risk is email attachments! This is the #1 way for a PC to be hacked. This is 99.9% preventable, but people feel the urge to open stupid and useless attachments.

I have been on-line since 1991 and have only had 3 different ISPs, my static IP address has been posted countless times. I have never been hacked. I once posted my IP address on a security exploit forum as an example to see who was able to hack me.... only thing I got was some generic port scan (narrow band) that returned nothing but 100% packet loss. I found out later that someone copy/pasted my post to a "hackers group." Still nothing....

We hear stories every week about how this and that company got hacked, this causes people to worry too much about their own PCs. Companies are at a greater risk because they need to allow the public to access their certain areas.

As long as people use proper network settings and use common sense, they are at very little risk. Unfortunately that sounds simple but, improper network settings are a big problem for those using a LAN (NetBIOS =BAD).

Oops... I forgot to mention on-line games: every time you play online on a server you are essentially opening up a port; it must do this to play. Because you now have your PC open to that port, information can pass through it. Most multi-player games are good as far as security goes. When Quake first came out, it had quite a few security flaws (when played on-line).

While playing online can pose a greater risk, I have not had any issues on this. The biggest complaint I have is when playing Unreal Tournament online, I usually get an ICMP flood when leaving a server (or during). But this is a fault in U.T game..... and is not a hack (nor could it be)!

 

celeritas

Senior member
Oct 13, 1999
935
0
0


<< there are over 65,000 ports available, how are you going to determine what is good and what is bad >>

All of 'em are potentially bad. The trick is to close every single one you don't absolutely need, and watch the rest of them like a hawk. ;)

<< Give me an example of a site and your reason for blocking what port >>

With my current setup, it's easy to make outgoing SMTP/port 25 traffic go to only x.x.x.x IP or mail.x.com. The same goes for incoming POP/port 110 traffic. I'd like to know how to do this in ZA Pro, if it's possible... Just because I want e-mail access to my ISP, doesn't mean I want to open these well-known ports up for everyone.

If I wanted to compromise a system, one of the first things I'd probably do is check if the most common ports were open -- hence the ones on which incoming/outgoing traffic wouldn't be suspicious/detected until it was too late, if ever. I feel stateful packet inspection on all ports is a good idea, so I'll probably just make the move to Linux or a nice hardware firewall.

Off on a tangent... Maybe it's just my twisted sense of humor, but I'm rather surprised that I haven't read about any virus/trojan/worm makers yet who've released actual nasties that purposely resemble well-known hoaxes -- to delay response and maximize damage (not to mention humiliation). If a user called the average IT helpdesk to say he just got an e-mail reading something about "budweiser frogs" or "it takes guts to say 'jesus,'" I bet they'd probably tell him to ignore it. :D
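An added example, not part of any post in this thread: a default-deny outbound policy of the kind discussed above, where a connection is allowed only if the program's hash, the remote port and the destination all match a rule, contrasted with the name-only trust that let a renamed LeakTest through. It uses SHA-256 rather than the MD5 checksum mentioned in the thread; the file name `mailclient.exe`, the addresses (documentation ranges) and all function names are constructed for illustration.

```python
import hashlib
import ipaddress
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sha256: str    # program identity: digest of the executable's bytes
    port: int      # remote port the program may use
    network: str   # remote hosts it may reach, in CIDR form

def file_digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def decide(rules, path, remote_ip, port):
    """Default deny: allow only when hash, port and destination all match."""
    digest = file_digest(path)
    addr = ipaddress.ip_address(remote_ip)
    for r in rules:
        if (r.sha256 == digest and r.port == port
                and addr in ipaddress.ip_network(r.network)):
            return "allow"
    return "deny"

def decide_by_name(trusted_names, path):
    """Weak check, for contrast: trusts anything with a trusted file name."""
    return "allow" if os.path.basename(path) in trusted_names else "deny"

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed sample: stand-in files, documentation-range addresses.
    with tempfile.TemporaryDirectory() as d:
        mail = os.path.join(d, "mailclient.exe")
        write(mail, b"genuine mail client")
        rules = [Rule(file_digest(mail), p, "192.0.2.10/32") for p in (25, 110)]
        out = {"smtp_to_isp": decide(rules, mail, "192.0.2.10", 25),
               "smtp_elsewhere": decide(rules, mail, "198.51.100.7", 25),
               "port_2637": decide(rules, mail, "192.0.2.10", 2637)}
        write(mail, b"different program, same file name")
        out["swapped_name_check"] = decide_by_name({"mailclient.exe"}, mail)
        out["swapped_hash_check"] = decide(rules, mail, "192.0.2.10", 25)
        return out

if __name__ == "__main__":
    print(demo())
```

Only the name-based check allows the swapped file; the hash-bound rule denies it even for the permitted port and mail server.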
 

KouklatheCat

Golden Member
Oct 23, 2000
1,502
0
0
DominoBoy

Go check out Mr Gibson's site and do the "shields up" and "probe my ports". Before Zone Alarm I was very vulnerable. Now with my DSL router and Zone Alarm I am "stealth" according to GRC. I like Zone Alarm a lot and the price is right....:D
 

shadowfaX

Senior member
Dec 22, 2000
893
0
0
I agree, Zone Alarm is a pretty GOOD software firewall. All I remember BlackIce doing is screaming bloody murder whenever someone did a ping on my IP, but it didn't seem to put me in stealth mode the way ZA did.