Re: [SLUG] Router

From: steve szmidt (steve@szmidt.org)
Date: Mon Oct 11 2004 - 09:20:04 EDT


On Sunday 10 October 2004 08:22 pm, Chad Perrin wrote:
> steve szmidt wrote:
> > On Sunday 10 October 2004 06:49 pm, Chad Perrin wrote:
> >>xcalibre wrote:
> >>>free version of zonealarm will not work with linksys routers only the
> >>>paid version has filtering to work with routers
> >>
> >>ZoneAlarm works on the PC on which it is installed to prevent packets
> >>from entering and leaving the system based on what rules you set for it,
> >>based on which network "zone" the packets are coming from or going to.
> >>Whether or not there's a router has very little to do with it, except
> >>insofar as the router makes ZoneAlarm redundant if it is also a firewall.
> >
> > Well this is not entirely correct. Having ZA and an external f/w running
> > is not redundant as security is a multi-layered approach. It's made out
> > of many pieces working together. Each adding a layer of security.
> >
> > (I've not used/seen ZA Pro, but it could have routing support in which
> > case it could have the ability to understand routing protocols.)
> >
> > ZA by itself is not total security as it can be bypassed from the
> > outside. Ditto a packet filter which does not know anything about
> > applications cannot block what ZA blocks.
> >
> > Let's say you browse a corrupted website and end up downloading a viral
> > application. Your packet filter sure did not stop it. Windows being nice
> > and cooperative, then executes it for you (well, for the criminal
> > hacker).
> >
> > It may not have the smarts to modify ZA and so when it tries to go online
> > ZA stops it. So disabling ZA is not the thing to do just because you have
> > a packet filter firewall.
> >
> > Now a proxy firewall can do a bit better as it sends out a proxy request
> > and then returns a proxy answer. So to some degree it's better on dealing
> > with the above.
> >
> > Ideally you also have an application firewall, not unlike ZA. Except ZA
> > is not a true application firewall, more of a hybrid.
> >
> > Another layer is not to allow images or html to be drawn or executed
> > through email. Yet another one can be various s/w that detects abnormal
> > behavior or traffic.
> >
> > Anyway, the point with this was just to show why a firewall and ZA are
> > not mutually exclusive, or redundant.
>
> Note: I did not say that the external firewall makes ZA redundant, I
> made a comment about an external firewall having nothing to do with ZA
> _except_insofar_as_ it makes ZA redundant. To some degree, a good
> external firewall _does_ make ZA redundant -- that is to say, some of
> ZA's functionality is redundant when one has a good external firewall
> running. ZA and the external firewall perform some entirely redundant
> functions, in comparison with one another.
>
> They're not mutually exclusive, and they are not _wholly_ redundant, but
> bits and pieces of them _are_ redundant. Get my drift?

Hmm, no I don't. There's not much they share as far as how they filter. A
packet filter does not filter out anything that ZA does, and vice versa.

Maybe I don't get what you are saying.

The big point being that one should have both.

-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked Knowledge Systems (NKS). Views and opinions expressed in messages posted are those of the author and do not necessarily reflect the official policy or position of NKS or any of its employees.


