
Thread: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

  1. #1
    monster_z Guest

    Default Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, everybody!
    After using ZA for a year now, I was wondering whether I can block all incoming and all outgoing traffic and processes except the traffic I want?
    Basically, I only use Mozilla Firefox, Opera and sometimes Internet Explorer, Spyware Doctor and **bleep** Antivirus for surfing.
    I have also additionally configured ZA, but I was always wondering if I can block all other inbound and outbound processes and traffic?
    Thanks for your help.

    Operating System:Windows XP Pro
    Software Version:7.0
    Product Name:ZoneAlarm Pro

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Actually there is no inbound traffic unless you have opened some ports. The traffic is initiated by the application itself and the returning traffic is normal.
    There are some Windows processes which need to have internet access, many need trusted access and the svchost.exe needs the trusted server (for the DHCP and the DNS).

    Keep in mind software firewalls are for controlling the ports, protocols and IPs. Control is the key word.
    What have you done so far for the extra configurations?

    Oldsod
    Best regards.
    oldsod

  3. #3
    monster_z Guest

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod and others!
    I apologize I didn't answer before, because right now my home computer is going for total re-installation of Windows XP (I didn't install it correctly and my Local Area Connection was limited, connectivity was screwed) so I'll simply tell you what I usually do with ZA.
    So, I send you this message on computer where I work.

    First I always go into Firewall-Advanced Options-enable ARP protection, I block trusted servers, Internet servers, lock hosts files etc., I even uncheck the "Allow VPN protocols" option.

    Then I also go to Firewall-Custom, where I block just about anything in both the medium and high level sections, I even block the option "allow broadcasting/multicasting" (for both Trusted and Internet servers), then in those same sections I set the range of ports blocked in both Internet and Trusted servers to 0-65535.

    I also use OSFirewall, Advanced Application Interaction control and Advanced Component control.

    I also use Internet Lock (enabled) with pass-lock enabled; despite someone saying I'd lose the connection, that practically never happens.

    However, I consider myself a novice user.
    I don't think it's possible to stealth or close all of your ports (30606 for antivirus updating, for example) even when Internet lock is enabled.
    Also, I've seen that when I go on the net on Sunday from 7pm-9pm I'm constantly under all forms of attacks (and thanks to ZA they are all blocked).
    I've also noticed that this newest version of ZA Pro actually remembers all of the attacks made by hackers (I know that because every Sunday when I went on the net, I've been under a lot of attacks; the Sunday before I had collected over 4000 blocked intrusions, the Sunday after at the same time period ZA Pro blocked only 100, which means that only 100 attacks were of a new kind).

    Also, I need advice:
    When svchost.exe (Generic Host processes) asks me that it wants to modify rundll32.exe (or modify anything else in the computer) what should I do?

    Also, if ZA Pro asks me that if svchost.exe wants to act as a server what should I do?

    Again, big thanks!

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi Monster-Z

    Okay. The easy settings are used. Maybe confusing if these are not understood, but still easy enough to figure out.

    Users that lose the internet connection after using the Internet Lock made some mistakes. They probably never entered the router or gateway IP or DHCP server as Trusted in the Zones. Or/and the generic host process (svchost.exe) has no server rights for the Trusted server.

    All ports are stealthed by the ZA. The only time a port may not be stealthed is if there is an application which has been given server rights for the Internet Server.

    Lots of intrusions? What type of internet connection is used? Modem and PC or modem and router and PC or many PCs on the LAN?
    What are the IPs of these intrusions? These intrusions could even be coming from your own provider doing network checks (if there is no hardware firewall in front of the PC).

    The svchost should be allowed to change the rundll32.exe. It probably is trying to inject (rundll32.exe operates the Windows .dlls). If you are uncertain, just right click the svchost in the ZA program list and select the Properties and examine it.
    The vendor should say Microsoft and the exact time/date of install should be there and the date of change. The version is listed and this can be verified on the 'net. Even the file size can be helpful for a comparison to find out if it is malicious or not. Plus the location should be noted - if it is not located in the WINDOWS\system32 folder, then it is in the wrong location and it is very possibly a malware.
    Even the Alert from the ZA has more information and can open the Properties and related files.
    Just check and have a look and the file can be determined to be good or bad. Then the decisions can be made safely and with some assurance.

    The svchost.exe can act as a server to the DNS server and the DHCP server. This information will be included in the Alert. The DNS will be mentioned in the Alert and it should be the same IP as the DNS that you are using from your provider. The DHCP server IP maybe also from your provider or from your modem or router. These can also be easily determined if these are legitimate. The server to the DNS is okay and presents no danger - this is basically a "private network" between you and no provider and there is nothing or nobody between you and the providers network. It is a direct connection with no other internet included. Very safe.
    The server for the svchost is needed because the port to the DNS and the DHCP must be opened to allow incoming return connections. This creates smoother and more assured domain name lookups and a properly maintained connection to the gateway/DHCP (keeps you connected).
    So, yes the svchost acting as a server for the Trusted Zone is perfectly okay.

    There are some tweaks to do, using the Expert rules for the applications. The details would be lengthy, but I am willing to help you with these if you so wish.

    Cheers, Oldsod
    Best regards.
    oldsod

  5. #5
    monster_z Guest

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Hi, Oldsod!

    I again thank you for your answer. Since I'm extremely busy, I'll leave these configuration questions, and ask you some other day if you don't mind.

    However, since I have little time to post this, I'd like to ask you about what ZA uses for inbound protection. I've seen you said that ZA Anti-Spyware and all other ZA products use full Stateful Packet Inspection (SPI), but does it use full Deep Packet Inspection (DPI), and what other technologies does ZA use for both inbound and outbound protection?

    Also, I've read on some other forums that full Stateful Packet Inspection and full Deep Packet Inspection can't help us against UNKNOWN malware. Also, if there is some new, unknown attack performed by a hacker, does it mean SPI and DPI are useless against unknown malware and also useless against UNKNOWN forms of attacks?

    Also, does ZA protect against buffer overflows?

    Big thanks for any information you can give me.

  6. #6
    monster_z Guest

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    Thanks for your time and patience.

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Is it possible to block all incoming/outgoing traffic, except traffic you want to allow?

    OK Monster-Z not a problem.

    SPI yes. DPI no. Because Deep Packet Inspection is not really needed (examining each and every single packet would slow down the connections) and DPI is more suited for the gateway appliance or gateway firewall for a larger LAN. Not really needed for the home user. Stateful Packet Inspection is sufficient to ascertain if the connection is correct for the applications in question and for the protocol, ports and IPs involved. SPI is always better than a plain packet filter.

    The only way the firewall can really protect from malware is to actually open all the packets and have a look before passing the packets on. Impossible to do - it would mean every packet from the sites would have to be viewed in full. Only then would the firewall be able to say, yup there is a malicious link in this page, so I will remove it before passing it on. Checking the headers and the packets is sufficient for firewalling. For the time being, it is still up to the user to click or not click on the malicious link.

    Unwanted pings are dropped by the ZA (if configured properly in the Custom or in the Expert). All ports are stealthed and all ports are closed. This alone will provide optimal security for inbound protection and safety.

    Buffer overflows? No. You need a dedicated HIPS such as SSM or a dedicated buffer overflow tool such as WehnTrust. I have used the WehnTrust (it does sometimes need to have the AV and FW components set as exceptions) and it is very easy to use. I still use the SSM (2.0.8.575) and the longer it runs the smoother it gets. Oops, I just checked with CastleCops Wiki for HIPS and see the SSM gives no buffer overflow protection. Only Prevx2 and ThreatFire do this. Well at least you have three choices left.
    The DEP of Windows does provide some buffer overflow protection and the 64 bit Windows Systems have a full protection.

    Does this help?
    Oldsod

    Message Edited by Oldsod on 01-31-2008 09:23 PM
    Best regards.
    oldsod
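The points Oldsod makes in posts #2 and #7 (inbound traffic is normally just the return half of a connection an allowed application opened, a stateful filter tracks that, and svchost only needs explicit server rights towards the Trusted Zone for DHCP/DNS) can be shown with a small default-deny filter model. This is an added illustration, not ZoneAlarm's code; the packet class, the `StatefulFilter` class and all IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str             # "out" (leaving the PC) or "in" (arriving)
    proto: str                 # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: Optional[str] = None  # owning process, known for outbound packets only

class StatefulFilter:
    """Default deny: outbound only for allowed apps; inbound only as return
    traffic of a tracked connection, or via an explicit server right."""
    def __init__(self, trusted_zone: Set[str], allowed_apps: Set[str],
                 server_rights: Dict[str, Set[Tuple[str, int]]]):
        self.trusted = trusted_zone          # router / DHCP / DNS IPs (Trusted Zone)
        self.allowed_apps = allowed_apps     # apps permitted to initiate connections
        self.server_rights = server_rights   # app -> {(proto, local port)} it may accept on
        self.state: Set[tuple] = set()       # 5-tuples of outbound flows seen so far

    def decide(self, pkt: Packet) -> Tuple[bool, str]:
        if pkt.direction == "out":
            if pkt.app not in self.allowed_apps:
                return False, "outbound: application not on the allow list"
            # Remember the flow so its replies are recognised as return traffic.
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True, "outbound: allowed application"
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.state:
            return True, "inbound: return traffic of a tracked connection"
        # Unsolicited inbound is accepted only where an app holds server rights
        # for that port and the sender is inside the Trusted Zone.
        for app, ports in self.server_rights.items():
            if (pkt.proto, pkt.dst_port) in ports and pkt.src_ip in self.trusted:
                return True, f"inbound: server right of {app} (Trusted Zone)"
        return False, "inbound: unsolicited, dropped (port stays stealthed)"

if __name__ == "__main__":
    # Constructed sample: home router 192.168.1.1, PC 192.168.1.10, web server 203.0.113.5.
    fw = StatefulFilter({"192.168.1.1"}, {"firefox.exe", "svchost.exe"},
                        {"svchost.exe": {("udp", 68)}})   # DHCP client port
    print(fw.decide(Packet("out", "tcp", "192.168.1.10", 49152, "203.0.113.5", 443, "firefox.exe")))
    print(fw.decide(Packet("in", "tcp", "203.0.113.5", 443, "192.168.1.10", 49152)))
    print(fw.decide(Packet("in", "tcp", "198.51.100.7", 40000, "192.168.1.10", 135)))
    print(fw.decide(Packet("in", "udp", "192.168.1.1", 67, "192.168.1.10", 68)))
```

The same DHCP offer arriving from an address outside the Trusted Zone, or a reply to a connection that a non-allowed application tried to open, is dropped, which is why removing server rights or the router's Trusted Zone entry breaks connectivity after an Internet Lock as described in post #4.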
