ZoneAlarm Pro security levels make it easy to configure your firewall settings. You can apply a default security level (High, Medium or Low) to each Zone, or you can customize the port and protocol restrictions for each level.
The High security default configuration for both the Internet Zone and the Trusted Zone places your computer in stealth mode. File and printer sharing is disabled, but outgoing DNS, outgoing DHCP, and broadcast/multicast are allowed, so that you are able to browse the Internet. All other ports on your computer are closed except when used by a program that has access permission and/or server permission.
| Traffic Type | High Security | Medium Security | Low Security |
|---|---|---|---|
| DNS outgoing | allow | allow | allow |
| DHCP outgoing | allow | allow | allow |
| broadcast/multicast | allow | allow | allow |
| ICMP | | | |
| incoming (ping echo) | block | allow | allow |
| incoming (other) | block | allow | allow |
| outgoing (ping echo) | block | allow | allow |
| outgoing (other) | block | allow | allow |
| IGMP | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
| NetBIOS | | | |
| incoming | block | block | allow |
| outgoing | block | allow | allow |
| UDP ports not in use by a permitted program | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
| TCP ports not in use by a permitted program | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
The Medium security default configuration enables file and printer sharing, and all ports and protocols are allowed. (If Medium security is applied to the Internet Zone, however, incoming NetBIOS traffic is blocked. This protects your computer from possible attacks aimed at your Windows networking services.) At Medium security, you are no longer in stealth mode.
| Traffic Type | High Security | Medium Security | Low Security |
|---|---|---|---|
| DNS outgoing | allow | allow | allow |
| DHCP outgoing | allow | allow | allow |
| broadcast/multicast | allow | allow | allow |
| ICMP | | | |
| incoming (ping echo) | block | allow | allow |
| incoming (other) | block | allow | allow |
| outgoing (ping echo) | block | allow | allow |
| outgoing (other) | block | allow | allow |
| IGMP | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
| NetBIOS | | | |
| incoming | block | allow (Trusted Zone); block (Internet Zone) | allow |
| outgoing | block | allow | allow |
| UDP ports not in use by a permitted program | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
| TCP ports not in use by a permitted program | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
Low security defaults allow all types of traffic.
| Traffic Type | High Security | Medium Security | Low Security |
|---|---|---|---|
| DNS outgoing | allow | allow | allow |
| DHCP outgoing | allow | allow | allow |
| broadcast/multicast | allow | allow | allow |
| ICMP | | | |
| incoming (ping echo) | block | allow | allow |
| incoming (other) | block | allow | allow |
| outgoing (ping echo) | block | allow | allow |
| outgoing (other) | block | allow | allow |
| IGMP | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
| NetBIOS | | | |
| incoming | block | allow (Trusted Zone); block (Internet Zone) | allow |
| outgoing | block | allow | allow |
| UDP ports not in use by a permitted program | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
| TCP ports not in use by a permitted program | | | |
| incoming | block | allow | allow |
| outgoing | block | allow | allow |
You can customize the firewall configuration for each security
level in each Zone by blocking or opening additional ports. Do this in the Internet
Zone tab and the Trusted Zone tab.
DNS (Domain Name System)
A data query service generally used on the Internet for translating host names
or domain names (like www.yoursite.com) into Internet addresses (like 123.456.789.0).
DHCP (Dynamic Host Configuration Protocol)
A protocol used to support dynamic IP addressing. Rather than giving you a static
IP address, your ISP may assign a different IP address to you each time you
log on. This allows the provider to serve a large number of customers with a
relatively small number of IP addresses.
DHCP (Dynamic Host Configuration Protocol) broadcast/multicast
A type of message used by a client computer on a network that uses dynamic IP
addressing. When the computer comes online, if it needs an IP address, it issues
a broadcast message to any DHCP servers which are on the network. When a DHCP
server receives the broadcast, it assigns an IP address to the computer.
stealth mode
When ZoneAlarm Pro puts your computer in stealth mode, any uninvited traffic
receives no response--not even an acknowledgement that your computer exists.
This renders your computer invisible to other computers on the Internet, until
a permitted program on your computer initiates contact.
access permission
Access permission allows a program on your computer to initiate communications
with another computer. This is distinct from server permission, which allows
a program to "listen" for connection requests from other computers.
You can give a program access permission for the Trusted Zone, the Internet
Zone, or both.
Several common applications may need access permission to operate normally. For example, your browser needs access permission in order to contact your ISP's servers. Your e-mail client (for example, MS Outlook) needs access permission in order to send or receive e-mail.
The following basic options are available for each program:
Allow the program to connect to computers in the Internet Zone / Trusted Zone
Block the program from accessing computers in the Internet Zone / Trusted Zone
Ask whether the program should have access permission (show Repeat Program alert)
server permission
Server permission allows a program on your computer to "listen" for
connection requests from other computers, in effect giving those computers the
power to initiate communications with yours. This is distinct from access permission,
which allows a program to initiate a communications session with another computer.
Several common types of applications, such as chat programs, e-mail clients, and Internet Call Waiting programs, may need server permission to operate properly. Grant server permission only to programs you're sure you trust, and that require it in order to work.
If possible, avoid granting a program server permission for the Internet Zone. If you need to accept incoming connections from only a small number of machines, add those machines to the Trusted Zone, and then allow the program server permission for the Trusted Zone only.
The following basic options are available for each program:
Allow the program to listen for connection requests
Block the program from listening for connection requests
Ask me whether to allow the program to listen for connection requests (show Server Program alert)
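The zone and permission rules described above, as an added example (a simplified model written for this page, not ZoneAlarm Pro's own code): a connection is decided by the remote machine's zone plus the program's access or server permission, and the last function lists programs that hold server permission for the Internet Zone. The addresses, program names and per-zone security levels are constructed for illustration.

```python
import ipaddress

# Constructed sample data: the two machines allowed to connect in have been
# added to the Trusted Zone; every other address falls in the Internet Zone.
TRUSTED_ZONE = [ipaddress.ip_network("192.168.1.10/32"),
                ipaddress.ip_network("192.168.1.11/32")]
ZONE_LEVEL = {"internet": "high", "trusted": "medium"}  # assumed settings

# From the page's table: TCP/UDP ports not in use by a permitted program
# are blocked at High and allowed at Medium and Low.
UNCLAIMED_PORT = {"high": "block", "medium": "allow", "low": "allow"}

# Hypothetical program list; each permission is "allow", "block" or "ask".
PROGRAMS = {
    "chat.exe": {"access": {"internet": "allow", "trusted": "allow"},
                 "server": {"internet": "block", "trusted": "allow"}},
    "ftpd.exe": {"access": {"internet": "allow", "trusted": "allow"},
                 "server": {"internet": "allow", "trusted": "allow"}},
}

def zone_of(remote_ip):
    """Classify a remote address: Trusted Zone if listed, else Internet Zone."""
    ip = ipaddress.ip_address(remote_ip)
    return "trusted" if any(ip in net for net in TRUSTED_ZONE) else "internet"

def decide(direction, remote_ip, program=None):
    """Return 'allow', 'block' or 'ask' for one TCP/UDP connection attempt."""
    zone = zone_of(remote_ip)
    if program is None:  # no program is using the port: the zone's level decides
        return UNCLAIMED_PORT[ZONE_LEVEL[zone]]
    # Incoming connections need server permission, outgoing need access permission.
    kind = "server" if direction == "incoming" else "access"
    return PROGRAMS[program][kind].get(zone, "ask")

def internet_servers():
    """Programs granted server permission for the Internet Zone (review these)."""
    return sorted(name for name, perms in PROGRAMS.items()
                  if perms["server"].get("internet") == "allow")
```

Here `chat.exe` follows the advice above (server permission for the Trusted Zone only), while `ftpd.exe` is the case `internet_servers()` reports for review.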
NetBIOS (Network Basic Input/Output System)
A program that allows applications on different computers to communicate within
a local network. By default, ZoneAlarm Pro allows NetBIOS traffic in the Trusted
Zone, but blocks it in the Internet Zone. This enables file sharing on local
networks, while protecting you from NetBIOS vulnerabilities on the Internet.