RE: Packet Blocking a.k.a. BlackICE
From: Robert Graham (robert_david_graham@yahoo.com) Date: 08/23/01
- Previous message: Marc Maiffret: "RE: Packet Blocking a.k.a. BlackICE"
- In reply to: Marc Maiffret: "RE: Packet Blocking a.k.a. BlackICE"
- Next in thread: bacano: "Re: Packet Blocking a.k.a. BlackICE"
- Reply: bacano: "Re: Packet Blocking a.k.a. BlackICE"
Message-ID: <20010823184853.62408.qmail@web10004.mail.yahoo.com>
Date: Thu, 23 Aug 2001 11:48:53 -0700 (PDT)
From: Robert Graham <robert_david_graham@yahoo.com>
Subject: RE: Packet Blocking a.k.a. BlackICE
To: Marc Maiffret <marc@eeye.com>, "RAGHAVENDRAN H." <raghavh@ctd.hcltech.com>, focus-ids@securityfocus.com
BlackICE Defender has the equivalent of an intermediate driver. In
order to get widespread compatibility with VPN clients and other
networking stuff, the driver has morphed a bit, so it isn't a _strict_
intermediate driver. E.g. many VPNs use intermediate drivers, but you
can have only one in the stack on many Windows systems, so having both
at the same time gets tricky.
The upshot is that it isn't an official Microsoft Intermediate Driver,
but yet it is essentially a form of an intermediate driver, and sits at
the same place in the stack.
For those of you new to this, there are many places you can interfere
with network traffic. The stack on Windows looks something like:
    winsock2.dll (analogous to libsock.so)
    TDI
    TCP/IP
    intermediate drivers
    NDIS
    physical hardware
Older systems replaced the winsock API, but that interfered with a lot
of stuff. A lot of stuff these days taps into TDI as the best way of
being just one step below the application. Intermediate drivers are
just one step above the network. (Which means, for example, that TDI
gets reassembled packets, but intermediate drivers have to do their own
reassembly).
NDIS is the driver for the hardware. (As an aside, BlackICE Sentry,
the full NIDS version of the software, replaces NDIS and gets rid of
the entire stack above it for sniffing).
This is a simplification of the stack. There is actually a lot more
interesting stuff you can do to interfere with networking. For example,
Microsoft has a new firewalling API that taps directly into the TCP/IP
stack, but that only works on Win2k. WinXP has a bunch of new
firewalling stuff that I don't understand yet.
--- Marc Maiffret <marc@eeye.com> wrote:
> It does have IM, at least the last time we checked. The other personal
> firewalls that do filtering of what program.exe can talk where etc...
> are doing stuff in TDI however some are doing TDI and IM.
>
> | -----Original Message-----
> | From: RAGHAVENDRAN H. [mailto:raghavh@ctd.hcltech.com]
> |
> | I was just wondering how Black ICE Defender does packet blocking (as it
> | claims) without using an IM driver. Is it some kind of TDI trick?
> |
=====
Robert Graham
Personal: http://www.robertgraham.com Work: CTO Network ICE
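As an added illustration of the point in the message above that TDI hands you reassembled data while an intermediate driver has to reassemble for itself (example code written for this page, not Network ICE's or BlackICE's code): a per-fragment port filter sitting at the intermediate-driver layer matches only the first fragment of a fragmented datagram, so a filter there needs its own reassembler before it can decide. Addresses, the IP ID and the 1200-byte TCP segment are constructed; the reassembler simply holds datagrams with gaps or overlapping fragments rather than resolving them.

```python
import struct
IPV4_HDR = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, checksum left as 0

def build_ipv4(src, dst, proto, ident, off, more, payload):
    """One IPv4 fragment: `off` in bytes (multiple of 8), `more` = MF flag."""
    flags_frag = (0x2000 if more else 0) | (off // 8)
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64,
                       proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def parse_ipv4(pkt):
    ver_ihl, _, tlen, ident, ff, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return dict(src=src, dst=dst, ident=ident, proto=proto, more=bool(ff & 0x2000),
                off=(ff & 0x1FFF) * 8, payload=pkt[(ver_ihl & 0x0F) * 4:tlen])

def tcp_dst_port(data):
    return struct.unpack("!HH", data[:4])[1] if len(data) >= 4 else None

def naive_filter(pkt, blocked_port):
    p = parse_ipv4(pkt)   # per-fragment rule: the TCP header only rides in fragment 0
    return p["off"] == 0 and tcp_dst_port(p["payload"]) == blocked_port

class Reassembler:
    """Buffers fragments per (src, dst, id, proto) until the datagram is complete."""
    def __init__(self): self.pending = {}
    def feed(self, pkt):
        p = parse_ipv4(pkt)
        if p["off"] == 0 and not p["more"]:
            return p["payload"]                       # not fragmented at all
        key = (p["src"], p["dst"], p["ident"], p["proto"])
        st = self.pending.setdefault(key, {"frags": {}, "total": None})
        st["frags"][p["off"]] = p["payload"]
        if not p["more"]:
            st["total"] = p["off"] + len(p["payload"])   # last fragment fixes the length
        pieces, pos = sorted(st["frags"].items()), 0
        for off, data in pieces:
            if off != pos: return None                # gap or overlap: keep waiting
            pos += len(data)
        if st["total"] is None or pos != st["total"]: return None
        del self.pending[key]
        return b"".join(data for _, data in pieces)

def demo():
    # Constructed 1200-byte TCP segment to port 80, cut into three 400-byte fragments.
    seg = struct.pack("!HH", 40000, 80) + b"\x00" * 16 + b"X" * 1180
    frags = [build_ipv4("10.0.0.1", "10.0.0.2", 6, 0x1234, o, o + 400 < len(seg),
                        seg[o:o + 400]) for o in range(0, len(seg), 400)]
    naive_hits = sum(naive_filter(f, 80) for f in frags)   # only the first fragment matches
    whole = [d for d in map(Reassembler().feed, reversed(frags)) if d]   # any arrival order
    return naive_hits, tcp_dst_port(whole[0]) if whole else None
```

`demo()` returns `(1, 80)`: the per-fragment rule fires once and lets the other two fragments through, while the reassembled datagram exposes the port regardless of arrival order.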