Re: New LAN user needs laptop security assistance

From: Duane Arnold (notme_at_notme.com)
Date: 06/15/03


Date: Sun, 15 Jun 2003 10:41:33 GMT

I would use a free firewall like Kerio or Tiny and BlackIce together.

Why? Because BI is an IDS/firewall solution based on the OSI model for
network firewalls, and it has the ability to stop malware from coming in the
network traffic or running on the machine.

http://www.firewall-software.com/firewall_faqs/firewall_network_models.html

There are times when I have to take my laptop to work and connect my laptop
to the company's network. Yeah, the Raptor firewall the company uses works
fine for the entire network. But machines behind the firewall connected to the
network can be and are being attacked by malware coming in the network traffic,
because of file sharing on ports and services being used by the MS O/S
connected to the network. BI has got my machine covered.

http://www.uksecurityonline.com/products/intrusion-detection.php

Although it has a link to discussing IDS applications, the good reason for
using an IDS/firewall app is at the below link, within how to protect one of
the NT based O/S's.

http://www.uksecurityonline.com/husdg/windows2000/ids.htm

The key to understanding what BI is doing is to read the Server User manual
which gives more detailed information.

http://blackice.iss.net/product_documentation.php
http://www.iss.net/products/networkice/eval/

You may see someone trying to *dog* me. He is negative and I am about
business.

Below is my analysis on how an IDS/firewall like BlackIce and Sygate really
works, and how other firewall applications are now implementing an IDS
component in the applications.

Please ignore my rant on this person.

HTH

Dr. *D* :)

*********

This post is about my knowledge about things that I have learned to look for
since I have come to this <g>. Although my analysis is between BlackIce and
Sygate, I have nothing against Sygate, and it's moving in the right
direction.

I don't know what this fool Walter has said about me. But I know it cannot
be good. I am not reading his sh*it anymore. Pull up the history of my posts
concerning my technical expertise. You will sure as hell find it. Pull up
Walter's stuff, if you can find it. But really all you have to do is find my
posts trying to respond to this *clown*, along with helping others. I help
in this <g> and others I frequent.

When a company such as the Archer Daniels Midland Company will pick up my
*** lock, stock and barrel and move me to their corporate headquarters
and tell me that I have the credentials that are needed to help develop this
critical multi-tier international Web based application that the company
has spent millions on over a seven year period and that has not been successful...
Well, it is successful, as my team and I are bringing it up from scratch.

The bottom line here with this Taco Bell *** is that I cut him down
on BlackIce. This fool even used BI and didn't know what the hell he was
doing with it and started bitching and crying about his damn $40 big ones.
Here recently, with all this BS about Outpost, this *clown* showed up again
bitching about BI again and I cut him down again. I didn't know it was this
fool, because he will not post with his real name. This *clown* is in my
face; you should check out what he did the first time. I am afraid he is on
this same path again.

I'll put my knowledge of computers and technical expertise up against anyone
and will be able to hang there.

So when I mention InterGate, it's more powerful than BlackIce in some ways.

Really what this comes down to is me against a *clown*.

Dr. *D* :)

*********

Malware test using Gator telling Gator to install from the Website:

IE Security:

IE stopped the download and I told it OK

BlackIce:

BlackIce Application control stopped the download reporting that
*iegator.dll* wanted to use *iexplorer.exe* and I told it OK. BTW, I did an
entire search of <C> looking for *iegator.dll* and it was not there, which
means it was coming from the Website in the HTTP traffic.

BlackIce Communication control detected that *iexplorer.exe* wanted access
to the Internet, but of course it was *iegator.dll* who wanted access and I
told it OK.

BlackIce Application Control stopped *gatorsetup.exe* from executing and I
told it OK. BTW, I searched for *gatorsetup.exe* on <C> and it was not
there, which means it was coming from the Website in the HTTP traffic.

BlackIce Communication control reported that *gatorsetup.exe* wanted access
to the Internet and I told it OK.

Sygate Pro:

Sygate Pro, after BlackIce detected everything up front, indicated that Gain
Setup was trying to connect to *gs.gator.com* using remote port 80 HTTP.

My analysis of this is that BlackIce IDS is doing a detailed analysis of
layer 7 (application) protocols such as HTTP, Telnet, etc., and is looking at
what is coming in the network traffic from a Website and stopping it. And
BlackIce is checking its Application and Communication control database in
real time based on its analysis of traffic in layer 7.

Sygate is not doing an analysis of layer 7 and not stopping anything from
coming from a Website. Sygate only knew to stop the outbound communications
of *gatorsetup.exe*. Once Sygate has given approval of iexplorer.exe to
communicate to the Internet, it doesn't have the means to stop a *dll*
executing from a site using iexplorer.exe on its behalf.

Conclusion is that BlackIce has better features with its IDS than Sygate Pro
in controlling program execution and communication to the Internet and is
better at stopping malware on the machine. Not only is BlackIce looking at
dll's, it is looking at exe, com, sys, drv, ocx too, and BlackIce can be made
to look at more sub-component program types. You see, an attack will not
always come from a dll or exe trying to use IE, OE or Outlook as the host to
get out. Not only is BlackIce's IDS looking at what's executing and
communicating at the machine level, but it is looking at the network traffic
too.

Sygate is using a Signature Analysis IDS engine. They consider this type of
IDS engine to be extremely elementary. Most products that employ signature
analysis also use basic protocol analysis. Layers 3 (network) and 4
(transport) of the OSI model, which contain IP, TCP and UDP, are all
examined. So Sygate, as well as BlackIce, uses a Signature Analysis IDS engine.

Signature analysis systems have a few key strengths. They are very fast,
since packet matching is a relatively non-processor intensive task. The
rules are easy to write and understand, as well as very customizable.
Additionally, there is fantastic community support for rapidly generating
signatures for new alerts and warnings. These systems excel at catching low
level, simple attacks since they tend to employ prepackaged exploits that
are easy to recognize. Lastly, signature-based analysis conveys exactly what
has happened very well, since it takes a very specific event to trigger an
alert or tell its firewall component to close the *open* port with Sygate
or BlackIce.

Signature analysis, while initially very fast, loses its performance edge as
the ruleset grows. This is particularly problematic as the ruleset can grow
very fast: basically, for each attack or exploit that is created by
attackers, a new rule must be created to detect it. Despite data normalizers
and packet reassembly, both of which eliminate some evasion techniques,
uncountable variations of attacks can slip by a signature-based system.
Application level attacks such as Unicode, multiple variations similar to
those found in SNMP community strings, and evasion programs that morph shell
code like ADMutate can cause serious problems for any signature system. The
slightest variation in an attack is often enough to defeat a signature. The
only solution is more rules, which eats away at performance and increases
complexity.

This is where *BlackIce* starts to separate itself from *Sygate*. While at
first glance protocol-based IDSs are slower than signature-based systems,
they more than make up ground in terms of scalability and performance as
signature-based rulesets grow. Furthermore, since they search for generic
violations, protocol analysis engines can often catch zero-day exploits,
something that is impossible for a signature system; unfortunately, they can
sometimes miss obviously deviant events, such as a root Telnet session, that
do not violate any protocol. Protocol-based systems keep the false alarms to
a minimum, since they log real violations. And the BlackIce IDS closes the
*open* port with its firewall component.

IMHO from this point forward, this is where *BlackIce* IDS/firewall blows
*Sygate* and the rest away. Of course, the effectiveness of an IDS depends
upon the environment in which it will be employed. Monitoring a large,
diverse network is very different from smaller, homogenous environments.
Signature analysis models are best suited for average-sized networks looking
to catch standard threats. Administrators can draw on the fantastic
community support for releasing updated signatures, and performance is not a
crucial factor. However, a bigger, ever-changing network would likely
benefit from some of the strengths of a protocol analysis system:
performance, minimal false positives, and generalized alerts.

Without a doubt this is where the BlackIce IDS/firewall solution outshines
the rest. Anyone choosing an IDS based on one of these techniques has
several factors to consider. Each model excels in different arenas.
Fortunately, it appears as though we're headed in the direction of
reconciliation between the two divergent methods. The engineers and
programmers behind these systems recognize the obvious strengths and
weaknesses of each approach. As can be expected, the developers are
attempting to pull together the best components of each approach in order to
provide a more robust product - a fact that is evident in several of the
more recent IDS offerings. Currently, almost all of the protocol-based
offerings perform pattern matching at some point in the application level
decode. There are IDS systems that, even though they perform protocol
analysis, also allow the user/operator the ability to create signatures for
particular traffic. We can expect to see more of this as well. Similarly,
signature-based systems are bundling application processors to more
effectively recognize attacks.

The fundamental IDS concept is this: these devices, similar to firewalls,
inspect incoming and outgoing network traffic. Unlike firewalls, however,
they do not alter the traffic flow by dropping or passing certain packets.
Rather, they look for malicious traffic that may be indicative of an attack
or other misuse and log an alarm with specific data for administrative
review.

BlackIce has taken this a step further with the introduction of its
*firewall* sub system and it does alter the traffic flow by dropping or
passing certain packets. BlackIce has taken the protection of the machine
even further by integrating and coupling its Application and Communications
control sub systems to the IDS main system.

It is evident that BlackIce's main focus is not on the firewall sub system,
because of how one must go to the *firewall.ini* file to manually configure
the firewall with more sophisticated rulesets. But BlackIce's firewall sub
system is as powerful as any other firewall on the market and one can
control it just as well. But the firewall sub system is tightly integrated
to the IDS main system and is mainly there for the IDS component.

BlackIce does take on the role of the traditional IDS application when it
*red* alerts and doesn't always block an IP, although ISS indicates that
BlackIce always takes some protection measures during a *red* alert. I think
people are confused when that happens along with not seeing the *blocked*
symbol, thinking that BlackIce did nothing. But in fact, BlackIce did do
something, and it alerted on the attack issue. It's up to the ADMIN to take
the appropriate measures if necessary by *blocking* the IP using the ADV
Firewall Settings UI and setting the appropriate rule.

I have yet to lock down SQL Server 2000 running on my Win 2K ADV Server
machine. Why? Because the security patches are very difficult to apply. The
very first security patch blows up and I am not getting on the phone with MS
to find out why. I suspect this kind of attitude by a lot of SQL Admins;
otherwise, SQL Slammer wouldn't have hit as hard as it did in the wild.
There was a security patch for SQL Slammer from MS. I'll just let BlackIce
protect the *open* ports and services.

Also, I have yet to completely lock down the Win 2K ADV server or the Pro
workstations due to the fact that BlackIce is on the machines protecting
*open* ports and services running on the machines, along with the Linksys
NAT router, which doesn't have SPI. BlackIce is performing the role of SPI
on the network and is performing it well.

Don't get me wrong, I like Sygate; it's a fine product and has a couple of
nice features that BlackIce doesn't have in it. But on the other hand, I can
use TCPview and the Task Manager and do the same thing. I do like the Update
Signature, Outbound Application protection, and the ability to give
sophisticated rulesets through the UI.

But Sygate is just a *Personal* SWF that is just now becoming aware of IDS
and is nowhere in the league with the BlackIce IDS/firewall - no way, no
how and no sir is it in the league with BlackIce. And point blank, neither
are the other SWF's for the Windows Desktop platform in the league with
BlackIce. If Snort is the equivalent for the Linux platform, then it's not
in the league either.

Yeah -- yeah, let some *clueless* one come at me now about BlackIce. The AKA
is fully loaded! ;-)

Soon, I'll be learning just what does a firewall do.

Later!

Dr. *D* :)

--
The protection of the machine is a process and not a given!
"J44XM" <j44xm@seventy8.n_t> wrote in message
news:Xns939916E9CF312j44xm@206.66.12.209...
> Hello and thanks for reading. I'll try to keep this short.
>
> I just bought a basically-new Toshiba Satellite 1415-S173 laptop (1.8 GHz
> processor, 30 GB HD, 256 MB RAM, Windows XP Home) and I am using it to
> connect to my university's LAN. I unfortunately just had a brief brush with
> a couple of viruses (now apparently eliminated), so I wanted to ask you, the
> experts, directly: What do I need to keep my computer safe?
>
> Do I only really need anti-virus and firewall software? Can you recommend
> high-quality software, preferably (but not necessarily) try-before-you-buy
> shareware? Since I'm a college student, I don't have much money, so
> expensive solutions are out; but I'm certainly willing to spend a bit to
> ensure my data's safety. Also, is it safe to keep my LAN connection active,
> or should I make it a habit to connect only when I'm actively using it? (I
> like streaming music ...)
>
> Any advice you can offer will be very, very much appreciated.
> -- 
> J44XM (#seventy8.net)
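
Added example (not from Duane's post, and not code from ISS, BlackIce or
Sygate): a toy Python sensor that runs the two detection models the post
compares, signature matching and protocol analysis, over a handful of
constructed HTTP request lines. The three signature rules (named in the style
of Snort rule messages), the request lines and the "/cgi-bin/admin/shutdown"
path are made up for illustration; the "%c0%af" request follows the shape of
the old IIS-era "Unicode" traversal that the post alludes to, where an
overlong UTF-8 encoding of "/" hides the traversal from a literal pattern.
It shows both sides of the trade-off the post describes: literal signatures
miss the percent-encoded variant and the grammar violation but catch a
well-formed request for a sensitive path, while the protocol analyzer catches
the encoded variants by decoding and normalizing the path as a server would,
yet says nothing about the well-formed request (the post's "root Telnet
session" case). Running both engines on the same event is the hybrid the post
says newer products are moving toward.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not captured traffic), one per event, as an
# HTTP-aware sensor would see them after TCP reassembly.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                                                 # benign
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.1",                 # plain traversal
    "GET /scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd%2eexe?/c+dir HTTP/1.1",  # percent-encoded
    "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.1",      # overlong UTF-8 '/'
    "GET /cgi-bin/admin/shutdown HTTP/1.1",                                     # well-formed, sensitive path (made up)
    "GET /index.html",                                                          # no HTTP version at all
]

# --- Signature analysis: literal patterns; fast, explicit, and only as good as the list ---
SIGNATURES = {
    "WEB-IIS cmd.exe access": re.compile(r"cmd\.exe", re.I),
    "WEB-MISC ../ directory traversal": re.compile(r"\.\./"),
    "WEB-CGI admin shutdown request": re.compile(r"/cgi-bin/admin/shutdown"),
}

def signature_alerts(request_line):
    """Names of every signature whose pattern occurs literally in the request line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]

# --- Protocol analysis: parse the request as HTTP and flag grammar/semantic violations ---
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def decode_path(target):
    """Percent-decode the path part of the target and decode it as strict UTF-8.

    Strict decoding rejects non-shortest-form sequences such as %c0%af, which
    RFC 3629 forbids; a literal signature for '../' never sees them.
    """
    path = target.split("?", 1)[0]
    return unquote_to_bytes(path).decode("utf-8")

def protocol_alerts(request_line):
    """Generic violations: bad grammar, odd method, illegal encoding, escaping the root."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ["request line is not HTTP/1.x grammar"]
    alerts = []
    if m.group("method") not in ALLOWED_METHODS:
        alerts.append("unexpected method %s" % m.group("method"))
    try:
        path = decode_path(m.group("target"))
    except UnicodeDecodeError:
        alerts.append("invalid UTF-8 in URI (overlong or illegal sequence)")
        return alerts
    # Walk the decoded path like a server would; climbing above '/' is the violation,
    # whatever bytes were used to spell the '..' and '/' on the wire.
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                alerts.append("path escapes document root")
                break
        elif segment not in ("", "."):
            depth += 1
    return alerts

def hybrid_alerts(request_line):
    """Both engines on the same event: each covers the other's blind spot above."""
    return signature_alerts(request_line) + protocol_alerts(request_line)

def coverage_table(requests=SAMPLE_REQUESTS):
    """Per request, which engine(s) fired, to make the coverage gaps visible."""
    return [(r, signature_alerts(r), protocol_alerts(r)) for r in requests]

if __name__ == "__main__":
    for request, sig, proto in coverage_table():
        print("%-75s sig=%-50s proto=%s" % (request, sig, proto))
```

The percent-encoded request (third line) produces no signature hit at all,
and the overlong-UTF-8 request only trips the "cmd.exe" literal, which an
attacker could just as easily encode too; the protocol analyzer flags both
without needing a rule per spelling. The fourth-to-last point in the post
holds as well: "/cgi-bin/admin/shutdown" is perfectly valid HTTP, so only the
signature engine has anything to say about it.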
