Re: BlackICE Misinformation
From: EliteSim (SpamTrap@LamerZ.com)
Date: 12/31/01
- Next message: Karl Maier: "Re: Sonicwall VPN to DMZ"
- Previous message: CyGho: "Re: ZoneAlarm alerts"
- In reply to: Cynthia Melrose: "BlackICE Misinformation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "EliteSim" <SpamTrap@LamerZ.com> Date: Sun, 30 Dec 2001 23:44:06 -0000
"Cynthia Melrose" <nowhere@nothing.zom> wrote in message
news:50aT7.9929$X94.394530@rwcrnsc52...
> There is a lot of misinformation about BlackICE, mostly caused by the
> uninformed Steve Gibson.
>
> 1. BlackICE has a firewall - actually more true than Zone. What BlackICE is
> not, is an application gate. BlackICE blocks traffic at the port/IP level
> (or packet level). This is actually how most "true" firewalls work. An
> Application Gate is a different kind of "firewall". It controls access to
> the network interface based on which programs or programming interfaces
> (called APIs) you have allowed to communicate with the network. Application
> gates are generally something that can only be used on local machines,
> although there are some network-based gates of this kind. But they work off
> the different network protocols and not the actual application.
>
> 2. BlackICE does outbound blocking. The version that Mr. Gibson tested
> (2.1) is rather old now. The current release (2.9 for Defender and 3.0 for
> the corporate products) absolutely does outbound blocking.
>
> 3. BlackICE's core technology is an Intrusion Detection System (IDS). That
> means BlackICE actually monitors the traffic entering and exiting your
> computer for suspicious activity. It does not just block traffic en masse
> like Zone and Tiny. BlackICE is more accurately described as a protocol
> analyzer mated to a firewall with an analysis engine to detect suspect
> traffic.
>
> 4. Traffic that poses no threat to the computer, like a simple outbound HTTP
> request, is not filtered because it does not threaten the computer. This is
> why Gibson's Leaktest "cuts through" BlackICE. Only traffic that poses an
> immediate threat to the computer (like transmission of outbound registry
> information) is detected and stopped. You could say BlackICE does not get
> in the way of normal traffic; it only cares about the dangerous stuff.
>
> 5. ZoneAlarm and other "Application Gates" have one fatal flaw to them: they
> do not actually monitor traffic. What that means is if a spyware application
> proxies its outbound traffic through an "accepted" application such as
> Internet Explorer or Netscape, Zone will not stop the traffic. In other
> words, the spyware "piggybacks" its traffic on accepted applications, which
> Zone does not stop. Most advanced spyware now works in this manner. Don't
> believe me? See
> http://archives.neohapsis.com/archives/bugtraq/current/0056.html
>
> 6. Both Zone and BlackICE have weaknesses. It just depends on your comfort
> level. Zone provides "blunt level" blocking. That is, it will block things
> en masse. This will stop most inexperienced hackers and poorly designed
> spyware. BlackICE is a more sophisticated engine that can identify a lot of
> what are called "Zero Day" exploits. That is, hacks that have not been
> discovered yet. BlackICE was actually one of the only Intrusion Detection
> Systems able to detect the CodeRed worm, before people even knew what it was
> called. BlackICE is actually more susceptible to simplistic spyware, but it
> is very good against higher-end hacks and spyware. BlackICE will detect
> outbound spyware traffic, even if it is encrypted or proxied.
>
> Sygate, Tiny and all the others have their strengths and weaknesses as well.
> What it all comes down to is what you want. I have used BlackICE for two
> years. It has caught all sorts of things, including outbound spyware. I
> have also used Zone. It was good, but I found it more infuriating to use.
>
> Mr. Gibson's opinions of BlackICE are very skewed. First off, there is ample
> proof that Mr. Gibson did not install or use BlackICE properly. Secondly,
> Mr. Gibson has a strong and rather suspicious relationship with ZoneLabs. He
> is practically their Director of Sales. I am not saying Zone is a horrible
> product, but realize that Mr. Gibson has a bias. Lastly, Mr. Gibson's
> refusal to retest BlackICE and his pathetic Leaktest demonstrate that he
> doesn't want to really analyze software based on how hackers might use it.
> He wants to analyze software based on how ZoneAlarm works. In a sense,
> Gibson sees Zone as "the perfect tool" and therefore evaluates all other
> software based on how Zone works. That is like comparing the value of every car
> to a Chevy Impala. Since a BMW 540i does not have a pushrod V6, it is
> therefore not a good car, because the Chevy Impala does.
>
> One of the things BlackICE does extremely well is intrusion detection.
> BlackICE's corporate products are outstanding for this very reason. Their
> distributed host-based IDS is one of the best next to Snort and RealSecure
> (another ISS product).
> The point is, no security solution is 100% effective. As a security
> engineer, we use a layered approach to security. We have hardware-based
> firewalls doing mass blocking of ports, probes, etc. Then we have intrusion
> detection systems monitoring our network. We use both BlackICE and Snort
> (an excellent combination, I might add). Lastly, we perform regular
> vulnerability analysis of our network using a combination of security tools
> such as nmap, Nessus, and this great tool called STAT from Harris
> Corporation. All our corporate workstations are running centrally managed
> versions of BlackICE.
>
> We had a few knuckleheads download some MP3s that had SubSeven on them. Our
> BlackICEs lit up like Christmas trees when those SubSevens tried to
> communicate with the outside world. It temporarily shut them down until we
> went out and A) scolded the users B) cleaned their machines.
>
> Now, this is probably a little too much for a home user. But the point of
> all this is: don't think you're 100% safe just because you plunk down $40
> for Zone, BlackICE, Sygate, Tiny or any firewall. Good security starts with
> paying attention to details and being careful. You are just as hackable
> using Zone as using Sygate.
>
> Personally, this is why I like BlackICE. Its IDS engine tells me a lot more
> information about network activity; it also arms me with trace files that
> can be used as evidence for police. We have already helped the feds spot one
> hacker, thanks to the trace files we got off our BlackICE systems.
>
> Good luck.
>
> Cynthia Melrose
>
>
I couldn't agree more. And yes, Steve's views and opinions on BlackICE are
corrupted. He should really give it a second chance, hence he didn't want to
try the updated version. How rude.