Re: black ice defender
From: Joseph V. Morris (jvmorris@erols.com) Date: 08/17/02
- Next message: : "Re: The Beginning Of The End For Micro$oft Reign Of Terror"
- Previous message: NeoSadist: "Re: Detecting the sequence/processing order of two installed firewalls"
- In reply to: Alexander Delarge: "Re: black ice defender"
- Next in thread: Elite: "Re: black ice defender"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joseph V. Morris" <jvmorris@erols.com> Date: Sat, 17 Aug 2002 12:40:50 -0400
Alexander,
Not sure this is directly apropos to your comments below, but I thought it
might be worthwhile to throw them in, anyway. . . .
"Alexander Delarge" <alex@nowhere.com> wrote in message
news:U9x69.98903$UU1.17938@sccrnsc03...
. . . .
| 5. BlackICE is the ONLY personal firewall that includes an IDS. None of the
| other personal firewalls have the ability to actually monitor and analyze
| network (Internet) traffic for known modes of intrusion. Not Zone, not Tiny,
| not Norton - NONE of them. . . . .
There _is_ something in NIS/NPF 3.0x/4.0x called "Intrusion Detection",
but I will agree with you that it's not intrusion detection in the sense
you describe. However, NIS 2002 Pro (aka NIS 4.5) _does_ include more
reasonable IDS functionality by incorporating a scaled-down version of
Raptor technology.
Also, PSFs like PC Viper (which may now be defunct for all I know), Look N
Stop and Sygate Pro at least currently provide 'packet
capture/information' (See the post by Crazy M at
http://www.dslreports.com/forum/remark,4115010~root=security,1~mode=open
.) Now, I don't use _any_ of these products, so I can't say yea or nay as
to whether they truly fall into the category of the kind of IDS you are
describing. Just wanted to bring them to your attention, if you'd missed
them.
| . . . . They are all "application gates" that just close
| off access to applications. Which is a false sense of security, since most
| people mindlessly hit "allow this application to communicate" when they see
| that warning from Zone - hence making Zone's protection meaningless.
I agree with your comments above; but would extend it a bit. For example,
in addition to custom configuring the applications, I tend to run a fairly
detailed set of rules for MSIE, OE, and OL (my own idea of defense in
depth). You can then imagine my surprise when I was confronted with
pop-ups saying something to the effect that "Internet Explorer (or Outlook
Express or Outlook) are attempting to communicate. . . . Would you like to
PERMIT this communication?" Well, WTFO! (This is where it gets
insidious.) As a _novice_ user, the inclination to say, "Sure, allow it!"
is overwhelming. But I had a problem. You see, I _haven't_ updated any
of these apps in that time period, so it couldn't be the firewall asking
if I wanted to allow access because I was running an updated version of
the apps in question. Checking details on these pop-ups revealed that
MSIE, OE, and OL were attempting to communicate to a remote port that I
had _not_ written an explicit PERMIT rule for. Furthermore, (in my
particular situation) it turned out that they were ports to which I most
definitely did _not_ wish to allow communication -- namely Port 135 on
_another_ dialup user on the ISP subnet I was currently using. (There was
absolutely no legitimate reason why I should be seeing such queries,
inasmuch as I had done absolutely nothing to initiate such a communication
attempt. NONE of these three apps should be attempting to communicate with
another ISP subscriber.)
Just to ensure that I never got sucked in to 'PERMITting' such
communication (for example, if I were tired), I wrote EXPLICIT "Block
Everything Else" rules for _each_ of these applications. (Yes, there is
an "Implicit Block Rule" in NIS/NPF, but in my configuration that leads to
the pop-up query unless the "block everything else for this application"
rule is EXPLICITLY present.)
I'm fairly certain that a ZA(free) user would never have seen any
notification whatsoever in these circumstances. But, more to the point, I
remain somewhat concerned about what a ZAP/ZA+ or SPF or Kerio or Tiny
user would have seen if they were simply running with the 'default' rules
that these PSFs install for these applications (assuming, of course, that
they have been PERMITted Internet access). (And I must admit that I don't
know as I've never used them.)
Just a caveat for consideration by others.
--
Regards,
Joseph V. Morris
jvmorris@erols.com
ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.
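The rule-ordering point in the post above (an implicit block that falls through to a pop-up, versus an explicit "block everything else" rule that ends the evaluation silently) modelled as a small first-match rule set. This is an added example and is not code from the original post or from NIS/NPF; the `Rule` class, the `decide` function and the browser rule set are hypothetical, and the addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-application rule model, evaluated top to bottom with
# first-match semantics. Fields set to None match anything.
@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "block"
    proto: Optional[str] = None                   # "tcp" / "udp" / None = any
    port: Optional[int] = None                    # remote port, None = any
    net: Optional[ipaddress.IPv4Network] = None   # remote network, None = any
    note: str = ""

def matches(rule: Rule, proto: str, ip: str, port: int) -> bool:
    """True if every constraint the rule specifies fits this attempt."""
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.net is not None and ipaddress.ip_address(ip) not in rule.net:
        return False
    return True

def decide(rules: list, proto: str, ip: str, port: int) -> str:
    """First matching rule wins. With no match, the implicit block in this
    model surfaces as a 'prompt' (the pop-up the user is asked to answer)."""
    for rule in rules:
        if matches(rule, proto, ip, port):
            return rule.action
    return "prompt"

# Constructed browser rule set: only web and DNS are explicitly permitted.
BROWSER_RULES = [
    Rule("permit", "tcp", 80, note="http"),
    Rule("permit", "tcp", 443, note="https"),
    Rule("permit", "udp", 53, note="dns"),
]

# Same rules plus an explicit catch-all block at the end, so nothing
# ever falls through to the prompt.
HARDENED_RULES = BROWSER_RULES + [Rule("block", note="block everything else")]

def prompting_attempts(rules: list, attempts: list) -> list:
    """Return the (proto, ip, port) attempts that would produce a pop-up."""
    return [a for a in attempts if decide(rules, *a) == "prompt"]

# Constructed attempts: normal https, plus an unsolicited outbound to
# port 135 on another host in the same (constructed) dial-up subnet.
ATTEMPTS = [("tcp", "198.51.100.10", 443), ("tcp", "192.0.2.77", 135)]
```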