Re: Firewall Suggestions

From: Duane Arnold (notme@notme.com)
Date: 01/23/03


> We have Norton Antivirus installed and running, I would think that would
> keep any worms or viruses from infiltrating the LAN, correct?
>

No, not from my experience. F-Secure is close to NAV, and with my company's
laptop on the company's LAN a worm hit that disabled F-Secure on the machine
and had its way with the machine, infecting 100(s) of files. I went to an
on-line scan site and was able to get Nimda off the machine, but there is
something else there. I have done the online scans, they cannot find it; I
scanned with NAV and NOD32, and the machine *blue* screens after scanning so
far.
And all you have to do is go to any AV newsgroup and see the worms bring any
AV to its knees.

BlackIce's Application Control on a machine would have stopped it, because
it takes a baseline inventory of every program type, exe(s), dll(s), ocx(s),
etc., on the machine. If an un-baselined program element hits the machine,
BlackIce will stop it and notify.

That and BlackIce's IDS, which scans the network traffic between two machines,
not only stops hacker attempts but scans for worms, viruses and other attack
patterns in the traffic and will give you a *clue*. But of course, if you
approve it, then BlackIce cannot stop it either. In addition to that,
Application Control intercepts all installs on the machine and gives you the
choice to proceed or terminate the install process.

> And how is BlackIce's return policy if I have problems with it as I did with
> Zone Alarm Pro?

I don't know, I have never had to return it, but I don't think they will be
that petty.

Anyway, here is the link to the 30-day trialware of the full version, BlackIce 3.5.

http://www.iss.net/products/networkice/eval/

Here is the Advanced User Manual link. RTFM and find out what it can do.

http://documents.iss.net/literature/BlackICE/BI-AAG.pdf

A couple of tips:

1) Go on-line to some sites and scan the machine with some on-line AV(s).
2) Go to www.moosoft.com, get The Cleaner and scan the machine for Trojans -- 30
full trialware... then get rid of it.
3) Since you have uninstalled ZA, the registry may be messed up. Use
*regclean* or something similar to fix the registry.
    a) BlackIce will have trouble if 1 - 3 are not taken care of before
installing BlackIce.
4) Set BlackIce's Settings to the following:
    a) *paranoid*
    b) *auto block*
    c) *enable Internet Sharing* --- that's Intranet/LAN to you since the
machines are behind the router
    d) *enable NetBios Neighborhood*
5) Take the Alert Notification off of *yellow* and put it on *orange/red* or
*red*.
6) You will have to tell BlackIce about 192.168.1.1 in the Advanced Firewall
settings:
     a) a rule like IP = 192.168.1.1 *on all ports* *Accept* *Forever*
     b) the DHCP IP(s) that can be issued to the machines so that they can
communicate, like:
          1) a rule like IP range = 192.168.1.100-192.168.1.150 *on all ports*
*Accept* *Forever*.

Hey, that's about it, and if you have any questions, post back, because
there are several others in the newsgroup who know a hell of a lot more
about BlackIce than I do.

Good luck

Duane :)

--
The protection of the machine is a process and is not a given!
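An added example, not from the post and not BlackIce's own code: a minimal Python version of the "baseline inventory of every program element" idea described above. It hashes every exe/dll/ocx under a directory, then reports anything un-baselined (new), modified, or missing. The suffix list and the sample files in `demo()` are constructed for this example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Program element types the post names (exe, dll, ocx); constructed list.
PROGRAM_SUFFIXES = {".exe", ".dll", ".ocx"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Inventory every program element under root: relative path -> sha256."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES
    }


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current inventory to the baseline and classify differences."""
    current = take_baseline(root)
    return {
        "new": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed sample: baseline a directory, then change it and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ original program")
        (root / "lib").mkdir()
        (root / "lib" / "helper.dll").write_bytes(b"MZ helper")
        (root / "readme.txt").write_bytes(b"not a program element, ignored")
        baseline = take_baseline(root)
        # An un-baselined element appears and an existing one is altered.
        (root / "lib" / "dropper.exe").write_bytes(b"MZ unexpected")
        (root / "app.exe").write_bytes(b"MZ original program, altered")
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored outside the machine being checked, since anything that can alter the program elements can also alter a baseline kept beside them.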