Re: BlackIce (with 3/2002 defs) / Sygate Pro does not detect Nimda
From: David (davidwnh@adelphia.net)
Date: 03/11/03
- Next message: Robin T Cox: "Re: Rule help for novice"
- Previous message: Black Ice is crapware!: "Get home, chimpie!"
- In reply to: Alexander Delarge: "Re: BlackIce (with 3/2002 defs) / Sygate Pro does not detect Nimda"
- Next in thread: Alexander Delarge: "Re: BlackIce (with 3/2002 defs) / Sygate Pro does not detect Nimda"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David" <davidwnh@adelphia.net> Date: Tue, 11 Mar 2003 22:57:43 GMT
There is no doubt you can reconfigure BI beyond what is available in the GUI, and most of what you can do is very much documented. But there is a big difference between turning off certain signatures and a Java parser, and filtering what traffic is put into the memory that BI allocates and then processes. There is no telling how well BI implements bounds checking in regards to its memory use, and even though this unknowingness is something that is inherent with most software, you have to keep in mind that this type of program listens to and processes all incoming traffic if you do not put it behind a filter. You can compare that to opening up all ports and turning off all IP filters for this single program. Very different from a firewall or border router or even an unprotected OS listening to traffic and then initially dropping or responding to single packets based on packet header information alone.

For the most part BI seems to be dealing with single packet signatures so I'm not too concerned, but experience tells me to filter out most of the BS at the perimeter using the simplest methods and then start looking for the intrusions closer to their destination. That is generally why I suggest putting this program behind a cable/DSL router, for example, where that may apply. Then your IDS only has to deal with attacks that are somewhat solicited. You may want to see what is actually going on out there and that is fine for someone who likes to "tool around", but curiosity killed the cat. It's not a matter of whether this is a good product or not. It is a matter of filtering out packets that are of no consequence before they get to the IDS so you don't have to trust that the developers have not left bugs or vulnerabilities behind. Not to mention I would rather have a router or other device blocking something like a DoS attack as opposed to a program using CPU cycles on my desktop to block and tell me that there is something going on which can be effectively blocked elsewhere.

As you state, no single program can make your system safe and I agree, but I guarantee you a single program can totally compromise your security if you fail to use it with care. Enhancing security means using all reasonable precautions when using such a program, which includes some level of distrust of the developers of such software.
> This can be done in blackice. If you are fortunate enough to have access to
> some "undocumented" aspects of blackice, you quickly learn some of the
> amazing things you can do with it. For example, you can tune out specific
> probes, ports and signatures. You also can control the IDS engine and how
> rigorous it scans traffic. For example, you can turn off Java preprocessing
> and many other features. You also can feed blackice Snort signatures.
> Something only a handful of people (I happen to be one of them) know how to
> do.
> One thing I do know is that if you think a piece of software will make you
> secure - you're hopelessly wrong. software is merely a tool to help you
> improve security. Real security begins with intelligence and expertise - not
> software.
That's because that is what it is...a file integrity monitor. I don't like the way it is implemented, or maybe more its lack of configuration, but it is a very powerful feature. It works in real time, which is something most of the file integrity programs don't do. And it does it with relatively little overhead to boot.
> I don't care much for the
> baselining utility. We use it as an integrity monitor.
For the most part I have no problem with BI. It is a pretty good firewall that has some great features, but it also has some poorly implemented ones. This can be said about most, if not all, personal firewalls. Generally it is a matter of choosing a firewall that best suits one's personal needs and finding a few add-ons or additional programs to make up for what they lack. BI is more geared towards protecting services and servers, although it does have benefits as far as web browsing and email clients are concerned. Unfortunately the companies would rather tell us how great their wares are, but at least we have some forums like this to throw around the facts and our opinions so we can all figure out what they don't tell you.
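The placement argument in the message above (drop unsolicited packets at the perimeter on header information alone, so the IDS only has to inspect traffic that is solicited or deliberately published) can be modelled with a small stateful filter. The following is an added illustration, not BlackICE code and not anything the poster supplied; the packet records, addresses and the `PerimeterFilter`/`run` names are constructed for the example.

```python
# Added illustration of the perimeter-filter-before-IDS argument: a stateful
# filter decides on headers alone, so the IDS behind it only inspects traffic
# that is solicited or explicitly published. Constructed example; none of this
# is BlackICE code and the packets below are made up.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" leaves the protected host, "in" arrives from outside
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PerimeterFilter:
    """Decides on header information alone: a connection table of what the
    inside host initiated, plus a fixed set of published service ports."""
    published_ports: frozenset = frozenset()
    state: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Remember the flow so that its replies are treated as solicited.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "forward"  # answer to a connection the inside host opened
        if pkt.dport in self.published_ports:
            return "forward"  # a service deliberately exposed to the outside
        return "drop"  # unsolicited: dropped before the IDS ever sees it


def run(packets, published_ports=()):
    """Return (packets the IDS must inspect, packets dropped at the perimeter)."""
    pf = PerimeterFilter(frozenset(published_ports))
    inspected, dropped = [], []
    for p in packets:
        (inspected if pf.decide(p) == "forward" else dropped).append(p)
    return inspected, dropped


# Constructed traffic: one outbound web request and its reply, then three
# unsolicited probes of the kind background scanners send at any address.
SAMPLE = [
    Packet("out", "10.0.0.5", 40001, "203.0.113.7", 80),
    Packet("in", "203.0.113.7", 80, "10.0.0.5", 40001),
    Packet("in", "198.51.100.9", 5555, "10.0.0.5", 80),
    Packet("in", "198.51.100.9", 5556, "10.0.0.5", 445),
    Packet("in", "198.51.100.9", 5557, "10.0.0.5", 135),
]

if __name__ == "__main__":
    for ports in ((), (80,)):
        seen, gone = run(SAMPLE, ports)
        print(f"published={set(ports)}: IDS inspects {len(seen)}, "
              f"perimeter drops {len(gone)}")
```

With nothing published, the IDS behind the filter inspects only the outbound request and its reply; the three probes never reach it. Publishing port 80 lets the web probe through, which is exactly the "somewhat solicited" traffic the message says the IDS should be left to deal with.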