Re: black ice usage question

From: David (davidwnh_at_adelphia.net)
Date: 11/07/03


Date: Fri, 07 Nov 2003 09:07:41 GMT

It relies on its application control for outbound protection. There is
no way to restrict specific programs to only access specific IP
addresses or destination ports. It's all or nothing. There is no way to
restrict the entire machine from accessing certain ports either. A good
firewall will allow the user to restrict all access to only the ports
needed. For example, if a user only uses a browser and email they should
be able to set up a firewall that will only allow outbound access to
ports 25, 80, 110, and 443. No can do with BI. You should also be able to
set up your firewall so that you can restrict the destination IP
addresses that can be accessed with certain protocols. For example, you
should be able to set up a rule so that only the SMTP servers that you
use can be accessed. Once again, no can do with BI.

>
> BlackIce is not for the novice. It's not as user friendly as the others
> with the point and click.

The logging is good. Better than most due to the integrated IDS, with
quick web links to extended information regarding specific entries.
>
> 1) It has very good logging.
>

The IDS is OK. This is probably what has enamored most of its users. How
useful it is depends on the individual user. Many of the exploits
it will catch are for servers that many home users won't be using anyhow
and for vulnerabilities that have been patched. Most of the IDS
definitions for client applications are for vulnerabilities that have
been patched. This being said, most home users should make a decision
based on other firewall functions because the IDS is limited in what it
will "actually" provide additional protection from. One just needs to
keep their system patched and up to date. The IDS does allow for some
concise, relatively easy to understand log entries as mentioned above.

> 2) The IDS communicates to instruct the FW component to close the port
> to attacks when detected.
>

Most firewalls allow you to block unsolicited inbound traffic. Some have
a few vulnerabilities or "holes" in this regard but for the most part
all personal firewalls can be configured adequately in this regard.

> 3) It has FW rule sets that can be done at the desktop UI, but it also
> has more sophisticated rule sets that can be entered into the
> Blackice.ini and Firewall.ini files. And the FW component is as powerful
> as any with the ability to stop all unsolicited inbound traffic from
> reaching the machine. In other words, if the traffic was not initiated
> from your machine behind BI, then it will stop it.
>

These controls make for a great real-time file integrity monitor (a
little buggy but workable). However, it is a terribly incomplete and
ineffective way for a firewall to filter outbound traffic. It leaves all
instances of socially engineered exploits dependent on a single end user
decision. And if you happen to install a program that is unknowingly
trojaned or includes other malware you are screwed. There is no outbound
packet filtering capability to give you a second chance. Definitely not
*layered protection*.

> 4) The Application and Communication Controls are as good as any in
> stopping program execution and communicating to the Internet. It does
> this better than any of the others I have tried, because it allows one to
> control any program element type on the machine, if needed. Application
> Control prevents anything from just installing itself on the machine too
> and executing.
>

You certainly need to do a little extra work to tighten it up through
edits of the .ini files, but it still falls short of other firewalls
when it comes to outbound protection. Plus you shouldn't have to fire up
a text editor to make it more restrictive; you should be able to do it
from the GUI.

> But like I said, BI is more for the technically minded person. That's not
> to say that you're not that. But that's just the way it is. In order to
> use it effectively, you have to get into it, because it is not point and
> click. Any product is only as good as the person sitting at the keyboard
> or using the mouse.
>

If ISS added standard packet filtering for outbound initiated traffic BI
would "rock". Without it? Seems to depend on the end user. A lot of
people don't use the packet filtering capabilities that are included with
some of the other personal firewalls anyhow. They rely only on the basic
allow/deny functionality of those programs' application controls. But if
someone wants the extra protection afforded with additional packet filters
to restrict the ports and IP addresses going outbound then other
personal firewalls are a better choice.
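The distinction the post draws between all-or-nothing application control and a per-program, per-port, per-destination outbound packet filter, as an added example that is not part of the original thread: a small Python policy evaluator (hypothetical program names, RFC 5737 documentation addresses) that encodes the "browser plus email" policy described above and shows the packet filter giving a "second chance" when a trusted mail client is trojaned and tries to reach an unapproved SMTP server.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    program: Optional[str]   # None matches any program
    dst_net: str             # CIDR; "0.0.0.0/0" matches any IPv4 destination
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, program: str, dst_ip: str, dst_port: int) -> bool:
        return ((self.program is None or self.program == program)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == dst_port))


# Constructed policy for the "browser and email only" user from the post.
# Program names are hypothetical; server addresses are documentation ranges.
SMTP_SERVER, POP3_SERVER = "192.0.2.25", "192.0.2.26"
PACKET_FILTER: List[Rule] = [
    Rule("outlook.exe", f"{SMTP_SERVER}/32", 25, "allow"),   # only our SMTP server
    Rule("outlook.exe", f"{POP3_SERVER}/32", 110, "allow"),  # only our POP3 server
    Rule("browser.exe", "0.0.0.0/0", 80, "allow"),           # web, any destination
    Rule("browser.exe", "0.0.0.0/0", 443, "allow"),
]

# All-or-nothing application control: a program is either trusted or not.
TRUSTED_PROGRAMS = {"outlook.exe", "browser.exe"}


def app_control(program: str) -> str:
    return "allow" if program in TRUSTED_PROGRAMS else "deny"


def packet_filter(program: str, dst_ip: str, dst_port: int,
                  rules: List[Rule] = PACKET_FILTER) -> str:
    """First matching rule wins; no match means default deny."""
    for rule in rules:
        if rule.matches(program, dst_ip, dst_port):
            return rule.action
    return "deny"


def layered(program: str, dst_ip: str, dst_port: int) -> str:
    """Both layers must allow; the packet filter is the second chance."""
    if app_control(program) == "deny":
        return "deny"
    return packet_filter(program, dst_ip, dst_port)


if __name__ == "__main__":
    # Trojaned copy of the trusted mail client relaying to an arbitrary host.
    print(app_control("outlook.exe"), layered("outlook.exe", "203.0.113.7", 25))
```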
