Re: black ice usage question

From: Duane Arnold (notme_at_notme.com)
Date: 11/07/03


Date: Fri, 07 Nov 2003 13:04:26 GMT

David <davidwnh@adelphia.net> wrote in
news:xhJqb.186$KN4.57036@news1.news.adelphia.net:

> It relies on its application control for outbound protection. There
> is no way to restrict specific programs to only access specific IP
> addresses or destination ports. It's all or nothing. There is no way
> to restrict the entire machine from accessing certain ports either. A
> good firewall will allow the user to restrict all access to only the
> ports needed. For example if a user only uses a browser and email they
> should be able to set up a firewall that will only allow outbound
> access to ports 25, 80, 110, and 443. No can do with BI. You should also
> be able to set up your firewall so that you can restrict the
> destination IP addresses that can be accessed with certain protocols.
> For example you should be able to set up a rule so that only the SMTP
> servers that you use can be accessed. Once again no can do with BI.
>
>>
>> BlackIce is not for the novice. It's not as user friendly as the
>> others with the point and click.
>
> The logging is good. Better than most due to the integrated IDS. With
> quick web links to extended information regarding specific entries.
>>
>> 1) It has very good logging.
>>
>
>
> The IDS is OK. This is probably what has enamored most of its users.
> As to how useful it is depends on the individual user. Many of the
> exploits it will catch are for servers that many home users won't be
> using anyhow and for vulnerabilities that have been patched. Most of
> the IDS definitions for client applications are for vulnerabilities
> that have been patched. This being said, most home users should make a
> decision based on other firewall functions because the IDS is limited
> in what it will "actually" provide additional protection from. One
> just needs to keep their system patched and up to date. The IDS does
> allow for some concise relatively easy to understand log entries as
> mentioned above.
>
>> 2) The IDS communicates to instruct the FW component to close the
>> port to attacks when detected.
>>
>
> Most firewalls allow you to block unsolicited inbound traffic. Some
> have
> a few vulnerabilities or "holes" in this regard but for the most part
> all personal firewalls can be configured adequately in this regard.
>> 3) It has FW rules sets than can be done at the desktop UI, but it
>> also has more sophisticated rule sets that can be entered into the
>> Blackice.ini and Firewall.ini files. And the FW component is a
>> as powerful as any with the ability to stop all unsolicited inbound
>> traffic from reaching the machine. In other words, if the traffic
>> was not initiated from your machine behind BI, then it will stop it.
>>
>
> These controls make for a great real-time file integrity monitor (a
> little buggy but workable). However, it is a terribly incomplete and
> ineffective way for a firewall to filter outbound traffic. It leaves
> all instances of socially engineered exploits dependent on a single
> end user decision. And if you happen to install a program that is
> unknowingly trojaned or includes other malware you are screwed. There
> is no outbound packet filtering capability to give you a second
> chance. Definitely not *layered protection*.
>> 4) The Application and Communication Controls are as good as any in
>> stopping program execution and communicating to the Internet. It does
>> this better than any of the others I have tried, because it allows
>> one to control any program element type on the machine, if needed.
>> Application Control prevents anything from just installing itself on
>> the machine too and executing.
>>
>
> You certainly need to do a little extra work to tighten it up through
> edits of the .ini files, but it still falls short of other firewalls
> when it comes to outbound protection. Plus you shouldn't have to fire
> up a text editor to make it more restrictive, you should be able to do
> it from the GUI.
>> But like I said, BI is more for the technically minded person. That's
>> not to say that you're not that. But that's just the way it is. In
>> order to use it effectively, you have to get into it, because it is
>> not point and click. Any product is only as good as the person
>> sitting at the keyboard or using the mouse.
>>
>
> If ISS added standard packet filtering for outbound initiated traffic
> BI would "rock". Without it? Seems to depend on the end user. A lot of
> people don't use the packet filtering capabilities that are included
> with some of the other personal firewalls anyhow. They rely only on
> the basic allow/deny functionality of those programs' application
> controls. But if someone wants the extra protection afforded with
> additional packet filters to restrict the ports and IP addresses going
> outbound then other personal firewalls are a better choice.
>
>

But like I said, BI is not for the average Joe Blow home user. It does
the job that I need it to do. I have never been hacked and it protects
the way I need it to protect the machine. Yes, BI doesn't have some of
the bells. And most of the things BI protects are no different from any
of the other FW(s) when it comes to protecting services. If I am lazy and
forget a patch or two, the exploit is not coming past BI. Is that not
what a FW is supposed to do, protect the services on the machine? No home
user, not even I, has patched the MS O/S and locked it down as I should,
because I have BI on the machines.

The way I see it, all the FW(s) have shortcomings, but as long as any of
them does what it is being asked to do, that's all that can be asked. It's not
a perfect world and it never will be that and all of the FW(s) are
exploitable, if one doesn't know what one is doing.

I like BI. It's never failed me and I think it's one of the best host
based FW(s) on the market -- bar none.

Duane :)
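The distinction David draws above, between per-program "all or nothing" application control and an outbound packet filter that limits ports (25, 80, 110, 443) and SMTP destinations, can be illustrated with a small policy model. The code below is an added example written for this archive page; it is not code from either poster, from BlackICE, or from any firewall product. Program names, the 192.0.2.0/24 "own mail servers" range and the 203.0.113.x destinations are constructed values from the documentation address ranges.

```python
"""
Toy model of two outbound-control layers: application control
(per-program allow/deny) and a global outbound packet filter
(port plus optional destination-network restriction, default deny).
Constructed example for illustration; no product's real rule syntax.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Connection:
    program: str    # executable initiating the outbound connection
    dst_ip: str     # destination IPv4 address
    dst_port: int   # destination TCP port


# Layer 1: application control. Hypothetical programs the user has
# clicked "allow" for. The decision is per program only; an allowed
# program may reach any port and any address.
APP_ALLOW = {"browser.exe", "mailclient.exe"}

# Layer 2: outbound packet-filter rules in the shape the thread asks for:
# only the ports a browser and mail client need, and SMTP only to the
# user's own mail servers. 192.0.2.0/24 stands in for those servers.
PACKET_RULES = [
    # (destination port, allowed destination networks; None = any)
    (25,  [ipaddress.ip_network("192.0.2.0/24")]),  # SMTP: own servers only
    (80,  None),                                     # HTTP
    (110, None),                                     # POP3
    (443, None),                                     # HTTPS
]


def app_control(conn: Connection) -> bool:
    """All-or-nothing: True if the program itself is on the allow list."""
    return conn.program in APP_ALLOW


def packet_filter(conn: Connection) -> bool:
    """Match on port, then on destination network if the rule has one.
    Anything without a matching rule is denied (default deny)."""
    dst = ipaddress.ip_address(conn.dst_ip)
    for port, nets in PACKET_RULES:
        if port != conn.dst_port:
            continue
        return nets is None or any(dst in net for net in nets)
    return False


def decide(conn: Connection, layered: bool) -> str:
    """Return 'allow' or 'deny:<layer>' for one connection attempt.
    layered=False models application control alone; layered=True adds
    the outbound packet filter as a second check."""
    if not app_control(conn):
        return "deny:app-control"
    if layered and not packet_filter(conn):
        return "deny:packet-filter"
    return "allow"


if __name__ == "__main__":
    attempts = [
        Connection("mailclient.exe", "192.0.2.10", 25),   # SMTP to own server
        Connection("mailclient.exe", "203.0.113.7", 25),  # SMTP elsewhere
        Connection("browser.exe", "203.0.113.5", 443),    # ordinary HTTPS
        Connection("browser.exe", "203.0.113.9", 8080),   # port not in the set
        Connection("unknown.exe", "203.0.113.5", 80),     # never approved
    ]
    for c in attempts:
        print(f"{c.program:15} -> {c.dst_ip}:{c.dst_port:<5} "
              f"app-only={decide(c, False):18} layered={decide(c, True)}")
```

The fourth attempt is the case the thread is arguing about: a program the user once approved (so application control passes it) reaching for a port outside the needed set. With application control alone the answer is `allow`; with the packet filter as a second layer the same attempt is `deny:packet-filter`, which is the "second chance" David describes for a trojaned or otherwise misbehaving approved program. The second attempt shows the destination restriction doing the same for SMTP.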


