Re: black ice usage question
From: David (davidwnh_at_adelphia.net)
Date: Mon, 10 Nov 2003 10:31:00 GMT
The point is with a router already there, all ports are already being
blocked from unsolicited traffic. The only additional blocking you get
would be from traffic that is allowed to pass through the router for
secondary connections set up through the router's ALGs, FTP for example.
Maybe not what a person would want since this would effectively break
port mode ftp transfers, for example. Then again not bad if someone was
always dealing with ftp servers that allowed passive mode and always
tried to force passive mode.
In any case many of the personal firewalls have the same functionality;
they will often have two or three different security level settings
which do the same thing. If someone needs to use a program that uses
dynamically assigned secondary connections that are initiated from other
machines then they have to lower the settings. That is what the settings
are for because many of these personal firewalls do not use ALGs for
such protocols. Another alternative is to give specific IP addresses more
privileges if someone knows what the IP addresses will be in advance.
>>Go ahead and set up a rule for ports 1-65535. Your router is already
>>protecting you from that anyhow.
> Let's start there. The rules make a difference for a machine that is
> using BI that is not behind the router.
> The protection level of Paranoid does accomplish this too, but I prefer
> to have the rules set, just in case the machine is taken off of the
> Paranoid level.
> With BI set in the Paranoid mode with the 1-65535 rules set, Auto Block
> and possible ICMP rules set, BI is as solid as any other host based FW on
> the market. You cannot convince me otherwise that it is not solid
> protection for unsolicited inbound traffic to the machine.
> No person in their right mind using BI who knows anything about BI would
> not have BI setting at its maximum protection level with additional rules
> being enabled, if a machine is connected directly to the Internet. I
> would not even do it. And I don't with the other machine for my family
> member's machine.
If someone has a machine set up so that there are no listening services
bound to the high ports on their internet facing adapter then there is
no *serious* risk. Otherwise statically bound services there can be
protected with additional filters and dynamically bound services are
hard to find and identify if the user has the portmapper blocked from
> Setting up BI in any other fashion other than what I have explained above
> is taking serious risk with BI, if not behind a NAT router or FW
> appliance. What? Do you think I don't know that? Please man please do you
> think I am that stupid?
No, I have specifically stated in several different threads that BI has
some features which do a better job than some other firewalls, some that
are comparable, and some that are not as good or non-existent. The
settings are put in the INI files so that they can be managed by an
administrative server. My comment is just an observation. I have the
same complaint about many programs. When you are dealing with Windows in
which most users only deal with the GUI, certain things should be put
where they are accessible to the user base they are catering to.
> You kind of also implied that BI was inferior due to it not having the
> means to give all rule sets at the UI level. Well, I am here to tell you
> that just because some element of the program is being done at the UI
> level, doesn't make it a superior product. Many a program I have dealt
> with or have written still use (INI) files to get information to the
> program. It's easier to hack the registry or some database table than it
> is to hack a (INI) file that is protected.
And that is fine that you do this, but others may desire to have
outbound packet filtering capability built into their firewall. This is
a public forum in which you need to realize that many people counter
others' statements to foster discussion and supply information for
others who are involved in the group. Most people in here are not adding
to or countering other participants' comments to attack them personally.
It is an anonymous forum in which adding to or disputing other posters'
statements is the basis of its usefulness to all.
> I am glad you brought this up and I'll take a look. BI does have a short
> coming on the outbound in as far as outbound protection to IP(s). But
> I'll say it again. I do not like the cat and mouse game concerning this
> area. The program is to be terminated by BI or the communications blocked
> and it's all or nothing. I like that and I don't want to play the game
> and I don't respect it. That's why I am using Active Ports and Process
> Explorer to see what's running on the machines.
One of the purposes of this group is to discuss the advantages and
disadvantages of specific firewalls so that people can choose which is
best for them. All firewalls have their own shortcomings and it is just
as if not more important to discuss these things. That is what security
is all about. Finding ways to configure, correct or supplement the
insecurities and shortcomings of OSes, applications, and other security
tools. If you don't like the fact that people will continue to discuss
these issues about products that you may be using then you can ignore
it, go elsewhere, counter with quality observations and opinion, or
continue on as you are. I don't think many really care whether you
choose to change your ways or continue to humor us.
> I say you're wrong on that. The only shortcomings I will deny are
> NEGATIVE ASS PEOPLE BITCHING AND WHINING. That's why I got into trouble a
> few months back on Outpost, because I HATE NEGATIVE ASS PEOPLE BITCHING
> AND WHINING. There is no room in the world for NEGATIVE ASS PEOPLE
> BITCHING AND WHINING. Do you get my drift? Stay POSITIVE David!