Re: New LAN user needs laptop security assistance

From: Duane Arnold (notme_at_notme.com)
Date: 06/15/03

  • Next message: nemo outis: "Re: How does stunnel work?"
    Date: Sun, 15 Jun 2003 10:41:33 GMT
    
    

    I would use a free firewall like Kerio or Tiny and BlackIce together.

    Why, because BI is an IDS/firewall solution based on the OSI model for
    network firewalls and has the ability to stop malware from coming in the
    network traffic or running on the machine.

    http://www.firewall-software.com/firewall_faqs/firewall_network_models.html

    There are times when I have to take my laptop to work and connect my laptop
    to the company's network. Yeah, the Raptor firewall the company uses works
    fine for the entire network. But machines behind the firewall connected to the
    network can and are being attacked by malware coming in the network traffic,
    because of file sharing on ports and services being used by the MS O/S
    connected to the network. BI has got my machine covered.

    http://www.uksecurityonline.com/products/intrusion-detection.php

    Although it has a link to discussing IDS applications, the good reason for
    using an IDS/firewall app is at the below link within how to protect one of
    the NT based O/S's.

    http://www.uksecurityonline.com/husdg/windows2000/ids.htm

    The key to understanding what BI is doing is to read the Server User manual
    which gives more detailed information.

    http://blackice.iss.net/product_documentation.php
    http://www.iss.net/products/networkice/eval/

    You may see someone trying to *dog* me. He is negative and I am about
    business.

    Below is my analysis on how an IDS/firewall like BlackIce and Sygate really
    work and other firewall applications are now implementing an IDS component
    in the applications.

     Please ignore my rant on this person.

    HTH

    Dr. *D* :)

    *********

    This post is about my knowledge about things that I have learned to look for
    since I have come to this <g>. Although my analysis is between BlackIce and
    Sygate, I have nothing against Sygate, and it's moving in the right
    direction.

    I don't know what this fool Walter has said about me. But I know it cannot
    be good. I am not reading his sh*it anymore. Pull up the history of my posts
    concerning my technical expertise. You will sure as hell find it. Pull up
    Walter's stuff, if you can find it. But really all you have to do is find my
    posts trying to respond to this *clown*, along with helping others. I help
    in this <g> and others I frequent.

    When a company such as the Archer Daniels Midland Company will pick up my
    *** lock, stock and barrel and move me to their corporate headquarters
    and tell me that I have the credentials that are needed to help develop this
    critical multi-tier international Web based application that the company
    has spent millions on in a seven year period and it has not been successful.
    Well, it is successful, as I and my team are bringing it up from scratch.

    The bottom line here is with this Taco Bell *** is that I cut him down
    on BlackIce. This fool even used BI and didn't know what the hell he was
    doing with it and started bitching and crying about his damn $40 big ones.
    Here recently, with all this BS about Outpost this *clown* showed up again
    bitching about BI again and I cut him down again. I didn't know it was this
    fool, because he will not post with his real name. This *clown* is in my
    face; you should check out what he did the first time. I am afraid he is on
    this same path again.

    I'll put my knowledge of computers and technical expertise up against anyone
    and will be able to hang there.

    So when I mention InterGate, it's more powerful than BlackIce in some ways.

    Really what this comes down to is me against a *clown*.

    Dr. *D* :)

    *********

    Malware test using Gator telling Gator to install from the Website:

    IE Security:

    IE stopped the download and I told it OK

    BlackIce:

    BlackIce Application control stopped the download reporting that
    *iegator.dll* wanted to use *iexplorer.exe* and I told it OK. BTW, I did an
    entire search of <C> looking for *iegator.dll* and it was not there, which
    means it was coming from the Website in the HTTP traffic.

    BlackIce Communication control detected that *iexplorer.exe* wanted access
    to the Internet, but of course it was *iegator.dll* who wanted access and I
    told it OK.

    BlackIce Application Control stopped *gatorsetup.exe* from executing and I
    told it OK. BTW, I searched for *gatorsetup.exe* on <C> and it was not
    there, which means it was coming from the Website in the HTTP traffic.

    BlackIce Communication control reported that *gatorsetup.exe* wanted access
    to the Internet and I told it OK.

    Sygate Pro:

    Sygate Pro, after BlackIce detected everything upfront, indicated that Gain
    Setup was trying to connect to *gs.gator.com* using remote port 80 HTTP.

    My analysis of this is that BlackIce IDS is doing a detailed analysis of
    layer 7 (application) protocols such as HTTP, Telnet, etc and is looking at
    what is coming in the network traffic from a Website and stopping it. And
    BlackIce is checking its Application and Communication control database in
    real time based on its analysis of traffic in layer 7.

    Sygate is not doing an analysis of layer 7 and not stopping anything from
    coming from a Website. Sygate only knew to stop the outbound communications
    of *gatorsetup.exe*. Once Sygate has given approval of iexplorer.exe to
    communicate to the Internet, it doesn't have the means to stop a *dll*
    executing from a site using iexplorer.exe on its behalf.

    Conclusion is that BlackIce has better features with its IDS than Sygate Pro
    in controlling program execution and communication to the Internet and is
    better at stopping malware on the machine. Not only is BlackIce looking at
    dll's, it is looking at exe, com, sys, drv, ocx too and BlackIce can be made
    to look at more sub component program types. You see, an attack will not
    always come from a dll or exe trying to use IE, OE or Outlook as the host to
    get out. Not only is BlackIce's IDS looking at what's executing and
    communicating at the machine level, but it is looking at the network traffic
    too.

    Sygate is using a Signature Analysis IDS engine. They consider this type of
    IDS engine to be extremely elementary. Most products that employ signature
    analysis also use basic protocol analysis. Layers 3 (network) and 4
    (transport) of the OSI model, which contain IP, TCP and UDP, are all
    examined. So Sygate as well as BlackIce use a Signature Analysis IDS engine.

    Signature analysis systems have a few key strengths. They are very fast,
    since packet matching is a relatively non-processor intensive task. The
    rules are easy to write and understand, as well as very customizable.
    Additionally, there is fantastic community support for rapidly generating
    signatures for new alerts and warnings. These systems excel at catching low
    level, simple attacks since they tend to employ prepackaged exploits that
    are easy to recognize. Lastly, signature-based analysis conveys exactly what
    has happened very well, since it takes a very specific event to trigger an
    alert or tell its firewall component to close the *open* port with Sygate
    or BlackIce.

    Signature analysis, while initially very fast, sees its performance edge slip
    away as the ruleset grows. This is particularly problematic as the ruleset
    can grow very fast - basically, for each attack or exploit that is created by
    attackers, a new rule must be created to detect it. Despite data normalizers
    and packet reassembly, both of which eliminate some evasion techniques,
    uncountable variations of attacks can slip by a signature-based system.
    Application level attacks such as Unicode, multiple variations similar to
    those found in SNMP community strings, and evasion programs that morph shell
    code like ADMutate can cause serious problems for any signature system. The
    slightest variation in an attack is often enough to defeat a signature. The
    only solution is more rules, which eats away at performance and increases
    complexity.

    This is where *BlackIce* starts to separate itself from *Sygate*. While at
    first glance protocol-based IDSs are slower than signature-based systems,
    they more than make up ground in terms of scalability and performance as
    signature-based rulesets grow. Furthermore, since they search for generic
    violations, protocol analysis engines can often catch zero-day exploits,
    something that is impossible for a signature system; unfortunately, they can
    sometimes miss obviously deviant events, such as a root Telnet session, that
    do not violate any protocol. Protocol-based systems keep the false alarms to
    a minimum, since they log real violations. And the BlackIce IDS closes the
    *open* port with its firewall component.

    IMHO from this point forward, this is where *BlackIce* IDS/firewall blows
    *Sygate* and the rest away. Of course, the effectiveness of an IDS depends
    upon the environment in which it will be employed. Monitoring a large,
    diverse network is very different from smaller, homogenous environments.
    Signature analysis models are best suited for average-sized networks looking
    to catch standard threats. Administrators can draw on the fantastic
    community support for releasing updated signatures, and performance is not a
    crucial factor. However, a bigger, ever-changing network would likely
    benefit from some of the strengths of a protocol analysis system:
    performance, minimal false positives, and generalized alerts.

    Without a doubt this is where the BlackIce IDS/firewall solution outshines
    the rest. Anyone choosing an IDS based on one of these techniques has
    several factors to consider. Each model excels in different arenas.
    Fortunately, it appears as though we're headed in the direction of
    reconciliation between the two divergent methods. The engineers and
    programmers behind these systems recognize the obvious strengths and
    weaknesses of each approach. As can be expected, the developers are
    attempting to pull together the best components of each approach in order to
    provide a more robust product - a fact that is evident in several of the
    more recent IDS offerings. Currently, almost all of the protocol-based
    offerings perform pattern matching at some point in the application level
    decode. There are IDS systems that, even though they perform protocol
    analysis, also allow the user/operator the ability to create signatures for
    particular traffic. We can expect to see more of this as well. Similarly,
    signature-based systems are bundling application processors to more
    effectively recognize attacks.

    The fundamental IDS concept is that these devices, similar to firewalls,
    inspect incoming and outgoing network traffic. Unlike firewalls, however,
    they do not alter the traffic flow by dropping or passing certain packets.
    Rather, they look for malicious traffic that may be indicative of an attack
    or other misuse and log an alarm with specific data for administrative
    review.

    BlackIce has taken this a step further with the introduction of its
    *firewall* sub system and it does alter the traffic flow by dropping or
    passing certain packets. BlackIce has taken the protection of the machine
    even further by integrating and coupling its Application and Communications
    control sub systems to the IDS main system.

    It is evident that BlackIce's main focus is not on the firewall sub system,
    because of how one must go to the *firewall.ini* file to manually configure
    the firewall with more sophisticated rulesets. But BlackIce's firewall sub
    system is as powerful as any other firewall on the market and one can
    control it just as well. But the firewall sub system is tightly integrated
    to the IDS main system and is mainly there for the IDS component.

    BlackIce does take on the role of the traditional IDS application when it
    *red* alerts and doesn't always block an IP, although ISS indicates that
    BlackIce always takes some protection measures during a *red* alert. I think
    people are confused when that happens along with not seeing the *blocked*
    symbol, thinking that BlackIce did nothing. But in fact, BlackIce did do
    something and it alerted on the attack issue. It's up to the ADMIN to take
    the appropriate measures if necessary by *blocking* the IP by using the ADV
    Firewall Settings UI and setting the appropriate rule.

    I have yet to lock down SQL Server 2000 running on my Win 2K ADV Server
    machine. Why, because the security patches are very difficult to apply. The
    very first security patch blows up and I am not getting on the phone with MS
    to find out why. I suspect this kind of attitude by a lot of SQL Admins,
    otherwise, SQL Slammer wouldn't have hit as hard as it did in the wild.
    There was a security patch for SQL Slammer from MS. I'll just let BlackIce
    protect the *open* ports and services.

    Also, I have yet to completely lock down the Win 2K ADV server or the Pro
    workstations due to the fact that BlackIce is on the machines protecting
    *open* ports and services running on the machines, along with the Linksys
    NAT router, which doesn't have SPI. BlackIce is performing the role of SPI
    on the network and is performing it well.

    Don't get me wrong, I like Sygate; it's a fine product and has a couple of
    nice features that BlackIce doesn't have in it. But on the other hand, I can
    use TCPview and the Task Manager and do the same thing. I do like the Update
    Signature, Outbound Application protection, and the ability to give
    sophisticated rulesets through the UI.

    But Sygate is just a *Personal* SWF that is just now becoming aware of IDS
    and is nowhere in the league with the BlackIce IDS/firewall - no way, no
    how and no sir is it in the league with BlackIce. And point blank, neither
    are the other SWF's for the Windows Desktop platform in the league with
    BlackIce. If Snort is the equivalent for the Linux platform, then it's not
    in the league either.

    Yeah -- yeah, let some *clueless* one come at me now about BlackIce. The AKA
    is fully loaded! ;-)

    Soon, I'll be learning just what does a firewall do.

    Later!

    Dr. *D* J

    --
    The protection of the machine is a process and not a given!
    "J44XM" <j44xm@seventy8.n_t> wrote in message
    news:Xns939916E9CF312j44xm@206.66.12.209...
    > Hello and thanks for reading. I'll try to keep this short.
    >
    > I just bought a basically-new Toshiba Satellite 1415-S173 laptop (1.8 GHz
    > processor, 30 GB HD, 256 MB RAM, Windows XP Home) and I am using it to
    > connect to my university's LAN. I unfortunately just had a brief brush with
    > a couple of viruses (now apparently eliminated), so I wanted to ask you, the
    > experts, directly: What do I need to keep my computer safe?
    >
    > Do I only really need anti-virus and firewall software? Can you recommend
    > high-quality software, preferably (but not necessarily) try-before-you-buy
    > shareware? Since I'm a college student, I don't have much money, so
    > expensive solutions are out; but I'm certainly willing to spend a bit to
    > ensure my data's safety. Also, is it safe to keep my LAN connection active,
    > or should I make it a habit to connect only when I'm actively using it? (I
    > like streaming music ...)
    >
    > Any advice you can offer will be very, very much appreciated.
    > -- 
    > J44XM (#seventy8.net)
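Added example (not from Duane's post, and not ISS or Sygate code): a toy model in Python of the two engine types the post contrasts, signature analysis versus protocol analysis, run over constructed HTTP request lines. It is meant to make concrete the two claims in the signature-analysis and protocol-analysis paragraphs: a signature engine is fast and precise but misses the "slightest variation" of a pattern (here, a percent-encoded or double-encoded path traversal), while a protocol engine catches generic violations it has never seen a rule for (the encoded variants, an overlong request line) yet misses a perfectly well-formed request that is only bad because of what it is (the post's "root Telnet session" case). The rule names, the 256-byte request-line bound, the "bad agent" string and all sample requests are my own constructed assumptions.

```python
"""Toy IDS engines, constructed for illustration: signature vs protocol analysis.

Both engines see the same raw HTTP request text. Nothing here is captured
traffic; every sample and every rule below is constructed for the example.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# --- signature engine: literal byte patterns, one rule per known bad thing --
# (constructed rules; a real ruleset grows by one entry per new exploit)
SIGNATURE_RULES: Dict[str, str] = {
    "dir-traversal-literal": "../",
    "known-bad-agent": "Constructed-Bad-Agent/1.0",   # hypothetical agent string
}


def signature_scan(raw_request: str) -> List[str]:
    """Return the names of rules whose pattern occurs verbatim in the request."""
    return [name for name, pat in SIGNATURE_RULES.items() if pat in raw_request]


# --- protocol engine: parse HTTP/1.x and report generic violations ----------
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 256          # constructed bound for this example
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def protocol_scan(raw_request: str) -> List[str]:
    """Return generic protocol violations found in the request line.

    No check here names a specific exploit. Each one describes what a
    well-formed request may look like, so an encoding variant that was
    never seen before still trips the same check once it is decoded.
    """
    findings: List[str] = []
    request_line = raw_request.split("\r\n", 1)[0]
    if len(request_line) > MAX_REQUEST_LINE:
        findings.append("request-line-too-long")
    m = REQUEST_LINE_RE.match(request_line)
    if m is None:
        findings.append("malformed-request-line")
        return findings
    method, target, major, minor = m.groups()
    if method not in ALLOWED_METHODS:
        findings.append("unexpected-method")
    if (major, minor) not in {("1", "0"), ("1", "1")}:
        findings.append("unexpected-version")
    # Normalise before judging: percent-decode repeatedly so double encoding
    # cannot hide a segment, then look at path segments rather than raw bytes.
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in decoded):
        findings.append("non-printable-in-target")
    if ".." in decoded.replace("\\", "/").split("/"):
        findings.append("path-traversal-after-decode")
    return findings


def combined_scan(raw_request: str) -> List[str]:
    """Union of both engines: the convergence the post says vendors are heading for."""
    return sorted(set(signature_scan(raw_request)) | set(protocol_scan(raw_request)))


# Constructed sample requests (not captured traffic).
SAMPLES: Dict[str, str] = {
    "benign":         "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "literal-dotdot": "GET /../../config/secret.txt HTTP/1.0\r\n\r\n",
    "encoded-dotdot": "GET /%2e%2e/%2e%2e/config/secret.txt HTTP/1.0\r\n\r\n",
    "double-encoded": "GET /%252e%252e/config/secret.txt HTTP/1.0\r\n\r\n",
    "overlong":       "GET /" + "A" * 400 + " HTTP/1.0\r\n\r\n",
    "bad-agent":      "GET / HTTP/1.1\r\nUser-Agent: Constructed-Bad-Agent/1.0\r\n\r\n",
}


def run_all() -> Dict[str, tuple]:
    """Run every sample through both engines and the combined view."""
    return {name: (signature_scan(r), protocol_scan(r), combined_scan(r))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig, proto, both) in run_all().items():
        print(f"{name:15} signature={sig} protocol={proto} combined={both}")
```

Reading the output side by side shows the trade-off the post describes: the encoded and double-encoded traversals and the overlong request line are caught only by the protocol engine, the well-formed request with the constructed bad agent string is caught only by the signature engine, and only the combined view flags all five bad samples while leaving the benign request alone.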
    