Security: beware of BlackIce Defender

Discussion in 'Trading Software' started by harrytrader, Jan 3, 2003.


    "Protecting a client

    Here's the rather bad news. Client-profile machines, like that of the typical end user, can not be protected. Since most clients spend all of their time connecting to remote servers all over the Internet — to the very servers that might be inadvertently attacking them — they require access to data coming back from many of the most common low-numbered service ports.

    Consequently, a characteristic of reflection attacks is that no sort of upstream filtering, short of full inbound connection proxying or ISP-resident NAT routing, can protect users who require access to remote servers. "
    #21     Jan 5, 2003
  2. igsi


    That means if you want to keep your machine hack-proof you should not follow every link you see, unless your browser is set to maximum security. Otherwise, eventually you might visit a webpage specifically designed to attack its visitors via their browsers and no firewall will prevent this because the user will initiate and allow communications with that page (site).
    #22     Jan 5, 2003
  3. Babak


    ummm, I don't know how to say this but here is how ZA works for me. My ports are invisible. Not closed. Invisible. Any scan of any kind gets bounced back saying 'nothing there!'. I've gone to grc and other scanning sites to make sure.

    It is not as you suggest, going back and saying 'this port is closed'. The difference being that the 'hacker' doesn't even know for sure whether there is anything there or not!! Big difference. They will then move on to easier prey.

    As well, I have freeware software that allows me to log all attempts at intrusion. Every month or so I go through the log (you can sort and play around with it). If I find anything fishy (say a certain IP pinging me or scanning continuously) I contact the admin for that IP.

    I have, to date, gotten one person kicked off their ISP in South Korea, the Netherlands and Belgium. Unfortunately I don't have a stuffed geek gallery on my wall to go along with those adventures.
    #23     Jan 5, 2003
  4. dottom


    Because you may have open ports that your firewall allows through, such as port 80 and 443 for a web server.

    How effective was ZoneAlarm when Code Red and Slapper worm did massive infections to many, many web servers? BID blocked them clean, even without the updated database signatures. It recognizes the buffer overflow attempt on the HTTP port, even if it did not know the specific attack being performed.

    Look, I'm not knocking ZA, I've said in a previous post that many users used *both* BID and ZA before BID had a viable firewall.

    My point... and I'll say it again, is you need to distinguish the *difference* between an IDS and a personal firewall. Each is a separate technology designed to do different things.

    That is all....
    #24     Jan 5, 2003
  5. dottom


    This is how most firewalls work, including BID and almost every personal firewall available on the market. The packets are dropped, so no response is sent, so it looks "invisible" to the client.
    #25     Jan 5, 2003
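As an added illustration of the closed-versus-dropped distinction in the two posts above (example code written for this page, not from ZoneAlarm, BlackICE or any forum member): a connect-scan probe classifies a port by what comes back. A listening socket completes the handshake ("open"), a closed port answers the SYN with RST ("closed"), and a firewall that silently drops the SYN leaves the scanner waiting until its timeout ("filtered", the "stealth" result the posts describe). The demo runs against two loopback ports; the timeout branch is what an external scan of a dropping firewall hits, which cannot be reproduced on loopback.

```python
import socket


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scanner (e.g. nmap -sT) does.

    'open'     - the handshake completed: something is listening
    'closed'   - the host answered our SYN with RST (ECONNREFUSED):
                 nothing listening, but the host is clearly there
    'filtered' - no reply at all before the timeout: what a firewall that
                 silently DROPs packets looks like from the outside; the
                 scanner cannot tell a dropped packet from a dead host
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # e.g. ICMP host/net unreachable, which a REJECT rule with an ICMP
        # error produces: still a reply, so still "something is there"
        return f"error:{exc.errno}"
    finally:
        sock.close()


def demo_loopback() -> dict[str, str]:
    """Run probe() against one listening and one non-listening loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Reserve and release a second port so we know nothing listens on it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return {
            "listening": probe("127.0.0.1", open_port),
            "not listening": probe("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, verdict in demo_loopback().items():
        print(f"{label:14s} -> {verdict}")
```

The point for the thread: "closed" tells the scanner the host exists and is answering, so a follow-up scan of other ports is worthwhile; "filtered" gives it nothing to work with, which is all the "stealth" claim amounts to.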
  6. igsi


    No arguing here.

    BID could have blocked Code Red, but it would be highly unlikely and reflects a rather theoretical possibility to find BID installed on a machine which had not been patched for a month and because of that was vulnerable to Code Red's attack. Again, had the machine been patched, it would not have needed BID to stop Code Red.

    BID could not have blocked slapper because BID is a host based IDS running on Windows machines while Slapper spreads on Linux machines.

    I would not argue if that was all but that was not all.

    First, in your post, where you used isapi Buffer overflow example, which BTW you cut-and-pasted from, you implied that the home user may need IDS.

    Second, in another post you stated: "IDS and firewall are two different things. Use both!"

    That's what I was arguing about. My point is, if your system is patched and you are running a desktop firewall, you are fine and you do not need an IDS. The point that Longshot made, and I agreed with, is that it's not worth it to pay for BID while you can have ZA (or Sygate, as I mentioned) for free. That's what you were arguing with. However, your arguments refer to either highly improbable or impossible events. I am sorry, but I think you are not knowledgeable enough on this subject to present an opinion that would be worthy enough to take into account while choosing a product to secure a desktop connected to the Internet.
    #26     Jan 5, 2003
  7. I use black ice and it is a very sensitive intrusion detection system. Worth the money. 5 years ago, a similar system would only be sold to corporations for thousands of dollars.
    #27     Jan 6, 2003
  8. dottom


    I disagree with this. What happens between the time you patch your system and another vulnerability is discovered? I used Code Red and Slapper worm as an example of widely known vulnerabilities that infected many, many systems quickly before administrators had a chance to patch their systems. Relying on "firewall + patches" is insufficient. You also need an IDS.

    Even though Slapper is a Linux worm the concept is the same - how many machines with iptables or ipchains were affected by Slapper despite the high regard in the open source community for these firewalls? The point is it's not just the firewall alone - vulnerabilities within the individual service are also at risk. Very few people expected Linux + iptables + OpenSSL to be at risk, but voila, it was.

    I did not cut & paste from intentionally, but from another post on a security forum. Don't know which was the source - all I was interested in was the content. (i.e. look at the facts, decide which are relevant, refute them as necessary, and perform your analysis... just like trading!)

    Hmm... you should not make such assumptions. You don't even know what I did in my former life before I started trading full-time. If you dig deep in some of my previous posts you might have an idea. This is typical EliteTrader behavior where so many people have to put others down. Why speculate on what you think I may know or not know? Do you know my credentials? I have not called you any names. Why not just address the specific points and leave it at that?

    For example, you still have not satisfactorily addressed the scenario of a firewall letting *all traffic* on a specified port through, thereby allowing hackers to attack specific vulnerabilities on a service listening on said port. Several HTTP, SSL, SSH apps have all had *major* vulnerabilities discovered in the last year alone. You have said that timely patching of your system is a solution. I say it is not. Relying on system administrators to "quickly patch" a system is 100% impractical. Ask on any real security forum, like or if relying on firewall + system administrator to patch vulnerabilities is sufficient security?

    Now I will give some *specific examples* on the usefulness of BID vs. traditional firewall.

    1. Does ZA or Tiny or any other personal firewall protect against application-proxy type attacks as described in BID does, because BID is [begin cut & paste] a protocol analysis based IDS which in addition to spotting anomalous protocols, it also has a signature base that can spot suspicious patterns in the traffic stream. Protocol analysis based IDS's are more accurate because they can see traffic inside encrypted, fragmented, or even mangled transmissions. So, an IDS can spot malware based on its signature. And it doesn't matter which application was used to send the information. Because an IDS is looking at raw network traffic (packets) the application sending those packets is irrelevant. Therefore, BID is not susceptible to application-proxy type attacks [end cut & paste] as described in above URL.

    2. Here are three major exploits that were stopped by BID without updating intrusion signatures. These three were:

    2a. Code Red
    Code Red attempts an ISAPI overflow, so even though Black Ice did not know to call the vulnerability a "Code Red attack" it labeled it as "ISAPI Extension Overflow" and stopped Code Red for two weeks before it was made public. There was a press release on the NetworkIce page around the time Code Red came out, as well as concurrent reporting on and regarding this very issue (this was during the height of the "BID vs. ZAP" discussions).

    I personally had ICEcap with BID agents (an enterprise level client/server implementation of BID where intrusion attempts are shared to other machines so as soon as one node locks out an intruder all nodes will) and distinctly remember seeing a lot of ISAPI overflow attacks about a week before the first public release about Code Red. There are many users on the security forums I've previously mentioned who had BID version 2.1cn (very old!) running and caught Code Red prior to the public announcement.

    2b. Nimda "hybrid" threats
    The Nimda viruses, similar to Code Red, attempted ISAPI backtick overflow and IIS system32 exploits, both of which BID detected and stopped before it even knew what a Nimda attack looks like. Both Nimda and Code Red passed right through Level 4 firewalls, completely undetected. You had to have employed a Level 7 firewall to have detected Code Red or Nimda. Or... an IDS protocol analyzer such as BID.

    2c. Code Blue
    Code Blue didn't get as much press in the US but it was deemed by many security experts as deadlier than Code Red. Fortunately it did not spread as widely as Code Red. Now Code Blue attempted a:
       GET /.. [Encoded characters] ../winnt/system32/cmd.exe?/c+dir

    BID blocks both the encoded unicode directory traversal and the IIS system32 command because it inspects the actual packet itself. Again, the vast majority of all firewall products would have let Code Blue traffic through on port 80. If and only if you had patched your system for the specific vulnerability would you have been protected. And this assumes that said vulnerability was previously discovered and a patch available prior to when the attack took place! An IDS gives you an extra layer of protection.

    Perhaps you remember during this period when there were so many IIS exploits being discovered, that MSFT released URLscan? What is URLscan? It's a specific type of IDS. Deals specifically only with port 80 traffic & only examines the URL request string, but it is an IDS, and it works where firewalls let traffic through.

    Also, if you are an internet security professional you should know that the biggest danger is the unknown. In internet security "you don't know what you don't know". That's why a firewall alone is not enough. You don't know what vulnerabilities have not been made public yet. But an IDS can help you be more secure (not totally, but more) by detecting such common exploits as buffer overflow attempts, ISAPI attacks, unicode hacks, etc.

    Expecting system administrators to patch their servers in a timely fashion is a completely reactive approach fraught with dangers (such as the lag between when an exploit is discovered vs. the vulnerability is announced -> a patch is made available -> the system administrator installs the patch). Why not be proactive and consider the benefits of an IDS?
    #28     Jan 6, 2003
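To make the protocol-analysis argument in the post above concrete, here is an added example (written for this page; it is not BlackICE, ICEcap or URLscan code) of the kind of request-line inspection an IDS or URLscan performs on traffic that a port-80 firewall rule has already let through. It percent-decodes the path, including the overlong "unicode" sequences such as %c0%af that IIS decoded as "/" (mirrored here in simplified form), maps backslashes to slashes, then flags traversal out of the web root, requests for system32/cmd.exe, and unusually long or %u-encoded queries to ISAPI extensions (.ida/.idq/.htr/.printer). The malicious request lines are constructed to match the shapes the post describes (the .ida query of Code Red, the encoded traversal of Code Blue); they are not captures, and the extension list and thresholds are assumptions.

```python
from urllib.parse import unquote_to_bytes

# ISAPI extension mappings of the IIS 4/5 era; the overflow attacks in the
# post target the handlers behind these. Thresholds below are assumptions.
ISAPI_EXTENSIONS = (".ida", ".idq", ".htr", ".printer")
MAX_ISAPI_QUERY = 200
MAX_URL_LEN = 1024

# Constructed sample request lines (not captures), shaped like the attacks above.
CODE_RED_LIKE = "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3 HTTP/1.0"
CODE_BLUE_LIKE = "GET /..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
BACKSLASH_VARIANT = "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
BENIGN = "GET /index.html?q=hello HTTP/1.1"


def lenient_decode(raw: bytes) -> tuple[str, bool]:
    """Decode bytes the way the vulnerable IIS decoder did: 0xC0/0xC1 lead
    bytes (overlong two-byte forms that valid UTF-8 forbids) are folded back
    to the ASCII character they encode. Returns (text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif b in (0xC0, 0xC1) and i + 1 < len(raw):
            # %c0%af -> '/', %c1%1c -> '\'; only the low six bits of the
            # second byte are used, as the buggy decoder did
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong = True; i += 2
        else:
            n = 2 if 0xC2 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF7 else 1
            try:
                out.append(raw[i:i + n].decode("utf-8")); i += n
            except UnicodeDecodeError:
                out.append("\ufffd"); i += 1
    return "".join(out), overlong


def normalize_path(path: str) -> tuple[str, bool]:
    """Percent-decode up to twice (catches %255c double encoding), then map
    backslash to slash so traversal checks see what the server would."""
    overlong = False
    for _ in range(2):
        decoded, seen = lenient_decode(unquote_to_bytes(path))
        overlong |= seen
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/"), overlong


def escapes_root(norm_path: str) -> bool:
    """True if '..' segments climb above the web root at any point."""
    depth = 0
    for seg in norm_path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def inspect_request_line(line: str) -> list[str]:
    """Return the findings an inline inspector would raise for one request line."""
    findings = []
    parts = line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    target = parts[1]
    if len(target) > MAX_URL_LEN:
        findings.append("oversized URL")
    raw_path, _, query = target.partition("?")
    path, overlong = normalize_path(raw_path)
    if overlong:
        findings.append("overlong UTF-8 (unicode) encoding in path")
    if escapes_root(path):
        findings.append("directory traversal out of web root")
    lowered = path.lower()
    if "system32" in lowered or lowered.endswith("cmd.exe"):
        findings.append("request for system32/cmd.exe")
    if lowered.endswith(ISAPI_EXTENSIONS) and (len(query) > MAX_ISAPI_QUERY or "%u" in query.lower()):
        findings.append("ISAPI extension overflow attempt")
    return findings


if __name__ == "__main__":
    for name, req in [("Code Red-like", CODE_RED_LIKE), ("Code Blue-like", CODE_BLUE_LIKE),
                      ("backslash variant", BACKSLASH_VARIANT), ("benign", BENIGN)]:
        print(f"{name:18s} {inspect_request_line(req) or ['clean']}")
```

Note what this does and does not buy you: the traversal and cmd.exe rules catch a class of requests without knowing any particular worm's name, which is the "blocked without updated signatures" claim in the post, but a length threshold on .ida queries is a heuristic, and a patched server would not have needed either check. Both halves of the thread's argument are visible in the same forty lines.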
  9. nitro


    Anything that runs on the very same machine you are trying to protect is a piece of crap, including Tiny or ZA.

    #29     Jan 6, 2003
  10. igsi


    Dottom, you just demonstrated one more time that you do not know what you are talking about. The admins had months to patch their systems.

    I do not speculate and your credentials are irrelevant if you are saying nonsense. I appreciate your interest in the subject, though.

    Thank you. Did I?

    Fine, give me a real life example. I hope you finally got it that the example above does not count.

    Again, as I already said in my previous post about your examples and as I said above. If those systems were patched you would not need IDS to stop the attacks.

    Dottom, we are mainly discussing desktops here. And no, I do not find it appealing to discuss servers and network security with you, which, again, I am sorry about.
    #30     Jan 6, 2003