Security: beware of BlackIce Defender

Discussion in 'Trading Software' started by harrytrader, Jan 3, 2003.

  1. dottom


    Yes, the admins had months to patch their systems, yet how many systems were infected? Looks like relying on patching of systems wasn't so effective, was it?

    In fact, the WindowsUpdate is so effective that Microsoft released URLscan and IISlockdown tools, a form of IDS.

    You prove my point perfectly, thank you.
    #31     Jan 6, 2003

  2. Oh come on, get off it. You too, dottom. ZA is some of the best protection you can get. BID brings up the rear. Face the facts.
    #32     Jan 6, 2003
  3. dottom


    They are two different products that do different things, albeit with some similarities. I have used both extensively, and have no allegiance to either. I will use the best tool(s) available. Just like in trading, show me something better than what I am using, or why my current toolset is flawed, and I will switch! Specific to this thread, I am simply correcting some misinformation that was originally posted about BID; as well as educating others on the difference between an IDS and a firewall. No ego or bias here except to get the facts straight.

    Also, instead of the usual "get off it" response or "you don't know what you're talking about" or "xx product rules, yy product sucks", I'd like to see specific responses to the specific vulnerabilities and scenarios I mentioned. (Just like many of the other threads on ET, the best discussions are ones where facts and analysis are rationally exchanged without ego, bias, hyperbole, speculation, sarcasm, etc. Not accusing anyone on this thread specifically, just speaking generally; let's deal with facts!)

    For example, how does Zone Alarm Pro or any other Level 4 firewall protect you from this application-proxy vulnerability (or an unknown vulnerability in an application you are running or the underlying OS)? An IDS does not provide 100% security, but it is definitely more security. It's like having a guard dog (IDS) at your door in addition to an alarm system (firewall). Not 100% secure, but definitely more secure.

    At the time GRC did its analysis on BID (prior to version 2.1), BID's firewall was not the best, which is why many users ran *both* BID and ZAP. BID is now in version 3.5 with a much improved firewall. You can still run both BID and ZAP if you prefer ZAP's (or Tiny's, or any other firewall). I find it easier to run one product for both IDS and firewall (we're talking about personal desktops here; obviously in an enterprise/production environment you would consider industrial-grade tools). Also, GRC only tested some very narrow firewall-specific vulnerabilities, and did zero IDS-related tests, which would have been more realistic. Gibson has been a frequent poster on the security forums I previously mentioned, so why not dig up the archives there and see the ad nauseam debates yourself...

    My point, on this thread, is not to clarify the difference between IDS and firewall.

    Someone else did a good summary on this issue so I'll just post this text unedited:

    #33     Jan 6, 2003
  4. igsi


    You just don't get it. They had months to patch their systems but they did not do it because they are too lazy/ignorant/sloppy and that's why their systems were compromised.:eek:

    There is a saying among IT security people: "The systems do not get hacked. Admins do." The simple reason too many systems were compromised is that their admins did not care about security to the extent they didn't even have patches installed. Got it?
    #34     Jan 6, 2003
  5. dottom


    This is my final post on this thread and you may have the last word.
    I'm sorry, but I believe it is you who does not get it. You never, ever know what you don't know. In other words, you don't know what vulnerabilities currently exist. A firewall does not address "Day Zero" attacks. You have never addressed this lag factor as a fundamental flaw of relying on "timely patching" as a defense. Some of the best admins in the world had their OpenSSL hacked between the time the Slapper worm was discovered and the patch was applied. Who would've thought Linux + iptables + OpenSSL would be vulnerable? Those admins that ran Snort (a Linux IDS) caught the Slapper worm on "Day Zero".

    That is the basic premise of an IDS. I will give you one final analogy on this topic. A firewall will let all traffic through on an open port like a bank will let everyone through the front door. But an IDS is like an extra security guard at the bank. As soon as that robber pulls out that gun the security guard will attempt to take out the robber. A security guard will not detect and neutralize all robbers, but it knows the vast majority of signs of robber behavior and can help protect the bank. Like the security guard, an IDS is not perfect, but it sure is better than not having one.

    At this point, I will leave you to your own conclusions. I have stated what I believe to be the relevant facts on internet network security for your desktop, based on my personal experience having used both BID and ZAP extensively, and my professional experience using a wide variety of enterprise network security products. I think if you posted my comments on any of the security forums I previously mentioned, you would find my views to have wide support amongst other security professionals. I believe I have been very rational about this entire discussion.

    Bottom line on this thread: ZAP is a good personal firewall. If you believe that a firewall alone is sufficient protection for your desktop directly connected to the internet (public IP), then as long as you understand the risk/reward of your decision (like in trading), that is all that matters.

    For me personally, because my livelihood depends on the reliability of my workstations, I take internet security very seriously. In fact, none of my desktops are directly connected to the Internet (all have private IP's), but instead are behind a hardware firewall and use application proxies. Because I am paranoid, I also run a local firewall + IDS + outbound connection management (BID) + antivirus (NOD32) on my desktop.

    For the vast majority of traders, investing in an inexpensive DSL firewall/router and using desktops with NAT or port proxies (private IP's) would be sufficient, with a personal desktop firewall and IDS recommended. I'll let Nitro address any questions on why one should use private IP's behind a hardware firewall.

    Good trading.
    #35     Jan 7, 2003
  6. nitro


    I hate repeating myself over and over again. It gets old after a while.

    You seem to be doing a good job...continue!

    #36     Jan 7, 2003
  7. igsi


    Well, I am glad that my effort is not completely wasted. It seems that you've learned that BID could not stop Slapper. However, I am tired of pointing out the nonsense you post because you just keep coming with more. Anyway, here is an answer to your clueless "argument" above.

    The Slapper worm appeared on September 13th, 2002. It was not exploiting anything like what you call "Day Zero". It was exploiting a vulnerability which the vendor had patched on July 30th, 2002, and about which they had posted an advisory:

    There is no such thing as a gun in your analogy. It's just something that you imagined but does not really exist.

    No, you were not.

    I can tell.

    :D I won't comment that baloney. I don't want my post deleted. :D
    #37     Jan 7, 2003
  8. SWJ12



    You are wrong on this issue. I am a sysadmin and while I try to patch my systems whenever possible, it is a completely unrealistic expectation. First of all, while I try to stay on top of all patch notifications, the high number of warnings and alerts for the numerous systems I administer makes it impossible for me to be absolutely certain that all systems are always patched to the current version. Secondly, as all of the public servers I administer are in production environments, I cannot go and willy-nilly update a server anytime I want. I have to schedule maintenance windows and downtimes, first perform the upgrade in a staging environment, QA against that upgrade, etc. Many times only a "warning" is issued and we do not upgrade systems until a "high priority alert" is issued. Those are the realities of system administration. For desktop users, how many times have you seen an MS update notification, and how long was the delay between when the update was available and when you actually installed the update?

    Relying on such security hardening technologies as IDS (which is just one element of "hardening") has been absolutely vital to our security. Our Apache servers have Tripwire and Snort installed and caught the Slapper worm, so the use of an IDS definitely helped us catch the intruder!

    You don't have to take my word for it. Besides, compared to you I'm probably a technology neophyte. So why not take a recognized security expert's word on the risks of relying on patches as a security measure? (Look at Jay Beale's answer to the question "What are the top things sysadmins can do to protect themselves?")

    Note that Beale talks about:

    1. Hardening your system using security measures such as IDS is the most important! Patches and firewall rank second and third.

    2. Patches are important, obviously, but there is risk due to the non-zero time it takes a vendor to release a patch and you to apply it.

    3. With a hardened system you can actually break the exploits so that you can't be hacked, even while you still have broken software on the system. We have a Cisco IDS in addition to Tripwire and Snort. Even if we have susceptible software, we are at much less risk because we scan all incoming packets at network and server, and if something slips through and is compromised we know about it the same day, while you are sitting here waiting for the vendor to release a patch.

    4. Regarding firewalls, Beale says always remember that firewalls rarely protect applications that you need accessible to the world. For instance, my firewall can't block access to my public webserver! It won't do a thing to protect it. Honestly, this is probably where much of the hacking effort is going to go.

    5. Obviously, the best approach is to do all 3 things Beale mentions (hardened system && patches && firewall). I just wanted to raise my hand and say that dottom isn't the only one who thinks that relying on a firewall and a system administrator to patch all vulnerable systems is sufficient. No way. Say that in a job interview and you'd never get hired at my firm.

    Now, I have a strange feeling this topic won't get resolved here, as there are some philosophical differences. But one difference I cannot ignore is that, had we relied on patches from my software vendor (and the time it takes for me to test/validate/apply them) without an IDS installed, we would have failed all of our annual Ernst & Young security audits to date.
    #38     Jan 7, 2003
  9. SWJ12


    I rather enjoyed the bank robber holding a gun analogy, as well as the guard dog analogy in a previous post. Makes perfect sense to me.

    I don't know about you, but if I had an IIS server, I consider:
       GET /[unicode...backtick...]/winnt/system32/cmd.exe?

    a gun pointed directly at my web server's head! I would want my IDS system to lock out that remote IP for a certain period of time based on the severity of the threat. This is something a firewall alone cannot do. The firewall will just let that user do all the GET /[unicode]/ he wants all day long.

    You must also keep in mind that network security exploits are like STD's! Every computer that you hook up to your local network is a potential disease carrier. For example, you might have locked down your production servers, but all you need is one user with one compromised machine to plug into the corporate LAN and that machine can now scan all of the other machines you thought were protected behind that firewall! Maybe you're the best systems administrator in the world and patch all your systems immediately, but what about the other 200 employees at your company who take their laptops home, expose their laptops to risk, and then bring their laptops back to work or VPN in? Now imagine you were at a company with 2000 employees.... a personal firewall alone is not enough! Relying on individual users to click on "Windows Update" every day is not enough!
    #39     Jan 7, 2003
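An added example, not code from the thread or from any product discussed in it: IDS-style detection logic over constructed web-server log lines for the traversal request SWJ12 quotes above. It normalizes the encoded request path (double URL decoding and the overlong UTF-8 bytes the IIS bug accepted) before matching, and decides a per-IP block duration by severity, which is the "lock out that remote IP for a certain period" behaviour the post describes. The log format, signatures, severities and block durations are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines: client IP, then the request line.
SAMPLE_LOG = """\
203.0.113.7 "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
203.0.113.7 "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
198.51.100.4 "GET /index.html HTTP/1.1"
198.51.100.4 "GET /images/logo.gif HTTP/1.1"
"""
DEMO_NOW = datetime(2003, 1, 7, 12, 0)          # fixed clock for the demo
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*"$')
# Assumed policy: severity -> minutes the source IP stays blocked.
BLOCK_MINUTES = {10: 60, 3: 5}

def normalize_path(raw):
    """Decode the path roughly as the vulnerable IIS versions did: decode
    twice (so %255c becomes a backslash) and map the overlong UTF-8 forms
    %c0%af and %c1%9c back to '/' and '\\' before comparing."""
    data = unquote_to_bytes(unquote_to_bytes(raw))
    data = data.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return data.decode("latin-1").replace("\\", "/").lower()

def classify(path):
    """Return (label, severity) for the most severe signature hit, else None."""
    norm = normalize_path(path)
    if "/winnt/system32/cmd.exe" in norm:
        return ("command shell reached via traversal", 10)
    if "/../" in norm:
        return ("directory traversal", 3)
    return None

def evaluate_log(log_text, now):
    """Scan log lines; return {ip: (label, severity, blocked_until)} keeping
    the most severe hit per source IP."""
    blocks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        ip, _method, path = m.groups()
        hit = classify(path)
        if hit and (ip not in blocks or hit[1] > blocks[ip][1]):
            until = now + timedelta(minutes=BLOCK_MINUTES[hit[1]])
            blocks[ip] = (hit[0], hit[1], until)
    return blocks

if __name__ == "__main__":
    for ip, (label, sev, until) in evaluate_log(SAMPLE_LOG, DEMO_NOW).items():
        print(f"{ip}: {label} (severity {sev}), blocked until {until}")
```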
  10. Well, as for me, I'm only interested in the concrete, not abstraction. Here was an attack by "zombies", and in a paragraph he says that Black didn't alert on that.

    As for Mr Gibson, he is a researcher at GRC; how can one affirm such a strong thing, that he is practically the Director of Sales of Zone Alarm?! If there are proofs, well, I would find that Mr Gibson is rather dishonest, but if it is just an opinion, well, that opinion is dishonest.

    #40     Jan 7, 2003