Security Basics mailing list archives

Re: win2k firewall


From: alexanderdelarge () hushmail com
Date: Fri, 10 Jan 2003 11:44:14 -0800


-----BEGIN PGP SIGNED MESSAGE-----

I too am going to stick my nose into this debate.

First, no single product or configuration is going to make a web server secure. The process of making a web server 
secure involves many layers.

1. Harden the system. Turn off everything that isn't absolutely necessary.

2. Use a hardware firewall to block off the bulk of port scans and whatnot.

3. Use an IDS (host or network based) to watch the traffic that is entering and exiting the system.

4. Run integrity checks on the system using something like Tripwire.

5. Manage ACLs very carefully on the system.

6. Monitor the logs and watch for suspicious activity.

None of these solutions, individually, is sufficient to make the system secure. But as a whole, they would comprise 
"due diligence" on making the system secure.

However, if money/resources are tight, priorities must be made. Sometimes a hardware firewall is out of the question due 
to network configuration, cost, etc. In this case, something like BlackICE might not be the perfect solution, but it 
is better than nothing.

That said, I have used BlackICE (aka RealSecure Desktop Protector) on our network, and I have found that it is a very 
capable IDS. For about $300 a server, I get a very potent IDS engine that can monitor port 80 and port 443 traffic for 
potential intrusions. I also get central management, great reports, and a highly customizable IDS. However, as I have 
told others, I was fortunate to have gotten a very good education on BlackICE.

As for performance, one of the things I have noticed is that most of the people who complain about BI's performance 
are using the desktop version. The desktop version was not designed for a high-volume server. This is why there is a 
server version. In this case the engine has been tuned for lots of connections. I tested BI in my lab on a Win2k 
Server. At 100% load on a 100 Mbps network, BlackICE Server was only at about 30% CPU utilization. I can live with that 
considering my network never comes close to 100% utilization.

The other thing I have noticed about BI is that there is a wide gap in expertise with BI. BI is a tool that tends to 
have a very niche appeal. BI has, arguably, one of the most advanced IDS engines ever built. So advanced that ISS 
uses that same engine (modified, of course) in their enterprise RealSecure products - even the flagship Gigabit IDS.

However, there are still a lot of people riding this "Steve Gibson era" propaganda about BlackICE and, as 
such, will hate it no matter how much evidence is given to counter their opinions. My suggestion to anybody considering 
BlackICE is to look a little deeper than just the UI. Read the docs and learn the parameters, and you'll quickly learn 
that BlackICE can do a lot.

One thing to keep in mind, however, is that NONE of the "personal firewalls" on the market (and I mean NONE) are 
intrusion detection systems. Zone, Sygate, Tiny, Kerio, etc. etc. are all just firewalls and application controls. They 
have NO IDS features AT ALL.

Alex
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmUEARECACUFAj4fIoYeHGFsZXhhbmRlcmRlbGFyZ2VAaHVzaG1haWwuY29tAAoJEE6F
/F3PSQdxFSAAoLbMhDcTOkUNwFL0zqGtQHoWDZMzAJ0SM+lkrdt+V+olh/pS6oxq3Q3r
OQ==
=JyZp
-----END PGP SIGNATURE-----
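Step 4 of the layered list above (integrity checks with something like Tripwire), as an added example that is not part of the original post and is not Tripwire's own code: a minimal baseline-and-verify checker in Python. It hashes every regular file under a directory, keeps the baseline outside the monitored tree, and reports files that were added, removed, or modified (content, size, or permission bits). The `wwwroot` tree, its file names, and the tampering the demo performs are all constructed for the example.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Hash the contents and record size and permission bits, so that both a
    changed file body and a changed mode show up as 'modified'."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by its relative path.
    Symlinks are skipped so a link pointing elsewhere cannot mask a change."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live tree against a stored baseline and report the drift."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in set(current) & set(baseline)
                      if current[name] != baseline[name])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline of a small web root, then change
    the tree the way an incident would, and run the check. The baseline file
    is written outside the monitored tree (a real deployment would also sign
    it or keep it on read-only media, as Tripwire does)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<html>hello</html>")
        (root / "cgi-bin" / "form.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n")

        baseline_db = Path(tmp) / "baseline.json"   # outside wwwroot
        baseline_db.write_text(json.dumps(build_baseline(root), indent=2, sort_keys=True))

        # Simulated tampering (constructed): defaced page, unexpected new
        # file, and a legitimate script removed.
        (root / "index.html").write_text("<html>defaced</html>")
        (root / "cgi-bin" / "unexpected.cgi").write_text("#!/bin/sh\necho hi\n")
        (root / "cgi-bin" / "form.pl").unlink()

        return check_integrity(root, json.loads(baseline_db.read_text()))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed", "modified"):
        for name in report[kind]:
            print(f"{kind:9s} {name}")
```

In practice the baseline would be generated right after hardening (step 1) and before the box goes live, then re-checked on a schedule; the report feeds the log monitoring in step 6, and a non-empty `added`/`modified` list on a static web root is exactly the kind of event worth alerting on.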





