Intrusion Detection Systems mailing list archives

Re: BlackICE IDS


From: robert_david_graham () yahoo com (Robert Graham)
Date: Fri, 3 Dec 1999 16:19:19 -0800 (PST)



--- "Marcus J. Ranum" <mjr () nfr net> wrote:
It's definitely not a sniffer-type IDS....

Um, there seems to be some confusion here. It most definitely IS a sniffer-type
IDS. There are two versions: desktop agent and network agent. The desktop-agent
runs on Win95/WinNT desktops. The network agent runs just like any other
sniffer-type IDS. The network agent is called "BlackICE Sentry".

The confusion arises from the fact that the desktop variant (BlackICE Defender)
is hugely popular, primarily because there's nothing else like it. It's really
the only reliable way to have full network-based IDS protecting your CEO's
Win98 laptop inside the corporation on a switched fabric, or outside the
company while on the road attached to the Internet (for example).

The network-based Sentry is very, very good when its capabilities are compared
to the competition. The entire technology was designed around the network-agent
even though it's also included in a host-agent. The founders of Network ICE all
came from the Sniffer(tm) Network Analyzer team from Network General (now NAI),
and have years and years of experience analyzing network traffic.

It does handle very high, real-world traffic levels. Several customers have
replaced market leading probes with Sentry probes because their traffic levels
were too high. I personally run 148,800 transmitted from a custom traffic
generator (from real-world tracefiles) against my personal dual-Celeron 450,
but Your Mileage May DEFINITELY Vary (I ran a week-straight that way for an
endurance test; it was irritating because the mouse jerks around a bit and the
memory cache and pagetables get all out of whack, but my workstation was
definitely usable under the load). Another cool feature is that it has
extensive anti-evasion algorithms to handle things like
fragmentation/segmentation and signature alteration issues. The documentation
is also very good. For example, check out the page:
http://networkice.com/advice/intrusions/2003017/
(YMMV: common intrusions are rather better documented than rare ones :-)

As for the original question on using the consumer "BlackICE Defender" version
to evaluate the "BlackICE Sentry" network probe. The executables are the same;
the exact feature set is determined by the license key. There will be some
minor performance difference (depending upon the nature of the traffic).
However, you could just stick Defender on a WinNT router, replay traffic
against it by altering the MAC address, or use some other product to put the
adapter in promiscuous mode. Use the option "adapter.isLocal = true" in order
to take it out of filtering mode (You can't believe how frustrating it is
spending an entire day figuring out why your agent isn't detecting any attacks
from a scanner, only to realize that the upstream router running Defender has
decided it's had enough from the scanner and dynamically added it to its
built-in firewall ruleset!).

A huge number of variables come into play, the most important of which is the
nature of YOUR network traffic. But this will give you a rough estimation to
what is going on.

Regards,
Rob.

--- "Marcus J. Ranum" <mjr () nfr net> wrote:

<QUOTE>blackice runs at 148,000 packets per second, checks all 7 layers of
the stack and rates each attack on a scale of 1 to 100 so that only attacks
it considers serious are alerted on</QUOTE>

It's somewhat deceptive marketing, in my opinion - perhaps someone from
Network Ice could clarify/contradict if I'm off base.

As I understand it, the product is a cross between a firewall "shim" at the
bottom of the IP stack, and an intrusion detection system. Since it's operating
in the bottom of an individual machine's IP stack, it doesn't need to
deal with packets promiscuously; it's more like a firewall doing multilayer
packet inspection with some attack detection thrown in. So, it's a host-based
solution. Arguing that it can run at <some number> of packets/second is
pointless since it's really based on the number of packets directed to the
host in question.

"BlackICE is a sophisticated application that is designed to run on every PC
in your extended enterprise"

It's definitely not a sniffer-type IDS, which means the packets/second count
is irrelevant. Host based IDS are free to drop all the packets they like, since
the loading and retransmission properties are very different from a sniffer-type
IDS.

I'm sure it's a fine solution if you want to watch your Windows machines
and only your Windows machines, and are willing to shim out the bottom
of IP on every desktop and server.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr


=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
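Rob's reply above suggests evaluating the network probe by replaying captured traffic at a Defender host "by altering the MAC address", because an adapter that is not in promiscuous mode only passes up frames addressed to its own MAC. The script below is an added illustration of that preparation step, not code from Network ICE or from either poster: it parses a classic pcap file, rewrites the Ethernet destination MAC of every frame to the sensor's adapter, and writes the capture back out so a replay tool can send it. SENSOR_MAC, the sample frames and the timestamps are constructed values. It rejects non-Ethernet captures and truncated records, and leaves runt frames untouched. Rob's caveat still applies once the replay reaches the sensor: set "adapter.isLocal = true" or the host's built-in firewall may silently start dropping the replay source.

```python
"""Retarget every Ethernet frame in a pcap at an IDS sensor's own NIC.
Added example; SENSOR_MAC and the sample frames are constructed values."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read little-endian from an LE file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1 # what an LE read returns for a BE file
LINKTYPE_ETHERNET = 1
SENSOR_MAC = "00:11:22:33:44:55"  # hypothetical MAC of the sensor's adapter


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_pcap(records, linktype=LINKTYPE_ETHERNET) -> bytes:
    """Serialize (ts_sec, ts_usec, frame) records into a little-endian pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Return (linktype, [(ts_sec, ts_usec, frame), ...]) for either byte order."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated frame data")
        records.append((ts_sec, ts_usec, frame))
        off += incl_len
    return linktype, records


def retarget_pcap(data: bytes, sensor_mac: str):
    """Point every frame's destination MAC at sensor_mac.

    Returns (new_pcap_bytes, number_of_frames_rewritten). Timestamps and
    everything after the destination MAC are preserved unchanged.
    """
    linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    new_dst = mac_to_bytes(sensor_mac)
    out, rewritten = [], 0
    for ts_sec, ts_usec, frame in records:
        if len(frame) < 14:           # runt: no full Ethernet header, leave it
            out.append((ts_sec, ts_usec, frame))
            continue
        if frame[:6] != new_dst:
            rewritten += 1
        out.append((ts_sec, ts_usec, new_dst + frame[6:]))
    return build_pcap(out), rewritten


def destination_macs(data: bytes):
    """Destination MACs of all full-size frames, for inspection and testing."""
    _, records = parse_pcap(data)
    return [bytes_to_mac(f[:6]) for _, _, f in records if len(f) >= 14]


def make_frame(dst: str, src: str, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Constructed Ethernet II frame with a dummy IPv4-looking payload."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack(">H", ethertype) + payload


# Constructed three-record capture: two normal frames and one runt.
SAMPLE_PCAP = build_pcap([
    (1, 0, make_frame("de:ad:be:ef:00:01", "de:ad:be:ef:00:02")),
    (1, 500, make_frame("de:ad:be:ef:00:03", "de:ad:be:ef:00:02")),
    (2, 0, b"\x00" * 10),
])

if __name__ == "__main__":
    new_pcap, n = retarget_pcap(SAMPLE_PCAP, SENSOR_MAC)
    print(f"rewrote {n} frames; destinations now {destination_macs(new_pcap)}")
    with open("retargeted.pcap", "wb") as fh:   # hand this file to a replay tool
        fh.write(new_pcap)
```

Only the destination MAC is changed, so IP-layer addresses, checksums and payloads stay exactly as captured; that is what the sensor is meant to see. Frames already addressed to the sensor are not counted as rewritten, which makes the returned count a quick sanity check that the capture you replayed was actually retargeted.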
