Intrusion Detection Systems mailing list archives
RE: RE: BlackICE product description?
From: c105 () Globeset com (Calvin P. Tait)
Date: Fri, 16 Jun 2000 08:54:18 -0500
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Pairing Black Ice with Zone Alarm works really well.

Calvin Tait

-----Original Message-----
From: owner-ids () uow edu au [mailto:owner-ids () uow edu au] On Behalf Of Bill Royds
Sent: Thursday, June 15, 2000 7:14 PM
To: Greg Shipley; ids () uow edu au
Subject: IDS: RE: BlackICE product description?

Despite the marketing-speak, it is reasonably accurate about INBOUND traffic. It has four protection levels: Trusting, Cautious, Nervous and Paranoid.

Paranoid blocks all incoming traffic unless from trusted IP sources.
Nervous blocks all TCP and standard UDP.
Cautious blocks standard TCP and standard UDP.
Trusting blocks nothing (but will record).

When an inbound attempt comes in, it does an extensive signature comparison to label the attempt, so the log has entries like "Sub7 Trojan on port 27374". It does NOT block outbound connections, so Trojans can still have a heyday. It is kind of a blocking IDS rather than a true firewall, since it doesn't allow one to have a tailored security policy and it is fairly simplistic in logging.

Here are the log entries for my cable connection for the last few days. Count is the number of packets combined in a log line.

#File format help at: http://www.networkice.com/Advice/Support/KB/q000018/
#Severity, timestamp (GMT),issueId, issueName, intruderIp, intruderName, victimIp, victimName, parameters, count
59, 2000-06-13 11:41:37, 2003105, SubSeven port probe, 63.226.189.115, mplsnas43poolA115.mpls.uswest.net, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
19, 2000-06-13 15:03:15, 2001507, PCAnywhere ping, 24.112.232.158, cr1015685-a.rchrd1.on.wave.home.com, 24.112.232.x, , port=5632, 1,
59, 2000-06-14 02:01:17, 2003105, SubSeven port probe, 24.68.102.245, 24.68.102.245.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-14 11:09:01, 2002004, SNMP discovery broadcast, 24.112.93.26, cr338445-a.flfrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-14 13:37:02, 2002004, SNMP discovery broadcast, 24.112.95.3, cr711451-a.rchrd1.on.wave.home.com, 255.255.255.255, , community=public, 2, A
59, 2000-06-15 00:54:31, 2003105, SubSeven port probe, 24.112.90.151, cr719470-a.flfrd1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 03:58:47, 2003105, SubSeven port probe, 212.129.4.30, dyn-212-129-4-30.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 04:17:46, 2003105, SubSeven port probe, 24.16.91.33, cx964033-a.rsmt1.occa.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 07:57:53, 2003105, SubSeven port probe, 204.215.230.26, max-roc11-26.digital.net, 24.112.232.x, , port=27374&name=Sub_7_2, 2, A
59, 2000-06-15 10:08:57, 2003105, SubSeven port probe, 24.112.235.205, cr865480-a.slnt1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 17:02:18, 2003105, SubSeven port probe, 24.112.209.106, cr853773-a.slnt1.on.wave.home.com, 24.112.232.x, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 21:07:01, 2003105, SubSeven port probe, 24.42.34.135, cr28327-a.cambr1.on.wave.home.com, 24.112.232.x, , port=1243&name=Sub_7, 2, A
59, 2000-06-15 21:34:48, 2003105, SubSeven port probe, 212.83.132.92, ppp-92.dialup-132.worldonline.fr, 24.112.232.X, , port=1243&name=Sub_7, 1, A
59, 2000-06-15 21:35:18, 2003105, SubSeven port probe, 24.5.8.72, cx5123-a.cv1.sdca.home.com, 24.112.232.X, , port=27374&name=Sub_7_2, 1, A
59, 2000-06-15 22:01:38, 2003105, SubSeven port probe, 212.129.5.79, dyn-212-129-5-79.paris.none.net, 24.112.232.x, , port=1243&name=Sub_7, 1, A

-----Original Message-----
From: owner-ids () uow edu au [mailto:owner-ids () uow edu au] On Behalf Of Greg Shipley
Sent: Thursday, June 15, 2000 04:28
To: ids () uow edu au
Subject: IDS: BlackICE product description?

I don't want to start any kind of marketing battle here, but a colleague of mine pointed this out on Network ICE's site and now I am curious (see http://www.networkice.com/html/blackice_agent.html_):

"BlackICE Agents actively defend each system by employing a multi-layered defense mechanism. Like a firewall, the first layer of protection blocks the ports that do not need to be open on the protected machine. The second defense layer is the dynamic analysis of all of the traffic destined to any open ports to ensure the validity of these communications. While traditional firewalls cannot stop malicious activity directed at available ports, Network ICE's 7-layer decode technology enables it to thwart these attacks in real time."

I guess what I don't understand (and perhaps I need to do some more homework) is whether or not this thing really DOES serve as a firewall? What does this mean by "the ports that do not need to be open"? Does it block all INBOUND ports by default? As in, if I have file sharing enabled on my Win32 box, will it block 135/139 out of the box? What about other listening services? All of them, too?

If so, this could indeed be a handy little tool to shove down the throats of those pesky remote users.....

Me rambling,
-Greg
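As an added example, not code from this thread or from Network ICE, here is a small Python parser for the BlackICE evidence-log layout Bill quotes above (field names taken from its "#Severity, timestamp ..." header). The sample lines are constructed with documentation addresses; the parser keeps the trailing flag that the header does not list and totals packet counts per issue and port, which is the view the "count is the number of packets combined" remark invites.

```python
import csv
from collections import Counter
from io import StringIO
from urllib.parse import parse_qs

# Constructed sample in the layout quoted in the thread. Addresses and
# hostnames are made up; "x" in the victim column mirrors the post's own
# masking of the last octet. The trailing "A" flag is present on most lines
# and absent on one, exactly as in the quoted log.
SAMPLE_LOG = """\
#File format help at: http://www.networkice.com/Advice/Support/KB/q000018/
#Severity, timestamp (GMT),issueId, issueName, intruderIp, intruderName, victimIp, victimName, parameters, count
59, 2000-06-13 11:41:37, 2003105, SubSeven port probe, 192.0.2.10, host-a.example.net, 198.51.100.x, , port=27374&name=Sub_7_2, 1, A
19, 2000-06-13 15:03:15, 2001507, PCAnywhere ping, 192.0.2.11, host-b.example.net, 198.51.100.x, , port=5632, 1,
59, 2000-06-14 11:09:01, 2002004, SNMP discovery broadcast, 192.0.2.12, host-c.example.net, 255.255.255.255, , community=public, 2, A
59, 2000-06-15 03:58:47, 2003105, SubSeven port probe, 192.0.2.13, host-d.example.net, 198.51.100.x, , port=1243&name=Sub_7, 2, A
"""

# Field order from the log's own header comment.
FIELDS = ["severity", "timestamp", "issueId", "issueName", "intruderIp",
          "intruderName", "victimIp", "victimName", "parameters", "count"]


def parse_blackice_log(text):
    """Return one dict per event line. '#' comment lines are skipped; the
    'parameters' query string is split into a dict; any field after 'count'
    (undocumented in the header) is kept as 'flag', empty when absent."""
    events = []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#") or len(row) < len(FIELDS):
            continue
        event = dict(zip(FIELDS, row[:len(FIELDS)]))
        event["severity"] = int(event["severity"])
        event["count"] = int(event["count"])
        # e.g. "port=27374&name=Sub_7_2" -> {"port": "27374", "name": "Sub_7_2"}
        event["params"] = {k: v[0] for k, v in parse_qs(event["parameters"]).items()}
        event["flag"] = row[len(FIELDS)].strip() if len(row) > len(FIELDS) else ""
        events.append(event)
    return events


def summarize(events, min_severity=0):
    """Total packets per (issueName, port); events below min_severity are
    dropped. Events with no port parameter (SNMP broadcasts) get '-'."""
    totals = Counter()
    for e in events:
        if e["severity"] < min_severity:
            continue
        totals[(e["issueName"], e["params"].get("port", "-"))] += e["count"]
    return totals
```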
Current thread:
- BlackICE product description? Greg Shipley (Jun 15)
- RE: BlackICE product description? Bill Royds (Jun 15)
- RE: RE: BlackICE product description? Calvin P. Tait (Jun 16)
- RE: BlackICE product description? Bill Royds (Jun 15)
- <Possible follow-ups>
- Re: RE: BlackICE product description? andyb () lexmark com (Jun 16)
- Re: RE: BlackICE product description? andyb () lexmark com (Jun 19)
- RE: BlackICE product description? Bill Royds (Jun 15)
