BlackIce firewall from ISS - Is it a POS?

My wife has been running BlackIce on her computer (Windows) and about a month ago she started having troubles. CD burn errors, slow copying of files and general system slowdown. I checked the performance graph in Task Manager and the CPU usage was spiking from a few percent to 50%, up and down like a yoyo when the system was idle. I narrowed the culprit down to the firewall, BlackIce. When I disabled its services and removed it from the startup folder everything was normal again.

I've discovered that she can still use it, although if the GUI is loaded (which puts an icon in the system tray) the spiking returns. Right-click on the icon and choose 'exit' and the spiking stops (although the BlackIce services are still running and hence the firewall is fully functional). Now, a month later, if you open the GUI the CPU usage starts spiking from a couple of % up to 90%. It's getting worse.

ISS (who produce BlackIce) tout themselves as the world's greatest security experts but this program (at least the GUI part of it, which is minimal anyway) is behaving like a badly written piece of sh|t. Anyone got any ideas what is wrong? Or suggestions for a better firewall? I won't touch Norton junk (too intrusive, registry bloat etc.) and I had trouble with Zone Alarm years ago on Win98. When I uninstalled it, it trashed the registry on the way out. Thanks for any advice

Arnie


on 02 Jan 2007, something possessed Arnie to write:

You can try Kerio Personal Firewall. It says it's trial-ware, but after the 30 days are up, you just lose some web-content filtering stuff (ad blocking, which I never really had to use anyway). It allows you to set rules based not only on how programs access the Internet, but also allows you to set custom rules for ports to block and leave open as well, should you ever want/need to block or allow a certain port range. It can also monitor your PC for changed programs, and alert you when a program is trying to access another program on your PC (i.e. when you click on a mailto link in your web browser, the web browser will need to communicate with some program on your PC). You can, of course, turn this option off if you like.

Well, I hope you find something out there that will suit your needs. Good luck.

Regards,

Will


Anyone can do so. However, ISS's credibility has been suffering more and more and now they're nothing more than just a big blunder.

Well, or you just didn't recognize the overwhelming claims about this software as big fat irony.

Nothing. It's supposed to f*ck up your computer.

Which firewall? You have only been talking about BlackICE. This is, at best, a host-based packet filter unsuitable for building a firewall, and rather simply a piece of shit.

This isn't a firewall either. However, it's another f*ck-up-my-computer software.

Same as above.

Blah. What about getting a security concept first? Then installing such crapware would never have happened, not even been considered in the first place.

Sebastian Gottschalk

;^}

So what _is_ your advice to the O.P. Seb' mate? Even I, who knows less than you've forgotten, could have said the above!

Jim Ford


So what is your take on it you lunatic, as I don't see anything coming out of you, with your head firmly planted up Jack the Ripper El Capitan William's ass? You're nothing but a lunatic nit picker follower.

You're another one that Death should have strangled at birth with your placenta, so that you would not have made it out here to the Internet.

Death


Why don't you call ISS about your problem with BI or send an email, as there could be a solution.

You do know that you can go to MSconfig to the Start-up tab and disable the BI GUI from running with the Windows O/S.

With the services still running for BI, which is the FW part of BI, you can use VisualIce (free, use google) to view the log entries. These will have the same information that would be displayed in the Intrusion Detection screen of attacks in the BI GUI, and VI will display even more information than the BI GUI screens, based on the logs.

You can also set VisualIce to start up minimized, sound an alert and flash its icon down in the system tray when an attack happens.

You have to enable logging in BI via its GUI to capture the logs that VI will use.

You can damn near tell BI to do anything from the BI configuration files and you don't need the BI GUI to do it. You need the BI GUI up only for some types of configuration of BI done visually, but you don't have to have the BI GUI running all the time, with its icon sitting down there in the system tray.

There is also an ISS forum where you can post questions about BI too, for support.

Mr. Arnold

So, you seem to agree with my obvious finding that the real problem is a lack of a security concept, and the O.P. is just fuddling around with the conclusion drawn from not having any concept?

At any rate, it seems quite common that people only state what they're trying instead of what they actually want to achieve. And that's a bad thing, indeed.

Sebastian Gottschalk

No, the _real_ problem is that no-one can ever get a straight answer from Seb' Gottschalk!

Jim Ford


No, the real problem here is with you and your lunacy nit picking and whining.

I understand what the man is saying and can read between the lines as to what he is saying. Are you that dense?

I use a PFW too when I am away from my network. Many of the features of a PFW trying to protect you from you, like Application Control and whatnot are just snake-oil.

Anything that runs with the O/S can be circumvented and defeated, just like the O/S can have it happen to it.

That's the message that's being put out that you can't seem to comprehend.

Death


Then why don't you use a serious host-based packet filter without all of this crap? Like Windows Firewall or Wipfw?

So? Please show me how to break out of the Java VM sandbox.

That's why someone should focus on hardening the OS, thus limiting the attack range and the achievable results of an attack.

Sebastian Gottschalk

I am using one that has the one piece of snake-oil disabled.

I don't view those as being any better than anything else with the snake-oil turned off.

No one cares about breaking out of some Java VM sandbox. And I must say that here is when the problem with you starts.

Yeah, do you mean like removing the Client for MS Network, MS F&P off the NIC or dial-up connection, shutdown unneeded services and programs on the O/S and a general hardening of the O/S, things of that nature?

I have been coming to this NG for years and learned from the best, read articles and books on securing the MS platform, and security in general.

I wouldn't say that I am in any league with those that make a living at it, and neither are you.

You should treat others like you would like to be treated, as that's a message that's coming back to you.

I am just the messenger.

Death


Thanks. I'll give it a try. I d

> What about getting a security concept first?

(and also:)

I _can_ get some positive benefits from a PFW such as BI using App control and IP blocking. If you mean hardening the OS by disabling unused services, I shut down all except 5 or 6 Windows services out of the ~50 or so. Just enough to get connected. I've run Steve Gibson's (grc.com) tools on it and just took it through his Shields UP! pages and Leak test. It passed all tests except Port 113 and ICMP (pings). I blocked port 113 with BlackIce, which worked, and found this manual: BlackICE Advanced Administration Guide (link not preserved), which has info on editing BlackIce .ini files. You have to add a line to stop pings being acknowledged. Also found a thread from this NG from 2003 (link not preserved) that helped with the ICMP (ping) reject entry for firewall.ini. In fact the above thread was better than the manual. After shutting down BlackIce and its services I added this entry to firewall.ini under the section [MANUAL ICMP ACCEPT]:

[MANUAL ICMP ACCEPT]
REJECT, 8:0, ICMP, 2001-10-15 00:01:00, PERPETUAL, 5000, MANUAL

And guess what? Here's the funny thing. I made sure my new entry, the section header and the last char on the last line of firewall.ini had manual carriage returns and saved it. I fired up BlackIce again with the intention of testing the ping blocking at Shields UP! and lo and behold the CPU spiking had stopped. The edit and save on the firewall.ini must have fixed it, as the problem had nothing to do with pings. Before the edit it wasn't yo-yo'ing anymore, just flat out 100% CPU usage with no net connection. Anyway I tested the ping/ICMP entry at Shields UP! and got a perfect score as well. So all's good in the home computing world again. In a roundabout way I fixed the problem and made a few improvements.

Thanks for all your replies and suggestions

Arnie

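The firewall.ini entry Arnie quotes, run through a small parser, as an added example that is not part of the original post and not ISS/BlackICE code: it reads BlackICE-style manual filter lines out of an ini snippet and reports which action an ICMP packet would hit. The section name and field order come from the single line quoted in the thread; the meaning given to the fields (action, ICMP type:code, protocol, start time, duration, priority, origin) and the rule that the highest priority wins when several entries match are assumptions. It also flags the missing-trailing-newline problem Arnie had to fix by hand.

```python
"""Parse BlackICE-style manual filter entries and look up which action an
ICMP packet would hit.  Added example, not ISS code: the field meanings and
the 'highest priority wins' rule are assumptions drawn from the one line
quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the section and rule Arnie says he added to firewall.ini.
SAMPLE_INI = (
    "[MANUAL ICMP ACCEPT]\n"
    "REJECT, 8:0, ICMP, 2001-10-15 00:01:00, PERPETUAL, 5000, MANUAL\n"
)

# action, type:code, protocol, start time, duration, priority, origin (assumed order)
RULE_RE = re.compile(
    r"^(\w+)\s*,\s*(\d+):(\d+)\s*,\s*(\w+)\s*,\s*([^,]+?)\s*,"
    r"\s*(\w+)\s*,\s*(\d+)\s*,\s*(\w+)$"
)


@dataclass
class Rule:
    section: str
    action: str       # e.g. REJECT (vocabulary assumed)
    icmp_type: int
    icmp_code: int
    proto: str
    start: str
    duration: str     # PERPETUAL in the thread's example
    priority: int
    origin: str       # MANUAL = hand-edited entry, as in the thread


def parse_ini(text: str) -> List[Rule]:
    """Return the rules in an ini snippet.  A rule line outside any [section]
    or with the wrong field count raises ValueError instead of being skipped."""
    rules, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule outside any section")
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable rule {raw!r}")
        act, t, c, proto, start, dur, prio, origin = m.groups()
        rules.append(Rule(section, act.upper(), int(t), int(c), proto.upper(),
                          start, dur.upper(), int(prio), origin.upper()))
    return rules


def lookup(rules: List[Rule], proto: str, itype: int, icode: int) -> Optional[str]:
    """Action for a packet of the given protocol/type/code, or None when no
    manual rule matches (the product's own default would apply then)."""
    hits = [r for r in rules
            if r.proto == proto.upper() and r.icmp_type == itype and r.icmp_code == icode]
    if not hits:
        return None
    return max(hits, key=lambda r: r.priority).action   # assumption: higher wins


def check_file_shape(text: str) -> List[str]:
    """Formatting problems of the kind Arnie fixed by adding line endings."""
    problems = []
    if not text.endswith("\n"):
        problems.append("last line lacks a trailing newline")
    if "\r" in text.replace("\r\n", ""):
        problems.append("bare carriage returns present")
    return problems


if __name__ == "__main__":
    rules = parse_ini(SAMPLE_INI)
    print("echo request ->", lookup(rules, "ICMP", 8, 0))   # REJECT
    print("echo reply   ->", lookup(rules, "ICMP", 0, 0))   # None
    print("file problems:", check_file_shape(SAMPLE_INI.rstrip("\n")))
```

Echo request (type 8, code 0) is the only thing the quoted rule touches; echo replies and every other ICMP type fall through to whatever the product does by default, which is why a single REJECT line is a narrow tweak rather than "ICMP off".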

"Mr. Arnold" wrote in news:BvCmh.5784$ snipped-for-privacy@newsread4.news.pas.earthlink.net:

Yep. I found that stopped the spiking while still leaving the services running.

I actually have that but have not installed it. It may be good, but I'm very wary of any 3rd party addons, plugins, extensions etc., especially for a security program or programs that need to be secure, e.g. a web browser. All your efforts at 'hardening' what you've got could be rent asunder. Maybe better to use a separate app for extra monitoring? I've got Ethereal but haven't installed/used it yet.

Now I've got the manual I'm on my way. BlackICE Advanced Administration Guide


Yes, I discovered that and it was my initial fix for the problem. And now I've fixed it completely thru sheer luck.

I haven't found it yet, not on their site or via google. A link would be appreciated. Thanks Arnie

blah

"Mr. Arnold" wrote in news:BvCmh.5784$ snipped-for-privacy@newsread4.news.pas.earthlink.net:

sorry "Mr. Arnold" I forgot to swap ID's when I replied to you. See the post from 'blah' (aka Arnie)

PS. I really would like the link to the ISS forum

Arnie


Please distinguish between "turned off" and "disabled". Even when "turned off", it's not "disabled" and keeps on f****ng up your computer, introducing security holes and all kinds of problems.

Anyway, even the supposedly serious parts (the packet filter, and... what else?) are total crap.

You were claiming that everything that runs on the O/S can be circumvented/defeated. The Java VM runs on the O/S. Now, show me how to circumvent it.

Or what else do you mean? If something runs in a higher security context as a service of the O/S, it can't be trivially circumvented either.

Some serious advice, some useless things, some pile of shit. What exactly should a router give in to security? Which virus scanner besides ClamWin doesn't make the system less secure? And no script kiddy falls for renamed or faked Admin accounts, everything goes by the SID and group memberships today. Or ever tried those auditing settings? A wonderful idea to flood your event log with masses of useless messages.

D'oh, even the official "Windows XP Security Guide" at the Microsoft Website debunks a lot of this stuff as useless.

Sebastian Gottschalk

Can't you see the irony? It should be obvious. "Personal Firewall" is a well-known synonym for "crapware".

Yes, intrusion detection. At best. Not outweighing the negative influence on your system. No positive net benefit.

Sorry, but that's bullshit. Automatic blocking is only good for shooting in your own foot, and nothing else.

Then you should think and read again.

Then you've proven that you have no clue whatsoever. You f***ed up identd, you're going to f*ck up ICMP, passing this "Shields Up" crap means you f***ed up your network connection, and just thinking of taking those "Leak tests" shows that you don't understand your system at all.

No. Just in your illusionary world. As you already stated, technically your system is now a total mess.

Sebastian Gottschalk

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

Maybe, but (see below)

No, it's the exact opposite. Blocking applications from connecting to remote servers/machines. I get a positive benefit. Phone home apps give me the s**ts but that's just me. I might be irrational but I still love to whack em, turn em 'round and send them back to work with blood and snot running out of their noses. Jesus! I'm starting to adopt the tone of this group. I'm not really like that.

And I have very few apps that do that, 1 or 2 sneaky little bastards that used to go straight under the FW but now they can't. Well, maybe they still can, but when they get out they can't find home. Yes, I'm aware of the PFW's limitations (BI in this case). And that's not its only weakness. But if it's not malicious and not chewing up CPU cycles then until I find a better solution I'm happy for it to be doing its little bit.

Hell, I only just got a guide on editing its .ini files, although I did completely write its ACTLCL.TXT file by hand (with a good txt editor using copy&paste and regex; I didn't type much but it ended up 20KB). That's where it stores App Control network blocking settings. For some reason whenever I added another app using the GUI it would drop some other previously blocked app off the list. Strange and shitful behaviour, but now that I wrote it myself it's holding the settings. Weird, but it's working. I thought that might be causing the CPU usage but obviously not, as I've fixed that another way (editing and saving the firewall.ini). Maybe I should copy all its files onto fresh sheets of notepad and save them. Yes, it doesn't strike me as a very serious attempt at a security program with such dumbass useless behaviour as above.

No, it's good. Blocking specific IP's. Combined with the above (blocking the application) I might also do a whois on the host name and block any other IP's they're using.

I'm happy to listen if you care to explain.

Well, you say f***ed up and I say fixed up. Your 'security concept' is different to mine. It may well f*ck up your machine for what you do with it but it has no effect for me besides a possibly minor security gain. There are more restrictions you can apply to ICMP; I simply applied one to pass Gibson's test. He knows more than I ever will so I'll take his word for it, considering it's a pretty harmless tweak.

I don't understand where you're coming from. On the one hand you say a user should have a 'security concept' if they are serious about security. I take that to mean they should have an idea, a goal and a plan to achieve it. If there was a universal 'security concept' then you could publish it. If you have one then post it. Otherwise a 'security concept' is user specific. If I were running an office I wouldn't disable 'file & printer sharing' but on a standalone machine I would. What do I need 'identd' for? Quite likely I never will, so I'm happy it's off. If I ever need it I can turn it on. And I'm moving ahead with _my_ 'security concept'. I don't even have Print Spooler running; I turn it on when I want to print.

"identd (identification protocol) is pointless and potentially dangerous" (link not preserved). If you're an IRC user (which I am not) then you probably want to leave it alone. "IRC Connection Problems" (link not preserved).

No, it's better now. I had a problem and I fixed it (the CPU usage). And I moved ahead a couple of points with _my_ 'security concept' in the meantime.

Arnie


But this doesn't work.

And a large negative benefit (security vulnerabilities and problems introduced by BlackIce).

Yes, you are irrational. From a technical point of view, you can only control legitimate applications, which is superfluous. Illegitimate applications simply bypass your measures, trivially.

Wrong again. Adding complexity makes your system more vulnerable and less stable. Generally, always. If you can't justify this with a significant improvement in security that can't be accomplished otherwise, then it's better not to add such a thing.

Remember: Doing nothing is better than doing something wrong.

# -S forges the source address of the SYN probes; -P0 skips the host-discovery ping (-Pn in current nmap)
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $yourdnsserver1
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $yourdnsserver2
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $yourdefgateway
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $yourmailserver
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $yourfavoritewebsite
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $google
nmap -sS -p1-100 -T Insane -P0 -e eth0 -S $windowsupdate

Nuff said. You obviously like allowing others to trivially cut you off from the net.

Well, let's take a look at my Windows box... yes, there are 28 services running. Only 20 belong to Windows. Tapi+RAS could be disabled as well if I didn't want such a direct dialup connection instead of the oh-so-praised routers. WZCSVC could be started on demand. AeLookup isn't needed either, just for my convenience. Task Scheduler is also just good for automation and App Prefetch.

I wonder if the default config of Windows even has more than 40 services running...

This has nothing to do with a security concept. Your network is f***ed up, that's the technical point of view.

That's the worst possible criterion. Even random behaviour would be a better one.

Doubtful. He is a proven idiot; you're just on the way to making yourself look like one.

At the moment, I'm coming from a page (link not preserved) after having searched for some updates on whether this clown has done another big dumb thing.

eMail, Usenet, IRC. I presume that at least the second holds for sure.

What about reading the relevant RFC instead of the opinion of someone who obviously doesn't have any clue? After all, no one asked you to actually run any kind of ident server; you should just REJECT ident requests instead of DROPping them. Just like almost any other incoming connection. Otherwise you'll just DoS yourself with tons of repeated traffic, timeouts, non-working load balancers and strange protocols, without the slightest gain in security.

Your problem is a defective piece of software which is also superfluous. Fixing it at some point doesn't stop it from permanently f****ng up everything (which you obviously don't have the expertise to recognize) or from breaking again in future.

Except that you don't have any concept. Instead of saying "ICMP is bad, thus I'll deny it" you should give a reason why ICMP should be bad, and maybe you'd recognize that it simply isn't bad at all, and your initial idea was total nonsense.

Sebastian Gottschalk

What are you talking about? It's a log viewing utility that allows you to view the BI logs in real time, gives better information than any screen you're looking at in BI and is a stand-alone application, with some nice features. It has nothing to do with the BI application, other than to view the BI logs in real time.

It's just like Wallwatcher, which is another log utility and standalone application for routers and FW appliances. It gives better information on the events that are happening with the device than can be had by viewing the Admin screens of the device. A device such as a router broadcasts the log information over the LAN in real time to a machine that has WW running.

WW is just an example.

There is also the ISS Knowledge base that you can get to via the BI UI and I think VI when looking at log information.


Mr. Arnold

