The truth about firewalls (BlackIce 3.5)
Written: Jan 12 '03 (Updated Jan 15 '03)
Pros: Excellent IDS capabilities offer more protection than a firewall alone.
Cons: Some people may prefer the way that application protection is done in products like ZoneAlarm.
The Bottom Line: BlackIce is a good, highly configurable firewall with an excellent IDS. If you run any servers on your machine then BlackIce will offer you better protection than a firewall alone.
daveP86's Full Review: Macmillan BlackICE Defender Full Version for PC (1...
A firewall is an application that allows you to selectively block certain types of Internet traffic in order to minimise the risk of hackers compromising your system. Even if you don't know it, it is likely that countless bored 12 year olds across the world are scanning your system for weaknesses several times a day.
The truth about firewalls
BlackIce is different to most personal firewalls such as ZoneAlarm because it includes an IDS.
A standard firewall allows you to block certain types of network traffic and to allow other traffic through. Assuming that the firewall isn't completely useless it won't let any traffic through that you have blocked, and yet major sites with firewalls still get hacked. Where you are vulnerable is with the network traffic that you do allow through, and unless you intend to be completely disconnected from the net you will be letting something through. A standard firewall will not offer any protection for the traffic that you allow through it (and as this is the only place you are really at risk anyway, well... make up your own opinion; this is why I went for a firewall with IDS capabilities).
What's an IDS?
BlackIce's IDS monitors all traffic that the firewall component has allowed through. If the traffic is dangerous, in some cases it can block the attacker by dynamically creating new firewall rules.
BlackIce uses a technique called "protocol decode" which means that it can detect suspicious network traffic before it is known to be a problem by understanding high level protocols and knowing how things normally work. Apparently BlackIce detected the CodeRed worm from day one, before it had been given a name. It can detect events such as an excessive number of failed logins to your computer; this sort of behaviour won't be detected by a plain firewall, which will either let the traffic through or not.
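To make the layering described above concrete, here is an added example (my own illustration, not BlackIce's code or ISS's detection logic) of a toy firewall whose static allow list is backed by an IDS that counts failed logins per source within a time window and, once a threshold is reached, creates a dynamic block rule that the firewall then enforces. The sample events, the allowed ports, the threshold and the window are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque

# Constructed sample events, not from the review: (seconds, source IP, destination port, outcome)
EVENTS = [
    (0, "203.0.113.5", 445, "login_failed"),
    (1, "203.0.113.5", 445, "login_failed"),
    (2, "203.0.113.5", 445, "login_failed"),
    (3, "203.0.113.5", 445, "login_failed"),
    (4, "203.0.113.5", 445, "login_failed"),   # fifth failure trips the IDS
    (5, "203.0.113.5", 445, "login_ok"),       # port is allowed, but the source is now blocked
    (6, "198.51.100.9", 445, "login_failed"),  # one failure: harmless
    (7, "198.51.100.9", 80, "request"),
    (8, "203.0.113.5", 80, "request"),         # also dropped by the dynamic rule
    (9, "192.0.2.77", 23, "request"),          # dropped by the static policy, never inspected
]

STATIC_ALLOW_PORTS = {80, 445}  # hypothetical static firewall policy: web and file sharing
THRESHOLD = 5                   # failed logins within WINDOW before the IDS reacts
WINDOW = 60                     # seconds

class FirewallWithIDS:
    def __init__(self):
        self.dynamic_blocks = {}            # source IP -> time the block was created
        self.failures = defaultdict(deque)  # source IP -> timestamps of recent failures

    def handle(self, ts, src, port, outcome):
        # 1. Rules the IDS created dynamically are checked first.
        if src in self.dynamic_blocks:
            return "DROP"
        # 2. Static policy: a plain firewall stops here and passes anything on an allowed port.
        if port not in STATIC_ALLOW_PORTS:
            return "DROP"
        # 3. The IDS inspects what the firewall let through, looking at behaviour over time.
        if outcome == "login_failed":
            recent = self.failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()               # forget failures outside the window
            if len(recent) >= THRESHOLD:
                self.dynamic_blocks[src] = ts  # new firewall rule created by the IDS
                return "ALERT"
        return "ACCEPT"

def run(events=EVENTS):
    """Return the verdict for each event and the sources the IDS blocked."""
    fw = FirewallWithIDS()
    return [fw.handle(*e) for e in events], sorted(fw.dynamic_blocks)
```

The single failure from the second source never reaches the threshold, which is the point the review makes about an IDS telling a real attack apart from ordinary noise a plain firewall would either pass or block wholesale.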
...do I need one?
Maybe? If you don't run any servers on your computer, which includes things like file sharing, web servers, or apps such as Gnutella, then an application-control firewall such as ZoneAlarm may be better for you. I suggest you try both and see which you prefer, although identifying whether you have good security or not isn't something that you are going to be able to easily determine. One of the advantages of BlackIce is that its IDS can identify some harmless traffic that other firewalls may scream about, so how much the program bugs you isn't really an indication of your level of security. ZoneAlarm can be downloaded for free from http://www.zonelabs.com
Another advantage of the BlackIce approach is that it provides you with very detailed information about any events and attacks, including the full packet logs of any attacks. The main screen describes the events in fairly simple English, however. BlackIce can back-trace attacks to find out a wealth of information about the attacker; for attackers running Windows this can even reveal their username, computer name, and MAC address. BlackIce can also be used as a packet logger, although you need additional software such as the free Ethereal (http://www.ethereal.com/) to analyse this information.
The IDS can also open holes in the firewall when necessary, which is better than having holes open all the time. For example, even on the most secure setting BlackIce can properly handle the common "Active FTP" problem, and allow popular UDP protocols such as Netmeeting, NTP, and some games to operate safely without disrupting your workflow with bogus alerts. Remember that it is the holes that you open in the firewall that are the security risk, and by carefully controlling some of these holes for you, BlackIce can keep your system more secure.
The IDS in BlackIce is really excellent; it is the same engine as used in ISS's high-end enterprise products.
Outgoing application protection
New to version 3.5 is application protection. This feature detects when unauthorised code runs on your computer and gives you the opportunity to allow it to run, or to terminate it. If you do allow the software to run, BlackIce will alert you again if the software attempts to access the Internet.
Application protection is a quite separate module from the firewall/IDS component of BlackIce, although it is controlled from the same interface. You can choose to disable it if you prefer.
BlackIce's application protection has advantages and disadvantages compared with the approaches used in other firewalls such as ZoneAlarm. With BlackIce you must ensure that your computer is free from viruses and trojans when you install it. It can be a bit irritating to be prompted every time you install a new application, but because it detects software before it even has the chance to run it offers greater protection. There is little chance of a trojan deliberately trying to crash the firewall, because the program can't even run until you approve it. Also, the application protection will detect changes to DLLs and other stealthy ways to access the Internet which other programs may not detect.
That said, I chose to disable this option. As an IT professional I install a lot of software, and I am careful with email attachments so I feel safe without it. However it may be useful for many users.
Support
ISS seem to be quite forthcoming with the product's limitations in their README file and their Knowledge Base, which is good to see.
It is worth knowing that the price includes a year's worth of free upgrades and support, and you can extend this support for another year online. The software is still licensed for use after 12 months, but you won't be able to download any more free upgrades.
An evaluation version of BlackIce is available, but it is a bit hard to find on the site, so here is the link: http://blackice.iss.net/eval.php
The user interface
BlackIce has a plain user interface, which I prefer to the flashy interfaces of some of its competitors. If you don't use the application protection module, BlackIce won't bother you with pop-up warnings all of the time, so you won't see much of the user interface most of the time.
BlackIce can make audible alerts and flash the systray icon when an alert occurs, and it allows you to customise the levels at which these events occur. You can set BlackIce to ignore certain types of alerts, block and trust specific intruders, and set up specific firewall rules from the interface.
Avoiding misinformation
If you buy BlackIce then reading the documentation is a must if you want to be informed about the product. A "popular security site" has spread a lot of misinformation about BlackIce, so it is best to learn about the topic yourself. A popular gotcha is that BlackIce doesn't block ICMP pings or connections to the ident service by default. This is done for sensible reasons described in the documentation, but like most things it is configurable, and if required they can be blocked.
BlackIce is highly configurable; the default settings are probably fine for many people, although the advanced configuration has to be done by editing .ini files. If you are a bit of a security enthusiast with a good knowledge of TCP/IP then I recommend reading the Advanced Administration Guide on ISS's site, and having a look at Robert Graham's site at http://www.robertgraham.com; he is the CTO of ISS and has some excellent information.
Additional Information
I run Windows XP Home. I have tried some other firewalls including ZoneAlarm, Tiny Personal Firewall, and some others that I wasn't keen on, but BlackIce is my favourite because of its excellent IDS capabilities.
Finally, don't get too obsessed with a firewall. After you have had a bit of fun playing around with BlackIce for a few weeks, set it to only alert you about "orange alerts"; if you find yourself looking at the logs every five minutes you have a problem, so sit back and watch TV or something :). Unless you are quite experienced in TCP/IP you will probably have difficulty knowing the difference between an attack, some lamer scanning you, and normal Internet "background noise". I suggest reading http://www.samspade.org/d/persfire.html; whilst this is arguably an extreme view, I think it is fairly sensible. If you don't understand your firewall logs then you could ask someone about them in a newsgroup or something, but the main thing to understand is that the firewall blocked the attack, so you can probably ignore it.
Recommended:
Yes
Epinions.com ID: daveP86
Member: David Powell
Location: Stoke-on-Trent, England
Reviews written: 9
Trusted by: 3 members
About Me: 23 year old computer scientist from England.