Dennis,

That was a very old version of BlackIce Defender you are referring to. I know exactly which version you are talking about as I had similar problems with it. However, NetworkIce seems to be a pretty responsive company when it comes to complaints, and I beta test their products for them.

All of the dev/null stuff has been eliminated in the last few releases, including erroneous reports and extraneous information. You should try it now; I think you will be more impressed than the experiences you had with the older version.

-----Original Message-----
From: Dennis Dayman [mailto:ddayman@mail-abuse.org]
Sent: Friday, November 03, 2000 11:21 AM
To: nanog@merit.edu
Subject: RE: Security on a home DSL Line
Hmm.. Zone Alarm is a nice product, but I'd prefer to use BlackIce Defender for all my Wintel boxes.
When I was Director at SBCIS we /dev/null'd complaints coming in from BlackICE. It tends to report unnecessary information or attempts. It said things about TCP 80, it would report customers' other Windows boxes on the same home DSL line doing netbios, and sometimes, depending on their mail client setups, would report them checking their own e-mail.

---------------------------
Thanks
Dennis Dayman
Senior Consultant
Consulting Services Group at MAPS
http://www.mail-abuse.org
ddayman@mail-abuse.org
Voice/FAX 972-682-7556
------------------------------------------------------------------------------
What goes up, must come down. Ask any system administrator.
------------------------------------------------------------------------------
You should try it now, I think you will be more impressed than the experiences you had with the older version.
I will, thanks for the info, but I will say this... nothing like a good non-Win box after the DSL router/bridge. ; )

Thanks
Dennis Dayman
It still doesn't do things like list the source port of the offending attack. It still reports things like traceroutes as suspicious activity. It's not so much that BlackIce is a bad product, it's the fact that most of the users who use it and the other software packages like it are generally not very clued and will fly off the handle reporting all sorts of things as attacks or attempts to access their computer.

I've actually spent an entire weekend being paged by our NOC to deal with someone who had BlackIce, and another program that would e-mail abuse@ for the IP address it considered to be attacking; in this case what it was saying was a UDP flood coming from various IPs of equipment we have. One thing led to another, and it turned out he was being UDP flooded by streaming media servers (RTSP anyone?), and his automated reporting facility was mailing these complaints out to the NOC. We had another person who was screaming bloody murder about being hacked, when he was tracerouted to twice over a 24-hour period. That hardly counts as an intrusion.

Generally, if someone is having an issue and all they have to go on is BlackIce output, we need pretty evident proof that there's an actual problem. One cool feature is the fact that BlackIce can detect certain types of traffic, like nmap scans, queso, snmp queries, and the like. But if all I've got to go on is a 5 packet 'UDP flood,' the source IP, the destination IP, and the destination port, it gets old quick. Couldn't it just look at the source port and say "This looks like RTSP," or "This is only 5 packets, probably not a big deal"?

It really depends on how sensitive the person who has it sets it, but I've yet to see anyone who doesn't set it as high as it will go. A warning that says it might be as ultra-paranoid as a strung out conspiracy theorist at the highest settings might not be a bad idea. I think the last version we looked at was the latest version available in July/August.
We were looking at it to use as a firewalling solution for our mobile users, but we just couldn't deal with the amount of calls people would make to us saying they were being scanned by all the local windows machines on the network while they were in the office, or countless other issues. We're still looking at other solutions, but few really have any sort of centralized monitoring/reporting ability.

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named because I don't speak for them here. I have public opinions, and they don't.

On Fri, 3 Nov 2000, Rishi Singh wrote:
That was a very old version of BlackIce Defender you are referring to. I know exactly which version you are talking about as I had similar problems with it. However NetworkIce seems to be a pretty responsive company when it comes to complaints and I beta test their products for them.
All of the dev/null stuff has been eliminated in the last few releases, including erroneous reports and extraneous information. You should try it now, I think you will be more impressed than the experiences you had with the older version.
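The source-port and packet-count checks Joe wishes BlackICE performed, as an added example that is not part of the thread or of any NetworkICE product; the port table, the thresholds, and the sample alerts are assumptions constructed for illustration:

```python
# Added example (not from the thread or NetworkICE): a triage pass over
# constructed BlackICE-style alert records that applies the two checks Joe
# asks for before anything reaches abuse@: does the source port explain the
# traffic, and is the volume actually worth a report?
from collections import Counter
from dataclasses import dataclass

# Server-side ports that plausibly explain low-volume traffic back to a client.
# RTSP control is port 554; the RTP data channel uses negotiated ports, so this
# lookup is only a first pass (assumed heuristic, not a sensor feature).
KNOWN_SOURCE_PORTS = {554: "RTSP", 53: "DNS reply", 123: "NTP reply"}
TRACEROUTE_PORTS = range(33434, 33535)  # default Unix traceroute UDP probes
FLOOD_MIN_PACKETS = 1000                # fewer than this is not a "flood"

@dataclass(frozen=True)
class Alert:
    kind: str       # what the sensor called it, e.g. "UDP flood"
    proto: str      # "udp", "tcp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int

def triage(a: Alert) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'ignore', 'review' or 'escalate'."""
    if a.proto == "udp" and a.dst_port in TRACEROUTE_PORTS and a.packets < 100:
        return "ignore", "traceroute probe, not an intrusion"
    if a.src_port in KNOWN_SOURCE_PORTS:
        return "ignore", f"source port {a.src_port} looks like {KNOWN_SOURCE_PORTS[a.src_port]}"
    if a.kind.endswith("flood") and a.packets < FLOOD_MIN_PACKETS:
        return "ignore", f"only {a.packets} packets, probably not a big deal"
    if a.packets >= FLOOD_MIN_PACKETS:
        return "escalate", f"{a.packets} packets from one source"
    return "review", "no benign explanation found"

def report_worthy(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per source IP that survive triage (review or escalate)."""
    return dict(Counter(a.src_ip for a in alerts if triage(a)[0] != "ignore"))

# Constructed sample alerts modelled on the cases in the message above.
SAMPLE = [
    Alert("UDP flood", "udp", "192.0.2.10", 554, "198.51.100.7", 6970, 5),
    Alert("UDP flood", "udp", "192.0.2.11", 40000, "198.51.100.7", 6971, 5),
    Alert("UDP probe", "udp", "203.0.113.5", 48123, "198.51.100.7", 33436, 3),
    Alert("UDP probe", "udp", "203.0.113.5", 48124, "198.51.100.7", 33438, 3),
    Alert("UDP flood", "udp", "203.0.113.9", 40001, "198.51.100.7", 1434, 25000),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.src_ip, *triage(a))
    print(report_worthy(SAMPLE))
```

Only the 25,000-packet source survives the pass; the two 5-packet "floods" and the two traceroute probes are dropped with a stated reason instead of becoming an abuse@ mail.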