Personal Firewalls Tests: BlackICE Defender

An analysis of mini-firewalls for Windows users

by Seán Boran

This article is a part of a series of tests on Personal Firewalls / Intrusions Detection Systems. Refer to 1 for an introduction to Personal Firewalls, risks, tips on 'hardening' your Windows even without a firewall, a feature comparison and a summary of analyses.

This report focuses on BlackICE Defender.

News:
  • 12.Feb.02: Check out the eEye security alert ISS BlackICE Kernel Overflow Exploitable. Make sure you have it patched. It is a bad indication of software quality, perhaps more such bugs are lurking.

Security Effectiveness tests

Key criteria in choosing a Personal Firewall are:

How did we test firewall/intrusion detection effectiveness?

a) Ping and accessing shares to and from the test host.

b) A powerful, well known 'remote control' trojan (Netbus Pro v2.1) 3 was installed on the system on a non standard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

c) The telnet server was enabled on the Win2k test PC. It was then attempted to connect to this service remotely. It is not recommended that you enable telnet, we do this purely for testing purposes.

d) An nmap 2 scan was run against each product (see below), to check that incoming ports were effectively blocked. With no firewall installed, the test PC (Win2k sp1) presented nmap (nmap -sT -P0 -O IP_ADDR) with the following ports:

Port      State   Service
7/tcp     open    echo
9/tcp     open    discard
13/tcp    open    daytime
17/tcp    open    qotd
19/tcp    open    chargen
23/tcp    open    telnet
135/tcp   open    loc-srv
139/tcp   open    netbios-ssn
445/tcp   open    microsoft-ds
1025/tcp  open    listen
No OS matches for host
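To make step (d) repeatable, the baseline listing above can be compared mechanically with a scan taken after the firewall is installed, so that any port still reachable stands out. The following script is an added example for this review (not code from the original article or from any of the products tested); both scan listings are constructed inline, the "protected" one being hypothetical.

```python
"""Compare two nmap port listings (before and after installing a personal
firewall) and report which incoming ports are actually closed off."""
import re
from typing import Dict, Set

# Constructed: baseline scan of the Win2k test PC with no firewall,
# in the same layout as the listing in the article.
BASELINE = """Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
23/tcp open telnet
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
No OS matches for host
"""

# Constructed (hypothetical) scan with a firewall active: NetBIOS is still
# reachable and nmap reports a couple of ports as merely "unfiltered".
PROTECTED = """Port State Service
139/tcp open netbios-ssn
113/tcp unfiltered auth
1026/tcp unfiltered unknown
No OS matches for host
"""

# Matches a port line such as "23/tcp open telnet"; header and OS lines are skipped.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text: str) -> Dict[str, str]:
    """Map 'port/proto' -> state for every port line in an nmap listing."""
    ports: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return ports


def firewall_report(before: str, after: str) -> Dict[str, Set[str]]:
    """Classify baseline ports as blocked or still open, and collect ports the
    second scan reports as 'unfiltered' (reachable, but not confirmed open)."""
    b, a = parse_scan(before), parse_scan(after)
    still_open = {p for p in b if a.get(p) == "open"}
    blocked = set(b) - still_open
    unfiltered = {p for p, s in a.items() if s == "unfiltered"}
    return {"blocked": blocked, "still_open": still_open, "unfiltered": unfiltered}
```

Any entry under "still_open" is a service the firewall failed to hide, which is the condition step (d) is meant to catch.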


BlackICE Defender

The first product tested was NetworkICE's BlackICE Defender 4. A few quotes from the web site:

...BlackICE works continually to defend servers and workstations from over 200 hacker signatures including the Melissa Worm, “Slow Scans” and “Back Orifice.” Even if hackers bypass firewalls or intrusion defenses, BlackICE bars entry at the desktop and server.

Many versions were tested from V1.8.6 in Dec.99 to V2.1.cb, on NT4/sp5 and Win2000.

Features
Security Effectiveness

a) The Netbus server
BlackICE did not notice the server being started, but it could not be connected to remotely (a 'TCP port probe' was reported).

b) An nmap scan

BlackICE does notice nmap scans by flashing a red icon; the attacks window reports "TCP Port scan", "TCP port probe", "NMAP OS Fingerprint", "TCP Ace ping", "TCP OS Fingerprint" and "UDP Port Probe", among many others, which is pretty good. Nmap returned a massive list of "unfiltered" ports: port 113 and many ports between 1024 and 65031. Nmap was unable to identify the OS either.

c) General

While browsing the Internet, I was subjected to PCAnywhere, BackOrifice and several TCP port scans (all identified by BlackICE). It certainly is a useful tool for increasing user awareness about the dangers of the Internet.

Advantages
Disadvantages
  1. Not free and no demo version available for download.
  2. It would be nice if power users could customise the rules more. The file firewall.ini can be manually edited to block/allow UDP/TCP ports. It would be better to be able to specify port ranges or wildcards, and even better to be able to filter state-based protocols like FTP. It would also be better if individual ports could be opened/blocked from the GUI rather than by hacking the firewall.ini file.
  3. The default configuration does not protect against Trojans like Back Orifice.
  4. BlackICE waits until a connection is made before it takes action; it doesn't prevent a connection by shutting down the system's ports.
  5. Outgoing ports cannot be blocked.
  6. False alarms when used on a LAN: from SNMP servers, network management agents, NetBIOS connection attempts, Exchange servers etc. (these are not really annoying as they only generate "yellow" alerts). This is not necessarily a bug: on a large corporate Intranet there can be many such harmless connections, whereas in a hostile environment such as the Internet it is good to know about such probes. So it depends on your needs.
  7. The attacks window cannot be "drilled down" to list exactly what ports were connected to and what (packet) information was sent. (Clicking on the advICE button does help, as the port can be seen in the URL, and the file attack-list.csv can be examined.)
  8. False positives: one often sees "UDP port scan" but doesn't know exactly what is causing it: a real scan, heavy DNS or SNMP traffic, etc. In one case it was an Exchange server trying to make a (legitimate) connection back to an Outlook client, and BlackICE didn't help discover the reason at all. attack-list.csv can be examined to see what port number was used.
  9. No tool to browse packet or evidence logs (but some of the logs are in CSV format, easily browsed with Excel). However a third party tool is available 5.
  10. Deinstalling could be cleaner, Registry Keys are left behind. Optionally, the NetworkIce directory is left in C:\Program Files\ with configuration and logs files, which is useful.
  11. BlackICE does not allow copy/paste of IP addresses for use in a traceroute.
  12. Bugs
Tips

I used BlackICE for several months, sometimes on the Intranet, Internet and Intranet via VPNs. It worked well and was set up as follows:

Tools|Preferences: Visible indicator=Red/Orange (not yellow), no sound.
Tools|Settings: Paranoid, Allow NetBIOS Neighborhood, Enable Evidence log. I added the IP address of my Exchange server, VPN gateway and known Intranet SNMP manager servers to "trusted addresses".

Summary

Useful, easy to use, unobtrusive.
Laptop users will appreciate powersaving modes working properly.
Corporate users will appreciate the centralised management.

Not the most effective security (outgoing ports are not blocked), and power users may be disappointed at not being able to customise packet filter rules.


References

  1. Personal Firewalls/Intrusion Detection Systems (The base reference for this article).
    pf_main20001023.html
  2. Nmap
    http://www.insecure.org/nmap

  3. Netbus Pro: Remote control program often used as an attack tool to control remote PCs.
    http://netbus.nu/

  4. NetworkICE's BlackICE Defender  
    http://www.networkice.com/Products/BlackICE/default.htm
    • How do I block an IP address permanently? 
    http://advice.networkice.com/Advice/Support/KB/q000030/default.htm
    • Format of Firewall.ini file 
    http://advice.networkice.com/Advice/Support/KB/q000091/default.htm
    • Ignoring an internal adapter
    http://advice.networkice.com/Advice/Support/KB/q000023/default.htm
  5. Firewall Log Analyzers from Brady & Associates, LLC, for BlackICE, ZoneAlarm and Winroute. The BlackICE log analyser was tested and works well. It costs $20.- for BlackICE, $10 for ZoneAlarm, with a one month evaluation period.
    http://clearice.hypermart.net/
  6. Other reviews available on the web:
    http://www.webattack.com/reviews/blackice_rv.shtml

Changes to this article

18.Oct.00 Published


Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, Seán Boran, All Rights Reserved     Last Update: 13 February 2002