Is BlackIce a poor personal firewall?

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Don't have much experience with it but have heard rumors that BlackIce is inherently insecure as a personal firewall.

Some security consulting firm just told me that blackice rocks (mainly because they bought them) and I'm having my doubts.

Can anybody who is in the know enlighten me on BlackIce's reputation?

thanks bunches,
spidey
 

bex0rs

Golden Member
Oct 20, 2000
1,291
0
0
The Gibson doesn't like it too much. There is an article on his site about how bad it is, and of course promoting ZoneAlarm.

~bex0rs
 

Eug

Lifer
Mar 11, 2000
23,752
1,309
126
BlackICE does nothing to monitor outgoing traffic, hence the bad reputation. However, the review sites seem to think it does about the same as the other personal firewall programs for incoming traffic. Gibson hates it, but then again Gibson loves to rant. OTOH, Zone Alarm is free and does more than BlackICE. (I personally don't like the user interface of ZA though.)

ie. if you're already behind a router I guess there's not much point to BI, but most people who would use it currently have essentially nothing.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
This is to protect a rather large remote-access VPN rollout. Have a few thousand people that need broadband access to corporate network. No problem, got good VPN setup for that and all the goodie authentication that goes along with it.

The big problem? How do I protect our internal network from trojans and other hacker tools that could be loaded on these remote machines that I have no control over? Well if I can put a personal firewall that has some small form of intrusion detection built in I'll be happy with that. This personal firewall just HAS to have the ability for me to centrally manage policies, logging and reporting. That and the ability for me to disallow any user changes.

see my dilemma?

thanks again, if it doesn't block outbound connections then what the heck good is it?!!!!
 

Snoop

Golden Member
Oct 11, 1999
1,424
0
76
spidey07, try this one, it's made by Tiny Software and it's free. I'm not sure it will do all the things you need but check it out.

Here is a review of it at Speedguide, it was 29.95, now it's free to home users.
 

Xanathar

Golden Member
Oct 14, 1999
1,435
0
0
Spidey, possibly look into Checkpoint Secure Client? It is a firewall that is in effect only when a user is connected to the corporate VPN, you can also control all their access during this period also (Web, Mail, etc). The only downfall is cost.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
thanks JACK, i'm asking a little more than most personal firewalls do. It is the central administration and "keep users from muckin' wit it" that I need.

I'm still a little wary of a so called "leader in their field" security company toutin how great blackice is.

Does blackice really bite in terms of security?

Xanathar,
yep been doing some testing with CP client. Pretty nice, but the licenses are a little high.
 

iNo712

Member
Jan 28, 2000
144
0
0
I'm probably way over my head here, but what about Tiny Personal Firewall? Tiny Software is free for personal use and they have some pricing info for commercial use on their website. It has remote administration, password protection so users can't change the settings, and logging capabilities.

Just a suggestion...

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< BlackICE does nothing to monitor outgoing traffic, hence the bad reputation. However, the review sites seem to think it does about the same as the other personal firewall programs for incoming traffic. Gibson hates it, but then again Gibson loves to rant. OTOH, Zone Alarm is free and does more than BlackICE. (I personally don't like the user interface of ZA though.)

ie. if you're already behind a router I guess there's not much point to BI, but most people who would use it currently have essentially nothing.
>>



If you are behind a real router with real stateful packet filtering capabilities, and that router is set up well and securely and your systems are hardened correctly, no you won't need a firewall. I will rant about Blackice shortly, but zonealarm is at the top of my list of personal firewalls.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< This is to protect a rather large remote-access VPN rollout. Have a few thousand people that need broadband access to corporate network. No problem, got good VPN setup for that and all the goodie authentication that goes along with it.

The big problem? How do I protect our internal network from trojans and other hacker tools that could be loaded on these remote machines that I have no control over? Well if I can put a personal firewall that has some small form of intrusion detection built in I'll be happy with that. This personal firewall just HAS to have the ability for me to centrally manage policies, logging and reporting. That and the ability for me to disallow any user changes.

see my dilemma?

thanks again, if it doesn't block outbound connections then what the heck good is it?!!!!
>>



I am trying to remember who (And I will try to look through my notes to check if I do not get back to you and you don't find out shortly send me a msg) several VPN companies are integrating blackice into their products. Also I think the linksys routers can do some filtering and be configured for vpn operation which may help with this. If you can get a solution that will only allow the user to go through the vpn over your network it should help. And no matter what any marketing fool tells you make sure the vpn users go through a properly configured firewall!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I mentioned in another thread somewhere that the security community seems to be divided on blackice. Some people swear by it and some swear at it. If I had a Windows machine (behind my OpenBSD boxes of course) I would try zone alarm and blackice (seen it done) at the same time. This gives you the benefit of both. Blackice has the benefit though of being able to be managed at a central location. This ensures that blackice is set up the way you want it set up. Also think about a norton license (I am sure they have site licenses or something that would work) for everyone who would connect through a vpn. If there is a way you could have an update be applied when logging into the domain through a script or something you might be able to get a full night's sleep instead of worrying about this all night long.

 

Lightbulb

Member
Nov 8, 1999
41
0
0
BlackICE couldn't block outgoing connections; it only secures some or any ports from someone attempting to hack. But it won't act as an agent for monitoring ports.
Try ZoneAlarm Pro. So far, I think it's the best software firewall out there. It helps you monitor incoming & outgoing connections.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
thanks guys,

I'm probably going to stick with CheckPoint's firewall/VPN client (run about 6 checkpoint firewalls anyway). It really does all I need it to. The small personal firewalls just don't have the features I need.

thanks again!
spidey
 

Southerner

Member
Jun 21, 2001
129
0
0
This is to protect a rather large remote-access VPN rollout. Have a few thousand people that need broadband access to corporate network.
...
The big problem? How do I protect our internal network from trojans and other hacker tools that could be loaded on these remote machines that I have no control over?


Short answer: pay the money (probably $250/hour) to have someone competent come out, look at your business, evaluate the risks you're facing, and recommend appropriate security policies and countermeasures.

Longer answer: you can't stop your users from surfing the internet and running a trojan executable labelled "Britney Speers HOT XXX clip." Making sure your users are running something like Norton AV + Zone Alarm (do the right thing and buy a license if you're using it for business) increases the odds of catching the file before it can do any harm (Norton should alert; if not, Zone Alarm will request permission before allowing the trojan access to the internet), but *someone* is going to be a dope and do something stupid.

You've got to figure out how to limit the damage that can happen when a client machine does get compromised, and the answer is going to be specific to you -- no-one here can really help. There are decent books on designing security policies that you can buy, but nothing that can answer the questions you've got *now* with any authority.

And BTW, what you're looking for is a good security policy -- trying to come up with countermeasures before you've defined the risks you're facing and the possible/probable losses resulting from a security compromise is foolishness.

Possible answers include: locking down client machines as much as possible; installing firewalls/routers that allow no internet access -- only VPN tunnels to work are allowed; basing access to corporate resources on something other than a password (smart card might work); allowing users to access the system via Metaframe only with appropriate security policies enabled on the server, etc.

There's nothing anyone here can really tell you without knowing more about your situation. Hire a competent consultant.

No offense intended to the poster or other thread participants. It sounds like you're talking about a (possibly expensive) business decision, but you're approaching it from more of a hobbyist's perspective.

As always, IMHO.
 

Southerner

Member
Jun 21, 2001
129
0
0
Oh yeah -- forgot. Black Ice is cool to watch, but it (used to) have the problem that it would stop filtering traffic but would still look like it was functioning normally.

They may have fixed the issues (this was something like a year and a half ago), but I'm disturbed by the existence of the original problem. As far as I'm concerned, a firewall should deny-as-default, and a failure should take the internet connection down rather than maintain an insecure connection.

Again, this is old information, but may say something about the design philosophy behind the product.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76


<< No offense intended to the poster or other thread participants. It sounds like you're talking about a (possibly expensive) business decision, but you're approaching it from more of a hobbyist's perspective. >>



The security consultant idea you recommended would be me. I've already talked to three different security companies and am none too impressed (one of them just bought networkICE and was toutin how great it is). I've already designed and installed most of the security infrastructure, written security policy and reaction procedures.

All I'm left with now is how to safely and effectively roll out broad-band based VPN remote access and still protect network against "sally jeans" computer or little brat that likes to play with hack tools.

Now I'm starting to get an even better idea!
As long as there is some kind of firewall on home PC then I don't care...I'll manage what you can do through an already in place firewall (between VPN concentrator and internal net). That way I don't have the headache of managing home pcs.

sweet I like simple
 

Salvador

Diamond Member
May 19, 2001
7,058
0
71
Someone told me that Blackice was weak and told me to try Neoworx. Is this firewall any good?

I've been running Zone Alarm and it seems fine. Blackice is less obtrusive to the user, but I bet it's because it doesn't protect as well as Zone Alarm. The price was right on Zone Alarm too.

I haven't had a chance to try out Neoworx yet and since I found this thread, I thought that I would throw it out to you network experts and see if there were any opinions on this software.

Also.. Someone mentioned about a "real" router protecting a network so you wouldn't need a firewall. What is exactly meant by a "real" router? My Netgear RT314 wouldn't happen to fall under the "real" category, would it?

TIA,

Sal
 

Jvolm

Member
Apr 4, 2001
102
0
0
Blackice is great for telling you that someone just tripped into your system from the outside. It does not block the access unless you had specified that it block that IP.

It does not tell you anything about outgoing traffic, and it does not default block inbound traffic.

Get Zone Alarm from Zone Labs. It works a lot better, and it's free for personal use.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Someone told me that Blackice was weak and told me to try Neoworx. Is this firewall any good?

I've been running Zone Alarm and it seems fine. Blackice is less obtrusive to the user, but I bet it's because it doesn't protect as well as Zone Alarm. The price was right on Zone Alarm too.

I haven't had a chance to try out Neoworx yet and since I found this thread, I thought that I would throw it out to you network experts and see if there were any opinions on this software.

Also.. Someone mentioned about a "real" router protecting a network so you wouldn't need a firewall. What is exactly meant by a "real" router? My Netgear RT314 wouldn't happen to fall under the "real" category, would it?

TIA,

Sal
>>



I did not see a mention of stateful packet filtering on Netgear's page so I would say it does not fit the description I provided. I doubt your system is hardened as well as it should be anyhow. Keep the firewall, at least you may feel secure.
 

lamplighter

Senior member
Apr 25, 2001
383
0
0
I'm not in "the know" but I do use Blackice. I like it, except the past few days I have been getting "Filter failed" errors :| Anyone else having this problem?


 

pissedoffwookie

Junior Member
Jun 19, 2001
6
0
0
I'm enjoying my ISA server and love the control, and the ability to filter attachments on incoming mail. But the main thing I like about ISA server is the dynamic ports, what a brilliant idea, close all ports unless an authorized client needs access then just open what they need.
 

Bglad

Golden Member
Oct 29, 1999
1,571
0
0
I agree, pay someone to look at your system if it is that big.

But... ZoneAlarm Pro is configurable like you asked, can be password protected so employees cannot change settings and will route intrusion alerts to the host computer. Not free but still cheap and easy to manage on lots of computers.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
thanks for the help guys.

I'm going the route of "as long as you have some sort of software firewall on your machine then that is good enough for me". I decided I DON'T want my NOC or helpdesk to manage firewall policy on personal home computers.

1) already use SecurIDs for remote access, been using it for VPN access anyway. So in order to even connect you have been identified, authenticated and logged. Address filters have been pushed to you. One-time passwords in use here as well.

2) OK, so that keeps out the riff raff. No split tunneling is allowed so you can't be a gateway.

3) Well, if you have some kind of trojan I really don't care. The VPN network that you have access to is isolated/protected by firewalls and IDS which shut you down automagically if hacking-like activity is occurring. IDS alerts go immediately to NOC/openview which is monitored and staffed by at least 4 guys 24x7.

Seems a decent compromise between security and ease of use. Hey if joe user has virus or trojan on his machine and gets immediately denied then that is not my problem. security policy states you can only communicate if security systems have verified acceptable risk (defined in another section)

I've always liked zone alarm, so probably go with that.

whew! been a fun week. Believe it or not there are a large number of ways to approach this decision. This technology solution was based on a risk assessment, which was approved by legal, audit and risk management. I love it when a plan comes together!

thanks again fellas!
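
An added example, not posted by anyone in the thread: one way to audit the "no split tunneling" rule from point 2 by inspecting a client's routing table while the VPN is up. The route tables, the interface names (`vpn0`, `eth0`, `lo`) and the gateway address are constructed for illustration, and the policy assumed here is strict (even a local LAN route outside the tunnel is flagged).

```python
import ipaddress

# Constructed sample data (documentation-range addresses), not from the thread.
VPN_GATEWAY = "203.0.113.10"   # placeholder for the VPN concentrator's public IP
TUNNEL_IF = "vpn0"             # hypothetical tunnel interface name

FULL_TUNNEL = [
    ("0.0.0.0/0", "vpn0"),          # everything goes through the tunnel
    ("203.0.113.10/32", "eth0"),    # encrypted packets to the concentrator
    ("127.0.0.0/8", "lo"),
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),          # internet traffic bypasses the tunnel
    ("10.0.0.0/8", "vpn0"),         # only corporate prefixes use the VPN
    ("203.0.113.10/32", "eth0"),
    ("127.0.0.0/8", "lo"),
]

def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def split_tunnel_findings(routes, tunnel_if=TUNNEL_IF, gateway=VPN_GATEWAY):
    """Return every route that lets traffic leave outside the tunnel."""
    # Only the host route to the concentrator and loopback may avoid the tunnel.
    allowed = {ipaddress.ip_network(gateway + "/32"),
               ipaddress.ip_network("127.0.0.0/8")}
    findings = []
    for cidr, iface in routes:
        if iface != tunnel_if and ipaddress.ip_network(cidr) not in allowed:
            findings.append((cidr, iface))
    # Also catch a missing default route: probe an arbitrary internet address.
    if egress_interface(routes, "198.51.100.1") != tunnel_if:
        findings.append(("internet egress", "not via tunnel"))
    return findings

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, split_tunnel_findings(table) or "OK")
```

An empty result means the client cannot reach the internet and the corporate network at the same time, which is what keeps a compromised home PC from acting as a gateway.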

 