Penetration Testing mailing list archives

Re: [PEN-TEST] BlackICE


From: Jonas <jbull () HUBSERV COM>
Date: Wed, 13 Sep 2000 12:31:34 +0000

James Kelly wrote:

I work at a major isp who will remain nameless and I see countless Blackice
logs in my daily work.
My gripes against it are:
1. It takes a computer with not many or no ports open and opens ports to listen
on them, thereby making your computer an attractive target for would-be
attackers.
2. The logs it creates are nonstandard and difficult to get at. I need to see
src port and ip, destination port and ip and I don't want to see what BlackIce
interprets...The logs are also not very informative.
3. I've had many instances where BlackIce has misinterpreted a traceroute or a
ping for an attack.

Frankly, with all the talk on this list about "false positives" on scanning
tools, I'm surprised anyone knowledgeable enough to read this list
would buy such a low-rent product....just my two cents worth though;_)

I also work for an (albeit small) isp.  We gave Blackice a shot, and
while I was not particularly impressed, it did accomplish one goal,
which was reassuring mgmt that a) things were being done to prevent
intrusion, and b) my job was worthwhile.

We got vast quantities of false positives, and, more frightening, it
took very little effort to produce false negatives.  I initially pushed
for a stronger system, but soon decided that I would leave that alone
and work out a local solution.  A pro-active approach to locking down
ports, periodic pen-testing (fortunately I have near free-rein in that
regard), and a few improvements of my own which are still in
development, are keeping us mostly safe, keeping me in a job, and not
killing us for cash.

Anyway, I figured that as a mgmt happy, Black Ice is cheap at the price.
--
Jonas

"Never mistake motion for action." --Ernest Hemingway
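The first gripe in the quoted post, that the product opens listening ports on a host that had few or none, is something you can verify rather than take on faith. The script below is an added example for this archive page, not code from either poster or from the BlackICE vendor: it parses `netstat -an` output (Windows and Linux formats are both handled), keeps only bound UDP sockets and TCP sockets in LISTEN/LISTENING state, and reports what appeared between a snapshot taken before an install and one taken after. The sample netstat text and the port numbers in it are constructed for the example and say nothing about what any particular product opens.

```python
"""Diff listening sockets before and after installing a host agent.

Added example, not from the original mailing-list post. It assumes the
text layout of `netstat -an` on Windows and on Linux; all sample output
below is constructed and the port numbers in it are hypothetical.
"""
import subprocess
from typing import Set, Tuple

Listener = Tuple[str, str, int]  # (protocol, local address, local port)


def listening_sockets(netstat_text: str) -> Set[Listener]:
    """Return the set of sockets that accept traffic from the network.

    TCP entries count only in LISTEN (Linux) or LISTENING (Windows) state;
    UDP is connectionless, so every bound UDP socket counts.  Header lines
    ("Proto ...", "Active Connections") and established connections are
    skipped.
    """
    found: Set[Listener] = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        proto = parts[0].lower()
        if not proto.startswith(("tcp", "udp")):
            continue
        # Windows puts the local address right after Proto; Linux puts
        # Recv-Q/Send-Q first.  Either way it is the first token with a colon.
        local = next((p for p in parts[1:] if ":" in p), None)
        if local is None:
            continue
        addr, _, port = local.rpartition(":")  # handles [::]:80 and :::80 too
        if not port.isdigit():
            continue
        state = parts[-1].upper()
        if proto.startswith("tcp") and state not in ("LISTEN", "LISTENING"):
            continue
        found.add((proto, addr, int(port)))
    return found


def new_listeners(before: str, after: str) -> Set[Listener]:
    """Sockets present in `after` that were not listening in `before`."""
    return listening_sockets(after) - listening_sockets(before)


def capture() -> str:
    """Take a live snapshot; run this before and after the install."""
    return subprocess.run(["netstat", "-an"], capture_output=True,
                          text=True, check=True).stdout


# Constructed Windows-style snapshots (hypothetical ports).
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1040       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

AFTER = BEFORE + """  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:5001           *:*
"""

# Constructed Linux-style snapshot, to show the other layout parses too.
LINUX = """
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, addr, port in sorted(new_listeners(BEFORE, AFTER)):
        print(f"new listener: {proto} {addr}:{port}")
```

Run it once with the constructed snapshots to see the report, then swap in `capture()` on the real machine: save its output to a file before installing the agent, install, and feed both snapshots to `new_listeners`. Anything it prints is a port the install opened and the first thing to probe in the periodic pen-test the poster describes.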

