Firewall Wizards mailing list archives

Re: FW: BlackIce Defender???


From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 26 Oct 1999 21:29:23 -0700 (PDT)

Disclaimer: I have something to do with Network ICE.

BlackICE Defender is a scaled down version of BlackICE Sentry, our network IDS
agent. We basically built a host-agent out of the network-agent, then added
personal firewall capabilities.

The term "personal firewall" is sort of an oxymoron -- because the whole point
of firewalls is to have a many-to-one relationship (many machines behind one
firewall). It's kinda pointless to have a one-to-one relationship; you can just
as easily harden the system in the first place. Defender makes "personal
firewalls" work in two ways: First, it uses the IDS component to juggle the
firewall rulesets and makes it easy enough for home users to manage (not great
security, but tons better than what they had before). Secondly (coming in a few
weeks in v2.0) the management console can maintain a common ruleset for groups
of Defender agents. Thus, you can think of the console itself as the
"firewall", and the desktop agents as where the packet filtering actually
occurs.

Thus, if your firewall ruleset is "block all incoming SYN packets", the 500
telecommuters out on the Internet running Defender will have roughly the same
protection as the other 500 users inside the real firewall.

This is intended for your VPN telecommuters outside the firewall, as well as
employees inside, because everyone knows that desktops are easier to breach
than servers, but give you roughly the same level of access to corporate data
(who's watching your CEO's desktop?)

Robert Graham
CTO, Network ICE

PS: A list of intrusions detected (aka. signatures) that both Sentry and
Defender detect is at:
http://networkice.com/advice/intrusions
Details on the network-agent really aren't appropriate for this list.


-----Original Message-----
From: crispin () cse ogi edu [mailto:crispin () cse ogi edu]
Sent: Tuesday, October 26, 1999 6:54 PM
To: Rick Smith
Subject: Re: FW: BlackIce Defender???


Rick Smith wrote:

Black Ice sounds like a PC firewall and intrusion detection bundle. I don't
see any surprising technology. The main thing seems to be pricing and
packaging -- it's designed for home/small office use.

It would be interesting to hear how it compares with Marcus' (free for
download) BackOfficer Friendly.

Black Ice marketing lit is fairly uninformative.  However, when I said so in
comp.security.misc:-) I got this very helpful post back from the Black Ice
CTO (
http://x36.deja.com/[S0=90708c11189f544]/getdoc.xp?AN=471128515&CONTEXT=940988836.161874077&hitnum=15
, a deja.com query of subject="BLACKICE IDS" and looking for posts from Robert
David Graham).  The particularly interesting technologies seem to include:

  * back-scanning the intruder
  * the usual claim of "we have more signatures than anyone else" (I wouldn't
    know :-)
  * allegedly smarter scanning algorithms that do packet reassembly to detect
    fragmented attacks
  * designed to detect attacks inside the corporate LAN

Disclaimer:  I have absolutely nothing to do with Black Ice. I have not tried
their product, I'm just passing along the relevant info.




