Penetration Testing mailing list archives

Re: [PEN-TEST] BlackICE


From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 13 Sep 2000 15:37:39 -0700

Jonathan,

Would it be possible for you to provide us your testing methodology, so that
we can validate your results, and provide us the version of the Black
ICE you are testing and what magazine you will be submitting your review to?

Network ICE would be very happy to work with you to resolve any issues you
have encountered during your testing.


The most common types of scans involve TCP SYN packets (either the vanilla
scan or the half-open 'stealth' scans). The normal firewall rules block
such scans.  Like most firewalls, the packet filters within the product are
essentially stateless. This means the filters match incoming traffic to a
set of rules on a packet-by-packet basis. It is not able to filter packets
that would require heavy amounts of state. In particular, it does not
filter out TCP ACK pings. A skilled user of nmap can use this technique to
bypass most firewalls in order to glean such information from systems.
However, this information is mostly useless since the hacker cannot connect
to those ports. Secondly, the intrusion detection component will alert you
to TCP ACK pings.

The intrusion detection subsystem is heavily state-based. This means that
while some features aren't blocked immediately by the firewall, they can
still be detected by the intrusion detection system. This setup is similar
to how corporations use firewalls and intrusion detection systems to
protect their networks, but bundled into a package that fits on your PC.

As the product sits today, the intrusion detection component and the
firewall component are independent subsystems. The main reason has to do
with latency. If the intrusion detection system interposed itself along
with the firewall, then programs sensitive to network response time would
suffer. A good example is games like Quake III Arena, which require the
minimum response time possible.

Possible Smurf-amplifier attempt; an ICMP echo frame has been sent to a
subnet address (x.x.x.0 or x.x.x.255). This may cause a flurry of
echo responses, which can overwhelm the network or the systems involved.
A "smurf attack" uses "IP spoofing" in order to broadcast pings to an
"amplifier" in order to overwhelm the victim with responses. This is an
attempt to use your network as a "smurf amplifier". For example, somebody
on a cable-modem segment can send out a broadcast ping to his/her neighbors
while spoofing the IP address of a victim. All the neighbors will respond
to that victim, overloading the victim's link. In other words, it only
costs the attacker one packet to cause thousands of packets to be sent to
the victim. See smurf for more information.

False Positives can be triggered by people sending out broadcasts on the
local segment. This is commonly seen by people inside corporate networks or
on cable-modem segments. While this doesn't indicate an attempt to use your
network as an amplifier, it does indicate that somebody is attempting
discovery operations on your network.


Sincerely,

Mark Teicher
Security MAGE
Network ICE Corporation
2121 El Camino Real South; Suite 1100
San Mateo, CA 94403
P: 650 532 4139
F: 831 480 5872
email: mark.teicher () networkice com
http://www.networkice.com


At 01:23 PM 9/13/00 -0400, Jonathan Rickman wrote:
>3. I've had many instances where BlackIce has misinterpreted a traceroute
>or a ping for an attack.

>Frankly with all the talk on this list about "false positives" on
>scanning tools on this list, I'm surprised anyone knowledgeable enough to
>read this list would buy such a low rent product....just my two cents
>worth though;_)

I couldn't agree more. We are currently testing BI for a writeup in our
reviews section. So far most of the review is test data regarding false
positives. For instance, BI called a standard nmap TCP connect scan a
smurf attack...then 5 minutes later it called the same scan a SYN flood.
On the third try, it reported correctly. I think its popularity is based
on the fact that it uses a few key buzzwords and ominous sounding
descriptions to make the user feel like their PC might explode if BI
wasn't running. Our testing isn't complete, but it has already earned a
negative review. @guard and ZA seem to do a much better job.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 6.5.2

mQENAzm0QZQAAAEIAN3uNRQlWHMrHwKgTNzpYps6SLipfNvH+0uZi0TvxyXFHiiH
kivQYxlcPn/4Za4eyl5XZvP6lGQ3DXcCzT+9di75HqFtTiHeE9YScR0WEeBB1ywL
j8nKxFdGMCJ3a3khSafPvyTUQKGaEWQGnui+6UieWeBhDHdE/o21qNd0+6M49P73
0pVTdmdn1jPj1cU+vrqkNWMfNNNhLyPjrdPzoL6SoYzCs6p5YhLWaNOiet/91RhK
VpC8uy2cUIWNOAyAOtDJwF4GY+AIVP2WTLg6L/FByDH507HP4NvkbnwPAkDSTh7M
TlXvdoeNiaEUCYCgx8CFSCAg/pl819+gts810D8ABRG0JkpvbmF0aGFuIFJpY2tt
YW4gPGpvbmF0aGFuQHhjb3Jwcy5uZXQ+iQEVAwUQObRBlNffoLbPNdA/AQETwwf/
d4W131UXeWd1+hcCR1bkFJRx+08fNtHzbMzjqquA4IRPftt72M6RzDsRn1xpsdh+
RqP0oeZ0IfnByhXQ7x65JxRUaYW2mw8GNQOeTkJ2uNDg3SaFG2HGYxASohP2r8D6
Yh1WIfEgf3YDwoKyGAfJTgcfHZe85+hgg6R60KbGMAhWf5Tbb6IEpzdvBi/HoYHC
c1km8esjnMPDmR1aLjcRffaMmWGwXk/33oZRo3Q0SO/MvqWyo1kZnq2JIxX0MDAm
nm2p0cZtQc1sECkC1XyyyH8tgWhXwzYpucpsQ3IhWFrCuL7y4t/wREOgd4KaSxkN
OKraa8g7Nyh4s8rSHFvq5A==
=XYFV
-----END PGP PUBLIC KEY BLOCK-----
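
The two mechanisms Mark Teicher's message describes, as an added example that is not code from the original post or from the Network ICE product: a stateless packet filter, matching each packet against rules with no connection memory, drops SYN probes to closed ports but passes an nmap ACK ping, while a state-tracking detector can recognise that ACK as unsolicited; and an ICMP echo sent to a subnet address (x.x.x.0 or x.x.x.255) is flagged as a possible smurf-amplifier attempt, with a local-segment source treated as the false-positive case the message mentions. The packets, the protected network 192.0.2.0/24, the open-port policy and the alert strings are all constructed here for illustration.

```python
# Added example, not from the original post or the Network ICE product.
# A toy stateless packet filter beside a toy stateful detector, run over
# constructed IPv4 packets, to show the two points in the message above:
# a stateless filter drops SYN probes but passes an nmap "ACK ping",
# while a stateful detector flags the ACK as unsolicited; and an ICMP echo
# to a subnet address (x.x.x.0 / x.x.x.255) looks like a smurf-amplifier
# attempt, with a local-segment source being the false-positive case.
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_ACK = 0x02, 0x10
OPEN_PORTS = {80}  # assumed firewall policy: only port 80 accepts new connections


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header: seq/ack 0, data offset 5, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_icmp_echo():
    """ICMP echo request (type 8), identifier 0x1234, sequence 1."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)


def parse(pkt):
    """Pull the fields the filter and detector need out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9],
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if info["proto"] == PROTO_TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["flags"] = pkt[ihl + 13]
    elif info["proto"] == PROTO_ICMP:
        info["icmp_type"] = pkt[ihl]
    return info


def stateless_filter(info):
    """Packet-by-packet rule match with no connection memory: 'pass' or 'drop'."""
    if info["proto"] == PROTO_TCP and info["flags"] & TCP_SYN and not info["flags"] & TCP_ACK:
        # A new-connection attempt: only the allowed ports get through.
        return "pass" if info["dport"] in OPEN_PORTS else "drop"
    # Anything else (including a bare ACK) looks like part of an existing
    # connection; without state there is no way to tell that it is not.
    return "pass"


class StatefulDetector:
    """Remembers outbound SYNs so an inbound ACK can be judged solicited or not."""

    def __init__(self, local_net):
        self.net = ipaddress.IPv4Network(local_net)
        self.outbound = set()  # (remote_ip, remote_port, local_port) we opened

    def note_outbound_syn(self, remote_ip, remote_port, local_port):
        self.outbound.add((remote_ip, remote_port, local_port))

    def inspect(self, info):
        alerts = []
        if info["proto"] == PROTO_TCP and info["flags"] == TCP_ACK:
            if (info["src"], info["sport"], info["dport"]) not in self.outbound:
                alerts.append("TCP ACK ping: unsolicited ACK, no matching outbound SYN")
        elif info["proto"] == PROTO_ICMP and info["icmp_type"] == 8:
            dst = ipaddress.IPv4Address(info["dst"])
            if dst in (self.net.network_address, self.net.broadcast_address):
                if ipaddress.IPv4Address(info["src"]) in self.net:
                    alerts.append("local broadcast ping: discovery on the segment, not an amplifier attempt")
                else:
                    alerts.append("possible smurf-amplifier attempt: ICMP echo to subnet address")
        return alerts


def run_sample():
    """Constructed traffic (not a capture): returns {name: (filter verdict, detector alerts)}."""
    det = StatefulDetector("192.0.2.0/24")             # assumed protected segment
    det.note_outbound_syn("198.51.100.7", 443, 40000)  # a connection the local host opened
    host = "192.0.2.10"
    packets = {
        "syn_to_closed": build_ipv4("198.51.100.7", host, PROTO_TCP, build_tcp(40001, 22, TCP_SYN)),
        "syn_to_open": build_ipv4("198.51.100.7", host, PROTO_TCP, build_tcp(40002, 80, TCP_SYN)),
        "ack_ping": build_ipv4("198.51.100.7", host, PROTO_TCP, build_tcp(40003, 22, TCP_ACK)),
        "legit_ack": build_ipv4("198.51.100.7", host, PROTO_TCP, build_tcp(443, 40000, TCP_ACK)),
        "remote_bcast_ping": build_ipv4("203.0.113.9", "192.0.2.255", PROTO_ICMP, build_icmp_echo()),
        "local_bcast_ping": build_ipv4("192.0.2.50", "192.0.2.255", PROTO_ICMP, build_icmp_echo()),
    }
    return {name: (stateless_filter(parse(p)), det.inspect(parse(p))) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (verdict, alerts) in run_sample().items():
        print(f"{name:18} filter={verdict:4} alerts={alerts}")
```

The split mirrors the message: the filter never consults the detector's state, so the ACK ping to port 22 passes the filter and only the detector notices it, and the filter's decision costs one rule lookup per packet. Real products key connection state on more than the three-tuple used here, and the local-source branch is this example's own choice for the false-positive case; the message says only that such local broadcasts trigger the amplifier alert.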
