Re: [PEN-TEST] BlackICE

["Teicher, Mark" <mark.teicher () NETWORKICE COM>]

Again,

One is speaking of Black ICE Defender and not our Corporate product.

/m
At 12:31 PM 9/13/00 +0000, Jonas wrote:
> James Kelly wrote:
> >
> > I work at a major isp who will remain nameless and I see countless Blackice
> > logs in my daily work.
> > My gripes against it are:
> > 1. It takes a computer with not many or no ports open and opens ports
> to listen
> > on them, thereby making your computer an attractive target for would-be
> > attackers.
> > 2. The logs it creates are nonstandard and difficult to get at. I need
> to see
> > src port and ip, destination port and ip and I don't want to see what
> BlackIce
> > interprets...The logs are also not very informative.
> > 3. I've had many instances where BlackIce has misinterpreted a
> traceroute or a
> > ping for an attack.
> >
> > Frankly with all the talk on this list about "false positives" on scanning
> > tools on this list, I'm surprised anyone knowlegeable enough to read
> this list
> > would buy such a low rent product....just my two cents worth though;_)
>
> I also work for an (albeit small) isp.  We gave Blackice a shot, and
> while I was not particularly impressed, it did accomplish one goal,
> which was reassuring mgmt that a) things were being done to prevent
> intrusion, and b) my job was worthwhile.
>
> We got vast quantities of false positives, and, more frightening, it
> took very little effort to produce false negatives.  I initially pushed
> for a stronger system, but soon decided that I would leave that alone
> and work out a local solution.  A pro-active approach to locking down
> ports, periodic pen-testing (fortunately I have near free-rein in that
> regard), and A few improvements of my own which are still in
> development, are keeping us mostly safe, keeping me in a job, and not
> killing us for cash.
>
> Anyway, I figured that as a mgmt happy, Black Ice is cheap at the price.
> --
> Jonas
>
> "Never mistake motion for action." --Ernest Hemingway