At work, our firewall logs thousands of
attacks from the Internet every week. That made me start
thinking about protection for PUB II. Since it is
connected to the Internet 24x7, I thought it would be a
likely target for the random attacks from the script
kiddies: those individuals who attack computers on the
Internet using pre-compiled scripts targeting well-known
vulnerabilities. I concluded we were not the target of
professionals for a couple of reasons. First, we don't
really have anything to attract them and second, well...PUB
II is still operational. I don't think it would have
stood up well against the crackers who really know what
they are doing.
The NT security log showed some
periodic failed attempts to log on as Administrator,
Guest, PUB2, Root, Admin, etc. I was unaware that this is
a tell-tale trace of attacks. I could see no other
evidence of tampering. I knew we could not afford
something like the firewall we use at work, which costs
thousands of dollars and is a bear to configure. But
recently, there have been a number of personal firewall
products released on the market at under $100. One
getting rave reviews from people such as Ziff-Davis' Bill
Machrone and Steve Gibson of SpinRite fame is BlackICE
Defender from NetworkICE.
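The repeated failed logons against Administrator, Guest, PUB2, Root and Admin are worth more than a glance, because one legitimate user mistyping a password hits one account, while an automated guessing script walks a list of default names from a single source. The script below is an added example, not part of the original article or of any NetworkICE product: it parses a constructed, simplified export of failed and successful logon events (the real NT event-log layout is not reproduced here; the field names, hostnames and timestamps are made up) and flags sources whose failures span several accounts, plus any failures against the commonly guessed names the article lists.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified "exported security log" layout
# (date, time, event, account, source workstation). This is NOT the real
# NT event-log format; it stands in for the log an administrator reviews.
SAMPLE_LOG = """\
1999-12-01 02:14:07 LogonFailure account=Administrator workstation=ZEUS
1999-12-01 02:14:09 LogonFailure account=Guest workstation=ZEUS
1999-12-01 02:14:11 LogonFailure account=PUB2 workstation=ZEUS
1999-12-01 02:14:12 LogonFailure account=Root workstation=ZEUS
1999-12-01 02:14:14 LogonFailure account=Admin workstation=ZEUS
1999-12-01 09:30:55 LogonFailure account=bob workstation=MUSTANG
1999-12-01 09:31:10 LogonSuccess account=bob workstation=MUSTANG
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (LogonFailure|LogonSuccess) account=(\S+) workstation=(\S+)$"
)

# Account names routinely tried by logon-guessing scripts; these are the
# names the article reports seeing in PUB II's security log.
COMMON_GUESSED = {"administrator", "guest", "pub2", "root", "admin"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"time": m.group(1), "event": m.group(2),
                           "account": m.group(3), "source": m.group(4)})
    return events


def find_guessing_sources(events, min_failures=3, min_accounts=2):
    """Return {source: sorted accounts} for sources whose failed logons
    hit several different accounts within the log, the pattern a script
    walking a list of default names leaves behind."""
    failed_accounts = defaultdict(set)
    failure_counts = Counter()
    for ev in events:
        if ev["event"] == "LogonFailure":
            failed_accounts[ev["source"]].add(ev["account"])
            failure_counts[ev["source"]] += 1
    return {src: sorted(accts) for src, accts in failed_accounts.items()
            if failure_counts[src] >= min_failures and len(accts) >= min_accounts}


def default_name_hits(events):
    """Count failed logons against commonly guessed account names."""
    return Counter(ev["account"] for ev in events
                   if ev["event"] == "LogonFailure"
                   and ev["account"].lower() in COMMON_GUESSED)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, accts in find_guessing_sources(evs).items():
        print(f"{src}: failed logons against {', '.join(accts)}")
    print("hits on default names:", dict(default_name_hits(evs)))
```

On the sample data, ZEUS is flagged for five failures across five accounts, while MUSTANG (one mistyped password followed by a success) is not. The thresholds are deliberately low for a small server; on a busy domain controller they would be raised and the window bounded in time.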
Background
To understand how firewalls work, it is
necessary to have a basic understanding about how
computers communicate over a TCP/IP network, such as the
Internet. You get services on other machines through
virtual connections known as ports. There are TCP and UDP
ports. UDP connections are similar to TCP but UDP does
not include error correction.
When your web browser tries to load a web
page, it tries to connect to port 80 on the remote
machine. If a web server is listening at port 80, it
sends the default web page to your browser. To send e-mail
to a remote server, you try to connect to port 25 on the
other machine. If an SMTP daemon is listening on port 25,
it answers with a standard greeting. Services can listen
on non-standard port numbers, but in most cases this
defeats the purpose, since the machine connecting to them
must know to attempt the connection on the different port
number. PUB II uses this capability to support an extra
FTP server used to maintain web pages.
There are a total of 64K ports available.
These are categorized as system ports (those under 1024)
and application ports (those over 1024). System ports are
generally more powerful. This comes from the fact that,
under Unix, only processes running under the root context
(the most powerful account on the system) may open ports
under 1024.
Enter BlackICE Defender.
It has four basic configurations. The most open is
Trusting, where no ports are blocked and a connection may
be made to any listening port. Other settings are
Cautious, Nervous, and Paranoid. Each setting blocks more
inbound TCP and UDP ports. Paranoid blocks all inbound
ports. If someone can't connect to a port on your
computer, they can't exploit a weakness there. The more
ports you block, the more secure the machine will be.
The manual says outbound connections are
never blocked, meaning you can connect from a BlackICE-protected
machine to other computers without interference from
BlackICE. Tech support tells me that due to UDP's
connectionless nature, all outbound UDP ports are blocked
when set to Paranoid, meaning some applications like ICQ
will not work at Paranoid.
If BlackICE does not block a port, it
must try to determine if the packets of data are normal
traffic or an attack. This is not a simple task and this
ability, more than anything else, separates a good
firewall from a bad one. Even set to Trusting BlackICE
has a lot of work to do. It must allow all connections to
happen normally. It then has to decide if the traffic is
legitimate or an attack which it must block. BlackICE can
detect and block over 250 different types of attacks.
The default configuration is Cautious
which blocks TCP and UDP ports under number 1024. PUB II
hosts a web server, two FTP servers, a POP3 mail server,
Telnet services and an SMTP daemon, all of which listen
on port numbers under 1024. One alternative was to use
Trusting, where no ports are blocked, and rely on
BlackICE's ability to detect and block attacks. A better
alternative was to use a customized firewall.ini file
that allows the use of the Cautious configuration while
opening the specific ports we need for proper PUB II
operation.
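To make the four-level scheme and the customized exceptions concrete, here is an added model of the policy exactly as the article describes it; it is not BlackICE's code and does not read a real firewall.ini, whose syntax the article does not show. The level names, the "ports under 1024" rule for Cautious, the all-inbound block for Paranoid and the outbound-UDP exception at Paranoid come from the text; the exceptions dictionary is an assumed stand-in for the customized firewall.ini, and the port 2121 entry is a placeholder for PUB II's extra FTP server, whose real port number the article does not give. Nervous is not modeled because the article does not say which ports it closes, and the attack inspection that still applies to allowed traffic is outside this model.

```python
# Added model of the BlackICE Defender port policy as described in the
# article. It is an illustration, not the product's implementation.
TRUSTING, CAUTIOUS, PARANOID = "Trusting", "Cautious", "Paranoid"

# Inbound ports PUB II needs reachable: web (80), FTP (21), POP3 (110),
# Telnet (23), SMTP (25). 2121 is a PLACEHOLDER for the second FTP server,
# whose actual non-standard port is not stated in the article.
PUB2_EXCEPTIONS = {
    "tcp": {80, 21, 110, 23, 25, 2121},
    "udp": set(),
}


def allowed(level, direction, proto, port, exceptions=None):
    """Decide whether a packet passes the port policy.

    direction: "in" (someone connecting to this machine) or "out".
    exceptions: {"tcp": {ports}, "udp": {ports}} opened despite the level,
    standing in for a customized firewall.ini (assumption).
    """
    exceptions = exceptions or {"tcp": set(), "udp": set()}
    proto = proto.lower()
    if direction == "out":
        # Outbound connections are never blocked, except that Paranoid
        # blocks outbound UDP because there is no connection to track.
        return not (level == PARANOID and proto == "udp")
    if level == TRUSTING:
        return True                  # nothing blocked; detection alone
    if level == PARANOID:
        return False                 # every inbound port closed
    # Cautious: inbound ports under 1024 are closed unless opened explicitly.
    if port < 1024:
        return port in exceptions.get(proto, set())
    return True


def explain(level, direction, proto, port, exceptions=None):
    """Human-readable verdict line, handy when checking a custom policy."""
    verdict = "allow" if allowed(level, direction, proto, port, exceptions) else "block"
    return f"{level}: {direction}bound {proto.upper()}/{port} -> {verdict}"


if __name__ == "__main__":
    for port in (80, 25, 139, 3389):
        print(explain(CAUTIOUS, "in", "tcp", port, PUB2_EXCEPTIONS))
    print(explain(PARANOID, "out", "udp", 53))
```

Note what the model makes visible: Cautious with PUB II's exceptions still admits every inbound port at 1024 and above, so anything listening there (BlackICE's own Trojan-probe signatures cover several such services) is protected only by the attack detection, not by the port block.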
Installation and Configuration
The installation of BlackICE was about as
simple as any install could be. After installation, I
replaced the customized firewall.ini file. To test if
BlackICE is working, the NetworkICE web site can send a
simulated Back Orifice probe, one of the attacks that
BlackICE can detect and block. When I tried this, the
tray icon for BlackICE immediately began to flash. A
single click on it opened the console where I could see
the information about the attack.
The Gibson Research site (www.grc.com) has a page
called Shields Up. It will do a port scan on your machine
looking for common listening ports. On PUB II, it found
the ports purposely left open, but nothing else. BlackICE
was effective at concealing more details.
I disabled BlackICE Defender to see how
much more information could be gleaned. Shields Up
discovered the NetBIOS names Mustang, PUB2, and UserGroup
(user name, machine name and workgroup). It enumerated
the shares and discovered they were password protected.
It also determined the MAC address of the network card.
Keep in mind that the more information you provide a
cracker, the better their chances of breaking in.
When BlackICE detects an attack it does a
back trace to gain as much information as possible about
the intruder. In addition to the IP address, depending on
the attacker, it may be able to determine the NetBIOS
name, the Workgroup or Domain name, the DNS name, and the
MAC address of the network card. Attacks are categorized
as Informational, Non-threatening (but worthy of note),
Suspicious (non-threatening but maybe an indication of
someone probing for vulnerabilities), Serious (attempts
to access information but not damaging), or Critical (a
deliberate attack designed to damage or crash your
machine). A button on the Attacks page takes you to the
NetworkICE web site and provides more information on the
attempted intrusion.
BlackICE has a history tab where you can
see graphs of frequency of attacks and network traffic.
As well, there is a summary of the total number of
Critical (actually, both Critical and Serious) and
Suspicious events. Informational events are not plotted.
The configuration menu allows you to
configure packet logs, which log all TCP/IP traffic, as
well as evidence logs, which log just the traffic during
an attack. These files are not human-readable but may be
useful to an ISP or law enforcement. You can configure
addresses you want to trust. BlackICE will completely
ignore traffic from these hosts. This may be appropriate
for machines on a LAN.
A menu option connects you with
NetworkICE to check for updates. If an update is
available it downloads automatically. Otherwise it sends
you to a page that tells you your version number. A bug
in the current version prevents the system from
understanding you already have the latest release. It
will be fixed in the next release, but it might be a bit
of a challenge getting word out about a new release after
customers repeatedly download an update file only to
discover it's always the same version they already are
running.
The Acid Test
I expected the first real attack to come
within minutes of installing BlackICE Defender. Well, it
was not quite that fast, but a computer in Australia did
a port scan within an hour. Over the last week we have
had a couple of dozen attacks. So far, attacks not
initiated by me have included port scans, NetBIOS Port
scans, Back Orifice pings, PC Anywhere pings, TCP Trojan
horse probes, NetBus probes, RPC port probes and SOCKS
Port scans. We have had attacks from Israel, Germany,
France, Russia, the Netherlands and Canada, as well as
computers in the .NET and .COM domains.
Overall, I am very impressed with
BlackICE Defender. We now have a good level of protection
against crackers trying to crash PUB II or use it as a
launching pad to attack other systems. I've noticed no
performance problems. It only takes a couple of megs of
RAM and even in the middle of an attack, BlackICE never
took more than 1% of CPU cycles. Right now, PUB II has
been up for over 100 hours and BlackICE has used 81
seconds of CPU time. Considering PUB II is running on a
Pentium 200, that's impressive. The tweaker in me would
like to see more documentation about tuning BlackICE:
according to NetworkICE, that may be coming.
Do You Need One?
Do you need a firewall? I would have to
say a definite maybe. If you have an always-on connection
to the Internet, consider the fact that you are almost
certainly scanned every day for vulnerabilities. Even
dial-up connections are at risk, since people "out
there" are scanning millions of addresses. If you
are connected to a LAN as well, you almost certainly have
shares on your computer that may be discovered and
accessed, especially if your shares have no passwords. It
may only take seconds or a few minutes to grab password
information and credit card numbers or destroy data and
more.
The least you should do is determine how
vulnerable you are. Go to www.grc.com,
www.dslreports.com,
www.it-sec.de/vulchke.html,
and www.hackerwhacker.com.
All of these sites will do a scan on your machine looking
for vulnerabilities. Most of them will also tell you how
to make your machine more secure.
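Those sites check your exposure from outside; the same idea can be applied from the machine itself, and doing so also shows the Background section's point about ports in working code: a service that is listening answers (an SMTP daemon with its greeting), a port with nothing listening refuses the connection. The script below is an added example, not the article's code and not any scanning site's software. It starts a constructed local service that greets like an SMTP daemon on an ephemeral port (the banner text is made up), then audits a list of candidate ports on the local host against the list you intend to expose and reports the ones that are reachable but not intended.

```python
import socket
import threading


def start_banner_listener(banner=b"220 pub2.example SMTP ready\r\n"):
    """Start a constructed local service that greets like an SMTP daemon.
    Returns (port, server_socket); the caller closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return               # server socket was closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass             # client went away before the greeting

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def free_port():
    """Pick a port that currently has no listener (the 'closed' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=1.0):
    """Connect to one TCP port. Returns (is_open, greeting): greeting is
    whatever the service sends first (an SMTP 220 line, for instance) or
    b'' if it stays silent, as a web server does until it gets a request."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(0.5)
            try:
                greeting = s.recv(256)
            except socket.timeout:
                greeting = b""
            return True, greeting
    except OSError:                  # refused, timed out, unreachable
        return False, b""


def audit_exposure(host, candidate_ports, intended_ports):
    """Probe each candidate port on your own host; report every open port
    with its greeting and list the open ones you did not intend to expose."""
    report = {"open": {}, "unexpected": []}
    for port in candidate_ports:
        is_open, greeting = probe_port(host, port)
        if is_open:
            report["open"][port] = greeting.decode(errors="replace").strip()
            if port not in intended_ports:
                report["unexpected"].append(port)
    return report


if __name__ == "__main__":
    smtp_port, srv = start_banner_listener()
    closed = free_port()
    # Intend to expose nothing; the constructed listener should be flagged.
    result = audit_exposure("127.0.0.1", [smtp_port, closed], intended_ports=set())
    for port, greeting in result["open"].items():
        print(f"open  {port}: {greeting or '(silent)'}")
    print("unexpected:", result["unexpected"])
    srv.close()
```

A real audit would put the machine's well-known service ports (21, 23, 25, 80, 110 for PUB II) in `intended_ports` and the full range of interest in `candidate_ports`; anything reported as unexpected is either a service you forgot about or a reason to extend the firewall exceptions the other way, by closing it.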
Purchase Details
BlackICE Defender may be purchased for
US$40 at www.networkice.com.
This includes updates for a year. Updates are very
important when it comes to security products since new
vulnerabilities are discovered all the time and defenses
must be devised to protect against new attacks.
Subsequent yearly subscriptions for updates cost US$20.
The 111-page manual (over 60 pages are short descriptions
of the attacks BlackICE can block) comes in Adobe Acrobat
format and must be downloaded from the web site. BlackICE
Defender requires a Pentium and Windows 9x or NT.
NetworkICE is interested in providing a
discount to members of the OPCUG, but it might be a
couple of months before their program is set up. They
have been overwhelmed with the response to BlackICE
Defender and are struggling to keep up with the demand
right now. I will let members know as soon as I know more.
Bottom Line:
BlackICE Defender
Proprietary package (US$40)
NetworkICE
http://www.networkice.com
Originally published: December, 1999