At work, our firewall logs thousands of
attacks from the Internet every week. That made me start
thinking about protection for PUB II. Since it is
connected to the Internet 24x7, I thought it would be a
likely target for the random attacks from the script
kiddies: those individuals who attack computers on the
Internet using pre-compiled scripts targeting well-known
vulnerabilities. I concluded we were not the target of
professionals for a couple of reasons. First, we don't
really have anything to attract them and second, well...PUB
II is still operational. I don't think it would have
stood up well against the crackers who really know what
they are doing.
The NT security log showed some
periodic failed attempts to log on as Administrator,
Guest, PUB2, Root, Admin, etc. I was unaware that this is
a tell-tale trace of attacks. I could see no other
evidence of tampering. I knew we could not afford
something like the firewall we use at work, which costs
thousands of dollars and is a bear to configure. But
recently, there have been a number of personal firewall
products released on the market at under $100. One
getting rave reviews from people such as Ziff-Davis' Bill
Machrone and Steve Gibson of SpinRite fame is BlackICE
Defender from NetworkICE.
To understand how firewalls work, it is
necessary to have a basic understanding about how
computers communicate over a TCP/IP network, such as the
Internet. You get services on other machines through
virtual connections known as ports. There are TCP and UDP
ports. UDP connections are similar to TCP but UDP does
not include error correction.
When your web browser tries to load a web
page, it tries to connect to port 80 on the remote
machine. If a web server is listening at port 80, it
sends the default web page to your browser. To send e-mail
to a remote server, you try to connect to port 25 on the
other machine. If an SMTP daemon is listening on port 25,
it answers with a standard greeting. Services can listen
on non-standard port numbers, but in most cases this
defeats the purpose, since the machine connecting to them
must know to attempt the connection on the different port
number. PUB II uses this capability to support an extra
FTP server used to maintain web pages.
There are a total of 64K ports available.
These are categorized as system ports (those under 1024)
and application ports (those over 1024). System ports are
generally more powerful. This comes from the fact that,
under Unix, only processes running under the root context
(the most powerful account on the system) may open ports
Enter BlackICE Defender.
It has four basic configurations. The most open is
Trusting, where no ports are blocked and a connection may
be made to any listening port. Other settings are
Cautious, Nervous, and Paranoid. Each setting blocks more
inbound TCP and UDP ports. Paranoid blocks all inbound
ports. If someone can't connect to a port on your
computer, they can't exploit a weakness there. The more
ports you block, the more secure the machine will be.
The manual says outbound connections are
never blocked, meaning you can connect from a BlackICE-protected
machine to other computers without interference from
BlackICE. Tech support tells me that due to UDP's
connectionless nature, all outbound UDP ports are blocked
when set to Paranoid, meaning some applications like ICQ
will not work at Paranoid.
If BlackICE does not block a port, it
must try to determine if the packets of data are normal
traffic or an attack. This is not a simple task and this
ability, more than anything else, separates a good
firewall from a bad one. Even set to Trusting BlackICE
has a lot of work to do. It must allow all connections to
happen normally. It then has to decide if the traffic is
legitimate or an attack which it must block. BlackICE can
detect and block over 250 different types of attacks.
The default configuration is Cautious
which blocks TCP and UDP ports under number 1024. PUB II
hosts a web server, two FTP servers, a POP3 mail server,
Telnet services and an SMTP daemon, all of which listen
on port numbers under 1024. One alternative was to use
Trusting, where no ports are blocked, and rely on
BlackICE's ability to detect and block attacks. A better
alternative was to use a customized firewall.ini file
that allows the use of the Cautious configuration while
opening the specific ports we need for proper PUB II
The installation of BlackICE was about as
simple as any install could be. After installation, I
replaced the customized firewall.ini file. To test if
BlackICE is working, the NetworkICE web site can send a
simulated Back Orifice probe, one of the attacks that
BlackICE can detect and block. When I tried this, the
tray icon for BlackICE immediately began to flash. A
single click on it opened the console where I could see
the information about the attack.
The Gibson Research site (www.grc.com) has a page
called Shields Up. It will do a port scan on your machine
looking for common listening ports. On PUB II, it found
the ports purposely left open, but nothing else. BlackICE
was effective at concealing more details.
I disabled BlackICE Defender to see how
much more information could be gleaned. Shields Up
discovered the NetBIOS names Mustang, PUB2, and UserGroup
(user name, machine name and workgroup.) It enumerated
the shares and discovered they were password protected.
It also determined the MAC address of the network card.
Keep in mind that the more information you provide a
cracker, the better their chances of breaking in.
When BlackICE detects an attack it does a
back trace to gain as much information as possible about
the intruder. In addition to the IP address, depending on
the attacker, it may be able to determine the NetBIOS
name, the Workgroup or Domain name, the DNS name, and the
MAC address of the network card. Attacks are categorized
as Informational, Non- threatening (but worthy of note),
Suspicious (non- threatening but maybe an indication of
someone probing for vulnerabilities), Serious (attempts
to access information but not damaging), or Critical (a
deliberate attack designed to damage or crash your
machine). A button on the Attacks page takes you to the
NetworkICE web site and provides more information on the
BlackICE has a history tab where you can
see graphs of frequency of attacks and network traffic.
As well, there is a summary of the total number of
Critical (actually, both Critical and Serious) and
Suspicious events. Informational events are not plotted.
The configuration menu allows you to
configure packet logs, which log all TCP/IP traffic, as
well as evidence logs, which log just the traffic during
an attack. These files are not human-readable but may be
useful to an ISP or law enforcement. You can configure
addresses you want to trust. BlackICE will completely
ignore traffic from these hosts. This may be appropriate
for machines on a LAN.
A menu option connects you with
NetworkICE to check for updates. If an update is
available it downloads automatically. Otherwise it sends
you to a page that tells you your version number. A bug
in the current version prevents the system from
understanding you already have the latest release. It
will be fixed in the next release, but it might be a bit
of a challenge getting word out about a new release after
customers repeatedly download an update file only to
discover it's always the same version they already are
The Acid Test
I expected the first real attack to come
within minutes of installing BlackICE Defender. Well, it
was not quite that fast, but a computer in Australia did
a port scan within an hour. Over the last week we have
had a couple of dozen attacks. So far, attacks not
initiated by me have included port scans, NetBIOS Port
scans, Back Orifice pings, PC Anywhere pings, TCP Trojan
horse probes, NetBus probes, RPC port probes and SOCKS
Port scans. We have had attacks from Israel, Germany,
France, Russia, the Netherlands and Canada, as well as
computers in the .NET and .COM domains.
Overall, I am very impressed with
BlackICE Defender. We now have a good level of protection
against crackers trying to crash PUB II or use it as a
launching pad to attack other systems. I've noticed no
performance problems. It only takes a couple of megs of
RAM and even in the middle of an attack, BlackICE never
took more than 1% of CPU cycles. Right now, PUB II has
been up for over 100 hours and BlackICE has used 81
seconds of CPU time. Considering PUB II is running on a
Pentium 200, that's impressive. The tweaker in me would
like to see more documentation about tuning BlackICE:
according to NetworkICE, that may be coming.
Do You Need One?
Do you need a firewall? I would have to
say a definite maybe. If you have an always-on connection
to the Internet, consider the fact that you are almost
certainly scanned every day for vulnerabilities. Even
dial-up connections are at risk, since people "out
there" are scanning millions of addresses. If you
are connected to a LAN as well, you almost certainly have
shares on your computer than may be discovered and
accessed: especially if your shares have no passwords. It
may only take seconds or a few minutes to grab password
information and credit card numbers or destroy data and
The least you should do is determine how
vulnerable you are. Go to www.grc.com,
All of these sites will do a scan on your machine looking
for vulnerabilities. Most of them will also tell you how
to make your machine more secure.
BlackICE Defender may be purchased for
US$40 at www.networkice.com.
This includes updates for a year. Updates are very
important when it comes to security products since new
vulnerabilities are discovered all the time and defenses
must be devised to protect against new attacks.
Subsequent yearly subscriptions for updates cost US$20.
The 111-page manual (over 60 pages are short descriptions
of the attacks BlackICE can block) comes in Adobe Acrobat
format and must be downloaded from the web site. BlackICE
Defender requires a Pentium and Windows 9x or NT.
NetworkICE is interested in providing a
discount to members of the OPCUG, but it might be a
couple of months before their program is set up. They
have been overwhelmed with the response to BlackICE
Defender and are struggling to keep up with the demand
right now. I will let members know as soon as I know more.
Proprietary package (US$40)
Originally published: December, 1999