Older Firewall Software Still Effective

BlackIce Defender lets remote users not only deflect attacks but also see who’s doing the hacking

Network Ice Corp.’s BlackIce Defender 1.0 gives IT managers a handy way to prevent hackers from getting into a company’s network by hitching a ride on a remote user’s Internet connection.

In some recent tests, the personal intrusion detection utility proved both supersimple to use and effective against scads of common attack methods. As a bonus, it identifies the attacker by IP address and DNS (Domain Name System) name, domain and node name, media access control address, and log-in user name: whatever it can get.

And, at only $39.95 for a two-year subscription (volume pricing isn’t available for BlackIce but probably will be for a network version of the product that Network Ice plans to release next month), the product isn’t very expensive for anyone concerned about hackers. However, BlackIce Defender does not afford protection against things that several “personal firewall” products rebuff: cookies, ads, viruses and active content. Those products would need to run alongside BlackIce Defender.

Overall, the cost of acquiring this product will be less than for other personal security products. BlackIce Defender offers greater value to organizations than personal firewalls do because it deals with intruders rather than just safeguarding personal information.

Corporations should in particular consider providing BlackIce Defender to telecommuting employees, especially if those employees are connected throughout the day via fast cable or DSL (digital subscriber line) modems, because these employees make attractive targets. Any connection an employee makes to the office through the Internet (even via virtual private networks) can be piggy-backed by a hacker who has compromised the employee’s PC.

Organizations may even find it useful on company networks to prevent “inside job” hacks and to identify the snooping employees for disciplinary action. However, the software has no administrative component for reporting invasions to administrators; the only person who would know who’s doing the hacking is the person under attack.

Little else in its league

BlackIce Defender, which began shipping last month, has no close rivals. Personal firewalls, such as WRQ Inc.’s AtGuard, Sterling Strategic Solutions Inc.’s SOS Best Defense and Signal 9 Solutions Inc.’s ConSeal PC Firewall, provide privacy against some types of invasive programs. However, they are not capable of general intrusion detection, they use rule sets that often confuse users (BlackIce Defender’s operation is completely automatic), and they do not identify the perpetrator.

We tried BlackIce Defender on both Windows 95 and Windows NT PCs. The product detected suspicious port probing, spoof attempts and other activity, alerting users via an icon on the desktop tray. However, it did generate false positives from some normal network functions, a common problem with this type of software that the company plans to fix in its next monthly update. If an attack is serious enough, BlackIce Defender shuts down all communications with the offending IP address.

BlackIce Defender detects almost 300 types of attack methods and denial-of-service exploits. According to a company spokesman, it even detects such attacks as BackOrifice attempting to run on a non-default port, the AOL buffer overflow exploit and attacks based on Windows NT Service Pack 4’s vulnerability to predictable IP sequence numbering.

Network Ice made the product easily updatable from a menu option that automatically downloads the latest attack signatures for free, but it needs scheduling. The product keeps logs and graphically displays suspicious activity. We also could easily look up background information about any attack from Network Ice’s Web site but found most of the information sketchy.

Hooks to management consoles to allow centralized deployment and remote configuration are, of course, not part of this stand-alone product, but BlackIce’s defensive capability will be rolled into the enterprise network version, which will be called ICEpac and is designed for larger-scale detection and management.
