Security: beware of BlackIce Defender

[igsi]

Quote from SWJ12:

igsi,

You are wrong on this issue.

The issue was using IDS on the desktop. You seem want to talk about something different.

I am a sysadmin and while I try to patch my systems whenever possible, it is a completely unrealistic expectation. First of all, while I try to stay on top of all patch notifications, the high # of warnings and alerts for the numerous systems I administer makes it impossible for me to be absolutely certain that all systems are always patched to the current version. Secondly, as all of the public servers I administer are in production environments, I cannot go and willy nilly update a server anytime I want. I have to schedule maintenance windows and downtimes, first perform the upgrade in a staging environment, QA against that upgrade, etc. Many times only a "warning" issued and we do not upgrade systems until a "high priority alert" issued. It's the realities of system administration.

OK, you point is "I am to busy to stay on top of the patches." If you were "homeadmin", how many systems you would be responsible for? See the difference? That's not it. I am not done with you as sysadmin yet.

For desktop users, how many times have you seen an MS update notification, and how long was the delay between when the update was available and when you actually installed the update?

The timing may vary but I hope you do realize that in automated environment the time frames we are looking at are hours not weeks. This includes both, BTW, desktops and servers.

Relying on such security hardening technologies as IDS (which is just one element of "hardening")

You confuse hardening security with hardening system and IDS is part of neither of those.

You don't have to take my word for it. Besides, compared to you I'm probably a technology neophyte. So why not take a recognized security expert's word on the risks of relying on patches as a security measure? (Look at Jay Beale's answer to the question "What are the top things sysadmins can do to protect themselves?")

http://newsforge.com/article.pl?sid=02/10/25/1728232

Note that Beale talks about:

1. Hardening your system using security measures such as IDS is the most important!

Here is an excerpt from the article you're referring to which lists what hardening involves:

1. Configuring necessary software for better security
2. Deactivating unnecessary software
3. Configuring the base operating system for increased security

Did it ever occur to you that Beale nowhere mentioned IDSs in the very article you were referring to?

2. Patches are important, obviously, but there is risk due to the non-zero time it takes a vendor to release a patch and you to apply it.

Yes, there is a risk for servers. And the servers should be hardened because of this. However, this is not applicable to desktops because, as a rule, you don't run on the desktop remotely exploitable software, with an exception of Internet software such as email clients and browsers. That kind of software must be patched immediately. And, BTW, IDS is not an appropriate technology to keep your browser and email client safe anyway.

3. With a a hardened system you can actually break the exploits so that you can't be hacked, even while you still have broken software on the system.

That's what Beale says. And below is how you continued:

We have a Cisco IDS in addition to Tripwire and Snort. Even if we have susceptible software, we are at much less risk because we scan all incoming packets at network and server, and if something slips through and is compromised we know about it the same day!

Oh boy, you are confused one. Beale is talking about how not to get hacked and you are talking about how to find out that you being or already got hacked. Let me just say that network based IDSs have nothing to do with hardening OS. It's not that the other types IDSs do but mentioning Cisco in this context is just hillarious.

5. Obviously, the best approach is do all 3 things Beale mentions (hardened system && patches && firewall) .

Correct.

I just wanted to raise my hand and say that dottom isn't the only one who thinks that relying on firewall and a system administer to patch all vulnerable systems is sufficient. No way.

First, we were talking about desktops, not the networks full of servers. Second, dottom was not talking about hardening, which I confirm again, is very important but about IDS. You think that IDS is part of hardening and that's where you dead wrong. Hardening has nothing to do with idss.

Neither you nor dottom could present an argument what to use IDS for, whether on the desktop or on the server, or on the network. Not because there is no use to it but because you do not understand what it's for and misuse it.

Besides providing some peace of mind, especially to paranoid one, IDSs can be used as tools for collecting forensic evidence and catching insiders in the act (see http://www.sans.org/resources/idfaq/ipe.php for the reference). I want to point out once again that none of these has practical application for home systems.

 

[SWJ12]

Quote from harrytrader:

Well as for me, I'm only interested in concrete not abstraction. Here was an attack by "zombies" http://grc.com/dos/drdos.htm
and in a paragraph he says that Black didn't alert of that.

Harry, please indicate in which paragraph in the URL you gave that GRC even mentions BlackIce with regards to that DoS attack on grc.com? I can't find any reference to BlackIce in that URL.

Also, there is no client solution to defend against a DoS attack. There are also very few network solutions to defend against a massive DoS attack. Remember the ones that brought down Yahoo, Hotmail, Microsoft, etc? A DoS attack is just a pure bandwidth burning process and has nothing to do with IDS. That URL you posted Gibson even says Client-profile machines, like that of the typical end user, can not be protected. So it doesn't matter what firewall or IDS or anything that you run on your client machine.

As for Mr Gibson he is a searcher at GRC how can one affirm such a strong thing that he is practically the Director of sale of zone alarm ?! If there are proofs well I would find that Mr Gibson is rather dishonest but if it just an opinion well that opinion is dishonest.

Harry, judging from your initial post I think you are quite new to the whole Gibson vs. BlackIce debate. Maybe you should catch up and read the years of archives first? I think the first discussions began in 1999!

Gibson has purposefully left outdated information on grc.com regarding BlackIce. It has been documented that Gibson improperly used BlackIce during his first tests (when he was recommending it!). Yes, Gibson is a frequent poster on the security forums I think dottom mentioned them a couple times. They are well known forums among security professionals.

Just to save you some searching, I will give you a brief summary of Gibson and BlackIce. Go back to 1999... Gibson was publishing that BlackIce was a firewall, when at the time it was not. It was only an IDS. In fact, Gibson was recommending BlackIce! People on comp.security.firewalls were trying to explain to Gibson (yes he was an active poster) that BID was not a firewall. The NetworkIce product pages specifically distinguished between the need for an IDS in addition to a firewall and never advertised their product as a firewall. Yes, our security expert Gibson believed BlackIce in early 1999 was a firewall. None of this is opinion but are facts you can verify on the Google archives yourself.

Now about mid-1999 Gibson suddenly 'discovered' that BlackIce was not a firewall at all! This despite the numerous posts by others telling him of this very fact. Gibson had made a dumb mistake but instead of admitting his error or quietly drop BlackIce for another firewall, Gibson jumped on the warwagon and slammed BlackIce on his website and all his mailings. He reversed all his recommendations on using BlackIce. All this because he made a very simply mistake and thought BlackIce was a firewall in 1999 when at the time it was only an IDS. Steve couldn't have made a mistake, no way! It must've been NetworkIce that misled him. (Hello, Steve, did you read any of those posts on that forum you were so fond of posting on to bash BlackIce?) Since that time, Gibson has continually made bad reviews on BlackIce by subjecting it to firewall tests. Finally, when BlackIce finally came out with a firewall in addition to its core IDS, Gibson stopped updating his website! Except for a few blurbs on LeakTest which has been long dismissed by the security industry as a flawed test.

Steve Gibson is a good source for many new internet users. But if you have been following him at all you will know that he will never admit when he is wrong and will leave outdated and sometimes pure wrong information on his website for years. It is for this very reason that many security professionals do not take his website and information seriously. He's very good at waiving the red flag, but he will never admit when he was wrong. That is very bad for a security educator.

If you have been following Gibson, you perhaps will remember his red flag waiving when he was warning every IT professional in the world via his website that Windows XP raw sockets would bring the entire internet down to its knees? I am not adding hyperbole here. Gibson was very serious about this. Well, guess what? Raw sockets and Windows XP are still here and the internet is just fine.

Remember what Gibson said about UPNP?

Harry, since you are interested in concrete data and not abstraction as you are a scientists, don't just take it from me, do the research for yourself! Go to groups.google.com and search on "+comp.security.firewalls +gibson +grc". There are over 1000 posts, actually more if you remove "grc" or "gibson" but you also get more unrelated posts. That should be a good start. Better yet, get an NNTP reader and start posting your own questions directly to that group. I'm sure there are a lot more network security buffs there than here!

 

[igsi]

Quote from SWJ12:

I rather enjoyed the bank robber holding a gun analogy

Nobody brings a gun to the bank. Understand? There may be something dangerous inside the bank (exploitable software) which should be kept in the box (hardened OS) that nobody could create a damage using it. With a gun, you can damage something otherwise healthy. Hacking is attacking unhealthy systems. It's more like a strawberry for the allergic person than a gun, if you like analogies that much. If I am not allergic, I do not care if someone throwing strawberries around me. And I do not need IDS unless I want to submit that person to the authorities.

as well as the guard dog analogy in a previous post

A guard dog is fine. It points out nonnecessity to have one if you live in the apartment. It is fine as long as you enjoy playing with it but hardly a security must have.

 

[SWJ12]

igsi,

Your big mistake here, and i know you mention "IT" as your occupation in your profile, is that the vast majority of home desktop users use Windows, which is not a hardened OS by any means. There are many Windows vulnerabilities not yet discovered.

The use of an IDS helps. It has been proven many times that with an IDS you can discover attacks and disable all access from that IP in real-time before any damange is done, not the reactive response you are referring to. Same is true with Cisco IDS which you can go ahead and read the whitepaper on. It echoes all incoming network traffic to a protocol analyzer device which then automatically updates the PIX firewall rules to block malicious network traffic. I use that as an example that best defense is multiple layers, network and system. You can 'harden' your environment such that you can exist with vulernable systems (although obviously it's non-ideal to have vulnerable systems, relying on immediate patching is not reasonable).

You mentioned automated patching. You obviously have never worked in a production environment then. The risk of installing a service or library or whatever the fix is too great to have it automated. That is why you always have a QA/stage/production environment. You obviously glossed over that part. You can't just deploy any patch immediately at any time.

Your continued attempt to put others down, because you are
such a big IT professional it seems, does not help prove your point.

I hate the bitterness of these boards...

 

[igsi]

Quote from SWJ12:

The use of an IDS helps.

Of course it does. If one shits himself, then spending the rest of his life in diapers would work for him too. However, it would be more beneficial to get cured instead.

It has been proven many times that with an IDS you can discover attacks and disable all access from that IP in real-time before any damange is done

Which, most importantly, would prove that your operations are flawed if you have to rely on that. I already said that in my previous post, this is a misuse of IDSs. So, if you do not agree with me you can go and argue with SANS that you know better what IDS is for.

not the reactive response you are referring to

Relying on IDSs hoping not to get hacked is reactive approach. Patching and hardening systems is preventive approach.

Same is true with Cisco IDS which you can go ahead and read the whitepaper on. It echoes all incoming network traffic to a protocol analyzer device which then automatically updates the PIX firewall rules to block malicious network traffic. I use that as an example that best defense is multiple layers, network and system.

That's a very fine point. Multi-layer defense using Cisco IDS. There is that home desktop we are protecting in that picture? :eek:

You can 'harden' your environment such that you can exist with vulnerable systems

If that's your idea of hardening, I feel sorry for you.

(although obviously it's non-ideal to have vulnerable systems, relying on immediate patching is not reasonable).

I already explained about "Day Zero" and "immediate" patching in my previous posts.

You mentioned automated patching. You obviously have never worked in a production environment then.

You making very interesting conclusions.

The risk of installing a service or library or whatever the fix is too great to have it automated. That is why you always have a QA/stage/production environment. You obviously glossed over that part.

You see, automated does not mean "automatically applied right after downloading". OK?

You can't just deploy any patch immediately at any time.

Not immediately and not at any time but automated patch distribution is just an unavoidable reality. How many servers you've got? 20? Ever thought how would you deal with it if you had 200? 2000? Anyway, back to our desktop. Why is that again I "can't just deploy any patch immediately at any time" to my home desktop?

Your continued attempt to put others down, because you are such a big IT professional it seems, does not help prove your point.

You are making this up. I never used my occupation or experience in an argument as a prove of my point. While you did, BTW. And if I did not prove my point to you, I could not care less. I know that I did prove my point and that's enough for me.

I hate the bitterness of these boards...

You don't have to be here, you know?