Penetration Testing mailing list archives
Re: [PEN-TEST] BlackICE
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 13 Sep 2000 15:37:39 -0700
Jonathan,

Would it be possible for you to provide us your testing methodology so that we can validate your results, and provide us the version of the Black ICE you are testing and what magazine you will be submitting your review to? Network ICE would be very happy to work with you to resolve any issues you have encountered during your testing.

The most common types of scans involve TCP SYN packets (either the vanilla scan or the half-open 'stealth' scans). The normal firewall rules block such scans. Like most firewalls, the packet filters within the product are essentially stateless. This means the filters match incoming traffic to a set of rules on a packet-by-packet basis. It is not able to filter packets that would require heavy amounts of state. In particular, it does not filter out TCP ACK pings. A skilled user of nmap can use this technique to bypass most firewalls in order to glean such information from systems. However, this information is mostly useless since the hacker cannot connect to those ports.

Secondly, the intrusion detection component will alert you to TCP ACK pings. The intrusion detection subsystem is heavily state-based. This means that while some features aren't blocked immediately by the firewall, they can still be detected by the intrusion detection system. This setup is similar to how corporations use firewalls and intrusion detection systems to protect their networks, but bundled into a package that fits on your PC.

As the product sits today, the intrusion detection component and the firewall component are independent subsystems. The main reason has to do with latency. If the intrusion detection system interposed itself along with the firewall, then programs sensitive to network response time would suffer. A good example is games like Quake III Arena, which require the minimum response time possible.

Possible Smurf-amplifier attempt; an ICMP echo frame has been sent to a subnet address (x.x.x.0 or x.x.x.255). This may cause a flurry of echo responses, which can overwhelm the network or the systems involved. A "smurf attack" uses "IP spoofing" in order to broadcast pings to an "amplifier" in order to overwhelm the victim with responses. This is an attempt to use your network as a "smurf amplifier". For example, somebody on a cable-modem segment can send out a broadcast ping to his/her neighbors while spoofing the IP address of a victim. All the neighbors will respond to that victim, overloading the victim's link. In other words, it only costs the attacker one packet to cause thousands of packets to be sent to the victim. See smurf for more information.

False Positives can be triggered by people sending out broadcasts on the local segment. This is commonly seen by people inside corporate networks or on cable-modem segments. While this doesn't indicate an attempt to use your network as an amplifier, it does indicate that somebody is attempting discovery operations on your network.

Sincerely,

Mark Teicher
Security MAGE
Network ICE Corporation
2121 El Camino Real South; Suite 1100
San Mateo, CA 94403
P: 650 532 4139
F: 831 480 5872
email: mark.teicher () networkice com
http://www.networkice.com

At 01:23 PM 9/13/00 -0400, Jonathan Rickman wrote:
> >3. I've had many instances where BlackIce has misinterpreted a traceroute
> >or a ping for an attack.
> >Frankly with all the talk on this list about "false positives" on scanning
> >tools on this list, I'm surprised anyone knowledgeable enough to read this
> >list would buy such a low rent product....just my two cents worth though;_)
>
> I couldn't agree more. We are currently testing BI for a writeup in our reviews section. So far most of the review is test data regarding false positives. For instance, BI called a standard nmap TCP connect scan a smurf attack...then 5 minutes later it called the same scan a SYN flood. On the third try, it reported correctly. I think its popularity is based on the fact that it uses a few key buzzwords and ominous sounding descriptions to make the user feel like their PC might explode if BI wasn't running. Our testing isn't complete, but it has already earned a negative review. @guard and ZA seem to do a much better job.
>
> --
> Jonathan Rickman
> X Corps Security
> http://www.xcorps.net
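The split Mark describes above, a stateless packet filter that passes TCP ACK pings next to a state-tracking detector that flags them and that flags ICMP echoes to a subnet's .0/.255 address as a possible smurf-amplifier attempt (noting a local-segment broadcast as the likely false positive), sketched as an added example. This is not BlackICE's code or anything posted in the thread; the packet fields, the 192.0.2.0/24 local subnet and the allowed-port policy are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Packet:
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""      # TCP flag letters, e.g. "S", "A", "SA"
    dport: int = 0
    icmp_type: int = -1  # 8 = ICMP echo request

ALLOWED_PORTS = {80, 443}  # constructed policy for inbound SYNs

def stateless_filter(pkt):  # packet-by-packet rule match, no memory; True = passes
    if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
        return pkt.dport in ALLOWED_PORTS
    return True  # an unsolicited ACK needs state to recognise, so it passes

class StatefulDetector:  # remembers SYNs seen so an unsolicited ACK stands out
    def __init__(self, local_net):
        self.net = ipaddress.ip_network(local_net)  # assumed: subnet mask is known
        self.known = set()  # (src, dst, dport) tuples already seen with SYN
    def inspect(self, pkt):
        alerts = []
        if pkt.proto == "tcp":
            key = (pkt.src, pkt.dst, pkt.dport)
            if "S" in pkt.flags:
                self.known.add(key)
            elif "A" in pkt.flags and key not in self.known:
                alerts.append("TCP ACK ping")
        elif pkt.proto == "icmp" and pkt.icmp_type == 8:
            dst = ipaddress.ip_address(pkt.dst)
            if dst in (self.net.network_address, self.net.broadcast_address):
                if ipaddress.ip_address(pkt.src) in self.net:
                    alerts.append("broadcast ping from local segment (likely false positive)")
                else:
                    alerts.append("possible smurf-amplifier attempt")
        return alerts

def run(packets, local_net="192.0.2.0/24"):  # filter and detector run independently
    det = StatefulDetector(local_net)
    return [(stateless_filter(p), det.inspect(p)) for p in packets]

SAMPLE = [  # constructed traffic arriving at a host in 192.0.2.0/24
    Packet("tcp", "203.0.113.5", "192.0.2.10", flags="S", dport=22),
    Packet("tcp", "203.0.113.5", "192.0.2.10", flags="S", dport=80),
    Packet("tcp", "203.0.113.5", "192.0.2.10", flags="A", dport=80),
    Packet("tcp", "203.0.113.9", "192.0.2.10", flags="A", dport=22),
    Packet("icmp", "203.0.113.9", "192.0.2.255", icmp_type=8),
    Packet("icmp", "192.0.2.7", "192.0.2.255", icmp_type=8),
]
```

The fourth packet is the case in the message: the filter lets the lone ACK through, and only the detector, which remembers that no SYN preceded it, raises an alert.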