Personal Firewalls Tests: BlackICE Defender
An analysis of mini-firewalls for Windows users
by Seán Boran
This article is a part of a series of tests on Personal Firewalls /
Intrusion Detection Systems. Refer to [1] for an
introduction to Personal Firewalls, risks, tips on 'hardening' your Windows even without a
firewall, a feature comparison and a summary of analyses.
This report focuses on BlackICE Defender.
News:
- 12.Feb.02: Check out the eEye security alert "ISS BlackICE
Kernel Overflow Exploitable". Make sure you have it patched. It is a
bad indication of software quality; perhaps more such bugs are lurking.
Key criteria in choosing a Personal Firewall are:
- Effectiveness of Security Protection (penetration, trojans, controlling leaks,
Denial-of-service)
- Effectiveness of Intrusion Detection (few false positives, alerting of dangerous
attacks)
- User interface: ease of use, instructiveness, simplicity, quality of on-line help. Does
the interface suit the way you use your PC?
- Price
How did we test firewall/intrusion detection effectiveness?
a) Ping and accessing shares to and from the test host.
b) A powerful, well known 'remote control' trojan (Netbus
Pro v2.1) [3] was installed on the system on a
non-standard port (to make detection more difficult), the Netbus
server started and attempts made to connect from a remote system.
c) The telnet server was enabled on the Win2k test PC. An attempt was then made to connect
to this service remotely. It is not recommended that you enable telnet; we did so purely
for testing purposes.
d) An nmap [2] scan was run against
each product (see below), to check that incoming ports were effectively blocked. With no
firewall installed, the test PC (Win2k sp1) presented nmap (nmap -sT -P0 -O
IP_ADDR) with the following ports:
Port/Protocol  State  Service
7/tcp          open   echo
9/tcp          open   discard
13/tcp         open   daytime
17/tcp         open   qotd
19/tcp         open   chargen
23/tcp         open   telnet
135/tcp        open   loc-srv
139/tcp        open   netbios-ssn
445/tcp        open   microsoft-ds
1025/tcp       open   listen
No OS matches for host
BlackICE Defender
The first product tested was NetworkICE's BlackICE Defender [4].
A few quotes from the web site:
...BlackICE works continually to defend servers and workstations from over 200
hacker signatures including the Melissa Worm, Slow Scans and Back
Orifice. Even if hackers bypass firewalls or intrusion defenses, BlackICE bars entry
at the desktop and server.
Many versions were tested from V1.8.6 in Dec.99 to V2.1.cb, on NT4/sp5 and
Win2000.
Features
- This little tool sits in your taskbar (on NT) and informs you of incoming Network
connections (possible attacks).
- It has four simple protection levels from paranoid (allow no inbound TCP or UDP
ports) to nervous (allow non-standard UDP), cautious (allow non-standard
TCP/UDP), trusting (block nothing, but warn when something bad happens).
- File sharing can be enabled or disabled, as can NetBIOS Neighborhood (other hosts in
your domain can see you in the Network neighborhood).
- When an attack happens, the icon in the taskbar flashes (it changes to yellow, orange or
red, depending on the urgency). On clicking on the icon, the user is presented with a list
of attacks. Right clicking on the event allows several courses of action:
a) trust this address
b) block this address (hour, day, month, forever)
c) ignore this attack
d) ignore this attack by another intruder
- Firewall experts will be disappointed at not being able to specify more detailed filter
rules, but the simple configuration makes it ideal for protecting non-techie PCs.
- Auto-port blocking response: Automatic blocking of all traffic from an IP address on
certain critical attacks (e.g. LAND Dos or Trojan horse attacks like BackOrifice).
- BlackICE can be switched off on a specific interface, by hacking blackice.ini [4].
- Download size: 3MB
- Costs $39 (for entry level Defender)
Security Effectiveness
a) The Netbus server
BlackICE did not notice the server being started, but it could not be connected to
remotely (a 'TCP port probe' was reported).
b) An nmap scan
BlackICE does notice nmap scans by flashing a red icon; the attacks window reports
"TCP Port scan", "TCP port probe", "NMAP OS
Fingerprint", "TCP Ace ping", "TCP OS Fingerprint" and "UDP
Port Probe", among many others, which is pretty good. Nmap returned a massive list
of "unfiltered" ports: port 113 and many ports between 1024 and 65031. Nmap
was unable to identify the OS either.
c) General
While browsing the Internet, I was subjected to PCAnywhere, BackOrifice and several TCP
port scans (all identified by BlackICE). It certainly is a useful tool for increasing user
awareness about the dangers of the Internet.
Advantages
- A nice idea well implemented. GUI is pretty simple and easy to use.
- Good intrusion detection.
- No reboot needed during installation (on NT4).
- Allows File sharing and Network Neighborhood visibility to be easily disabled.
- The "attack history" and list of attacks windows are useful. Informs
immediately of an attack, and notes the attacker's host name and IP address.
- A corporate version can centralise configuration, policy and alerting.
- Free updates are included and can be easily downloaded (the default browser and proxy
settings are used). V2 correctly determines (automatically at regular intervals if
selected) whether the existing version needs updating.
- Innovation: testing with BlackICE started in December 1999, and useful new features have
been regularly added to the free upgrades in this time.
- Stable.
- Documentation is pretty good.
Disadvantages
- Not free and no demo version available for download.
- It would be nice if power users could customise the rules more. The file firewall.ini
can be manually edited to block/allow UDP/TCP ports. It would be better to be able to specify
port ranges or wildcards, and even better to be able to filter stateful protocols like
FTP. It would also be better if individual ports could be opened/blocked from the GUI
rather than by hacking the firewall.ini file.
- The default configuration does not protect against Trojans like Back Orifice.
- BlackICE waits until a connection is made before it takes action; it doesn't prevent a
connection by shutting down the system's ports.
- Outgoing ports cannot be blocked.
- False alarms when used on a LAN: from SNMP servers, network management agents, NetBIOS
connection attempts, Exchange servers etc. (these are not really annoying, as they
only generate "yellow" alerts). This is not necessarily a bug: on a large
corporate Intranet there can be many such connections that are harmless, whereas in a hostile environment such as
the Internet it is good to know about such probes. So it depends on your needs.
- The attacks window cannot be "drilled down" to list exactly what ports were
connected to and what (packet) information was sent. (Clicking on the advICE
button does help, and you can see the port in the URL; the file attack-list.csv
can also be examined.)
- False positives: one often sees "UDP port scan", but doesn't know exactly what
is causing it: a real scan, heavy DNS or SNMP traffic etc. In one case it was an Exchange
server trying to make a (legitimate) connection back to an Outlook client; BlackICE didn't
help discover the reason at all. attack-list.csv can be examined to see what port number
was used.
- No tool to browse packet or evidence logs (but some of the logs are in CSV format,
easily browsed with Excel). However, a third party tool is available [5].
- Deinstalling could be cleaner, Registry Keys are left behind. Optionally, the NetworkIce
directory is left in C:\Program Files\ with configuration and logs files, which is useful.
- BlackIce does not allow copy/paste of IP addresses
for use in a traceroute.
- Bugs
- Updates did not always work perfectly: from 2.1.u to 2.1.x, "access denied" to
blackdll.dll was reported. Re-running the update worked.
- On Windows 2000/SP1, v2.1.cn or later is needed, older versions would stop unexpectedly.
- In cautious mode or higher, the Cisco/Altiga Concentrator VPN client won't
work.
- Some security bugs have cropped up, for example, one posted on Bugtraq:
BlackICE Defender versions 2.1 and prior, as well as BlackICE Pro versions 2.0.23 and
prior, when configured for security level Nervous or lower, do not properly block or
filter Back Orifice traffic. NetworkIce recommends setting your security level to
Paranoid, which will correct this problem.
http://archives.neohapsis.com/archives/bugtraq/2000-06/0190.html
- ICEcap, the corporate management tool for BlackICE, listens on Ports 8081 and 8082 and
it can be flooded with UDP or TCP Denial-of-Service (DoS) to these ports. If logging is
enabled (packet and evidence) and DNS and NetBIOS traces are selected, then ICEcap either
a) completely stops responding and CPU is at 100% or
b) slows to such a crawl that the user cannot reliably do anything.
The workaround found is to disable packet logging (which is the default).
Notes:
1. BlackICE itself is not affected by the slowing down of the ICEcap server.
2. Packet logging should not normally be enabled: ALL network packets are logged, which
will obviously drain disk and CPU resources.
Tips
I used BlackICE for several months, sometimes on the Intranet, the Internet, and the Intranet
via VPNs. It worked well and was set up as follows:
Tools|Preferences: Visible indicator=Red/Orange (not yellow), no sound.
Tools|Settings: Paranoid, Allow NetBIOS Neighborhood, Enable Evidence log. I added the IP
address of my Exchange server, VPN gateway and known Intranet SNMP managers servers to
"trusted addresses".
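The false-positive and "trusted addresses" points above suggest a simple triage step: group the entries of attack-list.csv by source address, mark sources you have explicitly trusted, and flag the rest as likely management noise or worth investigating. The Python below is an added example, not code from the article or from NetworkICE; it assumes a simplified column layout (time, attack, source, dest_port, proto) that is constructed for illustration and is not BlackICE's real attack-list.csv schema.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in a simplified column layout assumed for this example;
# it is not BlackICE's real attack-list.csv schema.
SAMPLE_CSV = """time,attack,source,dest_port,proto
2000-10-16 09:01:02,UDP port scan,10.1.2.5,53,udp
2000-10-16 09:01:03,UDP port scan,10.1.2.5,53,udp
2000-10-16 09:01:07,UDP port probe,10.1.2.9,161,udp
2000-10-16 09:02:10,TCP port probe,10.1.3.20,135,tcp
2000-10-16 09:05:44,TCP port scan,192.0.2.77,23,tcp
2000-10-16 09:05:44,TCP port scan,192.0.2.77,139,tcp
2000-10-16 09:05:45,TCP port scan,192.0.2.77,445,tcp
"""

# Hosts you would put under "trusted addresses" (constructed: DNS, Exchange).
TRUSTED = {"10.1.2.5", "10.1.3.20"}

# Ports whose traffic is usually harmless management noise on a corporate LAN.
LIKELY_BENIGN = {
    53: "DNS", 161: "SNMP", 162: "SNMP trap",
    135: "RPC endpoint mapper (Exchange/Outlook)",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
}

def triage(csv_text, trusted=TRUSTED):
    """Group alerts by source and rate each: trusted / likely benign / investigate."""
    by_src = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_src[row["source"]][int(row["dest_port"])] += 1
    report = {}
    for src, hits in by_src.items():
        ports = sorted(hits)
        services = [LIKELY_BENIGN[p] for p in ports if p in LIKELY_BENIGN]
        internal = ipaddress.ip_address(src).is_private
        if src in trusted:
            verdict = "trusted"
        elif internal and len(services) == len(ports):
            verdict = "likely benign"  # only management ports, from inside
        else:
            verdict = "investigate"    # unexplained ports or outside source
        report[src] = {"verdict": verdict, "events": sum(hits.values()),
                       "ports": ports, "services": services}
    return report

if __name__ == "__main__":
    for src, r in triage(SAMPLE_CSV).items():
        print(f"{src:<12} {r['verdict']:<14} {r['events']} events, ports {r['ports']} {r['services']}")
```

Feed it the real CSV export once you have mapped the columns, and extend LIKELY_BENIGN with whatever management traffic is normal on your own Intranet.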
Summary
Useful, easy to use, unobtrusive.
Laptop users will appreciate power-saving modes working properly.
Corporate users will appreciate the centralised management.
Not the most effective security (outgoing ports are not blocked), and power users may
be disappointed at not being able to customise packet filter rules.
References:
[1] Personal Firewalls/Intrusion Detection Systems (the base reference for
this article).
pf_main20001023.html
[2] Nmap
http://www.insecure.org/nmap
[3] Netbus Pro: remote control program often used as an attack tool to
control remote PCs.
http://netbus.nu/
[4] NetworkICE's BlackICE Defender
http://www.networkice.com/Products/BlackICE/default.htm
How do I block an IP address permanently?
http://advice.networkice.com/Advice/Support/KB/q000030/default.htm
Format of Firewall.ini file
http://advice.networkice.com/Advice/Support/KB/q000091/default.htm
Ignoring an internal adapter
http://advice.networkice.com/Advice/Support/KB/q000023/default.htm
[5] Firewall Log Analyzers from Brady & Associates, LLC, for BlackICE,
ZoneAlarm and Winroute. The BlackICE log analyser was tested and works well. It costs $20
for BlackICE, $10 for ZoneAlarm, with a one-month evaluation period.
http://clearice.hypermart.net/
[6] Other reviews available on the web:
http://www.webattack.com/reviews/blackice_rv.shtml
18.Oct.00 Published
Seán Boran is an IT security consultant based
in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, Seán Boran, All Rights Reserved
Last Update: 13 February 2002