FireWall.net - Guide to install & configure a PC FireWall
o Home > Blackice > Tests of Blackice

>Sofware tests
--------------------------------------------------------
>Installation
--------------------------------------------------------
>Configuration
--------------------------------------------------------
>Checking
--------------------------------------------------------
>FAQ
--------------------------------------------------------



Contact Firewall.net :
e-mail-mail.

Tests of Blackice

oTests oOverviewoPrice oResultsoAdvantagesoDisadvantages oImprovementsoSummaryoReferenceso

A - Security effectiveness Tests

Key criteria in choosing a personnal firewall are :

  • Effectiveness of security protection : penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting of dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC ?

  • Price.

How did we test firewall/intrusion detection effectiveness?

  1. Ping and accessing shares to and from the test host.

  2. A powerful, well known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started and attempts made to connect from a remote system.

  3. An nmap [1] scan was run, to check that incoming ports were effectively blocked. With no firewall installed, nmap detected the OS version (NT4 SP5) on the test PC and the following open ports (nmap ST -P0 -O IP_ADDR).

  4. A test using Leaktest [4] was done.

NB : These tests do not pretend to be exhaustives. By the way the aim is to be sure that the tested software offers at least expected security (or not) for a personnal use (do not compare this to professional use).

Jump to the test results.

B - Overview

The Blackice v 2.1 cn and 2.5 cg firewall [3] are full of interesting features :

  • Many security levels : "Trusting" (allows all), "Cautious" (supposedly block some inbound flow), "Nervous" (blocks most inbound flow) and "Paranoid" (Blocks any unautorised flows) are available.

  • Possibility to define allowed or forbidden addresses (since release 2.5).

  • Possibility to define allowed or forbidden services ( ports) (since release 2.5)

  • Download size : 2.8 MB

C - Prices

39 $ US.

D - Security Effectiveness
  1. Ping: possible at all security levels, this is a bad result.

  2. The Netbus server: Blackice does not stop the Netbus server from being started, nor does it complain to the user. However, the attempt to remotely connect to the Netbus server shows the usual warning to the user. The result of this test is good.

  3. The Leaktest : Blackice (release 2.x) does not detect the software start (like Netbus) , the connection attempt looking like a ftp connection is nore filtered nore logged, the result of this test is bad.

  4. An nmap scan without Blackice (on Win 2000 OS SP1 with a "standard" installation, it means NetBios active and so on) :

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds


  5. An nmap scan with Blackice (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) with the configuration "Cautious" of Blackice 2.1 cn (Allow internet file sharing and Allow Netbios neighborhood unchecked) gives events registered in the log which is a good result for detection , but the protection is totally unefficient :

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    Adding TCP port 135 (state open).
    The TCP connect scan took 30 seconds to scan 1523 ports.
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    WARNING: OS didn't match until the 2 try
    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen


    TCP Sequence Prediction: Class=random positive increments
    Difficulty=13035 (Worthy challenge)
    Sequence numbers: E2E0F47D E2E1D241 E2E28274 E2E361F3 E2E43C2B E2E585A2
    Remote operating system guess: Windows 2000 RC1 through final release

    Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds

    YOu have the following events logged in the Attack window :
    24 TCP port probe
    721 TCP port scan
    3 TCP SYN flood
    156 TCP port scan
    25 TCP SYN flood

    This means that at Cautious level not any security is offered !! This is a very bad result.

  6. An nmap scan with Blackice (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) with the configuration "Cautious" of Blackice 2.1 cn (Allow internet file sharing and Allow Netbios neighborhood unchecked) gives events registered in the log which is a good result for detection and in this case the protection seems efficient :

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Skipping host (IP_ADDR) due to host timeout

    Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds

    You have the following events logged in the Attack window :
    51 TCP SYN flood
    2582 TCP port scan

    This means that at Nervous level , the security seems efficient.

  7. An nmap scan with Blackice (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) with the configuration "Cautious" of Blackice 2.5 cg (Allow internet file sharing and Allow Netbios neighborhood unchecked , Enable autoblocking checked) gives events registered in the log which is a good result for detection :

    $ nmap -sT -O -P0 -v -T5 IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 1025 (state open).
    The TCP connect scan took 30 seconds to scan 1523 ports.
    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds


    You have the following events logged in the Attack window :
    6 TCP port probe
    1 TCP SYN flood
    143 TCP port scan
    33 TCP SYN flood
    4340 TCP port scan

    This means that at Cautious level , the security seems efficient, much more than in the release 2.1 cn !

  8. An nmap scan with Blackice (on Win 2000 SP1 OS with a "standard" installation, it means NetBios active and so on) with the configuration "Nervous" of Blackice 2.5 cg (Allow internet file sharing and Allow Netbios neighborhood unchecked , Enable autoblocking checked) gives events registered in the log which is a good result for detection :

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Skipping host (IP_ADDR) due to host timeout

    Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds



    You have the following events logged in the Attack window :
    56 TCP SYN flood
    6456 TCP port scan

    This means that at Nervous level , the security seems more efficient.

E - Advantages
  1. Close the unused ports, only if the Autoblocking option is checked .

  2. Allows to describe rules different for some particular IP addresses or services (ports).

  3. Huge security improvements in the release 2.5 cg, leaving 2.1 cn realy to weak.

F - Disadvantages
  1. Blackice cannot be configured to ignore ping from unknown sources.

  2. The GUI could be much more easy to use (compared to ZoneAlarm's)

  3. The log is unreadable without using a third party software.

G - Suggested improvements
  • Improve the Gui.

  • Improve the logs.

  • Iprove security efficiency !

  • Product internationalization.

H - Summary

A simple tool, which needs attention to be efficient. New users may well appreciate, could be much easier to use, though.

I - References
  1. Nmap - Network mapper, a really efficient tool to check networks
    URL http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    URL http://www.netbus.org/
    URL download

  3. blackice
    URL http://www.networkice.com

  4. Leaktest - Small testing software written by Steve Gibson to check firewalls. It makes a simple TCP (ftp) connexion that simulate sennding of personnal content, which can also be used to take remote controle in reverse mode (arg).
    URL http://grc.com/
    URL download
This site is copyright Chryjs 1999-2001, all copies forbidden.