Tests of Blackice
A - Security effectiveness Tests

Key criteria in choosing a personal firewall are:
- Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of service.
- Effectiveness of intrusion detection: few false positives, alerting on dangerous attacks.
- User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC?
- Price.
How did we test firewall/intrusion detection effectiveness?
- Ping and accessing shares to and from the test host.
- A powerful, well-known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a nonstandard port (to make detection more difficult), the Netbus server started, and attempts made to connect from a remote system.
- An nmap [1] scan was run, to check that incoming ports were effectively blocked. With no firewall installed, nmap detected the OS version (NT4 SP5) on the test PC and the following open ports (nmap -sT -P0 -O IP_ADDR).
- A test using Leaktest [4] was done.
NB: These tests do not pretend to be exhaustive. The aim is to be sure that the tested software offers at least the expected security (or not) for personal use (do not compare this to professional use).

B - Overview

The Blackice v2.1 cn and v2.5 cg firewalls [3] offer several interesting features:
- Many security levels: "Trusting" (allows all), "Cautious" (supposedly blocks some inbound traffic), "Nervous" (blocks most inbound traffic) and "Paranoid" (blocks any unauthorised traffic) are available.
- Possibility to define allowed or forbidden addresses (since release 2.5).
- Possibility to define allowed or forbidden services (ports) (since release 2.5).
- Download size: 2.8 MB

C - Prices

D - Security Effectiveness

- Ping: possible at all security levels; this is a bad result.
- The Netbus server: Blackice does not stop the Netbus server from being started, nor does it complain to the user. However, the attempt to remotely connect to the Netbus server shows the usual warning to the user. The result of this test is good.
- The Leaktest: Blackice (release 2.x) does not detect the software start (as with Netbus), and the connection attempt, which looks like an FTP connection, is neither filtered nor logged. The result of this test is bad.
- An nmap scan without Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on):
$ nmap -sT -O -P0 -v IP_ADDR
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 135 (state open).
Adding TCP port 1025 (state open).
Adding TCP port 445 (state open).
Adding TCP port 139 (state open).
The TCP connect scan took 0 seconds to scan 1523 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
Too many fingerprints match this host for me to give an accurate OS guess
TCP/IP fingerprint:
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds
- An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) with the "Cautious" configuration of Blackice 2.1 cn (Allow internet file sharing and Allow Netbios neighborhood unchecked) gives events registered in the log, which is a good result for detection, but the protection is totally ineffective:
$ nmap -sT -O -P0 -v IP_ADDR
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 1025 (state open).
Adding TCP port 445 (state open).
Adding TCP port 139 (state open).
Adding TCP port 135 (state open).
The TCP connect scan took 30 seconds to scan 1523 ports.
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
WARNING: OS didn't match until the 2 try
Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
TCP Sequence Prediction: Class=random positive increments
Difficulty=13035 (Worthy challenge)
Sequence numbers: E2E0F47D E2E1D241 E2E28274 E2E361F3 E2E43C2B E2E585A2
Remote operating system guess: Windows 2000 RC1 through final release
Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds
You have the following events logged in the Attack window:
24 TCP port probe
721 TCP port scan
3 TCP SYN flood
156 TCP port scan
25 TCP SYN flood
This means that at Cautious level no security at all is offered!! This is a very bad result.
- An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) with the "Cautious" configuration of Blackice 2.1 cn (Allow internet file sharing and Allow Netbios neighborhood unchecked) gives events registered in the log, which is a good result for detection, and in this case the protection seems effective:
$ nmap -sT -O -P0 -v IP_ADDR
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Skipping host (IP_ADDR) due to host timeout
Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds
You have the following events logged in the Attack window:
51 TCP SYN flood
2582 TCP port scan
This means that at Nervous level the security seems effective.
- An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) with the "Cautious" configuration of Blackice 2.5 cg (Allow internet file sharing and Allow Netbios neighborhood unchecked, Enable autoblocking checked) gives events registered in the log, which is a good result for detection:
$ nmap -sT -O -P0 -v -T5 IP_ADDR
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 1025 (state open).
The TCP connect scan took 30 seconds to scan 1523 ports.
Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)
Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds
You have the following events logged in the Attack window:
6 TCP port probe
1 TCP SYN flood
143 TCP port scan
33 TCP SYN flood
4340 TCP port scan
This means that at Cautious level the security seems effective, much more so than in release 2.1 cn!
- An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) with the "Nervous" configuration of Blackice 2.5 cg (Allow internet file sharing and Allow Netbios neighborhood unchecked, Enable autoblocking checked) gives events registered in the log, which is a good result for detection:
$ nmap -sT -O -P0 -v IP_ADDR
Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
Initiating TCP connect() scan against (IP_ADDR)
Skipping host (IP_ADDR) due to host timeout
Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds
You have the following events logged in the Attack window:
56 TCP SYN flood
6456 TCP port scan
This means that at Nervous level the security seems even more effective.
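The before/after nmap comparisons above, and the test method described in section A, boil down to one check a defender can automate: did the firewall actually remove the ports that were reachable on the unprotected host, and what did it log while being scanned? The following Python script is an added example, not code from the Firewall.net review or from Network ICE. It parses the verbose nmap 2.x output format shown in these logs (the "Adding TCP port N (state open)." lines and the "Interesting ports" table), diffs a baseline scan against a scan taken through the firewall, treats the "Skipping host ... due to host timeout" outcome as the host being unreachable to the scanner, and sums the per-event counts from the Attack window listing. The sample scan outputs are constructed to match the shape of the logs above (the Attack window counts are those of the 2.1 cn "Cautious" test); the verdict wording is the script's own.

```python
"""Diff nmap connect-scan output taken with and without a personal firewall.

Added example, not code from the Firewall.net review. It reads the verbose
nmap 2.x output format shown in the test logs, reports which baseline ports
the firewall left reachable, and tallies the firewall's Attack window counts.
The verdict wording is this script's own.
"""
import re
from collections import Counter

OPEN_ADD_RE = re.compile(r"^Adding TCP port (\d+) \(state open\)\.")
TABLE_ROW_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
TIMEOUT_RE = re.compile(r"due to host timeout")
EVENT_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Constructed sample: baseline scan of the unprotected host (table re-aligned).
BASELINE_SCAN = """\
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 135 (state open).
Adding TCP port 1025 (state open).
Adding TCP port 445 (state open).
Adding TCP port 139 (state open).
Interesting ports on (IP_ADDR):
(The 1519 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
"""

# Constructed sample: at "Cautious" one port stays reachable; only the
# verbose line survives in the capture, no table row.
CAUTIOUS_SCAN = """\
Initiating TCP connect() scan against (IP_ADDR)
Adding TCP port 1025 (state open).
The TCP connect scan took 30 seconds to scan 1523 ports.
"""

# Constructed sample: at "Nervous" nmap gives up on the host entirely.
NERVOUS_SCAN = """\
Initiating TCP connect() scan against (IP_ADDR)
Skipping host (IP_ADDR) due to host timeout
"""

# Attack window counts as listed in the review's 2.1 cn "Cautious" test.
CAUTIOUS_EVENTS = """\
24 TCP port probe
721 TCP port scan
3 TCP SYN flood
156 TCP port scan
25 TCP SYN flood
"""


def parse_open_ports(scan_text):
    """Return {port: service} for each open TCP port. Both the verbose
    "Adding" lines and the final table are read, so a capture that never
    reached the table still yields the ports (service is then "unknown")."""
    ports = {}
    for line in scan_text.splitlines():
        m = OPEN_ADD_RE.match(line)
        if m:
            ports.setdefault(int(m.group(1)), "unknown")
            continue
        m = TABLE_ROW_RE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def firewall_report(baseline_text, protected_text):
    """Compare the unprotected baseline with a scan taken through the firewall."""
    baseline = parse_open_ports(baseline_text)
    protected = parse_open_ports(protected_text)
    still_open = sorted(p for p in baseline if p in protected)
    closed = sorted(p for p in baseline if p not in protected)
    timed_out = TIMEOUT_RE.search(protected_text) is not None
    if timed_out and not protected:
        verdict = "host unreachable to the scanner: inbound protection effective"
    elif not still_open:
        verdict = "all baseline ports closed: inbound protection effective"
    elif len(still_open) == len(baseline):
        verdict = "no baseline port closed: inbound protection ineffective"
    else:
        verdict = "partial: some baseline ports remain reachable"
    return {"still_open": still_open, "closed": closed,
            "host_timeout": timed_out, "verdict": verdict}


def tally_events(attack_window_text):
    """Sum Attack window counts per event name (the same name can recur)."""
    totals = Counter()
    for line in attack_window_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            totals[m.group(2)] += int(m.group(1))
    return totals


if __name__ == "__main__":
    for label, scan in (("Cautious", CAUTIOUS_SCAN), ("Nervous", NERVOUS_SCAN)):
        print(label, firewall_report(BASELINE_SCAN, scan))
    print("Cautious events:", dict(tally_events(CAUTIOUS_EVENTS)))
```

Run against real captures, the point of the diff is that "events logged" and "ports closed" are independent results: the 2.1 cn Cautious log above records hundreds of port-scan events while every baseline port stays reachable, which the script reports as "ineffective" regardless of how many events were tallied. A host timeout with no open ports is the only case counted as a pass without a port table, since nmap never got a response to compare.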

E - Advantages

- Closes the unused ports, but only if the Autoblocking option is checked.
- Allows different rules to be defined for particular IP addresses or services (ports).
- Huge security improvements in release 2.5 cg, leaving 2.1 cn really too weak.

F - Disadvantages

- Blackice cannot be configured to ignore pings from unknown sources.
- The GUI could be much easier to use (compared to ZoneAlarm's).
- The log is unreadable without using third-party software.

G - Suggested improvements

H - Summary

A simple tool which needs attention to be effective. New users may well appreciate it, though it could be much easier to use.

I - References

- [1] Nmap - Network mapper, a really efficient tool to check networks.
  http://www.insecure.org/nmap
- [2] Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
  http://www.netbus.org/
- [3] Blackice
  http://www.networkice.com
- [4] Leaktest - Small testing program written by Steve Gibson to check firewalls. It makes a simple TCP (FTP) connection that simulates sending personal content, a technique which can also be used to take remote control in reverse mode (argh).
  http://grc.com/