Firewall Net tests, installation & configuration
FireWall.net - Guide to install and configure a PC FireWall
 
 

Tests of Blackice

 

A - Security effectiveness Tests

Key criteria in choosing a personal firewall are:

  • Effectiveness of security protection: penetration, Trojans, controlling leaks, denial of service.

  • Effectiveness of intrusion detection: few false positives, alerting on dangerous attacks.

  • User interface: ease of use, instructiveness, simplicity, quality of online help. Does the interface suit the way you use your PC?

  • Price.

How did we test firewall/intrusion detection effectiveness?

  1. Pinging and accessing shares to and from the test host.

  2. A powerful, well-known "remote control" Trojan (Netbus Pro v2.1 [2]) was installed on the system on a non-standard port (to make detection more difficult), the Netbus server was started, and attempts were made to connect to it from a remote system.

  3. An nmap [1] scan was run to check that incoming ports were effectively blocked. With no firewall installed, nmap detected the OS version (NT4 SP5) on the test PC and the open ports listed in the results below (nmap -sT -P0 -O IP_ADDR).

  4. A test using Leaktest [4] was done.

NB: These tests do not claim to be exhaustive. The aim is only to establish whether the tested software offers at least the expected level of security (or not) for personal use (do not compare this to professional use).


 
B - Overview

The Blackice 2.1 cn and 2.5 cg firewalls [3] offer a number of interesting features:

  • Several security levels: "Trusting" (allows everything), "Cautious" (supposedly blocks some inbound traffic), "Nervous" (blocks most inbound traffic) and "Paranoid" (blocks any unauthorised traffic).

  • Allowed or forbidden addresses can be defined (since release 2.5).

  • Allowed or forbidden services (ports) can be defined (since release 2.5).

  • Download size : 2.8 MB

C - Prices

US $39.

 
D - Security Effectiveness
  1. Ping: possible at all security levels; this is a bad result.

  2. The Netbus server: Blackice does not stop the Netbus server from being started, nor does it complain to the user. However, the attempt to remotely connect to the Netbus server shows the usual warning to the user. The result of this test is good.

  3. Leaktest: Blackice (release 2.x) does not detect the program starting (just as with Netbus), and the connection attempt, which looks like an FTP connection, is neither filtered nor logged. The result of this test is bad.

  4. An nmap scan without Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on):

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 135 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    The TCP connect scan took 0 seconds to scan 1523 ports.

    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (0), OS detection will be MUCH less reliable

    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen

    Too many fingerprints match this host for me to give an accurate OS guess
    TCP/IP fingerprint:
    T1(Resp=N)
    T2(Resp=N)
    T3(Resp=N)
    T4(Resp=N)
    T5(Resp=N)
    T6(Resp=N)
    T7(Resp=N)
    PU(Resp=N)

    Nmap run completed -- 1 IP address (1 host up) scanned in 29 seconds


  5. An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) using the "Cautious" configuration of Blackice 2.1 cn (Allow internet file sharing and Allow Netbios neighborhood unchecked) gives events registered in the log, which is a good result for detection, but the protection is totally ineffective:

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 1025 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 139 (state open).
    Adding TCP port 135 (state open).
    The TCP connect scan took 30 seconds to scan 1523 ports.
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    For OSScan assuming that port 135 is open and port 1 is closed and neither are firewalled
    WARNING: OS didn't match until the 2 try
    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Port State Service
    135/tcp open loc-srv
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open listen


    TCP Sequence Prediction: Class=random positive increments
    Difficulty=13035 (Worthy challenge)
    Sequence numbers: E2E0F47D E2E1D241 E2E28274 E2E361F3 E2E43C2B E2E585A2
    Remote operating system guess: Windows 2000 RC1 through final release

    Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds

    You have the following events logged in the Attack window:
    24 TCP port probe
    721 TCP port scan
    3 TCP SYN flood
    156 TCP port scan
    25 TCP SYN flood

    This means that at the Cautious level no security at all is offered! This is a very bad result.

  6. An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) using the "Nervous" configuration of Blackice 2.1 cn (Allow internet file sharing and Allow Netbios neighborhood unchecked) gives events registered in the log, which is a good result for detection, and in this case the protection seems effective:

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Skipping host (IP_ADDR) due to host timeout

    Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds

    You have the following events logged in the Attack window:
    51 TCP SYN flood
    2582 TCP port scan

    This means that at the Nervous level the security seems effective.

  7. An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) using the "Cautious" configuration of Blackice 2.5 cg (Allow internet file sharing and Allow Netbios neighborhood unchecked, Enable autoblocking checked) gives events registered in the log, which is a good result for detection:

    $ nmap -sT -O -P0 -v -T5 IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Adding TCP port 1025 (state open).
    The TCP connect scan took 30 seconds to scan 1523 ports.
    Interesting ports on (IP_ADDR):
    (The 1519 ports scanned but not shown below are in state: closed)

    Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds


    You have the following events logged in the Attack window:
    6 TCP port probe
    1 TCP SYN flood
    143 TCP port scan
    33 TCP SYN flood
    4340 TCP port scan

    This means that at the Cautious level the security seems effective, much more so than in release 2.1 cn!

  8. An nmap scan with Blackice (on Windows 2000 SP1 with a "standard" installation, i.e. NetBIOS active and so on) using the "Nervous" configuration of Blackice 2.5 cg (Allow internet file sharing and Allow Netbios neighborhood unchecked, Enable autoblocking checked) gives events registered in the log, which is a good result for detection:

    $ nmap -sT -O -P0 -v IP_ADDR

    Starting nmap V. 2.53 by [email protected] ( www.insecure.org/nmap/ )
    Initiating TCP connect() scan against (IP_ADDR)
    Skipping host (IP_ADDR) due to host timeout

    Nmap run completed -- 1 IP address (1 host up) scanned in 75 seconds



    You have the following events logged in the Attack window:
    56 TCP SYN flood
    6456 TCP port scan

    This means that at the Nervous level the security seems even more effective.
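The comparison that tests 4 to 8 make by hand (which ports open without the firewall are still visible with it) can be scripted. This is an added example in Python, not code from the original page or from the BlackIce product; it parses the nmap 2.53 "-v" output format quoted above, and the sample inputs are constructed excerpts modelled on those scans (the "Skipping host ... due to host timeout" line is the Nervous-level result).

```python
import re
from dataclasses import dataclass

# Constructed excerpts modelled on the nmap 2.53 "-v" output quoted above.
BASELINE_TXT = """\
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
"""
CAUTIOUS_25_TXT = "Adding TCP port 1025 (state open).\n"    # 2.5 cg, Cautious
NERVOUS_TXT = "Skipping host (IP_ADDR) due to host timeout\n"  # Nervous level
ADDING_RE = re.compile(r"Adding TCP port (\d+) \(state (\w+)\)")
TABLE_RE = re.compile(r"^\s*(\d+)/tcp\s+(\w+)\s+\S+", re.MULTILINE)
TIMEOUT_RE = re.compile(r"Skipping host .* due to host timeout")

@dataclass
class ScanResult:
    ports: dict           # port number -> state as nmap reported it
    host_timed_out: bool  # nmap gave up on the host before listing ports

def parse_nmap_output(text):
    """Collect port states from the verbose 'Adding' lines and the port table."""
    ports = {}
    for regex in (ADDING_RE, TABLE_RE):
        for m in regex.finditer(text):
            ports[int(m.group(1))] = m.group(2)
    return ScanResult(ports, bool(TIMEOUT_RE.search(text)))

def open_ports(scan):
    return {p for p, s in scan.ports.items() if s == "open"}

def compare_scans(baseline, firewalled):
    """Which ports open without the firewall are still exposed with it."""
    base, fw = open_ports(baseline), open_ports(firewalled)
    return {"still_open": sorted(base & fw), "now_hidden": sorted(base - fw),
            "host_timed_out": firewalled.host_timed_out}

def verdict(report):
    if not report["still_open"]:
        return "effective"    # nothing from the baseline is reachable any more
    if not report["now_hidden"]:
        return "ineffective"  # every baseline port still open (2.1 cn Cautious)
    return "partial"          # some hidden, some not (2.5 cg Cautious: 1025 left)

BASELINE = parse_nmap_output(BASELINE_TXT)
CAUTIOUS_21 = BASELINE   # 2.1 cn Cautious showed exactly the same ports as no firewall
CAUTIOUS_25 = parse_nmap_output(CAUTIOUS_25_TXT)
NERVOUS = parse_nmap_output(NERVOUS_TXT)
```

Feed `parse_nmap_output` the saved text of a baseline scan and of each firewalled scan, and `verdict(compare_scans(...))` reproduces the bad/partial/good ratings given above.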

E - Advantages 
  1. Closes the unused ports, but only if the Autoblocking option is checked.

  2. Allows different rules to be defined for particular IP addresses or services (ports).

  3. Huge security improvements in release 2.5 cg, which leaves 2.1 cn looking really too weak.

F - Disadvantages
  1. Blackice cannot be configured to ignore pings from unknown sources.

  2. The GUI could be much easier to use (compared to ZoneAlarm's).

  3. The log is unreadable without third-party software.

G - Suggested improvements
  • Improve the GUI.

  • Improve the logs.

  • Improve security efficiency!

  • Product internationalization.

H - Summary 

A simple tool which needs attention to be effective. New users may well appreciate it, though it could be much easier to use.

 

 
I - References
  1. Nmap - Network mapper, a really efficient tool for checking networks.
    URL http://www.insecure.org/nmap

  2. Netbus Pro - Remote control program often used as an attack tool to control remote PCs.
    URL http://www.netbus.org/

  3. Blackice
    URL http://www.networkice.com

  4. Leaktest - Small test program written by Steve Gibson to check firewalls. It makes a simple outbound TCP (FTP) connection that simulates sending personal content; the same technique can also be used to take remote control in reverse mode (arg).
    URL http://grc.com/