BlackICE Defender - a Personal Firewall

by Suicidal_251

To start I will say that the motivation for this article comes from the fact that I have not seen any articles on firewalls in quite some time.

Firewalls are very important to any computer user.  Most of the older gurus have heard of or have used previous versions of BlackICE Defender, back before it became mainstream.  I am not sure how recent the buyout was but Network ICE, maker of BlackICE was acquired by Internet Security Systems (ISS).

BlackICE Defender, from here on out referred to as BID, got a facelift and became moron friendly (AOLish?) meaning that the interface has become a nice little GUI where any moron can point and click on the functions and make them happen.

I recently acquired my own copy of BID and am so far pretty impressed with its performance strictly as a firewall.  Let's just say that it complements other software that I use and will mention further in the article.  Remember, these are my opinions on how I see things and if you disagree, oh well.  Write your own damn article.

I am going to start out by going over the initial interface which the user is presented with when he brings up BID.  Everything is done by tabs across the top of the window which are labeled Attacks, Intruders, History, and Info.

Attacks

Shows any attacks or suspicious events that BID has found taking place over your network.

It lists the Result, Time, Attack Type, Intruder, and Count.

Result:  Shows an icon of a certain color letting you know the severity of the attack.  BID breaks attacks down into Critical, Serious, Suspicious, or Informational.  It also has an icon overlaid to let you know whether BID was effective at stopping the attack or whether the computer has been violated.  (I haven't seen BID beaten yet by others or myself.)

Time:  If you truly don't know what this is, jump out a window.

Attack:  Tells you what type of attack was conducted against your machine.  Examples include HTTP PORT PROBE, NETBIOS PORT PROBE, or ECHO STORM (from a Smurf attack).

Intruder:  BID will try to resolve the NetBIOS name of the intruder.  The NetBIOS name is "usually" the name the attacker is logged onto his computer with.  If BID cannot resolve it, normally meaning the attacker is running a firewall also, it will display the attacker's IP address.

Count:  Amount of times the attacker tried his attack.

Example:
(ICON) 09/05/01 22:38:11 NetBIOS Port Probe BOBWHITE 4

Intruder

This tab shows the information that BID got from the attacker during its Back Trace (more on Back Trace later).  The information displayed is IP, Node, NetBIOS Name, Group, MAC Address, and DNS.

IP:  If you don't know what an IP is, read TCP/IP For Dummies.

Node:  Shows the computer network node of the intruder.

NetBIOS Name:  Was covered above under "Attacks: Intruder".

Group:  The network group to which the intruder's computer belongs.

MAC Address:  Media Access Control (MAC) address, a hardware address that uniquely identifies each node of a network.  There are services on the web that will track this for you.  Have fun searching for them.

DNS:  Domain Name Service will normally give away what system or ISP the user is logged onto.

Example: (X's added to protect the ID of the guilty)

IP: 168.49.210.XXX
Node: COMPUTER ##
NetBIOS: COMPUTER ##
Group: AD#XX_XSD
MAC: 00C0F562BXXX
DNS: adsl-168-49-210.dsl.XXXX21.pacbell.net

History

Interesting information for your personal reference.  This shows how much traffic was used for attacks and for normal traffic in a nice graphical format.  It can be viewed from the last 90 minutes, hours, or days.  It also tells you the total number of attacks and total number of packets in the same time frame as above.

Info

Shows your registration info, license info, and version info.  Useless note: All this info can also be found in various TXT files under the BID directory on your HD.

Settings Menus

These are the different tabs under the Settings menu.  Very quickly:

Protection:  You can set BID to four different settings to protect you at different levels.  You can choose from Trusting, Cautious, Nervous, and Paranoid.

Log Packets:  You can set BID to save a log file of all packets to your computer so that you can review them later at will.  External software is needed for this unless you're really good with Notepad.  Good luck.

Log Evidence:  BID will log all the traffic and information of the intruders to a log file for future use or proof.  If someone really bugs the hell out of you, this file will be helpful in dealing with his or her ISP.  Some will say that they won't turn a fellow hacker in.  Wait until he pings you or probes you 625 times in 10 minutes.  It gets real old.  Or you can handle it yourself but we won't go there right now.

Back Trace:  I told you there would be more on this.  BID has two types of back traces - direct and indirect.  An indirect trace will not alert the intruder that you are tracing him.  BID will analyze the incoming packets from the various routers to gain information about the user.  This will normally only net you his IP address.  A direct trace will actually pull information from the intruder's computer.  If he is running a firewall, you will not get anything except his IP.  But if not, you will net his Node, Group, NetBIOS name, MAC, and DNS.  If he is monitoring his ports and information with something like McAfee's Guard Dog, he will know he is being traced.  Or he can even block it and you will get nothing.  I run direct and indirect traces on every attack.  What the hell, you're protected, why not nab all his info?

Detection:  Allows you to manage trusted or ignored IP addresses.

Preferences:  This is where you can set up BID to do auto-update checks.  You can also configure how BID will alert you to attacks.

Useful Features

A few things I find useful:

Stop BID Engine:  You can stop your protection and restart it at will.  Sometimes you have to shut down your firewall protection in order to play some online games or do other online tasks.  Quick and easy to do.

One Year Tech Support:  If you actually lack the intelligence to figure out this AOL "User Safe GUI," you can use the free tech support to figure it out for you.

AdvICE:  Anyone can use this feature whether you have BID or not.  Go to advice.networkice.com/advice.  This site has a ton of information about all the types of attacks and how to deal with them.  It has a lot more information - too much to cover here - so go look for yourself.  You can also highlight one of the attacks in your attack menu and hit the AdvICE key and it will automatically take you to the portion of the AdvICE site regarding that specific attack.

Outside of the BID GUI

Inside the directory where you installed BID there are a few files that are fun to look at and play with.  Take a look at these:

Attack-List.CSV:  Open with MS Excel.  This gives you all the information that the GUI gives you under the Attack tab, plus column 1, which the GUI doesn't show.  That column will tell you exactly what port the attack came across on.

Example:  Port=80|4109|4110|8945&Reason=Firewalled

If I had my way I would put this information into the GUI itself to make it easier to access but I think Network ICE didn't do that so it wouldn't confuse the AOL or CompuServe users.  (Yes, I fu*king hate AOL!)
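Since the article only shows what column 1 looks like, here is an added example (my own code, not anything shipped by Network ICE or ISS) that parses that "Port=...&Reason=..." field, reads the rest of a row as the same fields the Attacks tab shows, and tallies what each intruder did.  The column order after column 1 is an assumption, the sample rows are constructed, and the 10-minute window is there to catch the "625 probes in 10 minutes" kind of pest mentioned under Log Evidence, so you have a number to put in front of his ISP.

```python
"""Parse a BlackICE Defender-style Attack-List.CSV export and tally intruders.

Added example, not Network ICE / ISS code.  The article documents only
column 1 ("Port=80|4109|4110|8945&Reason=Firewalled") and says the other
columns repeat the Attacks tab (Result, Time, Attack Type, Intruder, Count).
That column order is an ASSUMPTION here, and the sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a real export.  Assumed column order:
# Port/Reason field, Result, Time, Attack Type, Intruder, Count.
# One junk line and one row with no Reason= are included on purpose.
SAMPLE_CSV = """\
Port=80|4109|4110|8945&Reason=Firewalled,Suspicious,09/05/01 22:38:11,HTTP Port Probe,168.49.210.12,4
Port=139&Reason=Firewalled,Suspicious,09/05/01 22:38:40,NetBIOS Port Probe,BOBWHITE,1
Port=7&Reason=Firewalled,Serious,09/05/01 22:41:15,Echo Storm,10.0.0.9,120
Port=139&Reason=Firewalled,Suspicious,09/05/01 22:45:00,NetBIOS Port Probe,BOBWHITE,5
not a record at all
Port=139,Suspicious,09/05/01 22:51:02,NetBIOS Port Probe,BOBWHITE,3
"""

FIELDS = ("portinfo", "result", "time", "attack", "intruder", "count")
TIME_FORMAT = "%m/%d/%y %H:%M:%S"  # matches the GUI example "09/05/01 22:38:11"


def parse_port_field(field):
    """Split 'Port=80|4109&Reason=Firewalled' into ([80, 4109], 'Firewalled').

    Keys other than Port and Reason are ignored; a missing key yields [] / ''.
    """
    ports, reason = [], ""
    for pair in field.split("&"):
        key, _, value = pair.partition("=")
        if key == "Port":
            ports = [int(p) for p in value.split("|") if p.isdigit()]
        elif key == "Reason":
            reason = value
    return ports, reason


def parse_attack_list(text):
    """Turn CSV text into dicts with typed ports, reason, time and count."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue  # skip blank or malformed lines instead of crashing
        rec = dict(zip(FIELDS, (v.strip() for v in row)))
        rec["ports"], rec["reason"] = parse_port_field(rec.pop("portinfo"))
        rec["time"] = datetime.strptime(rec["time"], TIME_FORMAT)
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def peak_probes(events, window):
    """Most probes one intruder fired inside any span of length `window`.

    events: (time, count) tuples.  Two-pointer sliding window over the
    events sorted by time; the running sum is the probe count in the window.
    """
    events = sorted(events)
    best = start = running = 0
    for t_end, count in events:
        running += count
        while t_end - events[start][0] > window:
            running -= events[start][1]
            start += 1
        best = max(best, running)
    return best


def summarize(records, window=timedelta(minutes=10)):
    """Per-intruder tally: events, total probes, ports, reasons, peak rate."""
    by_intruder = defaultdict(list)
    for rec in records:
        by_intruder[rec["intruder"]].append(rec)
    summary = {}
    for intruder, recs in by_intruder.items():
        summary[intruder] = {
            "events": len(recs),
            "probes": sum(r["count"] for r in recs),
            "ports": sorted({p for r in recs for p in r["ports"]}),
            "reasons": sorted({r["reason"] for r in recs}),
            "attacks": sorted({r["attack"] for r in recs}),
            "peak_in_window": peak_probes(
                [(r["time"], r["count"]) for r in recs], window),
        }
    return summary


if __name__ == "__main__":
    for who, info in summarize(parse_attack_list(SAMPLE_CSV)).items():
        print(who, info)
```

Point it at the real file with parse_attack_list(open("Attack-List.CSV").read()) and fix up FIELDS if your export's columns come out in a different order; the "reasons" set is the quick way to confirm every event was Firewalled, which is the same thing the overlaid icon in the GUI is telling you.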

BlackD.LOG:  This is the log that contains all the changes, settings, etc. that have happened within BID.  Take a good look through this file.  It is long but contains some good stuff.

Firewall.CFG:  Configuration file for the firewall.  BID does not recommend manually configuring this file.  Yeah... sure...

Issuelist.CSV:  Open with MS Excel.  This file contains every attack and issue known so far that BID protects against.  I strongly suggest you take a look at this file and do some reading.  Good trash...

Readme.TXT:  Don't, it is useless and really boring.

BlackICE Def Quickstart.PDF:  Information card that comes with BID when you buy it in the store.

Host Directory:  Contains TXT files of all intruders named by the intruder's IP address.

Personal Notes and Thoughts

I like BID.

Easy to use and has good features.  I also like how it pulls information from the attacker and stores it for you.  Even if the attacker was running a firewall and all you could gain was his IP address, you could use external software like VisualRoute and AccessDiver to find him, his ISP, and do other interesting things to teach him not to mess with you again.  (Note to law enforcement:  I do not condone this behavior or partake in naughty things.)

I really do not have an opinion on hardware firewalls versus software firewalls.  Sometimes when you are doing certain online tasks behind a hardware firewall, like playing online games, UDP and some TCP probes/attacks can still get through the hardware.  That is where BID comes in.

If you have any questions, ask someone else because this should have answered them all.
