legover
Posted July 29, 2003

Very long URL ?

BlackICE is a Network Intrusion Detection System, and ZoneAlarm is a software firewall, and it is fine to run both programs alongside each other. In my opinion, the only good thing about ZoneAlarm is that when a program is trying to make an outward bound connection from your system to any other, it asks you if you want to allow it. ZoneAlarm works by blocking everything except what you want to allow. BlackICE on the other hand monitors each packet on your connection for anything suspicious. It still stops port scans and various DoS attacks, but the thing I like most about BlackICE is that it has the ability to help stop attackers using exploits against you. For example,

Scenario:
- User has IIS installed
- IIS suffers from the ISAPI Buffer overflow.

Zone Alarm Firewall:
- Since ZA is set up to allow inbound connections to IIS port 80, it will do so. It will also let pass the malicious buffer overflow attack which will exploit IIS.
Result: Security compromised.

BlackIce Defender:
- BlackICE Defender will identify the attack; depending on the mode BID has been set up in, it will block further requests to the attacking IP which has sent the malicious Internet packet.
Result: Security partially compromised (depending on exploit and setup)

Also, BlackICE detects trojan connections such as SubSeven by the packets, not which port it is listening on, so no matter which port it tries listening on or someone tries connecting to it on, BlackICE will detect and stop it. BlackICE also includes such information as MAC addresses etc. and gives a much better detailed report on any types of attacks. Another good feature of BlackICE is that it can detect suspicious activity on your own computer, such as telnet abuse. So say if you were on a network that had already been compromised, it can detect any activities that a hacker might use, such as IP spoofing etc.

If you want more details on why using BlackICE on a network, http://www.securityhorizon.com/whitepapers/technical/IDSplace.html is a pretty helpful text on where to place such an application and why". might be a good idea to have both running.

[Edited URL - KS]
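The contrast the post draws, as an added example that is not part of the original post: a port-only allow rule next to a payload-inspecting monitor that blocks a source after its first alert. The packets, the URI-length threshold and the backdoor marker are constructed placeholders, not real BlackICE or ZoneAlarm rules or a real trojan signature.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

ALLOWED_INBOUND_PORTS = {80}   # constructed firewall rule: web server port is open
MAX_URI_LEN = 1024             # assumed threshold for an overlong-request signature
BACKDOOR_MARKER = b"EXAMPLE-BACKDOOR-HELLO"  # placeholder, not a real trojan signature

def port_filter(pkt):
    # Port-only decision: the payload is never examined.
    return pkt.dst_port in ALLOWED_INBOUND_PORTS

class InspectingIDS:
    """Inspects payloads on any port; blocks a source after its first alert."""
    def __init__(self):
        self.blocked = set()
    def classify(self, pkt):
        if pkt.payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            parts = pkt.payload.split(b"\r\n", 1)[0].split(b" ")
            if len(parts) >= 2 and len(parts[1]) > MAX_URI_LEN:
                return "overlong-http-uri"
        if BACKDOOR_MARKER in pkt.payload:
            return "backdoor-handshake"  # matched on content, whatever the port
        return None
    def handle(self, pkt):
        if pkt.src in self.blocked:
            return "dropped (source blocked)"
        alert = self.classify(pkt)
        if alert:
            self.blocked.add(pkt.src)  # further traffic from this source is refused
            return "alert: " + alert
        return "passed"

def run(packets):
    ids = InspectingIDS()
    return [(port_filter(p), ids.handle(p)) for p in packets]

SAMPLE = [  # constructed traffic using documentation address ranges
    Packet("192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET /app.ext?" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.7", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.5", 80, BACKDOOR_MARKER + b"\n"),
]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE, run(SAMPLE)):
        print(pkt.src, pkt.dst_port, result)
```

The port rule answers "allow" for all four packets, while the inspecting monitor alerts on the second and fourth and drops the third because its source was already blocked.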