Blackice Pc Protection
achilles
October 31st, 2002, 03:42 PM
Well I finally took the firewall plunge and installed one last night. Someone had given me a boxed version of Blackice Pc Protection and I installed it and updated it. No problems so far, loads up quick and fairly light on resources. Up until now I had been using the built in firewall that came with WinXP. I had done a few scans online and all ports always showed up as stealthed. With Blackice enabled and WinXP firewall disabled ports 80 and 113 show up as closed but not stealthed. Anyway no big deal, I found out how to stealth these ports. My question is what do you guys think of Blackice? I did some searching around and like most software some say it's better than a traditional firewall because of its IDS, others say it's not secure enough. As I am not that savvy with firewalls I want to hear what the experts on this forum have to say, keep it or get something else?
LowWaterMark
October 31st, 2002, 06:15 PM
Hi achilles, :)
It should be interesting to see what opinions you get here regarding the BlackIce product. I have not used it myself, but have read that there have been improvements in the product over recent times, which may supersede some people's concerns from previous versions.
There is an interesting thread over at DSLR regarding BlackIce. (If you go to the link below, read it all. There is some misinformation sitting side by side with some information and opinion. ;) )
http://www.dslreports.com/forum/remark,4836737~root=security,1~mode=flat
Obviously, you know about the various scanning sites, since you've done some testing already. For myself, to judge if a firewall is working at a basic level, I just check to see if it's showing either closed or stealth ports at the scanning sites, when I know I have ports open (listening) for local usage. Then, there are leak tests, if you are interested in testing outbound protection. Although, there is a lot of debate regarding how valid leak tests are. I just fire up a few different network aware apps and see if the firewall lets me know if/when they try to make network access and see what happens if I refuse permission.
These simple tests, while clearly not noteworthy to the world of firewall testing, do tell me if a firewall appears to be doing its basic functions, covering inbound and outbound security. Combining that with what I can read at sites like this gives me the ability to decide if the product is worth using/keeping.
Best wishes on this,
LowWaterMark
root
October 31st, 2002, 06:49 PM
Hi achilles. I guess my first concern is do you have the latest version?
Early versions offered no outgoing protection, thus they were considered to be an IDS rather than a firewall. IDS is intrusion detection system, in case you weren't familiar with that, and the fact that BID has an IDS is by no means a ringing endorsement of excellence. Sygate and Outpost both have IDSs as far as I'm aware, and probably other firewalls have them too. Some like to make a big deal of it, to me it's just part of what needs to be there in some form in a good firewall.
I personally would recommend, depending on skill level and surfing habits, LookNStop, Sygate, Kerio, Outpost, and for the very basic beginner ZA. (You asked) :)
I am not familiar with the current version of BID so I won't knock it. I have heard concerns voiced about it, but the same goes for every firewall.
If you try to do things like surf, check email, download FTP, and stuff like that, if the firewall doesn't require you to set up some rules for that, it's not doing its job.
Also, you should get full stealth on all ports, everywhere you test, except possibly Sygate, which has had some issues lately and is giving false readings.
Better than M$s attempt at a firewall, I hope. :)
achilles
November 1st, 2002, 03:11 PM
Sorry I could not respond last night guys as something came up. I am very surprised that this thread did not garner more responses judging by the reaction this product gets over at dslreports. More than any other firewall, Blackice invokes very strong reactions, be it like or dislike, and a lot of misinformation. Interesting thread LowWaterMark, missed that one. Let me answer a couple of your statements. As far as the scanning, Blackice stealths all ports "out of the box", except 80 and 113. This dismayed me a little, because as I had mentioned WinXP firewall stealthed all ports. ISS, the current owners of Blackice, say, over at their site, that these two ports being closed and not stealthed is not a security risk. There is a lot of debate whether a stealthed port is more secure than a closed port, but that is something I would rather not get into, it still would be nice if all ports were stealthed. As far as the leak tests, I tried all the ones over at pcflank and Blackice passed all of them, very nice. :)
Hi root, yes I do have the latest version. This version indeed does have outgoing protection and component control. A lot of people knock Blackice's component control, saying it is too bothersome and asks a lot of cryptic messages. I did not find this to be true. Unless you are the type of person that installs and uninstalls ten programs a day then you should have no problem. Component control I feel offers a lot more protection than just outbound control, as it alerts you when an unauthorized app launches as well as when it tries to connect to the net. I know there are other firewalls that have this also, and I think it's a very good feature. The only problem with the way Blackice's component control works is that at installation, it scans your computer for all applications, so that component control launches itself for apps you install after Blackice, and you simply tell it to add that program to its database. But, if your machine is infected with, say, a trojan BEFORE you install Blackice then it will not alert you to that trojan calling home, as it sees it as a valid app. As far as Blackice having an IDS, I agree with you that that in itself is not reason enough to buy it. But that does not mean that all IDSs are the same. I am not a computer expert to be able to say whether Blackice's IDS is better than Sygate's, but Blackice has been in the IDS market a long time. I remember back in 1998 when I first got DSL I came upon the term "firewall" as a means to keep hackers out of your computer. I then quickly lit my computer on fire, and sure enough it did keep hackers off it, as well as everything else :D. Back then, Blackice was a very well thought of IDS. I guess people feel that it did not keep up with the times, and its lack of outbound control hurt it. The controversy with what happened with Mr. Gibson also I feel hurt it in the public's eyes, justly and unjustly, anyway that is history.
Root, I have tried most of the firewalls you mentioned at some point and agree with you that those are also very good products, especially Kerio, but.... I know I will get blasted for this but, I hate Zonealarm. This is one firewall that I feel has become progressively worse with every release. I had tried Zonealarm Pro 3.xx and it was horrible. Computer hung at startup and shutdown and it's a huge resource hog, plus it's become bloatware. I do not need a popup blocker or email scanner in my firewall. Anyway as usual I have gone on too long :-X. I have had Blackice on my computer for two days only now, but so far so good. I got a perfect score, 0, with the full security scan over at dslreports.com. For now I will keep it and we'll see how it goes.
LowWaterMark
November 1st, 2002, 05:41 PM
-{ Quote: "quoting achilles: The only problem with the way Blackice's component control works is that at installation, it scans your computer for all applications, so that component control launches itself for apps you install after Blackice, and you simply tell it to add that program to its database. But, if your machine is infected with, say, a trojan BEFORE you install Blackice then it will not alert you to that trojan calling home, as it sees it as a valid app." }-
This is not just the situation with Blackice but also with others. With the Tiny Trojan Trap (TTT) sandbox application you end up in the same exact situation. At installation, you'd better have a clean machine when it first scans and adds all existing EXEs to its list of unrestricted applications. The installation does warn you, but, how many people can be certain they have no pre-existing viral conditions unless they just came off a clean install?
I found it useful to work my way through the database of apps (EXEs only, and yes, it took a while ;) ) and reclassify some applications to tighten things up a bit. Obviously, you could not do this at the component level (for thousands of dll files), but, perhaps you can do something like this at the EXE level.
Well, I'm glad you're giving Blackice a good test. Perhaps you can report back your findings as time goes by and let people know how today's Blackice stands up. :)
Best Wishes,
LowWaterMark
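The install-time baseline problem discussed in the posts above, as an added example (not part of any post, and not BlackICE or TTT code): a hash baseline taken at install time approves whatever is already on disk, so only later additions raise an alert, and a review of the baseline against an independently sourced known-good list is what exposes the pre-existing file. File names, contents and the known-good list are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def scan(root):
    """Map every .exe path under root to its SHA-256 digest."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                found[path] = sha256_file(path)
    return found


def unapproved(root, baseline):
    """Executables that are new or modified since the baseline was taken."""
    return sorted(os.path.basename(p)
                  for p, h in scan(root).items() if baseline.get(p) != h)


def review_baseline(baseline, known_good):
    """Baseline entries whose hash is absent from a known-good list."""
    return sorted(os.path.basename(p)
                  for p, h in baseline.items() if h not in known_good)


def demo():
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)

        # Constructed state of the machine BEFORE the firewall is installed.
        put("browser.exe", b"constructed: legitimate browser")
        put("updater.exe", b"constructed: implant already on disk")
        baseline = scan(root)          # install-time scan approves both

        put("newtool.exe", b"constructed: program installed later")
        alerts = unapproved(root, baseline)

        # Assumption: hashes obtained from a trusted source, not this disk.
        known_good = {hashlib.sha256(b"constructed: legitimate browser").hexdigest()}
        suspicious = review_baseline(baseline, known_good)
        return alerts, suspicious


if __name__ == "__main__":
    print(demo())
```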
controler
November 1st, 2002, 06:07 PM
I would leave WinXP's firewall enabled :)
CrazyM
November 1st, 2002, 06:21 PM
-{ Quote: "quoting achilles: There is a lot of debate whether a stealthed port is more secure than a closed port, but that is something I would rather not get into, it still would be nice if all ports were stealthed." }-
Yes the stealth versus closed debate is usually a lively one ;) It sounds like you have a grasp on that and realize you are secure either way. To your credit, you took the time to learn your product and how to resolve that particular issue.
-{ Quote: "The only problem with the way Blackice's component control works is that at installation, it scans your computer for all applications, so that component control launches itself for apps you install after Blackice, and you simply tell it to add that program to its database. But, if your machine is infected with, say, a trojan BEFORE you install Blackice then it will not alert you to that trojan calling home, as it sees it as a valid app." }-
A good point for anyone thinking of using the new BlackIce that has been mentioned elsewhere. It should be installed on a clean system to ensure only trusted apps are approved in the first instance.
-{ Quote: "I have had Blackice on my computer for two days only now, but so far so good. I got a perfect score, 0, with the full security scan over at dslreports.com. For now I will keep it and we'll see how it goes." }-
Along with all the recommendations you are likely to get, an important part of the security for your system is finding something that works for you and that you are comfortable with. Keep us posted on how it goes.
Regards
CrazyM
achilles
November 1st, 2002, 06:30 PM
controler, may I ask why you recommend I keep WinXP firewall enabled? LowWaterMark, CrazyM I will let you know how things go over time. :)
Raygun
November 9th, 2002, 05:53 PM
I've had great results with black ice. I will voice my opinion and that is the whole stealthed idea is a waste of time. Lock down your ports and do not stealth and that way you send the packet that says you hit a closed port, scanner will move on...
danielrm26
November 28th, 2002, 03:53 PM
The new version of BlackIce is a fine piece of Security software, and I'll have words with anyone who thinks otherwise.
Between the very strong IDS and the now strong Firewall and application protection, this product is easily a great choice for both newbies and advanced users. The only problems I have with it involve the interface; if they make some improvements there it will be a top-notch application.
;)
JacK
November 28th, 2002, 04:34 PM
Hi Achilles,
If you want a thorough scan, give this one a try:
https://secure1.securityspace.com/smysecure/login.html
Register for free and choose No risk audit.
It's done by the Nessus scanner and is more complete than the one on dslreports.
Rgds,
javacool
November 28th, 2002, 06:18 PM
The latest BlackICE is a great improvement over previous versions.
I'm testing the latest version, v3.5, right now and the outgoing control seems to work flawlessly. The IDS has always been a strong point of BlackICE, so I don't believe I need to comment on that here. ;) I have noticed that resource usage is extremely low in this version, even while the IDS portion is processing large amounts of incoming data.
No crashes so far - and it hasn't added any obvious delay to either bootup or logging on.
Final Impression: In this latest version it seems as though BlackICE has finally caught up with the rest of the pack (with the integrated application and communications control). Online testing seems to indicate it is a good-quality, hardened firewall. I'll have to do a resource comparison at some point to see how it fares against other firewalls such as ZA, Outpost, Sygate, etc but it seems to lean towards the low end.
Regards,
-Javacool
dom424
November 28th, 2002, 10:10 PM
I have BID 3.5 on my 98 machine and it does great. Please come back to this thread and keep us up to date on how your testing is going on XP, any reboots etc. or any problem at all.
controler
November 29th, 2002, 12:28 AM
Why are the BlackIce makers not offering a free or even a trial version like everyone else?
Javacool? Are you beta testing this new version?
Paul Wilders
November 29th, 2002, 12:52 AM
controler,
There is an evaluation version available; check this one (http://www.iss.net/products/networkice/eval/register.php) out ;).
regards.
paul
controler
November 29th, 2002, 09:49 AM
Thank You ;D
I am going to try it out... I went back to their site again and I didn't see where they make the trial easy to locate.
If you go to their main page and even click on downloads you will find it very difficult to locate the trial.
http://www.iss.net/
Paul Wilders
November 29th, 2002, 09:57 AM
My pleasure ;). Most people do find the link mentioned over here (http://www.wilders.org/firewalls.htm) ;D.
regards.
paul
javacool
November 29th, 2002, 10:45 AM
I actually had a copy sitting around and figured now was as good a time as any to try it. ;D
Since someone asked: Still no conflicts with Windows XP (seems to be extremely stable) or any other programs (AV, AT, etc.) on the system.
Regards,
-Javacool
eyespy
November 29th, 2002, 06:54 PM
-{ Quote: "quoting Raygun: I've had great results with black ice. I will voice my opinion and that is the whole stealthed idea is a waste of time. Lock down your ports and do not stealth and that way you send the packet that says you hit a closed port, scanner will move on..." }-
Raygun,
why do you feel that blocked ports are better than stealthed ports ?
And "the whole stealthed idea is a waste of time" ?
regards,
bill ;)
controler
November 30th, 2002, 06:07 PM
I installed Black Ice on one ME machine so far. All I have besides Black Ice is Norton AV 2003. Black Ice keeps shutting down and asking to be restarted. Does this every 30 seconds or so. Going to try it on another ME machine, then my XP machine.
Why does Black Ice generate Log*.enc and evd*.enc but then only allow you to view those files with a third party piece of software?
" General Information ------------------------------------------------
-----------------------------------------------------------------------
. Packet/Evidence Files
BlackICE generates packet and evidence logs (log*.enc and evd*.enc
respectively). To view these files, you will need a utility that
can read and decode them. This URL lists such utilities:
http://www.robertgraham.com/pubs/sniffing-faq.html#software-windows"
The very first packet sniffer listed at the page above is a bad link for me. If I try going to the site below from the site above, I get a bad link. If I go from here and just click on the link below, I get a username - password box.
This is getting confusing kids :(
ftp://ethereal.zing.org/pub/ethereal/win32/
CrazyM
November 30th, 2002, 07:26 PM
For Ethereal try the following link:
http://www.ethereal.com/
Some other utilities for viewing BlackIce log files:
BlackIce Attack List Viewer
http://www.philholder.co.uk/blackice/
IceWatch
http://www.geocities.com/icewatch2000/
VisualIce Report Utility
http://www.visualizesoftware.com/
ClearIce Report Utility
http://www.y2kbrady.com/firewallreporting/clearice/index.htm
controler
November 30th, 2002, 08:02 PM
Thanks CrazyM
I will try a few of these out.
I wasn't aware they also made a Windows XP firewall Log analyzer.
http://www.y2kbrady.com/firewallreporting/
I like the link at bottom left of page to watch the firewall interview video with Tech TV ;D
http://www.y2kbrady.com/firewallreporting/callforhelp.htm
Copyright ©2002 - 2012, Wilders Security Forums