Sygate with BlackICE

I was just wondering if this was necessary to use both Black ICE and Sygate together. After being told that Sygates firewall can be shut down in 15 seconds, I want to add another layer of security. Also wondering how intrusion detection work...thnx!

 

I would be interested to know if that person could really shut down Sygate in 15 seconds. I would be even more interested if this person could do it remotely without a RAT. Locally, cant you just shut down the sygate service by going to admin tools and services?

As far as Sygate and BID together, I do not think it is really necessary. While Sygate's IDS may not be as strong as BID's it is quite comprehensive. It identifies some commonly used RAT communication attempts, as well as some common exploits, and DDoS/DoS attacks. Many times the "firewall component" of Sygate will already block these attempts though.

IMO, rather than looking to layer your firewall with an IDS (on a single windows computer), you may want to look for one firewall that you are comfortable with configuring, and that offers good inbound packet filtering, and decent outbound protection/application control. You can then use programs like SSM or Regrun to further monitor programs that might try to disable your firewall or that might try to sneak by your firewall's outbound protection/application control. That way you have more than one way to protect from malware that is going outbound.

Look 'n' stop and Visnetic both have good packet filtering.

IMO I also think that Look 'n' stop is one of the harder firewalls to manipulate and shutdown by malware or "hacking." Bitguard should also be mentioned in this category as well. Both of which operate at quite low levels.

Network Intrusion Detection Systems work by analyzing traffic for well known patterns of attack. Some might look for fragmented packets, or invalid protocol behavior, or ip spoofing, or buffer overflows, or DoS attacks. Depending on how the IDS is configured it could either notify you of this event (maybe just through its log) or close the connection attempt completely. By identification of this event it might help you better configure your security setup. However, it should be noted that sometimes an IDS' signatures can be too sensitive/restrictive and also give you false information or restrict valid communication attempts.

 

I personally like running BI with ZA or NPF - they work well together. I assume Sygate would be ok.