advICE :Support :KB : q000025

How does your product compare with "personal firewalls"?

This article applies to: BlackICE Defender.

SUMMARY

This is a competitive analysis of our product when stacked up against AtGuard, Conseal, and the soon-to-be-announced personal firewall products from Symantec/Norton, NAI, and others. Our product is a "next-generation" technology, and is the only product among the bunch that can detect hacker signatures regardless of whether the traffic matches the firewall rules.

DETAILS

Our product, BlackICE Defender, is not a "personal firewall" in the classic sense, though it does have some personal firewall functionality. The product was designed to do dynamic intrusion detection, intruder identification, and intruder blocking. As normally defined, firewalls do not "detect" intrusions, though they do indicate when traffic sent to a machine has been blocked by the firewall rules (which is one symptom of an intrusion).

Intruder Detection
Firewalls are not designed to detect attacks. Instead, they are designed to be an "On" or "Off" switch based on IP addresses, protocols, or UDP or TCP ports. Take port 80, used for standard web servers, as an example. Let's say a home user wants to set up his/her own personal web server. To allow others to connect to this web server, he/she turns "ON" port 80 via the personal firewall. Thus, all port 80 traffic is allowed to traverse the firewall, including potential hacking traffic such as a buffer overflow attack on port 80. The personal firewall sees that the packet is on port 80, allows it through, and does not log this potentially damaging traffic.

Our product adds an intrusion detection component. If it is configured to allow traffic on port 80, it will still monitor that traffic for exploits against the web server. If it detects hostile traffic, it will block the hacker's access to port 80. Note that our product is the only personal firewall that monitors allowed traffic for hostile activity.

Some personal firewalls will say they detect hacking attempts, but in reality they are simply detecting attempts to connect to known hacking ports. As an example, the default BackOrifice port is UDP port 31337. Many firewalls will "detect" a BackOrifice attempt if any computer attempts to talk to UDP port 31337. However, it could be a totally innocent program that uses this port because it was dynamically assigned by the operating system. Also, BackOrifice runs on port 31337 by default, but it is easy to make BackOrifice run on a different UDP port, and these simple personal firewalls will not call it a BackOrifice attempt if it is on a different port. We use a much more sophisticated algorithm: we detect BackOrifice attempts regardless of the port number. If someone sends a BackOrifice packet to port 2000, we will detect it and identify it as a BackOrifice attempt.
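As an added illustration of the two preceding points (traffic on an allowed port is still inspected, and signature detection does not depend on the port number), the following Python sketch contrasts a port-only decision with a content check that runs on every packet regardless of the port rule. It is not BlackICE code and does not use the real BackOrifice wire format: the firewall policy, the overlong-request heuristic and the payload marker are all constructed assumptions for the example.

```python
"""Port-rule filtering versus payload inspection of allowed traffic.

Added example, not BlackICE code. The policy, the signatures and the
"BO-like marker" below are constructed for illustration only; the marker is
a hypothetical signature, not the real BackOrifice protocol.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    payload: bytes   # application data


def _overlong_http_request(payload: bytes) -> bool:
    """Crude buffer-overflow heuristic (assumed): HTTP request line over 1024 bytes."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return False
    first_line = payload.split(b"\r\n", 1)[0]
    return len(first_line) > 1024


# Hypothetical marker standing in for a real BackOrifice payload signature.
BO_MARKER = b"CONSTRUCTED-BO-MARKER"


def _bo_like(payload: bytes) -> bool:
    return payload.startswith(BO_MARKER)


# Content signatures: name -> predicate over the payload (constructed).
SIGNATURES: Dict[str, Callable[[bytes], bool]] = {
    "http-overlong-request": _overlong_http_request,
    "backorifice-like-payload": _bo_like,
}


@dataclass
class Verdict:
    firewall_allows: bool            # what the static port rule says
    port_only_alert: Optional[str]   # "known hacking port" style alert
    content_alert: Optional[str]     # signature match, independent of port
    delivered: bool                  # allowed by rule AND no signature hit


class PortOnlyFirewall:
    """Classic personal firewall: the decision depends only on protocol and port."""

    def __init__(self, allowed_tcp: Set[int], hacking_ports: Dict[int, str]):
        self.allowed_tcp = allowed_tcp
        self.hacking_ports = hacking_ports   # e.g. {31337: "BackOrifice"}

    def allows(self, pkt: Packet) -> bool:
        return pkt.proto == "tcp" and pkt.dport in self.allowed_tcp

    def port_alert(self, pkt: Packet) -> Optional[str]:
        # Fires on the port alone, so it misses a moved server and
        # false-alarms on an innocent dynamically assigned port.
        return self.hacking_ports.get(pkt.dport)


class InspectingFirewall(PortOnlyFirewall):
    """Same port rules, plus a content check applied to every packet."""

    def inspect(self, pkt: Packet) -> Optional[str]:
        for name, match in SIGNATURES.items():
            if match(pkt.payload):
                return name
        return None

    def process(self, pkt: Packet) -> Verdict:
        allowed = self.allows(pkt)
        sig = self.inspect(pkt)   # runs whether or not the port rule allows the packet
        return Verdict(allowed, self.port_alert(pkt), sig,
                       delivered=allowed and sig is None)


if __name__ == "__main__":
    fw = InspectingFirewall(allowed_tcp={80}, hacking_ports={31337: "BackOrifice"})
    samples = [  # constructed traffic
        Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        Packet("tcp", 80, b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n"),
        Packet("udp", 2000, BO_MARKER + b"\x00\x01"),
        Packet("udp", 31337, b"harmless game traffic"),
    ]
    for p in samples:
        print(p.proto, p.dport, fw.process(p))
```

The last two sample packets are the interesting ones: the marker on port 2000 is caught by the content check but invisible to the port-only alert, while the innocent packet on 31337 trips the port-only alert and passes the content check.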

The vast majority of detection in standard personal firewalls comes from "log file analysis": the firewall creates a log file of all TCP and UDP connection activity, and later a log file analysis program reads the log and notices hacking attempts. In our opinion, this is a little late. Our product is the first truly real-time intrusion detection for the consumer market. Because we analyze the frames instantly, we stop the hacker before he can do any damage.

Reverse Identification
The product will scan the suspected intruder in order to discover more information that can be used for legal purposes. For example, many hackers leave NetBIOS running on their machines, which can be queried for username and MAC address information.

It is critical to do reverse identification while the attack is in progress; doing it later will not work, because hackers often use dialup networks and get a different IP address every time they log in. Personal firewalls do not have instant reverse identification. If you are using a standard personal firewall product such as Conseal or AtGuard, it may tell you that a particular IP address has been attempting to connect to your system. Because our product is doing real-time intrusion detection, it can instantly start reverse identification on the hacker while they are still logged on to the network. This raises the probability of a correct reverse identification. It then saves and displays the reverse identification information to the user, who can use it to contact the hacker's ISP and have the hacker kicked off the Internet.

Dynamic Protection
Firewalls use mostly static protection: they depend on the user to identify and configure the IP addresses and ports they want to block, and most users do not know what they want to block. The "configuration wizards" included with AtGuard and Conseal do not solve this problem for the average user. The configuration wizard gives the user a confusing series of questions to answer. As an example, let's say someone attempts to connect to your PC and AtGuard or Conseal detects it. The AtGuard configuration wizard will ask "Do you want to block TCP port ## from IP address WWW.XXX.YYY.ZZZ all of the time? Some of the time? None of the time?" The average user does not know how to answer this question, and even expert users will not answer it correctly all the time. The average user does not even know what a TCP port is.

Our product does not ask questions. Because we can differentiate between normal network activity and hacker activity, we automatically block hacker activity while allowing normal activity to flow. Our product is designed to protect the system with zero configuration by the user.

Static Protection
In certain situations, static protection is a great way to provide a high level of security for the home consumer. Our product includes strong firewall capabilities, but we have greatly simplified the configuration. We give the user four levels of protection: "trusting", "nervous", "cautious", and "paranoid". This is something the average home user can understand. The vast majority of users can run at the "paranoid" level, which provides a very high level of static port protection for both UDP and TCP ports. Consumers who do need to allow some external connections to their systems can configure a lower level.

It is important to remember that the level of "protection" has no effect on "detection": our program provides full hacker detection on all ports regardless of whether they are blocked or allowed by the firewall. Even when our personal firewall capability allows external systems to connect to a given port, we still detect and block any packet we consider malicious.

Real-time Protection from Denial-Of-Service attacks
Personal firewalls often do not protect from Denial-Of-Service attacks unless they have been configured by an expert. Let's say someone sends an improperly fragmented IGMP packet in an attempt to crash a system. As long as the protocol is enabled, the firewall will let the packet through to the underlying Microsoft TCP/IP stack, and this may crash certain versions of Windows. Because our program is built to detect invalid packets, it detects the bad fragmentation and does not allow the packet to be passed up to the Microsoft TCP/IP stack, regardless of whether IGMP is allowed. This stops most Denial-Of-Service attacks dead in their tracks. But a product must be able to do real-time intrusion detection at full network speed to accomplish this task.
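The fragmentation checks described above, as an added example that is not BlackICE code: a small Python validator that parses the IPv4 header of each fragment, rejects fragments that cannot belong to a valid datagram, and refuses overlapping fragments during reassembly, all before anything would be handed to the host stack and independent of whether the carried protocol is allowed. The test fragments are constructed in memory with an assumed minimal header (no checksum, zero addresses) and are never sent; the limits follow RFC 791 (fragment offsets in 8-byte units, 65535-byte maximum datagram).

```python
"""Sanity-checking IP fragments before they reach the host stack.

Added example, not BlackICE code. Packets are built in memory only
(nothing is sent); the checks are the per-fragment and per-reassembly
tests a real-time inspector can apply regardless of firewall policy.
"""
import struct
from typing import Dict, List, Optional, Tuple

IP_MF = 0x2000        # "More Fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset field, in 8-byte units
MAX_DATAGRAM = 65535  # RFC 791 maximum datagram size
IPPROTO_IGMP = 2

_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_fragment(proto: int, ident: int, offset8: int, more: bool, payload: bytes) -> bytes:
    """Constructed test fragment: minimal IPv4 header (checksum and addresses left zero)."""
    flags_off = (IP_MF if more else 0) | (offset8 & IP_OFFMASK)
    total_len = 20 + len(payload)
    hdr = struct.pack(_HDR, 0x45, 0, total_len, ident, flags_off,
                      64, proto, 0, bytes(4), bytes(4))
    return hdr + payload


def parse_fragment(pkt: bytes) -> Tuple[int, int, int, bool, bytes]:
    """Return (proto, id, byte offset, more-fragments, data) or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    (vihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad length fields")
    offset = (flags_off & IP_OFFMASK) * 8
    more = bool(flags_off & IP_MF)
    return proto, ident, offset, more, pkt[ihl:total_len]


def fragment_problem(pkt: bytes) -> Optional[str]:
    """Per-fragment checks; returns a reason if the fragment is invalid, else None."""
    try:
        _proto, _ident, offset, more, data = parse_fragment(pkt)
    except ValueError as e:
        return f"malformed header: {e}"
    if offset + len(data) > MAX_DATAGRAM:
        return "fragment extends past 65535-byte datagram limit"
    if more and len(data) == 0:
        return "empty non-final fragment"
    if more and len(data) % 8 != 0:
        return "non-final fragment length not a multiple of 8"
    return None


class Reassembler:
    """Tracks accepted fragment ranges per (proto, id) and refuses overlaps."""

    def __init__(self) -> None:
        self.seen: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def accept(self, pkt: bytes) -> Optional[str]:
        """Return None if the fragment may be passed up, else the reason to drop it."""
        reason = fragment_problem(pkt)
        if reason:
            return reason
        proto, ident, offset, _more, data = parse_fragment(pkt)
        key = (proto, ident)
        end = offset + len(data)
        for start, stop in self.seen.get(key, []):
            if offset < stop and start < end:   # byte ranges intersect
                return "overlapping fragment"
        self.seen.setdefault(key, []).append((offset, end))
        return None


if __name__ == "__main__":
    r = Reassembler()
    # Constructed samples: a valid two-piece IGMP datagram, then three bad fragments.
    print(r.accept(build_fragment(IPPROTO_IGMP, 1, 0, True, bytes(16))))
    print(r.accept(build_fragment(IPPROTO_IGMP, 1, 2, False, bytes(8))))
    print(r.accept(build_fragment(IPPROTO_IGMP, 2, 8189, False, bytes(100))))
    print(r.accept(build_fragment(IPPROTO_IGMP, 3, 0, True, bytes(12))))
    print(r.accept(b"\x45\x00"))
```

The overlap test is what catches fragments whose ranges collide with data already accepted for the same datagram; the size test catches a final fragment placed so far out that the reassembled datagram would exceed 65535 bytes. Both decisions are made per fragment, so they can be applied at line rate without waiting for the full datagram.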
 
Keywords: personal firewall, AtGuard, Conseal
Version: 1.8.6
Fixed:
Modified: 1999-09-07