Re: Home network security WAS Re: upgrade from 98 to XP

Subject: Re: Home network security WAS Re: upgrade from 98 to XP
From: Andrew Plato <intrepid_es -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Wed, 6 Feb 2002 19:54:20 -0800 (PST)

--- eric -dot- dunn -at- ca -dot- transport -dot- bombardier -dot- com wrote:
>
> With that kind of language being used, let's not forget Andrew's
> connections with BlackICE security products. Hardly an unbiased view.
> I'll check out www.grcsucks.com as Andrew suggests, but who supports
> that site? Seems strange to blame someone of posturing and emotional
> manipulation with that kind of tone.

I never claimed to have an unbiased view. I am very biased, I like
powerful security stuff, not point-and-click feel-good stuff. It's why I
have three firewalls at home.

> >>Steve's Leaktest for example has to be one of the biggest jokes on the
> >>planet.
>
> Then if this is the case, why did BlackICE attempt to foil the test by
> detecting traffic to only grc as Steve Gibson claims? Sounds like a
> BlackICE cover-up and that Gibson has a valid point.

BlackICE did not foil the test, they merely updated their signatures to
detect it - like any security product signatures must be updated
frequently. In Steve's world, this is apparently unacceptable. Meaning
that no security vendor could ever update their signatures and must
innately know every possible attack ever created...and that ever will be
created. That's insane.

Leaktest merely sends an HTTP packet out. Like a browser or any other
application in the universe. Leaktest's main purpose is to test the
function of ZoneAlarm. In Steve's world, unless it works EXACTLY like
ZoneAlarm...it's crap (in my biased, totally skewed, personal, independent,
take-it-or-leave-it opinion).

> >>Steve's Leaktest doesn't tell you anything other than your PC
> >>can send HTTP packets - which virtually any PC in the world could do.
>
> But his point that spyware and other 'unauthorized' activity should be
> monitored and blocked on your PC is a valid one. Something BlackICE
> seems to admit as they tried to bypass the leaktest but not address the
> overall problem. And he has a very good point. Shouldn't outbound
> traffic be monitored and controlled?

Sure, but do you want to sit there and inspect every packet one by one?
Your machine would slow to a crawl.

Furthermore, BlackICE does monitor outbound traffic, it just does not, by
default, block it. Unless the traffic poses an immediate threat to the PC,
the traffic is allowed.

> Yes, any PC and any program can send out HTTP packets. But should they
> be allowed to? The whole question seems to be whether a firewall is any
> good if it doesn't detect once the enemy is behind the wall.

"Firewall" is a term thrown around by a lot of products when they are not
firewalls. A true firewall is a layer 2 device that controls access based
on packet header information (source port, destination port, etc.) and
other fundamental network components.

Zone and other products are really access control programs that merely
create ACLs for applications. And they too have their weaknesses.

> Personally I'd like to learn about the weaknesses of both products. It
> was quite some time ago that I went to the grc site, but doesn't Gibson
> recommend others including Freeware and some of the products he himself
> sells?

All security products have weaknesses. Zone has some, BlackICE has
some...BlackICE is not very good at handling a small segment of spyware
that merely logs information about your machine and sends it out. What
BlackICE is good at stopping is when somebody tries to use that
information to actually attach to your machine and hack it.

> >>I wouldn't waste much time listening to Steve Gibson. Go to a real
> >>security site like Security Focus.
>
> I think the trick is to never take any one person or group's word as
> gospel and to always take the advice of someone who voraciously supports
> or attacks any one product with a grain of salt. Pretty basic
> intelligence really.

And I completely agree. One of the smartest dudes on security is a guy
named Lance Spitzner. He is part of the HoneyNet project
(www.honeynet.org). He has excellent articles on security issues and is a
very smart guy. Another one is David Dittrich from University of
Washington: http://www.washington.edu/People/dad/

Now, none of these guys will tell you "go buy ZoneAlarm" but they will
tell you that security isn't as simple as installing a pretty
point-and-click program and watching it blink. Security starts inside that
grey mush in your skull. Tools merely extend our abilities to be secure.

Gibson isn't 100% wrong, he is just a blowhard. He tends to shoot first
and ask questions later. He is also infamous for making mountains out of
molehills. His dire warnings about the fall of the internet at the hands
of "raw sockets" never came true nor will they any time soon.

Andrew Plato
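
The distinction this thread argues over, filtering on packet header fields versus per-application ACLs versus monitoring without blocking, as an added example that is not part of the original message. The program names, rule sets and connection records are constructed for illustration and describe no real product's behaviour.

```python
from collections import namedtuple

# Constructed sample data: outbound connection attempts seen on one PC.
Conn = namedtuple("Conn", "program proto dst_port")
SAMPLE = [
    Conn("browser.exe", "tcp", 80),
    Conn("unknown_tool.exe", "tcp", 80),  # identical headers to the browser
    Conn("browser.exe", "tcp", 25),
    Conn("mailer.exe", "tcp", 25),
]

# Policy 1: header-based rules, first match wins, default deny.
HEADER_RULES = [("tcp", 80, "allow"), ("tcp", 443, "allow"), ("tcp", 25, "allow")]

# Policy 2: per-application ACL, program -> (proto, port) pairs it may use.
APP_ACL = {
    "browser.exe": {("tcp", 80), ("tcp", 443)},
    "mailer.exe": {("tcp", 25)},
}

def header_filter(conn):
    """Decide from packet header fields only; the program is invisible here."""
    for proto, port, action in HEADER_RULES:
        if (conn.proto, conn.dst_port) == (proto, port):
            return action
    return "deny"

def app_filter(conn):
    """Decide from which program opened the socket, then proto and port."""
    allowed = APP_ACL.get(conn.program, set())
    return "allow" if (conn.proto, conn.dst_port) in allowed else "deny"

def monitor_only(conns):
    """Allow everything, but return the connections an ACL would have refused."""
    return [c for c in conns if app_filter(c) == "deny"]

def compare(conns):
    """One row per connection: program, port, header verdict, ACL verdict."""
    return [(c.program, c.dst_port, header_filter(c), app_filter(c)) for c in conns]

if __name__ == "__main__":
    for program, port, by_header, by_app in compare(SAMPLE):
        print(f"{program:18} port {port:<4} header={by_header:5} app={by_app}")
    print("monitor-only alerts:", [c.program for c in monitor_only(SAMPLE)])
```

The second row is the case the thread is about: an unrecognised program sending to TCP port 80 is indistinguishable from the browser at the header level, and only a policy keyed on the originating program refuses or reports it.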
