Brady & Associates, LLC.
Personal Firewall Software Reviews


The following review appeared in the First Looks column of the July 2002 issue of PC Magazine:

Blocking Hackers – and Some Productivity

  BY KONSTANTINOS KARAGIANNIS

As we’ve said, it’s not just large enterprises that need to worry about PC security.  Home and small-office users also need an effective, unobtrusive way to keep hackers out of their broadband connections and networks. BlackICE PC Protection 3.5 ($40 direct) has the effective part down but can be obtrusive at times.

BlackICE’s core features are as solid as ever. The Intrusion Detection System (IDS) passed with flying colors on our barrage of sneak-attack tests, picking up even the tunneling we tried with state-of-the-art hacking tools.

Strengthening the IDS is the intelligent software firewall in BlackICE. We also love how even non-savvy users can take full advantage by picking the protection level that works for them (Paranoid, Nervous, Cautious, Trusting). You can enable file sharing in all modes, which is a practical must for family PCs.

But one new feature, Application Protection, left us disappointed. In theory, it’s an excellent idea: Give BlackICE control over anything that runs on your PC, and should the software detect some rogue or unknown application trying to communicate information or access the hard drive, it can notify you before allowing the application permission to act.

In testing, however, we found the feature annoying at best. Although we ran the required scan to let BlackICE detect what was on our test systems (and hence which applications to allow to do their jobs), BlackICE would subsequently fail to recognize applications that it supposedly added to the baseline. Notably, when we launched Windows Media Player (as common an app as you’re likely to find), BlackICE brought up warnings. So if you plan on engaging Application Protection, plan on its warning dialog box popping up often. The saving grace, of course, is that you can turn Application Protection off.


After reading the above review of BlackICE PC Protection, I felt obliged to respond to Mr. Karagiannis’ review of BlackICE in order to provide important information regarding the product and to offer an explanation to readers of the review as to why the review was completely inaccurate.  Since there's no guarantee that PC Magazine will print my response, I felt it would best serve the users of personal firewall software at large to post it here.

Hello PC Magazine,

  Yesterday I received the July 2002 issue in the mail and took a few minutes to settle down and read one of my favorite sections, First Looks.

  What drew my particular interest right away was a review of the latest version of BlackICE PC Protection from Internet Security Systems.

  Damned if they do... damned if they don't.

  After reading the review it was patently clear that Konstantinos Karagiannis didn't have a clue with regard to hackers, personal firewalls, and most notably BlackICE PC Protection, let alone reviewing personal firewall software.

  The issue of 'application specific outbound monitoring' has long been a thorny issue in the realm of 'personal' firewall software.

  It was obvious from Mr. K's comments that he had NEVER USED ZoneAlarm or ZoneAlarm Pro from Zone Labs or Norton Internet Security from Symantec or perhaps even Kerio Personal Firewall from Kerio Software.

  For the past couple of years, Network ICE, the creators of BlackICE, and more recently Internet Security Systems, the current publishers of BlackICE PC Protection, had repeatedly been 'barraged' to introduce 'application specific outbound monitoring' that would allow home users to 'control' which applications on their computers would have access to the Internet.

  This apparent 'lack of control' was made out by many, to be a severe deficiency in the functionality of the earlier releases of BlackICE Defender.

  The BlackICE Defender version of the product did perform outbound monitoring of traffic; however, this monitoring was not 'tied' to specifically identifying which application initiated the traffic.  The reason for this has to do with the history regarding the development of the BlackICE family of products.

  The BlackICE intrusion detection system was created for use in CORPORATE NETWORKS where it would be absolutely absurd to let a computer user set security permissions for applications to access resources within the corporate LAN or the Internet.  As such, the BlackICE intrusion detection system would very quietly, in the background, completely oblivious to the user, monitor any traffic flowing through the user's computer and if some malicious traffic was intercepted, it would quietly block the traffic and log the intrusion attempt.  Without ANY impact on the productivity of the user.

  With the 'advent' of self-appointed Internet security guru Steve Gibson and his recommendation of ZoneAlarm from Zone Labs, an 'issue' was created in the minds of the millions of home computer users that it was imperative the user be 'allowed' to control the access to the Internet of the specific applications on their computer.  After all, the home user would know much better than any little personal firewall program or intrusion detection software, able to perform on the fly network protocol analysis, which applications were safe to allow access to the Internet from their computers.

  The hue and cry went up from the 'masses' that this apparent lack of application control functionality in the BlackICE Defender product somehow made it an 'inferior' product.

  Under the hood, the BlackICE intrusion detection system will ALWAYS be a technically superior product and it will always be able to protect users from hackers better than ZoneAlarm or any other personal firewall product that allows the user to make a security decision. 

  There are several reasons for this that are not readily apparent to the average user, however, let me explain...

  BlackICE will 'back trace' the intrusion attempt, in real time, as it occurs and log the complete analysis of the intrusion into a couple of different file formats, one of which can be used by network forensic experts to determine the exact intent of the offending traffic.

  It also captures DNS, MAC, NetBIOS name and other information relative to the intrusion attempt at the exact moment the event occurs. None of the other personal firewalls capture this type of information... because they can't do it without performing network protocol analysis, as an intrusion detection system performs.

  Quite frankly, ZoneAlarm and the other 'rules based' firewall products simply do not do this and without an effective intrusion detection system they can't!

  ZoneAlarm, NIS and other rules based personal firewall programs will only log the date and time of the event, the source and destination IP address and in most cases the source and destination port numbers as well as the type of network packet, i.e., TCP, UDP or ICMP.

  With this limited amount of information the rules based personal firewall is pretty much 'brain dead' in terms of accurately informing the user of the level of threat.  Not having enough information in this case imparts a false sense of security on the part of the user, because they inherently believe they are being adequately protected, when in reality just the opposite may be true.

  The BlackICE intrusion detection system automatically blocks any incoming traffic that has not been requested by the user's computer (there are many cases where there may be traffic requested by the user's computer that the user didn't specifically request with an action) and it also blocks any traffic that appears to have malicious intent based upon the content of the packet, whether or not the traffic request was initiated by the user's computer (or the user). This effectively allows the user to be protected from any traffic flowing in either direction.  This functionality has always been in the BlackICE product.

  Now why is Mr. K's review so 'over the top'?

  Anyone that has EVER installed ZoneAlarm, Kerio Personal Firewall, Norton Internet Security, etc., has had to put up with the constant barrage of popup messages (very similar to that of BlackICE PC Protection) for every application the user runs that attempts to access the Internet.  These popups are like an incessant two year old asking Grandma for a cookie!  They bug you and bug you and bug you until you respond to them with the "Do Not Ask Me Again" checkbox checked and then the 'personal firewall' becomes quiet.

  The problem with ZoneAlarm, Kerio Personal Firewall and NIS, is that when the user elects to click on the "Yes" button to allow access and they have the 'Don't Ask Me Again' checkbox checked, they have just created a rule that will allow the application to use the connection forever, without regard for the content of the traffic being passed back and forth within their computer.  This 'rule' will never be 're-assessed' for validity in specific situations.  This is the inherent danger of personal firewall software because, due to human nature, the inclination will be to ALWAYS check the "Do Not Ask Me Again" checkbox and click on the "Yes" button.

  The weakest link in the rules based personal firewall software is the user themselves. 

  The BEST solution is the use of a tool such as BlackICE PC Protection because the intrusion detection component continues to protect the user from themselves and any mistake they might make regarding their security decision when prompted to allow or deny an application access to the Internet.

  With respect to the "Rogue Application" protection component of BlackICE PC Protection, it is up to the user to ensure the following prior to installing the BlackICE product:

  • they have to make sure their computer is free of any viruses or trojan programs that might be lurking on their system.

  • they must go through the 'baselining' process during the install of the BlackICE product.

  The baselining process does not create ANY rules for applications with regard to allowing or denying access to the Internet or other network resources.  

  What the baselining process DOES is create a special, unique signature for every executable file format on the computer in order for BlackICE to detect whether or not any files have been tampered with at any point in the future.

  There are many trojans that attempt to replace critical system components and other executables with 'loader' programs that will do their dirty work.

  BlackICE PC protection compares this 'baseline' signature calculated at the time of installation, with the application's current signature at the time of execution to determine whether or not the file has been modified.  If the signatures match, then BlackICE allows the application to run.

  If the signatures do not match, one of two things has happened:

  • the application has never been baselined

  • the application has been updated and the signature has changed

  In the case of an intentional application update, if the user has installed an update of their software, they need to allow BlackICE to re-baseline their computer or at the prompt presented by BlackICE, allow the updating of the baseline signature.

  In the case of any other sort of update, then the application is considered suspect and the user should use all due caution in the execution of the application until they can determine why the application has changed.

  Mr. K's remarks about the supposed impact on productivity belong squarely on the shoulders of all personal firewall products that allow the user to make a security decision, at run time, about applications on their computers and cannot be blithely cast at the feet of BlackICE PC Protection and Internet Security Systems.

  For the past couple of years, Internet Security Systems, and Network ICE before it, held that allowing the user to control security decisions regarding the applications on their computer was not in the best interest of the user and this position, at least from my vantage point as a user and student of personal firewall software, has ultimately proven to be the correct one.

  When ISS was 'pressured' by public demand to offer the application control functionality and they stood on their position, they were 'castigated' by product reviewers and the likes of Steve Gibson...

  Now, when they offer the best technically viable solution on the market, with the exact functionality demanded by their critics, they are once again criticized for doing the very same thing that the other personal firewall packages tout as being their overriding claim to superiority.

  It should be stated that I am not without bias with regard to this issue; as a developer of personal firewall log analysis and reporting tools for BlackICE PC Protection, ZoneAlarm, WinRoute Pro and XP Personal Firewall (which ships with Windows XP Home), I have had occasion to study this genre of software in great detail.

  I have no connection whatsoever with Internet Security Systems, Zone Labs, Kerio Software or any other personal firewall vendor.

  Personal firewall and intrusion detection software perform two functions incredibly well...

  • they block traffic (some do this better than others)

  • they fill up your hard disk with meaningless, inaccessible data that is incomprehensible to the average user.

  We provide tools for the user to make sense of that data and allow them to become empowered against the intruders that would rather remain anonymous in the obscurity of the personal firewall log files.

  Feel free to check out our web site at http://www.firewallreporting.com for details regarding our personal firewall log analysis tools.

--  
Best regards,
Ben E. Brady - Managing Owner
Brady & Associates, LLC.
www.firewallreporting.com
We put the "personal" into personal firewalls.
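The baselining process the letter describes (hash every executable at install time, compare the stored digest with the current one at launch, and re-baseline only after the user confirms an intentional update) is shown below as an added worked example. It is illustration code written for this page, not BlackICE's implementation: the directory layout, the '.exe/.dll/.sys' filter, the use of SHA-256 and the sample files are all assumptions. It also makes the letter's two preconditions concrete: anything already on disk when the baseline is taken is trusted from then on, and the baseline store itself has to be protected or an intruder simply re-hashes the replaced file.

```python
"""Executable baselining: record a digest for every executable, then on each
launch report MATCH, NOT_BASELINED or MODIFIED.  Added illustration only;
file names, suffix filter and hash algorithm are assumptions, not BlackICE's."""
import hashlib
import os
import tempfile
from enum import Enum
from pathlib import Path


class Verdict(Enum):
    MATCH = "match"                  # digest equals the baseline: allow the launch
    NOT_BASELINED = "not_baselined"  # no entry at all: program unknown to the baseline
    MODIFIED = "modified"            # entry exists but the digest differs: suspect


EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}  # assumed filter for "executable"


def digest(path):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record a digest for every executable found (install-time scan)."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                baseline[p.relative_to(root).as_posix()] = digest(p)
    return baseline


def check_launch(root, rel_path, baseline):
    """Decide at execution time whether `rel_path` still matches its baseline."""
    current = digest(Path(root) / rel_path)
    stored = baseline.get(rel_path)
    if stored is None:
        return Verdict.NOT_BASELINED
    return Verdict.MATCH if stored == current else Verdict.MODIFIED


def accept_update(root, rel_path, baseline):
    """User confirmed an intentional update: re-baseline just this one file."""
    baseline[rel_path] = digest(Path(root) / rel_path)


def demo():
    """Constructed scenario: baseline, then tamper with one file and add another."""
    root = Path(tempfile.mkdtemp())
    (root / "player.exe").write_bytes(b"MZ original media player")
    (root / "notes.txt").write_bytes(b"not an executable, never baselined")
    (root / "drivers").mkdir()
    (root / "drivers" / "net.sys").write_bytes(b"MZ driver v1")
    baseline = build_baseline(root)
    results = {"baselined": sorted(baseline)}
    results["clean"] = check_launch(root, "player.exe", baseline)
    # a trojan 'loader' overwrites the player binary in place
    (root / "player.exe").write_bytes(b"MZ loader that phones home")
    results["tampered"] = check_launch(root, "player.exe", baseline)
    # a program installed after the baseline was taken
    (root / "new.exe").write_bytes(b"MZ freshly installed")
    results["unknown"] = check_launch(root, "new.exe", baseline)
    # the user confirms the change to player.exe was a legitimate update
    accept_update(root, "player.exe", baseline)
    results["after_rebaseline"] = check_launch(root, "player.exe", baseline)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A point the letter makes in passing is visible in the demo: the only way MODIFIED becomes MATCH is for the user to accept the change, so a user who clicks through the prompt has re-baselined the trojan, which is the same "weakest link" problem the letter raises for rules-based products.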

If you have any feedback, we would appreciate hearing from you, however, try to be at least able to explain your viewpoint.  Don't just tell me 'ZoneAlarm is the best' just because you happen to use it and cannot back up your opinion with logic and facts.
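The letter describes two blocking behaviours that do not depend on a user decision: inbound traffic is dropped unless it belongs to a connection the protected machine opened itself, and any packet whose content matches a known hostile pattern is dropped regardless of direction. The following is an added, deliberately simplified model of those two rules written for this page; it is not code from Internet Security Systems or any other vendor. The packet layout, the host address, the two content signatures and the sample traffic are constructed, and a real product tracks far more connection state than a set of 4-tuples.

```python
"""Two-rule filter model: (1) admit inbound only as a reply to a flow the host
opened, (2) drop any packet whose payload matches a content signature.  Added
illustration; addresses, signatures and sample traffic are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport payload")

HOST = "192.168.1.10"  # the protected machine (constructed address)

# constructed content signatures: (name, byte pattern to look for in the payload)
SIGNATURES = [
    ("directory traversal", b"/../../"),
    ("SQL Server shell probe", b"xp_cmdshell"),
]


class StatefulFilter:
    def __init__(self, signatures):
        self.signatures = signatures
        # flows the host initiated, keyed (proto, local port, remote ip, remote port)
        self.flows = set()
        # every verdict with its packet, the raw material for later log analysis
        self.log = []

    def _signature_hit(self, pkt):
        for name, pattern in self.signatures:
            if pattern in pkt.payload:
                return name
        return None

    def handle(self, pkt):
        """Return (action, reason) for one packet and update flow state."""
        # Rule 2 first: content inspection applies in both directions, so a
        # hostile reply on a legitimate connection is still blocked.
        hit = self._signature_hit(pkt)
        if hit:
            return self._verdict("BLOCK", "signature: " + hit, pkt)
        if pkt.direction == "out":
            # the host initiated this: remember the flow so replies are admitted
            self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
            return self._verdict("ALLOW", "outbound", pkt)
        # Rule 1: inbound is admitted only as the reverse of a remembered flow
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return self._verdict("ALLOW", "reply to established flow", pkt)
        return self._verdict("BLOCK", "unsolicited inbound", pkt)

    def _verdict(self, action, reason, pkt):
        self.log.append((action, reason, pkt))
        return action, reason


def demo():
    """Constructed traffic exercising both rules; returns the list of verdicts."""
    fw = StatefulFilter(SIGNATURES)
    remote = "203.0.113.5"
    pkts = [
        # the host opens an HTTP connection
        Packet("out", "TCP", HOST, 40000, remote, 80, b"GET / HTTP/1.0\r\n"),
        # the server's reply on that connection
        Packet("in", "TCP", remote, 80, HOST, 40000, b"HTTP/1.0 200 OK\r\n"),
        # nobody asked for this: a probe of the NetBIOS session port
        Packet("in", "TCP", remote, 1234, HOST, 139, b""),
        # a reply on the open flow, but carrying a hostile payload
        Packet("in", "TCP", remote, 80, HOST, 40000, b"...xp_cmdshell..."),
        # a hostile request leaving the host (say, from a program the user approved)
        Packet("out", "TCP", HOST, 40001, remote, 80, b"GET /../../etc/passwd"),
    ]
    return [fw.handle(p) for p in pkts]


if __name__ == "__main__":
    for action, reason in demo():
        print(action, reason)
```

The fourth and fifth packets are the letter's point: a user-approved application or an established connection does not exempt traffic from content inspection, which is exactly what a permanent "Do Not Ask Me Again" rule in a purely rules-based product does exempt.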
