In larger corporate environments, InstallPac can be used to install agent software onto target hosts remotely, thus removing the need to perform individual installations.
For NT systems, the InstallNet push program works very effectively for installing and automatically starting BlackICE Pro on a large number of systems simultaneously. For Windows 9x systems that have not been configured for remote disk access, the AgentUpdate pull program allows those systems to “pull” a copy of BlackICE Agent. The AgentUpdate program can be included in a logon script on a network server, so that Windows 9x clients automatically pull the software the next time they log in to the server.
ICEpac documentation is only available on-line as PDF files, not as hard copy. The documentation is comprehensive, however, and includes a Getting Started Guide for the ICEpac suite, a User Guide for the BlackICE Agent, Administrator Guides for ICEcap and InstallPac, and a Reporting and Reference Guide for ICEcap.
Configuration
With the basic BlackICE Agent installation there is virtually nothing required in the way of configuration before the product will run. Whereas other IDS products require the administrator to define security policies containing the attack signatures to look for and the hosts to be monitored, BlackICE Sentry simply looks at every packet on the wire and always watches for every attack in its database.
Although there is limited scope for configuration via the graphical interface, there are some key text-based configuration files that can be edited.
Whilst it is not possible to define new attack signatures per se (since BlackICE does not use pattern matching), it is possible to modify the behaviour of the protocol decode by defining new “rules” that specify which objects or resources the engine should monitor.
For instance, it is a simple matter to have BlackICE watch a specific file, directory or Windows registry key for tampering (and a number of sensible defaults are included in the standard configuration). It is also possible to alter settings such as failed login counts or SYN flood thresholds to suit the characteristics of your own network. It would be nice to see the GUI developed further to provide the means to modify these parameters within the application rather than via editing text files, however.
BlackICE GUI
The default installation includes a simple graphical interface on the host PC with a number of different tabbed views. The Attacks window shows details of all attacks including date and time, attack name, intruder ID, victim ID and a count of the number of attacks seen. Unfortunately, we found the count information to be among the least accurate of the IDS systems tested, but this is not because BlackICE misses packets. Because it is designed to operate at high speeds (it can handle 100 per cent network load of 148800 packets per second on a 100Mbit network) there is a certain amount of what is known as “pre-filtering” and “coalescing” of events when a serious attack is underway. The most obvious result of this is that multiple attacks begin to be shown on a single line with a source IP address of 0.0.0.0 instead of on separate lines, and the count information seems to be approximate at best once this starts to happen.
Figure 54 – BlackICE: Viewing attacks in the console
Additional columns can be added to the Attacks display (attack parameters, attack ID, severity, etc) by right-clicking on the column headers, and columns can be re-ordered and re-sorted as required. Each severity level is colour coded (red, yellow, or green) and audio-visual alerts can be triggered at the console depending on the severity. By selecting any attack, a brief description is displayed at the bottom of the GUI.
A more detailed description – including further reference material and occasionally suggestions for fixing the problem – can be obtained by clicking on the “Advice” button. Unfortunately, none of this information is installed locally – BlackICE has to go off to the Network ICE Web site to retrieve it (which might be a problem if the attack has brought down your Internet connection).
The next tab is the Intruders display, which displays a list of attackers, together with any details BlackICE has been able to determine by means of “back tracing”. This feature, which can be disabled if performance is paramount, enables BlackICE to trace back to the attacker in an attempt to discover as much about him as possible. Along with the IP address (which could be spoofed, of course), BlackICE will display the DNS name, NetBIOS name, Windows Workgroup/Domain name, node name, and even the MAC address if they can be determined.
Figure 55 – BlackICE: Viewing attack history in the console
The third tab is the History tab, which displays graphs of attacks, suspicious activity and network traffic over a user-selectable period of time. When BlackICE installation is controlled by InstallPac, it is possible to install a “silent” version of the Agent with no GUI. This makes the Agent completely invisible to users of the host machine, whilst still allowing control of the Agent from the ICEpac management console.
Firewall
Unlike most other IDS systems, BlackICE also incorporates a firewall. This can operate as a personal firewall, with BlackICE Agent, or as a network perimeter firewall with BlackICE Sentry when installed on a dual-NIC host. There are two parts to BlackICE protection: the standard protection filter, and the dynamic protection filter. Standard protection filtering stops many common attacks before they can get started. This includes blocking corrupt packets, badly fragmented packets, and other potentially damaging transmissions. The standard filters include configurable filters for IP addresses, TCP and UDP ports.
Dynamic protection filtering works much like an IP address filter used on routers and other network devices. When a malicious attack is detected, BlackICE adds the hacker’s IP address to a dynamic address table, after which any traffic from that IP address is rejected at the network stack level.
Right-clicking on any attack or intruder in the BlackICE display allows the user to immediately trust or block a user, and ignore or block an attack. Ignoring attacks or trusting certain IP addresses provides the means to run automated scanning tools on the network without triggering false alarms on all the BlackICE Agents.
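To make the interplay between the standard filters, the dynamic address table and the console's trust/ignore overrides concrete, here is a small Python model added for this review. It is not BlackICE code; the rule that a trusted address bypasses every filter, and the scenario values, are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"


@dataclass
class ProtectionFilter:
    """Illustrative model of standard plus dynamic protection filtering."""
    # Standard protection: static address and port filters
    blocked_addrs: set = field(default_factory=set)
    blocked_tcp_ports: set = field(default_factory=set)
    blocked_udp_ports: set = field(default_factory=set)
    # Dynamic protection: addresses added automatically when an attack is seen
    dynamic_table: set = field(default_factory=set)
    # Console overrides: trusted addresses and ignored attack names
    trusted: set = field(default_factory=set)
    ignored_attacks: set = field(default_factory=set)

    def on_attack(self, src: str, attack_name: str) -> bool:
        """Detection-engine callback. Returns True if src was added to the
        dynamic table; ignored attacks and trusted sources never cause a block."""
        if attack_name in self.ignored_attacks or src in self.trusted:
            return False
        self.dynamic_table.add(src)
        return True

    def accept(self, pkt: Packet) -> bool:
        """Decide whether a packet is passed up the network stack."""
        # Assumption: a trusted address (e.g. an authorised scanner) bypasses
        # every filter, so it neither alarms nor gets blocked
        if pkt.src in self.trusted:
            return True
        if pkt.src in self.dynamic_table or pkt.src in self.blocked_addrs:
            return False
        ports = self.blocked_tcp_ports if pkt.proto == "tcp" else self.blocked_udp_ports
        return pkt.dst_port not in ports


def demo() -> list:
    """Constructed scenario: scanner 10.0.0.5 is trusted, 'ping sweep' is
    ignored, and 192.0.2.7 is blocked dynamically after a SYN flood."""
    f = ProtectionFilter(blocked_tcp_ports={23}, trusted={"10.0.0.5"},
                         ignored_attacks={"ping sweep"})
    results = [f.accept(Packet("192.0.2.7", 80, "tcp"))]      # True: no block yet
    f.on_attack("192.0.2.7", "syn flood")                       # added to the table
    results.append(f.accept(Packet("192.0.2.7", 80, "tcp")))    # False: rejected
    f.on_attack("10.0.0.5", "syn flood")                        # trusted: no block
    results.append(f.accept(Packet("10.0.0.5", 23, "tcp")))     # True: bypasses
    return results
```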
Logging
In addition to the trusting and blocking settings, the only other parameters that can be configured via the GUI interface relate to packet logging and evidence logging.
When packet logging is enabled, BlackICE Agent records all system traffic into log files, with the size of the files and their rotation characteristics controlled via the Packet Log tab in the BlackICE settings. It is important to note that packet logging keeps track of ALL system traffic, not just intrusions, which can result in some large files. Packet logs are encoded as “sniffer” style trace files, and require a decoding application (which is not included) to view the contents.
If you want to be more selective in what is recorded, you can employ evidence files, which are also controlled via the BlackICE settings. Whenever an attack is detected, BlackICE Agent captures network traffic specific to the attack in progress and stores that information in an evidence file. These files also require a trace file decoder to view the contents.