Send intruders into a spin

Network ICE has introduced a new intrusion-detection solution called BlackICE, part of the company's complete ICEpac security solution. To detect intrusion attempts, BlackICE relies on a set of rules you configure to define intrusive activity. After detecting such activity, the software can block all traffic from the intruder's address, leaving other traffic unaffected, and can prevent similar intrusion attempts on the remainder of a network. The product ships with more than 200 preconfigured and preenabled intrusion signatures.

BlackICE uses an agent-based architecture, relying on agents you install on each computer on a network. The agents monitor incoming traffic, adjusting filters dynamically to block unauthorized access when they detect suspicious activity and alerting other agents of such activity. BlackICE agents work in unison with an ICEcap server, which acts as an enterprisewide centralized host for collecting and monitoring data from BlackICE clients. After installing a copy of BlackICE on each machine you want to monitor, you can configure the software to communicate with an ICEcap server or to run alone.

Because intrusion signatures are central to intrusion detection, updates are paramount. Unfortunately, you have to visit Network ICE's Web site to learn of product updates, but the company says it's establishing a mailing list to alert customers about new updates. And because BlackICE doesn't employ any interpreted code or scripting languages, you must get complete product updates to stay current with the latest signatures. In my experience, the optimized compiled code of a complete update runs faster than interpreted code, which explains why BlackICE's operational performance is faster than some competing products. But without a scripting language or some type of interpreted code, you can't design and deploy custom attack signatures.

I tested BlackICE on a Windows NT 4.0 network running one server and several workstations. I installed the ICEcap server, which requires only a license key, a directory to store the necessary files, and port numbers for the Web server interface (ICEcap comes with a Web server that requires its own port number), and the ICEcap service started automatically. I then used the BlackICE installation utility to configure and install BlackICE agents on my test workstations, pushing out to remote systems without any trouble. You can deploy the product remotely without rebooting a remote NT system.

The configuration process was easy. Configurable options include an ICEcap server address and intrusion signature controls to turn on and off any signature rule. The configuration utility is the only means of configuring BlackICE client agents, other than manually editing an agent's .ini file. I couldn't use the ICEcap server management interface to manage agent configurations, but Network ICE said the next version of the product will have this capability.

After I configured and deployed the clients, I tried a barrage of well-known intrusion techniques on the test network, and BlackICE immediately detected and stopped each one. For example, the product had no trouble detecting and stopping a slow ping sweep, and it reacted equally well to a slow port scan of the systems on the network.

The ICEcap server reporting, which Screen 1 shows, is respectable, and the reports are easy to generate, read, and interpret. You can choose from a variety of preconfigured report types, including common items such as top security problems and most serious intrusion attempts.

Overall, I found BlackICE to be a well-designed product that installs easily and runs almost transparently on a network. Although the product is relatively new, I found it stable with excellent network performance. If you're looking for a new intrusion-detection software system, be sure to consider Network ICE's latest solution.

Contact:Network ICE * 650-341-6886
Price: Starts at $37 per monitored device
System Requirements: Windows 2000, Windows NT 4.0, or Windows 9x, 2.5MB of hard disk space