BlackICE and TPF
Is there anything wrong with using TPF to guard my computer and having BlackICE tell me the activity going around ? What I mean is are there compatibility issues or problems with either TPF or BlackICE's security?
Thorazine
07-20-01, 12:16 AM
What is the purpose of running two programs to monitor ports?
downhill
07-20-01, 12:27 AM
Thorazine
Where you been hiding? Have not seen a post from you for quite some time.
BlackICE is not for protecting; it is so I can see what is coming in, because it has a very good packet sniffer if u ask me, and Tiny is the one that does the blocking.
Thorazine
07-20-01, 01:58 AM
So busy lately, new baby and lots of work. I try to keep up with the board, but often times I'll forget.
Also too, most of the boards posts are about home/client side security issues which most of the regulars are quite capable answering.
To answer the post, I'm not aware of (but not the authority either) any issues the two pieces of software have with each other. You may want to have a friend send malformed packets to your machine to see what happens when both pieces of software try and stop them. My snapshot guess is you won't really know (unless it's documented somewhere) what they will do running together until they're tested.
Now I have a question for you....
How bad do your resources take a hit from having both running?
Barely a thing at all I am running it on Win XP with 128MB RAM.
A bit of a topic change but:
I know a lot of people don't like BlackIcE (including me) but it DOES block attacks. It had problems blocking trojan based attacks but this issue was resolved with release 2.5.co. BlackIcE also protects personal IIS web-sites with common attack resolution.
Not that I like BlackIcE, but I think that just because Steve Gibson said it doesn't work, now all these people are starting to slap it down and not give the developers a chance to improve on their product. Steve Gibson is not the security/hacking genius some teens are making him out to be.
Steve Gibson is not the security/hacking genius some teens are making him out to be.
Did you ever read his DDOS page (all of it)?
I think it's not "teens" but pretty much the entire community that sees him as a top notch security mind.
He got on BI cause they call it a firewall. A firewall should block outbound traffic as well. Since BI doesn't, he said that they should call it an IDS. They bashed him for being **** (but correct) and have started to call it an IDS that acts like a firewall. I don't know what the hell that means, but I suppose they do.
Steve was just looking out for the rest of the internet community by simply stating that many people were PAYING for a product that really did not keep them as safe as they thought. If anything this HELPED us by forcing the BI developers to FIX their product.
FunK
I read his page and agree with him on many aspects, but think about this ... while he informed the internet community of what was going on he also inspired idiot haXors to begin searching for trojans to launch their own ddos attacks. These kids figure hey, a 13 year old took down Steve Gibson's site, I bet I could get these tools and take out some sites ..... not blaming him for the HUGE increase in ddos attacks but it didn't help.
Thorazine
07-20-01, 11:53 AM
Well, here we go with another installment of "BlackIce isn't a firewall because it doesn't take outbound traffic into consideration". So again I'll state.
Machine Security (Physical or otherwise) isn't an after the fact issue. Besides, for all of you using IRC, ICQ, IM, or the Microsoft instant message software, you're punching a hole right in your security software anyway. If an exploit comes out for any of those pieces of software, your firewall is worthless. Now if you're one of these readers that is so afraid of software "phoning home" or releasing information about your machine, then maybe ZA(Pro) is the better solution for you.
My whole argument is, if you're not out there installing warez, odd third-party apps and so on, then the chances of getting a trojan on your machine are minimal. But I also understand that many readers have limited resources so installing illegal software is the only option. Again, ZA might be the better option.
I personally do not understand why I would run a piece of software that hogs resources when the same information can be gathered from the free utilities included with the OS.
Finally, the bottom line is that which ever piece of software you use, remember ZA, TPF, BI, NPF, Mcafee's firewall are all at the bottom of the security food chain. Any one of these products can be bypassed with a little know how because of the inherent nature of the software.
Oh and as far as Gibson is concerned. I really like his web site but I think the whole issue with Windows raw sockets is a little misguided. I think he sounded off a little too early and then didn't want to back down when he was wrong. IMHO, his credibility has suffered because of it.
Kirby Smith
07-21-01, 02:35 PM
I run BID with Tiny and have found no problem. BID does "phone home" when it starts, so you should apply a permission rule for Tiny. Please note, however, that BID has nothing to look at if Tiny is configured correctly. Tiny operates very low on the stack, and what it blocks does not get to BID. My BID is only there for historical reasons, more of a second pair of suspenders on top of a belt, as most intrusion attempts are actually blocked by my router.
kirby
Originally posted by Kirby Smith
I run BID with Tiny and have found no problem. BID does "phone home" when it starts, so you should apply a permission rule for Tiny. Please note, however, that BID has nothing to look at if Tiny is configured correctly. Tiny operates very low on the stack, and what it blocks does not get to BID. My BID is only there for historical reasons, more of a second pair of suspenders on top of a belt, as most intrusion attempts are actually blocked by my router.
kirby
Are you not just wasting resources on your system?
Tiny, as you state is already blocking. Where is BID in the stack? Has it stopped anything since Tiny arrived?
The reason you don't have a problem with running both is they don't ever come in contact and probably never will.
I run 2 AV programs. Do I really need them both? Probably not, but as they do different work on my system I keep them both.
Tiny and BID with incoming do the same job. Tiny gets it all.
In a number of forums I visit, the resident experts advise not to use 2 firewalls. If you want to go to a great forum on the subject of Security then try Voice of the Public (http://www.voiceofthepublic.com/cgi-bin/ikonboard/ikonboard.cgi) for a great read.
Ultimately, the choice is an individual one on what is running on an individual's system. The practice is not recommended by those in the know.
JMHO.
Croc
They do different things. One blocks and the other is great for logs and reporting on the spot; that's the only reason I use it.
Ok, if that is the case which one is blocking and which one is logging?
Tiny is obviously doing the blocking so if it is blocking and loaded earlier in the stack then how would BID see what to log when what is to be logged is blocked?
Please understand, I am not trying to start a blue (flame) here. I am just trying to understand how this can happen given that Kirby has said that BID has nothing to look at.
Also, what is wrong with the Tiny logs?
I guess I should d/load a copy of BID and try it. I have it on a disk here but because it only does half a job I never bothered with it.
The problem also with doing this is I am running WinRoute Pro on this system so BID would be BLIND here also.
Croc
I really don't want to keep explaining. Let's just say I like it, never mind this forum.
Juggernaut
07-21-01, 05:54 PM
I agree with Croc. If you have Tiny configured properly, BID will never see a thing. The only reason that BID will be seeing anything is if you have Tiny configured improperly.
MrTrix..
That stand unfortunately can't guide anyone (let alone me) to understand how BID can work with Tiny in front of it.
Do you get logging ability in BID? If you do, I am sure we would all benefit from your input and BID may be of help with incoming. I understand you are happy with your use of BID. Allow us the opportunity to share that understanding by sharing what you know. Isn't that why we are all here?
Again I do not wish to annoy, p*ss anyone off or flame. I do however, want to learn and understand.
I used to run 2 firewalls, namely ZoneAlarm and Sygate. I always thought they played together well and I was happy with the combination. Sygate always loaded early in the stack and I never saw a ZoneAlarm popup. Then I switched off Sygate and the alerts I received from ZA were fewer than Sygate. Sygate alerted me to more outgoings when it was switched back on. This told me that Sygate was doing more.
I should also say that Tiny would also be of no use here with WinRoute Pro in use. The only benefit any firewall would have is when loaded on a system behind the router. The rules would be duplicated and would be affected in the stack at boot.
Then I read info from people like Steve Gibson, Davidovv and others who convinced me this was of no benefit and could be detrimental to overall performance of the firewall.
JMHO
Croc
Ok, I'm sorry, I thought u just wanted to dismiss the idea of my Firewall setup. What I have is BlackICE allowing all packets through and logging enabled to the full. Now BlackICE I think has great logging capabilities because it will tell you that you have been attacked right away, say who it's from, and their HOSTNAME. Also many other good things such as the parameters of the packets. Now I let TPF allow all TCP and UDP both IN and OUT of it so it can log that information. I realize that doesn't allow the ICMP, ARP, etc. information but the TCP and UDP alone are very helpful in learning what the attacker would be looking for or if it is even an attacker. Then in TPF I set the rest of the stuff I am going to allow and at the bottom I make a Universal DENY command. It is a command at the end of the ALLOWS that DENIES all of Anything in both directions so that I do not have to set DENY rules for every program. I hope that explains it clearer.
Kirby Smith
07-21-01, 09:07 PM
I am aware that BID is unlikely to have anything to do once Tiny is installed. BID was installed first and I haven't removed it yet. I am sure that they don't interfere for just such reasons as you state.
You aren't with the resource police, I hope.
kirby:)
OK, there are no resource problems. Maybe your comp doesn't handle it but mine thinks it's a walk in the park.
Originally posted by MrTRiX
They do different things. One blocks and the other is great for logs and reporting on the spot; that's the only reason I use it.
What everyone is trying to explain, MrTRiX, is that TPF will do each and every thing, plus much more than BlackIce. The only limit to TPF is your filterset knowledge.
Now, right out of the box, with no additional filtersets, TPF is pretty weak, to say the least. But with the multitude of filtersets available, you can lock up your system tighter than a drum with TPF. So tight that it'll log and flash and literally make you crazy with alerts and you'll be reading logs for months. It all depends on how you set it up.
I have never downloaded BlackIce and have no intention to do so because from the reviews I have read, it's not worth the few seconds of my time to download it. I have used ZAPro and Tiny PFW in the past and I consider Tiny the king of the software firewalls, with ZAPro right behind, ZA Free Version after that, and then there's really no reason to consider the others, from the reviews I have read.
As for the resources being used, that's a personal choice. Most of us preserve every K of our resources we can as most of us run multiple IE sessions, IM software and more when we're online. We just don't see any need to run something -- BlackIce in your case -- when it really isn't doing anything.
Now, to run a backup firewall while you're configuring Tiny, then yeah, run BI or ZAPro or whatever until you get it running at 100%. Then, when it's all configged, dump BI and surf and download to your heart's content.
Another thing to consider is that you will be slowing down your speeds to a certain extent by sending your data through a multitude of filters, so you may consider that too when thinking about running two firewalls.
Originally posted by Kirby Smith
You aren't with the resource police, I hope.
kirby:)
LOL... Nah, not me!
MrTrix.... Thanks for that. It helps to understand what others see as important in their setup.
I probably do have a resource problem but the one advantage I do have is I am on dialup so there is no gap between logging on and the firewall coming on line. It is already up and running. This IMHO is a problem when the firewall loads late in the stack on a 24/7 connection.
BlueJetta.... Isn't it a shame that when we put our faith in a program and learn the rulesets that go with it to secure our system we just don't go the extra step and trust that program we have put our faith in. Those who believe in ZA have the option of turning off the popup warnings. How many do?
Croc.;)
Originally posted by TheCroc
BlueJetta.... Isn't it a shame that when we put our faith in a program and learn the rulesets that go with it to secure our system we just don't go the extra step and trust that program we have put our faith in. Those who believe in ZA have the option of turning off the popup warnings. How many do?
Croc.;)
Good point!
These days we are automatically untrusting. With all the trojans, virii, scripts, phone-home software, etc, it can be quite daunting. Most of us just wanna surf the Net, yak with friends, and just have a good time, but it seems that every time we turn around, someone else is trying a different way to screw up our machines.
Pretty much these days it's if you have protection software that IS NOT finding something wrong, then it must not be working. That used to be the other way around not all that long ago.
We're almost to the point of showering with a raincoat on. ;)
Kirby Smith
07-22-01, 09:36 AM
Just to clarify this pop-up issue with Tiny. In the case of Tiny, running the default level of protection but having user set-up filter rules, pop-ups only occur for conditions not covered by the rules. This is useful to see whether one needs another rule or not. If the user follows his filter rules with a rule blocking everything, all popups disappear (assuming he didn't deliberately set a rule to notify).
So, one can use Tiny to learn, or one can use Tiny to provide an invisible firewall. The choice is up to the user.
kirby
Originally posted by Kirby Smith
So, one can use Tiny to learn, or one can use Tiny to provide an invisible firewall. The choice is up to the user.
kirby
And that's the beauty of Tiny. Fully configurable.
Originally posted by BlueJetta
We're almost to the point of showering with a raincoat on. ;)
:rotfl: Yeah, well, err, umm....
you're right. The thing is that showering with a raincoat on is not something that is seen during the act of showering so we are actually at the point?:rotfl:
Kirby... And with my setup using WinRoute Pro which is a network server type Tiny I see nothing and no one else does either (i hope). It is just as configurable as Tiny and written by them as well. I admit I still have a lotta lernin to do tho.
Croc
Kirby Smith
07-22-01, 08:32 PM
I believe Tiny is directly derived from Winroute Pro.
kirby
Westell ADSL > Nexland ISB Soho NAT router > Tiny PF > BlackIce Defender (temporary) > TDS-3
Originally posted by TheCroc
:rotfl: Yeah, well, err, umm....
you're right. The thing is that showering with a raincoat on is not something that is seen during the act of showering so we are actually at the point?:rotfl:
Croc
Geeze. I guess you're right Croc. :p
Originally posted by Kirby Smith
I believe Tiny is directly derived from Winroute Pro.
kirby
Westell ADSL > Nexland ISB Soho NAT router > Tiny PF > BlackIce Defender (temporary) > TDS-3
That's right, Kirby. Don't know which was first, but one was definitely hatched from the other.
In another forum you visit a post referring to visible ports being detected at PC Flank I found interesting. I had the EXACT SAME port numbers reported on a scan I did last night too. I wonder if he was also using Tiny? Visible and open are poles apart though.
Croc
Kirby Smith
07-23-01, 06:55 PM
Early in my Tiny rules set are rules to control just what ICMP responses are allowed in and out. Among other things these block external ping responses.
kirby
Kirby,
can you post them here for us to see how you have set them up. I would really appreciate it and we could all benefit.
Croc.
Kirby Smith
07-24-01, 09:19 AM
OK, I'll interpret your request to mean just the ICMP rules in the context of the nearby rules. Let me look into the forum picture posting rules.
[edit] Hmm. I see attachment posting is "off." this means I will have to upload them to my Verizon-supplied web site (which doesn't actually have a real homepage yet) for you to FTP from. I will have to do that tonight. For now, let me try in writing:
There are three ICMP rules in the following order:
Outgoing ICMP allow, Incoming ICMP allow, ICMP Block All.
Outgoing permits types 3, 4 and 8
Incoming permits types 0, 3, 4, 11, 12
Block All denies all types, thereby blocking anything that wasn't previously allowed
These rules are for any ports any applications
The ICMP rules follow the:
Loopback rule, revised to limit it to Tiny
NETBIOS blocking rules
ISP DNS allowing rules
and precede the rules for various programs.
Note that with respect to ICMP types, I have followed those who have gone before.
HTH
kirby
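The ordering kirby describes (two narrow ICMP allow rules, then a block-all) and the "Universal DENY" MrTRiX puts at the end of his TPF allow list both rely on the same first-match behaviour: a packet is judged by the first rule it hits, so anything not explicitly allowed above the catch-all is dropped. The following is an added example, not code from any poster in this thread and not Tiny's or BlackICE's own rule format; it models that first-match evaluation in Python with a constructed Packet/Rule structure and constructed sample traffic, so you can see why an inbound ping is dropped while the reply to your own outbound ping still gets in.

```python
# Added example: first-match packet-filter evaluation with a trailing block-all.
# The Packet and Rule types, the rule names and the sample traffic are all
# constructed for this illustration; they are not Tiny's real filterset syntax.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # ICMP type number, if proto == "icmp"
    port: Optional[int] = None       # destination port, if tcp/udp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                # "allow" or "deny"
    direction: Optional[str] = None            # None matches both directions
    proto: Optional[str] = None                # None matches any protocol
    icmp_types: Optional[frozenset] = None     # None matches any ICMP type
    ports: Optional[frozenset] = None          # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """Every constraint that is set must match; unset constraints match anything."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.icmp_types is not None and pkt.icmp_type not in self.icmp_types:
            return False
        if self.ports is not None and pkt.port not in self.ports:
            return False
        return True


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First matching rule decides. Returns (action, name of the deciding rule)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "implicit default"


# kirby's three ICMP rules, in the order he lists them.
# Types: 0 echo reply, 3 destination unreachable, 4 source quench,
#        8 echo request, 11 time exceeded, 12 parameter problem.
KIRBY_ICMP_RULES = [
    Rule("Outgoing ICMP allow", "allow", "out", "icmp", frozenset({3, 4, 8})),
    Rule("Incoming ICMP allow", "allow", "in", "icmp", frozenset({0, 3, 4, 11, 12})),
    Rule("ICMP Block All", "deny", None, "icmp"),
]

# MrTRiX-style list: a few explicit allows, then a universal deny in both
# directions so no per-program deny rules are needed. Ports are constructed.
TPF_STYLE_RULES = [
    Rule("Allow outbound web", "allow", "out", "tcp", None, frozenset({80, 443})),
    Rule("Allow outbound DNS", "allow", "out", "udp", None, frozenset({53})),
    Rule("Universal DENY", "deny"),           # matches everything, any direction
]


def ordering_matters() -> bool:
    """Show that moving the block-all to the top silently kills the allows."""
    reversed_rules = [KIRBY_ICMP_RULES[2], KIRBY_ICMP_RULES[0], KIRBY_ICMP_RULES[1]]
    outbound_ping = Packet("out", "icmp", icmp_type=8)
    good = evaluate(KIRBY_ICMP_RULES, outbound_ping)[0] == "allow"
    bad = evaluate(reversed_rules, outbound_ping)[0] == "deny"
    return good and bad


if __name__ == "__main__":
    samples = [
        Packet("in", "icmp", icmp_type=8),    # someone pinging you: dropped
        Packet("out", "icmp", icmp_type=8),   # your own ping going out: allowed
        Packet("in", "icmp", icmp_type=0),    # the reply to your ping: allowed
        Packet("in", "icmp", icmp_type=11),   # traceroute-style time exceeded: allowed
    ]
    for p in samples:
        print(p, "->", evaluate(KIRBY_ICMP_RULES, p))
    print(Packet("in", "tcp", port=139), "->", evaluate(TPF_STYLE_RULES, Packet("in", "tcp", port=139)))
    print("rule order matters:", ordering_matters())
```

The point to take from the run is that the block-all rule contributes nothing on its own; its value comes entirely from sitting below the allows. Put it first (as `ordering_matters()` does) and every ICMP packet, including your own outbound pings, is silently denied, which is exactly the kind of misconfiguration Juggernaut's remark about Tiny being "configured improperly" refers to.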
Kirby Smith
07-25-01, 09:40 AM
Croc:
Was the above adequate? I wasn't able to do the pictures last night and can't guarantee I can do them tonight.
kirby
Thanks, Kirby.
It helps to have a bit of an understanding of these rules.
See what you can do with the pic.
Thanks again.
Croc
Kirby Smith
07-26-01, 10:53 PM
OK Croc, I think this will work. Direct your browser to:
http://members.bellatlantic.net/~vze287b8/images/Tiny_top.jpg
and
http://members.bellatlantic.net/~vze287b8/images/Tiny_bot.jpg
Sorry for the lack of webpage elegance. I haven't had time to get into that yet.
Where you see a reference to trustful addresses, the only one I have is that of my router.
kirby
Thanks Kirby.
Both worked and we will check em out tonight.
This type of info sure does help those like me that are still lernin. ;)
Intrigued Croc.