
List:       blackicedefender-technical
Subject:    ZA vs BID? BID wins hands down. Period.
From:       classifiedagent
Date:       2000-04-25 4:39:03

Gee, I dunno if anyone remembers little old me here.. but anyways..

I've always known and felt deep down that BID was an excellent IDS 
with quality features comparable (if not better) to that of bulky 
disgusting systems costing hundreds more. I mean, just look at the 
way the developers built the BID engine. It is better and more robust 
than other systems for a number of reasons which I'm sure all you 
users are very much aware of.

But what about ZA? It's free! Hmmm. Now that should be worth looking 
at right? Well, for those of you in the past months that have been 
beating on BID in favor of ZA, don't let your eyes deceive you my fine 
FEATHERwalled friends. Just take a look at this unbelievable exploit 
semi-recently found in ZoneAlarm:

<<SNIP>>
This Firewall has been found to contain a serious security hole that 
would allow a remote attacker to TCP and UDP scan the entire host's 
port range without detection. This is done by specifying a special 
port number in the source port part of the TCP or UDP packet.

Details 
Vulnerable systems:
ZoneAlarm version 2.1.10
ZoneAlarm version 2.0.26

If one uses port 67 as the source port of a TCP or UDP scan, 
ZoneAlarm will let the packet through and will not notify the user. 
This means that one can TCP or UDP port scan a ZoneAlarm protected 
computer as if there were no firewall there IF one uses port 67 as 
the source port on the packets.

Exploit:
UDP Scan: You can use nmap to port scan the host with the following 
command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88 
(Notice the -g67 which specifies source port).

TCP Scan:
You can use nmap to port scan the host with the following command 
line: nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 which specifies source port).

<<SNIP>>

Needless to say BlackICE wins hands down not only because it's a true 
IDS, but because the hybrid firewall/signature engine simply cannot 
be compared to the likes of a product such as ZoneAlarm.

 -©lassifiedagent
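
Added example, not part of the original post or the quoted advisory: a toy Python model of the filtering behaviour the advisory describes, beside a stricter rule and a simple detection check. It assumes the port 67 exception exists for DHCP replies (67 is the BOOTP/DHCP server port), which the advisory does not state; the rule functions and sample packets are hypothetical and are not ZoneAlarm's code.

```python
# Added example: a toy packet-filter model, not ZoneAlarm's actual rule engine.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_port dst_port")

DHCP_SERVER_PORT = 67   # BOOTP/DHCP server port
DHCP_CLIENT_PORT = 68   # BOOTP/DHCP client port

def weak_filter(pkt):
    """Behaviour the advisory describes: anything sourced from port 67 passes."""
    if pkt.src_port == DHCP_SERVER_PORT:
        return "allow-silent"
    return "block-and-alert"

def strict_filter(pkt):
    """Assumed fix: allow only the shape of a DHCP reply, UDP 67 -> 68."""
    if (pkt.proto == "udp" and pkt.src_port == DHCP_SERVER_PORT
            and pkt.dst_port == DHCP_CLIENT_PORT):
        return "allow-silent"
    return "block-and-alert"

def flag_port67_probes(packets, min_ports=3):
    """Detection: source port 67 touching several non-DHCP destination ports."""
    ports = {p.dst_port for p in packets
             if p.src_port == DHCP_SERVER_PORT
             and p.dst_port != DHCP_CLIENT_PORT}
    return sorted(ports) if len(ports) >= min_ports else []

# Constructed sample traffic (not captured data)
SAMPLE = [
    Packet("udp", 67, 68),      # legitimate DHCP reply
    Packet("udp", 67, 137),     # source port 67, non-DHCP destination
    Packet("tcp", 67, 139),
    Packet("tcp", 67, 135),
    Packet("tcp", 40000, 139),  # ordinary inbound probe
]

def compare(packets):
    """Return each packet with the verdict of both filters."""
    return [(p, weak_filter(p), strict_filter(p)) for p in packets]

if __name__ == "__main__":
    for p, weak, strict in compare(SAMPLE):
        print(f"{p.proto} {p.src_port}->{p.dst_port}: weak={weak} strict={strict}")
    print("flagged destination ports:", flag_port67_probes(SAMPLE))
```

A stateful filter that only accepts a 67 -> 68 reply after the host has sent a DHCP request would be tighter still; the strict rule here is the minimum stateless form.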
