List: blackicedefender-technical
Subject: ZA vs BID? BID wins hands down. Period.
From: classifiedagent
Date: 2000-04-25 4:39:03
Gee, I dunno if anyone remembers little old me here.. but anyways..
I've always known and felt deep down that BID was an excellent IDS
with quality features comparable (if not better) to that of bulky
disgusting systems costing hundreds more. I mean, just look at the
way the developers built the BID engine. It is better and more robust
than other systems for a number of reasons which, I'm sure all you
users are very much aware of.
But what about ZA? It's free! Hmmm. Now that should be worth looking
at right? Well, for those of you in the past months that have been
beating on BID in favor of ZA, don't let your eyes deceive you my fine
FEATHERwalled friends. Just take a look at this unbelievable exploit
semi-recently found in ZoneAlarm:
<<SNIP>>
This Firewall has been found to contain a serious security hole that
would allow a remote attacker to TCP and UDP scan the entire host's
port range without detection. This is done by specifying a special
port number in the source port part of the TCP or UDP packet.
Details
Vulnerable systems:
ZoneAlarm version 2.1.10
ZoneAlarm version 2.0.26
If one uses port 67 as the source port of a TCP or UDP scan,
ZoneAlarm will let the packet through and will not notify the user.
This means, that one can TCP or UDP port scan a ZoneAlarm protected
computer as if there were no firewall there IF one uses port 67 as
the source port on the packets.
Exploit:
UDP Scan: You can use nmap to port scan the host with the following
command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).
TCP Scan: You can use nmap to port scan the host with the following
command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 which specifies source port).
<<SNIP>>
Needless to say BlackICE wins hands down not only because it's a true
IDS, but because the hybrid firewall/signature engine simply cannot
be compared to the likes of a product such as ZoneAlarm.
-©lassifiedagent
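Added example, not part of the original message or the quoted advisory: a small Python check that contrasts a filter trusting source port 67 on its own with a rule that only passes DHCP server replies (UDP 67 to 68), and flags sources that use source port 67 against many other ports. The packet records, addresses other than the advisory's 192.168.128.88, function names and the `min_ports` threshold are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def weak_allow(p: Pkt) -> bool:
    """Behaviour the advisory describes: source port 67 alone is trusted."""
    return p.sport == 67

def strict_allow(p: Pkt) -> bool:
    """Assumed tighter rule: only DHCP server-to-client replies (UDP 67 -> 68)."""
    return p.proto == "udp" and p.sport == 67 and p.dport == 68

def find_sport67_sweeps(packets, min_ports=5):
    """Map (src, dst) -> sorted destination ports for sources that used
    source port 67 against at least min_ports non-DHCP ports."""
    hits = defaultdict(set)
    for p in packets:
        if p.sport == 67 and not strict_allow(p):
            hits[(p.src, p.dst)].add(p.dport)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}

# Constructed sample traffic (not captured data).
HOST = "192.168.128.88"
SAMPLE = (
    [Pkt("udp", "192.168.128.1", 67, HOST, 68)]            # DHCP reply
    + [Pkt("tcp", "198.51.100.7", 67, HOST, port) for port in range(130, 141)]
    + [Pkt("udp", "198.51.100.7", 67, HOST, 137)]
    + [Pkt("tcp", "203.0.113.9", 40000, HOST, 80)]         # ordinary traffic
)

if __name__ == "__main__":
    for (src, dst), ports in find_sport67_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: source port 67 used against ports {ports}")
```

Run over a firewall or packet log parsed into the same fields, the same check highlights hosts relying on the source-port exemption while leaving normal DHCP replies alone.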