
Detailed Reading of the Latest Evaluation Reports on the World's Famous Firewalls: BlackICE (Translation of the Original)


Posted on 2007-10-21 15:50


From: MACD Forum (bbs.macd.cn)  Author: govyvy  Views: 2315  Replies: 1

Thank you all for taking an interest in reading this translated text. I would like to explain something first: this article is taken from www.matousec.com. Since that company is a professional security product evaluation and testing firm, the conclusions in the reports it publishes have a certain reference value. At the same time, the company is also a commercial company that tests and sells bug information; its standards for the security products submitted for testing are very strict and its comments are close to harsh. So whichever firewall product you support, please read this article with a calm mind. In the end, there is still a considerable difference between the practical use of a firewall and laboratory testing; whether a product is good to use, only the user knows best. There is no perfect firewall in the world, only the firewall that suits you best. These texts are published only in the hope of providing the necessary reference material when choosing this kind of product. The original address is http://www.matousec.com/projects/windows-personal-firewall-analysis/results.php; interested friends can browse it.

The translations of all firewall test reports in this evaluation project have been compiled and published; please see http://bbs.hypost.cn/read.php?tid=116235.


BlackICE PC Protection 3.6.cpj - Review

BlackICE PC Protection is a personal firewall used by surprisingly many users. However, there are not many positives in this firewall. The security concept is very naive, the user interface is below average, the number of bugs is excessive and, all together, it is not the cheapest available solution. There is no reason to use this product, not even if it were free.

BlackICE PC Protection 3.6.cpj - Overview

BlackICE PC Protection is a personal firewall product, and the size of its user base is unexpected. However, the product does not have many outstanding features: its security concept is quite naive, the user interface has not reached the average standard, and the number of flaws is very large. Overall, it is also not the cheapest personal computer security solution on the market. There is no reason that would attract users to use this product, even if it were free.

Tested version

We tried to contact Internet Security Systems, Inc., the vendor of BlackICE PC Protection, twice with no success. This is why we chose an evaluation version for our tests. This version has the same features as the full version and the only limitation is that it stops working after 30 days. The latest version of BlackICE PC Protection was 3.6.cpiE when we started our analysis. Later we updated it to version 3.6.cpj. Our analysis is valid for the later version.

The full version of BlackICE PC Protection is available for $39.95 for one PC; the licence for 5 PCs costs $175.00.

Tested version

We tried twice to contact Internet Security Systems, the developer of BlackICE, without success. So we could only choose the evaluation version as the basis for this test. This version is identical in functionality to the full version; the difference is that the evaluation version has a 30-day usage limit, after which the product stops working. When we started testing, 3.6cpiE was the latest version; later we updated it to 3.6cpj, and our analysis applies equally to the updated version.

A single-machine license for the full version of BlackICE costs 39.95 US dollars, while a license for 5 machines costs 175 US dollars.

Installation and initialization

At first we downloaded the 6 MB installation package of the evaluation version of BlackICE, which is a reasonable size for a personal firewall, and ran the installation process. The installation wizard is standard and the user is asked only one important question, which is whether to run BlackICE with the so-called 'Application Protection' enabled or disabled. The only reasonable answer from a security point of view is to enable it. Then comes the installation itself, which finishes with a so-called 'Baseline scan'. That is the moment when BlackICE initializes its internal database of known programs. After the baseline scan this database contains all executable modules in the system and these modules are considered to be trusted. The unique and positive thing about the installation of BlackICE is that it does not require the system to be restarted. The whole installation was fast enough and it was easy and trouble-free as well. The only thing we missed was the possibility to set a password to protect the settings of BlackICE. It was an unpleasant surprise later when we found that there is no way to protect the settings of BlackICE at all. Anyway, the installation process was ok and this is why BlackICE PC Protection received no penalty for the installation process. We were also pleased that the default settings of BlackICE after the installation were defined very well for common use.

Installation and initialization

First we downloaded the BlackICE installation package, 6 MB in size, which is a reasonable size for a firewall, and then began the installation. The installation process is very formulaic; the user is asked only one important question: whether to enable or disable the so-called 'Application Protection' feature when running BlackICE. From a security point of view, the only reasonable choice is 'enable'. The installer then runs automatically and, at the end, performs a so-called 'baseline scan'. After this scan is complete, the BlackICE database contains all the trusted executable modules in the system. The unique feature of the BlackICE installation process is that it does not require the system to be restarted. The whole installation process was quick, simple and very smooth; the only regret is that a password to protect the BlackICE settings cannot be set during installation. Even more frustrating, we later discovered that BlackICE does not support password protection at all. In any case, the BlackICE installation process was OK, so it received full marks in this part of the test. We were likewise very satisfied with the default settings of BlackICE after installation; these settings are very suitable for ordinary users.

Hardware requirements

Hardware requirements of BlackICE PC Protection are quite big for a personal firewall software, but for today's average computers they do not present any problems and the user should not recognize the performance impact at all. BlackICE reduces the system performance by about 17% and uses from 17 to 26 MB RAM when it runs in the background. BlackICE uses only 10 MB on the hard disk, which is not so much and is reasonable for a personal firewall software. Hardware requirements of BlackICE PC Protection are lower than the requirements of competitive products.

Hardware requirements

For personal firewall software, BlackICE's hardware requirements are fairly large, but for today's mainstream computer configurations this is not a problem, and users will not pursue the impact either. Running in the background, BlackICE occupies 17 MB to 26 MB of memory and reduces system performance by 17%, while its disk footprint is only 10 MB, within the reasonable range for personal firewall software. Overall, BlackICE's hardware requirements are lower than those of its competitors.

Common behaviour and control

BlackICE maintains a list of known applications and other executable modules. After the installation this database is initialized with all modules on logical disks. Since then BlackICE alerts the user and asks what to do when code from a new module is going to be executed. To prevent an excessive number of prompts during a new software installation BlackICE implements a so-called 'Install Mode'. When the firewall is operating in this mode, Application Protection is paused and the user is asked to disable Install Mode from time to time. Finally, when the user disables Install Mode BlackICE updates its baseline. On one hand this feature improves the performance during the installation of new software, but on the other hand this feature is half-implemented. The user has no chance to disable the Install Mode until BlackICE shows the dialog for it, and during the time in Install Mode the user must be very careful because every file that is copied to the system will be trusted after the update of the baseline. Fortunately, BlackICE asks the user whether the update should be done automatically or manually.

The user interface of BlackICE is accessible via the tray icon, which also offers to disable the protection of the firewall and Application Protection. The interface itself is plain and standard; compared with the interfaces of competitive products it is not designed very well, but the functionality is sufficient. The real problem is with the dialogs of BlackICE. The user is hardly ever informed about what is really happening in the system because these dialogs are very poor in the information they provide. As an example we can take a dialog of Application Protection which was shown when we changed one of the libraries used by the Internet browser. The only information on the dialog was that an unknown application was detected, with the name of the Internet browser module and the name of the changed library. A much worse example is when an application that is not trusted to access the network tries to run some trusted application (e.g. Internet browser) to access the network using another trusted application (e.g. 'cmd.exe'). In this case the only information provided by BlackICE is that an unknown application called 'cmd.exe' tries to access the network, which is simply false. Thus it can be very hard for common users to make a good decision in these situations. This is why we gave only 90% in the Ease of use classification to BlackICE PC Protection.

Common behaviour and control

BlackICE contains a list of known applications and other executable modules. After installation is complete, the database initializes with all modules on the logical disks; thereafter BlackICE warns and asks the user what measures to take when code from a new module attempts to execute. To prevent too many prompts appearing during the installation of new software, BlackICE runs a so-called 'Install Mode'. When the firewall is working in this mode, Application Protection is paused, and the user is reminded again and again to turn off 'Install Mode'. Finally, when the user disables this mode, BlackICE updates its baseline database. On the one hand, this feature improves the installation experience for new software while the firewall is running; on the other hand, this feature is in fact only half working. Unless BlackICE itself pops up the dialog to end 'Install Mode', the user has no way to turn the feature off. At the same time, the user must be especially careful while in 'Install Mode', because every file copied into the system will be recognized as trusted once the baseline database is updated. Fortunately, BlackICE asks the user whether to update the baseline database manually or automatically.

The BlackICE interface can be called up via the system tray icon, which also provides the functions to disable the firewall and Application Protection. Compared with the interfaces of its competitors, the BlackICE interface lacks good design and appears plain and standard, but it still provides sufficient function options. The real problem lies in the BlackICE dialogs. Because the dialog prompts provide too little information, it is hard for the user to learn what is really happening in the system. For example, when we modified a program library used by IE, we saw a dialog issued by Application Protection. This dialog could only tell the user that an unknown application with the name of the IE module had been detected, along with the name of the changed library. A more serious example is an application that has been set as untrusted and cannot connect to the network, which can, by attempting to run some trusted application (such as IE), gain a way onto the network through another trusted application (such as cmd.exe). At this point the BlackICE dialog prompt 'an unknown application named "cmd.exe" is attempting to connect to the network' is clearly wrong. Therefore, in the situations described above, BlackICE finds it hard to help the user make the right decision. This is why we gave BlackICE only a 90% score in the ease-of-use section.
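As an added illustration (not part of the original review, of matousec's analysis, or of BlackICE's own code), the following Python sketch models the baseline and Install Mode behaviour described in this section. It keys trust on a SHA-256 of each module's contents rather than on its file name, so a library replaced under the same name is reported as modified instead of being silently trusted, and it shows why leaving Install Mode with an automatic baseline update trusts everything that appeared in the meantime. All module paths and contents below are constructed sample data.

```python
"""Hash-based executable baseline with an 'install mode', modelled on the
baseline scan and Install Mode described in the review. Added example; all
paths and module contents are constructed sample data, not real files."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Baseline:
    # path -> SHA-256 of the module contents at the time it was trusted
    trusted: Dict[str, str] = field(default_factory=dict)
    install_mode: bool = False
    # modules observed while install mode was open, awaiting a decision
    pending: Dict[str, str] = field(default_factory=dict)

    @classmethod
    def scan(cls, modules: Dict[str, bytes]) -> "Baseline":
        """Baseline scan: everything present at install time becomes trusted."""
        return cls(trusted={p: sha256_hex(d) for p, d in modules.items()})

    def check(self, path: str, data: bytes) -> str:
        """Decide what happens when code from `path` is about to execute.
        Returns 'trusted', 'new-module', 'modified-module' or 'install-mode'."""
        digest = sha256_hex(data)
        if self.install_mode:
            # Nothing is challenged while install mode is open; only record it.
            self.pending[path] = digest
            return "install-mode"
        known = self.trusted.get(path)
        if known is None:
            return "new-module"
        if known != digest:
            # Same name, different content: a name-keyed baseline would miss this.
            return "modified-module"
        return "trusted"

    def end_install_mode(self, auto_update: bool) -> List[str]:
        """Leave install mode. With auto_update everything seen is trusted
        wholesale (the risk the review points out); otherwise the list is
        returned for manual review and nothing is trusted."""
        self.install_mode = False
        seen = sorted(self.pending)
        if auto_update:
            self.trusted.update(self.pending)
        self.pending.clear()
        return seen


def demo() -> Dict[str, str]:
    """Run the scenarios from the review against constructed sample modules."""
    disk = {  # constructed contents of the 'disk' at install time
        r"C:\Program Files\Browser\browser.exe": b"browser code v1",
        r"C:\Program Files\Browser\netlib.dll": b"netlib code v1",
        r"C:\Windows\system32\cmd.exe": b"cmd code",
    }
    bl = Baseline.scan(disk)
    results = {}
    results["unchanged"] = bl.check(r"C:\Windows\system32\cmd.exe", b"cmd code")
    results["new"] = bl.check(r"C:\Temp\dropped.exe", b"something new")
    # A library with a trusted name but different contents is flagged.
    results["swapped_dll"] = bl.check(
        r"C:\Program Files\Browser\netlib.dll", b"netlib code v2")
    # Install mode: the dropped file is seen but, with manual review, not trusted.
    bl.install_mode = True
    bl.check(r"C:\Temp\dropped.exe", b"something new")
    bl.end_install_mode(auto_update=False)
    results["after_manual_review"] = bl.check(r"C:\Temp\dropped.exe", b"something new")
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:20s} -> {verdict}")
```

The manual-review branch is the safer of the two choices the review says BlackICE offers: with `auto_update=True` every module observed during Install Mode, including the dropped file, would become trusted in one step.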

Security

We have already mentioned above the basic security concept of BlackICE - the baseline. Unfortunately, this is the only idea of its security design. Moreover, its implementation is very naive and thus it can be bypassed very easily by malware. The situation of the security of BlackICE PC Protection is even worse because even in the concept with only one simple idea there are plenty of bugs in its implementation. Developers of BlackICE also forgot to implement crucial features for the security of a personal firewall. These missing crucial features are listed as design bugs in the bug list below with very high unique penalties, such that their values are greater than the possible sums of penalties of bugs in these features if they were implemented in BlackICE. Another security flaw was already mentioned: BlackICE does not support protection of its settings. The overall bad impression of the security of BlackICE is underlined by the fact that the whole application is distributed in debug mode. The security level and the software quality of BlackICE PC Protection 3.6 are the lowest possible and we cannot recommend this product to anyone. You can see public information about BlackICE's bugs in the following sections below.

Security

We have already mentioned the BlackICE security concept above: the baseline database. Regrettably, this is also the only security design BlackICE has. Worse, the operation of the baseline database is very rudimentary, and malware can easily bypass its protection. Because the security concept, guided by BlackICE's simple idea, is itself riddled with holes in operation, BlackICE's security is even worse. The BlackICE developers also forgot to develop some features that are very important to the security of a personal firewall. These missing key features are all listed as design bugs in the bug list below, and the harm caused by their unique consequences is far greater than the harm of the many potential consequences of the bugs that a completed BlackICE (that is, one with these design bugs corrected) would expose. Another security flaw was mentioned above: BlackICE does not support protecting its settings. The overall poor impression of BlackICE's security is reinforced by this fact: the integrated application is divided up under 'debug mode'. The software quality and security level of BlackICE are probably the worst (that we have evaluated); we cannot recommend such a product to everyone. You will find the public information on the relevant BlackICE bugs below.

Open public bugs

The following list contains open bugs that are public. This means that a full name, description, testing method and testing program is available for every bug in the list. The list is sorted by the bug penalty; the higher the penalty, the more dangerous the bug is.

Published bugs with public information

The list below lists the bugs with public information, that is, the full name, description, testing method and test program of every bug in the list are available. The list is classified and graded by the harmfulness of the bugs; the higher the level, the more harmful the bug. (Details omitted; only bug names and risk levels are listed, likewise below.)

Filelock protection bypass
Risk: Critical bugs

BlackICE DLL faking of run-time linked libraries Vulnerability
Risk: Critical bugs

Insufficient validation of arguments of NtOpenSection
Risk: Serious bugs

Open private bugs

The following list contains open bugs that are private. This means that their names, descriptions, testing methods and testing programs are not available for free. You can buy private information about a single bug or you can buy the full analysis. The following list is sorted by the bug penalty; the higher the penalty, the more dangerous the bug.

Published bugs with private information

The list below lists the bugs that are private in nature, that is, the name, description, testing method and test program of every bug in the list are not available for free. You can choose to buy the analysis information for a single bug or buy the full set of analysis information. The list is classified and graded by the harmfulness of the bugs; the higher the level, the more harmful the bug. (Details omitted; only bug names and risk levels are listed.)

BUG00017P003BI  Risk: Critical bugs
BUG00018P003BI  Risk: Critical bugs
BUG00019P003BI  Risk: Critical bugs
BUG00020P003BI  Risk: Critical bugs
BUG00021P003BI  Risk: Minor bugs
BUG00012P003BI  Risk: Critical bugs
BUG00015P003BI  Risk: Critical bugs
BUG00016P003BI  Risk: Critical bugs
BUG00009P003BI  Risk: Critical bugs
BUG00010P003BI  Risk: Critical bugs
BUG00001P003BI  Risk: Serious bugs
BUG00007P003BI  Risk: Serious bugs
BUG00011P003BI  Risk: Serious bugs
BUG00002P003BI  Risk: Serious bugs
BUG00003P003BI  Risk: Serious bugs
BUG00004P003BI  Risk: Serious bugs
BUG00008P003BI  Risk: Minor bugs
BUG00014P003BI  Risk: Unimportant bugs
BUG00005P003BI  Risk: Unimportant bugs
BUG00006P003BI  Risk: Unimportant bugs


Original post reposted from the 绅博 forum

[ This post was last edited by govyvy on 2007-10-21 16:09 ]


Original poster | Posted on 2007-10-21 15:59

Note that these evaluations were carried out around the beginning of the year and do not represent the software's actual level in use.

[ This post was last edited by govyvy on 2007-10-21 16:31 ]