Our product line was designed as a distributed intrusion detection system and
firewall for corporations. Many companies have
users at home or roving with notebooks in the field. These users are outside
the protection of the corporate firewall. We've designed our product such
that the ICEcap console centrally manages firewall rules, and receives reports
of intrusions.
For example, a common rule that corporations place on their firewalls is
to block all incoming TCP connections. In much the same way, a corporation
could place the same rule in ICEcap. This
rule then propagates down to all the BlackICE agents. Thus, ICEcap acts
as a virtual firewall: the rulesets are centrally managed at the ICEcap console,
but the actual filtering takes place in all the agents.
Similarly, the agents report intrusions up to the ICEcap console. This allows
the companies to monitor attacks against their users. The information can
be correlated in order to find hackers that are attacking more than one user.
This allows the managers to block the hacker's IP address for all the
other agents, before the hacker ever reaches those other users.
The "snitch" server
We are currently working on a system that will allow our home users to
report back to a single ICEcap server. We call this our "snitch" server.
This will allow Network ICE to track current trends in hacking, and
track the most serious hackers on the Internet. We are currently in
trials with some beta customers (the beta versions of our product
allow the customers to turn this feature on).
Before we can consider going live with this server, we must address
two major issues. The first is massive scalability when tens of thousands
of home users all try to hit the same server at the same time. The
second issue is privacy: we want to publish the results
from the snitch server, but at the same time we want to protect the
privacy of customers who decide to report to this server. We want
as many as possible to report, but most will be shy about revealing
their info and will not want to sign up. In particular,
since most customers have static IP addresses, we need to hide that
piece of information.
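As an added illustration (not Network ICE code), the following sketches the two console-side steps described above: correlating agent reports to find a source address that is attacking more than one user, turning that into a block rule to push down to every agent, and then producing per-attacker counts for publication in which the reporting customer's address is replaced by a keyed pseudonym so a static IP is not revealed. The report field names, the rule syntax and the sample addresses are assumptions constructed for the example.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample intrusion reports, as agents might send them up to the
# console. Field names are an assumption, not the product's actual format.
REPORTS = [
    {"agent": "198.51.100.10", "attacker": "203.0.113.5", "event": "port-scan"},
    {"agent": "198.51.100.11", "attacker": "203.0.113.5", "event": "port-scan"},
    {"agent": "198.51.100.12", "attacker": "203.0.113.9", "event": "tcp-connect"},
    {"agent": "198.51.100.10", "attacker": "203.0.113.9", "event": "tcp-connect"},
    {"agent": "198.51.100.13", "attacker": "203.0.113.77", "event": "tcp-connect"},
    {"agent": "198.51.100.10", "attacker": "203.0.113.5", "event": "tcp-connect"},
]


def correlate(reports, min_targets=2):
    """Attacker IPs seen hitting at least `min_targets` distinct agents."""
    targets = defaultdict(set)
    for r in reports:
        targets[r["attacker"]].add(r["agent"])
    return sorted(ip for ip, seen in targets.items() if len(seen) >= min_targets)


def block_rules(attackers):
    """Rules the console would propagate to all agents (syntax is illustrative)."""
    return [f"block inbound from {ip}" for ip in attackers]


def pseudonymize(ip, secret):
    """Keyed hash of a reporter's IP. A plain unkeyed hash would not do: the
    IPv4 space is small enough to enumerate and reverse such a hash."""
    return hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()[:16]


def publishable(reports, secret):
    """Per-attacker count of distinct reporters, with reporter IPs pseudonymized
    so the published data never carries a customer's static address."""
    reporters = defaultdict(set)
    for r in reports:
        reporters[r["attacker"]].add(pseudonymize(r["agent"], secret))
    return {ip: len(pseudonyms) for ip, pseudonyms in reporters.items()}


if __name__ == "__main__":
    hits = correlate(REPORTS)
    print(block_rules(hits))
    print(publishable(REPORTS, b"console-secret-key"))
```

The same secret must be kept on the console and never published; rotating it changes every pseudonym, which is acceptable when only counts are released.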