Wilders Security Forums  

#1  November 7th, 2008, 02:32 PM
n8chavez (Very Frequent Poster; Join Date: Jul 2003; Location: Location Unknown; Posts: 2,133)
Kerio 2.15 questions

Using a modified version of the BZ ruleset, Kerio 2.15 passes all stealth scans at both PC Flank and GRC. But does it offer SPI?

I must admit I like Kerio 2.15. In fact, I am leaning toward using that over LnS. It offers things I like, such as time-sensitive rules, icon animation and the ability to 'block all' from the taskbar.

Is that unwise?
__________________
My Bulletproof Config:

Resident:Shadow Defender x64 1.1.0.325, Look 'n' Stop, AdMuncher, Sandboxie
On-demand: Opera, BCWipe, CCleaner, Drive Snapshot (w/HIR)

Read my blog here.
#2  November 7th, 2008, 03:21 PM
Seer (Very Frequent Poster; Join Date: Feb 2007; Location: Singidunum; Posts: 1,581)
Re: Kerio 2.15 questions

Hello Nate

Quote:
Originally Posted by n8chavez
Using a modified version of the BZ ruleset, Kerio 2.15 passes all stealth scans at both PC Flank and GRC.

That's nice. If you care about it, that is.

Quote:
But does it offer SPI?

Oh yes, it does. This conclusion can easily be drawn from rules you have in place though...

Quote:
I must admit I like Kerio 2.15.

Nate, what happened to Jetico? Got a boot?

Cheese... I mean, cheers,
__________________
Nick
#3  November 7th, 2008, 03:25 PM
n8chavez (Very Frequent Poster; Join Date: Jul 2003; Location: Location Unknown; Posts: 2,133)
Re: Kerio 2.15 questions

Quote:
Originally Posted by Seer
Nate, what happened to Jetico? Got a boot?

Cheese... I mean, cheers,

Yes, I think it did. JPF is great. But it has its faults; no full SPI, for one. But the biggest thing was that it was such a pain. They just added another capability, which means more prompts. But with SBIE 3.31 (beta) adding complete process termination protection there doesn't seem to be a need for a firewall w/HIPS.

Last edited by n8chavez : November 7th, 2008 at 03:34 PM.
#4  November 7th, 2008, 03:34 PM
Seer (Very Frequent Poster; Join Date: Feb 2007; Location: Singidunum; Posts: 1,581)
Re: Kerio 2.15 questions

Quote:
Originally Posted by n8chavez
Yes, I think it did. JPF is great. But it has its faults; no full SPI, for one.

I'm not sure what you mean by "full SPI", but like most personal firewalls it will do SPI over TCP. SPI over stateless protocols such as UDP and ICMP is not possible. The same is with L'n'S, Jetico, Comodo, blah, blah.
#5  November 7th, 2008, 03:42 PM
n8chavez (Very Frequent Poster; Join Date: Jul 2003; Location: Location Unknown; Posts: 2,133)
Re: Kerio 2.15 questions

Quote:
Originally Posted by Seer
I'm not sure what you mean by "full SPI", but like most personal firewalls it will do SPI over TCP. SPI over stateless protocols such as UDP and ICMP is not possible. The same is with L'n'S, Jetico, Comodo, blah, blah.

That's not true. There are many threads about this over at the Jetico forums. This has been the most requested feature for a long time. They seem to be more interested in passing leak tests.
#6  November 7th, 2008, 03:46 PM
Seer (Very Frequent Poster; Join Date: Feb 2007; Location: Singidunum; Posts: 1,581)
Re: Kerio 2.15 questions

What's not true? As I said, SPI over stateless protocols is not possible. There is a thing called "state table" which can be implemented to control these protocols, but that's not SPI.
#7  November 7th, 2008, 09:47 PM
Kerodo (Incredibly Massive Poster; Join Date: Oct 2004; Posts: 6,156)
Re: Kerio 2.15 questions

Quote:
Originally Posted by n8chavez
Using a modified version of the BZ ruleset, Kerio 2.15 passes all stealth scans at both PC Flank and GRC. But does it offer SPI?

As I recall, Kerio 2 had a very "basic" SPI implementation. Kerio 4.xx was more advanced and developed in that department, as are other firewalls. So Kerio 2 does have a very crude and limited SPI of sorts, but nothing like some of the newer firewalls. Google some, I think there are old threads here and there discussing this in more detail, but my memory is fading, it's been several years now since I used Kerio 2.
__________________
If it ain't broke, you haven't tweaked it enough....
#8  November 8th, 2008, 06:29 AM
Seer (Very Frequent Poster; Join Date: Feb 2007; Location: Singidunum; Posts: 1,581)
Re: Kerio 2.15 questions

Guys,

if you want us to have any constructive discussion here (or elsewhere), you would need to define terms such as "full" and "basic". And be very specific.

So, what do you say, Kerio has SPI or not?
#9  November 8th, 2008, 03:27 PM
Escalader (Massive Poster; Join Date: Dec 2005; Location: Land of the Mooses; Posts: 3,661)
Re: Kerio 2.15 questions

Quote:
Originally Posted by n8chavez
Using a modified version of the BZ ruleset, Kerio 2.15 passes all stealth scans at both PC Flank and GRC. But does it offer SPI?

I must admit I like Kerio 2.15. In fact, I am leaning toward using that over LnS. It offers things I like, such as time-sensitive rules, icon animation and the ability to 'block all' from the taskbar.

Is that unwise?

Hello:

Respectfully suggest you review the following learning thread to assist you:

http://www.wilderssecurity.com/showthread.php?t=182158
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#10  November 8th, 2008, 08:53 PM
Alphalutra1 (Very Frequent Poster; Join Date: Dec 2005; Location: 127.0.0.0/255.0.0.0; Posts: 1,160)
Re: Kerio 2.15 questions

No.

Cheers,

Alphalutra1
__________________
Proud user of Gentoo, OpenBSD, dwm, (n)vi, heirloom-mailx, and pf
#11  November 9th, 2008, 12:38 AM
Seer (Very Frequent Poster; Join Date: Feb 2007; Location: Singidunum; Posts: 1,581)
Re: Kerio 2.15 questions

Alphalutra1,

while I do have high regard for your opinion, a single-word post is somewhat hard to accept. Can you please expand on it a bit? Kerio documentation clearly suggests that their product does stateful inspection. But there are different methods of implementation, as every vendor has its own right to choose how the state of a connection will be kept. Are you actually suggesting that Kerio does not check TCP packet headers and keeps a simple IP/port table only?
#12  January 31st, 2009, 05:12 PM
n8chavez (Very Frequent Poster; Join Date: Jul 2003; Location: Location Unknown; Posts: 2,133)
Re: Kerio 2.15 questions

Now that my original question has been answered, how secure is KPF 1.15 with BZ ruleset? Is it worth using anymore?
#13  January 31st, 2009, 06:16 PM
Kerodo (Incredibly Massive Poster; Join Date: Oct 2004; Posts: 6,156)
Re: Kerio 2.15 questions

Quote:
Originally Posted by n8chavez
Now that my original question has been answered, how secure is KPF 1.15 with BZ ruleset? Is it worth using anymore?

Kerio 2.1.5 is fine for inbound, but it won't compete with the newer stuff on outbound as it wasn't designed with leak-testing in mind like Comodo or some of the newer breed. It's only as good as your rule set, and I'd say it would score pretty poorly on outbound leak-tests. Depends on what you need it to do.
#14  January 31st, 2009, 08:27 PM
act8192 (Frequent Poster; Join Date: Nov 2006; Posts: 729)
Re: Kerio 2.15 questions

As Kerodo indicated, as secure as your rules.
BZ posted suggestions, not something to use as is, since BZ cannot possibly provide for your setup. Kerio 2.1.5 has to match YOUR computer, your applications, your uses.

Build rules from alerts, use BZ-rules as a GREAT source of ideas and for answers to prompts you may not know.

As far as leaktests go - MY opinion - Kerio is fine, add a good, dedicated HIPS product.

One more thing: when IPv6 comes around, I gather Kerio 2.1.5 will then be really obsolete. Couple more years to go.

Last edited by act8192 : January 31st, 2009 at 08:46 PM.
#15  January 31st, 2009, 09:47 PM
n8chavez (Very Frequent Poster; Join Date: Jul 2003; Location: Location Unknown; Posts: 2,133)
Re: Kerio 2.15 questions

Quote:
Originally Posted by act8192
As Kerodo indicated, as secure as your rules.
BZ posted suggestions, not something to use as is, since BZ cannot possibly provide for your setup. Kerio 2.1.5 has to match YOUR computer, your applications, your uses.

Build rules from alerts, use BZ-rules as a GREAT source of ideas and for answers to prompts you may not know.

As far as leaktests go - MY opinion - Kerio is fine, add a good, dedicated HIPS product.

One more thing: when IPv6 comes around, I gather Kerio 2.1.5 will then be really obsolete. Couple more years to go.

Right. I am using the BZ set as a foundation for my own, of course. I thought that was implied. There are a few things I like about it; time-sensitive rules and easy "block all", among others. I'll just stay with LnS.
#16  January 31st, 2009, 11:17 PM
arran (Very Frequent Poster; Join Date: Feb 2008; Posts: 1,092)
Re: Kerio 2.15 questions

http://img151.imageshack.us/my.php?image=keriokt2.jpg

I thought of an easy way to configure Kerio. Instead of wasting time with all these advanced rule sets floating around, why not just delete all the existing rules and only create rules for the applications you need to have connect to the internet, with a "Block everything else" rule at the bottom?

This way everything else that is not on your allow rules is automatically blocked.

If a web browser or something you need to connect to the internet is not working properly, you can always have a look at the logs and see where you have made a mistake.

What are people's thoughts on this?
#17  January 31st, 2009, 11:43 PM
Kerodo (Incredibly Massive Poster; Join Date: Oct 2004; Posts: 6,156)
Re: Kerio 2.15 questions

It's not quite that simple; you still need rules for DHCP, DNS, loopback, and the usual stuff. But a block-all rule at the end is often used, yes.....
#18  February 1st, 2009, 05:12 AM
Nebulus (Frequent Poster; Join Date: Jan 2007; Posts: 845)
Re: Kerio 2.15 questions

Any firewall config is very dependent on the programs you use and the configuration of your network. For instance, I don't have DHCP on the network I'm on, so no rules for that. For DNS, I use a separate rule for every application that needs it (and that is only because I use maximum 10 apps that require net access). But this is probably not the case for the majority of setups. So, to answer your question Kerio 2 is very good, but the strength comes from the way you create your own rules.
#19  February 2nd, 2009, 02:54 PM
normishmael (Posts: n/a)
Re: Kerio 2.15 questions

With the "FINAL RELEASE DOWNLOAD" of the BlitzenZeus rules, I had the problem that Kerio 2.1.5 sometimes just would not start at boot up.
Also, if for some reason you terminated the program, it wouldn't restart without a reboot.
Anyone else have that problem?
So, reluctantly retired Kerio 2.1.5.
#20  February 2nd, 2009, 06:41 PM
Kerodo (Incredibly Massive Poster; Join Date: Oct 2004; Posts: 6,156)
Re: Kerio 2.15 questions

That shouldn't have anything to do with the rule set. If you're running Kerio 2 on XP, all I can say is, it can be a bit flaky. It ran great on Win2k, and some people say it runs fine on XP, but I had issues with it on XP when I tried it, as did some other folks too. So all I can suggest is, if it won't work reliably, then just give it the old heave-ho and find something else. But the BZ rule set should not have anything to do with that, unless that indirectly triggers some other issue.
#21  February 2nd, 2009, 08:04 PM
Nebulus (Frequent Poster; Join Date: Jan 2007; Posts: 845)
Re: Kerio 2.15 questions

normishmael, I encountered this problem some time ago, on a computer with an "exotic" network interface. Kerio 2 didn't recognize that interface and refused to run. The only solution was to disable that interface (it was not the one used to connect to the internet, so I was lucky). Unfortunately I don't remember the details exactly.
On my present computer, Kerio 2.1.5 runs perfectly in WinXP.
#22  February 2nd, 2009, 09:48 PM
MICRO (Very Frequent Poster; Join Date: Jun 2004; Posts: 1,020)
Re: Kerio 2.15 questions

Quote:
Originally Posted by Nebulus
So, to answer your question Kerio 2 is very good, but the strength comes from the way you create your own rules.

I hope my rules are correct on 2.15, which I copied to XP from my previous 98se.
After installing 2.15 on this XP Home when I got it about 12-15 months ago, I then installed OA too. They work very well together, and OA disabled the Windows Firewall. I tried a couple of times to enable the latter, but OA disabled it each time.

I have 2.15 set on 'Deny Unknown', but when a new version of an App downloads I must remember to switch 2.15 to 'ASK', because it has to take into account the new App via a popup saying this App has the same name as previously but it's different. I tell it 'Allow' and away it goes.

Didn't realize until recently that OA has a button called 'History' which tells on a daily basis what's happening from startup to shutdown. I like these two Apps working together.
#23  February 3rd, 2009, 01:15 AM
normishmael (Posts: n/a)
Re: Kerio 2.15 questions

Kerodo and Nebulus,
Yeah, really, there are very few pieces of software that really get me to give up.
Kerio 2.1.5 is just one of them.
#24  February 5th, 2009, 12:19 PM
n8chavez (Very Frequent Poster; Join Date: Jul 2003; Location: Location Unknown; Posts: 2,133)
Re: Kerio 2.15 questions

Anyone interested in playing 'test the ruleset' for me? I'd be very interested to know what others think of my set, and how it stacks up to others in terms of security. Also, what, if anything, should I change?

Rename to .conf

Thanks all.
Attached file: test.txt (59.3 KB, 41 views)
#25  February 6th, 2009, 03:05 AM
noone_particular (Very Frequent Poster; Join Date: Aug 2008; Posts: 1,891)
Re: Kerio 2.15 questions

This ruleset is for XP? I'm not a professional, but I see a few problems with your ruleset. It appears that you've started with the BZ ruleset and added to it. Most of the networking rules contained in the BZ ruleset won't apply to a home network. In most setups, only one of the private IP ranges is in use. I see that you read through the Kerio learning thread and changed them from network/mask to network/range. Those guys put a lot of work into that thread. It's good to see someone is actually using it.

On the miscellaneous tab, you have "check for new versions of personal firewall" checked. There will be no updates to Kerio 2. Uncheck it.

Your DNS rules have a problem. I see that you use OpenDNS. You used network/range when specifying the remote endpoint. This not only allows the 2 IPs you listed but all IPs between them. There are 2 ways you can limit the DNS rules to just the 2 specific IPs you're using:

  1. Use a separate rule for each address, which would double the number of DNS rules.
  2. Add both OpenDNS IPs to the custom address group as single IPs, then use "custom address group" for the remote endpoint in your DNS rules.

You could also allow DNS for any application and add blocking rules above the DNS rules for apps that aren't allowed internet access. This would drop your ruleset down to 1 or 2 DNS rules.

You have one rule allowing svchost.exe to connect out on any port using UDP. Most of the services that connect via svchost.exe use specific ports. By specifying the port and protocol allowed in svchost rules, you can control which services are allowed to connect out. Malware that runs as a service will often use svchost.exe to connect out. The default rules for most firewalls allow svchost.exe unlimited outbound access so that any services the user needs won't break when the firewall is started for the first time. Malware often uses svchost to connect, taking advantage of the fact that most users haven't tightened those rules.

If I'm looking at your rules correctly, Opera is your default browser and IE is only used on specific sites? I see that you've allowed inbound TCP to Opera on several ports. Is this to accommodate specific web applications or games? Most of the time it's not necessary to allow inbound TCP to the browser. If certain sites truly need it to function, I'd limit the inbound permission to those specific sites.

The Miranda rules can be a bit of a project. If I'm reading them right, you use Miranda for just MSN and Yahoo so far? The inbound access can be limited to very specific IP ranges. I see you've allowed inbound for port 7001, used by MSN. You might have to allow it for port 9 also. I've limited the inbound access to an IP range from 207.46.26.200 to 207.46.27.255. So far, it's all I've had to allow for inbound. These can be time consuming rules to tighten up. If you use some of the additional functions in Miranda and other IM programs, this can add quite a few rules. IM programs are one instance where the "deny unknown" setting and "block all other traffic" rules on Kerio can be a problem.

I see you have enabled the standard loopback rule. Depending on how much control you want to have over loopback connections, you might want to make loopback rules for only the specific apps that need it, then follow those with a blocking rule for all other loopback connections. If you use any apps that function as a proxy service, you'll want tighter loopback rules. If you use TOR, good loopback rules are critical. If none of the user or security apps you run function as a proxy service, then it becomes a matter of preference.

One general suggestion I'd make is to group the rules differently. I'd move all global blocking rules towards the top of the list. I'd also keep rules of specific types together, such as the ICMP rules. Some are near the top. Some are towards the bottom. I'd also keep all the system, services, and network rules together. Kerio starts at the top of the rules and uses the first one that applies. This makes the order the rules are in just as important as the rules themselves. I start with global blocking rules at the top, followed by the system/networking rules. These include DNS, allowed services, allowed network rules, etc. After these I have the rules for specific applications with the rules for individual apps kept together.

Hope this helps.

Edited to add link.
This link might help you with LAN network rules and private IP ranges.

Last edited by noone_particular : February 6th, 2009 at 03:20 AM.
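A constructed first-match rule evaluator that illustrates two points from this thread: the "allow your apps, then block everything else" layout of posts #16/#17 still needs explicit loopback, DNS and DHCP rules above the catch-all, and the network/range DNS rule criticised in post #25 silently admits every address between the two resolver IPs. This is added example code, not Kerio's code or its configuration format; the rule fields, the process names and the OpenDNS resolver addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import List, Optional, Tuple

# Constructed packet description; the real engine sees many more fields.
@dataclass(frozen=True)
class Packet:
    app: str          # owning process, e.g. "svchost.exe"
    proto: str        # "tcp", "udp" or "icmp"
    direction: str    # "in" or "out"
    remote_ip: str
    remote_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    app: Optional[str] = None             # None = any application
    proto: Optional[str] = None           # None = any protocol
    direction: Optional[str] = None       # None = both directions
    remote: Tuple[IPv4Network, ...] = ()  # () = any remote address
    ports: Tuple[int, ...] = ()           # remote ports; () = any port

    def matches(self, p: Packet) -> bool:
        return ((self.app is None or self.app == p.app)
                and (self.proto is None or self.proto == p.proto)
                and (self.direction is None or self.direction == p.direction)
                and (not self.ports or p.remote_port in self.ports)
                and (not self.remote
                     or any(IPv4Address(p.remote_ip) in n for n in self.remote)))

def decide(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Top-to-bottom scan: the first rule that applies wins, as the thread
    describes Kerio's behaviour. Returns (action, name of the deciding rule)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "implicit (no rule matched)"

# Two resolver addresses (assumed OpenDNS IPs) written as single hosts, versus
# the same pair written as a network/range, which covers every address between.
OPENDNS_EXACT = (IPv4Network("208.67.222.222/32"), IPv4Network("208.67.220.220/32"))
OPENDNS_RANGE = tuple(summarize_address_range(IPv4Address("208.67.220.220"),
                                              IPv4Address("208.67.222.222")))

def ruleset(dns_remote: Tuple[IPv4Network, ...]) -> List[Rule]:
    """Global blocks first, then system/network rules, then per-application
    rules, then the catch-all deny: the ordering suggested in post #25."""
    return [
        Rule("Block inbound to svchost.exe", "deny", app="svchost.exe", direction="in"),
        Rule("Loopback", "allow", remote=(IPv4Network("127.0.0.0/8"),)),
        Rule("DNS to resolvers (any app)", "allow", proto="udp", direction="out",
             remote=dns_remote, ports=(53,)),
        Rule("svchost.exe DHCP", "allow", app="svchost.exe", proto="udp",
             direction="out", ports=(67,)),
        Rule("Opera web", "allow", app="opera.exe", proto="tcp", direction="out",
             ports=(80, 443)),
        Rule("Block everything else", "deny"),
    ]

TIGHT = ruleset(OPENDNS_EXACT)   # only the two resolver hosts pass the DNS rule
LOOSE = ruleset(OPENDNS_RANGE)   # every host between them passes it as well
```

Probing `decide(TIGHT, ...)` and `decide(LOOSE, ...)` with the same UDP/53 packet to an address inside the range shows the catch-all deny in one case and an allow from the DNS rule in the other.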