Creating Rules

Discussion in 'other firewalls' started by Vietnam Vet, Mar 2, 2003.

Thread Status:
Not open for further replies.
  1. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Like others have mentioned, I do not like the idea of an auto update that I can't turn off. Zone Alarm and myself have suddenly become incompatible. The problem is, it is the only firewall I have ever used, so I don't know diddley squat about rules creation.

    Installed Kerio after disabling ZA, went through all the configuration options and it created a few basic default rules. I then got online and started all of the applications that I would ordinarily use or update through their built-in updaters, allowing Kerio to create rules for each in turn (learning mode). After finishing with this, I set Kerio to its highest security setting, therefore blocking all other traffic (as I understand it). Went to the PC Flank site and ran the quick test, advanced port scanner, and exploit tests. Passed everything, no problems. So why don't I feel secure?

    The problem is I don't understand what I am doing. I have read a lot of info from posts here and SpywareInfo site, plus looked at the provided links in the various threads. I understand how to use the program. I do not understand the whys and wherefores behind the creation of the rules. In the screenshot attached are the basic rules created by Kerio. I do not know if they are good as they are, or should be edited. Looking at some of the screenshots in other threads, people have far more rules, so I can't believe that I am good to go as it stands now. I realize that if something is not working, that I may have to add a rule or edit an existing one in the future.

    Concerning the apps that I allowed Kerio to create rules for on an individual basis, some apps needed two rules (TCP and UDP). Some of Javacool's apps are an example of this. I understand the "deny if you are not sure" theory, but how are you supposed to know? I am not looking for an answer on a rule-by-rule basis. What I need is someone to point me in the right direction as to understanding why the rule needs to be created and being able to properly create the rule so that it fits my needs.

    I have no need to be on the internet. I do it because it is fun and I particularly enjoy the security aspect of it. If I do not acquire the knowledge to be comfortable with rule creation, it will not be fun anymore. I am drowning here, someone throw me a life line. Please!
     


  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  3. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Yeah, I just want to add some reinforcement to what CrazyM said in his reply. Now, he and I both use NIS/NPF and have earlier experience with AtGuard. CrazyM has experience with ConSEAL (which I don't).

    What's not well understood is that all of the rules-based firewalls pretty much work the same way. In other words, what's applicable to NIS/NPF/AG (or ConSEAL) is largely just as applicable to Tiny/Kerio, Outpost, Sygate, or LooknStop. Oh, sure, there are some subtleties that are applicable to one that aren't applicable to the others.

    For that matter, ZA Pro is now getting rather close to being a rules-based firewall.

    So, for many of the rules-based firewalls, it can easily come down (primarily) to a question of which user interface you find yourself most comfortable with. Secondly, it can come down to an issue of which software firewall provides help files, user documentation, and tutorials that make the most sense to you -- personally. Until you've got these issues in hand, I question whether getting into the esoterica of what specific add-ons are present in one software vendor's firewall, but not another's.

    For the most part, any of the guys here that use software-based firewalls (from whatever vendor) can provide assistance to you when and if you need it. Sure, we all have our own preferences, but you really don't need to worry about that.

    Just "Ask" and "It shall be given." Okay?
     
  4. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    http://itsec.commontology.de/firewalls/lns/lns-rules.html
    Take a look at each rule listed there and you will quickly understand how rules are made.

    You can make your rules as tight as you want.
    For example, each client can be limited not only to ports, but also to IPs.
    Emailers, for example, use ports 25 & 110 and you can restrict those ports to certain IPs.
    You could even restrict port 80 to each site you go to if you wanted, but that would be paranoia to its extreme (no one has to be like me :D )
     
  5. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Thanks for the info and links provided. It is much appreciated.

    CrazyM, yes I had already seen that information, but went back and reread and even printed your contributions for further study.

    My take on all of this is that you need a working knowledge of the various protocols or services, etc., in order to make an intelligent decision concerning deny or permit. I firmly believe that in order to "fix" something, you have to know how it works first (ignoring blind luck for this discussion). While I may recognize the terms used, I do not think that I know enough about the inner workings to make rules for the various protocols. What appears to be common knowledge for many of you is a foreign language to me. Making a rule is simple. Knowing why I need that rule, what ports to permit or deny, which internet addresses should be allowed or excluded, all are questions that I cannot answer.

    Having said all of the above, I do have a couple of questions concerning the basic setup described in my first post. Passing all the tests thrown at it would seem to imply that it is a reasonably secure setup. Judging by all of the additional rules everyone apparently uses, the basic setup would seem to be sadly lacking. Are these tests worth the time it takes to run them? Or is it that most of these additional rules are for things that would not necessarily apply to the testing being done?

    Thanks again.
     
  6. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Vietnam Vet.

    When you add a rule you can check the boxes at the bottom for "log when this rule matches" and "display alert when this rule matches".
    That may help.

    I watch for rule suggestions when I'm at any security forum and then decide if it's something that I want to add.

    I have the administrative panel set to "ask me first". I'll keep it set that way until I'm comfortable with "deny unknown".

    I'm not an expert.
    I'm new to rules based firewalls myself.
    The people that use Kerio have been a major help to me.
     
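To make the mechanics behind MickeyTheMan's and the Tester's posts concrete, here is a toy rules-based packet filter written for this thread. It is an added example, not code from Kerio, Tiny, NIS or any poster: it models a rule as application + direction + protocol + remote ports + remote addresses + a "log when this rule matches" flag, walks the list top to bottom with first match winning, and falls through to a default action ("deny" for "deny unknown", "ask" for "ask me first"). The application names, the mail-server range 192.0.2.0/24, the resolver 192.0.2.53 and the other addresses are constructed for the demo; the UDP/DNS rule is an assumed illustration of an app needing both a TCP and a UDP rule.

```python
# Added example (not the thread's or any firewall vendor's code): a toy
# rules-based packet filter. Application names, the 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    app: str            # local program that owns the socket
    direction: str      # "out" (we initiate) or "in" (remote initiates)
    proto: str          # "tcp" or "udp"
    remote_ip: str
    remote_port: int


@dataclass
class Rule:
    name: str
    action: str                           # "permit" or "deny"
    app: Optional[str] = None             # None matches any application
    direction: Optional[str] = None       # None matches both directions
    proto: Optional[str] = None           # None matches tcp and udp
    remote_ports: Tuple[int, ...] = ()    # () matches any port
    remote_nets: Tuple[str, ...] = ()     # () matches any address
    log: bool = False                     # "log when this rule matches"

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.app is not None and self.app != p.app:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.remote_ports and p.remote_port not in self.remote_ports:
            return False
        if self.remote_nets and not any(
            ip_address(p.remote_ip) in ip_network(n) for n in self.remote_nets
        ):
            return False
        return True


class Firewall:
    """First matching rule wins, top to bottom; no match falls through to the
    default ("deny" = 'deny unknown', "ask" = 'ask me first')."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default
        self.log: List[str] = []

    def evaluate(self, p: Packet) -> str:
        desc = f"{p.app} {p.direction} {p.proto} {p.remote_ip}:{p.remote_port}"
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.name}: {r.action} {desc}")
                return r.action
        self.log.append(f"no rule matched: {self.default} {desc}")
        return self.default


def build_ruleset() -> List[Rule]:
    return [
        # Mail client: SMTP (25) and POP3 (110), only to the provider's mail
        # servers (192.0.2.0/24 here; a real rule would name the ISP's hosts).
        Rule("mail out", "permit", app="mailer", direction="out", proto="tcp",
             remote_ports=(25, 110), remote_nets=("192.0.2.0/24",), log=True),
        # Browser: HTTP/HTTPS to any address. The "restrict port 80 per site"
        # variant would add remote_nets here.
        Rule("web out", "permit", app="browser", direction="out", proto="tcp",
             remote_ports=(80, 443)),
        # Assumed second, UDP rule for the same program (the "two rules,
        # TCP and UDP" case): DNS lookups to one resolver only.
        Rule("dns out", "permit", app="browser", direction="out", proto="udp",
             remote_ports=(53,), remote_nets=("192.0.2.53/32",)),
        # Explicit, logged catch-all for unsolicited inbound connections.
        Rule("block inbound", "deny", direction="in", log=True),
    ]


def demo(default: str = "deny") -> dict:
    """Run constructed packets through the ruleset; returns decisions and log."""
    fw = Firewall(build_ruleset(), default=default)
    cases = {
        "mail_to_isp":      Packet("mailer", "out", "tcp", "192.0.2.10", 25),
        "mail_elsewhere":   Packet("mailer", "out", "tcp", "198.51.100.5", 25),
        "mail_wrong_port":  Packet("mailer", "out", "tcp", "192.0.2.10", 80),
        "web":              Packet("browser", "out", "tcp", "198.51.100.80", 443),
        "dns":              Packet("browser", "out", "udp", "192.0.2.53", 53),
        "dns_other_server": Packet("browser", "out", "udp", "198.51.100.53", 53),
        "unknown_app":      Packet("updater", "out", "tcp", "198.51.100.7", 80),
        "inbound_scan":     Packet("svchost", "in", "tcp", "203.0.113.9", 135),
    }
    results = {k: fw.evaluate(p) for k, p in cases.items()}
    results["log"] = fw.log
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The point to take from the run is the one raised in the thread: a permit rule is only as tight as the fields you fill in. The mailer is permitted to 192.0.2.10:25 but denied to the same port on 198.51.100.5, the browser's UDP rule only reaches the one resolver, and anything no rule mentions (the "updater" program) hits the default, which is where "deny unknown" versus "ask me first" makes its difference. Switching the default to "ask" (`demo("ask")`) changes only those unmatched cases.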
  7. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Nam Vet. You said you use the net for fun, not as a necessity and I do too. Gotta do something to get the taste of that Saigon tea outa your mouth, eh?
    A couple of years ago, I got interested in security and kind of made it a hobby. When I started, I had no training in computers or security. I just learned it one piece of information at a time. I do not consider myself a security expert by any stretch of the imagination, but it no longer is that scary green monster it used to be.
    If you haven't read How Firewalls Work, it is an interesting read.
    Since you seem to have your firewall at the point where you have basic protection, you can now start asking questions about specifics, one or two rules at a time, and mention you want to know why a rule is made a certain way.
    I find it very enjoyable learning security at my pace. I will not get frustrated by trying to understand it all at once. It ain't gonna happen.
    One last thought. I find Google a tremendous resource of information. For instance, you can take something like TCP, do a search and start checking out the articles. Soon, you should come across one that starts at your level and explains from there.
    Hang in and enjoy the ride. :D
     
  8. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hi Tester and root,

    Thanks for the additional replies and encouragements. Just as kind of an update to my situation, I am using ZA right now simply because I do not have time during the week to experiment and learn much. 22 of the 24 hours a day are already accounted for and I regularly visit 6 different forums, 3 of which are very active. As you might guess it is almost impossible to keep up with that during the work week. Will switch back to Kerio this weekend and follow up as many leads as possible in the learning process.

    Will not be using Kerio on a fulltime basis until I feel comfortable with it. Will hold off on any specific questions until I have time for experimentation and testing because to be honest this is all creating far more questions than it is answers.

    Once again, thanks for all help offered. :)
     