Total disappointment on firewall situation

Discussion in 'other firewalls' started by Hyperion, Nov 6, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I like Kerio 4.2.2 also and run it here sometimes. It does add a few features that can be useful, and it seems to have good SPI and otherwise do well.

    Memory usage however was a consistent 26mb here total, that is the service and the 2 gui processes combined. That is nowhere near Kerio 2's 5mb, so if one is looking for 'light' and not bloat, then Kerio 2 is the clear winner.
     
  2. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Kerio 4.2.2 still has freezing issues with high traffic. I went to check in the Kerio forum a while ago.
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Ok, will do so right now...
     
  4. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    CHX seems to work... I have a LOT of UDP packets rejected because they are fragmented, which passed through Kerio... :eek: :ninja:
     
  5. Arup

    Arup Guest

    Not only does CHX work, it has no slowdowns. I have a router and therefore have compared speed impact; as a matter of fact, I am now on CHX exclusively and have bridged the router to make it into a regular layer-I modem. With Kerio 2.15 for outbound, it makes a fantastic combination.
     
  6. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Yes indeed. Kerodo was very kind to help me with questions I had in PM. It doesn't cut speed at all and gives you a second layer of defence. My plans for a router are postponed indefinitely after trying this combo. It really makes you feel much safer, with no speed or resource impact.
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Leaving aside what is recommended by vendors and others, if you feel you need to run two software firewalls, that implies that one, or both, does not do what is expected. Is running two applications to do the same function a viable and safe solution?

    While the odd fragmented packet may be getting through, are they malicious or just part of your day-to-day network communications? It is unlikely most home users are going to see a directed attack involving fragmented packets.

    Regards,

    CrazyM
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Not arguing the effectiveness of CHX-I or Kerio, but from a layered approach to security, why would you forgo what the router has to offer as a stand-alone device and rely strictly on your system?

    Regards,

    CrazyM
     
  9. Arup

    Arup Guest

    CrazyM,

    My router would work fine until I opened up a high number of connections with P2P apps; then it would simply hang. I checked through the forums at DSL to find out I wasn't the only one with this bug; it affects different brands of routers as well. Also, my ISP requires PPPoE and my router's implementation is pretty flaky with frequent disconnects (could also be a poorly configured ethernet from the ISP's side), so I would rather use RASPPPoE, which works out fine. Also, CHX has never yet let me down, even from my dial-up days, so I guess I see no harm. My router would let UDP in from solicited connections; in the case of CHX, I have to make rules for it, which I find much better. Also, the router allows remote admin through 192.168.1.1, so keeping my PPPoE password secure inside my PC is far better than letting a hack extract it by remote admin to my router. As a backup, I have Harden IT and Samurai applied, so even if in a rare case CHX gets disabled, I am still protected.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    CrazyM, I agree with you there; in this case the one that's not living up to expectations is Kerio 2, and the fact that it allows fragmented packets through, which is concerning Hyperion.

    Ordinarily, I would say yes, don't run 2 firewalls simultaneously. It is known to cause problems. In this case however, I have tried the Kerio 2/CHX combo for quite a long period of time, and had no problems. Others have as well, without any problems. So I believe in terms of cost and resource usage, this is indeed a viable solution for Hyperion, since he is a student now and does not wish to spend money on a router or pay for a product if it's not necessary. RAM use is as low as you can get at a total of 9mb for both combined. He testifies that speed is unimpaired, particularly in p2p applications, which you cannot say for many of the other firewalls, paid products especially included.

    So although it's surely not the ideal solution, it does work, and that is more than you can say for some of the other solutions. This of course, is all just my opinion, so others are welcome to agree or disagree as they like. :)

    In my own case, I chose to run a router with a software firewall behind it for best protection, and that is what I would ideally recommend for most.

    True, and agreed..
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are 2 reasons for this:

    The first is the addition of "necessary" process monitoring/control features to block leaktest/malware techniques of piggy-backing on trusted software (using methods like DLL or code injection). Firewalls now have to be able to identify and block (or at least alert you to) such attempts and this carries overhead.

    The second is that the problem may not be firewall-related at all but due to any anti-virus software on your system. Most firewalls produce logs and, unless configured otherwise, anti-virus scanners will keep rescanning these logfiles, slowing the firewall down. The kicker is that the CPU consumed during such scans is shown by Windows as being used by the firewall, since the anti-virus scanner is "hooking" into Windows file-access routines to intercept reads and writes, which means the parent process is held responsible for the extra processing involved.

    Therefore firewalls that log more will appear to use more CPU, but exempting their log files from scanning will remove this (it should be perfectly safe since logfiles should never be run as programs).
     
  12. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Most of them must be, because I tested the stability of this combo with p2p (which for me is the ultimate stability test for firewalls), so you are right. Nevertheless it proved to me the fragmentation issue on Kerio 2 and that CHX catches them.

    Yes. If I had to, I would buy the router. In fact, before you posted on how CHX is free, I went to check prices for routers. But since this is working fine and I like light programs that don't slow down the PC or browsing, and since I'm a university student (and most books cost min. 50 Euros each = the price of a cheap router, and up to 160+ Euros in the case of 2-volume books), I can use the money I would give for the router elsewhere without feeling that I have a hole in my protection. And I let it be tested with p2p overnight and there was no problem. Other firewalls (like past editions (4.x, 5.x) of ZA or Kerio 4) would either freeze or BSOD or provoke a memory leak after so many hours. So maybe it's not the perfect solution, but as Kerodo says, it works well enough. And to this day, even if I've been more than a year with Kerio 2, I'm still unhacked, and I'm not an imprudent user anyway. I know people with routers that are full of trojans simply because they download anything. In the end, I have RegProt, AVG, Kerio 2, WinPatrol and CHX-I as residents and it's a VERY light setup. Plus I have a2Free, Ewido and AntiVir as backup. I delete all unknown mails at the server through PopTray and the only virus I got in the last year was the usual ByteVerify Java one that is cleaned easily by emptying the Java cache. I use Firefox and I avoid suspicious sites. I could also use NIS2005 instead, but why bloat my startup?

    Even without a router, I'm safer than other people I know and I can spare the money for a book or something else. If I do get instability despite the first impressions, then I will buy the router and finish with this story once and for all. But for the time being, this combo is good enough for me. In the past I also had for some periods SSM, PG, Winsonar, and Abtrusion Protector, but apart from my paranoia, their only use was to increase my clicking reflexes to "Allow" and the only victim was my nervous system. I also bought KAV 4.5 once, because of the very good things I was reading about it, but I saw that again, I don't get infected so easily, so as soon as I learnt about the ADS I uninstalled it and went back to free AVs. In the end, I realised that for what I do and the way I use the internet, I can have good defence with no money.

    The router would have been necessary without CHX-I, since I don't feel comfortable with Kerio 2 letting these UDP packets through. But now, I think I can save the money till something else is needed or a really good firewall comes out, which would allow me to drop both Kerio and CHX, and then I would be glad to pay for it.

    Yes... But I would have preferred a different application to do that. Apart from the fact that in real life on my PC I have never seen any DLL injection. That's why I'm quite happy with Kerio 2's simple MD5 match control. The worst months I had with my PC were after I read about the "Beast" and was running SSM and AP at the same time. And for what... If I am such an idiot as to download the Beast in the first place, then I deserve to be hacked. That's how I see it now. Apart from the fact that you get so many daily alarms about legit operations that, speaking for myself, I doubt that after this "use" of seeing alerts for months I would understand the difference between an alarm for a malicious DLL injection and a legit one.

    This is a very interesting thing to know, thanks. Anyway, right now I don't have such a problem.
     
  13. Arup

    Arup Guest

    Hyperion,

    Glad you are enjoying CHX. I have been using it since it came out, and that too thanks to Kerodo for referring it to me. If you are doing P2P, I would suggest the addition of an IP blocker like Peer Guardian, Protowall or Vampeer for the final layer of safety; there is also a way you can incorporate IP blocking with CHX and Snort, but it's a bit complex for first timers.

    As for the router, as you can read in my previous post, my router is now bridged and acting as a modem and I have left all the firewalling to CHX. For outbound, I just use Antihook. I also run Netmeter, which is similar to DU Meter but free; this gives me an active indication of inbound and outbound traffic, so in case I am not surfing or downloading, I have a good idea if some app is sneaking behind my back and connecting to the net. I then use TCPView to check for connections.
     
  14. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Thanks Arup, I've been using Peer Guardian for a while, but it's not convincing me of the effectiveness of its purpose. I mean, IP block lists are good, but one can use an "innocent" IP from home and bypass all Peer Guardian lists. And in any case, I'm a sporadic p2p user and usually search for really old stuff (80s) that I can't find in real life and that nobody cares about.

    I also use something similar to Netmeter ("DLULMeter", discontinued about a year ago, but does the same job) and I use it too to see if everything is "0" when I do nothing ;) I haven't tried Antihook, but from what I've read it's PG-like and I don't want to mess again with "allow", alerts all the time, etc.

    Thanks for the tips.
     
  15. NewBartUser

    NewBartUser Guest

    Hi... Why wouldn't you try getting back to smaller, simpler, lighter ZoneAlarm versions, say something like ZA 2.6!? I'm on WXP and it works very smoothly and fast and excellent. What do you think of it?

    Of course, it's probably less armed to fight against leaktests, but I don't know...

    What do you think?

    Cheers
     
  16. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Well, I think that since 2.6 there were some vulnerabilities fixed, and right now Kerio 2 + CHX run fine and secure, so I'd rather not make further experiments. Thanks for the help though.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hi,
    Another 80s' child, I see...
    You should try Hungarian mime b&w porn from 20-30s in p2p, find resources for that!
    Mrk
     
  18. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Glad to see I'm not alone, and I see you're a true connoisseur in your sector, so I'll follow your advice!!! I've found till now even the Battleship Potemkin and the 1934 Holmes The Sign of Four. True jewels. Not to mention Citizen Kane!

    Thanks a lot!
     
  19. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The problem with the firewall business is that once their initial basic "firewall" product is finished, there isn't much room to grow to show how much better your product is than another. How many ways are there to show your firewall is better than a competitor's if you both block packets and control applications? The GUI? Logging? Well, those were the first 2 things improved, and when they ran out of things to improve they started to go into other security areas thanks to leaktests and malicious software.

    The extra security most firewalls have now added doesn't really compare to dedicated packages (with some complicated exceptions) and most of them you will have a hard time disabling from the core firewall. I tried every major firewall when testing the latency they added to packets, and it was really quite bad how companies which produce the "biggest" and most popular firewalls were the worst culprits of bloat and latency. Even when disabling every single feature that wasn't needed to run the firewall(s), it was still just as bad, which indicates poor design. Most people won't notice the latency they add to packets, and maybe that means these firewalls are ok for these users, I don't know.

    All I know is that I personally have a problem with bloat and packet latency. I would never run any firewall on Windows which isn't the Windows XP built in one, or my own firewall GhostWall. These 2 firewalls are the only ones which I have recorded as adding almost negligible latency and bloat to your system. I have tested with 2000+ connection stress tests with both of these firewalls and they handle it very well. Whereas you will bring your computer to a grinding halt doing this with a big brand firewall.

    Routers are another good choice for latency, but a lightweight software firewall on today's CPUs can usually be faster at processing packets than a router. Of course, with a router you don't need to run any software at all on your PC, so you save some resources in that regard.

    GhostWall has replaced the Windows XP one on my machine due to issues I was having with it, and the fact that I prefer the logging and other options of GhostWall. That was the main reason I wrote it actually, because it works across every Windows operating system after Windows 2000 (standardizes the rules) and saves you having to run the "application layer gateway" service on Windows.
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hi,
    Citizen Kane is excellent.
    BTW, I also love the old Frenchies from the 50s and 60s, especially their comedies. Having trouble finding the resources... :(
    Mrk
     
  21. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    @JasonR0:

    I agree with what you say about competition and marketing that forces the vendors to always add more "features". But in the end, there ARE some unhappy customers too (for example, think of how many even in this forum still use Kerio 2. In an Internet café I know they still use it on all PCs). Then personally I've an odd ISP. There are days that you can feel the sudden speeding up in browsing. But most days, there is an initial lag, and then suddenly it goes up to 30kb/s or more and loads the page. Now, as you say, with different firewalls, there is even more latency. Sometimes I can "feel" the browser "struggle" to get past that initial latency and go to the "boom" phase that peaks suddenly at 30kb/s or more. That's why I still use Kerio 2 + CHX-I. I also tried your GhostWall and indeed, it's very light and reactive. If you ever decide to put in a simple application control, I'll dump Kerio 2 the next day and install GhostWall.
    Just look where this "my features are more than your features" has ended. ZA is still buggy and hordes of people are using older versions or abandoning it. Kerio finally realised the mistake of the experiment called Kerio 4. Sygate was absorbed by Symantec. Seems like in the struggle between them, the big guys mortally wounded each other...
    Anyway.

    @MrkVonic

    As much as I like French comedies too (Fernandel, Louis de Funès), the problem is I don't speak French, unfortunately. When I was a kid I could choose between learning Italian and French; I chose Italian, because it was easier to learn :D I like old Italian cinema too, but I would have preferred the French one... Lucky you.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hi,
    I don't speak French. I know some Italian, though. And some other languages. I download subtitle files and watch the movies in BSplayer. I did it successfully with a load of languages, including Chinese movies.
    Mrk
     
  23. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Nice post :)

    Did you try the excellent CHX in your latency test?

    Regards
     
  24. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    IMHO - as far as outbound protection goes (and beyond simple application/port filtering).

    A LOT of security risks can be removed by correctly configuring and securing your OS. It does take a lot of time and knowledge to secure a Windows NT OS, but it is possible to prevent a LOT (even all in a given real-world situation) of what software firewalls CLAIM to do.

    ALSO - this is something I have an issue with... surely it's easier and safer to detect and stop a nasty running on your machine (via a malware scanner) than letting it run on your machine and stopping it connecting out to the internet. The effort to detect via signature (even heuristics/patterns) is much less than stopping it via deep leak-security outbound protection AND having that outbound protection driver/app up to date enough.
    YES it is another layer of protection, but IMHO I feel it's not effective enough to be worth using leak-security outbound protection.

    PS I do understand there are rare cases where people do need/want the control of outbound protection (I have a controlled environment for testing).
     
  25. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    No, I haven't tried that firewall. Next time I am doing some tests for the next version of GhostWall I will have a look at it. It looks like it tries to be minimalist also, although it doesn't appear to have a Windows XP64 version.
     