Are these 2 fw still useful?

Discussion in 'other firewalls' started by operafox, Feb 22, 2006.

Thread Status:
Not open for further replies.
  1. operafox

    operafox Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    24
    Hello...

    My question regarding the free KERIO 2.15 and OUTPOST 1.0.1817 is: are these two firewalls still useful, or are they dangerous because of certain flaws? If so, which ones?

    Asking that because I tend to see those on some friends' machines because they're easier to use than more recent pro versions.

    Thx ;)
     
  2. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Kerio, YES. Outpost 1.0 version, NO.
     
  3. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    I'll second hollywoodpc's opinion. Kerio 2.1.5 is still a solid dependable product, whereas I've found Outpost v1 to be far less stable (and obviously lacking in process control). That is, of course, merely my own opinion as garnered by testing both apps on several different systems.
     
  4. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Another vote for Kerio 2.1.5 and another vote against Outpost v1 (it's sorely in need of an update).

    Alphalutra1
     
  5. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    715
    Location:
    Blasters worm farm
    I use KERIO 2.1.5 and it's never let me down :)
     
  6. herbalist

    herbalist Guest

    Kerio 2.1.5 is a very compact rule based firewall. No extra bells and whistles but it's very effective. Been using it for several years and it's done better than any other firewall I've used. It's especially good on the older systems that don't have a lot of RAM or disk space.
    Rick
     
  7. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,339
    Location:
    Adelaide
    I used Kerio 2.1.5 for quite a while but after reading about the fragmented packets issue I stopped using it. I'm now using the Windows Firewall to great effect.

    I must admit, I miss Kerio 2.1.5 and its light footprint. If I was to be convinced that the fragmented packets issue isn't such a big deal, I'd probably use it again.
     
  8. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    If you are familiar with Kerio 2.1.5 and consider switching to another one, then you won't have too much trouble switching to TF2005 pro (at least the firewall part of it is also rule based). Unfortunately it is not free. I made the step from Kerio 2.1.5 to TF a long time ago and still do not regret it. With TF you also get IDS/IPS (intrusion detection and prevention) and Windows Security (sandboxing). Especially the latter gave me some headaches in the beginning.
    Ciao
    Itsme
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The frag packet issue is not such a big deal, and the truth is, you're not likely to ever be affected by it in any way.. Kerio 2 has a one-of-a-kind interface and if you like it, I'd just go ahead and use it if I were you.. just my 2 cents..
     
  10. trickyricky

    trickyricky Registered Member

    Joined:
    Mar 27, 2005
    Posts:
    475
    Location:
    London, UK
    My 2 cents are the same as yours ;)
     
  11. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    You always can use CHX-I to stop all fragmented packets. It has always worked well for me. Also, I think there is a registry hack that prohibits all fragmented packets from being assembled, which renders them useless.

    Alphalutra1
     
  12. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
  13. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I already knew this ;) . I was referring to solving the old version of Kerio 2.x.x's fragmented packet vulnerability. It hasn't been in development for over three years now.

    Alphalutra1
     
  14. herbalist

    herbalist Guest

    Instead of switching to a combined firewall/process control suite, I kept Kerio 2.1.5 and added System Safety Monitor. IMO, keeping the firewall and HIPS separate is the better option. When combined into one suite, it becomes possible to attack a weak point in the suite and crash all of it. This has happened with several security suites. When a firewall is used with an app like SSM, it can be set to keep the firewall in memory, automatically restarting it if someone manages to terminate it. An attacker would have to either attack both simultaneously or find a way to bypass the firewall and execute some kind of code that SSM wouldn't detect and stop. This would be no easy task.
    Regarding Kerio 2X and fragmented packets, there's really just one question to answer:
    What can an attacker do with these fragmented packets?
    If the fragmented packets don't manage to perform some task or assemble into something executable, they accomplished nothing. If Kerio is backed up with SSM or another equally effective app, any new code trying to execute should be detected and stopped. SSM lets you define what every executable can and cannot do, what other processes it can start, and what it can't.
    Let's assume that an attacker has managed to pass enough fragmented packets thru Kerio to execute a malicious command, and has chosen what app or system component he wants to use for this. If this application or component isn't specifically permitted to perform this action (like editing the registry, terminating a process or deleting a file), SSM will not permit the process to execute. There wouldn't be much an attacker could do with this exploit unless he can kill SSM right off. IMO, the combination of Kerio 2x and SSM makes fragmented packets a non-issue.
    While SSM is still beta software, it's nearly ready for release. Unlike the equivalent available programs, it does run on 98 and ME without loading down the system. Combined with Kerio 2.1.5, it represents a formidable security package that solves most of the vulnerabilities normally associated with these systems and gives you a level of user control they never had before.
    Rick
     
  15. operafox

    operafox Registered Member

    Joined:
    Feb 21, 2005
    Posts:
    24
    Thanks for all your answers guys.
    Do you think using HardenIt can compensate for the Kerio's fragmented packets problem if used in conjunction with it?

    Cheers
     
  16. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I think HardenIt performs the memory tweak that drops fragmented packets without assembling them, so yes, it would work ;)

    Alphalutra1
     
  17. Hulk

    Hulk Registered Member

    Joined:
    Aug 25, 2005
    Posts:
    40
    I use Kerio 2.1.5 with a router with a built-in firewall and no probs whatsoever. A lot of people will tell you this version is of no use to anyone because it is old and has had no updates for a while, but I would suggest as long as you are careful on the net and understand basic rules and configurations you should be OK. As far as HardenIt goes, I have never tried it. If you want to tighten Kerio up a bit you can also use Sponge's Kerio firewall list from here http://www.geocities.com/yosponge/updates.html. Hope this helps and good luck.

    Thanks
     
  18. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Do not recommend Sponge's ruleset at all. It is trying to take the place of a HOST file, and will slow Kerio down (you can't create any more rules in Kerio because the stupid ruleset has so many rules that can be easily replaced by a HOST file, it's also faster). Instead, use Blitzen Zeus's here http://www.dslreports.com/forum/remark,8023708 . Highly regarded among that forum, and has always served me well. I use it as the basis for all the rulesets I create in all the firewalls I have tested (too many, trust me ;) )

    Alphalutra1
     
  19. Hulk

    Hulk Registered Member

    Joined:
    Aug 25, 2005
    Posts:
    40
    I'll give it a go, but granted, yes, when I used Sponge's I did notice a slight slowdown. Saying that, I don't use the rule set myself any more as I hide behind hardware.

    Thanks
     
  20. herbalist

    herbalist Guest

    Kerio 2.1.5 should not slow you down at all, even if your system is old. I use it on win98 and my internet speed is slightly faster than it is when I'm not firewalled. It's not a big difference and it wouldn't be noticeable at all if I wasn't on dialup, but my speed definitely increases slightly. Best I can tell, this is because my bandwidth isn't being consumed unnecessarily by system components, like windows explorer does on an internet shortcut to give that little preview and other equally useless items.
    Using someone else's ruleset does have some disadvantages. It will likely contain rules that don't apply to your operating system. If you're using any software the maker of rules wasn't, you'll still have to add rules for them. The DNS rules won't be matched to the specific IPs used by your service. Kerio also keeps track of the MD5 signatures of the internet apps on your system. Many of theirs won't match yours. Expect alerts for all that don't.
    Using a compiled ruleset like that is a good starting point. Just don't treat it as a finished product. They are also good material to study thru to help you determine just what needs to be permitted or blocked, but with many applications, it will take trial and error to make them match your system and needs.
    Rick
     
  21. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Herbalist, Bz's ruleset comes with no application rules, and only requires tweaking of the DNS rules, so it is basically a finished product with only the minor tweaks depending on your situation. That is why I recommend it so much :D

    Alphalutra1
     