Not understanding firewalls

I'm not sure I know enough to ask a decent question, but I thought that a firewall's function was to allow/block traffic. I don't understand what changes are needed to keep one up-to-date so that it remains effective.

I use LnS and Kerio 2.1.5. As far as I know nothing has changed with LnS since I first used it several years ago. Kerio has not been supported in years. Yet they remain effective as far as I can tell on my machines. If they block all traffic except what has been approved what is needed in the way of a change?

Hope I have made some sense.

Best,
Jerry

 

Bugs/vulnerabilities fixed and more features
That´s common to all signature-less security software.

 

Besides what's been said above, it depends on what you want the firewall to do. Many don't care about outbound control and the Windows XP firewall is great for them. If you want outbound control, does that version of Kerio understand the new OS vulnerabilities that have been introduced since it was last updated? Do the new leaktests get around that version due to this? Do leaktests even matter to you?

What about malware that has been designed to target firewalls and terminate the port control portion but leave the GUI unaffected. Can Kerio stop this type of termination? If Kerio is terminated, what does Kerio do - lock down the ports so no communication can take place or is it wide open such that the malware can operate freely on the PC?

It depends on what the user wants or considers possible on the PC they are using and other programs that are operating to supplement the firewall's capabilities whether it really matters.

 

~removed quote from post just above, Stem~

Hi Mem,
Thanks for the response. However, I don't know enough to answer questions. I am hoping someone will give me reasons that firewalls need to update, or direct me to a site that would provide that information.

I would like to hear from someone who has had such things as you mention actually happen to them. It seems that Kerio 2.1.5 is still used by some, and I would like to hear if anyone had it compromised. It seems to pass leak tests, at least GRC.

LooknStop is still often recommended, and I do not know of any change since I have used it.
How is it that the two mentioned are still used, and evidently without problems?

I might add that I am behind a NAT, but that is fairly recent.

Regards,
Jerry

 

Kerio 2.1.5 has no HIPS/tampering abilities. It only checks the name of the executable, the path and the hash/checksum (MD5).

You can add a full HIPS like SSM/PS/PG/AD (all have liteware versions) to address Kerio´s weaknesses.
However, I´ve read about some malware that install their own network stack, so all firewalls can be bypassed.

 

I'm a long time Kerio 2.1.5 user. It's never let me down in any way.
A packet filter like Kerio 2.1.5 still works because the internet apps still use the same system they did back when it was released. IP addresses, ports, protocols, basic internet structure haven't changed. When IPv6 (internet protocol version 6) becomes the internet standard, then Kerio 2.1.5 will cease to be useful. Until then, it's an effective firewall.

The term "firewall" has been changing to encompass more than just filtering and controlling internet traffic. Applications that are called a firewall are actually multi-function security suites. Besides controlling internet traffic, the firewall suites now control running processes, detect hooks or DLL injection, control popups, monitor the registry, and a host of other functions. Most of the time, it's these other functions that require the updating. Security-ware has greatly increased in complexity over the last few years. The typical or average user either doesn't know how or doesn't want to take the time it requires to learn enough to assemble an effective security suite from separate components. It's not the simple task it used to be, before everything used kernel hooks leading to potential conflicts at the systems core. The typical user just wants to install a security suite and let it deal with the problems. These need a lot of updating. Users who prefer to separate the firewall from the rest of their security apps are able to update only the components that need it. Separate components have several advantages over security suites with user choice and configurability topping the list.

You have to decide what you want from a firewall. If you're comfortable with assembling your own security package and don't require everything to be together, you can stay with an effective firewall like Kerio 2.1.5 until IPv6 takes over. I'm not looking forward to replacing it, but the day will eventually come.

The combination of SSM and Kerio 2.1.5 is an extremely effective package that's very light on a systems resources. They're an excellent choice for users who are comfortable with rule based security software. For users who want self configuring security-ware, they're the wrong choice. SSM and other HIPS software can prevent malware from installing that network stack. Malware that can't run doesn't install anything. With security packages like this, on which the different tasks are separated, they not only complement each other, they can defend each other, much more so than when they're part of the same suite and potentially vulnerable to a common exploit.
Rick

 

Rick,
Thanks, that is helpful. I suspected that firewalls were more that just firewalls as I think of them. They also seem to cause many problems with conflicts that firewalls like Kerio do not. Evidently they require a lot of rules.

Unfortunately, so many of us will never take the time to understand all the ins and outs of the firewall so that we can make all the rules. I really need as much an install and forget firewall as I can get that is reasonably effective.

Some of my security applications alert with statements like "an application from xxxx us trying to connect to port xxx owned by ssss. Allow?"
I don't have a clue what that is all about, unless I am doing something that clues me as to why the alert. I wish it would be more specific so I could make a more intelligent decision.

Best,
Jerry

 

Yes, a brilliant combination. You can use SSM paid (not sure about the free version) to protect your firewall from termination, suspension, remote code control and data modification attempts, as well.

 

Nice Kerio 2.1.5 tutorial

 

Printing. Thanks. I've been looking for a systematic approach on all this. Maybe i'll install Kerio. I want to learn.
Thank you!

 

Glad to help you

 

Thanks for the help. That is an excellent tutorial.
Best,
Jerry

 

The free version doesn't include termination protection for selected apps but it does intercept a processes attempt to terminate another. Process Explorer for example can't kill a process unless you allow it thru SSM. The free version also has a "keep process in memory" option that can be set for individual apps, which will restart them should they get terminated.
While being able to protect apps from termination is a good feature, it's actually somewhat redundant. A malicious process that terminates security apps wouldn't be able to run unless you specifically allowed it in the first place. It also couldn't execute any conventional "kill" command without SSM also intercepting that. Add the "keep process in memory" option and you already have 3 layers of protection against a malicious process killing another security app. I don't see why another layer would really be needed as the only way it could happen is if the user made at least 2 bad decisions answering prompts and didn't enable the protection already available in the free version. While the expanded control available in the paid version is useful, I can't really call it necessary. Terminate, suspend, and other such commands come from running process and the free version prevents that malicious process in the first place.
Rick

 

Am back to my trusted kerio 2.1.5 after 2-3 weeks of playing with Comodo.
It just started to act wierd with my system yesterday.
https://www.wilderssecurity.com/showpost.php?p=934067&postcount=19

I uninstalled it, cleaned what CCleaner found from my registry etc.
Still windows security center tells I have it "protecting me".
Does not bother me though, it is pretty dumb.

Anyways all seems well now. It was really easy to install kerio 2.1.5 back.
Just executed the file and loaded my configuration file back.

Jarmo

EDIT

I tend to not agree on Rich with making ruleset from blank. It is a nice web page though and many good information to read from there Someone.
Go to http://www.dslreports.com/forum/kerio
And download Blitzen's ruleset from that "default replacement" replacement sticky, the last one and tailor it to your usage. Save it on time to time with a different name, like date or whatever you wish. Just my opinion. Only if you are willing to take some time and study. It is not hard.
After you have learned all, you can put a password too. That only when it is not on day to day base to change the rules.

 

To clear Security Center from still reporting Comodo do this:

1. Open "Control Panel"
2. Select: Administrative Tools"
3. Select "Services"
4. Locate: "Windows Management Instrumentation", right click on it and click "Stop"
5. Go to the "wbem" folder (C:\Windows\system32\wbem)
6. Locate the "Repository" folder and delete it (ONLY DELETE THE REPOSITORY FOLDER!!)
7. Repeat steps 1 - 4 but this time "Start" "Windows Management Instrumentation". This will recreate the "Repository" folder.
8. Reboot

 

Thanks. I'll look into that
I'm happy with Comodo, it's a formidable install and forget. The thing is, the more i think about this, the more i want to learn, learn about networking, firewall rules, etc. Kerio seems more appropriate somehow, more mechanical, up to the user.

If i'm to switch some day to Linux, i must have this lesson . Enough playing with security proggies, more Firewall, the most important part of security.

 

Hi JerryM

May I ask what part of the firewall (say Look ‘n’ Stop) you basing your opinion on regarding nothing having been changed since ‘several years go’? Are you looking for changes specifically in the applications GUI, packet-filtering or application-filtering drivers, or all the above? I’m curious because Look ‘n’ Stop product has the entire time being maintained, in every area going, simply for starts look at the history section of the Look ‘n’ Stop help-file...

 

Hi Phant0m,

I am going by the indication that my copy is 2.05p2 Oct 5 2004. Maybe there was another version, and I updated/upgraded to the one I have now, and I do not remember. But nothing has updated for over 2 years at least.

Edit
In looking at the help file there were some updates prior to Oct 04. However, with all the changes in other anti-malware applications it does appear that there is much less need for changes in firewalls. I continue to wonder if firewall changes, with all the attending problems, are really necessary.

Thanks for some clarification.
Jerry

 

There is v2.05p3 – Sept 18, 2005 and different driver updates since then…

Visit the v2.05p3 sticky in the official Look 'n' Stop forum.

 

Thanks, will do.
Jerry

 

https://www.wilderssecurity.com/showthread.php?t=163492
i found this thread in the look n stop forum about the 2.06 version beta coming in less than a month hopefully.

 

A bit can be said in response to your original post, however regarding Application-filtering layers, I think things might begin to change at least with some software firewall products that do keep in mind of user’s system resources. Every time there is a new firewall leak demonstration utility, developers of software firewalls has to take time and research and find ways to battle these, you’ll find more of these leaktests are behaving more systematic then simply accessing network environment. Keeping that in mind, I think products like SSM will be recommended by more software developers and the focus placed elsewhere, areas in the firewalls development which is more firewall appropriate…

Just remember I haven’t mentioned a specific product, but I can bet that Outpost and ZoneAlarm products for instances aren’t going to drop battling everything that comes onto the scene.