Kerio 2.1.5 Test

Following my posting of the Windows XP2 Firewall test i decided to use the pcflank tests on my own firewall kerio 2.1.5 - which has recently replaced the windows firewall in my dialup setup. i would hope that kerio would return a performance at least equal to the XP2 firewall to merit it's inclusion in protecting my puter.

The results of Stealth Test

We have sent following packets to TCP:1 port of your machine:

* TCP ping packet
* TCP NULL packet
* TCP FIN packet
* TCP XMAS packet
* UDP packet

Here is the description of possible results on each sent packet:
"Stealthed" - Means that your system (firewall) has successfuly passed the test by not responding to the packet we have sent to it.
"Non-stealthed" - Means that your system (firewall) responded to the packet we have sent to it. What is more important, is that it also means that your computer is visible to others on the Internet that can be potentially dangerous.

Packet' type...........Status

TCP "ping"..............stealthed
TCP NULL...............stealthed
TCP FIN.................stealthed
TCP XMAS..............stealthed
UDP......................stealthed

Recommendation:

Your computer is invisible to the others on the Internet!

So a good result from the old timer kerio

 

Kerio 2.1.5 is a good firewall. I have used it in the past andit always performed just fine.

 

so it would seem BigC - i next performed the advanced ports scan using the TCP SYN scanning option (This technique is also known as "half-open" scanning, because the scanner doesn't open a full TCP connection. The scanner sends a SYN packet, as if it is going to open a real connection and waits for a response)

Results of Advanced Port Scanner

TCP SYN scanning (scanned in 73 seconds)

We have scanned your computer' ports used by the most widespread trojan horses. Here is the description of possible ports' statuses:

"Stealthed" (by a firewall) -Means that your computer is invisible to others on the Internet and protected by a firewall or other similiar software;
"Closed" (non-stealthed) - means that this port is closed, but your computer is visible to others on the Internet that can be potentially dangerous;
"Open" - Means that this port is ready to establish (or has already established) a connection with remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor.


Port: Status Service Description

21 stealthed FTP File Transfer Protocol is used to transfer files between computers

23 stealthed TELNET Telnet is used to remotely create a shell (dos prompt)

80 stealthed HTTP HTTP web services publish web pages

135 stealthed RPC Remote Procedure Call (RPC) is used in client/server applications based on MS Windows operating systems

137 stealthed NETBIOS Name Service NetBios is used to share files through your Network Neighborhood

138 stealthed NETBIOS Datagram Service NetBios is used to share files through your Network Neighborhood

139 stealthed NETBIOS Session Service NetBios is used to share files through your Network Neighborhood

1080 stealthed SOCKS PROXY Socks Proxy is an internet proxy service

1243 stealthed SubSeven SubSeven is one of the most widespread trojans

3128 stealthed Masters Paradise and RingZero Trojan horses

12345 stealthed NetBus NetBus is one of the most widespread trojans

12348 stealthed BioNet BioNet is one of the most widespread trojans

27374 stealthed SubSeven SubSeven is one of the most widespread trojans

31337 stealthed Back Orifice Back Orifice is one of the most widespread trojans

Recommendation:

All the ports we have scanned are Stealthed (by a firewall). So just continue following the fundamental security measures and regularly update your security software.

 

having got a good result on the first two tests i now proceeded to the exploits test.

i almost had secong thoughts when confronted with the following warning....

The test may take up to 5 minutes depending on speed of your Internet connection. If your system is unable to pass this examination the test should cause your computer to hang and/or necessitate the rebooting of your system.

well did i want to risk my puter crashing to see how secure it was? - i eventually decided to risk it but to run the tests individually rather than en-masse.

igmpsyn
targa3
fawx
kod
ssping
jolt2
twinge
moyari13
nuke
teardrop
nestea
land
synk4
opentear
stream
stream2
rfpoison
rst_flip
redir

suffice it to say my puter did not crash and for each test i received the message....Your system successfully defended itself from this attack!

All in all a very creditable performance from kerio.

 

Kerio 2.1.5 is great, except for one flaw which has been discussed at length in previous threads.. It allows fragmented packets thru without blocking or logging.

 

Hi Kerodo - yes i read your link to the discussion on the subject - i guess all firewalls have their strong and weak points - as far as the free firewalls go i think kerio 2.1.5 is good enough for the time being.

 

It is surely one of my favorites too.. And with a router, there's no problems at all. I still use it from time to time here myself...

 

i concluded the tests by running the trojan test....

We have scanned your computer' ports used by the most dangerous and widespread trojan horses. Here is the description of possible ports' statuses:

"Stealthed"(by a firewall) -Means that your computer is invisible to others on the Internet and protected by a firewall or other similiar software;
"Closed" (non-stealthed) - means that this port is closed, but your computer is visible to others on the Internet that can be potentially dangerous;
"Open" - Means that this port is ready to establish (or has already established) a connection with remote address. It also means that your computer is vulnerable to attacks and could have been already hacked or infected by a trojan/backdoor.

Trojan:................Port.............Status

Infector...............146.............stealthed
RTB666................623.............stealthed
Net-Devil.............901..............stealthed
Net-Devil.............902..............stealthed
Net-Devil.............903..............stealthed
Subseven............1243.............stealthed
Duddies Trojan.....1560.............stealthed
Duddies Trojan.....2001.............stealthed
Duddies Trojan.....2002.............stealthed
Theef.................2800.............stealthed
Theef.................3000.............stealthed
Theef.................3700.............stealthed
Optix..................5151.............stealthed
Subseven............6776.............stealthed
Theef.................7000.............stealthed
Phoenix II............7410.............stealthed
Ghost.................9696.............stealthed
GiFt...................10100............stealthed
Host Control........10528............stealthed
Host Control........11051............stealthed
NetBus...............12345............stealthed
NetBus...............12346............stealthed
BioNet................12348............stealthed
BioNet................12349............stealthed
Host Control........15094............stealthed
Infector..............17569............stealthed
NetBus................20034...........stealthed
MoonPie..............25685............stealthed
MoonPie..............25686............stealthed
Subseven............27374............stealthed
BO.....................31337............stealthed
Infector..............34763............stealthed
Infector..............35000............stealthed
GiFt...................123................closed

We have determined there are no open Trojans' ports on your system. But following ports we scanned are non-stealthed: 123.

Although these ports are non-stealthed, they are not open, so your system is not infected. However, having non-stealthed ports on your system means your computer can be "seen" over the Internet. This makes your system a potential target for remote attacks.

Recommendation:
The absence of a Trojan horse on your system does not mean this problem cannot happen, of course. Anti-virus and/or anti-Trojan (we recommend Tauscan or PestPatrol) software should be installed and used on your system. If you already use this type of software on your system, its virus definitions (virus database) should regularly be updated. If you have a firewall, check if it is set to make all your computer ports stealthed.

(nearly the perfect score on all the tests - just port 123 closed instead of stealthed - i wonder why just that port? and how does one stealth it?)

 

well in conclusion kerio took everything that pcflank could throw at it and finished the bout a worthy winner

 

@toploader -

Look at this page:

http://www.seifried.org/security/ports/0/123.html

quote:

Firewalling recommendations: Allow port 123 inbound to known public time servers only, incoming traffic that is part of an established connection should also be allowed. Outgoing connections should be allowed, although it may be advisable to block and force systems to use an internal NTP server(s) in order to ensure synchronization.

Attack detection: Inbound NTP traffic to anything but known time servers is most likely an attack.

end of quote

so I guess this is a good explanation on that port ;.)

 

I get the same results regularly with Kerio 2.1.5. I get excellent results with GRC's tests also.

This is definitely an issue and widely accepted as such . However I really do not know as to what an extent home-users , like most of us , are affected by this. But let us do remember that PCFlank's tests include at least 6 tests dealing with different types of malformed/invalid fragmented packets and if the system continues to show "stealthed" after these tests then , maybe , we don't have much to worry on this account.

 

ok there has been much talk about leaky firewalls on this forum so i downloaded the GRC leaktest and executed it.

kerio 2.1.5 immediately notified me that it was trying to connect to the GRC site and gave me the choice to permit or deny - i chose deny and leaktest confirmed it was unable to connect. i then repeated the test this time choosing permit to allow leaktest to connect just to confirm that it was kerio that was stopping it.

result - kerio's outbound protection passes the GRC leaktest.

 

thanks for the info anon - cheers

 

You're welcome - and thanks for the test ;-)

 

i also ran the advanced firwall test at http://www.auditmypc.com/freescan/scanoptions.asp

scanned - common ports - then the first 35000 - no ports found open.

 

GRC - Shields Up - File Sharing Test....

Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!


Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

 

the sygate stealth test

http://scan.sygatetech.com/prestealthscan.html

all tested ports reported as stealthed (and kerio reported the scan)

the sygate quick test

http://scan.sygatetech.com/prequickscan.html

all tested ports reported as stealthed (and kerio reported the scan)

 

Certainly one of my favorite firewalls, but noticed that after checking the firewall log one time after running this test that only 2 log entries were listed. When I run the same test now using CHX-I, I get 13 entries in the log(5+2+2+2+2).

 

Noway, can you post screenshots to compare the results?

thanks,

-rich
________________
~~Be ALERT!!! ~~

 

I just installed Kerio 2.1.5 and disabled CHX-I, ran the test with Kerio and made the following screenshot. Logging on all TCP/UDP/ICMP was enabled
in Kerio for this test, including "Log Packets Addressed to Unopened Ports".

 

It looks like you have other packets including ACK (Acknowledgemant code) set to log in CHX.

If you check "Log suspicious packets" in Kerio you do the same. (Kerio calls them "attacks") - see image below.

I just checked it to get an example. I normally keep it unchecked because it bloats the log.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Thanks for the fix!! I'll keep that option checked next time I try Kerio.