Best solution for Kerio 2.1.5 weaknesses (fragmented packets, bsod, ...)

Discussion in 'other firewalls' started by RWA, Oct 2, 2005.

Thread Status:
Not open for further replies.
  1. Arup

    Arup Guest

    How about this option in Harden IT, should do the job for the frag pack issue I would think.
     


  2. haragobi

    haragobi Guest

    @ RWA (first, sorry for my bad english)

    you have to understand what's happening when you use the ping command the way you do. the command you specified

    C:\>ping -l 5000 www.freebsd.org

    will initiate the following tasks:

    1. www.freebsd.org will be resolved to its ip address (www.freebsd.org -> 216.136.204.117)
    2. ip address will be pinged in consideration of the chosen parameters

    (1.) is the interesting point here. first the local dns caches of windows will be checked for the corresponding ip address. if no cached entry is available, the dns server you use (i guess automatically assigned by your isp) will be queried to resolve the ip. ping is not working without a valid ip address. it cannot ping urls like www.anything.org.

    so after setting kerio's "stop all traffic" mode, no more dns queries are passed to your assigned dns server, kerio will block them. but ping will be successful as long as windows has a cached dns entry of www.freebsd.org. with no cached entry available (ipconfig /flushdns) the ping will fail. but it won't fail because kerio is blocking the fragmented ping packet, it fails because ping has no valid ip to send its (fragmented) packets to.

    now please try pinging the ip instead of the url to verify your results:

    C:\>ping -l 5000 216.136.204.117

    if your ping is still timing out, with flushed dns caches, while kerio's "stop all traffic" mode is activated, and you're having a working internet connection :) i'm VERY interested in how you got so far



    @ghostxxxxx (the "sourceforge.net/projects/kerio" guy)

    stop every activity right now and go code this thing. i will kiss your hairy ass if you get it done ;)
     
  3. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    I also mentioned in another post that this site http://www.spfld.com/ping.html offers selectable packet size for pinging your computer. If you use the largest packet size with Kerio 2.x it will show that it received a reply from you... lower sizes are blocked if you have proper rules in place (although the site just seems to time out rather than giving you feedback if your computer successfully blocks these smaller ones).
     
  4. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    715
    Location:
    Blasters worm farm
    I've been using Kerio 2.1.5 along with CHX, the only time fragmented packets have ever been logged in CHX is doing all these ping tests. Where are these fragmented packets? I don't get any, so what's the big deal?
     
  5. haragobi

    haragobi Guest

    @fastgame

    packets can get fragmented due to different mtu sizes in devices (e.g. routers) or hosts. there's no big deal with it in general. just like sending a big sms from a mobile phone, it will get split if it reaches the maximum allowed size (e.g. 160 chars). but the point here is kerio is not using its filter rules for fragmented packets. so imagine the following situation:

    a box with a standard windows xp installation has several open listening ports. a spammer can use the messenger service on this box to send stupid spam messages to it. so the user (not capable of safely configuring his client) installs kerio firewall to block all packets addressed to the ports used by the messenger service on his machine. if the spammer generates modified (big enough to get fragmented on the way) packets and sends them to this box, kerio won't be able to block these fragmented packets and the user will see messenger popups. so you get the idea? any running service on a kerio protected box can be reached using fragmented packets. even modified worms can use security holes in windows services (e.g. rpc, netbios) on a kerio protected machine, if they use a way to generate fragmented packets. imagine a "kerio-worm", targeting old kerio v2.x users (like me) by sending fragmented packets to a vulnerable windows service, hehe. so maybe at the moment fragmented packets are very rare and not used for attacks. but who knows ;)

    hint: secure your client by shutting down vulnerable and unneeded services, don't rely too much on security software like firewalls.



    @ all

    i think the mentioned way to block fragmented packets directly in the windows tcp/ip stack with the "EnableFragmentChecking" registry value is working on windows server versions only (according to the german msdn library, see http://www.microsoft.com/germany/ms...DerSicherheitVonWebanwendungen/secmod109.mspx for details)
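As an added example (not code from the thread or from Kerio), a small Python model of the failure mode haragobi describes: a per-packet filter that skips its rules for anything carrying a fragment flag or offset, beside a filter that reassembles the datagram before applying the same rule. The UDP port, payload and fragment sizes are constructed for the demonstration.

```python
import struct

IP_MF = 0x2000       # IPv4 "more fragments" flag
IP_OFFSET = 0x1FFF   # fragment offset field, counted in 8-byte units

def udp_datagram(src_port, dst_port, body):
    """UDP header (8 bytes, checksum left zero) followed by the body."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(body), 0) + body

def fragment(datagram, chunk):
    """Split a datagram into (flags_offset, data) pieces of `chunk` bytes. Only the
    offset-0 piece carries the UDP header; later pieces have no port to match on."""
    assert chunk % 8 == 0, "IPv4 fragment offsets are counted in 8-byte units"
    frags = []
    for off in range(0, len(datagram), chunk):
        more = off + chunk < len(datagram)
        frags.append(((IP_MF if more else 0) | (off // 8), datagram[off:off + chunk]))
    return frags

def reassemble(frags):
    """Put the fragments back together in offset order."""
    buf = bytearray()
    for flags_off, data in sorted(frags, key=lambda f: f[0] & IP_OFFSET):
        start = (flags_off & IP_OFFSET) * 8
        buf[start:start + len(data)] = data
    return bytes(buf)

def dst_port(datagram):
    return struct.unpack("!H", datagram[2:4])[0]

def per_packet_filter(frags, blocked_port):
    """Behaviour the thread attributes to Kerio 2.x: the port rule is applied only to
    unfragmented packets; anything with MF set or a non-zero offset passes untouched."""
    return [(fo, d) for fo, d in frags
            if fo & (IP_MF | IP_OFFSET) or dst_port(d) != blocked_port]

def reassembling_filter(frags, blocked_port):
    """Defensive alternative: reassemble first, then apply the rule to the whole datagram."""
    datagram = reassemble(frags)
    return [] if dst_port(datagram) == blocked_port else [(0, datagram)]

BLOCKED_PORT = 1026   # port number chosen for the example, not taken from the thread
MESSAGE = udp_datagram(40000, BLOCKED_PORT, b"constructed popup payload " * 4)

if __name__ == "__main__":
    print("whole datagram passed by per-packet filter:", len(per_packet_filter([(0, MESSAGE)], BLOCKED_PORT)))
    frags = fragment(MESSAGE, 32)
    print("fragments passed by per-packet filter:", len(per_packet_filter(frags, BLOCKED_PORT)))
    print("fragments passed by reassembling filter:", len(reassembling_filter(frags, BLOCKED_PORT)))
```

The per-packet filter blocks the unfragmented datagram but lets all four fragments through, so the service still receives the complete message; the reassembling filter blocks it either way.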
     