Configure Kerio 2.1.5 to monitor outbound only?

Discussion in 'other firewalls' started by bellgamin, Sep 25, 2010.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    I have an SPI/NAT router that monitors inbound. Therefore I want to configure Kerio 2.1.5 so that it will NOT monitor any inbound connections whatsoever.

    Can someone who is now using Kerio 2.1.5 tell me a rule or configuration whereby I can accomplish this?
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    May I ask why?

    Anyway, create a rule like this:
    Description= ...(e.g. allow incoming)
    Protocol= TCP/UDP
    Direction= Incoming
    Local endpoint:
    Port type= any port
    Application= Any Application
    Remote endpoint:
    Address type= any address
    Port type= any port
    Rule valid= always
    Action= permit

    (or if you want to allow all traffic at the protocol choose ANY)

    ps.If you do that I would advise you to keep windows firewall activated too, since it has better packet filtering than most home/soho routers.

    Panagiotis
     
  3. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    Uh... well I figured, since my router handles inbound, why let Kerio duplicate its actions? Surely Kerio's surveillance of inbound causes at least a teeny bit of slow-down. Doesn't it? So, if I take Kerio out of the loop on inbound, I'm saving a nanosecond or 2, right? Wrong? Dumb way for me to think?
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    Have not tested it in ages so I cannot really tell.
    At least a nanosecond or 2 you will definitly save. :D

    But leave windows firewall on if you do (is more up to date and supports ipv6 too).;)

    Panagiotis
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    As to the Win FW -- you DO know I'm running WinXP SP3 Home edition right? {I also have a fully operational computer running CP/M :blink: }
     
  6. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    Yes, I had XP SP2/SP3 in mind when I wrote to leave it on. :)

    CP/M= ?

    Panagiotis
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There should be no real difference. Kerio filters all packets, in and out. It then uses the first rule that applies. Even with a "permit all inbound" rule, Kerio still checks the packets.

    Even with a router, I wouldn't automatically allow all inbound with Kerio or any other firewall, even if there was an improvement. Routers and external hardware attacks are appearing. I seem to remember one that used UPnP and Flash. I doubt it'll be the only one.
     
  8. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,572
    Not according to the manual.
    Panagiotis
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    One of the early OS -- era of the 1970's (when dinosaurs still roamed the earth). I was a whiz at using it. I was also a fairly *dangerous* programmer in Forth. Later... Pascal.

    In those days, 8-bits was the deal & 64K of RAM was really really BIG. Programmers wrote VERY compact/efficient code because they HAD to. :cool:
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    You are right. Kerio will filter inbound no matter what you do, rule or no rule. There is no way around it.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Kerodo,

    I didn't know this!

    From the Kerio Help File:

    Five years ago, several of us ran w/o a firewall to demonstrate that if all ports are closed, nothing can penetrate. (You may remember this discussion at DSLR)

    I set things up so that Port 135 was open, hoping to snag the MSBlaster that was still going around. I configured Kerio to permit all traffic, and I logged everything. There were no alerts from Kerio to deny anything, so I assumed that Kerio was not monitoring.

    Check here -- maybe my setup was not a valid test!

    http://www.urs2.net/rsj/computing/tests/fw_test


    ----
    rich
     
    Last edited: Sep 25, 2010
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    Hi Rich,

    Ok, maybe you are right. I thought Kerio would have to filter regardless of what rules were in place, but I didn't realize that without any rules it was transparent.

    Yes, I remember running without a firewall, I was one of those people. I actually ran for 2 months or so on Win2k with no firewall or router, just closed all my ports. It was fun, and nothing horrid ever happened. :)
     
    Last edited: Sep 25, 2010
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, I remember now, you were one that ran w/o a firewall. There was a regular at DSLR (whose name I've forgotten) who ran w/o a firewall with WinXP. He had some system monitor and no intrusion showed up with all ports closed.

    Remember, our ports were *closed* and not *stealthed* which was another point of the exercise.

    Yes, it was fun!

    ----
    rich
     
    Last edited: Sep 26, 2010
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Bellgamin,

    noone_particular is correct - even with a "Permit All" rule at the top, Kerio still checks "some" packets.

    Here is my ruleset with a "Permit ALL" rule at the top. I've disabled my system rules disabled to test:

    kerio-ruleset.gif

    Here is my log with Suspicious Packets configured to log, and you can see that even though Kerio lets all traffic through -- trojan ports included! -- it does block what Kerio calls "suspicious" packets.

    kerio-log.gif

    It's not really an attack, of course "Ack" means ACKnowledge something has been received (or blocked)

    You can tell Kerio not to log these (I normally don't log them -- I enabled logging just to test here).

    For all practical purposes, Kerio's inbound protection is disabled and I doubt if the Ack Packet garbage is slowing down your system even a nano second!

    Outbound protection still works. Here, my DHCP attempting to connect out. With the outbound rule disabled, Kerio alerts:

    kerio-dhcpOut.gif

    And my utility to sans.edu with my outbound rule disabled:

    kerio-iscEdu.gif


    ----
    rich
     
    Last edited: Sep 26, 2010
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    OT, but some history

    http://inventors.about.com/library/weekly/aa033099.htm
     
  16. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    Nicely demonstrated Rmus! MANY thanks for putting so much effort & expertise into this discussion.

    The upshot of what I have learned herein is that I shall NOT configure K215 so as to keep it from messing with inbound. Also, I have gained a newly increased respect for K215's ability to be a high-grade firewall for use in 2010, despite K215'2 age & status as abandonware.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    P.S. Does anyone have the history of K215? When it was first released? When it was assimilated by Sunbelt? When discontinued? And so forth?
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome, Bellgamin, it was nice to re-visit the inner workings of Kerio 2.1.5

    See this article:

    Kerio Personal Firewall
    http://en.wikipedia.org/wiki/Kerio_Technologies#Kerio_Personal_Firewall

    Two things to keep in mind:

    1) Kerio will not control IPv6. There doesn't seem to be any consensus as to at what point a Kerio 2 user will be vulnerable to exploits via ports.

    2) The general consensus (which you are free to ignore) that you are vulnerable to trojan outbound exploits because Kerio 2 fails most Firewall Leaktests.

    Years ago, when the Firewall Leaktests were all the rage, (Leaktests today test more than just the Firewall) and vendors were scrambling to keep their Firewall products updated to contain these "exploits" that the Leaktests demonstrated, Kerio 2 ceased being developed.

    However, in one of the on-going threads, I stated that my Kerio 2 passed all of the tests.

    "Say what?"

    My reasoning was thus: The Leaktest executables simulated the action of a trojan which, once installed, would bypass the firewall's outbound protection.

    So, I showed a screen shot of an attempt to download/install one of the Leaktests. It was blocked by my security from downloading/installing, so, I claimed a "Pass" since it didn't get past my firewall:

    leaktest-dl.gif

    "Foul Play" was the outcry. It didn't bother me, for if the trojan can't install, why worry about a firewall to catch a phantom exploit?

    "What about a drive-by download?"

    That was easy to demonstrate. I put the path to the Leaktest executable into an IE exploit:

    leaktest-code.gif

    And ran the code:

    leaktest-ie.gif

    Same thing. Leaktest executable blocked, end of exploit.

    Depending on the peace of mind your security setup provides you, the Firewall Leaktest thingy is either important, or irrelevant.

    CONCLUSION

    Many people, including myself, would agree with your assessment of Kerio 2 as "a high-grade firewall for use in 2010, despite K215'2 age & status as abandonware."

    regards,

    rich
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    As far as I know, Kerio 2 evolved from Tiny Personal Firewall. Version 2.0.15 of Tiny was extremely similar to Kerio. Kerio could even import Tiny's rulesets. I still have a copy of it. The installer is a tiny 1385KB.

    Regarding Kerio and leaktests, with properly configured rules, Kerio will pass more of them than the tests would have you believe. Then again, those tests seem to be based on the assumption that the user has one security app and it has to be a firewall. IMO, the tests have been reduced to the role of advertizing gimmicks with little if any basis in reality. Just blocking Internet Explorer will make it pass several of those tests, which tells me that the problem isn't the firewall, it's Internet Explorer. Some of the older tests were very useful for tightening firewall rules. PCAudit2 was excellent for tightening loopback rules. Even if I allow the hook with SSM, Kerio will pass that test provided you have control over loopback (local) connections. IMO, Kerio 2.1.5 will remain viable as long as IPv4 is in use.

    Regarding Kerio slowing things slightly, a long time ago when I used some really old hardware and had dialup, I ran several speedtests with and without Kerio, then averaged the results. The results were just slightly faster with Kerio running than without it. The difference was about 2%, barely noticeable. Best I could determine, the results with Kerio were faster because Kerio prevented the unnecessary use of bandwidth by system components like windows explorer, making it all available to the browser. With DSL or better, it would be meaningless (as would any slowdown) but on dialup, the user would probably notice the change.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    So . . . for WinXP, what FW will match K215's lightness & simplicity, and WILL control IPv6?

    By the way, what app generates that "Guard dog on duty" pop-up --- Anti-executable or ?
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I haven't checked, and am not looking forward to replacing Kerio. Until something comes along to bypass Kerio, I subscribe to noone_particular's view:

    Yes, AE - you can customize the bitmap image.

    ----
    rich
     
  21. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    Huh? I fully expected you to say something nice about Look'n'Stop. (I am leaning toward it at the moment.)

    By the way, I have a hard-to-find stand-alone version of Dynamic Security Agent. DSA is a fairly decent replacement for K215 IMO.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've heard nice things about it but haven't tested it, so I'm reluctant to say anything about it.

    I've not heard about this.

    For both of the above, since you have mentioned them, can we look forward to an in-depth report of your tests?!!

    ----
    rich
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,650
    Location:
    Hawaii
    Hola Rich-sensei,

    I am unqualified to test LnS. I have a lot of information about DSA but any all-out discussion could get me busted for going off-topic. Therefore I shall start a new thread for DSA at HERE
     
  24. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    Just my 5 cents, I'm no expert. A while back I got concerned how LookNstop watches/doesn't local host vs Kerio which does it perfectly
    see last 2 posts in this thread if local host activity is important to you as it is to me
    https://www.wilderssecurity.com/showthread.php?t=256474
     
Loading...
Thread Status:
Not open for further replies.