How to create very restrictive security with Kerio?

Discussion in 'other firewalls' started by pcalvert, Dec 15, 2005.

Thread Status:
Not open for further replies.
  1. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Hi,

    I think something might have slipped onto my computer that several anti-virus and anti-trojan computers have failed to detect. So I am going to wipe the HDD and do a clean install of Windows as soon as I have time (which may not be soon). Until then, I'd like to create some highly restrictive rules in Kerio PF (2.1.5), to hopefully limit the ability of any malware to "phone home." Basically, what I'd like to do is set up a filter or filters that will block all traffic except outbound traffic to a small number of IP addresses (e.g., ISP mail server, Yahoo! Mail, Gmail). If possible, I'd also like to have Kerio set up so that only certain programs can access those IPs, but that's not as important.

    I already started to set this up, but I wasn't sure I was doing it right. I was concerned that I might accidentally decrease my security, so I didn't save the changes I made. BTW, I am using BlitzenZeus' standard ruleset which I have configured to work with my ISP.


    Phil
     
    Last edited: Dec 15, 2005
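The policy Phil describes above (drop everything, permit outbound only to a short list of IP addresses, and optionally only from a few programs) is a GUI job in Kerio PF 2.1.5, but the same rules can be expressed as a script against the Windows Firewall that ships with Windows 8 / Server 2012 and later. The block below is an added example written for this page, not the poster's ruleset and not Kerio's own configuration format; the addresses are RFC 5737 documentation placeholders and the program paths are assumptions, so substitute the ones that apply to your machine.

```powershell
# Added example (not from the thread): "block everything except outbound to a
# short allow-list", for the built-in Windows Firewall instead of Kerio PF.
# Run from an elevated, LOCAL PowerShell prompt: applying this over RDP or a
# remote session cuts that session off.
# All IPs below are RFC 5737 placeholders (assumption), not real mail servers.

# Allow-list: destination IP -> TCP ports you actually need there.
$AllowList = @{
    '192.0.2.25'   = @(25, 465, 587)   # placeholder: ISP SMTP / submission
    '192.0.2.110'  = @(110, 995)       # placeholder: ISP POP3
    '198.51.100.7' = @(443)            # placeholder: webmail over HTTPS
}

# Only these programs may reach the allow-list. Leave the array empty to let
# any program use it (the "less important" variant of the request).
$AllowedPrograms = @(
    "$env:ProgramFiles\Mozilla Thunderbird\thunderbird.exe",   # assumption
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe"            # assumption
)

$RuleGroup = 'Lockdown (temporary)'

# 1. Remove rules from a previous run so the script can be re-applied safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 2. Default-deny in both directions on every profile. Outbound is the part
#    that matters for "phone home"; inbound is blocked by default anyway.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. DNS is deliberately NOT opened. With hard-coded destination IPs you do not
#    need it, and a resolver you cannot inspect is an easy covert channel.
#    Add a UDP/53 rule to your resolver only if you must use hostnames.

# 4. One outbound allow rule per (program, destination) pair.
foreach ($dest in $AllowList.Keys) {
    $programs = if ($AllowedPrograms.Count -gt 0) { $AllowedPrograms } else { @('Any') }
    foreach ($prog in $programs) {
        $label  = if ($prog -eq 'Any') { 'any program' } else { [IO.Path]::GetFileName($prog) }
        $params = @{
            DisplayName   = "Allow out $dest ($label)"
            Group         = $RuleGroup
            Direction     = 'Outbound'
            Action        = 'Allow'
            Protocol      = 'TCP'
            RemoteAddress = $dest
            RemotePort    = $AllowList[$dest]
            Profile       = 'Any'
        }
        if ($prog -ne 'Any') { $params['Program'] = $prog }
        New-NetFirewallRule @params | Out-Null
    }
}

# 5. Log dropped packets so an attempted "phone home" leaves a trace.
$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogFileName $LogFile

# 6. Check: show what is permitted out, then watch for DROP entries.
Get-NetFirewallRule -Group $RuleGroup |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Log format is "date time action protocol src-ip dst-ip src-port dst-port ...",
# so the third field is the verdict.
Get-Content $LogFile -Tail 20 | Where-Object { $_ -match '^\S+ \S+ DROP ' }
```

Two caveats a practitioner should keep in mind. First, the per-program restriction is only as strong as the process boundary: code injected into an allowed program (a DLL loaded into the mail client, a thread started in the browser) inherits that program's permit rule, so the address allow-list is the layer that actually limits a "smart" trojan, not the program list. Second, an allow-list of IPs decays: webmail providers change addresses, so when legitimate mail stops working, re-resolve the hosts from a trusted machine rather than loosening the rules on the suspect one.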
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Kerio will automatically alert or block if a trojan attempts to connect outbound using an application for which you don't have a permit rule.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Dec 15, 2005
  3. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Hi Rich,

    That's good. But what if the trojan is smart (or just lucky), and uses some application for which I have a permit rule? By explicitly allowing outbound connections to only a select list of IP addresses, the trojan won't be able to connect to the trojan creator's site, and I will be alerted to the unauthorized connection attempt.

    Phil
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, if your rules are set up that way, Kerio would alert if otherwise.

    -rich
     
    Last edited: Dec 15, 2005
  5. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    That's one way trojans will defeat a firewall. You'll need another program like ProcessGuard or AppDefend which will detect and/or prevent changes to trusted apps.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Or just use a firewall like Sygate that has anti-application hijacking and will protect you against such things.
     