Kerio 2.1.5 + SSM - My New Favourite!

Discussion in 'other firewalls' started by cprtech, Oct 20, 2006.

Thread Status:
Not open for further replies.
  1. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    It was only very recently I, admittedly, viewed this security combination with some contempt, my reason being that Kerio needs a “crutch” to bolster its defenses because of its lack of application behaviour control. But after using this combo for a couple weeks because I simply wanted to try it out to satisfy my penchant for trialing different firewalls, I have grown very fond of this firewall/HIPS setup.

    The look and feel of Kerio 2.1.5 may be Spartan, but it offers excellent flexibility and control over packet and application filtering. I like the fact it is a firewall without all the bells and whistles. It runs light and my browsing speeds are faster using this firewall than they have been with any other pc firewall I have tried, with perhaps the exception of Tiny’s last version, where this seems to be on par with it.

    With the support of SSM (so impressed with the free version I purchased the full), all application behaviour is taken care of. The combination works extremely well together, consumes an impressively light ~20 MB memory and, as others in this forum have mentioned, provides that “layered approach” to system security.

    As much as I like Comodo and Outpost 3.51, I think I will stick with this setup. Any thoughts?
     
  2. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I haven't tried SSM but I am using Kerio 2.1.5 on another PC.
    I love that firewall, I've been using it for a few months now.
    You already mentioned the exact reason why I stay with Kerio 2.1.5, it's a basic firewall that is flexible and light without all the bells and whistles of other firewalls.
    I use Blitzenzeus rules setup but through time I have adjusted this firewall to my liking.

    Have you seen this thread? https://www.wilderssecurity.com/showthread.php?t=135983&highlight=kerio obsolete
    That's about the time I started using Kerio, towards the end of the thread is where there is some good info.
     
  3. betauser2

    betauser2 Guest

    @cprtech, It's a good combo (stem, and others, also suggest ssm with kerio v2) and as long as it suits your needs (e.g. low mem usage etc) that's what really matters.

    The proxy issue is the only reason I gave kerio (2.1.5) up. I like kerio but I like Avast even more :D
     
  4. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    Thanks for the link CJsDad. Time permitting, I’ll read it over. Betauser2, yes, positive endorsements from knowledgeable folks such as Stem, herbalist and a few others played a part in my decision to try it out. I’m very pleased with the setup and will stay with it unless I trial something else that changes my mind :)
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi betauser2,
    I wouldn't say that Kerio has a "proxy issue",...... are you thinking of the problems with Sygate?
    I have used Kerio2+Avast,.. as the localhost access is controllable, it's just a case of keeping tight rules.
     
  6. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Just to add to what stem said, Kerio 2.1.5 does not have a proxy issue. It has performed excellently for me in locking up the proxomitron and access to it when I used kerio. However, sygate does have a proxy issue.

    The issue with Kerio 2.1.5 is that it doesn't handle fragmented packets properly. However, this can be circumvented by using a router, a registry tweak that prohibits fragmented packets from being assembled so they are just dropped, or installing CHX-I and the only piece of configuring you do is check the options for your LAN card to drop all fragmented packets. So, it is a really small problem, since no real attacks have been shown that can implement fragmented packets only.

    Cheers,

    Alphalutra1
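
A filter that drops all fragments, as the post above describes, only has to inspect the flags/fragment-offset field of each IPv4 header. The sketch below is an added example, not part of the original post and not code from CHX-I or Kerio; the headers are constructed samples using documentation-range addresses.

```python
import struct

MF = 0x2000           # "more fragments" flag
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units

def fragment_info(header: bytes):
    """Return (is_fragment, more_fragments, byte_offset) for an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack("!H", header[6:8])
    more = bool(flags_frag & MF)
    offset = (flags_frag & OFFSET_MASK) * 8
    # A packet is a fragment if more pieces follow OR it is not the first piece.
    return (more or offset != 0), more, offset

def drop_fragments(headers):
    """Policy from the post: pass whole datagrams, drop every fragment."""
    return ["drop" if fragment_info(h)[0] else "pass" for h in headers]

def build(flags_frag: int) -> bytes:
    """Constructed 20-byte header (checksum left 0; it is not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag,
                       64, 6, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2]))

SAMPLES = [
    build(0x4000),    # DF set: not a fragment
    build(0x0000),    # no flags, offset 0: whole datagram
    build(MF),        # first fragment: MF set, offset 0
    build(MF | 185),  # middle fragment at byte 1480
    build(185 * 2),   # last fragment: MF clear, offset 2960
]

if __name__ == "__main__":
    for hdr, verdict in zip(SAMPLES, drop_fragments(SAMPLES)):
        print(fragment_info(hdr), verdict)
```

Checking only the MF flag would let the last fragment through, and treating DF as a fragment marker would drop ordinary traffic, which is why both the flag and the offset are tested.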
     
  7. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I'm using Ad Muncher which, I believe, uses a proxy method for connecting, and there are no issues with it and Kerio. I'm also behind a router so I guess the fragmenting packet issue is something not to worry about either :)
     
  8. herbalist

    herbalist Guest

    I'm not aware of any proxy issue with Kerio 2.1.5. I use it with both Proxomitron and A4Proxy with no problems. When using Kerio with these apps, the position of the firewall rules for Proxomitron, A4Proxy, etc in relation to any loopback blocking rules is critical. Kerio starts at the top of the ruleset and uses the first rule that applies. A rule blocking loopback will prevent connections to a proxy application if it's positioned above the "allow" rules for them. It's also easy to enter the allowed port(s) in the wrong location (local vs remote). The "display alert box when this rule matches" option on the edit menu for individual rules can help with tracking down that kind of problem.
    Theoretical question.
    Assuming an attack could be launched using fragmented packets to get thru Kerio 2.1.5. With SSM behind it, what could they do with assembled packets that SSM wouldn't detect and block? If I understand this correctly, any such attack would only be able to function within the limits of what is permitted by the SSM ruleset.
    Rick
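
The rule-ordering behaviour described in the post above (top-down evaluation, first matching rule wins) can be modelled in a few lines. This is an added example, not part of the original post and not Kerio's own rule format; the application names, port 8080 and the "ask" fallback for unmatched traffic are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

LOOPBACK = "127.0.0.1"

@dataclass
class Rule:
    """Simplified model of one packet-filter rule; None means 'any'."""
    name: str
    action: str                        # "permit" or "deny"
    app: Optional[str] = None
    remote_addr: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, conn: dict) -> bool:
        fields = ("app", "remote_addr", "local_port", "remote_port")
        return all(getattr(self, f) in (None, conn[f]) for f in fields)

def evaluate(rules, conn):
    """Top-down, first match wins, as described in the post above."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action, rule.name
    return "ask", None   # assumption: unmatched traffic prompts the user

def shadowed(rules, conn):
    """Names of rules that match conn but sit below the rule that fired."""
    hits = [r.name for r in rules if r.matches(conn)]
    return hits[1:]

# Constructed sample: browser connecting to a local proxy on port 8080.
BROWSER = {"app": "browser.exe", "remote_addr": LOOPBACK,
           "local_port": 1045, "remote_port": 8080}
OTHER = dict(BROWSER, app="unknown.exe")

block_lo = Rule("block loopback", "deny", remote_addr=LOOPBACK)
allow_proxy = Rule("browser to proxy", "permit", app="browser.exe",
                   remote_addr=LOOPBACK, remote_port=8080)
# Port entered in the local field instead of the remote one.
wrong_side = Rule("browser to proxy (wrong side)", "permit",
                  app="browser.exe", remote_addr=LOOPBACK, local_port=8080)

MISORDERED = [block_lo, allow_proxy]   # block sits above the allow rule
CORRECTED = [allow_proxy, block_lo]    # allow first, block as catch-all
WRONG_PORT = [wrong_side, block_lo]    # allow rule never matches
```

With `CORRECTED`, the browser reaches the proxy while any other application connecting to loopback still hits the block rule; `shadowed(MISORDERED, BROWSER)` names the allow rule that never gets a chance to fire.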
     
  9. betauser2

    betauser2 Guest

    Yep, (Stem & Alpha) you guys are on the ball. I think I've used the term "proxy issue" very loosely here. At the time I was also running Ghostsurf as well and application control was the first thing I encountered (without configuring the loopback rules), kerio did not alert any applications making outbound connections via the proxy.

    I should have mentioned the other issue I faced i.e. Perfectdisk BSOD (that's post build 36), but I didn't want to go off topic.

    Sorry :(


    BTW Guys, this will be my last post (spending too much time online) so, thanks to every member, contributor, mods, experts, admins, helpers, updaters. It's been a learning process, started as a Novice moved onto become extremely paranoid, and am ending self-assured in terms of online privacy & security. THANKS!!!
     
    Last edited by a moderator: Oct 20, 2006
  10. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    No issues have been found using the Kerio2.1.5 and the free SSM and the fully enabled KAV6. Delightful homemade suite. Am using a router, naturally.
     
  11. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    The fragmented packet issue really is a non-issue if you ask me. Many people always bring up the fact that it has that weakness. In reality, I don't really know how much damage could really be caused even without SSM. No one has ever (at least to my knowledge) figured out an exploit with fragmented packets. The worst thing that is probably feasible right now is some kind of DoS attack, but why the heck would anyone single out one pc just to make it shut down? With SSM, any type of malware that somehow manages to sneak through would be stopped before it could be executed and do any harm, so basically the setup is pretty darn secure. As you said, all the attack would be able to do is function in the limits of what is permitted by the SSM ruleset, which is most likely little to nothing.

    Cheers,

    Alphalutra1
     
  12. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The combo of SSM + Kerio 2.1.5 is the cornerstone of my security wall. They work together just beautifully. I use SSM paid, and have it set to protect all my security apps from termination.
     
  13. djg05

    djg05 Registered Member

    Joined:
    Apr 6, 2005
    Posts:
    1,504
    I do try out different firewalls but always end up coming back to Kerio 2.1.5. I have just ditched PG full and am trying it with SSM and it does seem to be a good combination. Looks like I may have to find a few pennies for it if I continue to like it.
     
  14. herbalist

    herbalist Guest

    Thanks. I thought that would be the case. Just wanted another input on the matter. I try to work on the assumption that any one layer or security app can be compromised, and if that does occur, how well am I still protected? So far, the combination of Kerio and SSM looks about as secure as it gets with software, assuming the user doesn't get deceived into doing something they shouldn't.
    I made SSM part of my core security when Max Burmistrov was developing it. It was an impressive piece of work then and has only gotten better. While the paid version doesn't run on my 98 box, the free version works very nicely. IMO, it's the best thing that's happened to 98 in a long time, more than sufficient to make up for the lack of support by MS.
    Rick
     
  15. cprtech

    cprtech Registered Member

    Joined:
    Feb 26, 2006
    Posts:
    335
    Location:
    Canada
    I'm happy running this setup on my Pentium 4 XP box. Maybe the majority of people, with the exception of you herbalist and others knowledgeable about Kerio 2.1.5, view this firewall as too rudimentary for machines capable of running the more "feature packed" firewalls such as Outpost, ZA, Comodo, to name only a few, feeling it is most suitable for Win98 boxes instead. From what I have seen so far, this setup is astonishingly splendid :)

    Nothing else I have tried gives me the near-perfect balance of terrific system and network security, fast browsing speeds, low resource usage, and conflict free functionality that this dynamic duo has provided. I love it!
     
  16. herbalist

    herbalist Guest

    The majority of people seem to want most if not all of their security-ware in one package, configured via one interface, maintained by one updater. Sure, that kind of convenience is nice, but not if it comes at the expense of performance.
    IMO, SSM can offset many of the designed weaknesses in the DOS based systems, particularly when it comes to user control and system access.
    I've been installing Kerio 2.1.5 on most of the PCs I service when the customer doesn't have another preference, from Win98 to XP. With the exception of one very temperamental WinME unit (which doesn't seem to know what it likes from one day to the next), Kerio has run dependably on all of them. SSM has also worked very well on all the units I've put it on. These 2 apps have proven one thing beyond any doubt. Security software doesn't have to be bloated and resource hungry to perform.
    Finding an app with the power of SSM that can still function properly on an older system without having to use everything available in the process is refreshing. I've run the Kerio/SSM combination on units with as little as 64mb of RAM and processors as slow as 366mhz, with no problems whatsoever, and had plenty of system left for what the user wanted to do. Most security suites would be lucky to even run on such systems, but then XP wouldn't either. If only more software vendors would do that, but then the hardware vendors wouldn't sell as much.
    Rick
     
  17. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,183
    Kerio 2.1.5 certainly has no issue with local proxies, but it needs rules to control applications. Otherwise it lets them out without asking the same way as sygate.
    In this post is my solution against avast local proxies.
    http://www.dslreports.com/forum/remark,16592654

    It is rather tight and I have since added a few programs like google earth and jucheck to have webshield proxy besides browsers. It is a good reason always to have the blocking rule logged.

    PG works also well with kerio 2.1.5, but you all tempt me into changing to SSM.
     
  18. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    What is wrong with Kerio's 4.3 version?? I admit to being a newbie on firewall discussions, but I'm at a loss as to why there is no talk about 4.3 (!).

    While I'm at it, in my newbie-ness, what is SSM?? I've googled it but alas... nada.

    Thanks!



    //
     
  19. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    SSM=System Safety Monitor http://syssafety.com/

    As for Kerio, I haven't used version 4.3 but Kerio 2.1.5 is probably one of the lightest firewalls available that does its job of a basic firewall (rule based) without the additional bells and whistles of the more common FW's out there.
     
  20. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415

    I've always used either ZoneAlarm free (trying Pro now on another computer) or Symantec Corporate (in my laptop). I tried Comodo but it slowed my download speed by 40% (not sure why), so I went with Kerio for the first time, which is the 4.3 iteration at present. No experience with 2.xx, so I couldn't comment.

    4.3 seems good. It comes with a HIPS, as well as NIPS (network intrusion prevention), and it even has "Application Behavior Blocking" for controlling the opening, changing, and launching of applications. Each one of these may be enabled/disabled.

    Seems to hit several birds with one stone.


    //
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,183
    Thanks to posts by Rick and others I changed yesterday to SSM. All is working well.

    I made an initial mistake of putting Process Monitor in Learning Mode. That gave many Applications 'Allow to start' default access. I have since changed those rules to have 'Ask user' as both child and parent defaults. And also blocked a few like realplayer update checker something etc. I know from PG time.

    Also put SSM to 'Start automatically'.

    I have all events to be logged. Now in my amd athlon 2400 xp+ SSM takes 0 to 2 percent CPU, mostly zero. This has more options running than PG, so it is quite acceptable. Now it is time to learn, but it seems it is not nearly as tough as I initially thought compared to PG free that is easier cause it is simpler. Really seem to like SSM. Help file was nice too. Very readable and clear.

    Regarding Kerio 4.3, it is good on paper. Only those who have run both kerio 2.1.5 and it know how much it sucks in stability, usability, resource usage, etc. Last sunbelt version I tried. It did not alert on those rules I asked it to alert, very bad. Then I expected rules I have set to be logged, many were not. Some were "half logged", like it only logs when it has time from doing something else. It is not possible to see a log file same time when editing rules, very very not functional. Plus I got a BSOD like also with previous non sunbelt version.
    I don't like Kerio 4.

    Jarmo
     
    Last edited: Oct 26, 2006
  22. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    The risk in reality is quite minimal, both in terms of what can be done with unreassembled packets and the effect of what could possibly be done to the firewall application itself.

    Two of the most informative threads on the subject:
    http://www.dslreports.com/forum/remark,11787449
    http://www.dslreports.com/forum/remark,13171662
     
  23. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I've just gone from trying a series of newer firewalls and gone back to Kerio 2.1.5. In addition to running it with System Safety Monitor (free), I run Sandboxie all the time with Opera browser, even though I practice very safe surfing. Also am running Avira antivirus.

    Between the above and having a hardware firewall on our modem, I'd like to think I'm fairly well protected. Now that I've finally gotten something I think I can stay with a while, my elderly (5 yr old) computer is making strange noises and groans.
     
  24. SamSpade

    SamSpade Registered Member

    Joined:
    Oct 22, 2006
    Posts:
    415
    Maybe the sandbox is putting a bit too much strain on your system? Just a guess.



    //
     
  25. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I wish that it was just the sandbox. It does it even when I'm not online and it's just sitting doing nothing. It's a generic computer built locally, and I have a hunch the builder used the cheapest parts he could find, or older used parts.

    It's lasted 5 yrs. It's time for me to buy myself a Christmas present, or the wife to surprise me with one. But, I'll probably hang onto this one until it's stone cold dead.
     