Kerio 2.1.5 Test

Discussion in 'other firewalls' started by toploader, Sep 7, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Following my posting of the Windows XP2 Firewall test I decided to use the pcflank tests on my own firewall kerio 2.1.5 - which has recently replaced the windows firewall in my dialup setup. I would hope that kerio would return a performance at least equal to the XP2 firewall to merit its inclusion in protecting my puter.

    The results of Stealth Test

    We have sent following packets to TCP:1 port of your machine:

    * TCP ping packet
    * TCP NULL packet
    * TCP FIN packet
    * TCP XMAS packet
    * UDP packet

    Here is the description of possible results on each sent packet:
    "Stealthed" - Means that your system (firewall) has successfully passed the test by not responding to the packet we have sent to it.
    "Non-stealthed" - Means that your system (firewall) responded to the packet we have sent to it. What is more important is that it also means that your computer is visible to others on the Internet, which can be potentially dangerous.

    Packet type...........Status

    TCP "ping"..............stealthed
    TCP NULL...............stealthed
    TCP FIN.................stealthed
    TCP XMAS..............stealthed
    UDP......................stealthed

    Recommendation:

    Your computer is invisible to the others on the Internet!

    So a good result from the old timer kerio.
     
    Last edited: Sep 8, 2005
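The Stealth Test above sends a TCP "ping" (unsolicited ACK), NULL, FIN and XMAS probe and calls the host stealthed only when nothing comes back. The added example below (my code, not from the thread or from PCFlank) pulls the flags byte out of a constructed TCP header, names the probe the way the test does, models the reply an unfiltered host gives under RFC 793, and turns the observed reply into the stealthed / non-stealthed / open verdict; the UDP probe is left out.

```python
# Added example, not from the thread or from PCFlank: classify the probe packets the
# Stealth Test sends from a raw TCP header and model what a host should answer, so a
# log reviewer can tell "stealthed" (silence) from "non-stealthed" (any reply).
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def make_header(flags: int, dport: int = 1) -> bytes:
    """Build a constructed 20-byte TCP header (source port, seq/ack, window are dummies)."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def tcp_flags(header: bytes) -> int:
    """Return the flags byte of a TCP header; it sits at offset 13."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def probe_type(flags: int) -> str:
    """Name the probe the way the Stealth Test does; other combinations are 'other'."""
    names = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS", ACK: "TCP ping", SYN: "SYN"}
    return names.get(flags, "other")

def expected_reply(flags: int, port_open: bool) -> str:
    """Reply an unfiltered host gives per RFC 793 (no firewall in the path)."""
    if flags & RST:
        return "none"          # a RST is never answered
    if not port_open or flags & ACK:
        return "RST"           # closed port, or unsolicited ACK on a listening port
    if flags == SYN:
        return "SYN/ACK"
    return "none"              # NULL/FIN/XMAS to a listening port are dropped

def status(observed_reply: str) -> str:
    """PCFlank's verdict: silence is 'stealthed', any reply is 'non-stealthed'."""
    if observed_reply == "SYN/ACK":
        return "open"
    return "stealthed" if observed_reply == "none" else "non-stealthed"

def run_stealth_test(firewall_drops_all: bool, port_open: bool = False) -> dict:
    """Replay the four TCP probes of the Stealth Test against port 1 and collect verdicts."""
    results = {}
    for flags in (ACK, 0, FIN, FIN | PSH | URG):
        hdr = make_header(flags)
        reply = "none" if firewall_drops_all else expected_reply(tcp_flags(hdr), port_open)
        results[probe_type(tcp_flags(hdr))] = status(reply)
    return results

if __name__ == "__main__":
    print(run_stealth_test(firewall_drops_all=True))   # toploader's result: all stealthed
    print(run_stealth_test(firewall_drops_all=False))  # bare host, port 1 closed: all non-stealthed
```

The second run shows why a host with no filter is "non-stealthed" on every probe: a closed port must answer each of them with a RST.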
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Kerio 2.1.5 is a good firewall. I have used it in the past and it always performed just fine.
     
  3. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    So it would seem BigC - I next performed the advanced ports scan using the TCP SYN scanning option (This technique is also known as "half-open" scanning, because the scanner doesn't open a full TCP connection. The scanner sends a SYN packet, as if it is going to open a real connection, and waits for a response).

    Results of Advanced Port Scanner

    TCP SYN scanning (scanned in 73 seconds)

    We have scanned your computer's ports used by the most widespread trojan horses. Here is the description of possible ports' statuses:

    "Stealthed" (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;
    "Closed" (non-stealthed) - Means that this port is closed, but your computer is visible to others on the Internet, which can be potentially dangerous;
    "Open" - Means that this port is ready to establish (or has already established) a connection with a remote address. It also means that your computer is vulnerable to attacks and could have already been hacked or infected by a trojan/backdoor.


    Port: Status Service Description

    21 stealthed FTP File Transfer Protocol is used to transfer files between computers

    23 stealthed TELNET Telnet is used to remotely create a shell (dos prompt)

    80 stealthed HTTP HTTP web services publish web pages

    135 stealthed RPC Remote Procedure Call (RPC) is used in client/server applications based on MS Windows operating systems

    137 stealthed NETBIOS Name Service NetBios is used to share files through your Network Neighborhood

    138 stealthed NETBIOS Datagram Service NetBios is used to share files through your Network Neighborhood

    139 stealthed NETBIOS Session Service NetBios is used to share files through your Network Neighborhood

    1080 stealthed SOCKS PROXY Socks Proxy is an internet proxy service

    1243 stealthed SubSeven SubSeven is one of the most widespread trojans

    3128 stealthed Masters Paradise and RingZero Trojan horses

    12345 stealthed NetBus NetBus is one of the most widespread trojans

    12348 stealthed BioNet BioNet is one of the most widespread trojans

    27374 stealthed SubSeven SubSeven is one of the most widespread trojans

    31337 stealthed Back Orifice Back Orifice is one of the most widespread trojans

    Recommendation:

    All the ports we have scanned are Stealthed (by a firewall). So just continue following the fundamental security measures and regularly update your security software.
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Having got a good result on the first two tests I now proceeded to the exploits test.

    I almost had second thoughts when confronted with the following warning....

    The test may take up to 5 minutes depending on speed of your Internet connection. If your system is unable to pass this examination the test should cause your computer to hang and/or necessitate the rebooting of your system.

    Well, did I want to risk my puter crashing to see how secure it was? - I eventually decided to risk it but to run the tests individually rather than en masse.

    igmpsyn
    targa3
    fawx
    kod
    ssping
    jolt2
    twinge
    moyari13
    nuke
    teardrop
    nestea
    land
    synk4
    opentear
    stream
    stream2
    rfpoison
    rst_flip
    redir

    Suffice it to say my puter did not crash and for each test I received the message....Your system successfully defended itself from this attack!

    All in all a very creditable performance from kerio.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Kerio 2.1.5 is great, except for one flaw which has been discussed at length in previous threads.. It allows fragmented packets thru without blocking or logging.
     
  6. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Hi Kerodo - yes I read your link to the discussion on the subject - I guess all firewalls have their strong and weak points - as far as the free firewalls go I think kerio 2.1.5 is good enough for the time being. :)
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    It is surely one of my favorites too.. And with a router, there's no problems at all. I still use it from time to time here myself...
     
  8. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    I concluded the tests by running the trojan test....

    We have scanned your computer's ports used by the most dangerous and widespread trojan horses. Here is the description of possible ports' statuses:

    "Stealthed" (by a firewall) - Means that your computer is invisible to others on the Internet and protected by a firewall or other similar software;
    "Closed" (non-stealthed) - Means that this port is closed, but your computer is visible to others on the Internet, which can be potentially dangerous;
    "Open" - Means that this port is ready to establish (or has already established) a connection with a remote address. It also means that your computer is vulnerable to attacks and could have already been hacked or infected by a trojan/backdoor.

    Trojan:................Port.............Status

    Infector...............146.............stealthed
    RTB666................623.............stealthed
    Net-Devil.............901..............stealthed
    Net-Devil.............902..............stealthed
    Net-Devil.............903..............stealthed
    Subseven............1243.............stealthed
    Duddies Trojan.....1560.............stealthed
    Duddies Trojan.....2001.............stealthed
    Duddies Trojan.....2002.............stealthed
    Theef.................2800.............stealthed
    Theef.................3000.............stealthed
    Theef.................3700.............stealthed
    Optix..................5151.............stealthed
    Subseven............6776.............stealthed
    Theef.................7000.............stealthed
    Phoenix II............7410.............stealthed
    Ghost.................9696.............stealthed
    GiFt...................10100............stealthed
    Host Control........10528............stealthed
    Host Control........11051............stealthed
    NetBus...............12345............stealthed
    NetBus...............12346............stealthed
    BioNet................12348............stealthed
    BioNet................12349............stealthed
    Host Control........15094............stealthed
    Infector..............17569............stealthed
    NetBus................20034...........stealthed
    MoonPie..............25685............stealthed
    MoonPie..............25686............stealthed
    Subseven............27374............stealthed
    BO.....................31337............stealthed
    Infector..............34763............stealthed
    Infector..............35000............stealthed
    GiFt...................123................closed

    We have determined there are no open Trojans' ports on your system. But the following ports we scanned are non-stealthed: 123.

    Although these ports are non-stealthed, they are not open, so your system is not infected. However, having non-stealthed ports on your system means your computer can be "seen" over the Internet. This makes your system a potential target for remote attacks.

    Recommendation:
    The absence of a Trojan horse on your system does not mean this problem cannot happen, of course. Anti-virus and/or anti-Trojan (we recommend Tauscan or PestPatrol) software should be installed and used on your system. If you already use this type of software on your system, its virus definitions (virus database) should regularly be updated. If you have a firewall, check if it is set to make all your computer ports stealthed.

    (Nearly the perfect score on all the tests - just port 123 closed instead of stealthed - I wonder why just that port? And how does one stealth it?)
     
    Last edited: Sep 9, 2005
  9. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Well, in conclusion kerio took everything that pcflank could throw at it and finished the bout a worthy winner :D
     
  10. Anonymous111

    Anonymous111 Guest

    @toploader -

    Look at this page:

    http://www.seifried.org/security/ports/0/123.html

    quote:

    Firewalling recommendations: Allow port 123 inbound to known public time servers only, incoming traffic that is part of an established connection should also be allowed. Outgoing connections should be allowed, although it may be advisable to block and force systems to use an internal NTP server(s) in order to ensure synchronization.

    Attack detection: Inbound NTP traffic to anything but known time servers is most likely an attack.

    end of quote

    So I guess this is a good explanation on that port ;-)
     
  11. yogishree

    yogishree Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    871
    Location:
    Chhattisgarh-India
    I get the same results regularly with Kerio 2.1.5. I get excellent results with GRC's tests also.

    This is definitely an issue and widely accepted as such. However, I really do not know to what extent home-users, like most of us, are affected by this. But let us remember that PCFlank's tests include at least 6 tests dealing with different types of malformed/invalid fragmented packets, and if the system continues to show "stealthed" after these tests then, maybe, we don't have much to worry about on this account.
    :)
     
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    OK, there has been much talk about leaky firewalls on this forum so I downloaded the GRC leaktest and executed it.

    Kerio 2.1.5 immediately notified me that it was trying to connect to the GRC site and gave me the choice to permit or deny - I chose deny and leaktest confirmed it was unable to connect. I then repeated the test, this time choosing permit to allow leaktest to connect, just to confirm that it was kerio that was stopping it.

    Result - kerio's outbound protection passes the GRC leaktest.
     
    Last edited: Sep 9, 2005
  13. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Last edited: Sep 8, 2005
  14. Anonymous111

    Anonymous111 Guest

    You're welcome - and thanks for the test ;-)
     
  15. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  16. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    GRC - Shields Up - File Sharing Test....

    Attempting connection to your computer. . .
    Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!


    Your Internet port 139 does not appear to exist!
    One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

    Unable to connect with NetBIOS to your computer.
    All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
     
  17. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  18. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Certainly one of my favorite firewalls, but I noticed, after checking the firewall log one time after running this test, that only 2 log entries were listed. When I run the same test now using CHX-I, I get 13 entries in the log (5+2+2+2+2).
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Noway, can you post screenshots to compare the results?

    thanks,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  20. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I just installed Kerio 2.1.5 and disabled CHX-I, ran the test with Kerio and made the following screenshot. Logging on all TCP/UDP/ICMP was enabled in Kerio for this test, including "Log Packets Addressed to Unopened Ports".


  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It looks like you have other packets including ACK (Acknowledgement code) set to log in CHX.

    If you check "Log suspicious packets" in Kerio you do the same. (Kerio calls them "attacks") - see image below.

    I just checked it to get an example. I normally keep it unchecked because it bloats the log.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

    Last edited: Sep 27, 2005
  22. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Thanks for the fix!! I'll keep that option checked next time I try Kerio.
     