Kerio 2 and CHX-I

Discussion in 'other firewalls' started by Kerodo, Mar 26, 2005.

Thread Status:
Not open for further replies.
  1. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Are you seeing anything in your CHX-I logs that Kerio misses?
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I see stuff in my CHX-1 logs that my router misses. How 'bout that?
     
  3. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'd say it's time for a new router then... :D

So far, I see a few tidbits here in my CHX logs: a few port 110 things that apparently Kerio let in, but CHX says they're "invalid sequence no.". Aside from that, and the frag'd packets, nothing much else...
     
  4. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Time for the ball peen hammer:)
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yeah.... ;)
     
  6. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I'm not seeing much ^_^

    What I'm seeing are probably fragmented packets.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Yeah, same here...
     
  8. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Hi all!
    Kye-U--
Since you are behind Win2k, I can understand that you wouldn't be affected by the memory leaks or slowdowns. Like I said previously in my earlier posts, I am using WinXP Pro SP2. So, it is most likely a driver conflict (assuming, of course). I don't have that issue with ZAP! I have read a lot of posts over at the DSL/Broadband forums that users are reporting issues with BSODs and other problems behind Kerio 2.15 and SP2 (XP Pro).
    Kerodo-
    Kerio also uses SPI for packet filtering (not as good or thorough as CHX-I) but uses it all the same. That could be the reason for the invalid sequence handlers (or your router is also SPI, if you use one). How do you have your rules set up? If you want to test it from behind a router, just place yourself on a DMZ and check both logs and see how and when the traffic is being filtered. Which ruleset is doing it first? If the rule doesn't exist for Kerio, CHX-I will catch it, and so forth. I for one will stick to ZAP, just for the fact that it shows you more info than LNS does on the applications or its components...

    CU
    Jazzie
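As an added illustration, not code from this thread or from CHX-I or Kerio, here is a small Python model of the stateful check behind a log entry like "invalid sequence no.": a connection table keyed on ports, where an inbound segment is accepted only when the host itself opened the connection and the sequence number falls inside the receive window, and everything else is logged and dropped. The POP3 (port 110) packet list is constructed, and the fixed 64K window, the simplified handshake and the use of 0 as a "not yet learned" marker are assumptions of this model.

```python
from dataclasses import dataclass
M = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Conn:
    snd_nxt: int          # next byte our host will send
    rcv_nxt: int          # next byte expected from the peer (0 = not learned yet)
    rcv_wnd: int = 65535  # assumed fixed receive window for this model

class StatefulFilter:
    """Model of SPI: inbound segments need a host-opened connection and an in-window seq."""
    def __init__(self):
        self.table = {}   # (local_port, remote_port) -> Conn
        self.log = []     # what a CHX-I style log would show for rejected segments

    def process(self, direction, lport, rport, flags, seq, length):
        key = (lport, rport)
        conn = self.table.get(key)
        if conn is None:
            if direction == "out" and "S" in flags:        # host opens a connection
                self.table[key] = Conn(snd_nxt=(seq + 1) % M, rcv_nxt=0)
                return "allow"
            self.log.append(f"no state for {direction}bound {lport}<->{rport}")
            return "drop"
        if direction == "out":                              # record what we sent
            conn.snd_nxt = (seq + length) % M
            return "allow"
        if "S" in flags and "A" in flags and conn.rcv_nxt == 0:
            conn.rcv_nxt = (seq + 1) % M                    # learn the peer's ISN
            return "allow"
        if (seq - conn.rcv_nxt) % M >= conn.rcv_wnd:        # outside receive window
            self.log.append(f"invalid sequence no. {seq} from port {rport}")
            return "drop"
        conn.rcv_nxt = (seq + length + ("F" in flags)) % M  # FIN consumes one seq no.
        return "allow"

def run_sample():
    """Constructed POP3 exchange plus two stray inbound segments; returns (decisions, log)."""
    packets = [  # (direction, local_port, remote_port, flags, seq, payload_length)
        ("out", 1234, 110, "S",  1000,  0),   # our SYN
        ("in",  1234, 110, "SA", 5000,  0),   # server SYN/ACK, ISN 5000
        ("out", 1234, 110, "A",  1001,  0),   # handshake complete
        ("in",  1234, 110, "PA", 5001, 20),   # "+OK POP3 server ready"
        ("in",  1234, 110, "PA", 90000, 10),  # seq far outside the window -> logged
        ("in",  1235, 110, "PA", 5021, 10),   # port with no connection state -> logged
        ("in",  1234, 110, "PA", 5021,  5),   # the next expected segment
    ]
    f = StatefulFilter()
    return [f.process(*p) for p in packets], f.log
```

Running the same packet list through two such tables, one per product's rule logic, is the "which ruleset catches it first" comparison described above.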
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jazzie - I don't use a router here.. just straight cable. I'm doing pretty well with Kerio and CHX-I, but that CHX-I with ZA combo sounds interesting. That way you're using CHX-I to the max benefit, with a little app control also. Sounds good.

    I've also got half a mind to just run CHX-I by itself and skip the app control altogether.. Maybe next week... ;)
     
  10. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I'm using Windows XP Professional SP2 ;)

    No BSOD for me here with Kerio 2.1.5 :D
     
  11. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Kerio 2.15 has run for weeks without conflicts here, XP Pro SP2, no BSOD's.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    The only firewall I've EVER had a bsod with was Outpost, and that was because I still had Kerio installed (even though disabled) when I installed it, so it was user error...
     
  13. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
I didn't get any BSODs either when running Kerio 2.15 and CHX-I. The only thing I experienced is memory leaks and lag. There are some people that reported BSODs while playing games and such (memory usage).. I also had a chance to try the Sygate (free) version. I wasn't successfully able to disable the firewall and have only app filtering, which I expected anyways! But, had to try... ZA & ZAP work very well, so does Alert Wall... For me, the use of Kerio also makes for 'double filtering' (first by Kerio, then by CHX-I; same goes for using Sygate), which to me is OK (overkill). I only want traffic filtered through CHX-I and that's all. Besides, the app control in ZA & ZAP is by far better! ;) But, to each his/her own! If you like Kerio and it is working for you, super! Maybe someone would have adverse effects with ZA or ZAP on their system while using CHX-I in tandem.

    CU
    Jazzie
     
    Last edited: Apr 2, 2005
  14. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Running ZA is a lot of resources just to get app filtering. I wonder how it does under heavy usage with multiple P2P connections.
     
  15. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
If you are referring to BitTorrent, forget it! :) ZA is not heavy on resources (at least on my end!) But, like I said before, feel free to test it!!! I for one won't be caught using BitTorrent, ever! It is either one to one (p2p) or nothing. IRC is the way to go! :D

    ZA would only react on the initial client anyways wanting to connect, after that, CHX-I would do all filtering! ;)

    CU
    Jazzie
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Jazzie1,

    Perhaps you have mastered IRC, but from the research I have done IRC is generally considered to be risky either due to possible misconfiguration or scripting problems. Kaspersky lists Mirc 3.16 as "not a virus, Riskware". They have had complaints about this from IRC users, yet have stood firm. If I recall correctly, the enterprise version of McAfee AV is set up to block default IRC ports out of the box (assuming that module is active).

    With regard to bittorrent, as I have mentioned before, it is now being used as a mainstream method of distributing larger software upgrades. These include many Linux ISO images and X-Plane flight simulation software, to name a few.

    Although you mention some have had a problem with bittorrent, I have yet to see any mention of that anywhere other than from you, and as a regular bittorrent user I am on the lookout for any possible exploit. Perhaps you can provide a better explanation of where the vulnerability lies in bittorrent, or some links to third party information discussing why IRC is safer than bittorrent.
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Jazzie - Tried your CHX-I/ZAP combo today and it does indeed work very well. I'm using an older (hopefully lighter) version of ZAP 2.6.362, without all the extra bloat/features. Turned the firewall off and app control works well. Still, even so, ZAP is using a total of 15 megs of ram (8 for the gui and 7 for the service).

    The question I have now is, do I really need any app control at all? I'm still debating on this one, but I have a feeling I might opt for no app control and just run CHX-I alone now.

    Am also trying out Treewalk DNS and finding it very interesting. Works well with CHX-I, and seems to solve some DNS problems I had been having (slow lookups, slow ISP DNS servers). Pretty nice product. Uninstalls cleanly, restoring services and removing folders/files and so on. Treewalk uses about 6 megs of ram, not too bad for improved DNS lookups and caching..
     
  18. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    Let me throw a bit on the app control fire:

    Chances are if you have an app that phones home, you can deal with it some way other than a firewall, often with a host file entry.

    If you want to plug all outbound leaks as a last ditch way of detecting a trojan that gets past an AV, remember, you had to do something to let that trojan on, and there are lots of other ways to find it. When was the last time your system got infected by something an AV did not detect and you did not realize it immediately? In my case, the answer to that question is never.

    There are several ways around firewalls other than fooling the firewall into thinking an authorized application is trying to communicate. The most powerful would be installation of a communications driver as Stephan explained. There is also outright termination, which seems simple enough. There are script based mouse/keyboard exploits to answer yes to each warning. Several firewalls resist the script attack if there is a password on the settings.

    I often see posts that go like this: someone asks if they need a software firewall. They are behind a NAT. They get an answer that what the software firewall brings to the table is outbound application control.

    Not one mention is made about the possibility software firewall making any improvement in security apart from application filtering. The packet filtering side of things is assumed to be the same across the board, because that is hard to test, but any amateur can do leak tests and see a difference there.

To the extent that trojan writers are going for the low hanging fruit, those systems with no firewall or the SP2 default, then application filtering might offer some comfort. But somehow, I think these are the same trojans that an AV will catch right off. The determined sneaks will probably use the communications driver strategy, because it can beat anything, unless there are measures in effect to prevent its installation. And once you have prevention, the whole leak thing becomes irrelevant.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Well, I'm running CHX-I now, with no app control, and loving it.. I guess that just about sums up my present feelings about it... ;)
     
  20. Jazzie1

    Jazzie1 Registered Member

    Joined:
    Dec 5, 2003
    Posts:
    174
    Kerodo-

Thanks for trying out the ZAP and CHX-I combo. But I must say, that 15 megs is quite high!! Mine is 7 megs for the service and 2 for the client. So, that is acceptable. If you tried the most recent version, you just had to turn off all you didn't want. Plus, you can't set the application control to high in the free version. But since you are without an application filter at the moment, it doesn't matter!!! :)

Diver--

    I understand what you are talking about, having a malicious program installing itself (protocol driver) onto your system and communicating at will without any notice to the application at hand. I for one ONLY use a form of application control because I want some (any) control on what calls out. Not that I am infatuated with leak tests. I have a good AV/AT combo and practice good common sense on where to surf and what to open! Apps calling home was only a small concern...
    The only reason I use ZAP is that the component control and the advanced application filtering is one of the best I've seen in a personal firewall (seen and tried them all) at the moment. It really works well. (At least the Pro version does, set on high filtering.) I just didn't like ZAP because of the way it handled packet filtering (CHX-I does that now). And it is a bloatware product!
    (ZA) So in the end I am happy with its workings as being an app filter only...

    CU
    Jazzie
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Next time I'll try the latest ZA Pro. I have a license and might as well use it. Maybe that one will use less ram. Right now I'm satisfied with CHX-I alone though. For the moment anyway... ;)
     
  22. pjb024

    pjb024 Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    351
    Location:
    Leeds, UK
    I have been following this thread with interest for some time. For what it's worth I happen to think that the current emphasis on passing leaktest is overrated. Prevention is the key element of security in my opinion. That means having a good AV and firewall. I am using CHX-I alone and it is one hell of a good packet filter .. thanks to Stefan for that.. it meets my needs by keeping out the would be hacker. The greatest vulnerability is you yourself and your surfing habits. Be aware and be safe.

    Kerodo ... CHX-I rocks!
     
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Great minds think alike.
     
  24. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    So, what was the final verdict? Can CHX-I be successfully used, when properly configured, to enhance security when used in conjunction with Kerio 2.1.5? Or is that just asking for trouble?

    Phil
     
  25. Arup

    Arup Guest

    CHX with proper ruleset remains the tightest SPI incoming firewall out there, combine it with Kerio or older ZA 4Plus and you have yourself the best security.
     