Kerio 2: Listening state; Opened connections at localhost

Discussion in 'other firewalls' started by Rmus, Oct 10, 2007.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Regarding comments in other Kerio threads about Ports and Kerio's "listening state" as shown in the "Opened Connections at localhost" display:

    First, you don't even need a firewall for inbound protection if you have all ports closed by the OS, as proven by myself and others who ran/published tests.

    Not to be recommended, of course, since Services and other applications require open connections. How does Kerio protect you and report all of this?

    I'll use an example of my PIM, IS.exe, which uses Port 8000. Here, it is running, and Kerio shows it "listening":

    [Image: kerio-logISlisten.gif]
    _________________________________________________________________

    Just because a Port is in a "Listening" state doesn't make it vulnerable, for Kerio watches to see if inbound attempts match the rule. Here, a probe to Port 8000 is blocked:

    [Image: kerio-log_1.gif]
    _________________________________________________________________

    Probes to Ports 8080/8000 are common - they are used by Java2EE. When no application on the OS is listening on a Port, Kerio lists "No Owner," as seen above for Port 8080.

    If I close IS.exe, Port 8000 is listed as "No Owner":

    [Image: kerio-log_2.gif]
    _________________________________________________________________

    I've used a final "Block All" rule in this case. But what if you don't have such a rule? Are you vulnerable?

    Kerio responds in different ways.

    If a Port is in "Listening State" then Kerio alerts:

    [Image: kerio-logISalert.gif]
    __________________________________________________________________

    If I close IS.exe, then Kerio automatically blocks a probe to an unopened Port, and logs thus:

    [Image: kerio-logUnopened.gif]
    __________________________________________________________________

    So, you are not vulnerable without a final "Block All" rule. All such a rule does is eliminate the constant nagging by probes to your ports in "Listening State;" otherwise, you have to create separate rules for those Ports.

    There is a common perception that Kerio 2 is for advanced users only. I totally disagree. All that is required is a basic knowledge of networking terminology - a mistake that I made at first years ago.

    I've observed people with difficulties in attempting to use Kerio by starting out with someone else's ruleset. This is like copying another's math homework. It won't prepare you for the examination.

    I've been successful with general users and Kerio in basic internet connections. Watching Kerio prompt for rules is very instructive and a wonderful teaching aid.

    As a person "advances" to running a network, P2P and other such stuff, accordingly his knowledge will become more "advanced" as required.

    But you don't have to be a "techie" to use Kerio for basic internet protection.

    -rich
     
    Last edited: Oct 10, 2007
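
The outcomes described in the post above (rule match, final "Block All" rule, alert on a listening port, automatic block on an unopened port), modelled as an added example that is not part of the original post and is not Kerio's code. The listener table, probe lines and rule tuples are constructed, hypothetical formats.

```python
import re

# Constructed listener table (proto, local address, state, owner); not Kerio's format.
LISTENERS_TXT = """\
TCP 0.0.0.0:8000 LISTENING IS.exe
TCP 0.0.0.0:135  LISTENING svchost.exe
"""

# Constructed inbound probes: protocol, remote address, local port.
PROBES_TXT = """\
TCP 203.0.113.7 -> 8000
TCP 203.0.113.7 -> 8080
TCP 198.51.100.22 -> 135
"""

def parse_listeners(text):
    """Return {(proto, port): owner} for every socket in the listening state."""
    table = {}
    for m in re.finditer(r"^(\w+)\s+\S+:(\d+)\s+LISTENING\s+(\S+)$", text, re.M):
        table[(m.group(1), int(m.group(2)))] = m.group(3)
    return table

def parse_probes(text):
    """Return [(proto, remote_ip, local_port)] from the probe lines."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in re.finditer(r"^(\w+)\s+(\S+)\s+->\s+(\d+)$", text, re.M)]

def classify(probe, listeners, rules, final_block_all):
    """One probe's outcome; rules = [(proto, port, action)], first match wins."""
    proto, _remote, port = probe
    owner = listeners.get((proto, port), "No Owner")
    for r_proto, r_port, action in rules:
        if (r_proto, r_port) == (proto, port):
            return owner, f"{action} by rule"
    if final_block_all:
        return owner, "blocked by final Block All rule"
    if owner == "No Owner":
        return owner, "blocked automatically (unopened port)"
    return owner, "alert: no rule for listening port"

def report(rules, final_block_all):
    listeners = parse_listeners(LISTENERS_TXT)
    return [(p, *classify(p, listeners, rules, final_block_all))
            for p in parse_probes(PROBES_TXT)]

if __name__ == "__main__":
    for row in report(rules=[], final_block_all=False):
        print(row)
```
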
  2. Jarmo P

    Jarmo P Registered Member

    Good post.
    Very clear also due to the pictures included among the words.
    Something anyone new to Kerio 2.1.5 or software firewalls in general should read.
    Thanks Rich.
     
  3. ccsito

    ccsito Registered Member

    Hmm... this seems to run counter to some of the posts that I previously read on Kerio 2.1.5. o_O :doubt:
     