Kerio 4 Connections Tab

Hi, using Kerio 4, have a question about the connections tab. In the following picture...
http://img250.imageshack.us/img250/7899/connectionscr4.gif

...I've underlined the connections that I do not understand. One is from System, the other LSASS. Both show local point as ALL and remote point as ALL.

Can anyone explain this? They seem quite worrying to me, as I've unticked the option to show local connections, so that can't be it!

 

47 is P2PTP

http://support.microsoft.com/default.aspx/kb/241251
http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol

and 255 is IANA reserved for network broadcast and stuff , should be reserved/invalid for anything else ...

if i'm wrong i'm sure some expert gunna erase me from matrix

 

Hello PetersonSymthe, Welcome to Wilders.

I do not know your full setup, or what connection type, or what is needed on your system setup. So just an overview.

From the protocol 47, yes, this is GRE and used with Tunneling (point to point). There is a setting in open kerio -> Network security-> Predefined-> Virtual Private Network,.. set this to deny in Trusted and Internet.
lsass.exe, this is used for the windows IPsec services and will normally use ports 4500 and isakmp(port 500)

I see you have alg.exe on TCP, do you know what is using this? as it should really not be needed running on your system.(some software can/will use this to download)

I also see you have avp.exe running, this I presume is KAV6. If this is installed, and you have the web-AV active then outbound connections will be running through this, so you would need to tighten rules to fully control the localhost comms.

You may want to take time at looking at "hardening" your system (particularly if you are connected directly to the internet (not behind a router))
We will also need to check your firewall settings if you are using KAV web AV.

 

(ALG)application layer gateway is used for ICS(internet connection sharing), and when running will invisibly redirect/proxy ftp traffic. Another example of this is the dnsclient(dnscache) service does the same thing for all dns requests, you just don't notice it. If either the XP firewall, or internet connection sharing needs to be enabled then alg needs to be running, otherwise you can stop and disable the application layer gateway service without any conflicts in most cases. If you disable the service you need to remember to enable it again to make ICF/ICS work. -- Many programs will invisibly redirect traffic in a proxy, and more commonly anti-malware software is doing it to prevent manual configurations in software.

Lsass deals with security services, and 99% of users can't disable it as its a needed service for local function. There are side effects from disabling the services connected to lsass.

System runs many services, you have netbios, and rpc listening. Netbios is easy to disable in your network adapters, don't disable anything rpc unless you know what your doing, it can have very negative side effects.

All services have dependencies you can look at, even your firewall is run as a service.

I say just let you firewall do its job, and leave them alone before you could cause problems. Windows NT operating systems started as servers, and then became a home OS after 9x had glaring security issues when it came to user security. They just don't include many of the group policy, and real server applications in the home version.

 

In all my setups with ICS (for support issues), I never have alg.exe service enabled, and ICS functions correctly. It is the 3rd party programs that may use this service for ICS.

there is no dependancy in the windows firewall/ICS service shown for alg.exe

I did not mention disabling this service, although I do on my own setup. A lot of firewalls with default rules will allow all comms for this service, when most is not needed.

This would depend on the firewall being used. I have seen too many firewalls with default open rulesets for windows applications, that all service ports are left open.

 

Thanks for the replies.

Disregarding what the services are used for, can you explain what the underlined parts of the screenshot mean, the ALL/ALL lines. This is in Kerio 4, on a fresh install of windows, without ICS/WinXP Firewall, and nothing else installed other than firefox and AOL antivir. I connect to the internet using a Speedtouch 330 modem on ADSL, and am not on a network of any sort.

I have Kerio 4 set up as per instructions to turn it back into as much of a rule based firewall as possible, and am using a download of BZ's excellent ruleset.

I'm just curious as to the parts of that screenshot that I underlined, presumably its just a peculiarity of Kerio 4's connection reporting. On most other connections the local point is specified as localhost, and when a port is listening the remote point is stated as ''-----''. This is what makes me wonder about these two connections, with local and remote points both being stated as ALL, in contrast to the convention I stated previously.

As I have 'predefined' disabled in Kerio, I assume that an 'advanced' rule to block VPN would just be to set port 47 as denied in both directions? Is this necessary?

Also, I presume that reports on sites like http://www.liutilities.com process library that state :

are just a combination of poor wording and disinformation?

Again, my main query is regarding the ALL/ALL report in the screenshot, however thank you both for your help and time.

 

In regards to alg.exe, I can also say that I have it disabled on all my computers and have not experienced any negative effects. However, I do not use ICS, nor do I use the Windows firewall.

If you are familiar with services.msc you can look at the dependancies of all services. This, along with "services" info/recommendations found at a site like http://www.theeldergeek.com can help you learn more about them.