Kerio/Other firewalls

I have a quick question (ima newb) that is, I use McAfee's Firewall Plus 2005. Is that good or bad? What's kerio (i mean like, I know its a firewall but whats so good about it since everyone talks about it). Links please?

 

ya know? a short search woulda given you MUCH more info... this is a really bad-a$$ forum
http://download.kerio.com/archive/
Select versions 2.1.4, 2.1.5 and 4.1.3 for download.
If you're on Dialup... you will need 2.1.4 ONLY... it's lightest [and I trust you won't be using Remote Administration if you're on dialup]
www.dslreports.com ::: HUGE kerio fan club. Navigate into Forums -> Kerio/tiny and search for BlitzenZeus' default replacement rulse [it should be the third sticky]... that's your configuration file...the BEST there is.
to learn about Kerio... it's help file is the bets.
Alternate info on Kerio 2.1.4 and 2.1.5... www.geocities.com/yosponge

For kerio 4... search around this board.

I gotta run... and my opinion's lengthy.

v4 :: good firewall for knowledgable newbies... not for "Pros" as it's either heavy or lacks features.
v2 :: if you're satsified with basic app control... the BEST firewall possible. Doesn't implement SPI. Has a trivial vulnerability. Not supported.

 

IMHO , an excellent post !

 

i have been running verison 4 for a while now. i must admit that i am also using outpost though of course not at the same time. i have also used version 2 for a long time. i like version 4 better myself. i like the interface better it is also in my opinion for a newb much easier to understand than version 2. i am only using outpost because of the resources that kerio 4 uses on my machine. usually you will see anywhere between 24-30mb of ram just for kerio version 4. version 2 MUCH lighter but also much more in depth for a newb not recc by me. greta firewall just you will need to learn more rules unless you use someone elses rule set and import it into version 2.
if you want all the extras like ad blocking and cookie blocking and password protection you will have to use version 4 as version 2 lacks these. and you will also have to use the paid version of 4 as the free one you will not get the extras. but either way the ram usage is still bery high.

i like kerio 4 very much but would suggest trying outpost also it is very easy to learn while still offering very good protection and as you advance you can get deep into rules.

 

Hi Z . Was I the one that got you to try Outpost ? Anyway . The 4 version is nice . Everyone talks about how great 2.15 is . Whatever . Much better options are available . As per the original question though , again , No13 told it the way it is . And by the way Z . I have talked about this but , if you missed it , you can knock about 18 megs off of Outpost by simply turning off the logging . Hope that helps . Good luck guys .

 

I was under the impression from reading the specs on Kerio 2.15 that it does support SPI, correct me if I am wrong.

 

Apparently it has some limited SPI but to what extent I'm not sure. It's nothing like the SPI Kerio 4 has, or others for that matter. But it does have SPI or else you wouldn't be able to specify outbound traffic only for your browser without a force allow for the return inbound responses and so on. Or at least that's my understanding of it.

 

Kerodo,

Have you checked out Harden-It TCP/IP stack hardener, it has a nice and easy GUI for doing the job instead of the usual reghack interface.

 

Haven't seen it yet, but I will check it out. Thanks Arup...

 

http://www.yasc.net/

In case you need the link, would be interested in your view.

 

Just ran Harden-It and I sure feel more secure ^_^ (I also ran Secure-It)

I've put it on my USB Key just in case one of my friends calls me over to fix their computer

Thanks!

 

Thanks Kye-U, Harden-It implements MS recommended TCP/IP securing strategy but with its own nice GUI and suggestions, makes it much easier and convenient, one word of warning to those using their PC as ICS/NAT Gateway, don't' select the disable NAT in Harden-It.

 

hey hollywood yep i tried op because of your wonderfull comment of it and it is growing on me i just wish i would stop bsod'ing with it. tried everything and still once in a while bing bsod. anyhow my outpost with logging on only usually uses about 8mb of ram it will sometimes jump to about 16-17 ive never seen it higher than that though and usually around 6-9 mb. so i like that and as far as actual surfing kerio on my system is soooo slow to use while browsing the web it slows it very much. op i see no effects at all. just as fast as normal. i tried them all i think now
jetico
netveda
tiny
lns
8signs
sygate (was terrible for me)
woln't use anything from mcafee or nortons
netop
blackice
theres a few other cant think of now
and went back to a op and kerio combo, not at the same time though. they work fine together as long as not running them at the same time of course i have seen no effects . and i get the bsod with or without kerio i keep it as a good backup in case of a problem with op. i really wish they would fix this seems to be a known issue around most forums including thier own. anyhow didnt mean to jack this thread just my thoughts

 

Thanks!

@geninblaze
ZoneAlarm, Outpost and Look'n'Stop are possible replacements if you don't wanna muck around with the settings. As similar to Kerio, outpost and LnS have replacement for default configs available.
www.outpostfirewall.com ---> Paranoid2000's home base.
And wilders' hosting LnS forum.
I hate zone alarm, but some people do like it.
You may be interested in older versions... send out a new post for older versions of ZA. If you can't find them... Try PMs to ZA fans for links to Zone Alarm's museum.
They are actually supposed to provide MUCH better protection, GUI, stability, are lightweight and easier to use. Series 2.x and 4.5.x are what your target is.

 

Sorry about the BSoD deal . Some people have that problem . It is being looked at . I have never ( knock on wood ) had that problem . And SUPER to hear you only use 6-9 WITH logging . Wish I could do that . You might want to try secure it . Nice program . Harden it is being pushed but , unless you are a server I would not fool with it . No need really . But , try , at least , the one . If you feel really special , try both . Good luck

 

I have applied Harden-It/Secure-It to both my machines, one a Gateway ICS and other is the client. I am running Kerio 2.15 and feel that Secure-It and Harden-It has only made my system even better in handling attacks, I have faced no connection problems whatsoever.

 

After running Harden-it, the K-Meleon home page page wouldn't display correctly. Nor could I access any posts on the KM forum. Running Harden-it again to reverse the changes didn't have any effect, and I had to use system restore.

 

Both the pages you mention works fine here on two of my PC with either Opera or FF, I dont use IE.

 

It's quite possible that the SPI internally is exactly the same. It's just that with SPI turned on in 4 you are not prompted for inbound requests (with the same TCP sequence number?? or UDP packets received within a set time frame of sending some outbound??). I believe the implementation is "packet-level" as in the Paranoid2000 definition ( https://www.wilderssecurity.com/showpost.php?p=299171&postcount=27 )

This is yet another reason why I've been planning to do for some time now an extensive test like http://www.spitzner.net/fwtable.html to see how consumer firewalls actually implement things like SPI.

 

Thanks I've got kerio, works nicely

 

About Stateful Packet Inspection, some more observations if I may, if enabling NAT/ICS, Jetico needs its Stateful Packet Inspection to be turned off for TCP/UDP as it has no special ICS mode on its' own unlike Kerio, Zone Alarm Pro, NetVeda, Tiny and others. How much impact this has on the overall security remains a question, I had asked Jetico techs on this and their take was that even though SPI was disabled for TCP/UDP, the filtering would take place in kernel level. I have mentioned this before in other posts so I apologize for being redundant, although in this age of routers, NAT/ICS is surely on its way out so the need for a stealth-ed ICS firewall probably wont' be needed anymore.

 

I suggest reading some or all of the posts below about NAT/SPI; this might shed some light on why they have done things this way:
http://www.dslreports.com/forum/remark,12594054
http://www.dslreports.com/forum/remark,12010843
http://www.dslreports.com/forum/remark,12005278

 

Ghost,

Thanks a lot for the link, quite interesting reading, correct me if I am wrong but there seemed to be no general consensus evolving from all those posts, even though NAT was deemed to be superior in terms of a software based firewall,yet many holes were also found in NAT boxes implementation of protection. As soon as I get a broadband here, I intend to get a nice router from 3Com or Multi-Tech, but for now, I need a good firewall which would do SPI with ICS, am not worried about outbound protection for that matter.