Kerio/Other firewalls

Discussion in 'other firewalls' started by geninblaze, Mar 31, 2005.

Thread Status:
Not open for further replies.
  1. geninblaze

    geninblaze Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    15
    I have a quick question (ima newb) that is, I use McAfee's Firewall Plus 2005. Is that good or bad? What's kerio (i mean like, I know its a firewall but whats so good about it since everyone talks about it). Links please? :rolleyes:
     
  2. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    ya know? a short search woulda given you MUCH more info... this is a really bad-a$$ forum :D
    http://download.kerio.com/archive/
    Select versions 2.1.4, 2.1.5 and 4.1.3 for download.
    If you're on Dialup... you will need 2.1.4 ONLY... it's lightest [and I trust you won't be using Remote Administration if you're on dialup]
    www.dslreports.com ::: HUGE kerio fan club. Navigate into Forums -> Kerio/tiny and search for BlitzenZeus' default replacement rulse [it should be the third sticky]... that's your configuration file...the BEST there is.
    to learn about Kerio... it's help file is the bets.
    Alternate info on Kerio 2.1.4 and 2.1.5... www.geocities.com/yosponge

    For kerio 4... search around this board.

    I gotta run... and my opinion's lengthy.

    v4 :: good firewall for knowledgable newbies... not for "Pros" as it's either heavy or lacks features.
    v2 :: if you're satsified with basic app control... the BEST firewall possible. Doesn't implement SPI. Has a trivial vulnerability. Not supported.
     
  3. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    IMHO , an excellent post !
     
  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    i have been running verison 4 for a while now. i must admit that i am also using outpost though of course not at the same time. i have also used version 2 for a long time. i like version 4 better myself. i like the interface better it is also in my opinion for a newb much easier to understand than version 2. i am only using outpost because of the resources that kerio 4 uses on my machine. usually you will see anywhere between 24-30mb of ram just for kerio version 4. version 2 MUCH lighter but also much more in depth for a newb not recc by me. greta firewall just you will need to learn more rules unless you use someone elses rule set and import it into version 2.
    if you want all the extras like ad blocking and cookie blocking and password protection you will have to use version 4 as version 2 lacks these. and you will also have to use the paid version of 4 as the free one you will not get the extras. but either way the ram usage is still bery high.

    i like kerio 4 very much but would suggest trying outpost also it is very easy to learn while still offering very good protection and as you advance you can get deep into rules.
     
  5. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Hi Z . Was I the one that got you to try Outpost ? Anyway . The 4 version is nice . Everyone talks about how great 2.15 is . Whatever . Much better options are available . As per the original question though , again , No13 told it the way it is . And by the way Z . I have talked about this but , if you missed it , you can knock about 18 megs off of Outpost by simply turning off the logging . Hope that helps . Good luck guys .
     
  6. Arup

    Arup Guest

    I was under the impression from reading the specs on Kerio 2.15 that it does support SPI, correct me if I am wrong.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    Apparently it has some limited SPI but to what extent I'm not sure. It's nothing like the SPI Kerio 4 has, or others for that matter. But it does have SPI or else you wouldn't be able to specify outbound traffic only for your browser without a force allow for the return inbound responses and so on. Or at least that's my understanding of it.
     
  8. Arup

    Arup Guest

    Kerodo,

    Have you checked out Harden-It TCP/IP stack hardener, it has a nice and easy GUI for doing the job instead of the usual reghack interface.
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    Haven't seen it yet, but I will check it out. Thanks Arup...
     
  10. Arup

    Arup Guest

  11. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Just ran Harden-It and I sure feel more secure ^_^ (I also ran Secure-It)

    I've put it on my USB Key just in case one of my friends calls me over to fix their computer :)

    Thanks!
     
  12. Arup

    Arup Guest

    Thanks Kye-U, Harden-It implements MS recommended TCP/IP securing strategy but with its own nice GUI and suggestions, makes it much easier and convenient, one word of warning to those using their PC as ICS/NAT Gateway, don't' select the disable NAT in Harden-It.
     
  13. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    hey hollywood yep i tried op because of your wonderfull comment of it and it is growing on me i just wish i would stop bsod'ing with it. tried everything and still once in a while bing bsod. anyhow my outpost with logging on only usually uses about 8mb of ram it will sometimes jump to about 16-17 ive never seen it higher than that though and usually around 6-9 mb. so i like that and as far as actual surfing kerio on my system is soooo slow to use while browsing the web it slows it very much. op i see no effects at all. just as fast as normal. i tried them all i think now
    jetico
    netveda
    tiny
    lns
    8signs
    sygate (was terrible for me)
    woln't use anything from mcafee or nortons
    netop
    blackice
    theres a few other cant think of now
    and went back to a op and kerio combo, not at the same time though. they work fine together as long as not running them at the same time of course i have seen no effects . and i get the bsod with or without kerio i keep it as a good backup in case of a problem with op. i really wish they would fix this seems to be a known issue around most forums including thier own. anyhow didnt mean to jack this thread just my thoughts
     
  14. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Thanks! :D:D

    @geninblaze
    ZoneAlarm, Outpost and Look'n'Stop are possible replacements if you don't wanna muck around with the settings. As similar to Kerio, outpost and LnS have replacement for default configs available.
    www.outpostfirewall.com ---> Paranoid2000's home base.
    And wilders' hosting LnS forum.
    I hate zone alarm, but some people do like it.
    You may be interested in older versions... send out a new post for older versions of ZA. If you can't find them... Try PMs to ZA fans for links to Zone Alarm's museum.
    They are actually supposed to provide MUCH better protection, GUI, stability, are lightweight and easier to use. Series 2.x and 4.5.x are what your target is.
     
  15. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    Sorry about the BSoD deal . Some people have that problem . It is being looked at . I have never ( knock on wood ) had that problem . And SUPER to hear you only use 6-9 WITH logging . Wish I could do that . You might want to try secure it . Nice program . Harden it is being pushed but , unless you are a server I would not fool with it . No need really . But , try , at least , the one . If you feel really special , try both . Good luck
     
  16. Arup

    Arup Guest

    I have applied Harden-It/Secure-It to both my machines, one a Gateway ICS and other is the client. I am running Kerio 2.15 and feel that Secure-It and Harden-It has only made my system even better in handling attacks, I have faced no connection problems whatsoever.
     
  17. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    After running Harden-it, the K-Meleon home page page wouldn't display correctly. Nor could I access any posts on the KM forum. Running Harden-it again to reverse the changes didn't have any effect, and I had to use system restore.
     
  18. Arup

    Arup Guest

    Both the pages you mention works fine here on two of my PC with either Opera or FF, I dont use IE.
     
  19. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    It's quite possible that the SPI internally is exactly the same. It's just that with SPI turned on in 4 you are not prompted for inbound requests (with the same TCP sequence number?? or UDP packets received within a set time frame of sending some outbound??). I believe the implementation is "packet-level" as in the Paranoid2000 definition ( https://www.wilderssecurity.com/showpost.php?p=299171&postcount=27 )

    This is yet another reason why I've been planning to do for some time now an extensive test like http://www.spitzner.net/fwtable.html to see how consumer firewalls actually implement things like SPI.
     
  20. geninblaze

    geninblaze Registered Member

    Joined:
    Jun 17, 2004
    Posts:
    15
    Thanks I've got kerio, works nicely
     
  21. Arup

    Arup Guest

    About Stateful Packet Inspection, some more observations if I may, if enabling NAT/ICS, Jetico needs its Stateful Packet Inspection to be turned off for TCP/UDP as it has no special ICS mode on its' own unlike Kerio, Zone Alarm Pro, NetVeda, Tiny and others. How much impact this has on the overall security remains a question, I had asked Jetico techs on this and their take was that even though SPI was disabled for TCP/UDP, the filtering would take place in kernel level. I have mentioned this before in other posts so I apologize for being redundant, although in this age of routers, NAT/ICS is surely on its way out so the need for a stealth-ed ICS firewall probably wont' be needed anymore.
     
  22. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    I suggest reading some or all of the posts below about NAT/SPI; this might shed some light on why they have done things this way:
    http://www.dslreports.com/forum/remark,12594054
    http://www.dslreports.com/forum/remark,12010843
    http://www.dslreports.com/forum/remark,12005278
     
  23. Arup

    Arup Guest

    Ghost,

    Thanks a lot for the link, quite interesting reading, correct me if I am wrong but there seemed to be no general consensus evolving from all those posts, even though NAT was deemed to be superior in terms of a software based firewall,yet many holes were also found in NAT boxes implementation of protection. As soon as I get a broadband here, I intend to get a nice router from 3Com or Multi-Tech, but for now, I need a good firewall which would do SPI with ICS, am not worried about outbound protection for that matter.
     
Loading...
Thread Status:
Not open for further replies.