DavidGGG (Member)

[Kerio 2.x] Kerio 2.1.5 "for Dummies"

I made some small edits to BZ's rules to make Kerio 2.1.5 work in households with children and wives, and even for network novices, and it'd be interesting to hear what y'all say about it. I have no local network and run Windows XP Pro SP2. My edits:

RULES:
* Removed alert for "DNS alert" (i.e., only logs now) since it triggers quite often (I heard P2P programs sometimes try to use port 53 to fool the local firewall; anyway I don't feel I can make any intelligent choices when these alerts occur, so they are just annoying)
* Removed logging of "NetBios Block" (first occurrence) (see comment below)
* Added "Block all inbound (no log)" at the end (see comment below)

SETTINGS:
* Firewall|Advanced|Microsoft Networks: unticked (due to bug - see firewallleaktester.com headline "Kerio crashes after applying Windows Worms Doors Cleaner", posted by BlitzenZeus)
* Firewall|Administration: enabled admin password, since I learned it makes it harder for hackers to take over the computer (also protects against family members..)
* Possibly uncheck "Enable DNS resolving" and/or check "don't resolve domain names" if bittorrent client is used (bug mentioned in uTorrent.com faq which may cause Kerio to use 100% CPU, but it seems to address problem with newer Kerios, not 2.1.5, so maybe it's not necessary)
* Setting Kerio to run as a "service" (not as a mere application) as mentioned in another post in this forum seems like good advice - however, on my PC, Kerio was a service by default. All I had to do was make sure "start Firewall Engine automatically on Windows startup" in the Kerio settings was selected. (Possibly, being logged into Windows as an administrator during Kerio setup helps, should you have a problem with this.)

COMMENTS TO MY RULES CHANGES AND SETTINGS:
The reason for removing the logging of very frequent events is mainly that on my old computer (which was Win98) Kerio actually crashed because the log file size got too big, but I also don't feel I have a need for logging stuff that occurs several times each day which I still don't want to do something about or even read about. Using P2P, the log will get enormous quickly..

The goal of these changes is to maintain a high level of security and to get hit by Kerio popups very rarely, probably only when some new application is installed, making it comparable to ZA Free or Norton in ease of use and security level. Maybe my grandma and her dog still can't run it 100% perfectly, but if they answer any questions to the best of their knowledge (meaning "yes" if they just installed a new program and "no" otherwise), it will be at least as good as most other firewalls I think (I could visit them once a year and look at the latest entries in the filter settings and maybe optimize them a bit to make it even better).

Regarding rules, I also made sure each used application is allowed for the applicable protocol(s) only, and, for incoming stuff, made sure local port was specified (for P2P programs etc). I also exchanged the "Unrestricted DNS" rule for specific rules for my primary and secondary DNS. But that's all part of BZ's recommendations. (Cf. comments below on "leak tests".)

A COUPLE OF RELATED SECURITY CONCERNS:
1. Once (before I had Kerio) I got a trojan as a java plugin in Firefox. I wonder: Would Kerio (or any other firewall) detect this? Being a plugin (i.e., a file in a Firefox folder) it does not affect the firefox exe file and thus isn't detected with the MD5 code, right? I have settled my mind on this by disabling java in Firefox (I don't ever use it anyway). And I use Firefox, not IE, mainly, it feels much safer.

2. Firewalls such as Jetico (which are extremely user-unfriendly: they ask 100 questions each day, for which the answers can be known only by network/PC experts with 20 yrs experience) have specified more in detail what ports and protocols are to be used by for example e-mail programs in their rules. Will this increase security? To my understanding, e-mail communication starts with my computer's e-mail client sending a request and waiting for the corresponding response, so it should not be vulnerable to any attacks since it never replies when not having asked for the incoming data by itself first. If so, it sounds safe enough to me. I would love it though if someone could explain in detail how this works, and thereby explain why for example e-mail clients and web browsers have just outgoing connections allowed in Kerio and still, evidently, incoming data is let through.

LEAK TESTS:
Which firewalls are good and which are not seems to be very hard to get a grip on - opinions are flowing and normal persons don't have the knowledge to argue and end up following any advice they hear - which is often contradictory and misleading. The most accepted way to get a measurement on a firewall's quality is by using so-called "leak tests" - this should at least be more "scientific" and unbiased, not just a bunch of vague opinions and hearsay. Sounds reasonable, right? Well it's not as great as one might think. A couple of examples to prove my point:

Two of the most well-known collections of leak tests are found at matousec.com and firewallleaktester.com. Look at the judgement on the two popular firewalls Comodo and Look'n'Stop: According to matousec.com, Comodo is best of all firewalls (9475 points of 9625 possible), and Look'n'Stop is "Poor" (only 4800p). Still, according to firewallleaktester.com, Look'n'Stop is the second best firewall (score "74%"; the best score was 85%), and Comodo got only 35%, which is at the lower end of the table. Amazing, don't you think? And one more thing:

One firewall which both testers agree is among the best is Jetico. I've tried it, as I mentioned, and my conclusion is that it requires enormous amounts of knowledge and patience due to all the overly technical questions it keeps asking - and if you give an incorrect reply to one of these hundreds of questions (and you will), then the firewall may well work like crap. I believe even ZoneAlarm or Norton is better than having Jetico with bad rules.

Kerio 2.1.5 is often dismissed as being "old", and for example ZoneAlarm wants you to update their free version regularly - why? I don't think firewalls are prone to getting old, at least the perspective is years, not weeks or months. It's not like anti-virus programs, which should be updated almost daily. For a firewall to get old and need an update or a replacement, someone will have to make a major change to how the internet works - major enough so that a simple rule update can't fix it. And this probably is extremely rare. (IPv6 may be coming up eventually as a problem for Kerio 2.1.5, that's the only thing I've heard that's worth fearing, and that won't happen the next few years, it seems.)

A firewall's classic No.1 task is to filter traffic based on IP, port, protocol and application, and task No.2 I'd say is to try to prevent software already inside your PC from reaching the internet. The leak tests mentioned are all about "task No. 2". But I think much of task No.2 might as well be covered by an anti-virus or adware program, not the firewall.

Kaspersky's anti-virus is known to be very secure, hassle-free and low on resources (and I agree), and it also covers adware better than most, but their firewall isn't rated very high. For fun, I ran all the leak tests at matousec.com while protected by Kerio 2.1.5 combined with Kaspersky Anti-Virus 6.0, and the result was 7475 points, which is at the lowest end of a "very good" verdict, and thereby beating most well-known firewalls such as F-Secure, Outpost Pro, Sunbelt, Look'n'Stop, Norton, McAfee, ZoneAlarm Free and AVG. I should say that most of the score was due to Kaspersky - as I said before, the "classic task No. 1" performed by Kerio is almost not tested by these leak tests, so if I should try the tests with Kerio alone, the result would be a few hundred points only. (I should also mention that it's sometimes hard to decide if a specific leak test has passed or not, especially if it doesn't even seem to start, but 7475 points is my assessment of what is closest to the truth. Ask me for details if you're interested.) The other firewalls I've considered are Comodo, Kaspersky and Look'n'Stop, but when scrutinizing them more closely, I prefer Kerio 2.1.5 after all.

AM I SAFE NOW?
There ARE drawbacks and security holes with Kerio 2.1.5 (as with all firewalls and internet security programs). For one thing, Kerio doesn't seem to protect itself too well - it is possible to delete or modify all files in the Kerio directory while Kerio is running (except the .exe), which after next reboot will make Kerio fall back on some default configuration and also lose the password. (Kaspersky has some built-in self protection, but I can still alter or delete its files - shouldn't that be included in "self-protection"?)

On »fileforum.betanews.com/r ··· 3/2/view someone warns that Kerio 2.1.5 will crash the PC if you use it in a P2P application for a long time with >65535 socket open/close (at least on Win2000, but Win2000 is very related to WinXP). Still, I think that test is probably very extreme and nothing to worry about - I have run K2.1.5 for days with P2P with no problems. I only have a 250kbps line though - maybe it could be a problem with faster connections?

Six of the Matousec leak tests weren't stopped by Kerio+Kaspersky (namely Coat, DNStester, Ghost, Runner, Surfer and Wallbreaker). Still, no firewall passes ALL these tests, and some tests test the same thing (for example, if you're vulnerable to the attacker using "Direct Data Exchange", you may fail at least 8 tests due to this, including so-called FPR tests, which will give 8*125=1000 points drop just because of this one flaw.) And the tests are often quite advanced and can seem almost far-fetched - on some of them, it's been commented that "this will never occur in real life". I can believe that sometimes. Still - try running the leak tests yourself, and you will get a creepy feeling when you note the test just managed to send data from your PC to a computer on the internet, and your firewall and anti-virus didn't even notice!

By the way, replacing the "Unrestricted DNS" rule with specific rules for my primary and secondary DNSes didn't affect any leak test scores. And I tweaked the Kaspersky settings a bit too, which gave me a couple of hundred of the mentioned points (ask me if you want to know more).

So maybe we should all have a sense of being insecure, and expect our PCs to be taken over or crashed at any minute? Yes why not - since we're all stupid enough to buy PCs with Windows on it. But hey. What I think is the number one piece of action to make a PC secure enough is: learn enough basic stuff about how your computer works to feel certain that you don't introduce any virus in the first place. What I mean is:

a) Whenever you input a file to your computer (via e-mail, CD, downloading, whatever), make sure it's trusted before executing/opening it, and if not: virus scan it before opening it. Use Kaspersky's Online Scanner if you don't own an anti-virus program. Some files can never be dangerous (text files and pictures, at least). Files opened by Office programs are safe provided you set the security level within the office programs to warn you if they include VisualBasic macros. You should also make sure file extensions are visible in Windows, so that you may learn which extensions belong to which documents (and specifically avoid opening stuff that has double extensions like .txt.exe, and be wary of .EXE, .COM, .BAT, .CMD, .VBS, .BAS, .JS, .REG, .SHS, .PIF, .SCR, .DLL). I used to believe movies and audio files are safe too, but these are often so-called container files (for example .AVI, .MOV and .WAV) and I've seen myself one of them starting a download of an exe file in a browser window (I think it was a .MOV movie but it might have been another type of movie container). PDFs can contain so much crap these days too that I'd only trust it after having disabled scripts and external links in Adobe Reader first (and why not use Foxit instead of the annoying Acrobat/Adobe).

b) Never run Microsoft products without having the latest security updates. For example a couple of years ago Internet Explorer had a vulnerability which meant that if you browsed a page with a certain kind of JPEG picture on it, the JPEG would cause an overflow, after which IE could be taken over or something (I read Microsoft's description of this, but they avoided stating what could happen). That's scary - the only way to protect yourself against that is to update the programs with security updates (especially when they're new and haven't even gotten their first Service Pack yet). After having installed Office 2003 I downloaded no less than 124MB of "security updates and other major fixes", so they seem to have a whole bunch of issues. I also think you should go through the settings of Internet Explorer in detail. And when hit by "Yes and no" popups in a browser, dismiss it by clicking the X in the corner, since I think they can switch places on Yes and No. And why not replace Internet Explorer and Outlook by something better and safer (like Firefox and The Bat). In addition to Microsoft's programs evidently having a history of low security and bugs, they are also the major targets for hackers and other malevolent people with too much spare time.

This basic security knowledge is more important than both anti-virus and firewalls, I think.

Final reflection: Does a person really need any firewall at all on a home computer (provided it's got a high security level in other respects)? I tried hard to find anyone giving examples on what hassles might hit you without a firewall, and all of them were either ancient or of type "denial of service/flooding", which is a threat to servers and public or business computers but nothing to worry about for normal people. The only uses I can see for a firewall is slightly aiding the antivirus in a couple of cases, namely (a) if the antivirus lets a trojan through, you might be warned by the firewall (although leaktests prove that if it's gotten as far as that, it can often fool the firewall as well - and to get in that situation, you first have to install the trojan yourself by accident, and then also have a bad antivirus program), and (b) provide some "stealth" to make it harder for an attacker to find their way into your PC (like echo requests and port scans - but as far as I can see, an outside user, however aggressive, can not connect to anything in your PC even if he knows the setting of every port and program unless you have a malicious or badly designed program inside the PC in the first place - and then we're back to square 1: you have to accidentally install a trojan or install some malfunctioning program yourself in order to be attackable).

There's a really interesting discussion on »forum.dvdtalk.com/showth ··· t=423526 between "JustinS" (security expert) and "Dead" (sceptic, moderator) regarding whether a firewall is needed at all. At least it makes me feel even more strongly that I surely don't want one of those conflicting, resource hogging and/or user-unfriendly firewalls which are so common. Kerio 2.1.5 for Dummies - that's what I want!

So my basic idea is that (contrary to what some of the grumpier guys usually say) starting out with a good rules set and selection of settings, and having a quite basic home PC with broadband/ADSL, it's not very hard to make Kerio 2.1.5 work fine. Despite the labels "rule based" and "application based", and telling newbies to stick to the latter, Zone Alarm Pro, for instance, requires at least the same amount of work & knowledge during the "learning phase" (which can last for a while..). The goal isn't to be 100% secure - no one is. The goal is to have a high security level, comparable to other professional firewalls/security suites.

If you have a LAN or something, then you can't do like I did. If I were you, I'd read the FAQ by Gwion (et al.) at »Security to be able to modify the rules. Actually, reading this FAQ is good for any Kerio user, to get the basic knowledge to a higher level. And of course reading the Kerio help file.

So. If you don't agree, or have additional comments, I hope you post it here. But if you think I'm wrong on the probably controversial subjects of the general need of a firewall or the idea to use Kerio when you're (almost) a "Dummy", then be very specific and give examples with full details.

/David
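On the question in point 1 above (would an MD5 of the browser's .exe catch a trojaned plugin?), here is an added illustration. It is not code from the thread and not how Kerio implements its MD5 application check: it builds a hash baseline of an application directory, tampers with a plugin, and shows what a check keyed on the main executable alone reports versus a check over the whole tree. The directory layout, file names and file contents are constructed for the example, and SHA-256 is used where Kerio 2.x used MD5.

```python
# Added example (not from the thread, and not how Kerio implements its MD5
# application check): a hash baseline of an application directory, and why
# keying the check on the .exe alone misses a swapped plugin.  The file names
# and contents below are constructed for the illustration.
import hashlib
import tempfile
from pathlib import Path

MAIN_EXE = "firefox.exe"   # assumption: the file the firewall identifies the application by


def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks (Kerio 2.x used MD5 for the same purpose)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, exe_only: bool = False) -> dict:
    """Map relative path -> hash.  exe_only mimics a check that knows the
    application by its main executable and nothing else."""
    if exe_only:
        files = [root / MAIN_EXE]
    else:
        files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): file_hash(p) for p in files}


def verify(root: Path, base: dict, exe_only: bool = False) -> list:
    """Return relative paths that were modified, removed or newly added
    since the baseline was taken."""
    now = baseline(root, exe_only)
    changed = [k for k in base if k not in now or now[k] != base[k]]
    added = [k for k in now if k not in base]
    return sorted(changed + added)


def demo() -> dict:
    """Plant a benign plugin, take both baselines, then tamper with the plugin
    directory and see what each check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plugins").mkdir()
        (root / MAIN_EXE).write_bytes(b"MZ fake browser image")           # constructed
        (root / "plugins" / "npjava.dll").write_bytes(b"benign plugin")   # constructed
        exe_only_base = baseline(root, exe_only=True)
        full_base = baseline(root)
        # The situation from the thread: the .exe is untouched, a plugin is
        # replaced and a second one is dropped next to it.
        (root / "plugins" / "npjava.dll").write_bytes(b"trojaned plugin")
        (root / "plugins" / "npevil.dll").write_bytes(b"dropped plugin")
        return {
            "exe_only": verify(root, exe_only_base, exe_only=True),
            "full_tree": verify(root, full_base),
        }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns an empty list for the exe-only check and both plugin paths for the whole-tree check. The whole-tree check is not free either: every legitimate update of a DLL or plugin will show up as a change until the baseline is refreshed, which is the false-positive problem with hashing DLLs that comes up later in the thread.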
ghost16825 (Premium Member)

Firstly, consider posting your ruleset, with addresses blanked out if you prefer.
said by DavidGGG:
    * Firewall|Administration: enabled admin pwd, since I learned it makes it harder for hackers to take over the computer
Well, somewhat. It prevents 2 of the known 9 or was it 7 Win32 API ways of terminating an application. (Try the termination tool available from »www.diamondcs.com.au yourself)
said by DavidGGG:
    * Possibly uncheck "Enable DNS resolving" and/or check "don't resolve domain names" if bittorrent client is used (bug mentioned in uTorrent.com faq which may cause Kerio to use 100% CPU, but it seems to address problem with newer Kerios, not 2.1.5, so maybe it's not necessary)
Yes, no need to resolve domain names, although they may make logs easier to interpret.
said by DavidGGG:
    2. Firewalls such as Jetico ... Will this increase security?
Yes, somewhat. Restriction on port numbers is good in that it decreases the attack surface a little. Keep in mind that the firewall filters only up to Layer 4 of the OSI model, it knows nothing about data.

Regarding DNS:
You may or may not wish to specify allowed DNS addresses per application, instead of as a global rule. This means applications not in your ruleset will not be able to do DNS resolving. But this means (no. of applications X 2 for primary/secondary DNS servers) rules need to be added, and Kerio 2x seems to perform rule matching on a top down basis, leading to a performance hit.

Regarding incoming/outgoing rules:

Incoming and Outgoing refer to connections initiated by your machine to some external one (outgoing) or initiated by an external machine (incoming). For the TCP handshake, Kerio 2x does not ask questions regarding the ACKnowledgement, as the answer to this is derived from your response to the previous SYNchronize part of the handshake.

Regarding Leaktests:

Leaktests are often a misleading form of firewall testing. Often, they are really testing some kind of Host Intrusion Prevention system/mechanism rather than any filtering of network traffic. Second, often they like to pretend that most home consumer firewalls can filter at layers above Layer 4 of the OSI model and then shout 'ah-ha' when the firewall doesn't filter out the data. See data tunneling using recursive DATA queries.
»[Kerio 2.x] Kerio 2.15 w good rules fails 50% of tests at...

Regarding software firewall environments:

Firstly, part of the problem is that most users run under Windows as root/admin with full privileges. Firewalls need to withstand termination attempts, make sure that permission pathways are authenticated (allow/deny window communication), and if the firewall wants to allow Layer 4 traffic on a per application basis, these applications need to be verified. (Some firewalls also try and verify DLLs associated in some way with the application as well, but MD5 hashing only works if you have a baseline. DLLs also change frequently, making this kind of verification useless due to high false positives).

Widespread use of root privileges is the main reason why more security apps are implementing root-kit-like methods of operation/installation and host intrusion prevention mechanisms. (After all admin/root does mean full privileges). Furthermore, this has led more software firewall vendors away from the purpose of actually filtering network traffic (no-one filters above Layer 4 on the OSI model)

If you're after additional ways to secure your systems may I suggest two holistic approaches that have stood the test of time. They are the concept of least privilege and reduction of the attack surface.

Regards,

ghost16825 (former maintainer of the now dead open source Ghost Personal Firewall project)
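The incoming/outgoing explanation above and the per-application DNS and port discussion, as an added example. This is not Kerio's code: it is a toy first-match packet filter that models the behaviour described (rules are matched top down and the first match wins; the SYN/ACK answering an outbound SYN we permitted is let in without any inbound rule). The application names, addresses and rule list are assumptions made up for the illustration, and an unmatched packet returns "ask" as a stand-in for the firewall's pop-up.

```python
# Added example, not Kerio's code: a toy first-match packet filter with
# per-application rules and TCP connection tracking.  Application names,
# addresses and the rule list are assumptions; "ask" stands in for a pop-up.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    app: str          # local process that owns the socket
    proto: str        # "tcp" or "udp"
    direction: str    # "out" = initiated by this host, "in" = initiated remotely
    remote_ip: str
    remote_port: int
    local_port: int
    flags: str = ""   # "SYN", "SYN-ACK", ... for TCP; empty for UDP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "permit" or "deny"
    app: Optional[str] = None                # None means "any" for every field below
    proto: Optional[str] = None
    direction: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_ports: Optional[frozenset] = None
    local_ports: Optional[frozenset] = None
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.app is None or self.app == p.app)
                and (self.proto is None or self.proto == p.proto)
                and (self.direction is None or self.direction == p.direction)
                and (self.remote_ip is None or self.remote_ip == p.remote_ip)
                and (self.remote_ports is None or p.remote_port in self.remote_ports)
                and (self.local_ports is None or p.local_port in self.local_ports))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()   # connections this host opened and was allowed to open
        self.log = []

    def decide(self, p: Packet) -> str:
        key = (p.app, p.remote_ip, p.remote_port, p.local_port)
        # Stateful shortcut: the reply to a permitted outbound SYN is not a new
        # question, so it never reaches the rule list.
        if p.proto == "tcp" and p.direction == "in" and key in self.established:
            return "permit"
        for r in self.rules:                      # top down, first match wins
            if r.matches(p):
                if r.log:
                    self.log.append(f"{r.name}: {p.direction} {p.proto} {p.app} "
                                    f"-> {p.remote_ip}:{p.remote_port}")
                if r.action == "permit" and p.proto == "tcp" and p.direction == "out":
                    self.established.add(key)
                return r.action
        return "ask"


DNS_PORT = frozenset({53})
RULES = [
    # P2P client placed above the port-53 block, so its UDP/53 traffic gets through
    Rule("utorrent out", "permit", app="utorrent.exe", direction="out"),
    Rule("DNS for svchost", "permit", app="svchost.exe", proto="udp",
         direction="out", remote_ip="192.0.2.53", remote_ports=DNS_PORT),
    Rule("DNS block", "deny", proto="udp", remote_ports=DNS_PORT, log=True),
    Rule("browser out", "permit", app="firefox.exe", proto="tcp",
         direction="out", remote_ports=frozenset({80, 443})),
    Rule("utorrent listen", "permit", app="utorrent.exe", direction="in",
         local_ports=frozenset({6881})),
    Rule("NetBIOS block", "deny", direction="in",
         local_ports=frozenset({135, 137, 138, 139, 445})),
    Rule("block all inbound (no log)", "deny", direction="in"),
]


def scenario(rules=RULES):
    """Run a handful of constructed packets through the filter; returns (decisions, log)."""
    fw = Firewall(rules)
    r = {}
    # Browser opens an HTTPS connection; the SYN/ACK comes back with no inbound rule.
    r["browser_syn"] = fw.decide(Packet("firefox.exe", "tcp", "out", "198.51.100.10", 443, 49152, "SYN"))
    r["browser_synack"] = fw.decide(Packet("firefox.exe", "tcp", "in", "198.51.100.10", 443, 49152, "SYN-ACK"))
    # Unsolicited SYN to the same local port from elsewhere: no state, hits the final block.
    r["unsolicited"] = fw.decide(Packet("firefox.exe", "tcp", "in", "203.0.113.7", 4444, 49152, "SYN"))
    # Something riding inside firefox.exe tries IRC on 6667: not in the browser's port set.
    r["irc_from_browser"] = fw.decide(Packet("firefox.exe", "tcp", "out", "203.0.113.9", 6667, 49153, "SYN"))
    # DNS: only svchost.exe, only to the configured resolver; anything else is logged and denied.
    r["dns_svchost"] = fw.decide(Packet("svchost.exe", "udp", "out", "192.0.2.53", 53, 1025))
    r["dns_other_app"] = fw.decide(Packet("dropper.exe", "udp", "out", "192.0.2.53", 53, 1026))
    # P2P: outbound on UDP 53 and an inbound peer on the listening port.
    r["p2p_udp53"] = fw.decide(Packet("utorrent.exe", "udp", "out", "203.0.113.50", 53, 6881))
    r["p2p_inbound"] = fw.decide(Packet("utorrent.exe", "tcp", "in", "203.0.113.50", 50000, 6881, "SYN"))
    return r, fw.log


def p2p_on_53(rules) -> str:
    """Decision for the P2P client's UDP/53 packet under a given rule order."""
    return Firewall(rules).decide(Packet("utorrent.exe", "udp", "out", "203.0.113.50", 53, 6881))
```

`scenario()` gives "permit" for the browser's SYN and its SYN/ACK reply, "deny" for the unsolicited inbound SYN, "ask" for the IRC attempt from inside the browser, and only one log line (the non-svchost DNS attempt). `p2p_on_53()` with the "utorrent out" rule moved below "DNS block" returns "deny" instead of "permit", which is the order dependence behind the advice to move P2P rules above the port-53 block.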
DavidGGG (Member)

Thanks for the comments, Ghost.

My ruleset is essentially the same as BlitzenZeus', with the differences I stated; other, uninteresting additions are due to my applications, so posting this would just be confusing. BZ's rules seem to be the de facto standard (at least as a starting point), and I think that's good. My post is not about posting a brand new rules set, it's about minor tweaking of BZ's rules and settings to make Kerio useful in a normal home, and to be able to install it on my friends' PCs without having to come back for frequent updating. For instance, imagine what damage my 6 year old son can do with no password or Kerio pop-ups coming up every so often. So the core of my post is the "Rules" and "Settings" parts; the rest is just justifications and concerns really, and also I thought that if a real "Dummy" reads my post, it's good to mention what is needed apart from Kerio to get decent security.

I can appreciate the general concept of "least privilege and reduction of attack surface". Still, I can not see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server?

And thanks for explaining how "incoming/outgoing" works. But now that I understand it, I feel that the Jetico approach doesn't add much security by specifying ports and stuff - getting in contact with for instance Firefox from the outside surely is impossible since Kerio blocks all incoming data which isn't initiated by Firefox itself. Of course, specifying ports etc diminishes the risk of Firefox being hijacked somehow, I guess. But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol?

The post "Kerio fails on 50%.." was interesting, lots of opinions flowing there. I tried the "WindowsWormsDoorsCleaner" as well, got "red light" on the top 3 lines, but Kerio already does the same job by blocking these ports so it's not necessary to run this application for Kerio users.

I know you are one of the most experienced persons in this forum, and I'm happily noting that you don't really attack my basic idea that Kerio may be used for "Dummies" (at least Dummies with some basic knowledge, or when the installation is done by a friend who has this basic knowledge).
ghost16825 (Premium Member)

said by DavidGGG:
    Still, I can not see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server?
Well surprisingly, no. Most self replicating worms like to use some kind of 'random' component. It is much more difficult to ensure high chance of success in connecting to some generated IP than some generated DNS name. For example, some worms have a database of high level domains, and then generate some kind of address ending, e.g. »highleveldomain.com/zass ··· 345k.htm

Furthermore, the widespread nature of DNS has made many allow DNS traffic without any type of filtering (and no home software firewall is able to perform filtering at the Application level of the OSI model). It's possible to do all kinds of interesting things by playing around with the DNS protocol (see Dan Kaminsky's research). We've yet to see widespread usage of these techniques by malware in the wild, but they are becoming more common.
said by DavidGGG:
    But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol?
The common answer is laziness and the concept of standard (IANA registered) port numbers. Say for example, someone creates a parasitic bot that attaches itself to Firefox and attempts to connect to an IRC server. Unless the server operator has set up the IRC daemon differently, the default port the bot will connect to will be 6667.
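The "interesting things" one can do with the DNS protocol, as an added example that is not part of the thread: data leaving the machine inside ordinary-looking DNS queries (an encoder/decoder pair for the attacker's side) and a small detector run over a constructed query log. The zone name, process names, log format and detection thresholds are assumptions; the registrable domain is taken to be the last two labels, which is only right for .com-style TLDs.

```python
# Added example (not from the thread): exfiltration through DNS query names,
# plus a per-domain detector run over a constructed query log.  Zone, process
# names, log format and thresholds are assumptions.
import base64
import math
from collections import defaultdict

CHUNK = 20   # 20 bytes -> 32 base32 characters, well under the 63-byte label limit


def exfiltrate(data: bytes, zone: str) -> list:
    """Attacker side: split data into chunks, one query name per chunk.
    Base32 survives case folding and stays within the DNS label alphabet."""
    names = []
    for seq, i in enumerate(range(0, len(data), CHUNK)):
        label = base64.b32encode(data[i:i + CHUNK]).decode().rstrip("=").lower()
        names.append(f"{seq}.{label}.{zone}")
    return names


def reassemble(names: list) -> bytes:
    """Attacker's authoritative server side: rebuild the data from the queries,
    whatever order they arrived in."""
    parts = {}
    for name in names:
        seq, label = name.split(".")[:2]
        padded = label.upper() + "=" * (-len(label) % 8)
        parts[int(seq)] = base64.b32decode(padded)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname: str):
    """(registrable domain, subdomain); assumes the last two labels are the domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse(log_lines, min_queries=4, min_len=20, min_entropy=3.5) -> dict:
    """Defender side: per registrable domain, flag many distinct subdomains that
    are long or high-entropy.  Returns {domain: stats} for flagged domains."""
    subs_by_domain = defaultdict(set)
    for line in log_lines:
        _date, _time, _proc, _qtype, qname = line.split()
        dom, sub = split_name(qname)
        if sub:
            subs_by_domain[dom].add(sub)
    flagged = {}
    for dom, subs in subs_by_domain.items():
        if len(subs) < min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= min_len or mean_ent >= min_entropy:
            flagged[dom] = {"queries": len(subs), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged


SECRET = b"constructed sample: pretend this is the text of a private document on the PC"
ZONE = "cdn-stats.example"   # assumed attacker-controlled zone


def sample_log() -> list:
    """Constructed log: ordinary lookups plus the tunnel queries, all issued by
    the one process the ruleset lets talk to the resolver."""
    normal = [
        "2007-07-09 12:00:01 svchost.exe A www.mozilla.com",
        "2007-07-09 12:00:02 svchost.exe A download.mozilla.com",
        "2007-07-09 12:00:03 svchost.exe A addons.mozilla.org",
        "2007-07-09 12:00:04 svchost.exe A pool.ntp.org",
        "2007-07-09 12:00:05 svchost.exe A dslreports.com",
    ]
    tunnel = [f"2007-07-09 12:01:{i:02d} svchost.exe A {q}"
              for i, q in enumerate(exfiltrate(SECRET, ZONE))]
    return normal + tunnel
```

`analyse(sample_log())` flags only the attacker's zone (four queries, mean subdomain length 32.5), while the legitimate domains have one or two short subdomains each and are left alone. Note that every query in the log comes from svchost.exe to the configured resolver, so an application-and-address DNS rule of the kind discussed above is satisfied; the only thing that gives the tunnel away is the shape of the names, which a Layer 4 filter never looks at.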
DavidGGG (Member)

Seems like the only process that ever contacts the DNS server on my XP machine is svchost, so it's easy to allow only svchost. I'll do that, and log if any program fails to connect to the DNS server (but so far it hasn't happened). Still, what I know about svchost is that DLLs run through it. So why can't a virus use svchost as well? Anyway, it's a bit safer now I guess.

Regarding specifying port numbers for the web browser: Wouldn't that be a pain in the butt? Just by reading the port numbering standard, it seems I should allow 80, 81, 443, 591, 8008 and 8080, and then also 20, 21, 989 and 990 for ftp, and probably more stuff when connecting to secure sites or other protocols which I don't know much about, and even if I got all that right, it happens from time to time I want to follow a link to a site with a specified, non-standard port number. Seems like a never ending story trying to set up all possible ports. Or maybe you or someone else with lots of experience actually have a proper list of ports that you recommend?!

I also read something about Dan Kaminsky's tricks with DNS (I suppose you mean »www.doxpara.com/bo2004.ppt). Seems DNS servers are a way to send at least small amounts of data. There are security holes everywhere in my damned computer, aren't there! Good thing I just limited my DNS rule to two IPs and one application...!

A couple of updates to my original post:
a) I've moved a couple of my P2P programs up above the rule that blocks port 53, since some seem to make use of it to bypass some local firewall (!). So my advice would be to check the log while running P2P and if attempts are made on port 53 by P2P programs, you might want to move the rules up, to increase connectivity.
b) I read some more about container files, and it seems sound files are probably also always safe (.WAV, .MP3 etc), since apparently they can hold only sound (what a brilliant idea - just sound in sound files!) and some tags.
Jarmo P (Member) to DavidGGG

DavidGGG, nice thread and an excellent post.

Makes me almost want to uninstall Comodo cause it loses application rules from time to time and to go back to Kerio 2.1.5 and install my old good ruleset back.
said by DavidGGG:
    * Removed logging of "NetBios Block" (first occurrence) (see comment below)
Since you have no local network, you can stop NetBIOS over TCP/IP and also file and printer sharing and being a client in Microsoft networks, from Windows control panel/network connections. This way you should not normally see too many logs from that rule. So this rule logging is useful as a diagnostic that your system allows too much and also if you are interested in port scans from the internet. I am not saying that your computer is allowing that, but only in general if that rule normally is often matched.

I don't have that final block all incoming rule at the end of my rules either.

Thanks for your experiments in leaktests. It was as I was expecting, very low pass rate. Of course only without an AV. An AV detecting with signatures does not add any security to real outbound threats that are not viruses/trojans/other known malware. Only if there is some behavioral type detection in an AV should it be counted into those tests. Then again I never considered leaktest passing to be important to a safe user.
My current HIPS/CIPS are PG free and Prevx 2, and they should add some leaktest protection, though I have never bothered to try those tests. And probably Prevx 2 would also detect some of those with "signatures" instead of behaviour, so those passes should be eliminated to have meaningful test results.

The only thing that is actually bothering me a bit is the thing that I have no router and possibility of an inbound DoS or other attack crashing my system or passing something in.

Kerio 2.1.5 sure is a fun firewall I like more than any other.
Whether kerio can be given to a dummy I don't know, but in day to day usage once it is configured it is so easy and light.
DavidGGG (Member)

Thanks for the positive remarks, Jarmo! I'll insert my replies to your post in the text below.

When I think about it, there's a broad range of "Dummies" I guess - maybe I can divide us into two groups: (1) The ones who are satisfied with a firewall comparable to ZA Free and don't want to mess with details unless it adds much to the security level (or don't know how), and (2) those who don't mind tinkering a bit with numerous settings as long as it's not too advanced, gives a notable security increase and doesn't make my PC user-unfriendly. Myself, I'm somewhere in between. But also, for a person like me or you to install Kerio 2.1.5 on a friend's PC, it would be good to keep it closer to the first case, to avoid me having to put up a tent outside my friend's house, offering instant & frequent support..

Case 1: "Aiming at ZA Free Level": Let's first look at outbound connections. It's not easy to get information on how ZA works in detail I think, but from what I've read (e.g. »Applications connecting out ---> ), when you in ZA answer yes to if a certain application shall be allowed, then all its (outbound) communication is allowed, to/from any port and IP. And that, to me, sounds very similar to the rule you get in Kerio 2.1.5 if you for Kerio popups answer "permit + create rule" when an application tries to connect (MD5 ID + protocol & direction). And regarding inbound connections: Using BZ's rules as a starting point, I have never had to add any rules for inbound connections, with one exception: P2P programs. And for these, it's obvious what you have to do: Read in the help/faq for the P2P program how to find out what port(s) it listens to, then add inbound rule for this port & app, with applicable protocol (or both TCP and UDP specified, if you can't find exact information).

I think that Kerio 2.1.5 with this approach probably is as secure as ZA Free, and more or less as easy to handle. I can also mention that after having installed at least 100 programs on WinXP, I am surprised how few problems there have been with Windows - almost PnP all the time - with a few exceptions, and the worst problems, I've had with ZA Free (tried on two PCs), ZA Pro (tried on one PC, and I think it's harder for a novice to use than Kerio 2.1.5 as described here) and Norton ISS (tried on one PC for a long time). The problems have been quite severe, like unwanted blocking, resource hogging, strange and repeated questions, uninstall problems, etc.

"Case 2", I think, is all about details, and where to draw the line - because you really can go on forever with those rules and settings. The following comments are only for those who think they belong to "Case 2:":

- One thing that I rule out myself is specifying IP addresses in rules, for applications generally. To me, this will just be asking for endless popups - just because I note some application uses a certain IP one time, I can't know that this IP should be valid for all eternity or even for a day. Ports have a standard (at least it's supposed to follow the IANA standard), but IP addresses may change at any time. In »[Kerio 4.x] Rule for GMail someone attempted specifying IPs for his e-mail client, and he was suggested to lose the IP numbers in his rules by a person (Graham1), so obviously at least one person thinks like me on this. The only rules for which I have specified IP myself is DNS servers, and allowing time servers (i.e. automatic update of the system clock - double click the Windows clock and look at the rightmost tab, if you don't know about this).

- Regarding specifying port numbers: my own conclusion is that I don't generally feel I ever have to specify ports for any outbound applications (see "case 1" above), and I won't for web browsers (see above, July 8th). However, I must confess that for my POP3 e-mail client, I recently did specify port numbers, since it's so easy - the port numbers used are mentioned in the setup inside the e-mail client (25, 110, 587 and/or 995 most likely) and they will not change unless I change them myself, manually, in the e-mail program (I did, however, allow both TCP and UDP even though my client doesn't use both as far as I've seen, since IANA specifies both may be used). By the way, "The Bat" (which I couldn't help recommending before) was great a few years ago, but after thinking about it, today I think Thunderbird is better, and free too. However, I did get some Kerio pop-ups with these settings, because of Thunderbird's updater trying to contact Mozilla on ports 80 and 443, so I allowed these ports as well. I specified these ports partly as an experiment, to see if it works, and partly since I feel I have a good grip on what ports an e-mail client may use and whether they may change; I'll probably allow any port when installing Kerio on a friend's machine though, since I don't feel it tightens security by much.

I got a message from ghost16825 tipping me that »[Kerio 2.x] My Kerio 2.1.5 rules based on BZ's please critique contains a good rule set with ports well thought through, and specifically a discussion of ftp ports. Read this if you want to dig deeper. Regarding destination ports to allow for a browser, they allow [80-81,443] for HTTP/HTTPS, [21,5001-65535] for ftp and 1755 for MMS (Microsoft Media Streaming). Well, I'm no expert, but 8008 and 8080 are also http alternates, and possibly 591, according to IANA, so I think they should probably be added. And regarding ftp, this thread doesn't allow port 20, and they say that for "passive" FTP, port 20 does not need to be allowed, but you might on occasion be doing "active" FTP, and then it should be allowed. There is also a protocol called ftps (secure ftp) which uses ports 989 and 990. So I would allow 20, 989 and 990 to make sure ftp works. Regarding MMS, IANA lists a whole bunch of other streaming protocols (ports 537, 554, 1790, 4117, 8554) plus one for video conferencing, one for looking at CAD 3D models, etc. So depending on what you do with your browser, you might need to add some more ports to the rules, it seems. And one of the participants in the referred thread is of the opinion that one should allow any remote port for ftp. My conclusion is that I will by default allow any port for browsers, and avoid using IE, which I read is more often hijacked. If I were to experiment with this, I would allow all the mentioned ports, and after that rule I would be sure to put a rule which alerts me if the browser attempts to use a different port, to make sure I notice if I missed a port.

And I can't help believing that outbound rules are of secondary importance for several reasons, the main one being that you must have accidentally installed a trojan or adware yourself for it to be an issue, and if you are clumsy enough to do that, you might as well install a virus which erases the entire HD, so the main issue is: do not install viruses - if you do, you're lucky the PC works at all! On the other hand, trojans are a relatively common kind of virus, and making the safety net fine-meshed is of course good. But I think my point of view gives a nice balance and might prevent paranoia from evolving without limits..

- Regarding Block all incoming rule: I think probably "case 1 dummies" as well as frequent P2P users may want to keep this rule, with logging turned off, whereas "case 2 dummies" without P2P might want to keep this rule, but with logging turned on.

- Regarding NetBIOS: Jarmo, you're right that I don't need NetBIOS since I have no LAN. But I can't find a way to make Windows stop attempting outbound connections from port 137, which causes very frequent hits on the first NetBIOS rule. So I still disable logging. (The only option I can think of is blocking all outgoing traffic for svchost as a rule at the end, but that's not an improvement, I think.) Shutting down "Client for MS Networks" and "File and Printer Sharing" is OK by me I suppose, but I don't know what it adds in security.

Finally, a few details I thought I'd mention:

• If you don't know how to check whether Kerio runs as a service: go to "Control Panel | Administrative Tools | Services": Kerio should be in this list. I'm running as an administrator in XP Pro though - it might look different if you don't. By the way, this site lists almost all possible processes on a PC, so you can check what a specific service does, or check the tasks in your process list (found by pressing ctrl+alt+del once). Also useful if you think you might have a virus or adware/spyware.

• A spooky thing happened last week! I've had Windows auto-update disabled for months; still, yesterday svchost suddenly tried to contact first 207.46.20.252:80 and then 207.46.20.93, both owned by Microsoft (Kerio popped up). Later it tried 207.46.253.157:443, then 207.46.211.250:80. MS owns 207.46.0.0 - 207.46.255.255, so I blocked that whole range. Googling makes me conclude this probably is Windows Update after all, despite my disabling it. To disable it "even more", I tried adding a registry value as described in »www.windowsitpro.com/Art ··· 649.html. After that, it seemed to have gone quiet for a day, then I saw it in the log again, and later it attempted a different IP, which made me block the range 64.4.0.0-64.4.63.255 as well. BUT... »[Kerio 4.x] Rule for GMail makes me conclude that Bill G has even more IP addresses up his sleeve. So instead, I looked at the services list again and disabled "Automatic Updates" there. Hopefully, this will help. While I was there, I also disabled "Remote Registry" and "NetMeeting Remote Desktop Sharing", since I don't use them and they sound like major security risks (and they are, according to what I've read). "Network DDE" and "Network DDE DSDM" were already disabled, otherwise I'd have disabled them myself, after having seen leak tests take advantage of them (see above). And according to »www.answersthatwork.com/ ··· st_a.htm, you can also set "Application Layer Gateway" (ALG.exe) to manual and stop it, since it's only needed if you use Windows' Firewall. (Note: the leak tests above I ran before I made these changes to how services are run.)

• I have a couple of unimportant rules handling Windows annoyances: a) at startup, svchost.exe announces to 239.255.255.250:1900 that my PC is present on the LAN; since I have no LAN, I simply block this too (even though I read that this cannot be seen on the internet but is blocked by hardware), and b) I block helphost.exe, since all it seems to do is look for answers over the internet when I perform a search within Windows Help (most people probably allow this - I feel it's of no use, I just want local help or I'll browse myself). (Note: I also set the service "Help and Support Services" to "Manual start" and followed the instructions at »www.answersthatwork.com/ ··· st_h.htm to make Windows Help stop adding a "Tip of the day" from the internet; this also fixes a known Windows bug which may make helpsvc.exe use 90% of the CPU.) As I said, unimportant stuff - still, if you should get puzzled why these connection attempts occur, now you know - you have to set a rule to either allow or deny, and I'm a denying type of guy when it comes to Microsoft.

• Regarding Foxit/Adobe: I actually keep both, but use Foxit primarily, since for some reason, sometimes Foxit gives sharper text, and sometimes Adobe does (annoying as it still is, big time, and super-sized).

• I don't have any stock in Kaspersky and I could actually live without an antivirus (at least when I can scan selected files with a free internet tool). Which antivirus is best is very hard to say, and I will NOT go into that here; I'll just conclude that reading reviews at av-comparatives.org doesn't make it clear: a program which is top-rated one month is barely acceptable the next month. AVG is an example of a free program which (sometimes) does well in tests, but I haven't tried it myself. A couple of things I do like about Kaspersky though, besides its being fairly silent and low on resources (compared to F-Secure for instance), are that it's also good at spyware/adware (something AVG Free isn't), and that it monitors some suspicious behaviour like messing with the registry.

• Regarding the danger of opening multimedia containers: just so you don't think I was dreaming it, and with danger for my PC's health, I managed to find the malicious file I mentioned, and I can now say for sure that it's a .MOV container file (i.e. a QuickTime movie), and what it does is that when I start viewing it, my web browser gets launched as well, with 2 open tabs, and I get the popup "you've chosen to download and install NNN.exe - press ok/abort". I opened it in Notepad and found 2 HTML tags containing links to the internet, one of them being <http://www.NNN.com/NNN.exe>. So it's apparent that QuickTime allows HTML tags, and in these one can put a link to an executable file on the internet - even though I've been unable to find any warning or info regarding this. Virus scanning such a file gives no alarm. Of course, it's impossible to "sneak" a virus onto your PC this way - it's pretty obvious, when the browser starts by itself and you get the question "do you want to install NNN.exe". I ran a complete virus scan after that, and Kaspersky detected an exe file in my browser's cache which contained a Trojan, but that probably doesn't mean anything.
It'd be interesting to get more information on exactly which multimedia container files may contain HTML links, etc. If you're interested (or don't believe me), I can e-mail the .MOV file to you..

• Regarding PeerGuardian (PG2): According to »www.winmxworld.com/forum ··· 3.0.html it blocks close to 1,000,000,000 sites when using the default block lists from bluetack; this includes churches, colleges, entire ISPs, P2P networks etc, and still it doesn't block what it should, they say. From what I've read, it sounds like it does more harm than good, but I haven't investigated it further.


So. Unless someone posts a really interesting remark, I don't think I have anything to add. //David
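Added example, not part of David's post and not Kerio's own code: a small Python model of the first-match rule evaluation the post's rule discussion relies on (the browser permit list followed by an alerting catch-all, the svchost block on the two Microsoft address ranges, the NetBIOS and SSDP denies with logging off, the P2P inbound permit, and "Block all inbound (no log)" at the end, with anything unmatched falling through to the "ask" popup). The port lists and the ranges 207.46.0.0-207.46.255.255 and 64.4.0.0-64.4.63.255 are the ones discussed above; the application names, the NTP server address 192.0.2.123, the uTorrent listen port 6881 and the sample connections are constructed assumptions for illustration.

```python
"""Toy first-match rule evaluator modelled on Kerio 2.1.5-style rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PortRanges = Tuple[Tuple[int, int], ...]


def ports(*spec) -> PortRanges:
    """Build port ranges from ints and "lo-hi" strings, e.g. ports(80, "5001-65535")."""
    out = []
    for s in spec:
        if isinstance(s, int):
            out.append((s, s))
        else:
            lo, hi = s.split("-")
            out.append((int(lo), int(hi)))
    return tuple(out)


def in_ranges(port: int, ranges: PortRanges) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


@dataclass(frozen=True)
class Conn:
    app: str          # stands in for Kerio's MD5-identified executable
    proto: str        # "TCP" or "UDP"
    direction: str    # "out" or "in"
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "permit" or "deny"
    app: Optional[str] = None                 # None = any application
    proto: Optional[str] = None               # None = TCP and UDP
    direction: Optional[str] = None           # None = both directions
    local_ports: Optional[PortRanges] = None
    remote_ports: Optional[PortRanges] = None
    remote_nets: Tuple[str, ...] = ()         # empty = any remote address
    log: bool = False
    alert: bool = False

    def matches(self, c: Conn) -> bool:
        if self.app is not None and self.app != c.app:
            return False
        if self.proto is not None and self.proto != c.proto:
            return False
        if self.direction is not None and self.direction != c.direction:
            return False
        if self.local_ports is not None and not in_ranges(c.local_port, self.local_ports):
            return False
        if self.remote_ports is not None and not in_ranges(c.remote_port, self.remote_ports):
            return False
        if self.remote_nets and not any(ip_address(c.remote_ip) in ip_network(n) for n in self.remote_nets):
            return False
        return True


# Constructed rule set following the post's choices. Application names, the NTP
# server 192.0.2.123 and the uTorrent listen port 6881 are assumptions.
RULES = (
    Rule("Time sync", "permit", app="svchost.exe", proto="UDP", direction="out",
         remote_ports=ports(123), remote_nets=("192.0.2.123/32",)),
    Rule("NetBIOS block (no log)", "deny", local_ports=ports("137-139")),
    Rule("SSDP announce (no log)", "deny", app="svchost.exe", proto="UDP", direction="out",
         remote_ports=ports(1900), remote_nets=("239.255.255.250/32",)),
    # 207.46.0.0-207.46.255.255 and 64.4.0.0-64.4.63.255 written as CIDR blocks
    Rule("svchost: block MS update ranges", "deny", app="svchost.exe", direction="out",
         remote_nets=("207.46.0.0/16", "64.4.0.0/18"), log=True),
    Rule("Browser: listed ports", "permit", app="firefox.exe", proto="TCP", direction="out",
         remote_ports=ports(20, 21, "80-81", 443, 591, 989, 990, 1755, 8008, 8080, "5001-65535")),
    # catch-all directly after the permit, so a port missing from the list shows up as an alert
    Rule("Browser: anything else", "deny", app="firefox.exe", direction="out", log=True, alert=True),
    Rule("Mail client", "permit", app="thunderbird.exe", direction="out",
         remote_ports=ports(25, 110, 587, 995, 80, 443)),
    Rule("P2P inbound", "permit", app="utorrent.exe", direction="in", local_ports=ports(6881)),
    Rule("Block all inbound (no log)", "deny", direction="in"),
)


def evaluate(rules, c: Conn):
    """Return (action, rule name, log, alert) for the first matching rule, or the "ask" popup."""
    for r in rules:
        if r.matches(c):
            return r.action, r.name, r.log, r.alert
    return "ask", None, False, False


if __name__ == "__main__":
    for s in (Conn("firefox.exe", "TCP", "out", 1050, "203.0.113.10", 80),
              Conn("firefox.exe", "TCP", "out", 1051, "203.0.113.10", 3128),
              Conn("svchost.exe", "TCP", "out", 1052, "207.46.20.252", 80),
              Conn("System", "TCP", "in", 445, "198.51.100.7", 40000)):
        print(s.app, s.direction, s.remote_ip, s.remote_port, "->", evaluate(RULES, s))
```

Rule order is what matters here: the NetBIOS and SSDP denies sit before the Microsoft range block so the noisy traffic never reaches a logging rule, and the alerting browser catch-all only fires for ports the permit list missed, which is the experiment the post describes for finding a forgotten port.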