[Kerio 2.x] Kerio 2.1.5 "for Dummies" (dslreports.com forums » Kerio - Tiny Support)

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to DavidGGG
Re: [Kerio 2.x] Kerio 2.1.5 "for Dummies"

Firstly, consider posting your ruleset, with addresses blanked out if you prefer.

said by DavidGGG:

* Firewall|Administration: enabled admin pwd, since I learned it makes it harder for hackers to take over the computer
Well, somewhat. It prevents 2 of the known 9 (or was it 7?) Win32 API ways of terminating an application. (Try the termination tool available from »www.diamondcs.com.au yourself.)

said by DavidGGG:

* Possibly uncheck "Enable DNS resolving" and/or check "don't resolve domain names" if bittorrent client is used (bug mentioned in uTorrent.com faq which may cause Kerio to use 100% CPU, but it seems to address problem with newer Kerios, not 2.1.5, so maybe it's not necessary)
Yes, no need to resolve domain names, although they may make logs easier to interpret.

said by DavidGGG:

2. Firewalls such as Jetico ... Will this increase security?
Yes, somewhat. Restriction on port numbers is good in that it decreases the attack surface a little. Keep in mind that the firewall filters only up to Layer 4 of the OSI model; it knows nothing about data.

Regarding DNS:
You may or may not wish to specify allowed DNS addresses per application, instead of as a global rule. This means applications not in your ruleset will not be able to do DNS resolving. But this means (number of applications × 2, for primary/secondary DNS servers) rules need to be added, and Kerio 2x seems to perform rule matching on a top-down basis, leading to a performance hit.

Regarding incoming/outgoing rules:

Incoming and Outgoing refer to connections initiated by your machine to some external one (outgoing) or initiated by an external machine (incoming). For the TCP handshake, Kerio 2x does not ask questions regarding the ACKnowledgement, as the answer to this is derived from your response to the previous SYNchronize part of the handshake.

Regarding Leaktests:

Leaktests are often a misleading form of firewall testing. Often, they are really testing some kind of Host Intrusion Prevention system/mechanism rather than any filtering of network traffic. Second, they often like to pretend that most home consumer firewalls can filter at layers above Layer 4 of the OSI model, and then shout 'ah-ha' when the firewall doesn't filter out the data. See data tunneling using recursive DATA queries.
»[Kerio 2.x] Kerio 2.15 w good rules fails 50% of tests at...

Regarding software firewall environments:

Firstly, part of the problem is that most users run under Windows as root/admin with full privileges. Firewalls need to withstand termination attempts, make sure that permission pathways are authenticated (allow/deny window communication), and if the firewall wants to allow Layer 4 traffic on a per-application basis, these applications need to be verified. (Some firewalls also try to verify DLLs associated in some way with the application as well, but MD5 hashing only works if you have a baseline. DLLs also change frequently, making this kind of verification useless due to high false positives.)

Widespread use of root privileges is the main reason why more security apps are implementing rootkit-like methods of operation/installation and host intrusion prevention mechanisms. (After all, admin/root does mean full privileges.) Furthermore, this has led more software firewall vendors away from the purpose of actually filtering network traffic (no-one filters above Layer 4 on the OSI model).

If you're after additional ways to secure your systems, may I suggest two holistic approaches that have stood the test of time. They are the concept of least privilege and reduction of the attack surface.

Regards,

ghost16825 (former maintainer of the now dead open source Ghost Personal Firewall project)

DavidGGG

join:2007-07-06
Chesterfield, VA

Thanks for the comments, Ghost.

My ruleset is essentially the same as BlitzenZeus', with the differences I stated; other, uninteresting additions are due to my applications, so posting this would just be confusing. BZ's rules seem to be the de facto standard (at least as a starting point), and I think that's good. My post is not about posting a brand new rule set, it's about minor tweaking of BZ's rules and settings to make Kerio useful in a normal home, and to be able to install it on my friends' PCs without having to come back for frequent updating. For instance, imagine what damage my 6 year old son can do with no password or Kerio pop-ups coming up every so often. So the core of my post is the "Rules" and "Settings" parts; the rest is just justifications and concerns really, and also I thought that if a real "Dummy" reads my post, it's good to mention what is needed apart from Kerio to get decent security.

I can appreciate the general concept of "least privilege and reduction of attack surface". Still, I cannot see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server?

And thanks for explaining how "incoming/outgoing" works. But now that I understand it, I feel that the Jetico approach doesn't add much security by specifying ports and stuff - getting in contact with, for instance, Firefox from the outside surely is impossible since Kerio blocks all incoming data which isn't initiated by Firefox itself. Of course, specifying ports etc. diminishes the risk of Firefox being hijacked somehow, I guess. But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol?

The post "Kerio fails on 50%.." was interesting, lots of opinions flowing there. I tried the "WindowsWormsDoorsCleaner" as well, got "red light" on the top 3 lines, but Kerio already does the same job by blocking these ports so it's not necessary to run this application for Kerio users.

I know you are one of the most experienced persons in this forum, and I'm happily noting that you don't really attack my basic idea that Kerio may be used for "Dummies" (at least Dummies with some basic knowledge, or when the installation is done by a friend who has this basic knowledge).

ghost16825
Use security metrics
Premium
join:2003-08-26

said by DavidGGG:

Still, I cannot see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server?
Well, surprisingly, no. Most self-replicating worms like to use some kind of 'random' component. It is much more difficult to ensure a high chance of success in connecting to some generated IP than to some generated DNS name. For example, some worms have a database of high-level domains, and then generate some kind of address ending, e.g. »highleveldomain.com/zassd345k.htm

Furthermore, the widespread nature of DNS has made many allow DNS traffic without any type of filtering (and no home software firewall is able to perform filtering at the Application level of the OSI layer). It's possible to do all kinds of interesting things by playing around with the DNS protocol (see Dan Kaminsky's research). We've yet to see widespread usage of these techniques by malware in the wild, but they are becoming more common.

said by DavidGGG:

But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol?
The common answer is laziness and the concept of standard (IANA-registered) port numbers. Say, for example, someone creates a parasitic bot that attaches itself to Firefox and attempts to connect to an IRC server. Unless the server operator has set up the IRC daemon differently, the default port the bot will connect to will be 6667.

DavidGGG

join:2007-07-06
Chesterfield, VA
Seems like the only process that ever contacts the DNS server on my XP machine is svchost, so it's easy to allow only svchost. I'll do that, and log if any program fails to connect to the DNS server (but so far it hasn't happened). Still, what I know about svchost is that DLLs run through it. So why can't a virus use svchost as well? Anyway, it's a bit safer now, I guess.

Regarding specifying port numbers for the web browser: Wouldn't that be a pain in the butt? Just by reading the port numbering standard, it seems I should allow 80, 81, 443, 591, 8008 and 8080, and then also 20, 21, 989 and 990 for FTP, and probably more stuff when connecting to secure sites or other protocols which I don't know much about, and even if I got all that right, it happens from time to time that I want to follow a link to a site with a specified, non-standard port number. Seems like a never-ending story trying to set up all possible ports. Or maybe you or someone else with lots of experience actually has a proper list of ports that you recommend?!

I also read something about Dan Kaminsky's tricks with DNS (suppose you mean »www.doxpara.com/bo2004.ppt). Seems DNS servers are a way to send at least small amounts of data. There are security holes everywhere in my damned computer, aren't there! Good thing I just limited my DNS rule to two IPs and one application...!

A couple of updates to my original post:
a) I've moved a couple of my P2P programs up above the rule that blocks port 53, since some seem to make use of it to bypass some local firewall (!). So my advice would be to check the log while running P2P and if attempts are made on port 53 by P2P programs, you might want to move the rules up, to increase connectivity.
b) I read some more about container files, and it seems sound files are probably also always safe (.WAV, .MP3 etc.), since apparently they can hold only sound (what a brilliant idea - just sound in sound files!) and some tags.
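As an added example (not code from this thread, from Kerio, or from the Ghost Personal Firewall project), the following toy first-match rule evaluator illustrates two points made above: ghost16825's note that per-application DNS rules multiply to (applications × 2) entries that Kerio 2.x scans top-down, with a direction field reflecting his incoming/outgoing (SYN-initiated) explanation, and DavidGGG's observation that a P2P rule only takes effect once it is moved above the rule blocking port 53. All process names, rule names and addresses are constructed.

```python
"""Toy first-match packet-filter simulator, modelled on the thread's description
of Kerio 2.x scanning its ruleset top-down. Example code, not Kerio's own logic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard in a rule field

@dataclass(frozen=True)
class Rule:
    name: str
    app: Optional[str]         # process name; ANY = any application
    direction: Optional[str]   # "out" = our SYN, "in" = remote SYN; ANY = both
    proto: Optional[str]       # "tcp" / "udp"; ANY = either
    remote_ip: Optional[str]
    remote_port: Optional[int]
    action: str                # "allow" or "deny"

    def matches(self, app, direction, proto, ip, port) -> bool:
        fields = ((self.app, app), (self.direction, direction), (self.proto, proto),
                  (self.remote_ip, ip), (self.remote_port, port))
        return all(want is ANY or want == got for want, got in fields)

def decide(rules: List[Rule], app, direction, proto, ip, port) -> Tuple[str, str]:
    """Top-down, first match wins; a connection no rule covers is denied."""
    for r in rules:
        if r.matches(app, direction, proto, ip, port):
            return r.action, r.name
    return "deny", "implicit default"

def per_app_dns_rules(apps: List[str], dns_servers: List[str]) -> List[Rule]:
    """One rule per (application, server) pair: apps x 2 with primary/secondary."""
    return [Rule(f"dns {a} -> {s}", a, "out", "udp", s, 53, "allow")
            for a in apps for s in dns_servers]

def move_above(rules: List[Rule], name: str, above: str) -> List[Rule]:
    """Copy of `rules` with rule `name` placed directly before rule `above`."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == above)
    return rest[:idx] + [moved] + rest[idx:]

# Constructed sample ruleset; IPs come from the RFC 5737 documentation ranges.
DNS = ["192.0.2.53", "192.0.2.54"]
RULES = per_app_dns_rules(["svchost.exe", "firefox.exe"], DNS) + [
    Rule("block dns", ANY, ANY, ANY, ANY, 53, "deny"),        # everything else on 53
    Rule("p2p", "p2p.exe", "out", ANY, ANY, ANY, "allow"),    # sits below the block
    Rule("web", "firefox.exe", "out", "tcp", ANY, 80, "allow"),
]
```

With the ruleset as listed, `decide(RULES, "p2p.exe", "out", "udp", "198.51.100.9", 53)` hits "block dns"; after `move_above(RULES, "p2p", "block dns")` the same lookup is allowed, and a remote-initiated ("in") connection to firefox.exe on port 80 falls through to the implicit deny because only an "out" rule exists.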