how-to block ads
|
DavidGGG
join:2007-07-06
Chesterfield, VA
| reply to ghost16825
Re: [Kerio 2.x] Kerio 2.1.5 "for Dummies"
Thanks for the comments, Ghost.
My ruleset is essentially the same as BlitzenZeus', with the differences I stated; other, uninteresting additions are due to my applications, so posting this would just be confusing. BZ's rules seem to be the de facto standard (at least as a starting point), and I think that's good. My post is not about posting a brand new rules set, it's about minor tweaking of BZ's rules and settings to make Kerio useful in a normal home, and to be able to install it on my friends PCs without having to come back for frequent updating. For instance, imagine what damage my 6 year old son can do with no password or Kerio pop-ups coming up ever so often. So the core of my post is the "Rules" and "Settings" parts; the rest is just justifications and concerns really, and also I thought that if a real "Dummy" reads my post, it's good to mention what is needed apart from Kerio to get decent security.
I can appreciate the general concept of "least privilege and reduction of attack surface". Still, I can not see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server?
And thanks for explaining how "incoming/outgoing" works. But now that I understand it, I feel that the Jetico approach doesn't add much security by specifying ports and stuff - getting in contact with for instance Firefox from the outside surely is impossible since Kerio blocks all incoming data which isn't initiated by Firefox itself. Of course, specifying ports etc diminishes the risk of Firefox being hijacked somehow, I guess. But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol?
The post "Kerio fails on 50%.." was interesting, lots of opinions flowing there. I tried the "WindowsWormsDoorsCleaner" as well, got "red light" on the top 3 lines, but Kerio already does the same job by blocking these ports so it's not necessary to run this application for Kerio users.
I know you are one of the most experienced persons in this forum, and I'm happily noting that you don't really attack my basic idea that Kerio may be used for "Dummies" (at least Dummies with some basic knowledge, or when the installation is done by a friend who has this basic knowledge). | |
ghost16825
Use security metrics
Premium
join:2003-08-26
| said by DavidGGG  :Still, I can not see how specifying DNS server per application helps - any vicious application trying to contact the internet surely already knows the IP address it wants, and has no use for my DNS server? Well surprisingly, no. Most self replicating worms like to use some kind of 'random' component. It is much more difficult to ensure high chance of success in connecting to some generated IP than some generated DNS name. For example, some worms have a database of high level domains, and then generate some kind of address ending eg. »highleveldomain.com/zassd345k.htm
Furthermore, the widespread nature of DNS has made many allow DNS traffic without any type of filtering (and no home software firewall is able to perform filtering at the Application level of the OSI layer). It's possible to do all kinds of interesting things by playing around with the DNS protocol (see Dan Kaminsky's research). We've yet to see widespread usage of these techniques by malware in the wild, but they are becoming more common.
said by DavidGGG :But I have to allow TCP and port 80 at the very least, and why would a hijacker use a different port or protocol? The common answer is laziness and the concept of standard (IANEA registered) port numbers. Say for example, someone creates a parasitic bot that attaches itself to Firefox and attempts connects to an IRC server. Unless, the server operator has set up the IRC daemon differently, the default port the bot will connect to will be 6667. | |
DavidGGG
join:2007-07-06
Chesterfield, VA
2 edits | Seems like the only process that ever contacts the DNS server on my XP machine is svchost, so it's easy to allow only svchost. I'll do that, and log if any program fails to connect to the DNS server (but so far it hasn't happened). Still, what I know about svchost is that DLLs run through it. So why can't a virus use svchost as well? Anyway, it's a bit safer now I guess.
Regarding specifying port numbers for the web browser: Wouldn't that be a pain in the butt? Just by reading the port numbering standard, it seems I should allow 80, 81, 443, 591, 8008 and 8080, and then also 20, 21, 989 and 990 for ftp, and probably more stuff when connecting to secure sites or other protocols which I don't know much about, and even if I got all that right, it happens from time to time I want to follow a link to a site with a specified, non-standard port number. Seems like a never ending story trying to set up all possible ports. Or maybe you or someone else with lots of experience actually have a proper list of ports that you recommend?!
I also read something about Dan Kaminsky's tricks with DNS (suppose you mean »www.doxpara.com/bo2004.ppt). Seems DNS servers are a way to send at least small amounts of data. There are security holes everywhere in my damned computer, arent there! Good thing I just limited my DNS rule to two IPs and one application...!
A couple of updates to my original post:
a) I've moved a couple of my P2P programs up above the rule that blocks port 53, since some seem to make use of it to bypass some local firewall (!). So my advice would be to check the log while running P2P and if attempts are made on port 53 by P2P programs, you might want to move the rules up, to increase connectivity.
b) I read some more about container files, and it seems sound files are probably also always safe (.WAV, .MP3 etc), since apparently they can hold only sound (what a brilliant idea - just sound in sound files!) and some tags. | |
|
