
Lilla1:
[Kerio 2.x] Kerio 2.15 w good rules fails 50% of tests at... Yikes! Kerio 2.1 passes just 50%
Kerio 2.15 with BZ advanced ruleset
Windows XP with excess services disabled per BlkViper.com
All Windows Critical Updates applied
»www.firewallleaktester.com/tests.htm
I tried several of the tests they indicate that Kerio 2.1 failed. I failed all that I tried. I tried these:
- TooLeaky. Failed.
- Thermite. Failed.
- CopyCat. Failed.
Is there any way we can improve our Kerio 2.15 rules to get a better score on these tests?
Thanks, Lilla
BlitzenZeus:
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
Kerio 2.x's development has been discontinued for a while, and leaktests usually deal with something other than the firewall features. I don't have time to go through all of the leaktests available, but many of them deal with things a real firewall does not deal with normally; a 3rd party program like a sandbox would have to run that protection. 3rd party sandboxing applications, or programs that have sandboxing built in, are the ones that pass the most tests.
I don't see leaktests as an issue. From the leaktests I've seen, these are problems in other software, like how IE will proxy program communications, and faults in the operating system. Only a true sandbox can prevent all of these from happening, but sandboxing applications are very hard to use correctly; you could even disable your operating system if you were not careful.
I don't lose any sleep over leaktests.
-- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed.
ghost16825:
These leaktests aka scaretests are pure crap
Smells like it ...that's because it is
- TooLeaky: launches hidden window in IE to remote port 80. Weakness really depends on internet zone IE settings/IE flaws/holes.
- PCAudit: dll injection in explorer to port 80 again. Solution: Make sure explorer.exe doesn't have any internet access whatsoever. DNS Cache Client service does not need to be enabled.
- AWFT:
  - test 1 - tricky business, almost hangs itself, fails to do anything
  - test 2 - through the web browser to default site (remote port 80) or your choice of site
  - test 3 - through explorer.exe again, choice of site
  - test 4 - through browser
  - test 5 - through browser
  - test 6 - through browser
- Thermite: IE only, through port 80, firewall sees it
- Copycat: did nothing
- Mbtest: crashed itself
- Wallbreaker:
  - test 1 - IE through.. let me guess, port 80 again
  - test 2 - port 80
  - test 3 - port 80 (Kerio detects all traffic in IE no matter what)
- DNSTest: Sounds like bullshit at its absolute finest. Tried with DNS Cache disabled. Sent DNS requests to my DNS server. Watch out everyone! Now that's what I call a leak!
- Ghost: through IE port 80 again. Kerio picks up IE activity of course.
---------------------------------------------------
Summary: Kerio sees all this activity really, because they all use the web browser for the dirty work.
- explorer.exe should almost never need internet access.
- DNS Client Service is not necessary; there is very little to gain by using it.
- Log, log, log non-standard port ranges/rare remote ports in your browser if you're paranoid. e.g. Anything to XXX.XXX.XXX:666 should ring alarm bells.
- Accept that anything to remote port 80 is to a web server for a legitimate reason most of the time.
- Don't forget that this is all done through a web browser, not anything else.
- Patch all your IE holes if you use it as a web browser.
DNSTest is perhaps the most misleading one of them all. Someone tell me that it isn't ridiculous.
BlitzenZeus:
Re: These leaktests aka scaretests are pure crap
The hole in IE was built-in; any program can proxy its communications through IE just like a software proxy. This is the huge security hole in IE that Microsoft has not fixed in years, and why IE is only permitted to Windows Update/Office Update/Microsoft sites in general on my computer.
As I've said before, Microsoft Security is an oxymoron; their own browser was listed as a security risk by CERT recently also, and people were advised to use alternative browsers. IE in general is a security risk; if it wasn't for their use of Windows/Office Update, and access to Microsoft beta software, I would not be using IE at all, along with it being completely blocked.
paranoidxe:
Re: These leaktests aka scaretests are pure crap
Funny...Kerio passed PCAudit just fine on this machine.
Thermite looks like it locally creates the file instead of remotely.
Copycat failed to connect to put c:\exploited.txt on my machine using Kerio 2.1.5..so yet another inaccurate claim.
Wallbreaker fails too if Internet Explorer is not already set up to use port 80 and allowed access.
PCAudit2 failed as well; I denied it access easily..again when Internet Explorer is NOT set up to access port 80.
I think the test is pretty bogus myself..the "exploits" it uses seem to only "exploit" the port that is already open on most computers anyway..Port 80.
-- "It's better to look stupid for 5 minutes and ask a question, than to be stupid for the rest of your life." 4g63.20m.com (textsource.org)
Lilla1:
Thank you BlitzenZeus for your posts, informative and helpful as always. And thanks again (I cannot say it enough) for the GREAT BZ ruleset you have given us.
Thank you to Ghost, and gkweb for your excellent posts. It's always good to read both sides of an issue. Those tests did scare me pretty good, and reading Ghost's post has quieted my fears about my trusted Kerio 2.15 with BZ ruleset.
I appreciate the discussion in this thread. It has helped me to understand a bit more about security. I am thinking now more about the concept of taking a layered approach to security: the role of the firewall layer vs. the role of the browser layer. This is something I need to learn more about.
BlitzenZeus, I read with interest the limited use you make of IE, and I am now thinking that I might at least consider the idea of adding a 2nd browser.
Which alternate browser would you guys recommend, Opera, Mozilla Firefox, other? I would prefer one that is free.
When people say their IE6 is fully patched, does that mean something beyond Microsoft Critical Updates? So far that is all that I do.
Thanks to all, Lilla, BZ ruleset groupie
BlitzenZeus:
Re: These leaktests aka scaretests are pure crap
Opera is not free, unless you don't mind an adbar you can easily block through Kerio. Otherwise there are open source browsers like Mozilla and Firefox. Mozilla is a suite with an e-mail client, etc... Firefox is just a pure browser, but it's considered beta if you really care. I prefer Firefox, and it's been working great for me; however it's a bit different, so it will take a little bit to get used to coming from IE.
IE has always had unpatched exploits for it going around; I don't consider it safe for common use unless you're willing to disable most, if not all, of its features in the name of security. When you restrict too many settings you can't visit many legit websites, but with programs like Firefox you don't have to worry about all of these security exploits trying to install things behind your back, so you can leave features enabled without worry. You just need IE for sites that require IE for their proprietary technologies like ActiveX (HacktiveX) and Visual Basic Scripting, which are the source of most of their exploits. Basically Windows Update, Office Update, etc...
gkweb:
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
Hi,
I am the author of the website.
Without any offense intended, even if my testing and my website are apparently being bashed, I see here much confusion about what the leaktests are meant to test.
A leaktest is not meant to bypass an overall computer security, but just one feature of one kind of product. Basically, a leaktest is trying to hijack a fully trusted application.
If you fully trust all of your software, and you allow them any traffic, then a malware trying to hijack one of them should be detected by the personal firewall, blocked, and the user asked; that isn't too complicated, and that is precisely what the firewalls _passing_ the leaktests are doing: catching them in a fully trusted environment. It is in such an environment that you can see which firewall detects, and which one does not.
That's the test page at this step: »www.firewallleaktester.com/tests.htm
To understand what my criteria are, everything is explained in the following study: »www.firewallleaktester.com/documents.htm (leaktest.pdf)
Then, and I agree here with Ghost, because none of the firewalls can prevent a trusted application hijacking, and so none can pass them all, you have to tighten up your security to block them, even indirectly.
The leaktests are meant to bypass trusted applications as I said, but if you trust none of your software, then it is a lot harder for them to go through; but please note that here I am referring to your overall security (not only the firewall), which the leaktests have never claimed to pass. I think I have explained everything about that there: »www.firewallleaktester.com/advices.htm
To test the leaktests, as fully explained in the leaktests paper, is not to block everything on your computer, to throw them, and to see what happens, but I won't write again what I have already written.
My point isn't to scare anyone and to say that you can't do anything about it; on the contrary, I am trying to show the weaknesses in a particular firewall component, and to bring solutions, such as the sandboxes, again explained on both the advices page and in the pdf document.
I think that before criticizing a test page, it's better to read the link provided just under the table, which explains the test criteria, and then to take a look at the whole site to see quickly that Ghost and I aren't necessarily saying opposite arguments.
I do not wish to start a war or a flame; I just wanted to defend my test results, to explain them. I respect all of you, everyone is entitled to his own opinion, and after all that is explained, even after having read all the links above, you can still disagree, but I hope this time you'll see that we have just different points of view and criteria, and that it is not someone who is out of his mind (me) and someone else who is right.
I try to help people as much as I can, and I am sorry if you feel that I wanted to attack anyone or any software.
Best regards,
gkweb.
ghost16825:
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
Hard to believe, but my attack really wasn't intended to be on your website gkweb, but on the author of the application DNSTest and perhaps some of the other leaktest authors. I thought the definition of "leaktest" was something which bypassed a firewall completely, completely unseen by the firewall regardless of whether such traffic was allowed or not. Sure, if there's anything which does such a thing call it a leaktest and make sure it is publicised everywhere. (Some of the raw sockets type tests maybe). But suggesting massive security implications for everyone (as your website makes it out to be) - surely this is misleading. Most exploit implicit firewall rules and it would probably be more factual to try and describe in depth how these programs work and then let users decide how serious it is. This would be better than simply agreeing that the sky is falling and giving most of these authors kudos which they do not deserve.
gwion:
Damn! Firewalls are FIREWALLS. They should be, anyway. We don't expect our spreadsheet to open DBF files, do we??? WHY do so-called "experts" try and tell us we ought to expect our "packet filter" to block cookies, for Christ's sake? Pile of crap, put bluntly. Windows mentality (make it all simple, all under one roof, no matter HOW much you have to eviscerate it doing so) carried from the sublime to the ridiculous. By the way, not jumping you, guys ... I'm jumping these Boeotian IDIOTS who define a firewall as a "security suite, one shot kills all." They're frankly morons, in my eyes. They comprehend what's going on as well as I comprehend the atomic structure of my coffee. Just pour a cup and enjoy - install this and solve all your security, privacy and erectile dysfunction problems with one simple pill. Bullshit.
And yes, if the shoe fits, for those sites that keep reciting, "we see a cookie, your firewall should stop that" WEAR IT. You're boobs, guys. That's crap, and you're boobs, and what upsets me is you're propagandizing the community to believe (innocently enough) crap purveyed by boobs. A "firewall", at base, is a packet filter. And it's as much characterized by its limitations as by its capabilities. As far as I'm concerned, those sites that create "FUD" over idiotic stuff like cookies and browser headers and such are working against us. NOT with us. They're creating an expectation that's inelegant, interdependent, and highly fallible. And those who demonstrate OS and app flaws that bypass firewalls without offering any real help defeating the problem aren't "on our side;" they're jerks, and they're helping the other side with their "your firewall's worthless" bullshit. And that's exactly and all their case is... BULL... uh, you get it ...
The "win32 mystery package just click here and it does it" metaphor's the most hurtful metaphor ever circulated about computing. If I can't verify what something does and how, I call it etherware, not "phenomenal and revolutionary."
Again, not jumping anyone here... I'm jumping the idiot contingent out there who spread fear, uncertainty and doubt, and offer nothing whatsoever useful thereafter, and try and portray themselves as "contributing" to the security community... they don't contribute, they're the problem. Nothing like perpetuating ignorance to compound any problem.
Welcome to the BBR Kerio/Tiny forum... grab a candle, the good folks here hand around MATCHES later on, so you can light them. We don't give away fish, we teach fishing, here. Wet a line with us... welcome aboard...
I just had to get that off my chest... thanks for listening.
As far as those leak tests, there are no known in-the-wild exploits based on them (and they've been around at least as long as I've been at BBR), they're totally addressable by sandboxing (e.g.: Tiny, properly configured), and they for the most part demonstrate inexcusable security flaws in Windows, not in our firewalls. Firewalls tend to not address that kind of stuff, because it isn't exactly supposed to be possible in a properly hardened OS... uh... as far as Windows goes, I would STILL like an answer from MS as to why IE can be so easily hijacked by any app that wants it to traverse a firewall so easily??? Anyone at MS want to address this question? I call this "feature" the ultimate in moronical design. But it's still there, has been forever, has no user or admin control whatsoever, and is completely ignored by virtually everyone... It's irresponsible, idiotic and ridiculous, and the only thing MORE irresponsible is the way people gloss it over within the security community; a firewall shouldn't have to stop that sort of thing - it never should happen.
As far as DLL injection and all that, well, that's application layer sandboxing, not network layer firewalling... so the ball's back in the court of those leak testers. If they have the "MaD sKIllZ" to be doing those borderline-cracker leaktests, why don't they "like, contribute something, dudes", and devote as much time PATCHING holes in the hull as they spend POINTING at 'em and demanding someone else fix 'em... Big favor... demonstrate the holes in my OS and firewall. What I want is a FIX, not a demo, though...
... of course, we are sometimes given to believe that smug arrogance is the hallmark of some security type hackers. Guess we couldn't expect any more, then, from these dopes.
Give a man a fish and he eats for a day. Teach fishing and he eats for life.
I call on these so-called "whitehats" to prove their hats aren't really a dull grey, and start teaching some fishing, damnit. Stop telling me why they don't bite on my bait and tell me what you use... or just shut up and sit down; any jackass can kick down a barn; it takes master carpenters to build one.
-- Semper Eadem
Enjoy every sandwich... Warren Zevon
Lilla1:
Interesting Article by LockerGnome: Why You Should Dump IE
»tinyurl.com/2grga
He used Firefox too! And used IE in the same limited way that BZ uses it.
Lilla
BlitzenZeus:
Re: [Kerio 2.x] Article: Why You Should Dump IE
Just check out this thread, this is where the article was born. »Browser Security Issues
Lilla1:
BZ, interesting link, thanks.
I am posting this using Mozilla Firefox, it's v0.9.1. Initial impression is good. I'm doing OK so far. Got some learning to do though.
I disabled Java, and left JavaScript enabled, as you said.
- SpywareBlaster says Mozilla Firefox is not installed. I created a user.js profile (empty) but no change. Will have to figure out what's wrong there.
- When I save a webpage (like this one), it doesn't offer to save as .mht (single file) like IE6; I'll miss that. Having two files adds a lot of clutter. Oh well, not a biggie.
- I've adjusted my Kerio 2.15 rules in the manner you outlined.
Thanks for all the pointers,
Lilla
NJH:
> said by Lilla1: BZ, interesting link, thanks.
> I am posting this using Mozilla Firefox, it's v0.9.1. Initial impression is good. I'm doing OK so far. Got some learning to do though.
> Lilla
Now you have a great browser, have a look at some extensions, particularly Adblock and its forum for suggestions on filters.
Lilla1:
I found the answer to my question: SpywareBlaster is working on a fix to the matter of not recognizing Firefox .9, should be out soon per... »www.wilderssecurity.com/showthre···=firefox
BZ, thanks for the tips.
I've never installed Java in IE so won't need it in Firefox either.
I don't care about themes & such. It looks just fine to me already. A clean classic look.
gkweb:
Just to point out a few things:
@gwion edited: Is your post against me or is it general?
Firstly, I seem to not be understood. I am not telling everyone that a firewall should block cookies, spam, and other related stuff, unlike what it has been said I was saying; I am against this idea, and again, I have written it on my site and in the study I have written. So it doesn't really encourage me to continue the discussion with people who don't even read my site, but just add free criticism. I am the first on my site to say that a firewall is before all a vanilla packet filter (yes, if you read it, that is exactly the term I am using...), so saying to me what I am myself saying is meant to ... ? Then, everything else you are saying, again, I am saying it; just take a look at the "advices" page on my site.
edited: sorry if your post isn't toward me, I have difficulties understanding who is the target
@Ghost Sorry to have misunderstood you :-/
> I thought the definition of "leaktest" was something which bypassed a firewall completely, completely unseen by the firewall regardless of whether such traffic was allowed or not. Sure, if there's anything which does such a thing call it a leaktest and make sure it is publicised everywhere.
A leaktest targeting IE and passing, yes, by port 80: will it not be allowed and unseen? Anyway, you necessarily have applications on your side allowed to do a kind of traffic, and the leaktests just show that these allowances can be hijacked; the fact it is often IE targeted is just because it is easier to do. The leaktests aren't malware, they are proofs of concept; a real malware would be trickier of course.
> (Some of the raw sockets type tests maybe). But suggesting massive security implications for everyone (as your website makes it out to be) - surely this is misleading.
Without offense intended, I disagree here. I have seen a lot of people having firewalls and AV and being overwhelmed by a lot of spyware coming from nowhere, and being unnoticed by the firewall, while a very simple sandbox (Process Guard Free?) would alert you of a single executable trying to launch. So I don't see that it is "surely" misleading, just a matter of point of view.
> Most exploit implicit firewall rules and it would probably be more factual to try and describe in depth how these programs work and then let users decide how serious it is.
Again, I am trying to achieve that too. I know there is maybe a lot of things to read on my site and you didn't read everything, I can understand, but I can tell I am trying to do that too: the "categories" page and also the pdf document.
> This would be better than simply agreeing that the sky is falling and giving most of these authors kudos which they do not deserve.
About the authors who may not deserve all the kudos, I won't disagree, because maybe a few didn't try anything else than to attack the firewalls, and to make advertisement for themselves, but that is fortunately not the case for all of them.
Then, where did I say the sky is falling? What I try to achieve is just at least to make people aware of existing exploits which are, even if you might not know it (not you as *you*, you as *everyone*), used by many in the wild.
Once people are aware of potential vulnerabilities, many not used, many others used, then they can at least tighten up their security just by tightening up their filtering rules and their firewall settings; this is a part of my "advices" page. Then for those who want to do more, I show a way to do it.
Again, I'm sorry to be blind, but I don't see what's wrong with helping people. I just provide information, then people can be aware of it, and what matters most is not whether people agree with my tests or not; at least they are aware of the potential danger, and I have achieved my goal. No, the sky isn't falling, that's not what I am trying to show; I am just trying to say that the sky is not completely blue, it's not a dreamworld where you can connect and enjoy the internet without a bare minimum of security.
Believe it or not, I am not a bad guy saying bullshit, trying to make advertisement, and to mislead people for some obscure dark interest or anything else... just trying to expose what is not obvious, and what even spyware that people see every day can use to trick them. I just want to help; I'm sorry that it isn't obvious.
And while I can accept (of course!) people disagreeing, it's difficult on the other hand to understand aggressive people who find the purpose of their life in attacking me and being so disrespectful (not you Ghost!), and I must admit this is sometimes discouraging.
regards,
gkweb.
ghost16825:
Re: [Kerio 2.x] Kerio 2.15 w good rules fails 50%
> said by gkweb: Without offense intended, I disagree here. I have seen a lot of people having firewalls and AV and being overwhelmed by a lot of spyware coming from nowhere, and being unnoticed by the firewall, while a very simple sandbox (Process Guard Free?) would alert you of a single executable trying to launch. So I don't see that it is "surely" misleading, just a matter of point of view.
But is this due to the same "leaktest" techniques? I do not think so. But enough of this flame thread going back and forth. I will agree to disagree I guess. One thing I will give you credit for is your Windows Doors Cleaner app; that is a very, very good idea. I'm quite surprised no-one has done it sooner.
Anyhow, take care.
Lilla1:
NJH, yes I am happy to be using Firefox too now. I feel like I came late to the party. Thanks for the tips, I will follow up on your suggestions.
BZ, as you suggested, I will submit a suggestion to Firefox to add save as .mht (single file).
* So far all visits to Microsoft Updates page have been in the range 207.46.134.30 - 207.46.249.157.
Question: Is it OK to generalize and use 207.46.0.0-207.46.255.255?
Currently I am building the address range based upon information gathered from each Microsoft Update page visit, but it does get tedious, especially because I use this ruleset on two computers. So, if a generalized range (shown above) will do, I'll use it instead.
Thanks, Lilla
Lilla1:
Re: [Kerio 2.x] Locking down IE6, and using Firefo
> said by BlitzenZeus: Lilla, if you have not seen it yet, The Department of Homeland Security has joined CERT in saying that people should not use IE for security risks. »Dept of Homeland Security: "Don't use IE"
I've seen it, and worse: I placed an online order at unityelectronics.com on Jun 25; it was a secure site as indicated by the lock on IE6. While I was entering my personal information, including credit card information, I received more than one prompt from IE that I was being directed away from the secure site, do you want to continue.
I first tried to place the order during the morning. When I received the prompt I was suspicious and quit and did not place the order.
That night, I decided I really needed to get the order placed, so I returned to the site and tried again. The same thing happened with the prompts about being redirected. I decided to answer no, and see what happened. What happened was that I was not redirected, and the order processing continued in a normal manner. So I placed the order and it arrived a few days later.
I just today wrote a letter to unityelectronics.com and asked them if their site was compromised by the security alert for IE and gave them a link to an article about it.
We will see what they say.
I'm wondering if I should contact my credit card company and see if they think it would be wise to issue a new number.
I am quite concerned about this. Any thoughts?
Lilla
Lilla1:
gkweb,
I downloaded the program on your site titled WindowsWormsDoorsCleaner. I am using it. It provides a handy way to verify that secure settings are set and have not somehow become reset. Even novice users can use it, so I will install it on family computers. I like the way this tool links to the Microsoft article that supports each lockdown.
Thank you, Lilla
Lilla1:
Below are Microsoft's latest recommendations for using IE6. I was doing most, but not all. Now I am doing all. The item below is the one I was not doing before. I want IE6 to be as safe as possible for those times when I will use it to visit the sites that require it. For other sites I will be using Firefox.
They now recommend setting the Internet Zone to High and adding sites that require ActiveX, like Windows/Office Update, to the Trusted Sites Zone.
Increase Your Browsing and E-Mail Safety: 4 Steps to Help Ward Off Hackers and Attackers (Published: October 3, 2003 | Updated: June 11, 2004)
»www.microsoft.com/security/incid···ngs.mspx
The article above is referenced in the article below.
Microsoft - What you should know about Download_Ject: »www.microsoft.com/security/incid···ect.mspx
I do not have either of the two files they mention, so I feel a bit better.
Lilla
Lilla1:
I reran the leaktests at www.firewallleaktester.com/test after I installed Firefox and added a rule to allow IE access to Windows/Office Update sites only.
Kerio 2.15 w BZ ruleset + Firefox passed 6/7 tests that I ran, and the one I didn't pass doesn't count, as explained below. I ran these tests... Remember, with IE I failed these same tests; now I'm back and passing them with Firefox...
- copycat
- ghost
- tooleaky
- thermite
- wallbreaker
- DNStester. I failed the DNStester test. I run with DNS Client service disabled. See Ghost's comments about "DNStest", where he said this test is contacting ISP DNS, so it's not really a relevant test.
The rules I added look like this...
Rule: IE - Ms Windows/Office Update (ActiveX)
  Protocol: TCP (Out)
  Local ports: 1024-5000
  Remote address: 207.46.134.30-207.46.249.157
  Remote ports: 80-81,443
  Application: iexplore.exe
  Action: Permit
Rule: Firefox - web browser
  Protocol: TCP (Out)
  Local ports: 1024-5000
  Remote address: any
  Remote ports: 80-81,443
  Application: firefox.exe
  Action: Permit
I have not blocked IE to non-Microsoft sites because some sites are designed for IE and don't work/look right in other browsers. If I want to access a particular site using IE (other than the Microsoft sites I defined in my rule, see above) I must click Permit when prompted by the firewall.
Also, IE Internet Zone is set to High (default is Medium); sites that require ActiveX (Windows Update, Office Update) are entered as trusted sites. This is per the latest Microsoft recommended settings for IE security.
So far I have installed just two Firefox extensions:
1) IE VIEW - adds "Open Link Target in IE" and "View this page in IE" to the Firefox context menu.
2) Shortcut - adds "Create Shortcut" on desktop to the Firefox context menu.
QUESTION: In Firefox settings I can enable or disable Java, but I haven't installed Java, so I'm thinking this setting should be grayed out. Is this something that's due to being a beta? Or, is Java bundled with Firefox?
Lilla
Kerio 2.15 + BZ ruleset + Firefox rules! BZ ruleset groupie
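As an added example (my own code, not from this thread, from Kerio or from the BZ ruleset), here is a small Python model of how per-application rules like the two Lilla posted above decide an outbound connection, with ghost16825's "log rare remote ports" advice from his summary bolted on. The first-match-then-prompt behaviour, the field names, the inclusive "first-last" address range syntax and the explorer.exe deny rule are my assumptions for illustration, not documented Kerio 2.x semantics.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional

def parse_ports(spec: str) -> Optional[FrozenSet[int]]:
    """'80-81,443' -> {80, 81, 443}; 'any' -> None (every port matches)."""
    spec = spec.strip().lower()
    if spec == "any":
        return None
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)

def address_matches(spec: str, ip: str) -> bool:
    """'any' matches everything; 'first-last' is an inclusive IPv4 range."""
    spec = spec.strip().lower()
    if spec == "any":
        return True
    first, last = (IPv4Address(x.strip()) for x in spec.split("-", 1))
    if first > last:
        raise ValueError(f"bad address range: {spec!r}")
    return first <= IPv4Address(ip) <= last

@dataclass(frozen=True)
class Rule:
    name: str
    application: str     # executable name, compared case-insensitively
    local_ports: str     # Kerio-style port spec, e.g. '1024-5000'
    remote_address: str  # 'any' or inclusive 'first-last' IPv4 range
    remote_ports: str
    action: str          # 'permit' or 'deny'

@dataclass(frozen=True)
class Connection:
    application: str
    local_port: int
    remote_ip: str
    remote_port: int

def port_ok(spec: str, port: int) -> bool:
    allowed = parse_ports(spec)
    return allowed is None or port in allowed

def rule_matches(rule: Rule, conn: Connection) -> bool:
    return (rule.application.lower() == conn.application.lower()
            and port_ok(rule.local_ports, conn.local_port)
            and port_ok(rule.remote_ports, conn.remote_port)
            and address_matches(rule.remote_address, conn.remote_ip))

# Lilla's two outbound TCP rules, plus a constructed explorer.exe deny rule
# (ghost16825's advice, not a rule quoted in the thread).
RULES: List[Rule] = [
    Rule("IE - Ms Windows/Office Update (ActiveX)", "iexplore.exe",
         "1024-5000", "207.46.134.30-207.46.249.157", "80-81,443", "permit"),
    Rule("Firefox - web browser", "firefox.exe",
         "1024-5000", "any", "80-81,443", "permit"),
    Rule("explorer.exe - no internet access (constructed)", "explorer.exe",
         "any", "any", "any", "deny"),
]

def decide(conn: Connection, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; no match means Kerio prompts, modelled as 'ask'."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return "ask"

def should_alert(conn: Connection, rules: List[Rule] = RULES) -> bool:
    """ghost16825's 'log rare remote ports' advice: flag a connection whose remote
    port lies outside everything the app's own permit rules allow ('any' never alerts)."""
    usual = set()
    for rule in rules:
        same_app = rule.application.lower() == conn.application.lower()
        if rule.action != "permit" or not same_app:
            continue
        ports = parse_ports(rule.remote_ports)
        if ports is None:
            return False
        usual |= ports
    return bool(usual) and conn.remote_port not in usual

if __name__ == "__main__":
    # Constructed sample connections; 198.51.100.0/24 is documentation space.
    samples = [
        Connection("iexplore.exe", 1234, "207.46.134.30", 443),  # permit
        Connection("iexplore.exe", 1234, "198.51.100.7", 80),    # ask: non-MS site
        Connection("firefox.exe", 3000, "198.51.100.7", 80),     # permit
        Connection("firefox.exe", 3000, "198.51.100.7", 666),    # ask + alert
        Connection("explorer.exe", 1500, "198.51.100.7", 80),    # deny
    ]
    for c in samples:
        print(f"{c.application:13} {c.remote_ip}:{c.remote_port:<4} "
              f"{decide(c)} alert={should_alert(c)}")
```

The "ask" outcome for iexplore.exe to a non-Microsoft address is the firewall prompt Lilla describes clicking Permit on; the alert flag is the log line ghost16825 suggests keeping for odd remote ports.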
slinky_2:
Re: [Kerio 2.x] Kerio 2.15 w BZ rules + Firefox
Good discussion here.
Comments by ghost are spot on.
On the other hand gkweb makes a good point that a trusted AP can act as a security hole.
Lilla proves that more than half the battle is getting rid of IE.
My view re: leak tests - they are good for simulating your level of vulnerability, but are not realistic since they require downloading and running the .exe; it would be nice if someone could devise a test which acts more like the silent drive-by trojans, to inform rather than destroy.
Layered defense is the best way to go:
1) Ditch IE in favor of an alternative browser (Opera or Firefox 0.9 beta or above).
2) Use a correctly configured firewall (k2.1.5 excellent choice).
3) Process control - PG or AP for Win2k & above (kernel level protection) or SSM ("user-mode" style hooking) for those unable to run either PG or AP.
SS&D 1.3 immunization may help also. Tea timer may also help to monitor/protect the registry.
Beta Prevx may be a new AP to watch as it develops for Win2k & above:
»https://www.prevx.com/prevxenterprise/en···ures.htm
|  |  |   gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
| Re: [Kerio 2.x] Kerio 2.15 w BZ rules + Firefox Sorry, missed that sub discussion... Yes. I'm running KMeleon, now, through Proxomitron, Kerio as my firewall, and NAT at the gateway. Nice layered approach, without going overboard. I would love to be running Tiny, for the app layer features, but it won't run on NT, and I have no reason whatsoever to upgrade the OS just to accomodate a firewall, albeit an enhanced one that's very good with these exotic exploits.
I would only add that I fully agree; the leaktests generally require the running of an untrusted app, and if it proves anything, what it proves most emphatically is that "if an app can run on your system, or you can be coerced to run it, without first having been verified in some way for trust, you're dead in the water and all bets are off." That's a point we have to reinforce again and again in people's minds. You can have all the nifty security software on earth, but if you don't practice good general computer hygiene, and good system and app configuration, you're more vulnerable, not less vulnerable, because you have a nice shot of false security coursing through you.
A well documented leak test is by all means a favor to the community; one we dealt with, though, was so poorly documented or explained that we ended up reverse engineering the damn thing to get a "documentable" test out of it. Turned out it was precisely what we thought it was, a DLL injection routine. Using that reverse engineered, recompiled leak test, we were able to do some great tests on Kerio and Tiny and a few other apps... but, standing alone, it was pretty much useless for anything except creating a general, abstract sense of fear, uncertainty and doubt. Perhaps that helps explain some of that latent frustration I feel when I see a few of these things ... 
In a more positive sense, I recall a firewall killer app that worked against some versions of Kerio, and it was, in fact, pretty transparent... and served to help remind us anything running on the local system can be terminated... that doesn't discredit Kerio, by the way, just keeps us on our toes, and makes a good case for that "AlwaysSecure" registry flag, if you're really paranoid, or just reminds us to be vigilant, overall...
Which, in the end, is why I feel we do need open discussion of vulnerabilities, demonstrations, and assistance tweaking our configurations and rules, overall. But we need them in the spirit of finding solutions, not in the spirit of simply exposing problems. If anything, by the way, my original post was a challenge, meant to goad more good code hacks out there to take a positive role in improving the state of security consciousness, and improving our configurations and software. Building, not tearing down. Like all things, we have to tear down before we can build... but let's never just stop at the end of the razing... that's time to start the "raising".  -- Semper Eadem
There struts Hamlet, there is Lear, That's Ophelia, that Cordelia; Yet they, should the last scene be there, The great stage curtain about to drop, If worthy their prominent part in the play, Do not break up their lines to weep.
gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
My post is entirely general. When we test things, we do the community a favor; my greatest gripe is when the testing isn't accompanied by explanations. Or where the explanations are made in such a rhetorical style as to create the idea in people's heads that they should expect a "firewall" to contemplate any and every possible security breach. I'm really not up to date with the content of any of the test sites, right now; I run my own tests on LAN with nMap and Ethereal and a few other apps... so I certainly don't mean to call anyone specific onto the carpet, much less point any accusations at anyone in the thread. I want to make clear, too, that nobody is supposed to be flaming anyone in this forum, and that's a reminder. Civility's my cardinal rule, in here.
What I'm suggesting is that I've seen a lot of sites that purport to test security, then regard it as sufficient to place a snip like, "your firewall should/could be blocking this", without further explanation of how the word "firewall" is being used, what the test is testing, how dangerous the threat is, why it's included...
When I test firewalls to post in the forum, I tend to take a long time explaining what I did, why I did it, and what I think can be done about it. That's my major problem with the online testing process, in general.
It's a somewhat frustrating issue for me; there are quite a lot of test sites, and I apologize if I painted with a broad brush; not intended. But my frustration comes partly from a series of leaktests I tried sometime back which exploited operating system flaws, and then, as a form of "explanation", essentially were forward enough to say, "your firewall stinks... that's what this proves... why bother running it?" --- or some variation on those lines. That made me furious; anyone with enough time and skill to code the test had the time and skill to explain what they did, how it was accomplished, and what exactly the author thinks should be done about it. Trashing a perfectly useful PC firewall because it didn't block an application layer exploit isn't a reasonable or useful suggestion. And the net result was a F.U.D. outbreak.
Then, there are the sites I've run across that blame firewalls for letting in cookies, letting out headers, and all that. They don't discuss proxies, filters or configuring browsers. They just tersely blame the firewall, and the result... sigh... is Kerio 4.x.
Again, my sincere apologies if I wasn't clear enough in stating that I was expressing a generic frustration; if you're promoting good "computer hygiene", you're performing a service. I've spent a lot of time testing the firewalls I'm interested in, and I've done so solely for my own research and satisfaction, and I've shared most of my observations and suggestions in extreme detail with my fellow users, here. I find it so frustrating to see some people demonstrate the obvious skill to create the model exploit, but lacking the consideration or sense of responsibility to explain what they're doing, why and how.
I would rather, in fact, thank you most kindly for visiting our thread. You do quite evidently feel a sense of responsibility, judging from your posts, and I wish you well in your endeavors.  -- Semper Eadem