Kerio - Tiny Support » Release of Kerio Personal Firewall 4.0.6


purelander
Premium
join:2003-07-11


reply to Kerio
Re: Release of Kerio Personal Firewall 4.0.6

Dear Kerio,

I have some simple advice for you that will help you get back on track:

1. Focus on the firewall; 99% of Kerio users hate all-in-one apps. You fail to know your users' preferences.

2. Go back to 2.1.5 and improve on it so that it passes all the leak tests here:
»perso.wanadoo.fr/jugesoftware/fi···est.html

3. Make it lighter, if possible.

If you do the above, Kerio will be perfect.
--
Real knowledge is to know the extent of one's ignorance ~ Confucius

ghost16825
Use security metrics
Premium
join:2003-08-26


All the leaktests, or should I say "scaretests", passed on my computer, which uses Kerio 2.15, according to my standards.

Nearly all of them connect to a website using the TCP protocol, connecting to something on remote port 80. Excuse ME, but this comes down to browser security rather than a "weakness" in the firewall.

If you're going to use these "leak-tests" (scaretests), get them to connect to a non-standard port on a website instead, to properly test your rules.

As for the one which opens IE and gets it to connect, well, I always have a rule for IE called "deny all", because I never use it, so it didn't work.

There is an allow rule for SVCHOST.EXE if you have already made a DHCP rule before it, according to BZ's ruleset, and even if you do, you should never allow it to communicate to any address, any port.

As usual, this comes down to YOUR rules, not mind-reading by the firewall. (What a silly concept!)
There is no such thing as default security ratings, only relative terms of security for your configuration.

Your post is an example at its finest of "scare security" by a person who doesn't seem to know much about security themselves.
[text was edited by author 2003-10-30 04:59:55]


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA


reply to Kerio
OK... let's stay focused, educating, not chastising...

Most leaktests are passable, with sound rules. But the problem is, yes, I like that... "scaretests." Some of them are designed to test things packet filters don't have anything to do with... others are more like nMap scans, and that's mostly relevant with a simple packet filter... I use nMap over the LAN, here, for my own tests. I have yet to test 4.x, personally, like that, but I take a position that I'm not spending a few hours testing something that could still change materially by tomorrow morning ...

By the way, I haven't had any problems configuring loopback around proxomitron, myself, so long as there are proper denies to complement the allows. That is, I have to "allow IE out TCP remote 127.0.0.1:8080", or whatever you set up, to your proxy port... it's then critical to follow that with "deny any app out TCP or UDP remote 127.0.0.1:8080". And position those rules carefully. There can't be any inadvertent exceptions above the deny...

I do believe 100% user control of loopback is an absolute requirement for a packet filter... and suggest that any shortcomings in that regard, Kerio or any other firewall, are well-intentioned MS style "oversimplifications at the expense of total granular security" for "idiot proofing". The only legitimate implicit would have to be tied only and directly to the firewall app, to ensure it can't be locked out, but it has to be strict and narrow, only for localhost, etc., and -only- for the firewall...

By the way, nice aside thought, too... for those who don't use IE, it's probably a VERY good idea to block it entirely, and set an alert... any app can be written to call IE to provide an "invisible window" to give it internet access with total transparency, and that isn't configurable in windows... if you don't use IE, it's a natural firewall tunnelling trojan helper app on your system (in fact, one of a few reasons I insist on a proxy filter I can set up this way on localhost is just this, but I digress...) I've characterized that as an architectural flaw in IE and the win32 API, not a "firewall leak." I believe that no app should ever be designed to access anything, anywhere, without telling the user about it in no uncertain terms, and providing a way of limiting or shutting down the feature... but, again, I digress... but this is one of those features that really doesn't help me feel comfortable when MS says, "we're getting serious about security... really... we are... trust us!"
--
Y Ddraig Goch Ddyry Cychwyn

[text was edited by author 2003-10-30 12:59:10]

foyap

join:2003-06-04
 reply to Kerio
One thing I feel very bad about in KPF v.4 is that when I open the advanced packet filter and the system security, it consumes 100% of my CPU usage and takes about 10 seconds or more to display the page.


madirish
Premium
join:2003-08-04
Cleveland, OH

said by foyap: "One thing I felt very bad about KPF V.4 is, when I open the advance packet filter and the system security, it will consume 100% of my CPU Usage and it takes about 10 seconds or more to display the page."

While reading this, running Mozilla, NAV2002, Abtrusion Protector and Web Washer, I opened Kerio to the advanced filter rules and started Task Manager; my CPU usage was 4%. It now takes about a second to open Kerio and another second to go to whatever module I want. They are improving some things.

foyap

join:2003-06-04

said by madirish: "While reading this, running Mozilla, NAV2002, Abtrusion Protector, Web Washer, opened Kerio to advanced filter rules and started Task Manager, my cpu usage was 4%. It now takes about a second to open kerio and another second to go to whatever module I want. They are improving some things."

Yeah, you are right. But did you try to scroll up and down in your advanced filter rule set after you opened it? I found that the display will hang for about 10 seconds after you scroll the bar up and down a few times.


madirish
Premium
join:2003-08-04
Cleveland, OH

Hi foyap. Actually it works pretty smoothly. I can highlight a rule and then use my middle mouse button and scroll up and down. Or I can left-click and hold the scroll bar and move up and down very nicely. Other versions were very choppy in movement, but 4.0.6 seems OK.

Paul_C8

join:2003-04-08
Fremont, CA

reply to Kerio
Bleh, I'm with gwion on this 4.x line. If anyone knows of another firewall still in production that caters better to the Kerio 2.x crowd, please post. I like Kerio 2.1.5, but I'd like it even better if it were still worked on.
--
"It's a damn poor mind that can only think of one way to spell a word." - Andrew Jackson


Curley

join:2002-04-10
Michigan

Hi Paul,

You might want to take a look at Look'n'Stop's firewall. »www.looknstop.com/En/index2.htm

Their forums can be found here: »www.wilderssecurity.com/index.php?board=13


hsandor

@vnet.hu

reply to gwion
Hello,
I would like to reply to the post:

-Quote-------------------------------------------------
By the way, I haven't had any problems configuring loopback around proxomitron, myself, so long as there are proper denies to compliment the allows. That is, I have to "allow IE out TCP remote 127.0.0.1:8080", or whatever you set up, to your proxy port... it's then critical to follow that with "deny any app out TCP or UDP remote 127.0.0.1:8080". And position those rules carefully. There can't be any inadvertent exceptions above the deny...
------------------------------------------------------

I know this ruleset all too well. Well! Where is the Allow Inbound on 8080 for Proxomitron?! Yeah, that's right, it's not necessary! Maybe you denied that one already. Try denying Proxomitron altogether, both directions. Guess what happens! You should get an alert that Proxomitron is accepting Inbound communication from 127.0.0.1:1025. But NO! You do not get this alert: Proxomitron connects to your browser happily, communicates, retrieves the address to load, and then gets caught when it's connecting Outbound.

What does this mean? Sorry to repeat myself, but it seems that everybody is so sure of himself that they do not bother to actually read the problem:
Every application can accept Inbound connections from localhost if the Outbound end of the communication was Allowed. Yes, even if the accepting application was explicitly denied from any communication whatsoever!

This seemingly minor vulnerability can easily be exploited to steal private info and leak it onto the internet, without ever being caught by Kerio. I can elaborate if anybody is interested.

Yours,
HSandor
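To make the two loopback points in this thread concrete, gwion's rule-ordering advice and hsandor's observation that a denied listener is never consulted, here is a small first-match rule evaluator. It is an added example written for this page, not Kerio's rule engine; the rules, executable names and the "ask" prompt outcome are constructed stand-ins.

```python
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    app: str             # executable name, or "*" for any application
    direction: str       # "out" (connecting side) or "in" (accepting side)
    proto: str           # "tcp", "udp" or "*"
    remote: str          # remote address, or "*"
    port: Optional[int]  # remote port, None for any

def first_match(rules, app, direction, proto, remote, port):
    """First matching rule's action, top to bottom; "ask" (prompt) if none matches."""
    for r in rules:
        if (r.app in ("*", app) and r.direction == direction
                and r.proto in ("*", proto) and r.remote in ("*", remote)
                and r.port in (None, port)):
            return r.action
    return "ask"

# gwion's loopback pair: allow the browser to the proxy port, then deny every
# other application the same destination. Reversing them shadows the allow.
GOOD_ORDER = [
    Rule("allow", "iexplore.exe", "out", "tcp", "127.0.0.1", 8080),
    Rule("deny", "*", "out", "*", "127.0.0.1", 8080),
]
BAD_ORDER = list(reversed(GOOD_ORDER))

def check_order(rules):
    """Decisions for the browser and for an unlisted program under these rules."""
    browser = first_match(rules, "iexplore.exe", "out", "tcp", "127.0.0.1", 8080)
    other = first_match(rules, "unlisted.exe", "out", "tcp", "127.0.0.1", 8080)
    return browser, other

# hsandor's scenario (constructed ruleset): the proxy is denied in both
# directions, while the browser is allowed out to 127.0.0.1:8080.
DENIED_PROXY = [
    Rule("deny", "proxomitron.exe", "in", "*", "*", None),
    Rule("deny", "proxomitron.exe", "out", "*", "*", None),
    Rule("allow", "iexplore.exe", "out", "tcp", "127.0.0.1", 8080),
]

def localhost_decision(rules, client, server, port, check_acceptor=True):
    """check_acceptor=False consults only the connecting side, as hsandor describes."""
    out = first_match(rules, client, "out", "tcp", "127.0.0.1", port)
    if out != "allow" or not check_acceptor:
        return out
    # Stricter form: the accepting application's own inbound rules must agree too.
    return first_match(rules, server, "in", "tcp", "127.0.0.1", port)
```

With check_acceptor=False the denied proxy still receives the browser's connection, which is the alert hsandor expected but never saw; with both ends consulted it is denied.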


HSandor

@vnet.hu

reply to ghost16825
Hello ghost16825!

Have no illusions. Tooleaky, Yalta and the other leaktests can easily be adapted to use other browsers: Mozilla, Opera, whatever! And detecting your default browser is a piece of cake. So you can block IE to stop the demo, but trojans can readily implement firewall-passing communication through your favourite browser. Or will you block all browsers?!

Yours,
HSandor

Paul_C8

join:2003-04-08
Fremont, CA

reply to Curley
said by Curley: "Hi Paul,

You might want to take a look at Look'n'Stop's firewall. »www.looknstop.com/En/index2.htm

Their forums can be found here: »www.wilderssecurity.com/index.php?board=13"

Thanks Curley, looks interesting.
--
"It's a damn poor mind that can only think of one way to spell a word." - Andrew Jackson

ghost16825
Use security metrics
Premium
join:2003-08-26

reply to Kerio
Did you check BZ's default ruleset? If you believe it is flawed, you should tell him. Could what you're talking about be caused by allowing localhost inbound? On my ruleset, I have only specified localhost outbound, with Proxo outbound as well.

As for those comments about leaktests, some of them aren't about strict firewall functions but rather application blocking and DLL injection. I still believe a software firewall should mimic its physical equivalent to some degree. A physical firewall is a layer which is resistant to fire, preserving the rest of the house and giving you TIME rather than anything else. A software firewall should stick to stopping traffic at entrances rather than the corridors which lead to these entrances. The firewall should only interrogate traffic going through the main entrance rather than stopping traffic that is connected to the main entrance somehow.

These "leaktests" don't worry me because I only accept that outbound traffic goes to remote port 80 or 443. If it is a trojan which wants my browser to go to an http link or a secure site, I do not care. That is a risk I am willing to take.

Probably Kerio 2.15's main weakness, if you can call it that, is inbound malformed packets.

To me, the ideal Kerio firewall would keep the rule method, add the ability to add more than one custom group, and be tied to a Snort IDS. With the IDS you should be able to specify, for each of the signatures, what takes priority: your rules or the IDS signature.


Curley

join:2002-04-10
Michigan
reply to Kerio
You're welcome, Paul.

bookshelf

join:2003-11-06
Rancho Palos Verdes, CA
Are you guys using the new version or the old version 2.1.6?

Mplus

join:2002-04-07
France
And what about the others?

And...
Is TPF5.1 better or worse than
1. Kerio 2.1.5
2. Kerio 4
Looking to hear from you.
Itsme

lawrenceong

join:2003-11-30
Dollard-Des-Ormeaux, QC

reply to Kerio
Re: Release of Kerio Personal Firewall 4.0.6

Hello,

I was wondering if someone can help me with KPF 4.0.6. I downloaded the newest version and am using it on Windows 98. With Web filtering enabled, no matter which button I uncheck, the computer will hang when it tries to download a .zip or .exe. I'm unsure if it hangs on other types of files, as these are the only ones I tested...

Any advice?

thanks,
Lawrence


madirish
Premium
join:2003-08-04
Cleveland, OH

Hi lawrenceong, welcome!

Kerio has a problem with its web filtering. I'm using the current version, 4.0.8, and added servers to the exceptions, URLs and the like. Sometimes everything works as it should, then "bam", something screws up. I am not using the web filter now; I'm using a local proxy (Web Washer) and everything is back to normal. I think the best thing for you to do is uncheck web filtering for now (maybe use a proxy instead); it ain't right.

lawrenceong

join:2003-11-30
Dollard-Des-Ormeaux, QC
Thanks madirish.

That's what I did and everything seems to run fine now...

Lawrence
© 1999-2009 dslreports.com