ghost16825 | Premium | join:2003-08-26
Re: [Kerio 2.x] My Kerio 2.1.5 rules based on BZ's (reply to Lilla1)
I have to say this is one of the better rulesets I have seen. There's not very much to criticise in it. Regardless, now that you seem pretty happy with it, it's important to see where the weakest parts are even if there's nothing you can do to restrict the rule further.
Here are my suggestions:
1. Being on a dialup it is highly unlikely you need DHCP through svchost for the connection to work properly. (Perhaps only if you have a local area network). This isn't a security risk but there's no point having it there if it's not needed. Disable DHCP Client through Services and specify primary and alternate addresses in your connection instead of selecting "Get DNS addresses automatically" in your connection properties. (This causes DHCP Client to start Automatically)
2. Some people end their local port range at 4999 instead of 5000. (1024-4999) because of SSDP Discovery Service. (Incoming->5000). Do so if it makes you feel any safer.
3. See if you can come up with a list of IP addresses for Spybot.
4. Just a preference of mine: For your browser rules I would create a rule which includes remote ports which you encounter all the time without fail:
Browser Allow TCP Out 1024-5000 Any address 80,21,443 (Perhaps 8080 and 81 as well if you encounter these on a daily basis)
And then a logged rule underneath: Outside of Browser rules TCP Out 1024-5000 Any address 81-65535 or the much safer suggested 5001-65535 allow log
OR Two rules:
Outside of Browser rules common TCP Out any address 81,8080 log
Outside of Browser rules TCP Out any address 5000-65535 alert and log
To get SYSTEM rules take off some of your Windows specific rules, (local port 135,1025-1026,5000) and visit grc.com and do the Shields Up test. You should get a SYSTEM alert in there somewhere. If this doesn't work you may need to turn on a useless Windows Service which you don't need to get an effect.
I would take off your local port range for explorer(block) and perhaps make it both UDP/TCP both directions, just for the sake of it.
Looking at your rules the biggest weakness is a trojan attaching itself to an application with any address port 80 and sending data to port 80 of the attacker's computer. That said, everyone's probably vulnerable to such a thing and there's little you can do about it; you probably have a better chance of winning the lotto than this occurring if you practise safe computing.
In the future if you decide to implement some kind of local proxy filtering (e.g. Proxomitron) just be aware that localhost filtering (e.g. localhost:8080 out allow followed by localhost:8080 in deny) just doesn't work in Kerio 2.15/4

Lilla1 | join:2002-04-22 Fall City, WA
said by ghost16825 :
I have to say this is one of the better rulesets I have seen. There's not very much to criticise in it. Regardless, now that you seem pretty happy with it, it's important to see where the weakest parts are even if there's nothing you can do to restrict the rule further.
I'm delighted that you like my rule set (work in progress), I give credit to BZ's wonderful rule set. I endeavor to follow the lead of those that understand firewalls, because most of it is Greek to me.
said by ghost16825 :
Some people end their local port range at 4999 instead of 5000. (1024-4999) because of SSDP Discovery Service. (Incoming->5000). Do so if it makes you feel any safer.
I used 1024-5000 because that's what BZ uses in his rule set, and because I have disabled UPnP and SSDP. Still I suppose I could use 1024-4999 as an added safety net.
Below is some discussion that relates to this:
BZ 2003-09-22 00:32:21 Q: I notice on your rule set that you have ports 135, 445 and 500?? for xp services block. Is it 500 or 5000? BZ: It's 500, and 5000(UPnP) is easily turned off, it's not even as huge a threat as it was made out to be. However you could add 5000 to that list, but once you do the task below, it won't be listening anymore. You don't even need those services.
Start -> Run: services.msc In the properties of these services, stop, and disable them. SSDP Discovery Protocol, and Universal Plug n' Pray.
said by ghost16825 :
3. See if you can come up with a list of IP addresses for Spybot.
Good idea. Done.
said by ghost16825 :
I would take off your local port range for explorer(block) and perhaps make it both UDP/TCP both directions, just for the sake of it.
Good idea. Done.
Thanks for all the ideas you gave me, some I am still thinking about.
Lilla
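As an added illustration of the rule layout ghost16825 suggests above (a quiet Browser rule for the everyday remote ports, followed by logged "Outside of Browser rules" catch-alls) and of the 1024-4999 versus 1024-5000 local-port question Lilla1 picks up, here is a small Python model of Kerio's top-down, first-match rule evaluation. It is constructed for this thread, not a Kerio export or either poster's actual ruleset; the process names browser.exe and notepad.exe, the local port 1234 and the Rule objects are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Port = Tuple[int, int]            # inclusive (low, high); a single port is (p, p)

@dataclass
class Rule:
    name: str
    app: str                      # process name, or "*" for any application
    proto: str                    # "TCP" or "UDP"
    direction: str                # "out" or "in"
    local: Port                   # local port range
    remote: Tuple[Port, ...]      # remote ports: single ports and/or ranges
    action: str                   # "permit" or "deny"
    log: bool = False

def _hit(port: int, ranges: Tuple[Port, ...]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)

def first_match(rules: List[Rule], app, proto, direction, lport, rport) -> Optional[Rule]:
    """Kerio 2.x style: rules are read top-down and the first full match decides.
    None means nothing matched and the firewall's default behaviour applies."""
    for r in rules:
        if r.app not in ("*", app) or r.proto != proto or r.direction != direction:
            continue
        if _hit(lport, (r.local,)) and _hit(rport, r.remote):
            return r
    return None

def browser_ruleset(local_hi: int = 5000) -> List[Rule]:
    """ghost16825's layout: a quiet Browser rule for everyday ports, then logged
    catch-alls. local_hi=4999 is the SSDP-motivated variant Lilla1 mentions (constructed)."""
    loc = (1024, local_hi)
    return [
        Rule("Browser", "browser.exe", "TCP", "out", loc, ((80, 80), (21, 21), (443, 443)), "permit"),
        Rule("Outside of Browser rules common", "*", "TCP", "out", loc, ((81, 81), (8080, 8080)), "permit", log=True),
        Rule("Outside of Browser rules", "*", "TCP", "out", loc, ((5000, 65535),), "permit", log=True),
    ]

def decide(app: str, rport: int, lport: int = 1234, local_hi: int = 5000):
    """Return (action, logged, rule name) for one outbound TCP connection."""
    r = first_match(browser_ruleset(local_hi), app, "TCP", "out", lport, rport)
    return ("no match", False, None) if r is None else (r.action, r.log, r.name)

if __name__ == "__main__":
    for app, rport in [("browser.exe", 80), ("browser.exe", 8080), ("browser.exe", 6667), ("notepad.exe", 80)]:
        print(app, rport, decide(app, rport))
```

Note that anything running inside browser.exe and talking to remote port 80 gets the same silent permit as normal browsing, which is the weakness ghost16825 points out; only the catch-all rules below it produce a log entry.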