Re: Kerio PFW 2.14 - Safe?
From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 09/10/04
Date: Fri, 10 Sep 2004 18:28:46 +0000
Peter Boulton wrote...
> Anyone care to attempt a summary? Here's my one for everyone to contradict:
Hey... you asked for it. ;)
> 1) Unclear on whether Kerio 2.14/5 offers stateful packet inspection,
> but the docs claim it does.
If Kerio 2.14/5 states it's stateful, it's pretty clear it is. Stateful
inspection is a type of inspection... a general descriptive term with a
few "should do this" rules, not a hard wired design parameter governed
by a set of "must examine bit x of third byte in field y" blueprints.
Each firewall peddler is free to develop their own specific methods of
watching the state of a connection, a general philosophy about how much
weight that flavor of inspection is given compared to "dumb" packet
filtering, and what to do with the information stateful inspection
uncovers.
Stateful inspection is also completely useless without, and greatly
influenced by, the rules set the firewall applies. Seeing packets of
type 'X' leave your machine tells you absolutely nothing at all about
what caused those packets to exist. It's every bit as possible that a
stateful inspection method detected an incoming request a non-stateful
inspector would have completely missed, as it is that a "dumb" packet
filter just replied to something *it* saw. Inspection methods have
nothing at all to do with security policies outside the fact that they
provide more information for that policy to consider, and the buzz words
"stateful" and "stealth" have no relationship at all. Don't be misled
into confusing them.
> 2) Assuming your Kerio 2.14/5 rules are appropriate, the vulnerability
> of your system is not noticeably worse than with more modern software
> firewalls.
It could be theoretically better. Any attack against a firewall itself
is likely to be version specific, and would almost have to be at least
brand specific. If you assume the attacks you'll encounter today will be
against more common and modern firewalls, in theory you could be safer
with an older or off color firewall. Assuming all else is equal of
course. Not much has changed about the "core" functionality of TCP/IP
over the years. There's very little a newer firewall can do that an
older one can not, other than be more prepared to deal with known
specific threats that didn't previously exist. This is largely a
policy/rules thing that can be configured if the firewall itself isn't
utterly useless to begin with.
> 3) If you are running a router/NAT + up to date av with Kerio 2.14/5
> then any additional risks from Kerio 2.14/5 are largely theoretical.
If you're running NAT with everything properly configured and
maintained, Kerio 2.14/5 is basically irrelevant. So is the most recent
version of Zone Alarm, the time tested ipchains, or any software
firewall running on a workstation behind NAT. The "can't get here from
there" philosophy applies. With the notable exception that you suspect
an attack from within your own network of course. ;)
> Is this right, or am I just stirring it again? Hope the former, as I'm
> still happily running Kerio 2.14/5!
For all intents and purposes you should be. You're likely every bit as
safe from intrusion as the guy who has the shiny new copy of
"HckerKnocker 3000" sitting there handing him a fluffy GUI with nice
dithered edges, or the geek with the 386DX266 and a terminal only
installation *nix/ipchains. Again, assuming everything is set up and
configured properly of course...
And yes, you're stirring. <grin>
--
"The surest way to corrupt a youth is to instruct him to hold in
higher regard those who think alike than those who think
differently."
-- Nietzsche
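
An added illustration, not part of the original post and not Kerio's or any vendor's implementation: a simplified "dumb" filter and a simplified connection-tracking filter judge the same constructed packets, and the stateful one is run under two different rule sets to show that the tracked state only informs the policy. The packet fields, class and function names, and addresses are all assumptions made for the example.

```python
from collections import namedtuple

# direction is "in"/"out" relative to the protected host; flags: S=SYN, A=ACK
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def stateless_allow(pkt):
    """'Dumb' filter: pass all outbound; pass inbound TCP only if ACK is set."""
    return pkt.direction == "out" or "A" in pkt.flags

class StatefulFilter:
    """Tracks flows opened from inside; policy decides about everything else."""
    def __init__(self, open_ports=()):
        self.flows = set()                 # state: connections we initiated
        self.open_ports = set(open_ports)  # policy: inbound services permitted

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.flags == "S":           # new outbound connection: remember it
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True                    # reply to a flow we know about
        # No matching state: only a fresh SYN to a permitted port gets through
        return pkt.flags == "S" and pkt.dport in self.open_ports

# Constructed sample traffic (documentation address ranges)
HOST = "192.0.2.10"
PACKETS = [
    Packet("out", HOST, 40000, "198.51.100.5", 80, "S"),   # we open a connection
    Packet("in", "198.51.100.5", 80, HOST, 40000, "SA"),   # genuine reply
    Packet("in", "203.0.113.9", 80, HOST, 40001, "A"),     # ACK with no connection
    Packet("in", "203.0.113.9", 5555, HOST, 22, "S"),      # new inbound connection
]

def verdicts(allow):
    """Return the allow/deny decision for each sample packet, in order."""
    return [allow(p) for p in PACKETS]

if __name__ == "__main__":
    print("stateless          ", verdicts(stateless_allow))
    print("stateful, closed   ", verdicts(StatefulFilter().allow))
    print("stateful, port 22  ", verdicts(StatefulFilter(open_ports={22}).allow))
```

The third packet is where the two inspection methods differ; the fourth is decided purely by the rule set.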