Re: Kerio PFW 2.14 - Safe?
From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 09/12/04
- Next message: Clive: "Re: Kerio Personal Firewall and connection that I don't understand..."
- Previous message: JC: "Re: IP address spoofing"
- In reply to: Kerodo: "Re: Kerio PFW 2.14 - Safe?"
- Next in thread: Felix Tiede: "Re: Kerio PFW 2.14 - Safe?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 12 Sep 2004 08:30:22 +0000
Kerodo wrote...
Sorry for the lag. :(
>> I learned a long time ago to not assume too much. ;) But if I were the
>> assuming type I'd have to say that my gut feeling about the "design
>> philosophy" of modern versions of ZA leans towards a pretty, but dumbed
>> down user interface. If I had to assume, I'd conclude ZA simply doesn't
>> tell you about everything as a matter of "not alarming the unwashed
>> masses" or whatever. Again, that's just my opinion/assumption/whatever.
>
> Yes, you're probably right. That's pretty scary though, to think that
> ZA isn't really showing you everything in the logs.
Naaa... it's not scary at all. If you want your adrenaline level raised,
stand in the network stream with a packet sniffing tool and get a feel
for what none of them tell you. Then consider the fact that most packet
sniffing tools don't tell you everything either.
Please *don't* take this personally, but for a lot of people a typical
horror story script begins with the line "A user opened his log file and
saw...". ;) This thread is an example of that plot. The bottom line is
that the outgoing packets you describe should be sent "by law". The
general guidelines that govern such things dictate that the appropriate
response be sent to any request, and anything contrary to that can
potentially break something. In this light, Zone Alarm's assumed
behavior of not replying is the real problem, not Kerio's. Kerio is
doing everything right except failing to obscure normal and expected
network activity from the average user's field of vision. It's only
common sense to reply when the name server you've been using asks
something, and if all is as it appears I'd have to say that ZA's alleged
dropping of those packets is broken behavior.
> Of course there is
> some stuff I probably don't care to see, but something like outbound
> type 3 ought to be shown. [...]
I totally disagree. Logging normal activity at normal levels is about as
useful and informative as measuring the tread life of your car's tires
with a dashboard light that blinks every time they complete a rotation.
Common sense dictates only abnormal or cumulative activity is
relevant... an odometer reading that surpasses Firestone's estimation of
tread life, or a firewall that gives "someone tapped port whatever a
bazillion times in the last 10 minutes" alerts.
>> Don't take this the wrong way, but I'd say my above assumption would
>> have a little more basis in fact than an assumption that contradicted a
>> software's literal statements. If Kerio 'X' says it's stateful it most
>> likely is, and any observed behavior that appears to contradict this
>> would likely be a product of rules, or reporting philosophy. The only
>> way to know for sure would be to stand between the firewall and the
>> outside world and observe the actual traffic itself. There's simply too
>> many "what if's" for anything else to be more than speculation.
>
> It does seem convincing if Kerio actually says it's stateful.
I don't even know that much for sure. I'm really speaking in general
terms here, from the perspective of someone who has probably tried every
software firewall under the sun, but doesn't currently use any of them
and is too lazy to research the specifics of the questioned version. ;)
It could be Kerio's claims are total BS, but I rather doubt it.
> I myself am currently running Kerio 2.1.5, stateful or not, simply
> because I like it best and feel most comfortable with the interface and
> the rules. It's my favorite firewall.
A tool you know and use well is better than the tool you don't
understand or misuse... even if the latter is a better tool. :)
I'm a big Outpost fan myself. Even though it reeks of "stealth" snake
oil, I like its thorough logs. Which I suppose makes me a hypocrite.
<grin>
--
What the world needs is not dogma but an attitude of scientific
inquiry combined with a belief that the torture of millions is
not desirable, whether inflicted by Stalin or by a Deity imagined
in the likeness of the believer.
-- Bertrand Russell
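The following Python script is an added illustration and is not part of the original post or any Kerio code. It contrasts the two logging philosophies argued about above: the per-packet view (every outbound ICMP type 3 to the name server logged) versus the cumulative view ("someone tapped port whatever a bazillion times in the last 10 minutes"). The log format and the sample lines are constructed for the example, not Kerio's real format, and the name-server address is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, made-up log format (not Kerio's own):
# "<date> <time> <IN|OUT> <proto> <src>[:port] <dst>[:port] [type=N code=M]"
SAMPLE_LOG = """\
2004-09-12 08:30:00 OUT icmp 192.168.1.10 10.0.0.53 type=3 code=3
2004-09-12 08:30:02 OUT icmp 192.168.1.10 10.0.0.53 type=3 code=3
2004-09-12 08:30:10 IN tcp 203.0.113.7:4321 192.168.1.10:135
2004-09-12 08:30:11 IN tcp 203.0.113.7:4322 192.168.1.10:135
2004-09-12 08:30:12 IN tcp 203.0.113.7:4323 192.168.1.10:135
2004-09-12 08:31:00 OUT icmp 192.168.1.10 198.51.100.9 type=3 code=3
2004-09-12 08:45:00 IN tcp 203.0.113.7:4324 192.168.1.10:135
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<type>\d+) code=\d+)?$")

def analyze(log, dns_servers, window=timedelta(minutes=10), threshold=3):
    """suppressed: outbound ICMP type 3 (destination unreachable) to a configured
    name server, the normal reply to a late DNS answer hitting a closed UDP port.
    per_packet: every other line, i.e. what a packet-by-packet log would show.
    alerts: one entry when a source hits the same local port `threshold` times
    within `window` (the cumulative view)."""
    suppressed, per_packet, alerts = 0, 0, []
    hits = defaultdict(deque)   # (src, local port) -> timestamps inside the window
    alerted = set()             # keys already reported, so one alert per burst
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if (m["dir"] == "OUT" and m["proto"] == "icmp" and m["type"] == "3"
                and m["dst"] in dns_servers):
            suppressed += 1         # expected behaviour, nothing to show the user
            continue
        per_packet += 1
        if m["dir"] == "IN" and m["dport"]:
            key = (m["src"], m["dport"])
            q = hits[key]
            q.append(ts)
            while ts - q[0] > window:   # drop hits that fell out of the sliding window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                minutes = int(window.total_seconds() // 60)
                alerts.append(f"{ts}: {m['src']} hit port {m['dport']} "
                              f"{len(q)} times in the last {minutes} minutes")
    return {"suppressed": suppressed, "per_packet": per_packet, "alerts": alerts}
```

On the sample above, the per-packet view yields five lines plus two suppressed ICMP replies, while the cumulative view yields a single alert for the repeated hits on port 135.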