Security Basics mailing list archives

Re: Kerio Personal Firewall

From: flur <flur () flurnet org>
Date: Wed, 20 Nov 2002 04:05:36 -0500

This is more a technicality then a security problem but i forsee it causingproblems. Adding rules requires a password, but allowing and denyingindividual connections does not.. I dont understand the logic. I've testedthis on version 2.1.4.

KPF determines applications by path and filename, when applications arechanged it notices the md5 checksum difference and reports it. Clicking yesgives your application permission to transmit to any ip and any port,because the admin probably created the rule using defaults. You can use theclient component of KPF to view all applications listening and connected,src/dest ips & ports etc.

In conclusion, i'd like to recommend Kerio either remove the passwordprotection altogether or fix the defaults to detect hosts, or at least portto restrict the potential damage and require a password to execute binarieswith changed md5s (ideally the admin should be able to over-ride this checkfor certain binaries). Also make it ask for a password when connections aremade where rules don't exist.


PS: Is this material worthy of bugtraq or a vendor report?

At 12:41 PM 11/18/2002 -0600, you wrote:

Hello list,
I am trying to configure Kerio Personal Firewall and thisfirewall
allows me to specify explicitly which service is allowed inbound/outbound
connection thru either TCP/UDP including the exact port numbers and IPrange to
respond to.

My question is: Is there a software/utility that will tell me exactly which
service/application is currently listening on exactly which TCP/UDP portnumber?
"netstat -a" only lists the active listening ports but doesnt tell me which
service/application is listening on that port for incoming packets.

I would like to "lock down" the server as much as possible by specifying
exactly which port and service a connection is allowed. Thanks in advance.

Regards,

chchin



____________________ __ _
~FluRDoInG                        flur () flurnet org
                            http://www.flurnet.org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4

Current thread:

Kerio Personal Firewall Chee%2dHeng Chin (Nov 19)
- Re: Kerio Personal Firewall Steve Cooper (Nov 21)
- Re: Kerio Personal Firewall JM (Nov 21)
- Re: Kerio Personal Firewall Chew Yean Tai - FOS (Nov 21)
  - Re: Kerio Personal Firewall dwarkeeper (Nov 26)
- Re: Kerio Personal Firewall flur (Nov 21)
- Re: Kerio Personal Firewall SFDC Admin (Nov 22)
- Re: Kerio Personal Firewall Alexandros Papadopoulos (Nov 22)
- Re: Kerio Personal Firewall kevin (Nov 25)
  - Re: Kerio Personal Firewall alaskan (Nov 26)
- Re: Kerio Personal Firewall Pablo Gietz (Nov 25)
- <Possible follow-ups>
- RE: Kerio Personal Firewall Steve Payne (Nov 21)
  - RE: Kerio Personal Firewall James Taylor (Nov 25)
- RE: Kerio Personal Firewall herakel (Nov 21)
- RE: Kerio Personal Firewall Heilman Sgt Marshall S (Nov 21)
- RE: Kerio Personal Firewall Zimin, Alex (Nov 22)

(Thread continues...)