This paragraph implies you still don't understand. Please don't be
offended, that's not an insult. Once the firewall is bypassed the
attacker would still have to get past the OS to do anything useful.

Excuse the shouting, but please read and respond to the following:
THIS IS WHAT YOU HAVE NOT DEMONSTRATED.
EXACTLY HOW IS THE FIREWALL BYPASSED?
You've still not backed up your claim that Kerio 2.1.5 is "trivial to
bypass." Skipping over that point by saying "Once the firewall is
bypassed" isn't going to cut it.

Many people don't use a PFW and are quite safe without one. Look at it
this way, if you uninstalled Kerio would your OS let anyone remotely
log on and have access to your files? No, it wouldn't. Kerio is
mainly a packet filter used to restrict access to certain ports. Let's
say you ran a webserver on port 80 and a mail server on port 25, then
blocked outside access to them with Kerio. An attacker could easily
read your web page if it wasn't password restricted, but the webserver
would only allow access to the files you were serving to the web, not
the OS files. If Kerio was bypassed on port 25 the attacker would be
presented with a login prompt from the mailserver, and would have to
crack the password to get in. To get a directory list you have to
access a service that allows you file access to the remote computer.
Is that explained any better?
Let's see. What you're saying is that IF a firewall is bypassed
(which you have NOT been able to demonstrate thus far - what you're
not responding to is your claim to have DETECTED Kerio does not equate
to being able to BYPASS it) then an attacker really can't do anything
unless, at the same time, I happen to be running software that ALLOWS
certain outsiders to have whatever access to my system that I've
configured the software to allow (which may be limited, and may also
require the outside user or attacker to have certain software
installed on their system as well,) and then the attacker needs to be
able to bypass whatever other security layers I have (maybe MAC or IP
filtering, MD5 checks, and WEP encryption in addition to passwords and
other measures such as script blockers, virus checkers, etc.)
Is THAT what you're saying? OMIGOSH! I'M LITERALLY TERRIFIED BY THE
PROSPECT. I had no idea I was THAT vulnerable!
Yes. This is why it's so easy to find machines running Kerio on the
internet. An nmap -f scan of a block of IP addresses will return the
IPs of all the computers running Kerio/Tiny 2.x.
Did you miss the reference to "LOCALHOST?" Knowing my IP address,
which anyone can obtain from mail or news headers is a "risk" but it's
only a "risk" in terms of someone knowing there's an actual computer
or network associated with it rather than being a meaningless series
of numbers. It means NOTHING if I unplug the WAN cord from my cable
modem. Likewise, it means NOTHING to allegedly being able to detect
Kerio if packets originating from the outside are ignored. Again, it
does not demonstrate how Kerio is "trivial to bypass" as you claimed
in the original post.
This output is not faked, if that's what you think. Get some of the
regs in this group to do:
nmap -v -v -f -p 44334 24.0.171.57
and post the output. I'm sure some would oblige if you gave
permission. Any volunteers?
I extend permission to ANY reader of this post to attempt to access my
system and provide evidence that they were able to access a file of
some kind, or write a file to my system. I don't think that's as
"trivial" to accomplish as you allege, and THAT'S the point I've been
making from the start and what you have chosen to ignore. The purpose
of a firewall is to prevent unauthorized access to a system so that no
one can access your data or otherwise do harm. THAT is what I'm
asking you to respond to, and if you cannot demonstrate the risk, then
I don't see a vulnerability.
Quite an honest summary really. The sentence "This usually indicates
that your firewall software or security software is functioning
properly" is a lot better than "Your computer is invisible to the
others on the Internet."
But as they didn't fragment the packets they won't be getting past
Kerio.
Same again. You were not scanned with fragmented packets.
Same again. You were not scanned with fragmented packets.
Nmap is common knowledge, there's nothing difficult about it. I would
expect more from dslreports.
Same again. You were not scanned with fragmented packets.
This is a lie. Nmap -P0 or Hping -R will prove it.
Stealth is ..... best avoided for now.
I can certainly see why you might choose to avoid that discussion as
well as the results. Why you feel nmap results should carry more
weight than major online security sites is beyond me, but having said
that, I repeat, even granting that Kerio can be DETECTED does not
equate to being able to "trivially bypass" it. Let me know when that
sinks in and then please respond specifically to that point.
I did that with nmap, why insist on more intrusive proof?
NOT TRUE! PLEASE READ MY ABOVE PARAGRAPH AGAIN! You did NOT do that
with nmap. THAT'S what I've been trying to get you to respond to. At
BEST, all you've done is detect that Kerio was running. How about if
I just STIPULATE for the sake of argument that nmap can DETECT Kerio
and conclude that part of the discussion, okay? Now what? What does
it mean in real terms? It DOESN'T mean that Kerio is "trivial to
bypass" (which is what you originally contended and what you FAILED to
respond to in my paragraph above, and what you did NOT do with nmap)
nor does it explain "what it is a potential attacker is able to do
that CAN'T be done to users of other firewalls" (which is the second
relevant point in the above paragraph that you FAILED to respond to,
and which your exercise with nmap obviously DOESN'T explain.)
And why should I when you can easily do it yourself?
Instead of downloading nmap and doing your own checking you put it in
the hands of some of the very people who are trying to sell PFW's.
What do you expect from them? They are not going to tell you what
tools defeat their firewalls, and certainly not let you scan their own
products with them.
Put "free port listener" into your favorite search engine, find one
that logs connections, then install it and open some ports. Configure
Kerio for full "stealth" and block ALL incoming and outgoing TCP, UDP
and ICMP, and log all packets. Then go to a friend's house and see for
yourself. When you get home you can compare Kerio's logs to the port
listener logs.
In light of my responses above, the exercise would be pointless. I
do, however, welcome readers of this post to accept the invitation I
extended above, which, again, is to attempt to access my system and
provide evidence that they were able to access a file of some kind, or
write a file to my system. There are some highly skilled participants
in ACF, and if there's a REAL threat, and they can find it and exploit
it, I'd like to know about it. Otherwise it's just so much hype.
That's your choice, but bear in mind that many people read this group,
and Kerio wouldn't know if they were all hammering you with fragments
right now, looking for services that are not open. Kerio can't stop
this and they would be free to run a vulnerability scan on your OS,
which would be blocked by a PFW that can handle fragments correctly.
If you don't believe me try it yourself and see. Or better still start
a new thread and make it a group thing. Then Kerio/Tiny users can all
see for themselves whether their PFW is Pricelessware or not.
If people in this group are prepared to recommend security software
then it's reasonable to expect some basic checking of the software.
I'm not talking a full scan here just 1-5 ports would be sufficient,
nothing an ISP would notice or care about.
How about it? Would you believe other posters in this group?
Ric
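The technical claim running through this thread is that a packet filter which does not handle IP fragments can be slipped past, because an 8-byte fragment (what nmap -f produces) carries only part of the TCP header, so a rule such as "drop inbound SYN to port X" never sees enough of the header to match, while a filter that handles fragments correctly blocks the whole datagram. The following is an added example, not code from the thread, from Kerio or from nmap: it builds constructed IPv4 packets in memory (nothing is sent), runs them through a naive stateless filter and through a fragment-aware one, and shows the difference. Assumptions: the addresses are TEST-NET placeholders, port 44334 is used as the blocked port only because the thread's own nmap line names it, and for brevity the fragment-aware filter keeps no reassembly buffer, so a non-first fragment whose head it never saw is dropped rather than queued.

```python
"""Added example (not from the thread or Kerio): a stateless port filter versus a
fragment-aware one, using RFC 1858's tiny-fragment and overlap rules.
All packets are constructed in memory; nothing touches a network."""
import struct
from dataclasses import dataclass

IPPROTO_TCP = 6
TCP_HEADER_MIN = 20      # the flags byte sits at offset 13, so a rule needs the full header
TCP_SYN = 0x02
SRC, DST = "192.0.2.10", "192.0.2.20"   # constructed TEST-NET addresses


@dataclass
class Frag:
    src: str
    dst: str
    ident: int
    proto: int
    offset: int       # fragment offset in bytes (header field * 8)
    more: bool        # "more fragments" flag
    payload: bytes    # transport-layer bytes carried by this fragment


def build_ipv4(src, dst, ident, proto, offset, more, payload):
    """Constructed IPv4 header (no options, checksum left 0) plus payload."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def parse_ipv4(pkt):
    """Pull out only the fields a packet filter needs."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return Frag(".".join(map(str, src)), ".".join(map(str, dst)), ident, proto,
                (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:total_len])


def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only SYN set (constructed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, TCP_SYN, 8192, 0, 0)


def fragment(ident, transport, size):
    """Split a TCP segment into IPv4 fragments of `size` bytes (a multiple of 8);
    size=8 mirrors how nmap -f splits a probe."""
    return [build_ipv4(SRC, DST, ident, IPPROTO_TCP, off, off + size < len(transport),
                       transport[off:off + size])
            for off in range(0, len(transport), size)]


def naive_filter(pkt, blocked_ports):
    """Stateless rule 'drop inbound SYN to a blocked port'. It can only match when
    the whole TCP header is in front of it; anything else falls through to ACCEPT."""
    f = parse_ipv4(pkt)
    if f.proto == IPPROTO_TCP and f.offset == 0 and len(f.payload) >= TCP_HEADER_MIN:
        dport = struct.unpack("!H", f.payload[2:4])[0]
        if dport in blocked_ports and f.payload[13] & TCP_SYN:
            return "DROP"
    return "ACCEPT"


class FragmentAwareFilter:
    """Same rule plus fragment handling: drop tiny first fragments, drop the
    offset-8 overlap case, and carry the first fragment's verdict to the rest of
    the datagram. Assumption: no reassembly buffer, so a non-first fragment whose
    head was never seen is dropped instead of queued."""

    def __init__(self, blocked_ports):
        self.blocked = set(blocked_ports)
        self.verdicts = {}   # (src, dst, ident, proto) -> verdict of the first fragment

    def filter(self, pkt):
        f = parse_ipv4(pkt)
        if f.proto != IPPROTO_TCP:
            return "ACCEPT"                        # only the TCP policy is modelled here
        key = (f.src, f.dst, f.ident, f.proto)
        if f.offset == 0:
            if len(f.payload) < TCP_HEADER_MIN:   # RFC 1858 tiny-fragment rule
                verdict = "DROP"
            else:
                dport = struct.unpack("!H", f.payload[2:4])[0]
                verdict = "DROP" if (dport in self.blocked and f.payload[13] & TCP_SYN) else "ACCEPT"
            if f.more:
                self.verdicts[key] = verdict
            return verdict
        if f.offset == 8:                          # RFC 1858 overlap rule (fragment offset 1)
            return "DROP"
        return self.verdicts.get(key, "DROP")


def run_demo():
    """Blocked port 44334 (from the thread's nmap line); port 80 is left open."""
    blocked = {44334}
    whole = build_ipv4(SRC, DST, 1, IPPROTO_TCP, 0, False, tcp_syn(40000, 44334))
    tiny = fragment(2, tcp_syn(40000, 44334), 8)                  # 8 + 8 + 4 bytes
    allowed = fragment(3, tcp_syn(40001, 80) + b"\x00" * 8, 24)   # 24 + 4 bytes
    hard = FragmentAwareFilter(blocked)
    return {
        "naive_whole": naive_filter(whole, blocked),
        "naive_frags": [naive_filter(p, blocked) for p in tiny],
        "hardened_whole": hard.filter(whole),
        "hardened_frags": [hard.filter(p) for p in tiny],
        "hardened_allowed": [hard.filter(p) for p in allowed],
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18} {verdict}")
```

The naive filter drops the unfragmented SYN but accepts all three 8-byte fragments of the very same SYN, because the SYN flag lives in the second fragment and the port in the first, so no single fragment matches the rule. The fragment-aware filter drops the tiny first fragment, drops the offset-8 fragment, and drops the trailing fragment by inheritance, while still passing a normally sized fragmented segment to the open port 80, which is the behaviour the thread attributes to "a PFW that can handle fragments correctly".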
The issue of Kerio and packet fragments has been discussed many times
here in ACF, and I doubt long time readers are hearing it for the
first time in this discussion. It hasn't had much impact on the
Pricelessware vote in the past and I doubt it will in the future for
many of the reasons I've mentioned in this thread. It's interesting
to talk about on a theoretical level perhaps, but few consider it to
be a bona fide threat for the average home computer user. On a
government or financial institution network, it might be a different
matter, but most of us FREEWARE users don't need, want or can afford
that level of security, which can STILL be bypassed anyway if the
potential payoff to the outside attacker is worth the effort.
The Ethernet LED on my cable modem blinks constantly. Frankly I'm not
the least bit concerned as to whether this is benign traffic on my
ISP's network or whether someone is actively scanning my ports for
whatever reason they might want to do it. That's why I don't keep
logs unless I have a troubleshooting need, e.g., trying to resolve a
connectivity problem. I only see a need to be concerned if there were
evidence of a credible threat. I'm behind a router anyway, so I use
Kerio mainly to restrict OUTBOUND traffic. On the INBOUND side, it's
just another layer of protection.
On the other hand, I welcome feedback from my invitation above for
others to test any REAL "vulnerabilities" that might exist on my
system. If they find any, I'll thank them for it, but otherwise it
seems to me all you've presented is alarmist rhetoric about a
theoretical risk that has little or no practical application or
credibility.
If you choose to respond, the FIRST thing I will do is see if you
address the SPECIFIC points I've raised (that DETECTING is not
"BYPASSING" and what SPECIFIC risk or risks (in terms of data security
from outside attacks) exist with Kerio 2.1.5 that makes its use
"trivial" as opposed to other firewalls. If you choose NOT to do
that, I see little reason to provide more than a cursory response
acknowledging that you continue to dodge the questions.