Running 2 firewalls: part 2

elaich

After failing many tests at firewallleaktester.com running Sygate Free, I
dug into the old 2 firewalls subject again. I am pleased to announce that
I passed 22 of the 23 tests there using a combination of three freeware
programs.

I decided to use good old Kerio 2.1.5, mainly because I am completely
familiar with it, and because of the ability to write detailed, specific
rules.

The first firewall I tried next to Kerio was Outpost Free. Oh oh, bad
combination. BSOD, unexplained crashes.

I then tried Sygate Free next to Kerio. No problems, and Sygate seemed to
pick up a few things that Kerio missed. It may also catch the Kerio
fragmented packets exploit, which I believe to be irrelevant, since it
has never been documented in the wild.

Yet, the combination was not complete. I still failed several of the
tests, mainly the process injection types.

Add System Safety Monitor. This app monitors all attempts to launch
processes, and learns from your answers to the prompts. This was the
ticket to intercept those process injection baddies.

With this combination, here are the results of all 23 tests at
firewallleaktester.com:

LeakTest: Blocked.

TooLeaky: Blocked by Kerio with a notice that Internet Explorer has
changed since I last used it. (I block IE by default, as I use Firefox.)

FireHole: Caught by System Safety Monitor.

Yalta: Blocked.

Outbound: Applies only to LANs. N/A.

PCAudit: Blocked.

AWFT - Test 1: Caught by Sygate, and I was queried.

AWFT - Test 2: Caught by System Safety Monitor.

AWFT - Test 3: Blocked.

AWFT - Test 4: Caught by System Safety Monitor.

AWFT - Test 5: Caught by System Safety Monitor.

AWFT - Test 6: Caught by System Safety Monitor.

Thermite: Blocked by Kerio.

Copycat: Caught by System Safety Monitor.

MBTest: Caught by System Safety Monitor.

Wallbreaker- Test 1: Caught by System Safety Monitor. Blocked by Kerio if
allowed.

Wallbreaker- Test 2: Caught by System Safety Monitor. Blocked by Kerio if
allowed.

Wallbreaker- Test 3: Caught by System Safety Monitor. Blocked by Kerio if
allowed.

Wallbreaker- Test 4: Caught by System Safety Monitor. Blocked by Kerio if
allowed.

PCAudit2: Caught by System Safety Monitor. Failed if allowed.

Ghost: Caught by System Safety Monitor. Blocked by Kerio if allowed.

DNSTester: Failed.

Surfer: Caught by System Safety Monitor. Blocked by Kerio if allowed.


As you can see, the only failure was DNSTester. I'm not sure if this is
even something to be concerned with. I can block it by turning off the
W2K DNS Lookup service, but then I can't surf, so....

I'm very satisfied with this setup, and it runs very cleanly with no
problems. SSM is a pain at first, because it has to learn from your
responses. Yet, it seems very much worth the little initial trouble of
setting it up. And it's all FREE.
 
REM

> I decided to use good old Kerio 2.1.5, mainly because I am completely
> familiar with it, and because of the ability to write detailed, specific
> rules.
>
> I'm very satisfied with this setup, and it runs very cleanly with no
> problems. SSM is a pain at first, because it has to learn from your
> responses. Yet, it seems very much worth the little initial trouble of
> setting it up. And it's all FREE.

Very nice report!

May I suggest running the same tests with Kerio 2.1.5 and the XP
firewall with SSM?

The Kerio and XP firewalls work perfectly in tandem. I feel that SSM
will catch anything that gets by these two.

And recall that each of the exploits that you tried must make it onto
your system somehow before they can exploit anything. Using a user
account while on the internet or using the cool freebie linked below
will deny them privilege to establish themselves (IINM):


<http://msdn.microsoft.com/security/.../library/en-us/dncode/html/secure11152004.asp>


SSM is pretty darned tough to defeat if the user has the tolerance to
set it up properly. Grade A tool!
 
elaich

> May I suggest running the same tests with Kerio 2.1.5 and the XP
> firewall with SSM?

Since I'm using W2K, I can't do that.

I'd be wary of that combo since the XP firewall doesn't block outbound.
 
Chrissy Cruiser

> After failing many tests at firewallleaktester.com running Sygate Free, I
> dug into the old 2 firewalls subject again. I am pleased to announce that
> I passed 22 of the 23 tests there using a combination of three freeware
> programs.
>
> [...]
>
> I'm very satisfied with this setup, and it runs very cleanly with no
> problems. SSM is a pain at first, because it has to learn from your
> responses. Yet, it seems very much worth the little initial trouble of
> setting it up. And it's all FREE.

This is great, what a good job, e.

I use WinPatrol, is SSM a better alternative?

I went back to Kerio 2.15 for the same reasons you did but I did like the
look and feel of Sygate.

Could you post your rule sets?
 
elaich

> I use WinPatrol, is SSM a better alternative?

Haven't tried it. I'll give it a shot.

> I went back to Kerio 2.15 for the same reasons you did but I did like
> the look and feel of Sygate.

Basically, I disallow all ICMP, IGMP, UDL, and then write specific allow
rules for my trusted apps.

There is one rule that needs to be at the very bottom of any Kerio
ruleset.

Block All - all protocols, all ports, all everything. That catches
anything that gets by the other rules. I always set that to alert
status, because I want to know right then if anything triggers that
rule.
 
Lewis C

> After failing many tests at firewallleaktester.com running Sygate Free, I
> dug into the old 2 firewalls subject again. I am pleased to announce that
> I passed 22 of the 23 tests there using a combination of three freeware
> programs.
>
> [...]
>
> I'm very satisfied with this setup, and it runs very cleanly with no
> problems. SSM is a pain at first, because it has to learn from your
> responses. Yet, it seems very much worth the little initial trouble of
> setting it up. And it's all FREE.

Thanks for the great report. Does the three layer combination affect
your performance at all? Network or CPU?

Thanks,

LewisC

-----------------------------------------------------------
Lewis R Cunningham

Author, ItToolBox Blog: An Expert's Guide to Oracle
http://blogs.ittoolbox.com/oracle/guide/

Topic Editor, Suite101.com: Oracle Database
http://www.suite101.com/welcome.cfm/oracle

Sign up for courses here:
http://www.suite101.com/suiteu/default.cfm/416752
-----------------------------------------------------------
 
Aaron

Yes, been using SSM for a while. But the last beta will time out in Dec
05. And unlike in the past, where this would be replaced by a newer beta,
the author has apparently sold the rights to a commercial company, so it
won't be free after that.

There is a way around that: remove the firewall rule that allows apps to
have access to UDP 53. That will cause every app that needs to do a DNS
lookup (basically all apps that connect outbound) to prompt for
permission.


> Thanks for the great report. Does the three layer combination affect
> your performance at all? Network or CPU?

SSM is pretty light in my experience. It's about 3Mb VM now on my system.
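As an added example, not code from this thread or from Kerio, Sygate or SSM, here is a small Python model of two points made above: elaich's Kerio ruleset (protocol-wide denies first, narrow per-application allows next, an alerting "Block All" rule at the very bottom) and Aaron's suggestion to drop the broad UDP/53 allow so that any process doing its own lookups falls through to that catch-all and gets prompted. It also models why the process-injection style tests get past a per-application firewall on its own (the firewall only sees which executable owns the socket) and why a launch monitor in front of it catches them. Every rule name, executable name and the learned launch list are constructed for the illustration.

```python
"""Toy model of the layered host policy described in this thread: an ordered,
first-match, per-application firewall ruleset (Kerio style) that ends in an
alerting "Block All" rule, with a process-launch monitor (SSM style) in front
of it. Added example, not code from the thread or from Kerio, Sygate or SSM;
every rule, executable and process name below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "block"
    app: str = ANY         # executable that owns the socket, or ANY
    proto: str = ANY       # "tcp", "udp", "icmp", "igmp", or ANY
    port: object = ANY     # remote port, or ANY
    alert: bool = False    # raise an alert when this rule fires


@dataclass(frozen=True)
class Attempt:
    app: str               # process that owns the socket: all the firewall sees
    initiator: str         # process that launched (or injected into) `app`
    proto: str
    port: Optional[int] = None


def rule_matches(rule: Rule, a: Attempt) -> bool:
    return (rule.app in (ANY, a.app) and rule.proto in (ANY, a.proto)
            and rule.port in (ANY, a.port))


def firewall_decide(rules: List[Rule], a: Attempt) -> Tuple[str, str, bool]:
    """Walk the list top to bottom; the first matching rule decides.
    If nothing matches, say so: that gap is what a bottom "Block All" closes."""
    for r in rules:
        if rule_matches(r, a):
            return r.action, r.name, r.alert
    return "unmatched", "<no rule>", False


def build_rules(generic_dns_allow: bool) -> List[Rule]:
    """Protocol-wide denies, then narrow per-app allows, then "Block All".
    `generic_dns_allow` toggles a broad "any app -> UDP/53" rule."""
    rules = [
        Rule("block ICMP", "block", proto="icmp"),
        Rule("block IGMP", "block", proto="igmp"),
        Rule("firefox http", "allow", app="firefox.exe", proto="tcp", port=80),
        Rule("firefox https", "allow", app="firefox.exe", proto="tcp", port=443),
    ]
    if generic_dns_allow:
        rules.append(Rule("any app DNS", "allow", proto="udp", port=53))
    rules.append(Rule("Block All", "block", alert=True))   # must stay last
    return rules


class LaunchMonitor:
    """Launch-control layer: a (parent -> child) start that has not been
    approved before is held for a prompt rather than let through."""

    def __init__(self, learned: Set[Tuple[str, str]]):
        self.learned = set(learned)

    def check(self, parent: str, child: str) -> str:
        return "allow" if (parent, child) in self.learned else "prompt"


def decide(monitor: LaunchMonitor, rules: List[Rule],
           a: Attempt) -> Tuple[str, str, bool]:
    """Run one outbound attempt through both layers. The firewall keys its
    rules on `a.app`, so code running inside a trusted process inherits that
    process's allow rules; only the launch monitor, which sees the initiator,
    can stop that pattern before any packet is sent."""
    if monitor.check(a.initiator, a.app) == "prompt":
        return "prompt", "launch monitor", False
    return firewall_decide(rules, a)


if __name__ == "__main__":
    # Constructed scenarios: everything started from the desktop has already
    # been approved; the one unapproved launch is leaktest.exe -> firefox.exe.
    monitor = LaunchMonitor({("explorer.exe", c) for c in
                             ("firefox.exe", "ping.exe", "leaktest.exe", "unknown.exe")})
    strict, loose = build_rules(False), build_rules(True)
    cases = [
        ("browser, normal start", strict, Attempt("firefox.exe", "explorer.exe", "tcp", 443)),
        ("ping", strict, Attempt("ping.exe", "explorer.exe", "icmp")),
        ("unknown app, port 80", strict, Attempt("leaktest.exe", "explorer.exe", "tcp", 80)),
        ("test launches browser", strict, Attempt("firefox.exe", "leaktest.exe", "tcp", 80)),
        ("unknown app DNS, broad rule", loose, Attempt("unknown.exe", "explorer.exe", "udp", 53)),
        ("unknown app DNS, no broad rule", strict, Attempt("unknown.exe", "explorer.exe", "udp", 53)),
    ]
    for label, rules, attempt in cases:
        print(f"{label:32} -> {decide(monitor, rules, attempt)}")
```

The two things worth noticing when running it: the "test launches browser" case is allowed by the firewall alone (the socket belongs to firefox.exe, which has an allow rule), and is only stopped because the launch monitor has not seen leaktest.exe start firefox.exe before; and with the broad UDP/53 rule removed, a resolver from an unknown executable lands on "Block All" with an alert instead of passing silently.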
 
Chrissy Cruiser

> Basically, I disallow all ICMP, IGMP, UDL, and then write specific allow
> rules for my trusted apps.
>
> There is one rule that needs to be at the very bottom of any Kerio
> ruleset.
>
> Block All - all protocols, all ports, all everything. That catches
> anything that gets by the other rules. I always set that to alert
> status, because I want to know right then if anything triggers that
> rule.

Thanks for the BLOCK ALL rule. Can you lock this to the bottom, and is the above
your rule set for both Sygate and Kerio (inc. BLOCK ALL)?
 