Kerio 2.1.5

Anonymous
July 5, 2004 11:45:36 PM

Archived from groups: comp.security.firewalls

Hi,

I often see people in here mention Kerio 2.1.5 as their software
firewall. Is this "old" build particularly good, or what's the reason for
choosing this over Kerio 4 (or another software firewall)?

/Troels


Anonymous
July 5, 2004 11:45:37 PM

Taking a moment's reflection, Troels Jensen mused:
|
| I often see people in here mention Kerio 2.1.5 as their software
| firewall. Is this "old" build particular good or what's the reason for
| choosing this over Kerio 4 (or another software firewall)?

Both. Kerio 2.1.5 was a very good build, and very streamlined. Many
people still prefer it to other firewalls because of how bloated the code
has become in them (ad blockers, AV, web filters, etc).
Anonymous
July 5, 2004 11:45:37 PM

"Troels Jensen" <bred085@yahoo.com> wrote in message news:ktgGc.22350$Vf.1155756@news000.worldonline.dk...
> Hi,
>
> I often see people in here mention Kerio 2.1.5 as their software
> firewall. Is this "old" build particular good or what's the reason for
> choosing this over Kerio 4 (or another software firewall)?
>
> /Troels

I have the licence to 4 but don't use it any more, and prefer 2.1.5
simply because it's easier to set up, and imo more versatile. I love
the automatic denial of ownerless packets.
Anonymous
July 5, 2004 11:45:37 PM

In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
@yahoo.com says...
> Hi,
>
> I often see people in here mention Kerio 2.1.5 as their software
> firewall. Is this "old" build particular good or what's the reason for
> choosing this over Kerio 4 (or another software firewall)?
>
> /Troels
>
Kerio 2.1.5 is excellent; however, it does have one vulnerability that
most people seem to either ignore or not know about. See this link:

http://www.mickeytheman.com/boardnation/Wc6b68755c9123....

I can verify that this fragmented packet vulnerability exists in 2.1.5
and earlier, and that someone could potentially get malicious packets
past the firewall. It might not be that likely to happen, but it's
possible..

I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
which doesn't have this vulnerability. Seems to work great. The only
thing I miss in Kerio 4.x is the lack of logging of packets to unopened
ports..

--
Kerodo
Anonymous
July 6, 2004 6:47:02 AM

Well, you consider it a vulnerability, but has it been proven that it's still a
problem considering how old the alert is?

I can't stand 4x, and I still run 2x.

"Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
news:MPG.1b539feb96d91055989697@news.west.cox.net...
> In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
> @yahoo.com says...
>> Hi,
>>
>> I often see people in here mention Kerio 2.1.5 as their software
>> firewall. Is this "old" build particular good or what's the reason for
>> choosing this over Kerio 4 (or another software firewall)?
>>
>> /Troels
>>
> Kerio 2.1.5 is excellent, however it does have one vulnerability that
> most people seem to either ignore or not know about. See this link:
>
> http://www.mickeytheman.com/boardnation/Wc6b68755c9123....
>
> I can verify that this fragmented packet vulnerability exists in 2.1.5
> and earlier, and that someone could potentially get malicious packets
> past the firewall. It might not be that likely to happen, but it's
> possible..
>
> I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
> which doesn't have this vulnerability. Seems to work great. The only
> thing I miss in Kerio 4.x is the lack of logging of packets to unopened
> ports..
>
> --
> Kerodo
Anonymous
July 6, 2004 6:47:03 AM

In article <GooGc.64082$OB3.21182@bgtnsc05-news.ops.worldnet.att.net>,
replytonewsroup@server.com says...
> "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
> news:MPG.1b539feb96d91055989697@news.west.cox.net...
> > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
> > @yahoo.com says...
> >> Hi,
> >>
> >> I often see people in here mention Kerio 2.1.5 as their software
> >> firewall. Is this "old" build particular good or what's the reason for
> >> choosing this over Kerio 4 (or another software firewall)?
> >>
> >> /Troels
> >>
> > Kerio 2.1.5 is excellent, however it does have one vulnerability that
> > most people seem to either ignore or not know about. See this link:
> >
> > http://www.mickeytheman.com/boardnation/Wc6b68755c9123....
> >
> > I can verify that this fragmented packet vulnerability exists in 2.1.5
> > and earlier, and that someone could potentially get malicious packets
> > past the firewall. It might not be that likely to happen, but it's
> > possible..
> >
> > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
> > which doesn't have this vulnerability. Seems to work great. The only
> > thing I miss in Kerio 4.x is the lack of logging of packets to unopened
> > ports..
> >
> > --
> > Kerodo

> Well you consider it a vulnerablity, but has it been proven that its still a
> problem considering how old the alert is?
>
> I can't stand 4x, and I still run 2x.

Yes, I've verified that it's still happening here in 2.1.5. I actually
stumbled upon it by accident.

Here's how you can see it if you're so inclined. In my area, the
Messenger spammers are using this exploit to try to get thru firewalls
that are vulnerable to it.

I first noticed outbound ICMP type 3 packets that were going to
addresses other than my DNS Servers. This is an indication that UDP
packets are getting thru the firewall inbound somehow. This, in fact,
is the result of the fragmented packet getting thru. What the spammers
are doing is sending a fragmented packet and then another packet to port
1026 immediately after the fragmented packet. Kerio 2.x accepts the
fragmented packet AND the packet immediately following it, ignoring all
your rules.

I installed Sygate 5.5 and could see the two packets coming in
(fragmented and the packet following the fragmented one). Only Sygate
was smart enough to block the 2nd packet, as it should and as Kerio
should, but isn't.

What you should do is enable logging in 2.1.5 of outbound ICMP type 3
and see if you see any packets going out to addresses other than your
ISP's DNS Servers. If you do, then it's happening on your machine also.
It may not happen to some people if the spammers are not hitting your IP
range. Some people insist that it's not happening to them.

I don't know much about the technical details of this fragmented packet
exploit, but I've seen it reported in some Linux related arenas also.

I don't really love Kerio 4.x that much either, but I find I can use my
Kerio 2.x rules in Kerio 4 and Kerio 4 is safer in that it's not
vulnerable to this exploit. They have apparently fixed this problem in
version 4.xx. Kerio 4 has some bugs still, and I wouldn't dream of
trying any of the current betas, but I'm using 4.0.16 here with fairly
good results with my Kerio 2.x rule set. I much prefer Kerio 2.1.5
also, but the vulnerability bothers me, so I use Kerio 4.

To each his own I guess...

--
Kerodo
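Kerodo's check above (outbound ICMP type 3 going anywhere but your DNS servers, each one answering an inbound UDP datagram that got past the firewall) as a small log detector. This is an added example, not code from the thread or from Kerio; the packet-log format, the addresses and the helper names are all constructed assumptions.

```python
"""Flag outbound ICMP type 3 (destination unreachable) to non-DNS peers and
pair each with the inbound UDP datagram it answers.
Added example: log format, addresses and names are constructed, not Kerio's."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed log lines: date time direction proto src dst key=value...
SAMPLE_LOG = """\
2004-07-05 20:01:10 out UDP  192.168.1.10 198.51.100.1 sport=1029 dport=53
2004-07-05 20:01:11 out ICMP 192.168.1.10 198.51.100.1 type=3 code=3
2004-07-05 20:01:14 in  UDP  192.0.2.77 192.168.1.10 sport=1045 dport=1026
2004-07-05 20:01:14 out ICMP 192.168.1.10 192.0.2.77 type=3 code=3
2004-07-05 20:01:20 out ICMP 192.168.1.10 198.51.100.9 type=8 code=0
2004-07-05 20:01:30 out ICMP 192.168.1.10 198.51.100.2 type=3 code=3
"""
# The ISP resolvers this host is expected to talk to (constructed values).
DNS_SERVERS = {ipaddress.ip_address("198.51.100.1"), ipaddress.ip_address("198.51.100.2")}

@dataclass(frozen=True)
class Finding:
    when: str
    peer: str                      # host that received our unreachable message
    icmp_code: int                 # 3 = port unreachable: a datagram hit a closed UDP port
    inbound_dport: Optional[str]   # UDP port the triggering inbound datagram aimed at

def parse_line(line: str) -> Optional[dict]:
    """Turn one constructed log line into a dict; return None for junk."""
    parts = line.split()
    if len(parts) < 6:
        return None
    date, clock, direction, proto, src, dst = parts[:6]
    rec = {"when": f"{date} {clock}", "dir": direction, "proto": proto,
           "src": src, "dst": dst}
    for field in parts[6:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def suspicious_unreachables(log_text: str, dns_servers) -> list:
    """Outbound ICMP type 3 to a non-DNS peer means an inbound UDP datagram
    reached the stack despite the firewall; pair each with that datagram."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if not (rec["dir"] == "out" and rec["proto"] == "ICMP" and rec.get("type") == "3"):
            continue
        if ipaddress.ip_address(rec["dst"]) in dns_servers:
            continue  # late DNS reply to an already-closed port: expected noise
        # Most recent logged inbound UDP from the same peer is the likely trigger.
        trigger = next((p for p in reversed(records[:i])
                        if p["dir"] == "in" and p["proto"] == "UDP" and p["src"] == rec["dst"]),
                       None)
        findings.append(Finding(rec["when"], rec["dst"], int(rec.get("code", -1)),
                                trigger.get("dport") if trigger else None))
    return findings

if __name__ == "__main__":
    for f in suspicious_unreachables(SAMPLE_LOG, DNS_SERVERS):
        print(f"{f.when}: ICMP 3/{f.icmp_code} to {f.peer}, "
              f"answering inbound UDP to port {f.inbound_dport}; review rules")
```

On the constructed log only the exchange with 192.0.2.77 is reported: the unreachable sent to a DNS server and the type 8 echo request are skipped.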
Anonymous
July 6, 2004 7:02:39 AM

Curious, you confirmed it still existed, how? Will it bypass standard rules
with associated ports, any port, and rules that block all tcp/ip protocols?

"Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
news:MPG.1b539feb96d91055989697@news.west.cox.net...
> In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
> @yahoo.com says...
>> Hi,
>>
>> I often see people in here mention Kerio 2.1.5 as their software
>> firewall. Is this "old" build particular good or what's the reason for
>> choosing this over Kerio 4 (or another software firewall)?
>>
>> /Troels
>>
> Kerio 2.1.5 is excellent, however it does have one vulnerability that
> most people seem to either ignore or not know about. See this link:
>
> http://www.mickeytheman.com/boardnation/Wc6b68755c9123....
>
> I can verify that this fragmented packet vulnerability exists in 2.1.5
> and earlier, and that someone could potentially get malicious packets
> past the firewall. It might not be that likely to happen, but it's
> possible..
>
> I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
> which doesn't have this vulnerability. Seems to work great. The only
> thing I miss in Kerio 4.x is the lack of logging of packets to unopened
> ports..
>
> --
> Kerodo
Anonymous
July 6, 2004 7:02:40 AM

In article <jDoGc.64119$OB3.40885@bgtnsc05-news.ops.worldnet.att.net>,
replytonewsroup@server.com says...
> Curious, you confirmed it still existed, how? Will it bypass standard rules
> with associated ports, any port, and rules that block all tcp/ip protocols?
>
Yep, please see my other post where I try to explain it. It bypasses
all rules and gets in directly thru the firewall internal rules. It's
basically a bug in the way Kerio handles fragmented packets...
--
Kerodo
Anonymous
July 6, 2004 7:20:40 AM

Well, I will see if I can reproduce this at all on my system. I'm very
familiar with how Kerio 2x works, and I've just set up monitoring of outbound
icmp 3 with my dns servers filtered from the results. I will try to post back
tomorrow to confirm or deny your results from my system, as I should get at
least one fragmented packet in that time frame.

"Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
news:MPG.1b53b5e376db18bd989698@news.west.cox.net...
> In article <GooGc.64082$OB3.21182@bgtnsc05-news.ops.worldnet.att.net>,
> replytonewsroup@server.com says...
>> "Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
>> news:MPG.1b539feb96d91055989697@news.west.cox.net...
>> > In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
>> > @yahoo.com says...
>> >> Hi,
>> >>
>> >> I often see people in here mention Kerio 2.1.5 as their software
>> >> firewall. Is this "old" build particular good or what's the reason for
>> >> choosing this over Kerio 4 (or another software firewall)?
>> >>
>> >> /Troels
>> >>
>> > Kerio 2.1.5 is excellent, however it does have one vulnerability that
>> > most people seem to either ignore or not know about. See this link:
>> >
>> > http://www.mickeytheman.com/boardnation/Wc6b68755c9123....
>> >
>> > I can verify that this fragmented packet vulnerability exists in 2.1.5
>> > and earlier, and that someone could potentially get malicious packets
>> > past the firewall. It might not be that likely to happen, but it's
>> > possible..
>> >
>> > I perfected my rules in Kerio 2.x and then imported them into Kerio 4,
>> > which doesn't have this vulnerability. Seems to work great. The only
>> > thing I miss in Kerio 4.x is the lack of logging of packets to unopened
>> > ports..
>> >
>> > --
>> > Kerodo
>
>> Well you consider it a vulnerablity, but has it been proven that its still
>> a
>> problem considering how old the alert is?
>>
>> I can't stand 4x, and I still run 2x.
>
> Yes, I've verified that it's still happening here in 2.1.5. I actually
> stumbled upon it by accident.
>
> Here's how you can see it if you're so inclined. In my area, the
> Messenger spammers are using this exploit to try to get thru firewalls
> that are vulnerable to it.
>
> I first noticed outbound ICMP type 3 packets that were going to
> addresses other than my DNS Servers. This is an indication that UPD
> packets are getting thru the firewall inbound somehow. This, in fact,
> is the result of the fragmented packet getting thru. What the spammers
> are doing is sending a fragmented packet and then another packet to port
> 1026 immediately after the fragmented packet. Kerio 2.x accepts the
> fragmented packet AND the packet immediately following it, ignoring all
> your rules.
>
> I installed Sygate 5.5 and could see the two packets coming in
> (fragmented and the packet following the fragmented one). Only Sygate
> was smart enough to block the 2nd packet, as it should and as Kerio
> should, but isn't.
>
> What you should do is enable logging in 2.1.5 of outbound ICMP type 3
> and see if you see any packets going out to addresses other than your
> ISP's DNS Servers. If you do, then it's happening on your machine also.
> It may not happen to some people if the spammers are not hitting your IP
> range. Some people insist that it's not happening to them.
>
> I don't know much about the technical details of this fragmented packet
> exploit, but I've seen it reported in some Linux related arena's also.
>
> I don't really love Kerio 4.x that much either, but I find I can use my
> Kerio 2.x rules in Kerio 4 and Kerio 4 is safer in that it's not
> vulnerable to this exploit. They have apparently fixed this problem in
> version 4.xx. Kerio 4 has some bugs still, and I wouldn't dream of
> trying any of the current beta's, but I'm using 4.0.16 here with fairly
> good results with my Kerio 2.x rule set. I much prefer Kerio 2.1.5
> also, but the vulnerability bothers me, so I use Kerio 4.
>
> To each his own I guess...
>
> --
> Kerodo
Anonymous
July 6, 2004 7:20:41 AM

In article <cUoGc.64165$OB3.8082@bgtnsc05-news.ops.worldnet.att.net>,
replytonewsroup@server.com says...

> Well, I will see if I can reproduce this at all on my system, I'm very
> familiar with how Kerio 2x works, and I've just setup monitoring of outbound
> icmp 3 with my dns servers filtered from the results. I will try to post back
> tomorrow to confirm, or deny your results from my system as I should get at
> least one fragmented packet in that time frame.

Very good.. The only way I was able to see this is because the messenger
spammers were using it here. You may or may not see the same thing
there, depending upon whether you're getting hit by the spammers as well
or not. Hopefully you'll see it also. I was seeing at least a few per
day here..

In my opinion, the vulnerability isn't THAT big of a deal, but I believe
that it does exist. I ran Kerio 2.1.5 for a long time here. Someone
would have to deliberately target your IP address, and then know that
you were vulnerable to this exploit, and then hand craft packets to get
thru the firewall to hit specific ports, and so on. The odds of that
happening to someone are very remote I think.. For all practical
purposes, you could probably run 2.1.5 without worrying much.

At any rate, I'm using Kerio 4 here despite its other limitations..
Please let us know if you can verify that outbound type 3 is happening
there also.


--
Kerodo
Anonymous
July 6, 2004 10:45:57 PM

I've gotten no icmp 3 outbound packets to other than my dns servers, and you
would think I would have gotten one at least by now.

You said that it bypassed all your rules; well, that is something that would
have to be tested with different, even special, configurations to pinpoint
where and how exactly it happens, and it sounds like it was assumed from the
situation. If you move your icmp rules below a series of rules, one blocking
all inbound udp to any port and one blocking all inbound any protocol, with
both blocking rules logging, then you would try to see if you
still get those icmp 3 outbound packets. However, your rules before this must
not interfere with the configuration either, and if you run your configuration
with the gateway option enabled, that could have been the problem.

Either way, I can't say why it's happening on your system, but I will not
assume that it's the vulnerability without more proof. It needs to be
reproducible, and it could be something your rules allowed, which is highly
possible due to the way the udp allow rules work.

Anyway, take care.

"Kerodo" <kerodonospamkenny@hotmail.com> wrote in message
news:MPG.1b53bdfd10d4887d98969a@news.west.cox.net...
> In article <cUoGc.64165$OB3.8082@bgtnsc05-news.ops.worldnet.att.net>,
> replytonewsroup@server.com says...
>
>> Well, I will see if I can reproduce this at all on my system, I'm very
>> familiar with how Kerio 2x works, and I've just setup monitoring of
>> outbound
>> icmp 3 with my dns servers filtered from the results. I will try to post
>> back
>> tomorrow to confirm, or deny your results from my system as I should get at
>> least one fragmented packet in that time frame.
>
> Very good.. The only way I was able to see this is because the messenger
> spammers were using it here. You may or may not see the same thing
> there, depending upon whether you're getting hit by the spammers as well
> or not. Hopefully you'll see it also. I was seeing at least a few per
> day here..
>
> In my opinion, the vulnerability isn't THAT big of a deal, but I believe
> that it does exist. I ran Kerio 2.1.5 for a long time here. Someone
> would have to deliberately target your IP address, and then know that
> you were vulnerable to this exploit, and then hand craft packets to get
> thru the firewall to hit specific ports, and so on. The odds of that
> happening to someone are very remote I think.. For all practical
> purposes, you could probably run 2.1.5 without worrying much.
>
> At any rate, I'm using Kerio 4 here despite it's other limitations..
> Please let us know if you can verify that outbound type 3 is happening
> there also.
>
>
> --
> Kerodo
Anonymous
July 6, 2004 10:45:58 PM

In article <FrCGc.203746$Gx4.174023@bgtnsc04-news.ops.worldnet.att.net>,
replytonewsroup@server.com says...
> I've gotten no icmp 3 outbound packets to other than my dns servers, and you
> would think I would have gotten one at least by now.
>
> You said that it bypassed all your rules, well that is something that would
> have to be tested with different, even special configurations to pin point
> where how it exactly happens, and it sounds like it was assumed on the
> situation. If you move your icmp rules below a series of rules, one blocking
> all inbound udp to any port, and one blocking all inbound any protocol. Those
> blocking rules would both be logging, and then you would try to see if you
> still get those icmp 3 outbound packets. However your rules before this must
> not interfere with the configuration either, and if you run your configuration
> with the gateway option enabled that could have been the problem.
>
> Either way, I can't say why its happening on your system, but I will not
> assume that its the vulnerbility without more proof. It needs to be
> reproduceable, and it could be something your rules allowed, which is highly
> possible due to the way the udp allow rules work.
>
> Anyway, take care.

Well, that's interesting. However, just because a vulnerability isn't
being exploited doesn't mean that it doesn't exist.. Based on what I
saw here, I'm convinced that it's a problem, and I've gone to Kerio 4
which doesn't have that problem using the same identical rule set that I
used in Kerio 2.1.5. I think your IP just isn't being hit by the
messenger spammers, that's all, so you can't see it happening in real
time.

Anyway, you must do as you see fit. The odds that someone would exploit
the vulnerability are admittedly slim. I've gone with Kerio 4 because I
feel more secure that way.

Thanks for trying though... perhaps someone else will see it also...

--
Kerodo
Anonymous
July 10, 2004 12:37:48 PM

Can someone post a link where I can get KPF 2.1.5?

Thanks

Bill D


In article <ktgGc.22350$Vf.1155756@news000.worldonline.dk>, bred085
@yahoo.com says...
> Hi,
>
> I often see people in here mention Kerio 2.1.5 as their software
> firewall. Is this "old" build particular good or what's the reason for
> choosing this over Kerio 4 (or another software firewall)?
>
> /Troels
>
July 24, 2004 4:35:51 PM

On Mon, 5 Jul 2004 20:01:30 -0700, in comp.security.firewalls
Kerodo <kerodonospamkenny@hotmail.com> wrote:

>What you should do is enable logging in 2.1.5 of outbound ICMP type 3

And how would one do that, exactly?