Home page logo

basics logo Security Basics mailing list archives

Re: Kerio Personal Firewall
From: flur <flur () flurnet org>
Date: Wed, 20 Nov 2002 04:05:36 -0500

This is more a technicality then a security problem but i forsee it causing problems. Adding rules requires a password, but allowing and denying individual connections does not.. I dont understand the logic. I've tested this on version 2.1.4.

KPF determines applications by path and filename, when applications are changed it notices the md5 checksum difference and reports it. Clicking yes gives your application permission to transmit to any ip and any port, because the admin probably created the rule using defaults. You can use the client component of KPF to view all applications listening and connected, src/dest ips & ports etc.

In conclusion, i'd like to recommend Kerio either remove the password protection altogether or fix the defaults to detect hosts, or at least port to restrict the potential damage and require a password to execute binaries with changed md5s (ideally the admin should be able to over-ride this check for certain binaries). Also make it ask for a password when connections are made where rules don't exist.

PS: Is this material worthy of bugtraq or a vendor report?

At 12:41 PM 11/18/2002 -0600, you wrote:
Hello list,
I am trying to configure Kerio Personal Firewall and this firewall
allows me to specify explicitly which service is allowed inbound/outbound
connection thru either TCP/UDP including the exact port numbers and IP range to
respond to.

My question is: Is there a software/utility that will tell me exactly which
service/application is currently listening on exactly which TCP/UDP port number?

"netstat -a" only lists the active listening ports but doesnt tell me which
service/application is listening on that port for incoming packets.

I would like to "lock down" the server as much as possible by specifying
exactly which port and service a connection is allowed. Thanks in advance.



____________________ __ _
~FluRDoInG                        flur () flurnet org
KEY ID 0x8C2C37C4 (pgp.mit.edu) RSA-CAST 2048/2048
1876 B762 F909 91EB 0C02  C06B 83FF E6C5 8C2C 37C4

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]