Kerio 2.1.5 vs. Kerio 4xx

One would think that keeping the firewall updated with the latest, greatest version would result in better protection. Yet there are people who continue using older firewall software.

I realize that a firewall is a firewall and the whole point is to monitor and grant or deny permission to communicate. It seems like there would really be no way to improve on such a simple concept. Either a program communicates or it doesn't, or it communicates wherever you say it can.

So with respect to firewall-specific demands, is there anything that KPF 4.x does that's better than 2.1.5? How important is the monitoring of applications and their attempts to launch other apps? I'm thinking about downgrading to 2.1.5 because while there were fewer features, the older version just seems much simpler to use.



Well, it buggers up my (otherwise pretty stable) Win98SE system much better! 2.1.5 was pathetic in this regard - I never even noticed it was there, except when someone tried to access my PC.

Very important, if you really want to screw things up and see lots of lovely blue screens!


Angus Rodgers

I like Kerio 2.1.5 much better than 4.1.x in general. However, 2.1.5 IS subject to the recently mentioned fragmented packet exploit. It seems that it lets fragmented packets through the firewall without logging or otherwise blocking them. If that's not a concern to you, then 2.1.5 would be the way to go. 4.1.x is still very buggy, with terrible logging and other problems; however, 4.1.x is not subject to the fragmented packet problem.

Tough choice..


That seems to be questionable. The fragmented packet exploit is verified for Kerio 4.0.0 through 4.1.1, but I haven't seen anything definitive about Kerio 2.x. Many people have interpreted the statement "affects Kerio 4.1.1 and prior" to mean all versions of Kerio, including 2.x, but it could also just mean prior Kerio 4.x builds. Considering how different Kerio 4.x is from Kerio 2.x, and considering how popular Kerio 2.1.5 is and how long it has been in use without this flaw showing up, I have my doubts. It needs to be tested, but I am not in a position to do so.
"Crash" Dummy

How about two computers across the internet? I have Kerio 2.1.5 installed on a W2K machine connected directly to a broadband modem, no router. I am also running a HTTP server behind the firewall. I can play victim for a prearranged attack. I will just need to know it's coming and what to look for so I can set up the system and the logs.

"Crash" Dummy

Maybe, but it's a fact.

I've tested 2.1.5 and it let through every fragmented packet I sent it. 4.1.1 doesn't seem to be vulnerable, at least not to this:

While Tiny 2.? and Kerio 2.1.5 fell to the first frag attack, 4.1.1 survived all 21 attacks available using fragrouter. ZoneAlarm free, Jetico and XP firewall SP2 were also tested but not found to be vulnerable.

I think the problem is that as Kerio haven't announced the vulnerability people are dubious.

So, who's up for testing? You will need a LAN with 3 computers. An attacker using any OS, a Linux machine to run fragrouter and a Windows machine to run Kerio. It's quite easy to do. Full instructions can be provided. Anyone?


Hassan I Sahba
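
What the fragrouter test above exercises, as an added worked example that is not code from this thread, from Kerio or from fragrouter: a pure-Python model of a packet filter that evaluates its port rule only on whole datagrams and waves every fragment through (the behaviour reported for 2.1.5), next to a filter that reassembles the fragments first and refuses overlapping ones. The addresses, the IP ID, the "deny inbound TCP/80" rule and the 8-byte fragment size are constructed for the example; the real test sends such fragments across a LAN rather than through in-process functions.

```python
import socket
import struct

TCP = 6
IP_MF = 0x2000        # "more fragments" flag
OFFSET_MASK = 0x1FFF  # fragment offset field, in 8-byte units
BLOCKED_PORTS = {80}  # assumed rule under test: inbound TCP/80 is denied

def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload, ident, frag_off=0, mf=False):
    """Option-less IPv4 datagram; frag_off is in 8-byte units as on the wire."""
    flags_frag = (IP_MF if mf else 0) | (frag_off & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(pkt):
    vihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"id": ident, "proto": proto, "mf": bool(ff & IP_MF), "offset": ff & OFFSET_MASK,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[(vihl & 0xF) * 4:total]}

def build_tcp_syn(sport, dport):
    # 20-byte TCP header, flags=SYN only; checksum left zero, it is not needed here
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def fragment(datagram, max_payload):
    """Split one datagram into fragments (non-final pieces must be multiples of 8 bytes)."""
    p = parse_ipv4(datagram)
    data, frags = p["payload"], []
    for off in range(0, len(data), max_payload):
        frags.append(build_ipv4(p["src"], p["dst"], p["proto"], data[off:off + max_payload],
                                p["id"], frag_off=off // 8, mf=off + max_payload < len(data)))
    return frags

def naive_filter(pkt):
    """Per-packet filter that only understands whole datagrams: the failure mode."""
    p = parse_ipv4(pkt)
    if p["mf"] or p["offset"]:
        return "pass"  # no transport header to match on, so the fragment is waved through
    if p["proto"] == TCP:
        return "drop" if struct.unpack("!H", p["payload"][2:4])[0] in BLOCKED_PORTS else "pass"
    return "pass"

class Reassembler:
    """Collect fragments per (src, dst, id, proto); return the whole datagram when complete."""
    def __init__(self):
        self.table = {}

    def add(self, pkt):
        p = parse_ipv4(pkt)
        key = (p["src"], p["dst"], p["id"], p["proto"])
        entry = self.table.setdefault(key, {"parts": {}, "total": None})
        start, end = p["offset"] * 8, p["offset"] * 8 + len(p["payload"])
        for off, part in entry["parts"].items():
            if start < off + len(part) and off < end:  # overlapping fragment: refuse the set
                del self.table[key]
                raise ValueError("overlapping fragment for %r" % (key,))
        entry["parts"][start] = p["payload"]
        if not p["mf"]:
            entry["total"] = end
        if entry["total"] is None:
            return None
        data = b""
        for off in sorted(entry["parts"]):
            if off != len(data):
                return None  # gap: still waiting for a piece
            data += entry["parts"][off]
        if len(data) != entry["total"]:
            return None
        del self.table[key]
        return build_ipv4(p["src"], p["dst"], p["proto"], data, p["id"])

def fragment_aware_filter(pkts):
    """Reassemble first, then apply the same port rule to the whole datagram."""
    reasm, verdicts = Reassembler(), []
    for pkt in pkts:
        try:
            whole = reasm.add(pkt)
        except ValueError:
            verdicts.append("drop")
            continue
        verdicts.append("hold" if whole is None else naive_filter(whole))
    return verdicts

def demo():
    # Constructed sample: a SYN to the blocked port, sent whole and then in 8-byte pieces.
    syn = build_ipv4("192.0.2.10", "192.0.2.20", TCP, build_tcp_syn(40000, 80), ident=0x1234)
    frags = fragment(syn, 8)
    return naive_filter(syn), [naive_filter(f) for f in frags], fragment_aware_filter(frags)
```

demo() returns ('drop', ['pass', 'pass', 'pass'], ['hold', 'hold', 'drop']): the naive filter drops the whole SYN but passes all three fragments of the very same packet, while the reassembling filter holds the first two and drops the third once the datagram is complete, in whatever order the pieces arrive. The overlap check is the reassembler's own guard against a later fragment rewriting the TCP header bytes of an earlier one; it refuses the whole set rather than picking a winner, which is the conservative choice for a host firewall.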

I think you're confusing 2 separate exploits. The original one I was referring to is the one that Hassan tested extensively a few weeks ago. This is also the one I originally brought up 8 or 9 months ago. Fragmented packets are able to get right through Kerio 2.1.5 and earlier, both TCP and UDP apparently.

The 2nd one is the one that affects Kerio 4.0-4.1.1. That's another problem altogether, just recently brought up in various forums and here I think...

At any rate, it appears from this thread that you guys are about to test it out, so good luck... :)

Kerodo