
Huge security hole in Kerio 2.1.5
I've just been told that Kerio 2.1.5, which was considered to be the
(or one of the) best choice, doesn't "see" (and doesn't intercept...)
fragmented packets, and thus wouldn't be effective against an attack
based on fragmented packets (see below)
In these conditions, which FW can be suggested, which would be
simultaneously
- free
- parameterizable
- controlling both IN and OUT (thus, not Win WP FW...)
- efficient (thus, not kerio 2.1.5...)
Thanks for advice
About the Kerio issue, this is the very simple test I've been suggested to
do... and whose result is a little bit frightening:
- Create a Kerio rule denying all input ICMP (answers to ping requests),
and put this rule in 1st position
- ping whoever_you_want: no answer. OK.
- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
parameter, setting a packet size above the MTU, obliges ping to fragment)
Even more serious: don't even add any rule, but from the systray icon
choose "Stop traffic" (or something like that; my own Kerio is
in French, and I don't know the exact label in English)
Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
does...
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
Laurent <Laurent.Grenet.Enlevez-Ca [at] Voila.fr> wrote in
news:mn.2c427d530aaf6707.2067 [at] Voila.fr:
> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choice, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
>
> In these conditions, which FW can be suggested, which would be
> simultaneously
> - free
> - parameterizable
> - controlling both IN and OUT (thus, not Win WP FW...)
> - efficient (thus, not kerio 2.1.5...)
>
> Thanks for advice
I'll assume WIN WP FW means Win XP FW.
You can *supplement* Kerio with IPsec.
http://tinyurl.com/48k3m
IPsec can stop inbound and outbound traffic by port, protocol or IP to
*supplement* Kerio.
http://www.analogx.com/contents/articles/ipsec.htm
With the AnalogX IPsec rules implemented, IPsec can be used to *supplement*
Kerio.
Duane :)
Re: Huge security hole in Kerio 2.1.5
Laurent wrote:
> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choice, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
All "software firewalls" for home users are toys, that is all there is to
it. All of them are (marginally) better than nothing, and all have their
good and bad points.
If you switched from Kerio to (for example) Zone Alarm on Sunday, there is
no guarantee that someone wouldn't find a far worse hole in Zone Alarm on
Monday. Rather than flapping about wanting to switch straight away, you
could see how responsive the people behind Kerio are to this problem and
make your choice based on that.
--
Rob Moir
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
Kazaa - Software update services for your Viruses and Spyware.
Re: Huge security hole in Kerio 2.1.5
On Sat, 05 Mar 2005 18:10:26 +0100, Laurent wrote:
> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choice, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
>
> In these conditions, which FW can be suggested, which would be
> simultaneously
> - free
> - parameterizable
> - controlling both IN and OUT (thus, not Win WP FW...)
> - efficient (thus, not kerio 2.1.5...)
>
> Thanks for advice
You might try Kerio 4.x, which doesn't suffer from the fragmented packet
problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
its own problems... I don't know of any software firewall that doesn't
though... :)
--
Kerodo
Re: Huge security hole in Kerio 2.1.5
Laurent <Laurent.Grenet.Enlevez-Ca [at] Voila.fr> wrote in
news:mn.2c427d530aaf6707.2067 [at] Voila.fr:
> I've just been told that Kerio 2.1.5, which was considered to be the
> (or one of the) best choice, doesn't "see" (and doesn't intercept...)
> fragmented packets, and thus wouldn't be effective against an attack
> based on fragmented packets (see below)
>
> In these conditions, which FW can be suggested, which would be
> simultaneously
> - free
> - parameterizable
> - controlling both IN and OUT (thus, not Win WP FW...)
> - efficient (thus, not kerio 2.1.5...)
>
> Thanks for advice
>
> About the Kerio issue, this is the very simple test I've been suggested to
> do... and whose result is a little bit frightening:
> - Create a Kerio rule denying all input ICMP (answers to ping requests),
> and put this rule in 1st position
> - ping whoever_you_want: no answer. OK.
> - ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
> parameter, setting a packet size above the MTU, obliges ping to fragment)
>
> Even more serious: don't even add any rule, but from the systray icon
> choose "Stop traffic" (or something like that; my own Kerio is
> in French, and I don't know the exact label in English)
> Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
> does...
>
I would hardly call this a "huge" issue. 2 members of this group tried to
exploit it, and could not, even working together. The only time I know of
that it has been exploited successfully was under lab conditions.
Re: Huge security hole in Kerio 2.1.5
Bart Bailey wrote on 06/03/2005:
> Also do you know where I might be able to test my config for this
> fragpacket vulnerability? some probe site maybe?
You can run the test I describe in the first post of this thread.
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey wrote:
> In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg [at] 40tude.net> posted on
> Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>
>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>its own problems... I don't know of any software firewall that doesn't
>>though... :)
>
> Your tone suggests that you know of some problems with EZ Firewall
> better known as the repackaged ZA from Computer Associates.
> Also do you know where I might be able to test my config for this
> fragpacket vulnerability? some probe site maybe?
Sorry, I don't know of any site that can test for it. It's not a config
issue, but a Kerio problem. A site could send you fragmented packets, but
how would it ever know if they went thru your firewall or not? Kerio would
block any response as it should, so as far as a remote site knows,
everything is fine.
It's unlikely that anyone would be able to take advantage of the
vulnerability in any meaningful way. I honestly wouldn't worry about it
much..
--
Kerodo
Re: Huge security hole in Kerio 2.1.5
On Sat, 05 Mar 2005 18:10:26 +0100, Laurent
<Laurent.Grenet.Enlevez-Ca [at] Voila.fr> wrote:
>I've just been told that Kerio 2.1.5, which was considered to be the
>(or one of the) best choice, doesn't "see" (and doesn't intercept...)
>fragmented packets, and thus wouldn't be effective against an attack
>based on fragmented packets (see below)
>
>In these conditions, which FW can be suggested, which would be
>simultaneously
>- free
>- parameterizable
>- controlling both IN and OUT (thus, not Win WP FW...)
>- efficient (thus, not kerio 2.1.5...)
>
>Thanks for advice
>
>About the Kerio issue, this is the very simple test I've been suggested to
>do... and whose result is a little bit frightening:
>- Create a Kerio rule denying all input ICMP (answers to ping requests),
>and put this rule in 1st position
>- ping whoever_you_want: no answer. OK.
>- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
>parameter, setting a packet size above the MTU, obliges ping to fragment)
>
>Even more serious: don't even add any rule, but from the systray icon
>choose "Stop traffic" (or something like that; my own Kerio is
>in French, and I don't know the exact label in English)
>Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
>does...
Many Kerio users don't seem to care.
Kerio doesn't care.
Using something else seems the best advice.
HiS
Re: Huge security hole in Kerio 2.1.5
On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
<robspamtrap+msnews [at] gmail.com> wrote:
>Laurent wrote:
>> I've just been told that Kerio 2.1.5, which was considered to be the
>> (or one of the) best choice, doesn't "see" (and doesn't intercept...)
>> fragmented packets, and thus wouldn't be effective against an attack
>> based on fragmented packets (see below)
>
>All "software firewalls" for home users are toys, that is all there is to
>it. All of them are (marginally) better than nothing, and all have their
>good and bad points.
>
>If you switched from Kerio to (for example) Zone Alarm on Sunday, there is
>no guarantee that someone wouldn't find a far worse hole in Zone Alarm on
>Monday. Rather than flapping about wanting to switch straight away,
When you see packets go through a firewall you put your trust in, a
bit of flapping about is allowed :)
>you could see how responsive the people behind Kerio are to this problem and
>make your choice based on that.
>
>--
They don't seem to care :(
HiS
Re: Huge security hole in Kerio 2.1.5
On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey <me2 [at] privacy.net>
wrote:
>In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg [at] 40tude.net> posted on
>Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>
>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>its own problems... I don't know of any software firewall that doesn't
>>though... :)
>
>Your tone suggests that you know of some problems with EZ Firewall
>better known as the repackaged ZA from Computer Associates.
>Also do you know where I might be able to test my config for this
>fragpacket vulnerability? some probe site maybe?
I checked ZA (can't remember which version) and it wasn't vulnerable.
HiS
Re: Huge security hole in Kerio 2.1.5
On Sun, 6 Mar 2005 04:05:53 -0800, Kerodo <loopback [at] localhost.com>
wrote:
>On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey wrote:
>
>> In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg [at] 40tude.net> posted on
>> Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>>
>>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>>its own problems... I don't know of any software firewall that doesn't
>>>though... :)
>>
>> Your tone suggests that you know of some problems with EZ Firewall
>> better known as the repackaged ZA from Computer Associates.
>> Also do you know where I might be able to test my config for this
>> fragpacket vulnerability? some probe site maybe?
>
>Sorry, I don't know of any site that can test for it. It's not a config
>issue, but a Kerio problem. A site could send you fragmented packets, but
>how would it ever know if they went thru your firewall or not? Kerio would
>block any response as it should, so as far as a remote site knows,
>everything is fine.
>
>It's unlikely that anyone would be able to take advantage of the
>vulnerability in any meaningful way. I honestly wouldn't worry about it
>much..
Hello Kerodo,
I thought you were one of the people that understood the problem.
Kerio is used to block access to services on a computer. If an
attacker routes his packets through fragrouter the attacker has access
to those services. It's that simple.
HiS
Re: Huge security hole in Kerio 2.1.5
On 6 Mar 2005 06:59:07 GMT, elaich <a [at] b.c> wrote:
<snip>
>
>I would hardly call this a "huge" issue. 2 members of this group tried to
>exploit it, and could not, even working together. The only time I know of
>that it has been exploited successfully was under lab conditions.
Someone offered their computer as a target and I declined the offer.
HiS
Re: Huge security hole in Kerio 2.1.5
Hassan I Sahba wrote on 06/03/2005:
> When you see packets go through a firewall you put your trust in, a
> bit of flapping about is allowed :)
Yes, it's exactly my feeling...
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
Hassan I Sahba wrote on 06/03/2005:
> Many Kerio users don't seem to care.
> Kerio doesn't care.
> Using something else seems the best advice.
Yes, but *what* else was my question...
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
Kerodo wrote on 06/03/2005:
> It's unlikely that anyone would be able to take advantage of the
> vulnerability in any meaningful way. I honestly wouldn't worry about it
> much..
I would like to be as confident as you...
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
Hassan I Sahba <me [at] privacy.net> wrote in
news:j4vl215952bbilic5rvkg20fufhspsaqll [at] 4ax.com:
> On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
> <robspamtrap+msnews [at] gmail.com> wrote:
>
>>Laurent wrote:
>>> I've just been told that Kerio 2.1.5, which was considered to be the
>>> (or one of the) best choice, doesn't "see" (and doesn't
>>> intercept...) fragmented packets, and thus wouldn't be effective
>>> against an attack based on fragmented packets (see below)
>>
>>All "software firewalls" for home users are toys, that is all there is
>>to it. All of them are (marginally) better than nothing, and all have
>>their good and bad points.
>>
>>If you switched from Kerio to (for example) Zone Alarm on Sunday,
>>there is no guarantee that someone wouldn't find a far worse hole in
>>Zone Alarm on Monday. Rather than flapping about wanting to switch
>>straight away,
>
> When you see packets go through a firewall you put your trust in, a
> bit of flapping about is allowed :)
>
>>you could see how responsive the people behind Kerio are to this
>>problem and make your choice based on that.
>>
>>--
>
> They don't seem to care :(
>
Why should the vendor care about outdated software they no longer support?
Duane :)
Re: Huge security hole in Kerio 2.1.5
On Sun, 06 Mar 2005 16:01:39 +0100, Laurent
<Laurent.Grenet.Enlevez-Ca [at] Voila.fr> wrote:
>Hassan I Sahba wrote on 06/03/2005:
>> Many Kerio users don't seem to care.
>> Kerio doesn't care.
>> Using something else seems the best advice.
>
>Yes, but *what* else was my question...
Firstly, I'd say a router. Then something like Astaro, Smoothwall or
Monowall. If that's too much bother then whatever PF you prefer.
HiS
Re: Huge security hole in Kerio 2.1.5
On Sun, 06 Mar 2005 18:50:15 GMT, Duane Arnold <notme [at] notme.com>
wrote:
>Hassan I Sahba <me [at] privacy.net> wrote in
>news:j4vl215952bbilic5rvkg20fufhspsaqll [at] 4ax.com:
>
>> On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
>> <robspamtrap+msnews [at] gmail.com> wrote:
>>
>>>Laurent wrote:
>>>> I've just been told that Kerio 2.1.5, which was considered to be the
>>>> (or one of the) best choice, doesn't "see" (and doesn't
>>>> intercept...) fragmented packets, and thus wouldn't be effective
>>>> against an attack based on fragmented packets (see below)
>>>
>>>All "software firewalls" for home users are toys, that is all there is
>>>to it. All of them are (marginally) better than nothing, and all have
>>>their good and bad points.
>>>
>>>If you switched from Kerio to (for example) Zone Alarm on Sunday,
>>>there is no guarantee that someone wouldn't find a far worse hole in
>>>Zone Alarm on Monday. Rather than flapping about wanting to switch
>>>straight away,
>>
>> When you see packets go through a firewall you put your trust in, a
>> bit of flapping about is allowed :)
>>
>>>you could see how responsive the people behind Kerio are to this
>>>problem and make your choice based on that.
>>>
>>>--
>>
>> They don't seem to care :(
>>
>
>Why should the vendor care about outdated software they no longer support?
>
>Duane :)
I'd have thought that was obvious Duane. They have/had a security
reputation to think about.
HiS
Re: Huge security hole in Kerio 2.1.5
Hassan I Sahba <me [at] privacy.net> wrote in
news:4iqm215aknr8gne3tjp1ebdi3ecsdhd52i [at] 4ax.com:
> On Sun, 06 Mar 2005 18:50:15 GMT, Duane Arnold <notme [at] notme.com>
> wrote:
>
>>Hassan I Sahba <me [at] privacy.net> wrote in
>>news:j4vl215952bbilic5rvkg20fufhspsaqll [at] 4ax.com:
>>
>>> On Sat, 5 Mar 2005 23:18:47 -0000, "Robert Moir"
>>> <robspamtrap+msnews [at] gmail.com> wrote:
>>>
>>>>Laurent wrote:
>>>>> I've just been told that Kerio 2.1.5, which was considered to be
>>>>> the (or one of the) best choice, doesn't "see" (and doesn't
>>>>> intercept...) fragmented packets, and thus wouldn't be effective
>>>>> against an attack based on fragmented packets (see below)
>>>>
>>>>All "software firewalls" for home users are toys, that is all there
>>>>is to it. All of them are (marginally) better than nothing, and all
>>>>have their good and bad points.
>>>>
>>>>If you switched from Kerio to (for example) Zone Alarm on Sunday,
>>>>there is no guarantee that someone wouldn't find a far worse hole in
>>>>Zone Alarm on Monday. Rather than flapping about wanting to switch
>>>>straight away,
>>>
>>> When you see packets go through a firewall you put your trust in, a
>>> bit of flapping about is allowed :)
>>>
>>>>you could see how responsive the people behind Kerio are to this
>>>>problem and make your choice based on that.
>>>>
>>>>--
>>>
>>> They don't seem to care :(
>>>
>>
>>Why should the vendor care about outdated software they no longer
>>support?
>>
>>Duane :)
>
> I'd have thought that was obvious Duane. They have/had a security
> reputation to think about.
>
> HiS
>
And what did the vendor tell you about what they were going to do about
the situation? I think they indicated that the product was not being
supported and they were NOT going to do anything about it. The vendor
doesn't care about it. And I don't think it's going to hurt their
reputation about a product they no longer support one bit. In other
words, it's a *moot* point. The vendor has moved on to a new product they
are now supporting and Kerio 2.1.5 is *dead* as far as the vendor is
concerned.
Duane :)
Re: Huge security hole in Kerio 2.1.5
Bart Bailey wrote on 06/03/2005:
> In Message-ID:<mn.32a47d535e4a7abd.2067 [at] Voila.fr> posted on Sun, 06 Mar
> 2005 11:16:31 +0100, Laurent wrote: Begin
>
>> Bart Bailey wrote on 06/03/2005:
>>> Also do you know where I might be able to test my config for this
>>> fragpacket vulnerability? some probe site maybe?
>>
>> You can run the test I describe in the first post of this thread.
>
> Seems to have disappeared from my spool, but I think it involved me
> having to do some deliberate crippling action to my config in order to
> create a non-standard config. If that's the case, I have no worries,
> thanks.
Here is the very simple test:
About the Kerio issue, this is the very simple test I've been suggested to
do... and whose result is a little bit frightening:
- Create a Kerio rule denying all input ICMP (answers to ping requests),
and put this rule in 1st position
- ping whoever_you_want: no answer. OK.
- ping -l 5000 whoever_you_want: damn, you get an answer! (the -l
parameter, setting a packet size above the MTU, obliges ping to fragment)
Even more serious: don't even add any rule, but from the systray icon
choose "Stop traffic" (or something like that; my own Kerio is
in French, and I don't know the exact label in English)
Even in this case, a "simple" ping doesn't work, but a "fragmented" ping
does...
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
On Sun, 06 Mar 2005 21:34:06 GMT, Duane Arnold <notme [at] notme.com>
wrote:
<snip>
>And what did the vendor tell you about what they were going to do about
>the situation? I think they indicated that the product was not being
>supported and they were NOT going to do anything about it. The vendor
>doesn't care about it.
Exactly. Why can't they tell people to stop using it? Because that
would mean admitting it was vulnerable for years? People are
forgetting this is a 6-year-old vulnerability. It wasn't fixed, fair
enough, it was free. It wasn't announced, not good enough.
> And I don't think it's going to hurt their reputation about a product they no
>longer support one bit.
Too late.
> In other words, it's a *moot* point. The vendor has moved on to a new
> product they are now supporting and Kerio 2.1.5 is *dead* as far as the
> vendor is concerned.
>
>Duane :)
HiS
Re: Huge security hole in Kerio 2.1.5
Just for records, does Kerio let fragmented TCP packets pass as well as
fragmented ICMP?
"Hassan I Sahba" <me [at] privacy.net> wrote in message
news:gp2n21d89khehfdtloiq94cmrrt2580343 [at] 4ax.com...
> On Sun, 06 Mar 2005 21:34:06 GMT, Duane Arnold <notme [at] notme.com>
> wrote:
> <snip>
>
> >And what did the vendor tell you about what they were going to do about
> >the situation? I think they indicated that the product was not being
> >supported and they were NOT going to do anything about it. The vendor
> >doesn't care about it.
>
> Exactly. Why can't they tell people to stop using it? Because that
> would mean admitting it was vulnerable for years? People are
> forgetting this is a 6-year-old vulnerability. It wasn't fixed, fair
> enough, it was free. It wasn't announced, not good enough.
>
> > And I don't think it's going to hurt their reputation about a product
> > they no longer support one bit.
>
> Too late.
>
> > In other words, it's a *moot* point. The vendor has moved on to a new
> > product they are now supporting and Kerio 2.1.5 is *dead* as far as the
> > vendor is concerned.
> >
> >Duane :)
>
> HiS
Re: Huge security hole in Kerio 2.1.5
On Sun, 06 Mar 2005 13:01:52 +0000, Hassan I Sahba wrote:
> On Sun, 6 Mar 2005 04:05:53 -0800, Kerodo <loopback [at] localhost.com>
> wrote:
>
>>On Sat, 05 Mar 2005 22:33:28 -0800, Bart Bailey wrote:
>>
>>> In Message-ID:<1kq5lb1cf8y2u.13llr6r6rtjvs.dlg [at] 40tude.net> posted on
>>> Sat, 5 Mar 2005 21:12:12 -0800, Kerodo wrote: Begin
>>>
>>>>You might try Kerio 4.x, which doesn't suffer from the fragmented packet
>>>>problem and can import Kerio 2.x rules. Be aware though that Kerio 4.x has
>>>>its own problems... I don't know of any software firewall that doesn't
>>>>though... :)
>>>
>>> Your tone suggests that you know of some problems with EZ Firewall
>>> better known as the repackaged ZA from Computer Associates.
>>> Also do you know where I might be able to test my config for this
>>> fragpacket vulnerability? some probe site maybe?
>>
>>Sorry, I don't know of any site that can test for it. It's not a config
>>issue, but a Kerio problem. A site could send you fragmented packets, but
>>how would it ever know if they went thru your firewall or not? Kerio would
>>block any response as it should, so as far as a remote site knows,
>>everything is fine.
>>
>>It's unlikely that anyone would be able to take advantage of the
>>vulnerability in any meaningful way. I honestly wouldn't worry about it
>>much..
>
> Hello Kerodo,
> I thought you were one of the people that understood the problem.
> Kerio is used to block access to services on a computer. If an
> attacker routes his packets through fragrouter the attacker has access
> to those services. It's that simple.
I talked about it on several forums and after a lot of consideration most
folks came to the conclusion (and convinced me also) that it's harmless.
What possible harm can come if my machine allows a few packets in? There's
no response outbound because Kerio blocks it effectively, so there can be
no concurrent connection of any kind. Even if I got a fragmented packet to
a listening port, and it got thru, what would that program do with it?
Probably nothing.. And to top it off, someone would have to know you're
running Kerio and specifically target your machine with fragmented packets
and how likely is that to happen to the ordinary Joe out there? What's
somebody gonna do, bombard me with a million fragmented packets?
Psychologically, it's irritating that Kerio has that problem, but
realistically, it's probably meaningless.
--
Kerodo
Re: Huge security hole in Kerio 2.1.5
> no concurrent connection of any kind. Even if I got a fragmented packet to
> a listening port, and it got thru, what would that program do with it?
> Probably nothing.. And to top it off, someone would have to know you're
You are aware that many worms did exploit network vulnerabilities in
Windows services? Some services were taken over just by a single simple
UDP packet exploiting a buffer overflow. These vulnerabilities have been
patched by Microsoft but you don't know what is still to come. I would
say if a firewall can be tricked just by fragmenting packets (which the
sender can easily do) what is this firewall worth?
Gerald
Re: Huge security hole in Kerio 2.1.5
On Mon, 07 Mar 2005 18:10:51 +0900, Gerald Vogt wrote:
>> no concurrent connection of any kind. Even if I got a fragmented packet to
>> a listening port, and it got thru, what would that program do with it?
>> Probably nothing.. And to top it off, someone would have to know you're
>
> You are aware that many worms did exploit network vulnerabilities in
> Windows services? Some services were taken over just by a single simple
> UDP packet exploiting a buffer overflow. These vulnerabilities have been
> patched by Microsoft but you don't know what is still to come. I would
> say if a firewall can be tricked just by fragmenting packets (which the
> sender can easily do) what is this firewall worth?
>
> Gerald
I didn't know that a single UDP packet could do anything.. IF that's the
case then yes, I guess it might be a problem.
My solution was to just not run Kerio 2 anymore. I've moved on to better
things..
Thanks for the info though. That's interesting..
--
Kerodo
Re: Huge security hole in Kerio 2.1.5
S. Pidgorny <MVP> wrote on 07/03/2005:
> Just for records, does Kerio let fragmented TCP packets pass as well as
> fragmented ICMP?
I'm not able to run such a test on my own.
According to what I've read on this forum, the answer is YES.
It is suggested to use fragroute to do the test, but unfortunately, my
skills aren't enough to do such a test.
But actually, you're right. Your question is the most important !
--
Laurent GRENET
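The ping -l test described in the first post of the thread and the question just above about fragmented TCP can both be reasoned through offline. What follows is an added example, not code from the thread and not Kerio's own code: a Python model of two packet filters fed the same fragmented datagrams. The naive one evaluates its rules only on unfragmented packets, which is the behaviour the thread reports for Kerio 2.1.5; the other evaluates the rules on the first fragment (the only piece carrying the ICMP or TCP header), binds every later fragment of the same datagram to that verdict, and refuses first fragments too short to hold a transport header (the tiny-fragment case of RFC 1858). The addresses, ports, the 0x1234 IP ID, the extra "deny TCP to 445" rule and the 1500-byte MTU are made-up values. On Windows, ping -l sets the data size in bytes, so -l 5000 makes both request and reply exceed a 1500-byte MTU; the reply then arrives as four inbound fragments, which is what the deny-inbound-ICMP rule was supposed to stop.

```python
"""Two IPv4 packet filters fed the same fragmented datagrams: one that never
evaluates fragments (the behaviour reported for Kerio 2.1.5) and one that
handles them. Added example; header layouts follow RFC 791/792/793/768,
everything else (addresses, ports, IP ID, MTU, rules) is made up."""
import struct

IP_PROTO_ICMP, IP_PROTO_TCP, IP_PROTO_UDP = 1, 6, 17
MF_FLAG = 0x2000             # "more fragments" bit in the flags/offset field
IP_HDR = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def build_ipv4(src, dst, proto, payload, ident, offset_units=0, more=False):
    """Minimal IPv4 datagram; checksum left zero since nothing verifies it here."""
    flags_offset = (MF_FLAG if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_offset,
                      64, proto, 0, src, dst)
    return hdr + payload


def fragment(src, dst, proto, payload, ident, mtu):
    """Split one datagram into MTU-sized fragments, as a sending stack or fragroute would."""
    chunk = (mtu - 20) // 8 * 8   # fragment data is counted in 8-byte units
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(build_ipv4(src, dst, proto, part, ident, off // 8, more))
    return frags


def parse(pkt):
    """Return (src, dst, proto, ident, offset_units, more_fragments, payload)."""
    _, _, _, ident, fo, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    return src, dst, proto, ident, fo & 0x1FFF, bool(fo & MF_FLAG), pkt[20:]


def rule_matches(rule, proto, payload):
    """A rule is a protocol number plus an optional TCP/UDP destination port."""
    if rule["proto"] != proto:
        return False
    if "dport" not in rule:
        return True
    if len(payload) < 4:          # no transport header in this piece of the datagram
        return False
    return struct.unpack("!HH", payload[:4])[1] == rule["dport"]


def naive_filter(rules, pkt):
    """Evaluates rules only on unfragmented packets; any fragment goes straight through."""
    _, _, proto, _, offset, more, payload = parse(pkt)
    if offset != 0 or more:
        return "pass"
    return "drop" if any(rule_matches(r, proto, payload) for r in rules) else "pass"


class FragmentAwareFilter:
    """Judges the first fragment (the one with the transport header) and binds the
    rest of the datagram to that verdict; fragments whose first piece was never
    seen, and first fragments too small to inspect, are dropped."""

    def __init__(self, rules, min_first_fragment=8):
        self.rules = rules
        self.min_first = min_first_fragment   # RFC 1858 lower bound for a first fragment
        self.verdicts = {}                    # (src, dst, proto, id) -> verdict

    def decide(self, pkt):
        src, dst, proto, ident, offset, more, payload = parse(pkt)
        key = (src, dst, proto, ident)
        if offset != 0:                       # non-first fragment: inherit, or drop if unknown
            return self.verdicts.get(key, "drop")
        if more and len(payload) < self.min_first:
            verdict = "drop"
        else:
            verdict = "drop" if any(rule_matches(r, proto, payload) for r in self.rules) else "pass"
        if more:
            self.verdicts[key] = verdict
        return verdict


def run_scenario(mtu=1500):
    """Replay the thread's ping test plus a fragmented SYN and a fragmented UDP datagram."""
    rules = [{"proto": IP_PROTO_ICMP},                  # "deny all input ICMP"
             {"proto": IP_PROTO_TCP, "dport": 445}]    # hypothetical extra rule
    attacker, victim = bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10])
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 445, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    samples = {
        # ICMP echo reply with 5000 data bytes: what "ping -l 5000" gets back
        "icmp": (IP_PROTO_ICMP, struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"A" * 5000),
        # TCP SYN to 445, padded past the MTU so it has to be fragmented
        "tcp445": (IP_PROTO_TCP, tcp_syn + b"\x00" * 2000),
        # UDP datagram to 53 that no rule covers: must still get through
        "udp": (IP_PROTO_UDP, struct.pack("!HHHH", 40000, 53, 3008, 0) + b"\x00" * 3000),
    }
    results = {}
    for name, (proto, data) in samples.items():
        whole = build_ipv4(attacker, victim, proto, data, 0x1234)
        frags = fragment(attacker, victim, proto, data, 0x1234, mtu)
        aware = FragmentAwareFilter(rules)
        results[name] = {
            "naive_unfragmented": naive_filter(rules, whole),
            "naive_fragmented": [naive_filter(rules, f) for f in frags],
            "aware_fragmented": [aware.decide(f) for f in frags],
        }
    return results


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

Run it and the naive filter drops the unfragmented echo reply and the unfragmented SYN to 445 but passes every fragment of both, which is the pattern the ping test exposes; the fragment-aware filter drops all of them while still passing the fragmented UDP datagram that no rule covers, and drops a stray non-first fragment whose first piece it never saw. fragroute does on a real network what fragment() does here, so a filter that never looks at fragments protects nothing an attacker chooses to fragment, TCP included.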
Re: Huge security hole in Kerio 2.1.5
On Mon, 07 Mar 2005 18:10:51 +0900, Gerald Vogt wrote:
>> no concurrent connection of any kind. Even if I got a fragmented packet to
>> a listening port, and it got thru, what would that program do with it?
>> Probably nothing.. And to top it off, someone would have to know you're
>
> You are aware that many worms did exploit network vulnerabilities in
> Windows services? Some services were taken over just by a single simple
> UDP packet exploiting a buffer overflow. These vulnerabilities have been
> patched by Microsoft but you don't know what is still to come. I would
> say if a firewall can be tricked just by fragmenting packets (which the
> sender can easily do) what is this firewall worth?
>
> Gerald
Gerald, just for the sake of argument, what are the odds of this actually
happening though? They wouldn't be able to scan your ports to see what's
open, and they'd have to specifically target your machine for some reason,
out of all the machines out there. Why would anyone send a UDP packet to
my machine, especially if they couldn't see the result of their evil
doings?
--
Kerodo
Re: Huge security hole in Kerio 2.1.5
Bart Bailey wrote on 07/03/2005:
> OK, thanks for re-posting, it looks like a fault that's Kerio coding
> specific, and not a general vulnerability to the way Kerio or perhaps
> other firewalls handle fragmented packet arrival.
I'm not talking about FW in a general way.
But, for Kerio 2.1.5, it seems to be a big vulnerability !
--
Laurent GRENET
Re: Huge security hole in Kerio 2.1.5
Kerodo wrote on 07/03/2005:
> My solution was to just not run Kerio 2 anymore. I've moved on to better
> things..
Which one, please ?
--
Laurent GRENET