Kerio Personal Firewall Evaluation
INLS 187 Information Security
Kerio Personal Firewall 2

After doing some reading and online searching, I decided to install Kerio Personal Firewall on my laptop, which I sometimes open up as a server. Here are the basic specifications of the system I am going to work on for this assignment.

  • Toshiba Satellite 2405-S201
  • 1.6 GHz Intel Pentium 4
  • 256 MB SDRAM
  • 30 GB IDE hard disk
  • CD-RW and DVD-ROM
  • Windows XP Home Edition, Windows XP Professional Edition (Chinese), RedHat 8.0; connected through a cable modem, shared with another laptop and a desktop

I picked Kerio because it is free for home use and simple to use. KPF is designed by the same group that developed Tiny Personal Firewall, a popular firewall for home and small business security. KPF was developed later than TPF and was supposed to include improved security.


Installing and Experimenting With KPF

The installation of KPF is as straightforward as any other software installation we are familiar with. The user just needs to go to KPF's site (http://www.kerio.com/us/kerio.html), select the package that matches the operating system in use, and download it. Before starting to install KPF, beginners like me, who are new to firewalls, can also find an installation and configuration manual on the site. The following window pops up when KPF is first installed.

As soon as KPF was installed, I could clearly see the traffic coming in and going out between my system and the outside world. This was, by itself, a learning process for me and gave me a whole new view of my connection to the Internet. There are three security levels, from high (denying all activities), to medium (asking for permission for any activity), to low (allowing all activities), and since the default is medium, I was placed in a learning mode right away. At the very beginning, the process of identifying incoming traffic and deciding whether to allow or deny it can be bothersome for a beginner like me, especially with the "never-ending" prompt windows. But as rules were built up little by little, I was able to return to normal online activities without being asked to find out the sources of the traffic, while knowing that my system was being guarded.


Security Evaluation Criteria, Test Findings, and Recommendations

Since I am new to firewalls, the testing procedure was built upon my impression of some basic functions a firewall performs in guarding simple systems. So what I am concerned with here is: how does the firewall control incoming and outgoing traffic; can the administrator set up rules/filters for traffic; can the administration of this firewall be protected; are there logs for reviewing; and can this firewall update automatically.

Standard I. How does the firewall check and control traffic?

To put it simply, KPF does its guarding work by interacting with the user: it asks for permission for any kind of activity; it helps the user create filter rules based on the permission decisions made for single activities; and it allows advanced users to add filter rules by themselves.


As I mentioned before, there are basically three security levels in KPF: high, medium, and low. The following window shows how they are displayed and presented to the user.

When KPF is set at the high level, the firewall automatically denies all connections between the local system and the Internet that do not match the defined rules. At the low security level, the firewall allows all network activity, acting as if there were no firewall protection at all. KPF is set at the medium level by default, which means that every time there is a connection request, it asks the user for permission.

For outgoing requests, the firewall shows the IP address, and the domain name (if there is one), of the remote site my system is trying to connect to, and as the user I decide whether to allow this connection or not. It is the same for incoming requests, where the firewall shows the source of the request and waits for the user's decision. Sometimes the decision is simple to make, especially when I know where I am heading. But for some commercial sites, permitting the connection can be troublesome, because the connection to the one site I want is not actually a single connection. To open that site, I need to grant several permissions, including some for the ads on that page. Since I am quite new to all the different protocols, it is hard for me to distinguish them.

This can be even more confusing when an incoming request pops up. The following window records the traffic coming from a friend of mine, who tried to connect to one of my online folders through HTTP. I could easily identify it and allow the connection.

But sometimes there are incoming requests from unknown sources, which confuse me a lot. Some of them are from 152.2.***. I understand that this is from UNC, but I do not know the purpose of the request. I deny sometimes and permit at other times, not knowing exactly what is happening to my system.

It would be too troublesome if I had to check and grant permission every time I want to check my mail. Reasonably, KPF allows me to set up rules for particular sites based on the decision I make on a single request. The following windows show the setting-up steps:

On the same window that asks for permission, there is also a checkbox labelled "Create appropriate filter rule and don't ask me again". Checking this box leads me to another window that saves my setting for this site for future use, so that I no longer need to grant or deny permission for it. This is a very good learning process for me.

When the rule is created, it is reflected in a section called "Filter Rules", where users can review the firewall rules set on this system.

The above window captures the very first two rules, Messenger and Mozilla, that I set up when KPF was installed. The rules before them are default filter rules set by the firewall itself. By clicking the "Add" button at the bottom of this list of rules, more advanced users can set up rules completely by themselves.

Therefore, in terms of checking and controlling network activity, KPF satisfies the fundamental requirements, including asking for permission when connecting and assisting in creating filter rules.
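As an added illustration (not Kerio's code), the decision flow described in this section can be modelled as: a matching filter rule always decides; otherwise the security level decides (high denies, low allows, medium asks); and the "create appropriate filter rule and don't ask me again" checkbox appends a rule. The rule fields and the assumption that a learned rule is scoped to the single remote host (a /32) and port are mine, chosen so that the next unknown host still prompts rather than being silently allowed:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical model of KPF's decision flow (added illustration, not Kerio code).
HIGH, MEDIUM, LOW = "high", "medium", "low"


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (incoming request) or "out" (outgoing request)
    protocol: str           # "TCP" or "UDP"
    remote: str             # remote network in CIDR form; "0.0.0.0/0" = any host
    port: Optional[int]     # local port for "in", remote port for "out"; None = any
    action: str             # "allow" or "deny"
    name: str = ""          # label shown in the Filter Rules list

    def matches(self, conn: dict) -> bool:
        return (self.direction == conn["direction"]
                and self.protocol == conn["protocol"]
                and ip_address(conn["remote_ip"]) in ip_network(self.remote)
                and (self.port is None or self.port == conn["port"]))


@dataclass
class Firewall:
    level: str = MEDIUM                        # KPF's default level
    rules: list = field(default_factory=list)  # ordered; first match wins

    def decide(self, conn: dict, answer: Optional[str] = None,
               remember: bool = False) -> str:
        """Return 'allow', 'deny' or 'ask' for one connection request.
        `answer` is the user's reply to the medium-level prompt; `remember`
        is the "don't ask me again" checkbox, which (assumption) stores a
        rule limited to this one remote host and port."""
        for rule in self.rules:
            if rule.matches(conn):
                return rule.action
        if self.level == LOW:
            return "allow"
        if self.level == HIGH:
            return "deny"
        if answer is None:
            return "ask"
        if remember:
            self.rules.append(Rule(conn["direction"], conn["protocol"],
                                   conn["remote_ip"] + "/32", conn["port"],
                                   answer, name=conn.get("app", "")))
        return answer
```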



Standard II. Does the firewall have a function to authorize administrative actions?


To ensure full security, we not only need to run the firewall, but also need to make sure that only authorized persons can access its configuration. KPF has an Authentication section that fulfills this task.

On the Authentication tab, I enabled authentication for administration. This means a password will be required for any administrative action taken. Here we can also choose to administer KPF either on the local computer (localhost) or from a remote site (remote computer). By choosing localhost, I made sure that only people physically sitting in front of my computer can administer this program.


Standard III. Does the firewall allow logging configuration?

The answer to this question is yes. I have full control over what is logged and where the file is stored, and I can set a password for reviewing the log file. Basic log settings are made in the Firewall Configuration window, on the Miscellaneous tab, in the Firewall Logging section.

The filter.log file is used for logging Kerio Personal Firewall actions on the local computer. It is created in the directory where Personal Firewall is installed; in my case, that is D:\ProgramFiles\Kerio\Personal Firewall. The file is created upon the first record. Filter.log is a text file in which each record is placed on a new line. It basically looks like this:

Generally, I think Kerio Personal Firewall could be a good start for building up home security, with its learning mode for setting up filter rules and its simple user interface. At the same time, it provides sufficient protection for a simple home computing system, as far as I can tell.
