Next-generation firewall for small and medium-sized businesses
Kerio Control is a purpose-built appliance and software that covers the key areas of SMB security. It’s easy to use, requiring only minimal IT knowledge. Best of all, it’s priced for the SMB, putting fundamental protection in the hands of every company.
All-in-one next-generation firewall and UTM
Detect threats, block viruses, control traffic and more
According to Verizon, over 40% of cyber attacks target small and medium businesses. Over 20% of those hacked companies had to stop operations, incurring a significant loss of revenue.
Security is a business essential among the technologies you need to be successful. It’s as important to your ongoing success as financial applications, communications and collaboration, and marketing and outreach.
Why do SMBs neglect this business essential? Many SMBs don’t have dedicated security or IT departments. The single IT person in a company may be overwhelmed, and there are simply not enough hours in the day to manage complicated security tools. Secondly, IT security is expensive. While you can’t operate without email or accounting, if money is scarce it is tempting to leave your Internet doors wide open and hope nobody comes in. Unfortunately, this approach can end your business.
Kerio Control offers four key areas of security to cover SMB organizations. It is a firewall that connects you to the Internet, letting you control what traffic is enabled or blocked. It is an intrusion protection service, monitoring traffic for threats and delivering antivirus. It delivers content filtering, letting you monitor the Internet sites people visit for security issues and to manage your bandwidth. And it offers a virtual private network, or VPN, for your organization, made even more secure with difficult-to-hack features, so remote workers can be protected and operate as if they’re inside your firewall. With these four areas covered, Kerio Control secures your SMB from the vast majority of malicious hacking attempts.
Better still, Kerio Control is easy to deploy. The Starter appliance can be plugged in and have basic policies running in less than 30 minutes. Because it offers all security benefits in a single product, you don’t have to research and buy separate applications.
Kerio Control is value-priced, understanding the pressures SMBs face as they start and grow. It protects you from malicious attacks, while not bloating the application with unnecessary features.
Kerio Control Feature Summary
Your Router + Firewall for secure Internet connection
- Configure your firewall with easy-to-use traffic rules, controlling in- and outbound communications by URL, application, traffic type and more
- Intrusion detection and prevention using the Snort system constantly monitors inbound and outbound network communications for suspicious activity. Log or block the communications depending on the severity.
- Prevent viruses, worms, Trojans and spyware from entering your network. KerioControl goes beyond just checking files for malicious code; it scans your network traffic for potential attacks
Easy to deploy and manage
- KerioControl may be deployed as a software appliance, a virtual machine, or a hardware appliance with three options: NG110 (perfect for small businesses, remote and home offices); NG310 (the choice for small businesses planning for growth); NG510/NG511 (ideal for mid-sized businesses)
- Access security settings, manage users and bandwidth, and set policies from a customizable web-based interface on your desktop or mobile device
- Manage multiple KerioControl deployments through a centralized web interface
Manage your valuable bandwidth
- Prioritize and monitor network traffic to guarantee high-speed transmission for your most important traffic types. Cap lower priority traffic by setting a bandwidth maximum or guarantee high priority traffic by assigning minimum thresholds
- Distribute Internet traffic across multiple links with Internet Link load balancing, automatically disabling and re-enabling links to ensure continuous Internet access
- Protect your network from bandwidth-hogging web and application traffic such as streaming video or by blocking peer-to-peer networks
- Manage or block access to 100+ continuously updated categories of content and applications with the optional KerioControl Web Filter with application awareness
Connect your organization with a secure VPN
- Create secure, high-performance server-to-server connections between your offices running KerioControl with an easy-to-setup VPN technology
- Or, you can create a secure VPN connection to a remote office that doesn’t have KerioControl deployed, using industry-standard VPN protocols
Kerio Control Features In Detail
- High availability
- Flexible deployment
- Next-generation firewall capabilities
- Simple and secure VPN
- Productivity boosting usage reporting
- Unmatched Quality of Service
- Administer quickly and easily - anytime, anywhere
- Industry-leading web, content and application filtering
- Intrusion prevention system
- Centralized administration with MyKerio
High availability/fail-over protection eliminates the risk and cost of connectivity or threat-protection downtime.
Without high-availability, prime device failure due to a power surge or other cause often leads network administrators to put a simple router in place to re-establish connectivity. There may be lost productivity waiting for this solution. But worse, the network is vulnerable to security threats until the secure gateway is repaired or replaced.
With high-availability, if a crash or failure occurs the second machine jumps into action immediately. Users see no drop of service. The organization has no vulnerability exposure.
To initiate high-availability, new and existing customers:
- Acquire and install a second, same KerioControl appliance or virtual machine
- A single software license will cover the two pieces of hardware
- Customers configure the second device as a clone of the active one
- Configuration settings are easy-to-do and take minutes
- Once configured, the two devices connect through a synching port and all rules and routing are replicated and kept up-to-date between them.
Software. Virtual. Hardware. Your Choice.
KerioControl offers the broadest range of deployment options on the market — and it integrates hassle-free into your existing IT environment.
You can deploy KerioControl as:
- A software appliance on your own hardware
- A virtual appliance in an existing VMware environment
- A turnkey hardware appliance
KerioControl software appliance
We’ve packaged KerioControl software — and a hardened OS — into a single bare-metal ISO image. The advantages? Custom spec your own hardware based on performance needs. And avoid conflicting applications and vulnerable system services.
Add more protection and control with Kerio Antivirus and KerioControl Web Filter.
KerioControl virtual appliance
Drop this virtual machine pre-configured with KerioControl software and a hardened OS into your VMware or Hyper-V environment. Add state-of-the art security to your existing network without requiring new hardware. Consolidate multiple single-purpose servers and applications in a single box. Integrate resources and network adapters into your virtual machine as you need them.
Add more protection and control with Kerio Antivirus and KerioControl Web Filter.
KerioControl hardware appliance
Ensure the performance of KerioControl software with a KerioControl hardware appliance. These performance-optimized boxes enable you to leverage all KerioControl product features in a stable, solid-state package, pre-configured with KerioControl, and a hardened OS. All KerioControl hardware appliances include the added protection and control provided by Kerio Antivirus and KerioControl Web Filter.
KerioControl is an all-in-one Unified Threat Management (UTM) solution providing comprehensive next-generation firewall protection of your network and data. KerioControl includes a next-generation firewall and router, Intrusion Detection and Prevention (IPS), gateway anti-virus, VPN, and web content and application filtering.
- Deep Packet Inspection (DPI)
- Stateful Packet Inspection (SPI)
- Intrusion Detection and Prevention System (IDPS)
- Application awareness
- DHCP server
- DNS forwarding
- NAT mapping (inbound/outbound)
- MAC filtering
- GeoIP filtering
- Zero-configuration networking
- Service Discovery forwarding
- Guest network with captive portal
- 802.1Q VLAN support
- Traffic rules configuration wizard
- Time-based rules
- Connection limits (DoS protection)
- Dynamic DNS
- Customizable routing table
- Reverse proxy
- Simultaneous IPv4 and IPv6 support
- IPv6 network prefix translation
- IPv6 router advertisements
- Multiple IP addresses on a single network interface (multihoming)
Secure your client-to-site connections with Kerio’s high-performance, configuration-free VPN client—or use an industry-standard IPsec VPN client, such as those pre-loaded on mobile devices.
To create secure, high-performance server-to-server connections between offices running KerioControl, use Kerio’s superior, easy-to-setup VPN technology. Or, to create a secure VPN connection to a remote office without KerioControl deployed, use the industry-standard IPsec VPN protocol.
Enable 2-step verification for an extra layer of security on all forms of remote access.
- VPN client for Windows, Mac & Linux
- Split tunneling
- Multiple client-to-site and site-to-site tunnels
- IPsec client-to-site/site-to-site
- L2TP/IPsec for mobile devices
- Persistent connection
- SSL encryption
- VPN tunnel failover
- NAT support
- Automatic or custom routing
- User authentication via directory services
Get detailed usage reporting with KerioControl Statistics. This component lets managers and admins view the Internet and application activities of individual users — from a list of all sites visited, to the specific search terms users enter on search engines and websites.
Use granular usage insights to refine traffic-shaping rules, monitor employee performance, and more. Best of all, these highly granular reports can automatically run on a schedule and be emailed to you, ready for your review — no need to actively pull reports each week.
- Reporting via KerioControl Statistics
- Automated email reports
- Android, Apple Watch and iOS app (notifications and monitoring)
- Detailed usage reports (web sites, protocols, bandwidth, etc.)
- Traffic categorization (multimedia, messaging, large file transfers, etc.)
- Top visited websites & top users per web category
- Filter reports by individual user, group, or entire network
- Reporting of Google search keywords
- Real-time host activity monitoring
- Traffic charts of users and interfaces
- System Health Monitor
- SNMP monitoring
- Email alerts for firewall events
- External logging to syslog
Easily prioritize and monitor network traffic to guarantee high-speed transmission for the most important traffic types. Internet Link Load Balancing optimizes Internet access by distributing traffic across multiple links. KerioControl monitors link availability, and automatically disables or re-enables links to ensure continuous Internet access.
KerioControl QoS gives you fine-grained control over how much bandwidth each type of network traffic can consume. Cap lower priority traffic by setting a bandwidth maximum, or guarantee high priority traffic by assigning a minimum. KerioControl also uses Internet Link Load Balancing to distribute Internet traffic across multiple links.
Load balancing and QoS features
- Internet link-load balancing
- Policy-based routing
- Automatic connection failover
- Reserve bandwidth for high priority traffic
- Restrict bandwidth for low priority traffic
- User data transfer quotas
- Bandwidth rules based on time intervals, traffic and content rules, traffic type, users, service, DSCP, etc.
Access security settings, manage users and bandwidth and set traffic policies safely and securely from a customizable web-based interface. Manage KerioControl from your desktop or remotely from a tablet device.
Stay in control of all your Kerio deployments from anywhere using MyKerio. Manage multiple KerioControl deployments through a complimentary centralized web interface providing consolidated system information, automatic configuration backup, status monitoring, system notifications and complete remote configuration.
Get notifications straight to your mobile device with the MyKerio app for Android, iPhone and Apple Watch. You can be confident your Kerio deployments are online and if the status changes, you will be the first to know.
- MyKerio centralized web based management to monitor and manage multiple KerioControl deployments
- Remote web-based administration
- Customizable administration dashboard
- Zero-touch or self-provisioning
- Share configuration (definitions) between appliances
- Configuration export/import
- Backup configuration to MyKerio or FTP server
- Template for user configuration
- Variable level administrative rights
- Automatic software updates
- Web-based debugging tools
- Multi-language support
User authentication features
- Active Directory
- Apple Open Directory
- Local user database
- 2-step verification for remote access
- Proxy authentication for terminal servers
- Kerberos and NTLM authentication
- RADIUS server
- Password guessing protection
KerioControl Web Filter is a security service that allows administrators to allow, deny or limit the applications, websites and Internet services users can access. This powerful filter:
- Protects users and infrastructure by preventing visits to known malicious sites or those that engage in phishing attacks or identity theft.
- Blocks objectionable sites to ensure compliance and shield you from liability.
- Increases productivity by limiting access by application or site content category to a specific time of day, selected users, and specific user locations.
With KerioControl Web Filter, you can block/allow applications or sites by application or site content category rather than specific application or URL. KerioControl Web Filter continually updates its list of thousands of applications and more than 6 billion web pages, placing them into 141+ categories — so you don’t need to continually track changing or new applications or sites.
The KerioControl Web Filter is included in the KerioControl hardware appliance and is also available as an add-on when KerioControl is deployed as a software or virtual appliance.
Content filtering features
- URL categories with whitelist (KerioControl Web Filter)
- Content rules based on time intervals, users, applications, web categories, URL groups, file types, etc.
- Forbidden words filtering
- SafeSearch for search engines
- HTTPS filtering
- Pre-defined and custom URL groups
- Regular expressions in URL rules
- Proxy server with cache
- P2P (peer-to-peer) traffic filtering
- Antivirus filtering
- Customizable denial page
Application awareness features
- Database of common applications (Skype, Facebook, BitTorrent, etc.)
- Categories of applications
- Real-time and detailed reporting of application activity
- Content rules per applications by user, host or time interval (permit or deny)
- Bandwidth rules per application (restrict or reserve)
You can selectively block more than 141 application and web content categories with KerioControl Web Filter including:
- PORNOGRAPHY / NUDITY
- Child Abuse Pictures
- Auctions & Marketplaces
- Marketing Services
- Online Ads
- Online Shopping
- Products Reviews & Price Comparisons
- SOCIETY / EDUCATION / RELIGION
- Abortion – Pro Choice
- Abortion – Pro Life
- Atheism & Agnosticism
- Educational Institutions
- Educational Materials & Studies
- Gay, Lesbian or Bisexual
- Government Sponsored
- Legislation, Politics & Law
- Nature & Conservation
- Non–traditional Religion & Occult
- Philanthropic Organizations
- Physical Security
- Retirement Homes & Assisted Living
- Sex Education & Pregnancy
- School Cheating
- CRIMINAL ACTIVITIES
- Command & Control Centers
- Criminal Skills
- Piracy & Copyright Theft
- Hate Speech
- ENTERTAINMENT / CULTURE
- Architecture & Construction
- Cartoons, Anime & Comic Books
- Entertainment News & Celebrity Sites
- Entertainment Venues & Events
- Kids’ Pages
- Photo Sharing
- Television & Movies
- Web–based Greeting Cards
- INFORMATION / COMMUNICATION
- Community Forums
- Contests & Surveys
- Image Search
- Instant Messenger
- Internet Phone & VOIP
- Login Screens
- Mobile Phones
- Online Information Management
- Portal Sites
- Reference Materials & Maps
- Search Engines
- Text Messaging & SMS
- Web–based Email
- INFORMATION TECHNOLOGY
- Content Servers
- Information Security
- Personal Storage
- Remote Access
- Software, Hardware & Electronics
- Technology (general)
- Web Hosting, ISP & Telco
- Illegal Drugs
- Astrology & Horoscopes
- Fashion & Beauty
- Fitness & Recreation
- Food & Restaurants
- Hobbies & Leisure
- Home & Office Furnishings
- Home, Garden & Family
- Literature & Books
- Nutrition & Diet
- Parks, Rec Facilities & Gyms
- Pets & Animals
- Self–help & Addiction
- Social & Affiliation Organizations
- Sport Fishing
- Sport Hunting
- PRIVATE HOMEPAGES
- Personal Pages & Blogs
- Private IP Addresses
- FINANCE / INVESTMENT
- Finance (general)
- Online Financial Tools & Quotes
- Online Stock Trading
- Real Estate
- Health & Medical
- Supplements & Compounds
- Phishing / Fraud
- Malware Call–home
- Malware Distribution Point
- Spyware & Questionable Software
- GENERAL BUSINESS
- Advocacy Groups & Trade Associations
- Businesses & Services (general)
- Shipping & Logistics
- Child Inappropriate
- Lingerie, Suggestive & Pinup
- Sex & Erotic
- DOWNLOAD SITES
- File Repositories
- Streaming & Downloadable Audio
- Streaming & Downloadable Video
- Torrent Repository
- No Content Found
- JOB SEARCH
- MOTORIZED VEHICLES
- SOCIAL NETWORKING
- PROFESSIONAL NETWORKING
- PAY TO SURF
IPS in KerioControl
KerioControl, a Unified Threat Management solution, incorporates a signature-based packet analysis architecture known as Intrusion Detection and Prevention (IPS), which transparently monitors inbound and outbound network communication to identify suspicious activity. Depending on the severity of the activity, KerioControl can log and block the communication. New signatures are regularly added to the rules database to defend against emerging threats.
The system is designed to protect servers behind the firewall from unauthorized connections, typically originated by an Internet bot or hacker trying to exploit an available service. The IPS is also designed to protect network users from unknowingly downloading malicious content or malware, or to mitigate the effects of a compromised system.
In many deployments, servers are placed behind the firewall, and only those services being hosted can receive connections. Depending on the type of service hosted (e.g. SQL server) the firewall may not have the ability to inspect the actual conversation taking place between a client and the server. The firewall is primarily responsible for ensuring that the connection is established, without allowing any other type of backdoor access to other services available on the server. What this type of configuration does not address is the potential threat of a request or command that exploits a vulnerability in the server software.
Perhaps the best-known incident of this type of attack occurred in 2001, when a worm was developed to attack systems running the web server software Microsoft Internet Information Server (IIS). Labeled “Code Red”, the worm was programmed to send a series of commands through the HTTP service that would cause a buffer overflow in the memory space of the server software. This allowed the attacker to inject and execute arbitrary code on the server. Part of this code included the ability to rapidly redistribute itself by infecting other servers running the Microsoft IIS software. This specific attack resulted in a denial of service to the affected server.
Adding the IPS layer
Keeping server software updated is critical to protecting server applications from this type of threat. Application vendors regularly update their software to patch security vulnerabilities. In some cases however, it may not be possible to update to the latest version of the software or the vendor may not yet have a fix for an emerging threat. Adding an Intrusion Prevention System provides an extra layer of security to protect against threats such as the Code Red worm.
The IPS maintains a local database of signatures, which it uses to identify known types of attacks. Without interpreting the communication between a client and server, an IPS can generate a signature of the network connection and search for this signature in its local database. This type of architecture is highly effective at combating the threat of a worm or other server-based attack.
Other types of server attacks include password guessing or brute force, distributed denial of service, port scans or session hijacking. These types of attacks generally involve attempts to obtain information about the server software, such as the version and developer. With this information, the attacker can research vulnerabilities in the server software and attempt to gain unauthorized access to the system, or perform malicious actions to prevent the server from properly functioning. In all of these cases, the IPS will notify the administrator of this suspicious activity, and block any communication if it is known to cause harm to those servers protected by the firewall.
Mitigating the effects of Trojans, Worms, Spyware and other Malware
Aside from the exploitation of available services to vulnerable applications, there are other ways to exploit an operating system. One of the more common approaches used by an attacker is to piggyback an application on top of free software. The user is deceived into installing malware through the installation of another application, or by simply accessing a website which runs a client side script to install the malware. These types of applications may not be apparent to the user, but can be programmed to expose sensitive corporate information found on the infected computer. They can also degrade the performance of a computer, or cause other applications to fail. As these programs may appear to be legitimately installed, they may not be identified by antivirus software.
An Intrusion Prevention System is instrumental in identifying systems that are infected by these types of applications. The IPS can identify that the user is inadvertently attempting to download an unwanted application and can close the connection, preventing the file from successfully reaching the end user’s computer. In case a previously infected computer is brought onto the network, the IPS can also identify and block the activity of the installed malware. The IPS in KerioControl thus works in tandem with the firewall and content filtering capabilities to prevent the spread of malware on the network.
(1) Location. Typically, an Intrusion Detection System resides at the location of the network that receives a broadcast of all network activity. The IPS must reside on a gateway router or firewall, which is responsible for the transport of IP traffic between different network segments and the Internet. As a perimeter based firewall, KerioControl implements “network-based” Intrusion Prevention. In other words, any traffic routed through the firewall, between the protected networks and the Internet, will be protected by KerioControl’s IPS.
(2) Packet Analysis. At the core of its scanning technology, KerioControl integrates a packet analyzer based on Snort. Snort is an open source IDS/IPS system that transparently scans all network communication, and provides a framework for incorporating custom rules. More information is available at www.snort.org.
(3) Database. KerioControl implements a set of rules maintained by a community sponsored project called Emerging Threats. Each rule is digitally signed to ensure the authenticity of updates, preventing any type of tampering. The rules are based on many years of contributions from industry professionals, and are continuously updated. More information is available at www.emergingthreats.net.
KerioControl’s Intrusion Prevention System offers three different actions, depending on the severity of the potential attack:
- Low severity intrusions: no action
- Medium severity intrusions: log only
- High severity intrusions: log and drop
These are the default settings; however, the action may be adjusted according to the needs of the organization. Severity is based on qualifications built into the rule. High severity rules have the greatest probability of being an actual attack on the network. An example would be the detection of network activity from a Trojan application. Medium category events are defined as suspicious and potentially harmful, but have a possibility of being legitimate activity, for example, a connection over a standard port using a non-standard protocol. A low severity threat may be considered suspicious activity that does not pose any immediate harm, for example, a network port scan.
In addition to a rules database comprised of network behavior signatures, KerioControl maintains a database of IP Addresses, which are explicitly denied any type of access through the firewall. The IP Addresses included in this database are known to be the origin of some form of attack. In many cases, these IP Addresses were assigned to legitimate companies, but have become repurposed for illegitimate activities, such as spam distribution. This database of IP Addresses is pulled from various Internet sources, and managed by organizations such as Dshield and Spamhaus. These lists are stored locally and updated automatically.
False Positives and Exceptions
Intrusion Detection technology is not foolproof. Similar to anti-spam solutions, it is normal to encounter a small percentage of false positives. In other words, legitimate network communication that matches the signatures of suspicious activity can be misidentified. It is therefore necessary to provide a simple method for making exceptions to the signature database.
How to fine-tune the IPS
- Review the Security log. Any communication blocked by the IPS engine is reported to the “Security” log. The details of each event, including the “rule ID” are provided in the log. If a user reports a connection problem in a specific application that uses a permitted protocol, it is worth reviewing the security log for the potentially misidentified intrusion.
- Verify that the application is not compromised. If the communication of an application is blocked by the IPS, the application should be examined to ensure it has not become compromised and it is in fact behaving legitimately.
- Create exceptions. If an exception should be made to the signature database, the rule ID taken from the log event can be added to the “Ignored Signatures” dialog in the advanced settings of the IPS management interface.
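The following is an added illustration of the decision flow described in the severity table, the IP blacklist paragraph and the three fine-tuning steps above. It is example code written for this page, not Kerio’s implementation. It assumes alerts arrive in Snort’s “fast” alert format, that Snort priority 1/2/3 maps onto the page’s high/medium/low tiers, and it uses constructed sample alert lines, made-up signature IDs (9000001 and so on) and a documentation address range standing in for a downloaded blacklist; none of those values come from the page.

```python
import re
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Sample alerts in Snort "fast" alert format, constructed for this example.
# The signature IDs (SIDs), messages and addresses are made up; they are not
# real Emerging Threats rules.
SAMPLE_ALERTS = [
    "08/15-09:12:01.100000  [**] [1:9000001:2] EXAMPLE trojan check-in beacon [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.23:49152 -> 198.51.100.9:443",
    "08/15-09:12:07.400000  [**] [1:9000002:1] EXAMPLE non-standard protocol on port 80 [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.41:50010 -> 192.0.2.15:80",
    "08/15-09:12:09.900000  [**] [1:9000003:1] EXAMPLE TCP port scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 203.0.113.77:40000 -> 10.0.0.5:22",
    "08/15-09:13:15.200000  [**] [1:9000002:1] EXAMPLE non-standard protocol on port 80 [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.41:50011 -> 192.0.2.15:80",
    "08/15-09:14:02.000000  [**] [1:9000004:1] EXAMPLE plain web request [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.8:51000 -> 203.0.113.200:80",
]

# Constructed stand-in for a downloaded IP blacklist (the page names DShield and
# Spamhaus as sources); 203.0.113.0/24 is a documentation range, not a real feed entry.
EXAMPLE_BLACKLIST = [ip_network("203.0.113.0/24")]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*?\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Snort priority 1 is the most severe; mapping the three priorities onto the
# page's low/medium/high tiers is an assumption of this example.
PRIORITY_TO_SEVERITY = {1: "high", 2: "medium", 3: "low"}

# Default actions stated on the page: low -> none, medium -> log, high -> log and drop.
DEFAULT_POLICY = {"low": "none", "medium": "log", "high": "log+drop"}


class Alert(NamedTuple):
    sid: int
    msg: str
    severity: str
    proto: str
    src: str
    dst: str


def parse_alert(line):
    """Extract rule ID, severity and endpoints from one fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    severity = PRIORITY_TO_SEVERITY.get(int(m["prio"]), "low")
    return Alert(int(m["sid"]), m["msg"], severity, m["proto"], m["src"], m["dst"])


def decide(alert, policy=DEFAULT_POLICY, ignored_sids=frozenset(), blacklist=()):
    """Return the action for one alert.

    Evaluation order follows the page: a blacklisted peer is denied outright,
    an ignored signature (a false-positive exception) is never acted on, and
    otherwise the severity policy applies.
    """
    for peer in (alert.src, alert.dst):
        if any(ip_address(peer) in net for net in blacklist):
            return "log+drop"
    if alert.sid in ignored_sids:
        return "none"
    return policy[alert.severity]


def process_alerts(lines, policy=DEFAULT_POLICY, ignored_sids=frozenset(), blacklist=()):
    """Run the pipeline over raw alert lines.

    Returns (actions, security_log): actions lists (sid, severity, action) in
    input order; security_log holds the entries an administrator reviews when
    fine-tuning, each carrying the rule ID needed to create an exception.
    """
    actions, security_log = [], []
    for line in lines:
        alert = parse_alert(line)
        action = decide(alert, policy, ignored_sids, blacklist)
        actions.append((alert.sid, alert.severity, action))
        if action != "none":
            security_log.append(
                f"{action.upper():8} rule_id=1:{alert.sid} sev={alert.severity} "
                f"{alert.proto} {alert.src} -> {alert.dst} :: {alert.msg}"
            )
    return actions, security_log


if __name__ == "__main__":
    # First pass with defaults, then a tuned pass after the administrator has
    # verified that SID 9000002 is a legitimate application and ignored it,
    # while the blacklist still overrides severity for the 203.0.113.0/24 peers.
    _, default_log = process_alerts(SAMPLE_ALERTS)
    _, tuned_log = process_alerts(SAMPLE_ALERTS, ignored_sids={9000002},
                                  blacklist=EXAMPLE_BLACKLIST)
    print("\n".join(default_log), "\n---\n", "\n".join(tuned_log), sep="")
```

Running the block twice shows the effect of each tuning knob: with the defaults only the high and medium events reach the log; after the administrator adds 9000002 to the ignored set the two medium events disappear, while the two low-severity events whose peers fall in the blacklisted range are dropped regardless of their rule severity.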
Just like viruses, new threats are identified daily. It is therefore necessary to ensure that the signature database is updated regularly. KerioControl’s IPS engine checks for updates once every day, but also can be set to check hourly.
The community surrounding emergingthreats.net contributes newly added rules, or signatures. Kerio contributes to the ongoing maintenance of these signatures, while encouraging administrators using the IPS in KerioControl to participate in the community effort to identify new attacks and assist in the development of new rules. More information can be found at www.emergingthreats.net.
Inherent IPS Rules
The built-in deep packet inspection of KerioControl acts as an additional layer of defense by transparently monitoring specific protocols to ensure the communication does not violate the specification. It also filters malicious content that may not be recognized by the signature database. In addition to the blacklists and signature databases, KerioControl combines a number of automatic features to fortify its intrusion prevention capabilities:
- Peer-to-peer blocker. When enabled, the firewall will monitor connections over certain ports to identify and block activity of known P2P applications, which heavily contribute to the spread of malware.
- Blocking illegal binary data in HTTP. As part of its packet inspection, the firewall will prevent the illegal use of binary data in HTTP connections.
- GDI+ JPEG vulnerability filter. A specifically designed JPEG image file can cause a buffer overflow in unpatched Windows operating systems, allowing the execution of arbitrary code (MS04-028). KerioControl identifies and blocks the transfer of this specific file through email and web protocols.
- Ongoing ICSA Labs certification testing. As part of ICSA (International Computer Security Association) Labs certification, KerioControl must continuously pass a number of security audits, such as TCP SYN flooding, FTP bounce, man-in-the-middle attacks, and other evolving threats.
Intrusion Prevention is a highly sophisticated technology, based on a large set of varying rules. Every network is unique, and a so-called “intrusion” may be subject to interpretation. The IPS built into KerioControl is designed to identify and block attacks as accurately as possible, while maintaining an optimal level of network performance.
Intrusion Prevention System features
- Snort-based packet analyzer
- Emerging threats rules database
- IP blacklist database
- Multiple security levels
- False positives exception handling
MyKerio simplifies the management of multiple Kerio Connect, KerioControl and Kerio Operator deployments through a centralized web interface providing consolidated system information, automatic configuration backup, status monitoring, system notifications and complete remote configuration.
With single sign on capability, MyKerio establishes an encrypted communication channel to your deployments, allowing you to apply and share configuration settings remotely and securely without any prior configuration.
As a cloud based service with 24/7 availability, MyKerio remotely monitors your deployments, allowing you to view network, licensing, or system critical events the moment they occur.
Mobile monitoring and notifications
Get notifications straight to your mobile device with the MyKerio app for Android or iPhone/Apple Watch. You can be confident your appliances are online and if the status changes, you will be the first to know.
Rapid Remote Deployment
Deploy KerioControl hardware appliances with self-provisioning in MyKerio. Avoid the expense and hassle of on-site administration and save time by setting up and configuring appliances remotely.