Data transmission within the Internet is performed through the TCP/IP protocols. These protocols are also used for most traffic within local networks. The essential protocol is IP (Internet Protocol). Packets of this protocol carry all other information (they encapsulate other protocols). Kerio Personal Firewall controls all IP packets: it is able to catch them, extract essential information and then either let them into the system or filter them out. Logs of all events, detected intrusions, etc. are provided as well.
Kerio Personal Firewall is based on so-called stateful inspection. This means that the firewall makes its decision using information acquired from the detected packet as well as information about the previous communication. A log is created for each permitted connection (or a pseudo-connection in the case of UDP and ICMP), and the firewall blocks all packets which do not belong to this connection. Stateful inspection of network communication is more efficient and more secure than packet filtering.
If the Advanced mode is selected during the installation of Kerio Personal Firewall (see chapter 2.2. Initial Configuration), the firewall works in so-called self-taught mode. Whenever unknown network traffic is detected, a dialog is displayed through which the particular traffic can be permitted or denied, either for that single occasion or for all further connections (permanently). If traffic is permitted or denied permanently, a corresponding rule is created automatically and users will not be asked about that traffic again. For details refer to chapters 5.2. Connection Alert (unknown traffic detection) and 8. Advanced Packet Filter.
Note: The same method is used for checking running applications (for details, see chapter 13.2. Application Rules).
By modifying rules for applications or advanced packet filter rules, a user (or the administrator) can specify further traffic filtering rules. Only packets that meet the required criteria or that belong to permitted connections (see the information on stateful inspection) are let through the firewall.
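The decision flow described above (packets of an already permitted connection pass, rules are consulted next, and unknown traffic raises a prompt that may create a permanent rule), as an added sketch that is not Kerio's code. The class names, the order of the checks, the rule-matching key, the timeout values and the addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
ALLOW, DENY = "allow", "deny"
IDLE_TIMEOUT = {"tcp": 3600.0, "udp": 30.0, "icmp": 10.0}  # seconds; constructed values

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    local: tuple     # (ip, port) on the protected host
    remote: tuple    # (ip, port) of the peer
    outbound: bool   # True if sent by the protected host

class Firewall:
    def __init__(self, ask):
        self.ask = ask     # stands in for the alert dialog: returns (verdict, permanent)
        self.rules = {}    # (proto, remote, outbound) -> verdict
        self.state = {}    # (proto, local, remote) -> time the last packet was seen

    def handle(self, p, now):
        flow = (p.proto, p.local, p.remote)   # same key for both directions
        seen = self.state.get(flow)
        if seen is not None and now - seen <= IDLE_TIMEOUT[p.proto]:
            self.state[flow] = now            # part of a permitted (pseudo-)connection
            return ALLOW
        self.state.pop(flow, None)            # expired or never existed
        rule = (p.proto, p.remote, p.outbound)
        verdict = self.rules.get(rule)
        if verdict is None:                   # unknown traffic: ask the user
            verdict, permanent = self.ask(p)
            if permanent:
                self.rules[rule] = verdict    # this traffic never prompts again
        if verdict == ALLOW:
            self.state[flow] = now            # open the (pseudo-)connection
        return verdict

def demo():
    prompts = []
    def ask(p):  # constructed policy: allow outbound permanently, deny inbound once
        prompts.append(p)
        return (ALLOW, True) if p.outbound else (DENY, False)
    fw = Firewall(ask)
    host, dns, other = ("10.0.0.5", 5353), ("192.0.2.53", 53), ("198.51.100.7", 53)
    verdicts = [
        fw.handle(Packet("udp", host, dns, True), 0),      # query: prompt, rule created
        fw.handle(Packet("udp", host, dns, False), 1),     # reply: matches state
        fw.handle(Packet("udp", host, other, False), 2),   # unsolicited: prompt, denied
        fw.handle(Packet("udp", host, dns, False), 100),   # late reply: state expired
        fw.handle(Packet("udp", host, dns, True), 200),    # rule hit, no prompt
    ]
    return verdicts, len(prompts)
```

The late reply at t=100 is the case a plain packet filter that simply permits inbound UDP from port 53 would let through; here it is refused because the pseudo-connection it claims to belong to has already timed out.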
Warning dialogs are displayed “Always on Top”. If more than one event (attempts to establish a connection, intrusion attempts, etc.) is detected at a time, the dialogs are queued. When the dialog which is currently on top is confirmed, the next one is displayed.