Maximum security with Kerio WinRoute Firewall
This step-by-step guide will take you through all the settings you need to make in Kerio WinRoute Firewall 5 in order to achieve maximum security for your Internet-connected LAN, including the computer WinRoute 5 is installed on.
This is only a simple guide that should fit most network situations. If you do not require anything other than web access and downloading files from FTP servers, this guide will help you make your network as secure as it can possibly be. Settings can be modified to suit individual requirements. Additional services can be added and more actions can be allowed, but it is always recommended not to allow unnecessary communication. Starting with as few things allowed as possible and adding new ones later as they are needed is the path to true security.
- Install KWF 5 and restart the computer.
- Log in to the Kerio WinRoute Firewall administration console. If this is the first time you have installed WinRoute 5, a configuration wizard will run automatically. Otherwise, run the wizard manually by clicking the Wizard button in the Traffic Policy section. In the wizard, select the type and the interface of your Internet connection. On the Outbound Policy page of the wizard (page 5), select the HTTP, HTTPS and FTP protocols. This assumes that email services are provided by a mail server installed within the local network. WinRoute will take care of the DNS service.
- When mapping incoming communication, bear in mind that security depends on the stability and robustness of the server to which the mapping is performed. (When the wizard has finished, you can restrict inbound access to selected IP addresses only, for increased security.) Switch on NAT on the last wizard page. Switch on logging for the last rule in the Traffic Policy section (the default denying rule). This will let you view information about any communication being blocked by it.
- For the highest level of security possible, apply an appropriate protocol inspector to every communication allowed (see the example HTTP service definition). Protocol inspectors can be activated for individual services in the Definitions – Services section.
- In the HTTP Policy section:
  Create the rule displayed on this screenshot:
  This will force all users to log in to the firewall before connecting to the Internet. This rule should be valid at all times and for all IP addresses (see the Advanced tab). It should be the first rule from the top, as rules are processed from top to bottom.
  On the URL Group tab, create a group and place all executable extensions inside it (*.exe, *.com, *.pif, *.bat, *.cmd, *.vbs, *.js).
  Create a denying rule for this group on the URL Rules tab.
  On the Content Rules tab, uncheck all available options.
- In the FTP Policy section, allow downloading all files except those with forbidden extensions. Make this available to authenticated users only. Uploading files will not be allowed.
- Enable anti-virus control in the Antivirus section. If no rule is set for anti-virus control, all HTTP and FTP traffic is checked by default.
- Make sure that UPnP support is DISABLED in the Advanced Options section. Using UPnP sacrifices security for ease of use.
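The steps above rely on two things that are easy to get wrong in any firewall: rules are evaluated top to bottom with the first match winning, and the last rule is a logged default deny. The following Python model, added here as an illustration and not Kerio WinRoute code, builds the policy in the order the guide prescribes (login rule first, the executable-extension URL group next, the allowed services, then the logged default deny) and shows what happens to sample requests, including what the misordered policy does when the allow rule is placed above the login rule. Service names, rule names, the sample URLs and the `Request`/`Rule` types are constructed assumptions; the extension list is the one from the URL Group step.

```python
"""Toy first-match policy evaluator modelled on the ordering this guide
prescribes. Added illustration only; not Kerio WinRoute code. The
rule/service names and the sample requests are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit
import posixpath

# Executable extensions placed in the URL group (list taken from the guide).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


@dataclass(frozen=True)
class Request:
    service: str           # assumed service names: "HTTP", "HTTPS", "FTP", "SMTP", ...
    authenticated: bool    # has the user logged in to the firewall?
    url: str = ""          # requested URL, for HTTP and FTP


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str            # "allow", "deny" or "require-auth"
    log: bool = False      # write a line to the log when this rule fires


def path_extension(url: str) -> str:
    """Extension of the URL path alone. Query string and fragment are
    discarded first, so /setup.exe?ver=2 is still recognised as .exe,
    and the comparison is case-insensitive."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def is_executable(req: Request) -> bool:
    return path_extension(req.url) in EXECUTABLE_EXTENSIONS


WEB_SERVICES = ("HTTP", "HTTPS", "FTP")

# Policy in the order the guide prescribes: login rule first, the
# executable URL group next, then the allowed services, default deny last.
POLICY: List[Rule] = [
    Rule("require login", lambda r: r.service in WEB_SERVICES and not r.authenticated, "require-auth", log=True),
    Rule("block executables", lambda r: r.service in ("HTTP", "FTP") and is_executable(r), "deny", log=True),
    Rule("allow web and ftp", lambda r: r.service in WEB_SERVICES, "allow"),
    Rule("default deny", lambda r: True, "deny", log=True),   # logging switched on, as in the Traffic Policy step
]

# The same rules with the allow rule moved to the top: what happens when the
# "first from the top" advice is ignored.
MISORDERED_POLICY: List[Rule] = [POLICY[2], POLICY[0], POLICY[1], POLICY[3]]


def evaluate(policy: List[Rule], req: Request, log: List[str]) -> Tuple[str, str]:
    """Walk the rules top to bottom; the first matching rule decides."""
    for rule in policy:
        if rule.matches(req):
            if rule.log:
                log.append(f"{rule.action:12} {rule.name:18} {req.service} {req.url}".rstrip())
            return rule.action, rule.name
    raise RuntimeError("policy must end with a catch-all rule")


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Request("HTTP", False, "http://intranet.example/"),           # not logged in
        Request("HTTP", True, "http://files.example/setup.EXE?v=2"),  # executable download
        Request("HTTP", True, "http://www.example/index.html"),
        Request("SMTP", True),                                        # not in the allowed set
    ]
    log: List[str] = []
    for s in samples:
        print(s.service, s.url, "->", evaluate(POLICY, s, log))
    print("\nlogged:")
    print("\n".join(log))
    print("\nmisordered policy, unauthenticated user:",
          evaluate(MISORDERED_POLICY, samples[0], []))
```

Two details carry over to the real configuration: the URL check looks only at the path, so a query string or an upper-case extension does not slip past the URL group, and the logged default deny rule is the only place where traffic outside the allowed services leaves a trace, which is why the guide tells you to switch its logging on.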