ADMINISTERING INTERNET SHIELD

Agenda
What can Internet Shield be used for?
Administering Internet Shield
• Firewall configuration
• Network Quarantine configuration
• Application Control configuration
• Intrusion Prevention configuration

Internet Shield... What For?
Internet Shield protects computers from unauthorized access from the Internet, as well as from attacks originating inside the LAN.
Core protection components and their purpose
• Firewall
  • Restricts traffic based on the protocols and ports used
• Application Control
  • Prevents malicious programs from sending information out of the computer (trojan defense)
• Intrusion Prevention
  • Stops malicious packets aimed at open ports (network attacks)

Network Attack: Managed Network
(Diagram: Managed Mobile Host, Web Server, Managed Hosts and F-Secure Policy Manager; worm traffic marked x, policy traffic from the Policy Manager to the managed hosts)

Network Attack: Unmanaged Network
(Diagram: Unmanaged Mobile Host, Web Server, Unmanaged Hosts and Unmanaged File Server; worm traffic and trojan traffic over a VPN tunnel, marked x)

INTERNET SHIELD ADMINISTRATION INTERFACE

Remote Administration
The Policy Manager Console offers two different graphical interfaces
• Anti-Virus Mode
  • Optimized for administering F-Secure Anti-Virus Client Security
• Advanced Mode
  • Used for deeper product configurations
  • Products other than AVCS have to be administered in this mode
  • Some settings are only available in this mode!

Anti-Virus Mode
Management tabs
• Host configuration and monitoring
• Operations management
Policy domain tab
• Displays the policy domain structure
Message view
• Informative messages
  • e.g. virus definitions update info

Advanced Mode
Policy properties pane
• Host configuration and monitoring
• Operations management
Product view pane
• Provides the most common settings
• Functions differ depending on the selected properties tab (e.g. Policy tab)
Product help
• Field focus help, if the Policy properties tab is selected
Message view
• Informative messages
  • e.g. virus definitions update info

Anti-Virus Mode Summary Tab
Policy Manager section
• Policy distribution status
• Virus and spyware definitions status
• Autoregistration requests
Domain/Host section
• Displays the most important information
• More detailed for hosts (e.g. UID)
• Host alert summary
Virus protection section
• Real-time protection status
• Infections (host or whole domain)
• Virus definitions status (host or domain)
Internet Shield section
• Active security level (if a host is selected)
• Latest attack (host or whole domain)

Anti-Virus Mode Internet Shield Settings
Firewall Security Levels
• Define the security level for host(s)
• Enable/disable/add security levels
• Configure firewall components (e.g. Network Quarantine)
• Enable/disable firewall components (e.g. Application Control)
Firewall Rules
• Define rules for existing or added security levels
Firewall Services
• Edit existing services or create your own custom services
Application Control
• Define rules for unknown applications reported by hosts

FIREWALL CONFIGURATION

Internet Shield Security Levels
F-Secure Internet Shield provides administrators with predefined security levels
• Each of them has a set of pre-configured firewall rules
• Provides an easy and fast way of defining different policies on different domain levels
The security levels are created in a way that suits most corporations
• In general, no changes are needed
• The console provides the possibility to change existing security levels or to create completely new ones (from scratch)

Provided Security Levels
There are seven predefined security levels
• Mobile, Home, Office (default), Strict (disabled), Normal (disabled), Custom (disabled), Network Quarantine
• "Block all" and "Disabled" (allow all traffic) levels cannot be edited!
• Network Quarantine is a special security level used by the Intelligent Network Access (INA) feature

Security Levels Structure
(Diagram: 1 SECURITY LEVEL contains 2 RULES, e.g. "Allow Web Browsing", which reference 3 SERVICES)
• HTTP / Hyper Text Transfer Protocol (out)
• HTTPS (SSL) (out)
• FTP / File Transfer Protocol (out)

Fine-tuning Security Levels
Choose the security level to edit
Define the location for sub-domain and host specific rules
• Only possible on the root level!
Edit, add or clear (delete) rules
Restore or force security levels
• Choice: active or all security levels
Disable/enable rules
• Doesn't delete the rule!
Allow and place user-defined rules
• Recommended to leave "disabled"

Using Security Level Autoselection
The auto-selection feature enables automatic switching between different Internet Shield security levels, based on specific arguments
• Rules are read from top to bottom (the first matching rule is applied)
• The specified arguments (IP address or network) refer to pre-defined methods (e.g. Default Gateway IP address)
• Never: disables the rule (no argument needed)
• Always: applies the rule, argument disregarded (used for the last rule)

Creating Auto-selection Rules
Goal
• Hosts connected to the LAN should automatically use the "Office" security level, and hosts outside the LAN should switch to the "Mobile" security level

Office Rule
Priority: 1
Security Level: 40office (security level ID)
Method1: Default Gateway IP Address (most common method)
Argument1: <Gateway IP address>
Method2: Always (default method)

Mobile Rule
Priority: 2 (doesn't automatically increment!)
Security Level: 20office (security level ID)
Method1: Always (last catch-all rule)
Argument1: No argument needed
Method2: Always (default method)

Principles for Designing Firewall Rules
Allow only the needed services, deny all the rest
• In this way the security risk is minimized and well known
• The drawback is that when new services are needed the firewall must be reconfigured, but this is a small price for the security
The opposite concept, to deny only dangerous services and allow the rest, is not acceptable
• No one can tell with certainty which services are dangerous or might become dangerous in the future when a new security problem is discovered.

Principles for Designing Firewall Rules
1. Deny rules for the most dangerous services or hosts, optionally with alerting
2. Allow rules for much-used common services and hosts
3. Deny rules for specific services you want alerts about, e.g. trojan probes, with alerting
4. More general allow rules
5. Deny everything else

Proper Alerting
Proper alerting can only be done by having proper granularity in the rule set: one rule for each type of alert you want
• "Broad" rules will generate a lot of alerts, and important information may be lost in large volumes of useless noise
If you really want alerts on the last rule (deny everything else), then it might be a good idea to have deny rules without alerting before it that drop high-volume traffic of little interest
A bad decision would be to alert on network broadcasts in a corporate LAN

Good Practice
Allow only the needed services, deny the rest
Keep it simple and efficient
For normal workstations, deny all inbound traffic
As an optional security measure, deny services that transfer confidential information (passwords etc.) over the network
• Deny POP, IMAP, SMTP, FTP, Telnet etc. to 0.0.0.0/0

Example: Simple Ruleset
Outbound traffic
• The first rule allows outbound TCP & UDP to everywhere (for example, web browsing is possible)
• Protocols used during web browsing
  • TCP port 80 (HTTP)
  • TCP or UDP port 53 (DNS)
Bi-directional traffic
• The second rule drops all other traffic

Basic Desktop Policy
(Diagram: Managed host; inbound traffic TCP, UDP and ICMP marked x; outbound traffic)

Basic Desktop Policy
(Figure only)

SMB over NetBIOS... Still Needed?
Port             Description
135              RPC (Remote Procedure Call) / DCOM (Distributed Component Object Model). Allows a remote computer to send commands to another computer. Used by services like DNS (Domain Name System)
137, 138 & 139   Windows Networking using SMB over NBT (NetBIOS) (Windows NT and 9x)
445              Windows Networking using SMB directly over TCP (Windows 2000 and later)

Windows Networking Rules
(Figure only)

More Strict Desktop Policy
(Diagram: Managed host on LAN 10.10.10.0/24; File Server (SMB, TCP), Mail Server (SMTP, POP, IMAP) and DNS Server (DNS) in DMZ 194.197.29.0/24, hosts .110, .53 and .139; inbound and outbound traffic; legend: Internal (allowed), External (allowed), External (denied, x))

More Strict Desktop Policy
(Figure only)

NETWORK QUARANTINE CONFIGURATION

Who Is Connecting To My Network?
It is in the interest of every corporation to prevent unauthorized hosts from connecting to the company network
• Virus infections in data networks have become an increasingly serious problem
Physically guarding network sockets is not going to be the solution
• An automated system is needed that checks the host protection before granting network access
  • Anti-Virus protection status (e.g. real-time protection check)
  • Firewall protection status (e.g. packet filter status check)

Policy Manager Network Security
Policy Manager Server provides two different solutions
Network Admission Control (NAC)
• Solution developed by Cisco Systems
• Supported by Anti-Virus Client Security 6.x
• No centralized management
Network Quarantine (a.k.a. Intelligent Network Access, INA)
• Solution developed by F-Secure
• Complete integration in Internet Shield
• Centralized management possible

Using Network Quarantine
Network Quarantine is disabled by default
• Very simple to enable (Firewall Security Levels / Network Quarantine)
• Monitors two host conditions
  • Virus definitions update status (age, default setting 4 days)
  • Real-time scanning status
• If one of the conditions applies, the host is quarantined (the security level switches to "Network Quarantine")

Example: Host Access Restrictions
Network traffic is restricted
• Reason: real-time scanning is disabled
• Solution: re-enable real-time scanning
Important: administrators should restrict changes to system critical settings!

Network Quarantine Security Level
Access limited to F-Secure update servers
• Automatic Update Server(s)
• Automatic Update Proxy(ies)
• F-Secure Root Update Server
Network access will be granted once the computer has
• Re-activated real-time scanning
• Updated the virus definitions

APPLICATION CONTROL CONFIGURATION

Application Control Features
Application Connection Control
• Monitors applications sending and receiving information (client and server applications)
• Protects from trojans sending out confidential information (trojan defense)
• Component supports complete remote administration (all settings)
Enhanced features
• Memory write protection (application manipulation control)
• Process creation protection (application launch control)
• No central management
  • Enabling or disabling the feature is the only PMC setting

Application Connection Control Operation
(Diagram: F-Secure Policy Manager and Managed Hosts; policy traffic to the hosts, application traffic marked x)

Rules Wizard: Connection Properties
First, you have to define the connection properties
• Act as client (outbound, connecting)
• Act as server (inbound, listening)
It makes no sense to allow inbound connections for client applications (e.g. Internet Explorer)

Rules Wizard: User Messages
As a second step, define how the application connection policy is communicated to the end user
• No message (completely transparent)
• Default message (defined in the MIB tree)
• Customized message

Rules Wizard: Target Domain Selector
New application instances cannot be created manually in the PMC
• They are reported by the managed hosts (reporting needs to be enabled!)
• Not all hosts might report the same applications
• Still, you might want to force certain host applications to the whole domain
The Rules Wizard has a domain target selector
• Simple and fast way to create company-wide application control rules

Creating the Application List
1. Create a test environment representing your production computers (operating systems, service packs, applications, etc.)
2. Import these hosts into the centrally managed domain
3. Define rules for the reported applications
4. Distribute the policies

Configuration Tips
Key settings
1. Action on Unknown Applications = Deny (inbound and outbound)
2. Report to Administrator = Report
3. Application Control Enabled = Yes
4. Memory Write Protection Enabled = No
5. Process Creation Protection Enabled = No

INTRUSION PREVENTION

Recommended Configuration
Intrusion Prevention is enabled by default
• Similar to Network Quarantine, the IDS configuration is really simple
• Action on malicious packet: Log without dropping packet (default)
• Alert severity: Warning (default)
• Detection sensitivity: 100 % (default)

Detection Sensitivity
The possibility of adjusting the detection sensitivity has two main purposes
• Reducing the amount of alerts (false positives)
• Improving the performance of the managed hosts
Using lower values reduces the amount of false positives
• 10 %: maximum network performance, minimum alerts
• 50 %: only malicious patterns are verified and reported
• 100 %: all existing patterns are verified and reported

Monitoring Network Attacks
Possible network attacks can be monitored with several user interfaces
• Anti-Virus Client Security user interface
• Policy Manager Console
• Internet Shield web interface
The most common way is to use the Policy Manager Console
• Possibility of monitoring the whole policy domain, rather than a specific host

Example: Host Intrusion
Port scan on a specific host
• The local user interface reports alerts
  • 4 different static firewall rule hits (red)
  • 1 intrusion alert (FIN scan, yellow)

Monitoring Network Attacks Using the Policy Manager Console
The most recent attack is visible in the Anti-Virus Mode Summary tab
• Direct link to Internet Shield status information (affected host(s), attack time, etc.)

Summary
What can Internet Shield be used for?
Internet Shield remote administration
• Firewall configuration
• Network Quarantine configuration
• Application Control configuration
• Intrusion Prevention configuration
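The firewall rule-ordering and alerting principles from the Firewall Configuration section (dangerous denies first, common allows, alerting denies for probes, quiet denies for high-volume noise before the catch-all, deny everything else), as an added example that is not part of the F-Secure material: a first-match packet filter in Python. Rule names, the LAN 10.10.10.0/24 and all packets are constructed sample data; the rule semantics are a simplified model, not Internet Shield's own engine.

```python
# Added example (not F-Secure code): first-match packet filter modelling
# the rule ordering and alerting granularity recommended in the training deck.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    direction: str     # "in", "out" or "both"
    protocols: tuple   # e.g. ("tcp", "udp"); ("*",) matches any protocol
    ports: tuple       # destination ports; () matches any port
    remote: str        # remote network in CIDR notation
    alert: bool = False

@dataclass
class Packet:
    direction: str
    protocol: str
    port: int
    remote_ip: str

def matches(rule, pkt):
    return (rule.direction in ("both", pkt.direction)
            and ("*" in rule.protocols or pkt.protocol in rule.protocols)
            and (not rule.ports or pkt.port in rule.ports)
            and ip_address(pkt.remote_ip) in ip_network(rule.remote))

def evaluate(rules, pkt):
    """Return (action, alert, rule name) of the first rule that matches, top to bottom."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.alert, rule.name
    return "deny", True, "implicit-deny"   # never reached when a catch-all rule is last

# Constructed workstation rule set, ordered as the deck recommends. The quiet
# "drop-lan-broadcast" rule sits before the alerting inbound deny so that LAN
# NetBIOS broadcasts do not drown real alerts in noise.
WORKSTATION_RULES = [
    Rule("deny-telnet-out", "deny", "out", ("tcp",), (23,), "0.0.0.0/0", alert=True),
    Rule("allow-dns", "allow", "out", ("tcp", "udp"), (53,), "0.0.0.0/0"),
    Rule("allow-web", "allow", "out", ("tcp",), (80, 443), "0.0.0.0/0"),
    Rule("alert-smb-probe", "deny", "in", ("tcp",), (135, 139, 445), "0.0.0.0/0", alert=True),
    Rule("drop-lan-broadcast", "deny", "in", ("udp",), (137, 138), "10.10.10.0/24"),
    Rule("deny-all-inbound", "deny", "in", ("*",), (), "0.0.0.0/0", alert=True),
    Rule("deny-everything-else", "deny", "both", ("*",), (), "0.0.0.0/0"),
]
```

Removing the "drop-lan-broadcast" rule makes every NetBIOS broadcast hit the alerting "deny-all-inbound" rule, which is exactly the noise the Proper Alerting slide warns about.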
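The security level auto-selection table (Office / Mobile rules, read top to bottom, "Always" as the catch-all) and the Network Quarantine override (definitions older than 4 days or real-time scanning disabled), as an added example that is not part of the F-Secure material. It assumes that both methods of a rule must match (so the default "Always" second method is neutral); the gateway address 10.10.10.1, the quarantine level ID and the host records are constructed sample data.

```python
# Added example (not F-Secure code): models auto-selection rules plus the
# Network Quarantine override described in the training deck.
from datetime import date, timedelta

QUARANTINE_LEVEL = "networkquarantine"   # assumed ID, not taken from the deck
MAX_DEFINITIONS_AGE = timedelta(days=4)  # deck's default: 4 days

def method_matches(method, argument, host):
    """Evaluate one auto-selection method against the host's network state."""
    if method == "Never":
        return False                     # rule disabled, no argument needed
    if method == "Always":
        return True                      # argument disregarded
    if method == "Default Gateway IP Address":
        return host["gateway"] == argument
    raise ValueError(f"unknown method {method!r}")

def autoselect_level(rules, host):
    """Rules are read top to bottom; the first rule whose methods all match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if all(method_matches(m, a, host) for m, a in rule["methods"]):
            return rule["level"]
    return None

def quarantine_reasons(host, today):
    """The two host conditions monitored by Network Quarantine."""
    reasons = []
    if today - host["definitions_date"] > MAX_DEFINITIONS_AGE:
        reasons.append("virus definitions older than 4 days")
    if not host["realtime_scanning"]:
        reasons.append("real-time scanning disabled")
    return reasons

def effective_level(rules, host, today):
    """Quarantine takes precedence over whatever auto-selection would pick."""
    reasons = quarantine_reasons(host, today)
    if reasons:
        return QUARANTINE_LEVEL, reasons
    return autoselect_level(rules, host), []

# Rule table from the "Office Rule" / "Mobile Rule" slides; the gateway IP is a sample value.
AUTOSELECT_RULES = [
    {"priority": 1, "level": "40office",
     "methods": [("Default Gateway IP Address", "10.10.10.1"), ("Always", None)]},
    {"priority": 2, "level": "20office",
     "methods": [("Always", None), ("Always", None)]},
]
```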