F-SECURE ® ANTI-VIRUS CLIENT SECURITY ™ 6: VIRUS AND

advertisement
ADVANCED FUNCTIONALITY &
TROUBLESHOOTING
Agenda
Internet Shield Architecture
Advanced functionality
• IDS vs. packet filter
• Stateful packet filters
• Dynamic firewall rules
• Cisco Network Admission Control (NAC)
Troubleshooting
• Troubleshooting Internet Shield configurations
• Inspecting logfiles
Page 2
PROCESSES AND SERVICES
AVCS Processes
F-Secure Management Agent
• fameh32.exe, fch32.exe, fsih32.exe,
fsnrb32.exe, fsm32.exe, fsma32.exe,
fsmb32.exe, fsguidll.exe
F-Secure Virus & Spy Protection
• fsav32.exe, fsaw.exe, fsgk32.exe,
fsgk32st.exe, fsdfwd.exe, fsqh.exe, fsrw.exe,
fssm32.exe
F-Secure Automatic Update Agent
• fsbwsys.exe, F-Secure Automatic Update.exe
Page 4
Processes: FSMA
fsm32.exe
F-Secure Manager, displays the F- tray icon
fsma32.exe
F-Secure Management Agent (Service)
fsmb32.exe
Message Broker, processes communication between
the different modules of the various products
fsnrb32.exe
Handles the communication between the hosts and the
PMS
fameh32.exe
Alert and Messaging Handler, handles alert and log
forwarding
fch32.exe
Configuration Handler, reads the base policy files and
writes the incremental policy files
fsih32.exe
Installation Handler. Launches ilaunchr.exe during
installations
Page 5
Processes: Virus & Spy Protection
fsav32.exe
Anti-Virus Handler
fsaw.exe
F-Secure Ad-Watch (Browser Control)
fsdfwd.exe
Anti-Virus Firewall Daemon. Redirects e-mails to
the Scanner Manager (Service)
fsqh.exe
Handles object quarantine
fsgk32.exe
Gatekeeper Handler. Receives real-time scan
requests from the Gatekeeper
fsgk32st.exe Gatekeeper Handler Starter (Service)
fsrw.exe
F-Secure Reg-Watch (System Control)
fssm32.exe
Scanner Manager. Manages scanning engines
Page 6
Virus & Spy Protection Services
F-Secure Management Agent Environment
• NET STOP/START FSMA: fameh32.exe, fsaw.exe, fch32.exe, fsih32.exe,
fnrb32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, fsdfwd.exe, fsrw.exe, fsguidll.exe
F-Secure Gatekeeper Environment
• NET STOP/START FSGKHS: fsgk32.exe, fsgk32st.exe, fssm32.exe
F-Secure Automatic Update Environment
• NET STOP/START FSBWSYS: fsbwsys.exe, F-Secure Automatic Update.exe
Page 7
INTERNET SHIELD
ARCHITECTURE
Product Components
Desktop F-Secure Manager
User Interfaces
Firewall
Plug-ins
Services
Management Agent (FSMA)
Firewall Daemon
Email
Scanning Module
Dial-up Control
API Hook
Firewall Engine
Kernel
Packet Filter
IDS
Interceptor
Page 9
Firewall Engine
Fsdfw.sys
• Kernel mode component
• Firewall engine does the actual filtering
based on rules
• Intrusion detection, packet filtering and
application control are all done in
Firewall Engine
• IDS handles the packets before packet filter
• TDI Driver is taking care of connection request
filtering / checking which is needed for application
control
• TCP "listen", TCP "connect", UDP "listen",
UDP "sendto", RAWIP "create“
Page 10
Interceptor
Fsndis5.sys
• Kernel mode component
• Loaded by Firewall Engine (fsdfw.sys)
• Intercepting network traffic in the NDIS
layer
• Main purpose is to hook the network
traffic and forward it to firewall engine
Page 11
Dial-up Control
API Hooking
Fsdc.dll
• DC hooking DLL is injected into the
dialer process.
• RAS API calls are redirected to the DC
hooking DLL
• Allow or deny decision comes
through policy (whitelist) or
through user decision (prompt)
Page 12
Firewall Daemon
Fsdfwd.exe
• User mode component
• Receives alerts and status information directly
from firewall engine
• Reads everything from policy tables
• Reads connection information received from
TDI Driver
• Receives dial requests from the DC DLL and
makes the decision to allow or deny the
operation
• Sends firewall rules (filter) and IDS database to
firewall engine
• Writes ACTION.LOG and DIAL.LOG
Page 13
Firewall Plug-in
Fsdfwpi.dll
• User lnterface component
• IS Plug-in for F-Secure Manager
(fsm32.exe)
• Displays dialogs to the end user (note:
static firewall settings are handled by the
AV main & advanced GUI)
Page 14
ADVANCED FUNCTIONALITY
IDS VS. PACKET FILTER
Packet Filter Limitations
Intrusion Detection Systems are becoming more and more popular
• Packet filters aren’t enough to secure the corporate networks
• While a firewall closes all unused ports, it cannot protect you from
intentionally left open ports
• Closing all ports would affect the corporation’s operational requirements
Example: A corporation leaves open TCP 80, so that HTTP traffic can
reach the web server
• How can the firewall then protect the network against the countless HTTP
based exploits
• This is where IDS comes in…
Page 16
The Anti-Virus for your Network…
Basically, IDS does for your network what Anti-Virus does for your file
system
IDS Solutions
• Signature based engines
• Pre-defined patterns tell the system, what type of network traffic most
commonly correspond to an attack
• Heuristic engines
• The IDS learns over time, what patterns are considered normal for
your network
• Pro: Doesn’t rely on signatures, able to detect unknown patterns
• Contra: Increasing number of false positives
Page 17
Intrusion Detection System (IDS)
IDS engine is divided in 3 parts
• Generic IP engine
• UDP protocol engine
• TCP protocol engine
The system currently alerts on 31 malicous packets (13 IP, 5 UDP, 13
TCP)
• Database selected carefully to avoid false positives
Page 18
Was that Really a Network Worm?
Worm traffic
Firewall Engine
Header
Normal traffic
1
=> TCP <Port>
Packet Filter
Payload
None
Header
IDS
=> TCP <Port>
2
Payload
Worm
Page 19
STATEFUL PACKET FILTERS
Stateful Packet Filter
The firewall keeps a log of all open connections and the current state
of all active connections
Maintains a database of allowed and active IP based connections
• Uses the connection database to check if the datagram is part of an
accepted connection
Works for all IP Protocols (most common TCP, UDP and ICMP)
Page 21
Echo Outbound (Ping):
Static Filter
Host B
Responder
Host A
Initiator
Echo
Echo Reply
Following packet filter rules are needed
• Outbound: allow echo (Protocol: ICMP, Type: 8)
• Inbound: allow echo reply (Protocol: ICMP, Type: 0)
Page 22
Echo Outbound (Ping):
Stateful Filter
Host B
Responder
Host A
Initiator
Echo
Echo Reply
Listen
ICMP, 0
Following packet filter rules are needed
• Outbound: allow echo (Protocol: ICMP, Type: 8)
Page 23
APPLICATION CONTROL
DYNAMIC FIREWALL RULES
Static Rules vs. Dynamic Rules
The Internet Shield stateful packet filter works with two kinds of rules
types
Static rules
• Included in the pre-defined security levels or created by administrators
• Applied to domains or host via security levels (on PMC), always valid!
Dynamic rules
• Created on the host at application launch (not related to security levels)
• Valid as long as the process is running
• Created only for server network applications opening a listening connection
Page 25
Dynamic Firewall Rules
Where to check them...?
Dynamic firewall rules can only be viewed in the Policy Manager
Console
• There is no reporting of such rules back to the Policy Manager Server
• The rules can be viewed from the local advanced user interface or in
specific logfiles (fulldiag.htm)
Static Rules
Dynamic Rules
Page 26
Firewall Dynamic Rules
Placement
Dynamic firewall rules are placed between the second last packet filter
rule and the deny all rule
• The catch rule is not blocking inbound traffic, which matches one of many
dynamic listening rules!
• Block unwanted inbound traffic with specific static rules!
Page 27
Firewall Dynamic Rules
Operation
Host C
4
X
2 Listen TCP 110 <= 0.0.0.0/0
Host A
Host B
3
1 POP3 Server
Page 28
CISCO NETWORK
ADMISSION CONTROL
System Components
NAC is built from components of Cisco and various third party vendors
(e.g. F-Secure)
Cisco components
• Cisco Trust Agent (CTA)
• Cisco IOS Network Access Device (NAD)
• Access Control Server (ACS)
F-Secure components
CTA
FS Plug-in
ACS
• Policy Manager Console
• Cisco NAC support plug-in
NAD
Page 30
Cisco Trust Agent (CTA)
One of the core components of the
NAC system
• Must be installed on each client,
whose policy state is to be validated
before permitting network access
• Can be rolled out with PMC
• Checks Anti-Virus Client Security for
the following posture validation
attributes
Page 31
F-Secure Plug-in for Cisco NAC
Used by the Cisco Trust Agent, when
checking the posture validation attributes
of Anti-Virus Client Security
• Posture validation attributes are
• Virus definitions update status
• Real-time scanning protection status
• Firewall protection status
• Installed at the same time as CTA is
installed
• Intelligent or policy based installation
with PMC
Page 32
Cisco Network Access Device (NAD)
The NAD permits or denies network access
• Begins the client posture validation
• Typically a Cisco router
Page 33
Cisco Access Control Server (ACS)
ACS is responsible for obtaining and evaluating the posture validation
attributes
• Determines the overall system posture
• Provides the appropriate network access policy to the NAD, based on the
system posture
ACS configuration example
• Healthy: Full network access granted
• Checkup: Outdated virus definitions => usually no access restrictions
• Quarantine: Outdated virus definitions during outbreak => access
restrictions
• Unknown: No Cisco Trust Agent installed => access restrictions
Page 34
TROUBLESHOOTING
Typical Connection Problems
Application Level (Application connection control)
• Application was by mistake denied from establishing connections
• Acting as client (e.g. Internet Explorer)
• Acting as server (e.g. nslookup)
Firewall Level (NDIS Layer)
• Firewall blocks or allows all or certain connections
• Second Firewall is installed (e.g XP firewall, overblocking traffic)
• Firewall allows certain traffic, even though you have no specific allow rules
• Remember the Application Control dynamic rules
• Create specific static deny rules (or use pre-defined security levels)
Page 36
Analyzing Internet Shield Problems
Recommended ways to analyze Internet Shield problems are
1. Locally: Using the AVCS user interface
2. Remotely: Using Internet Shield web interface or console
2
1
Page 37
Local Troubleshooting
Firewall Rules
Static rules (outbound and inbound)
• Any rules blocking traffic?
• Any rules allowing unnecessary
inbound traffic?
Dynamic rules
• Any applications running, which allow
unwanted inbound traffic?
Page 38
Local Troubleshooting
Firewall Settings
Trusted Interface
• Make sure that this setting is locked
(PMC => Advanced interface)
• If adapters are trusted, all traffic
passes unfiltered!
Suspicious traffic alerting
• Don’t enable alerting of illegal
packets (will create unnecessary
alerts, increasing the size of your
commdir)
• Can be used for debugging purposes
on specific hosts
Page 39
Local Troubleshooting
Application Control Rules
Application Connection Control list
• Listing all connection rules
• Separate row for server and
client applications
• To avoid wrong user decisions,
configure Application Control as
follows
• First create a detailed application
list (using test computers)
• After that, deny all new, unknown
connections (client and server
applications!)
Page 40
Local Troubleshooting
Main Logfiles
Two main log files
• Action log; All firewall actions
• Packet log; All packets (header +
payload)
Page 41
Remote Troubleshooting
Internet Shield Web Interface
HTTP interface, providing you with the following
information
• Firewall Rules
• Active security level
• FW rules (grey: enabled, white: disabled)
• Services
• Pre-defined and custom services
• Firewall alerts
• Including detailed information
All information seen in the web interface is in
real-time!
• Compared to the console, where you always have
a certain delay
Page 42
Example: Remote Troubleshooting
Remote administration often works
best when combining different
tools
• Problem: Security Level on host
doesn’t change (eventhough
setting is final and forced down)
• Using remote web interface
tells you the current active level
• Solution: Currently selected
security level is not enabled,
therefore even forcing setting
change doesn’t work
• Enable it and distribute the
policies
Page 43
Testing Firewall Configurations
Problem: You don’t know if the security level holds up against different
kind of network attacks
• Select a host which currently has the security level in question active
• Run a full portscan (e.g. using nmap portscan tool)
• Only target that specific host
• Never run portscans in production networks! (unless you are responsible for
the network)
Page 44
Example: RPC Port Scan
Portscan Tool: nmap (available at www.insecure.org)
Type of scan: RPC scan (Remote Procedure Call related ports)
Security Level: Custom (no static rules, active dynamic rules!)
Page 45
F-Secure Diagnostics Tool
FSDIAG.EXE
Diagnostics tool included in the
installation package
• Collects important system information
(eg. logfiles) to an archive on the local
disk
Access points
• C:\Program Files\F-Secure\Common\
fsdiag.exe
• Fsdiag.tar.gz in the same directory
Page 46
Analyzing FSDIAG
System information
• osver.log
AVCS internal alerts
• logfile.log
• hardware.log
• netstart.log
• system.evt
Network information
Firewall overview
• fulldiag.htm
Virus definitions update information
• ipconfig.log
• header.ini
• route.log
• daas.log
Conflicting Software
• appliation.evt
• reg_run.log
Page 47
Summary
Internet Shield Architecture
Advanced functionality
• IDS vs. packet filter
• Stateful packet filters
• Dynamic firewall rules
• Cisco Network Admission Control (NAC)
Troubleshooting
• Troubleshooting Internet Shield configurations
• Inspecting logfiles
Page 48
Download