
ADMINISTERING INTERNET SHIELD


  • Slide 1: ADMINISTERING INTERNET SHIELD
  • Slide 2: Agenda
    • What can Internet Shield be used for?
    • Administering Internet Shield
    • Firewall configuration
    • Network Quarantine configuration
    • Application Control configuration
    • Intrusion Prevention configuration
  • Slide 3: Internet Shield: What For?
    • Internet Shield protects computers from unauthorized access from the internet, as well as from attacks originating inside the LAN
    • Core protection components and their purpose:
      • Firewall: restricts traffic based on the protocols and ports used
      • Application Control: prevents malicious programs from sending information out of the computer (trojan defense)
      • Intrusion Prevention: stops malicious packets aimed at open ports (network attacks)
  • Slide 4: Network Attack: Managed Network (diagram)
    • Elements: Web Server, Managed Mobile Host, Managed Hosts, F-Secure Policy Manager
    • Legend: Worm traffic (blocked, marked x), Policy traffic
  • Slide 5: Network Attack: Unmanaged Network (diagram)
    • Elements: Web Server, Unmanaged Mobile Host, Unmanaged Hosts, Unmanaged File Server, VPN tunnel
    • Legend: Worm traffic (marked x), Trojan traffic
  • Slide 6: INTERNET SHIELD ADMINISTRATION INTERFACE
  • Slide 7: Remote Administration
    • The Policy Manager Console offers two different graphical interfaces:
      • Anti-Virus Mode: optimized for administering F-Secure Anti-Virus Client Security (AVCS)
      • Advanced Mode: used for deeper product configuration; products other than AVCS have to be administered in this mode
    • Some settings are only available in Advanced Mode!
  • Slide 8: Anti-Virus Mode
    • Message view: informative messages, e.g. virus definitions update info
    • Management tabs: host configuration and monitoring; operations management
    • Policy domain tab: displays the policy domain structure
  • Slide 9: Advanced Mode
    • Message view: informative messages, e.g. virus definitions update info
    • Policy properties pane: host configuration and monitoring; operations management
    • Product help: field focus help, if the policy properties tab is selected
    • Product view pane: provides the most common settings; its functions differ depending on the selected properties tab (e.g. policy tab)
  • Slide 10: Anti-Virus Mode Summary Tab
    • Policy Manager section: policy distribution status; virus and spyware definitions status; autoregistration requests
    • Internet Shield section: active security level (if a host is selected); latest attack (host or whole domain)
    • Virus protection section: real-time protection status; infections (host or whole domain); virus definitions status (host or domain)
    • Domain/Host section: displays the most important information; more detailed for hosts (e.g. UID); host alert summary
  • Slide 11: Anti-Virus Mode Internet Shield Settings
    • Firewall Security Levels: define the security level for host(s); enable, disable or add security levels; configure firewall components (e.g. Network Quarantine); enable or disable firewall components (e.g. Application Control)
    • Firewall Rules: define rules for existing or added security levels
    • Firewall Services: edit existing services or create your own custom services
    • Application Control: define rules for unknown applications reported by hosts
  • Slide 12: FIREWALL CONFIGURATION
  • Slide 13: Internet Shield Security Levels
    • F-Secure Internet Shield provides administrators with predefined security levels; each of them has a set of pre-configured firewall rules
    • They provide an easy and fast way of defining different policies on different domain levels
    • The security levels are created so that they suit most corporations; in general, no changes are needed
    • The console provides the possibility to change existing security levels, or to create completely new ones (from scratch)
  • Slide 14: Provided Security Levels
    • There are seven predefined security levels: Mobile, Home, Office (default), Strict (disabled), Normal (disabled), Custom (disabled), Network Quarantine
    • The Block all and Disabled (allow all traffic) levels cannot be edited!
    • Network Quarantine is a special security level used by the Intelligent Network Access (INA) feature
  • Slide 15: Security Levels Structure (diagram)
    • 1: SECURITY LEVEL
    • 2: RULES, e.g. "Allow Web Browsing"
    • 3: SERVICES, e.g. HTTP / Hyper Text Transfer Protocol (out), HTTPS (SSL) (out), FTP / File Transfer Protocol (out)
  • Slide 16: Fine-tuning Security Levels
    • Define the location for sub-domain and host specific rules (only possible on root level!)
    • Choose the security level to edit
    • Disable/enable rules (doesn't delete the rule!)
    • Edit, add or clear (delete) rules
    • Restore or force security levels (choice: active or all security levels)
    • Allow and place user-defined rules (recommended to leave disabled)
  • Slide 17: Using Security Level Autoselection
    • The auto-selection feature enables automatic switching between different Internet Shield security levels, based on specific arguments
    • Rules are read from top to bottom (the first matching rule is applied)
    • The specified arguments (IP address or network) refer to pre-defined methods (e.g. Default Gateway IP address)
    • Never: disables the rule (no argument needed)
    • Always: applies the rule, argument disregarded (used for the last rule)
  • Slide 18: Creating Auto-selection Rules
    • Goal: hosts connected to the LAN should automatically use the Office security level, and hosts outside the LAN should switch to the Mobile security level
  • Slide 19: Office Rule
    • Priority: 1
    • Security Level: 40office (security level ID)
    • Method1: Default Gateway IP Address (most common method)
    • Argument1:
    • Method2: Always (default method)
  • Slide 20: Mobile Rule
    • Priority: 2 (doesn't automatically increment!)
    • Security Level: 20office (security level ID)
    • Method1: Always (last catch rule)
    • Argument1: no argument needed
    • Method2: Always (default method)
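The auto-selection rules of slides 17 to 20, modelled in Python as an added example (not F-Secure code): rules are evaluated in priority order and the first one whose methods match selects the level. It assumes that a rule fires only when both Method1 and Method2 match (Always being the neutral default), and the LAN default gateway address 10.10.10.1 is a constructed value, since slide 19 leaves Argument1 blank.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AutoSelectRule:
    priority: int             # rules are read in priority order; not auto-incremented
    security_level: str       # security level ID as printed on the slides, e.g. "40office"
    method1: str              # "Default Gateway IP Address", "Always" or "Never"
    argument1: str = ""       # IP address or network for method1; none for Always/Never
    method2: str = "Always"   # default second method
    argument2: str = ""

def method_matches(method, argument, gateway):
    """Evaluate one selection method against the host's current default gateway."""
    if method == "Never":     # disables the rule, no argument needed
        return False
    if method == "Always":    # applies regardless of argument; used for the last catch rule
        return True
    if method == "Default Gateway IP Address":
        return ip_address(gateway) in ip_network(argument, strict=False)
    raise ValueError(f"unknown method: {method}")

def select_security_level(rules, gateway):
    """Return the level ID of the first rule (lowest priority number) whose methods match.

    Assumption (not stated on the slides): both methods must match for a rule to fire.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if (method_matches(rule.method1, rule.argument1, gateway)
                and method_matches(rule.method2, rule.argument2, gateway)):
            return rule.security_level
    return None               # no rule matched

LAN_GATEWAY = "10.10.10.1"    # constructed value; slide 19 leaves Argument1 blank
AUTOSELECT_RULES = [
    # Office rule (slide 19): LAN hosts are recognised by their default gateway
    AutoSelectRule(1, "40office", "Default Gateway IP Address", LAN_GATEWAY),
    # Mobile rule (slide 20): last catch rule for hosts outside the LAN
    AutoSelectRule(2, "20office", "Always"),
]
```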
  • Slide 21: Principles for Designing Firewall Rules
    • Allow only the needed services, deny all the rest
    • In this way the security risk is minimized and well known
    • The drawback is that when new services are needed the firewall must be reconfigured, but this is a small price for the security
    • The opposite concept, to deny only dangerous services and allow the rest, is not acceptable: no one can tell with certainty which services are dangerous or might become dangerous in the future when a new security problem is discovered
  • Slide 22: Principles for Designing Firewall Rules
    1. Deny rules for the most dangerous services or hosts, optionally with alerting
    2. Allow rules for much-used common services and hosts
    3. Deny rules for specific services you want alerts about, e.g. trojan probes, with alerting
    4. More general allow rules
    5. Deny everything else
  • Slide 23: Proper Alerting
    • Proper alerting can only be done by having proper granularity in the rule set: one rule for each type of alert you want
    • Broad rules will generate a lot of alerts, and any important information may be lost in large volumes of useless noise
    • If you really want alerts on the last rule (deny everything else), it might be a good idea to have deny rules without alerting before it that drop high-volume traffic of little interest
    • A bad decision would be to alert on network broadcasts in a corporate LAN
  • Slide 24: Good Practice
    • Allow only the needed services, deny the rest
    • Keep it simple and efficient
    • For normal workstations, deny all inbound traffic
    • As an optional security measure, deny services that transfer confidential information (passwords etc.) over the network: deny POP, IMAP, SMTP, FTP, Telnet etc. to 0.0.0.0/0
  • Slide 25: Example: Simple Ruleset
    • Outbound traffic: the first rule allows outbound TCP & UDP to everywhere (for example, web browsing is possible)
    • Protocols used during web browsing: TCP port 80 (HTTP); TCP or UDP port 53 (DNS)
    • Bi-directional traffic: the second rule drops all other traffic
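The simple ruleset above, combined with the rule-ordering and alerting principles of slides 22 and 23 and the Windows networking ports of slide 28, modelled as a first-match packet filter in Python. This is an added example, not F-Secure code or the product's rule format; the Rule and Packet types, rule names and sample addresses are constructed, and the LAN range 10.10.10.0/24 is taken from slide 30.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in", "out" or "both"
    proto: str             # "tcp", "udp", "icmp" or "any"
    ports: frozenset       # destination ports; empty = any port
    remote: str            # remote host or network in CIDR notation
    alert: bool = False    # raise an alert when this rule fires
    name: str = ""

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dport: int
    remote: str

def matches(rule, pkt):
    return (rule.direction in ("both", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and (not rule.ports or pkt.dport in rule.ports)
            and ip_address(pkt.remote) in ip_network(rule.remote))

def evaluate(rules, pkt):
    """Rules are read top-down; return (action, alert, name) of the first match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.alert, rule.name
    raise RuntimeError("no catch-all rule: put 'deny everything else' last")

ANY = "0.0.0.0/0"
LAN = "10.10.10.0/24"      # LAN address range shown on slide 30
DESKTOP_RULES = [
    # 1. deny the most dangerous services first, with alerting (ports from slide 28)
    Rule("deny", "in", "tcp", frozenset({135, 139, 445}), ANY, alert=True, name="deny RPC/SMB in"),
    # 2./4. allow outbound TCP and UDP to everywhere (simple ruleset, slide 25)
    Rule("allow", "out", "tcp", frozenset(), ANY, name="allow TCP out"),
    Rule("allow", "out", "udp", frozenset(), ANY, name="allow UDP out"),
    # silent deny for high-volume LAN NetBIOS noise, placed before the alerting catch-all (slide 23)
    Rule("deny", "in", "udp", frozenset({137, 138}), LAN, name="drop NBT noise"),
    # 5. deny everything else, with alerting
    Rule("deny", "both", "any", frozenset(), ANY, alert=True, name="deny everything else"),
]
if __name__ == "__main__":   # constructed sample traffic
    for pkt in (Packet("out", "tcp", 80, "198.51.100.20"), Packet("in", "tcp", 445, "203.0.113.9"),
                Packet("in", "udp", 138, "10.10.10.7"), Packet("in", "tcp", 22, "203.0.113.9")):
        print(pkt, "->", evaluate(DESKTOP_RULES, pkt))
```

Moving the "drop NBT noise" rule below the catch-all would turn every LAN NetBIOS datagram into an alert, which is exactly the noise slide 23 warns about.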
  • Slide 26: Basic Desktop Policy (diagram)
    • Managed host: inbound traffic blocked (marked x); outbound traffic allowed for TCP, UDP and ICMP
  • Slide 27: Basic Desktop Policy
  • Slide 28: Port / Description
    • 135: RPC (Remote Procedure Call) / DCOM (Distributed Component Object Model). Allows a remote computer to send commands to another computer. Used by services like DNS (Domain Name System)
    • 137, 138 & 139: Windows Networking using SMB over NBT (NetBIOS) (Windows NT and 9x)
    • 445: Windows Networking using SMB directly over TCP (Windows 2000 and later)
    • SMB over NetBIOS... still needed?
  • Slide 29: Windows Networking Rules
  • Slide 30: More Strict Desktop Policy (diagram)
    • Managed host with inbound traffic blocked (marked x) and outbound traffic to a DNS Server, Mail Server and File Server (drawn with host addresses .53, .110 and .139)
    • Networks: DMZ 194.197.29.0/24; LAN 10.10.10.0/24
    • Legend: Inbound traffic; Outbound traffic; External (allowed); External (denied); Internal (allowed)
    • Traffic labels: TCP; SMTP and POP, IMAP (shown once as allowed and once as denied); SMB; DNS
  • Slide 31: More Strict Desktop Policy
  • Slide 32: NETWORK QUARANTINE CONFIGURATION
  • Slide 33: Who Is Connecting To My Network?
    • It is in the interest of every corporation to prevent unauthorized hosts from connecting to the company network
    • Virus infections in data networks have become an increasingly serious problem
    • Physically guarding network sockets is not going to be the solution
    • An automated system is needed, checking the host protection before gra
