ADMINISTERING INTERNET SHIELD

ADMINISTERING INTERNET SHIELD. Page 2 Agenda What can Internet Shield be used for? Administering Internet Shield Firewall configuration Network Quarantine





Page 2

Agenda

What can Internet Shield be used for?

Administering Internet Shield

• Firewall configuration

• Network Quarantine configuration

• Application Control configuration

• Intrusion Prevention configuration


Page 3

Internet Shield…What For?

Internet Shield protects computers from unauthorized access from the internet, as well as from attacks originating inside the LAN

Core protection components and purpose

• Firewall

• Restricts traffic based on the protocols and ports used

• Application Control

• Prevents malicious programs from sending information out of the computer (trojan defense)

• Intrusion Prevention

• Stops malicious packets aimed at open ports (network attacks)


Page 4

Network Attack: Managed Network

[Diagram: Web Server, Managed Mobile Host, Managed Hosts and F-Secure Policy Manager; arrows for worm traffic (blocked, marked x) and policy traffic]


Page 5

Network Attack: Unmanaged Network

[Diagram: Web Server, Unmanaged Mobile Host, Unmanaged Hosts and Unmanaged File Server connected over a VPN tunnel; arrows for worm traffic (marked x) and trojan traffic]


INTERNET SHIELD ADMINISTRATION INTERFACE


Page 7

Remote Administration

The Policy Manager Console offers two different graphical interfaces

• Anti-Virus Mode

• Optimized for administering F-Secure Anti-Virus Client Security

• Advanced Mode

• Used for deeper product configurations

• Products other than AVCS have to be administered with this mode

• Some settings are only available in this mode!


Page 8

Anti-Virus Mode

Message view
• Informative messages
• e.g. virus definitions update info

Management tabs
• Host configuration and monitoring
• Operations management

Policy domain tab
• Displays policy domain structure


Page 9

Advanced Mode

Message view
• Informative messages
• e.g. virus definitions update info

Policy properties pane
• Host configuration and monitoring
• Operations management

Product help
• Field focus help, if the policy properties tab is selected

Product view pane
• Provides the most common settings
• Functions differ for the selected properties tab (e.g. policy tab)


Page 10

Anti-Virus Mode: Summary Tab

Policy Manager section
• Policy distribution status
• Virus and spyware definitions status
• Autoregistration requests

Internet Shield section
• Active security level (if host selected)
• Latest attack (host or whole domain)

Virus protection section
• Real-time protection status
• Infections (host or whole domain)
• Virus definitions status (host or domain)

Domain/Host section
• Displays the most important information
• More detailed for hosts (e.g. UID)
• Host alert summary


Page 11

Anti-Virus Mode: Internet Shield Settings

Firewall Security Levels
• Define security level for host/s
• Enable/disable/add security levels
• Configure firewall components (e.g. Network Quarantine)
• Enable/disable firewall components (e.g. Application Control)

Firewall Rules
• Define rules for existing or added security levels

Firewall Services
• Edit existing services or create your own custom services

Application Control
• Define rules for unknown applications reported by hosts


FIREWALL CONFIGURATION


Page 13

Internet Shield Security Levels

F-Secure Internet Shield provides administrators with predefined security levels

• Each of them has a set of pre-configured firewall rules

• They provide an easy and fast way of defining different policies on different domain levels

The security levels are designed so that they suit most corporations

• In general, no changes are needed

• The console provides the possibility to change existing security levels or to create completely new ones from scratch


Page 14

Provided Security Levels

There are seven predefined security levels

• Mobile, Home, Office (default), Strict (disabled), Normal (disabled), Custom (disabled), Network Quarantine

• “Block all” and “Disabled” (allow all traffic) levels cannot be edited!

• Network Quarantine is a special security level used by the Intelligent Network Access (INA) feature


Page 15

Security Levels Structure

[Diagram: a security level (1) contains rules (2), e.g. "Allow Web Browsing"; each rule references services (3)]

SERVICES
• HTTP / Hyper Text Transfer Protocol out
• HTTPS (SSL) out
• FTP / File Transfer Protocol out


Page 16

Finetuning Security Levels

Define location for sub-domain and host specific rules
• Only possible on root level!

Choose the security level to edit

Disable/Enable rules
• Doesn’t delete the rule!

Edit, add or clear (delete) rules

Restore or force security levels
• Choice: Active or all security levels

Allow and place user defined rules
• Recommended to leave “disabled”


Page 17

Using Security Level Autoselection

The auto-selection feature enables automatic switching between different Internet Shield security levels, based on specific arguments

• Rules are read from top to bottom (the first matching rule is applied)

• The specified arguments (IP address or network) refer to pre-defined methods (e.g. Default Gateway IP address)

• Never: Disables the rule (no argument needed)

• Always: Applies the rule, argument disregarded (used as the last rule)


Page 18

Creating Auto-selection Rules

Goal

• Hosts connected to the LAN should automatically use the ”Office” security level, and hosts outside the LAN should switch to the ”Mobile” security level


Page 19

Office Rule

Priority: 1

Security Level: 40office (security level ID)

Method1: Default Gateway IP Address (most common method)

Argument1: <Gateway IP address>

Method2: Always (default method)


Page 20

Mobile Rule

Priority: 2 (doesn’t automatically increment!)

Security Level: 20office (security level ID)

Method1: Always (last catch rule)

Argument1: No argument needed

Method2: Always (default method)
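The two rules above evaluated the way the slides describe (first match by priority, Never/Always/Default Gateway methods), as an added example that is not F-Secure code. It assumes both methods of a rule must match, uses the level names Office/Mobile instead of the console's level IDs (40office on the slide), and stands in the constructed gateway 10.10.10.1 for <Gateway IP address>. It also lints for the two mistakes the slides warn about: a priority that was not incremented and an Always rule that is not last.

```python
"""Auto-selection of an Internet Shield security level, modelled on the
Office/Mobile rules above. Added example, not F-Secure code. Assumes both
methods of a rule must match (Method2 "Always" is the neutral default) and
that the lowest priority number is evaluated first."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class AutoSelectRule:
    priority: int
    security_level: str              # console uses IDs (40office); names here
    method1: str
    argument1: Optional[str] = None
    method2: str = "Always"          # default method
    argument2: Optional[str] = None


def method_matches(method: str, argument: Optional[str], host: dict) -> bool:
    """Evaluate one method against the host's current network state."""
    if method == "Never":            # disables the rule, argument not needed
        return False
    if method == "Always":           # argument disregarded
        return True
    if method == "Default Gateway IP Address":
        gateway = host.get("default_gateway")
        if gateway is None or argument is None:
            return False             # no gateway (offline) can never match
        # the argument may be a single address or a network such as 10.10.10.0/24
        return ip_address(gateway) in ip_network(argument, strict=False)
    raise ValueError(f"unknown method: {method}")


def select_security_level(rules: List[AutoSelectRule], host: dict) -> Optional[str]:
    """Rules are read top to bottom by priority; the first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (method_matches(rule.method1, rule.argument1, host)
                and method_matches(rule.method2, rule.argument2, host)):
            return rule.security_level
    return None


def lint_rules(rules: List[AutoSelectRule]) -> List[str]:
    """Flag the mistakes the slides warn about: priorities that were not
    incremented by hand (duplicates) and an Always rule that is not last."""
    problems = []
    ordered = sorted(rules, key=lambda r: r.priority)
    priorities = [r.priority for r in ordered]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate priorities: evaluation order is ambiguous")
    for index, rule in enumerate(ordered):
        if rule.method1 == "Always" and index != len(ordered) - 1:
            problems.append(f"rule {rule.priority} uses Always but is not the "
                            "last rule; later rules can never match")
    return problems


# Constructed sample: 10.10.10.1 stands in for <Gateway IP address>
RULES = [
    AutoSelectRule(1, "Office", "Default Gateway IP Address", "10.10.10.1"),
    AutoSelectRule(2, "Mobile", "Always"),   # last catch rule
]
```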


Page 21

Principles for Designing Firewall Rules

Allow only the needed services, deny all the rest

• This way the security risk is minimized and well understood

• The drawback is that when new services are needed the firewall must be reconfigured, but this is a small price for the security gained

The opposite concept, to deny only dangerous services and allow the rest, is not acceptable

• No one can tell with certainty which services are dangerous or might become dangerous in the future when a new security problem is discovered.


Page 22

Principles for Designing Firewall Rules

1. Deny rules for the most dangerous services or hosts, optionally with alerting

2. Allow rules for much-used common services and hosts

3. Deny rules for specific services you want alerts about, e.g. trojan probes, with alerting

4. More general allow rules

5. Deny everything else


Page 23

Proper Alerting

Proper alerting can only be done by having proper granularity in the rule set: one rule for each type of alert you want

• “Broad” rules generate a lot of alerts, and important information may be lost in large volumes of useless noise

If you really want alerts on the last rule (deny everything else), it is a good idea to place deny rules without alerting before it that drop high-volume traffic of little interest

A bad decision would be to alert on network broadcasts in a corporate LAN


Page 24

Good Practice

Allow only the needed services, deny the rest

Keep it simple and efficient

For normal workstations, deny all inbound traffic

For optional security measures, deny services that transfer confidential information (passwords etc.) over the network

• Deny POP, IMAP, SMTP, FTP, Telnet etc to 0.0.0.0/0


Page 25

Example: Simple Ruleset

Outbound traffic

• First rule allows outbound TCP & UDP to everywhere (for example web browsing is possible)

• Protocols used during web browsing

• TCP port 80 (HTTP)

• TCP or UDP port 53 (DNS)

Bi-directional traffic

• Second rule drops all other traffic
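A first-match ruleset laid out in the order of the "Principles for Designing Firewall Rules" slide, with the "Proper Alerting" refinement (a non-alerting drop for LAN broadcasts placed before the alerting deny-all) and the simple ruleset's general outbound allow. Added example, not Internet Shield code; ports, addresses and the 10.10.10.0/24 LAN are constructed sample values.

```python
"""First-match packet filter in the order the slides recommend: deny
dangerous services (alert), allow common services, deny alert-worthy
services (alert), general allow, deny everything else (alert).
Added example, not Internet Shield code; values are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    direction: str                   # "in" or "out", as seen from the host
    proto: str                       # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: Optional[int] = None   # None for ICMP


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    alert: bool = False
    direction: Optional[str] = None  # None matches both directions
    protos: tuple = ("tcp", "udp", "icmp")
    ports: frozenset = frozenset()   # empty = any destination port
    dst_net: str = "0.0.0.0/0"

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in (None, pkt.direction):
            return False
        if pkt.proto not in self.protos:
            return False
        if self.ports and pkt.dst_port not in self.ports:
            return False
        return ip_address(pkt.dst_ip) in ip_network(self.dst_net)


RULESET = [
    # 1. Deny the most dangerous services inbound, with alerting
    Rule("deny-windows-networking-in", "deny", True, "in", ("tcp",),
         frozenset({135, 139, 445})),
    # 2. Allow much-used common services (web browsing: HTTP/HTTPS and DNS)
    Rule("allow-web-out", "allow", False, "out", ("tcp",), frozenset({80, 443})),
    Rule("allow-dns-out", "allow", False, "out", ("tcp", "udp"), frozenset({53})),
    # 3. Deny services carrying cleartext credentials, with alerting
    Rule("deny-cleartext-out", "deny", True, "out", ("tcp",),
         frozenset({21, 23, 25, 110, 143})),
    # 4. More general allow rule: all other outbound TCP/UDP
    Rule("allow-outbound-any", "allow", False, "out", ("tcp", "udp")),
    # Drop high-volume LAN noise WITHOUT alerting so the catch-all stays useful
    Rule("drop-lan-broadcasts", "deny", False, "in", ("udp",),
         frozenset({137, 138}), "10.10.10.255/32"),
    # 5. Deny everything else, with alerting
    Rule("deny-all", "deny", True),
]


def evaluate(pkt: Packet, ruleset=RULESET):
    """Return (action, alert, rule name) from the first matching rule."""
    for rule in ruleset:
        if rule.matches(pkt):
            return rule.action, rule.alert, rule.name
    raise RuntimeError("ruleset lacks a catch-all rule")


def alert_counts(packets, ruleset=RULESET) -> Counter:
    """Alerts each rule would raise for a traffic sample (noise check)."""
    counts = Counter()
    for pkt in packets:
        _, alert, name = evaluate(pkt, ruleset)
        if alert:
            counts[name] += 1
    return counts
```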


Page 26

Basic Desktop Policy

[Diagram: managed host; inbound traffic blocked (x); outbound traffic: TCP, UDP, ICMP]


Page 27

Basic Desktop Policy


Page 28

Port            Description

135             RPC (Remote Procedure Call) / DCOM (Distributed Component Object Model). Allows a remote computer to send commands to another computer. Used by services like DNS (Domain Name System)

137, 138 & 139  Windows Networking using SMB over NBT (NetBIOS) (Windows NT and 9x)

445             Windows Networking using SMB directly over TCP (Windows 2000 and later)

SMB over NetBIOS... still needed?


Page 29

Windows Networking Rules


Page 30

More Strict Desktop Policy

[Diagram: managed host on LAN 10.10.10.0/24; DNS Server, Mail Server and File Server in DMZ 194.197.29.0/24 (.53, .110, .139); inbound traffic blocked (x); outbound traffic shown as external (allowed), external (denied) and internal (allowed, TCP); services: SMTP, POP, IMAP, SMB, DNS]


Page 31

More Strict Desktop Policy


NETWORK QUARANTINE CONFIGURATION


Page 33

Who Is Connecting To My Network?

It is in the interest of every corporation to prevent unauthorized hosts from connecting to the company network

• Virus infections in data networks have become an increasingly serious problem

Physically guarding network sockets is not going to be the solution

• An automated system is needed that checks the host protection before granting network access

• Anti-Virus protection status (e.g. real-time protection check)

• Firewall protection status (e.g. packet filter status check)


Page 34

Policy Manager Network Security

Policy Manager Server provides two different solutions

Network Admission Control (NAC)

• Solution developed by Cisco Systems

• Supported by Anti-Virus Client Security 6.x

• No centralized management

Network Quarantine (a.k.a. Intelligent Network Access INA)

• Solution developed by F-Secure

• Complete integration in Internet Shield

• Centralized management possible


Page 35

Using Network Quarantine

Network Quarantine is disabled by default

• Very simple to enable (Firewall Security Levels/Network Quarantine)

• Monitors two host conditions

• Virus definitions update status (age; default setting 4 days)

• Real-time scanning status

• If either condition applies, the host is quarantined (its security level switches to “Network Quarantine”)


Page 36

Example: Host Access Restrictions

Network traffic is restricted

• Reason: Real-time scanning is disabled

• Solution: Re-enable real-time scanning

Important: Administrators should restrict changes to system critical settings!


Page 37

Network Quarantine Security Level

Access limited to F-Secure Update Servers

• Automatic Update Server/s

• Automatic Update Proxy/ies

• F-Secure Root Update Server

Network access will be granted once the computer has

• Re-activated real-time scanning

• Updated the virus definitions
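The quarantine logic of the "Using Network Quarantine" and "Network Quarantine Security Level" slides as an added example (not F-Secure code): the two monitored conditions, the switch into and back out of the "Network Quarantine" level, and the restriction of that level to the update servers. The current time, host records and update server addresses are constructed sample values; the 4-day definition age is the default the slides give.

```python
"""Network Quarantine decision modelled on the slides: a host whose virus
definitions are older than the configured age (default 4 days) or whose
real-time scanning is off is switched to the "Network Quarantine" level,
which only allows traffic to the update servers. Added example, not
F-Secure code; timestamps and server addresses are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List

NOW = datetime(2024, 1, 10, 12, 0)        # constructed "current time"


def days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


@dataclass
class HostStatus:
    hostname: str
    realtime_scanning: bool
    definitions_updated: datetime
    security_level: str = "Office"


@dataclass
class QuarantineConfig:
    enabled: bool = False                 # disabled by default
    max_definition_age_days: int = 4      # default setting 4 days
    # Constructed addresses standing in for the Automatic Update Server,
    # an Automatic Update Proxy and the F-Secure Root Update Server
    update_servers: tuple = ("10.10.10.20", "10.10.10.21", "198.51.100.50")


def quarantine_reasons(host: HostStatus, cfg: QuarantineConfig,
                       now: datetime = NOW) -> List[str]:
    """Failed conditions; an empty list means the host passes both checks."""
    reasons = []
    if not host.realtime_scanning:
        reasons.append("real-time scanning disabled")
    if now - host.definitions_updated > timedelta(days=cfg.max_definition_age_days):
        reasons.append(f"virus definitions older than {cfg.max_definition_age_days} days")
    return reasons


def apply_quarantine(host: HostStatus, cfg: QuarantineConfig,
                     now: datetime = NOW, normal_level: str = "Office") -> str:
    """Switch to Network Quarantine while any condition applies and back to
    the normal level once both are resolved; returns the resulting level."""
    if not cfg.enabled:
        return host.security_level
    if quarantine_reasons(host, cfg, now):
        host.security_level = "Network Quarantine"
    elif host.security_level == "Network Quarantine":
        host.security_level = normal_level
    return host.security_level


def quarantine_allows(cfg: QuarantineConfig, dst_ip: str) -> bool:
    """Under the Network Quarantine level only the update servers are reachable."""
    return ip_address(dst_ip) in {ip_address(s) for s in cfg.update_servers}
```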


APPLICATION CONTROL CONFIGURATION


Page 39

Application Control Features

Application Connection Control

• Monitors applications sending and receiving information (client and server applications)

• Protects from trojans sending out confidential information (trojan defense)

• Component supports complete remote administration (all settings)

Enhanced features

• Memory write protection (application manipulation control)

• Process creation protection (application launch control)

• No central management

• Enabling or disabling the feature is the only PMC setting


Page 40

Application Connection Control Operation

[Diagram: Managed Hosts and F-Secure Policy Manager; arrows for application traffic (blocked, marked x) and policy traffic]


Page 41

Rules Wizard: Connection Properties

At first, you have to define the connection properties

• Act as client (outbound, connecting)

• Act as server (inbound, listening)

It makes no sense to allow inbound connections for client applications (e.g. Internet Explorer)


Page 42

Rules Wizard: User Messages

As a second step, define how the application connection policy is communicated to the end user

• No message (completely transparent)

• Default message (defined in MIB tree)

• Customized message


Page 43

Rules Wizard: Target Domain Selector

New application instances cannot be created manually on the PMC

• They are reported by the managed hosts (reporting needs to be enabled!)

• Not all hosts might report the same applications

• Still, you might want to force rules for certain host applications onto the whole domain

The Rules Wizard has a domain target selector

• Simple and fast to create company wide application control rules


Page 44

Creating the Application List

1. Create a test environment representing your production computers (operating systems, service packs, applications, etc.)

2. Import these hosts to the centrally managed domain

3. Define rules for the reported applications

4. Distribute the policies


Page 45

Configuration Tips

Key settings

1. Action on Unknown Applications = Deny (inbound and outbound)

2. Report to Administrator = Report

3. Application Control Enabled = Yes

4. Memory Write Protection Enabled = No

5. Process Creation Protection Enabled = No
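The Application Connection Control workflow of the Rules Wizard and Configuration Tips slides as an added example (not F-Secure code): reported applications from several hosts are merged into one candidate list, a wizard-style rule holds separate client (outbound) and server (inbound) decisions, and an unknown application is denied and reported to the administrator. Host names and executable names are constructed; the default settings mirror the key settings listed above.

```python
"""Application Connection Control modelled on the Rules Wizard slides and the
recommended key settings. Added example, not F-Secure code; hosts and
application names are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AppRule:
    application: str                 # executable name as reported by hosts
    client: str = "deny"             # act as client: outbound, connecting
    server: str = "deny"             # act as server: inbound, listening
    message: Optional[str] = None    # None = no message, "default" or custom text


@dataclass
class Settings:
    # Key settings from the Configuration Tips slide
    action_on_unknown: str = "deny"  # inbound and outbound
    report_to_administrator: bool = True
    application_control_enabled: bool = True


@dataclass
class DomainPolicy:
    settings: Settings = field(default_factory=Settings)
    rules: Dict[str, AppRule] = field(default_factory=dict)
    admin_reports: List[Tuple[str, str, str]] = field(default_factory=list)

    def decide(self, host: str, application: str, role: str) -> str:
        """role is "client" or "server"; returns "allow" or "deny"."""
        if not self.settings.application_control_enabled:
            return "allow"
        rule = self.rules.get(application)
        if rule is None:
            # Unknown application: apply the default action and report it so
            # the administrator can create a rule with the wizard later
            if self.settings.report_to_administrator:
                self.admin_reports.append((host, application, role))
            return self.settings.action_on_unknown
        return getattr(rule, role)


def merge_host_reports(reports: Dict[str, List[str]]) -> List[str]:
    """Applications reported by any host, in first-seen order: not every host
    reports every application, so the union is the rule candidate list."""
    seen: List[str] = []
    for apps in reports.values():
        for app in apps:
            if app not in seen:
                seen.append(app)
    return seen


def wizard_rule(application: str, acts_as_client: bool, acts_as_server: bool,
                message: Optional[str] = None) -> AppRule:
    """Steps 1 and 2 of the Rules Wizard: connection properties and user message."""
    return AppRule(application,
                   "allow" if acts_as_client else "deny",
                   "allow" if acts_as_server else "deny",
                   message)
```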


INTRUSION PREVENTION


Page 47

Recommended Configuration

Intrusion Prevention is enabled by default

• Similar to Network Quarantine, IDS configuration is really simple

• Action on malicious packet: Log without dropping packet (default)

• Alert severity: Warning (default)

• Detection sensitivity: 100 % (default)


Page 48

Detection Sensitivity

The possibility to adjust the detection sensitivity serves two main purposes

• Reducing the amount of alerts (false positives)

• Improving the performance of the managed hosts

Using lower values reduces the amount of false positives

• 10 %: Maximum network performance, minimum alerts

• 50 %: Only malicious patterns are verified and reported

• 100 %: All existing patterns are verified and reported


Page 49

Monitoring Network Attacks

Possible network attacks can be monitored with several user interfaces

• Anti-Virus Client Security user interface

• Policy Manager Console

• Internet Shield web interface

The most common way is to use the Policy Manager Console

• Possibility of monitoring the whole policy domain, rather than a specific host


Page 50

Example: Host Intrusion

Portscan on specific host

• Local user interface reports alerts

• 4 different static firewall rule hits (red)

• 1 intrusion alert (FIN scan, yellow)


Page 51

Monitoring Network Attacks Using Policy Manager Console

Most recent attack visible in the Anti-Virus Mode Summary tab

• Direct link to Internet Shield status information (affected host/s, attack time, etc.)


Page 52

Summary

What can Internet Shield be used for?

Internet Shield remote administration

• Firewall configuration

• Network Quarantine configuration

• Application Control configuration

• Intrusion Prevention configuration