Upload
drusilla-wilkins
View
228
Download
0
Embed Size (px)
Citation preview
FEATURES & FUNCTIONALITY
Page 2
Agenda
Main topics
• Packet Filter Firewall
• Application Control
• Other features
Page 3
Requirements
Supported platfroms
• Windows 2000 Professional (with SP4 or higher) and Windows XP (Professional and Home Edition, with SP1 or higher)
• Also installs on Longhorn Beta
Minimum requirements
• Intel Pentium compatible hardware
• 128 MB (Windows 2000), 256 MB (Windows XP)
• 256 MB or more recommended (depending on the installed components)!
• 50 MB free hard disk space
• Internet connection recommended
PACKET FILTER FIREWALL
Page 5
IP Filtering for Workstations
Protects data on mobile workstations and desktops
against network worms and cracking
Intercepts IP packets at the NDIS (Network Device
Interface Specification) layer
• Allowed incoming packets are forwarded to the TCP/IP stack
• Allowed outgoing packets are sent out through the network interface
ApplicationApplication
PresentationPresentation
SessionSession
TransportTransport
NetworkNetwork
DataLinkDataLink
PhysicalPhysical
Page 6
Filtering Rules
Filtering traffic based on rules
• Rules for inbound, outbound or bi-directional traffic
• There is no need of allowing inbound traffic to any workstations
Administrator can define what traffic is allowed from one network segment to another or between corporate departments
• Also, it is possible to define filtering rules for host-to-host or host-to-network connections
Page 7
Predefined Rules
Rules are bundled into six Security
Levels
• Block all
• Mobile
• Home
• Office
• Custom
• Network quarantine
Page 8
Predefined Services
F-Secure predefined
approximately 100 services
• IP Protocols
• ICMP, TCP, UDP
• Application level protocols
• HTTP, HTTPS, DNS, SMB, etc.
Page 9
User Definable Services
New services can be defined
according to IP Protocol
• For TCP/UDP protocols
• Initiator and responder port number or range
• For ICMP
• Type and codes
• Allow broadcasts for UDP and ICMP
• yes/no
Page 10
SECURITY LEVEL
RULES
Allow Web Browsing
Security Levels Structure
SERVICES
• HTTP / Hyper Text Transfer Protocol out• HTTPS (SSL) out• FTP / File Transfer Protocol out
1
2
3
Page 11
Intrusion Detection System (IDS)
Analyses the payload and the header information of an IP packet to
detect different kind of intrusion attempts
• Monitors inbound traffic
• Inspects single packets only, not full stream or TCP/IP sequence
• System alerts on 31 malicous packets; most common operating system fingerprinting attempts (nmap, CyberCop), port scans and network worms
• Database selected carefully to avoid false positives
• Patterns are updated when software is updated
IDS engine is divided in to generic IP engine (13 packets), UDP
protocol engine (5 packets) and TCP protocol engine (13 packets)
Page 12
Internet Connection Sharing
Possibility of sharing the internet connection with other local computers
• Needs at least two network interfaces
Define the internal network card as a ”Trusted interface”
• No filtering, everything passes through the defined network interface
Important: Trusted interface should be disabled for the whole domain!
• Set “Allow Trusted Interface = disabled” (mark as final!)
X
APPLICATION CONTROL
Page 14
Application Control
Decides what products can and what cannot be used to connect to
the internet, manipulate or launch other programs
Application controls
Connection Control
Manipulating Control
Launching Control
What is controlled
External connection attempts
Code injections
Application launches
Page 15
Application Connection Control
Protection against malicious
programs that try to open
connections from the local
machine to an outside host
• Detects outbound connection attempts and inbound listening attempts
• Prompts the user to allow this connection before opening it
Application controls
Connection Control
Manipulating Control
Launching Control
Page 16
Application Launching Control
Protection against malicious
programs that try to launch
other application instances
• Disabled by default
Application controls
Connection Control
Manipulating Control
Launching Control
Page 17
Application Manipulation Control
Detects applications trying to
inject code into the memory
space of running applications
• Disabled by default
Application controls
Connection Control
Manipulating Control
Launching Control
Page 18
Executable Decisions
Permanent Application control decisions regarding a certain program
are always tied to the executable
• Binary change detection uses a hash function (SHA-1 checksum)
• If a program is updated, Internet Shield will prompt for a new decision
• Policy Manger is pre-configured with a whitelist of most critical windows and F-Secure services (e.g. allowing AUA connections)
Page 19
Dynamic Rules
Application connection control creates dynamic rules to the firewall packet filter rulebase
• Creates dynamic inbound rules for allowed applications
• Checks for existing outbound static rules before opening the connection to prevent timeouts
• Tied to the executable
Rules visible in the rulebase
• Rules only in use when the executable is running
• Rules added juts before the last deny rest rule
Page 20
Central Administration
Policy Manager supports central administration for Application
Connection Control
• PMC application rules overwrite user defined rules
• Applications cannot be added manually (need to be reported by the hosts)
• All new application connections can be reported to FSPMC (except system and boot time services)
OTHER FEATURES
Page 22
Dial-up Control
Protection against malicous dialing attempts (monitors dialup
processes, e.g. RAS API)
• Maintains a list of allowed or denied numbers
• Limited central management (user decisions are not reported to the PMC!)
Hang-up control
• Only allowed applications can close an active connection.
Page 23
Alerting
Internet Shield alerts are divided into two groups
• Packet filter alerts (only create a log entry if so defined in the rule)
• Log only (blue alert)
• Log and pop-up (red alert)
• Intrusion alerts (yellow alert)
Page 24
Logging
Extended logging capabilities
• All firewall actions
• All alerts
Packet logging
• Packet logging will grab all frames from all network devices and store them to a file
• Useful for debugging
• Needs to be activated with a specific policy!
Page 25
Summary
Main topics
• Packet Filter Firewall
• Application Control
• Other features