ADMINISTERING INTERNET SHIELD

Page 2: Agenda
- What can Internet Shield be used for?
- Administering Internet Shield
- Firewall configuration
- Network Quarantine configuration
- Application Control configuration
- Intrusion Prevention configuration

Page 3: Internet Shield... What For?
Internet Shield protects computers from unauthorized access from the internet, as well as from attacks originating inside the LAN.
Core protection components and their purpose:
- Firewall: restricts traffic based on the protocols and ports used
- Application Control: prevents malicious programs from sending information out of the computer (trojan defense)
- Intrusion Prevention: stops malicious packets aimed at open ports (network attacks)

Page 4: Network Attack: Managed Network
[Diagram: Web Server, Managed Mobile Host, Managed Hosts, F-Secure Policy Manager; legend: Worm traffic, Policy traffic; blocked paths marked x]

Page 5: Network Attack: Unmanaged Network
[Diagram: Web Server, Unmanaged Mobile Host, Unmanaged Hosts, Unmanaged File Server; legend: Worm traffic, Trojan traffic, VPN tunnel; blocked path marked x]

INTERNET SHIELD ADMINISTRATION INTERFACE

Page 7: Remote Administration
The Policy Manager Console offers two different graphical interfaces:
- Anti-Virus Mode: optimized for administering F-Secure Anti-Virus Client Security
- Advanced Mode: used for deeper product configuration; products other than AVCS have to be administered in this mode; some settings are only available in this mode!

Page 8: Anti-Virus Mode
- Message view: informative messages, e.g. virus definitions update info
- Management tabs: host configuration and monitoring; operations management
- Policy domain tab: displays the policy domain structure

Page 9: Advanced Mode
- Message view: informative messages, e.g. virus definitions update info
- Policy properties pane: host configuration and monitoring; operations management
- Product help: field focus help, if the policy properties tab is selected
- Product view pane: provides the most common settings; functions differ for the selected properties tab (e.g. policy tab)

Page 10: Anti-Virus Mode Summary Tab
- Policy Manager section: policy distribution status; virus and spyware definitions status; autoregistration requests
- Internet Shield section: active security level (if a host is selected); latest attack (host or whole domain)
- Virus protection section: real-time protection status; infections (host or whole domain); virus definitions status (host or domain)
- Domain/Host section: displays the most important information; more detailed for hosts (e.g. UID); host alert summary

Page 11: Anti-Virus Mode Internet Shield Settings
- Firewall Security Levels: define the security level for host(s); enable/disable/add security levels; configure firewall components (e.g. Network Quarantine); enable/disable firewall components (e.g. Application Control)
- Firewall Rules: define rules for existing or added security levels
- Firewall Services: edit existing services or create your own custom services
- Application Control: define rules for unknown applications reported by hosts

FIREWALL CONFIGURATION

Page 13: Internet Shield Security Levels
- F-Secure Internet Shield provides administrators with predefined security levels
- Each of them has a set of pre-configured firewall rules
- This provides an easy and fast way of defining different policies on different domain levels
- The security levels are created in a way that suits most corporations; in general, no changes are needed
- The console provides the possibility to change existing security levels or to create completely new ones (from scratch)

Page 14: Provided Security Levels
- There are seven predefined security levels: Mobile, Home, Office (default), Strict (disabled), Normal (disabled), Custom (disabled), Network Quarantine
- The "Block all" and "Disabled" (allow all traffic) levels cannot be edited!
- Network Quarantine is a special security level used by the Intelligent Network Access (INA) feature

Page 15: Security Levels Structure
[Diagram: 1 SECURITY LEVEL -> 2 RULES (e.g. "Allow Web Browsing") -> 3 SERVICES (HTTP / Hyper Text Transfer Protocol out; HTTPS (SSL) out; FTP / File Transfer Protocol out)]

Page 16: Finetuning Security Levels
- Define the location for sub-domain and host specific rules (only possible on the root level!)
- Choose the security level to edit
- Disable/enable rules (doesn't delete the rule!)
- Edit, add or clear (delete) rules
- Restore or force security levels (choice: active or all security levels)
- Allow and place user defined rules (recommended to leave "disabled")

Page 17: Using Security Level Autoselection
- The auto-selection feature enables automatic switching between different Internet Shield security levels, based on specific arguments
- Rules are read from top to bottom (the first matching rule is applied)
- The specified arguments (IP address or network) refer to pre-defined methods (e.g. Default Gateway IP address)
- Never: disables the rule (no argument needed)
- Always: applies the rule, argument disregarded (used in the last rule)

Page 18: Creating Auto-selection Rules
Goal: hosts connected to the LAN should automatically use the "Office" security level, and hosts outside the LAN should switch to the "Mobile" security level.

Page 19: Office Rule
- Priority: 1
- Security Level: 40office (security level ID)
- Method1: Default Gateway IP Address (most common method)
- Argument1: (value not shown on the slide)
- Method2: Always (default method)

Page 20: Mobile Rule
- Priority: 2 (doesn't automatically increment!)
- Security Level: 20office (security level ID)
- Method1: Always (last catch-all rule)
- Argument1: no argument needed
- Method2: Always (default method)
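The two rules above are evaluated top-down by priority, first match wins. The following Python simulation is an added example written for this page, not F-Secure's own code: it models the Default Gateway IP Address, Always and Never methods and shows why the catch-all "Always" rule must carry the highest priority number. The security level IDs and the gateway addresses are constructed sample values (the real IDs come from the console).

```python
"""Added example: simulation of Internet Shield security level auto-selection.
Rules are evaluated in ascending priority order; the first match is applied.
Illustrative code for this page, not F-Secure's implementation. Level IDs and
gateway addresses are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class AutoSelectRule:
    priority: int          # evaluated in ascending order; gaps and duplicates are not fixed up
    security_level: str    # target security level ID, e.g. "40office" (constructed)
    method: str            # "Default Gateway IP Address", "Always" or "Never"
    argument: str = ""     # IP address or network for the IP-based method


def rule_matches(rule: AutoSelectRule, host: dict) -> bool:
    """Return True when the rule's method/argument matches the host's current facts."""
    if rule.method == "Never":
        return False                      # "Never" disables the rule
    if rule.method == "Always":
        return True                       # "Always" ignores the argument (catch-all)
    if rule.method == "Default Gateway IP Address":
        gateway = host.get("default_gateway")
        if gateway is None:
            return False                  # no gateway known (e.g. no link): no match
        # the argument may be a single address (treated as /32) or a network
        return ip_address(gateway) in ip_network(rule.argument, strict=False)
    raise ValueError(f"unknown method: {rule.method}")


def select_security_level(rules: list, host: dict) -> Optional[str]:
    """First matching rule wins; None means no rule matched (level stays unchanged)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, host):
            return rule.security_level
    return None


# Constructed rule set mirroring the slide's goal: LAN -> Office, anywhere else -> Mobile.
RULES = [
    AutoSelectRule(priority=1, security_level="40office",
                   method="Default Gateway IP Address", argument="10.0.0.1"),
    AutoSelectRule(priority=2, security_level="20mobile", method="Always"),
]

if __name__ == "__main__":
    print(select_security_level(RULES, {"default_gateway": "10.0.0.1"}))      # 40office
    print(select_security_level(RULES, {"default_gateway": "192.168.1.1"}))   # 20mobile
```

If the "Always" rule were given priority 1 it would shadow the Office rule completely, which is the practical reason the slide stresses that the priority does not increment automatically.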

Page 21: Principles for Designing Firewall Rules
- Allow only the needed services, deny all the rest
- In this way the security risk is minimized and well known
- The drawback is that when new services are needed the firewall must be reconfigured, but this is a small price for the security
- The opposite concept, to deny only dangerous services and allow the rest, is not acceptable: no one can tell with certainty which services are dangerous or might become dangerous in the future when a new security problem is discovered

Page 22: Principles for Designing Firewall Rules
1. Deny rules for the most dangerous services or hosts, optionally with alerting
2. Allow rules for much-used common services and hosts
3. Deny rules for specific services you want alerts about, e.g. trojan probes, with alerting
4. More general allow rules
5. Deny everything else

Page 23: Proper Alerting
- Proper alerting can only be done by having proper granularity in the rule set: one rule for each type of alert you want
- "Broad" rules will generate a lot of alerts; any important information may be lost in large volumes of useless noise
- If you really want alerts on the last rule (deny everything else), it might be a good idea to place deny rules without alerting before it that drop high-volume traffic of little interest
- A bad decision would be to alert on network broadcasts in a corporate LAN

Page 24: Good Practice
- Allow only the needed services, deny the rest
- Keep it simple and efficient
- For normal workstations, deny all inbound traffic
- As an optional security measure, deny services that transfer confidential information (passwords etc.) over the network: deny POP, IMAP, SMTP, FTP, Telnet etc. to /0 (any destination)

Page 25: Example: Simple Ruleset
- Outbound traffic: the first rule allows outbound TCP & UDP to everywhere (so, for example, web browsing is possible)
- Protocols used during web browsing: TCP port 80 (HTTP); TCP or UDP port 53 (DNS); bi-directional traffic
- The second rule drops all other traffic
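To make the ordering and alerting advice of pages 21 to 25 concrete, here is an added Python example written for this page (not Internet Shield's rule engine): a first-match packet filter whose rule set follows the five-step order, with a quiet deny for LAN NetBIOS chatter placed ahead of the alerting rules so that the alerts that remain are the interesting ones. The rule names, addresses and sample packets are constructed.

```python
"""Added example: a minimal first-match packet filter following the slide's
rule ordering (deny dangerous -> allow common -> alerting denies -> general
allow -> deny everything else) and its alert-granularity advice.
Illustrative code for this page, not Internet Shield's own engine; the rule
set, addresses and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    direction: str = "any"                        # "in", "out" or "any"
    protocols: tuple = ("tcp", "udp", "icmp")
    ports: tuple = ()                             # empty = any destination port
    remote: str = "0.0.0.0/0"                     # remote network ("/0" = anywhere)
    alert: bool = False                           # raise an alert when this rule hits


@dataclass
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    port: int = 0


def rule_hits(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and pkt.protocol in rule.protocols
            and (not rule.ports or pkt.port in rule.ports)
            and ip_address(pkt.remote_ip) in ip_network(rule.remote))


def evaluate(rules, pkt):
    """Return (action, rule_name, alerted) for the first matching rule."""
    for rule in rules:
        if rule_hits(rule, pkt):
            return rule.action, rule.name, rule.alert
    return "deny", "implicit-deny", False   # only reached without a catch-all rule


# Workstation rule set in the slide's recommended order (constructed example).
WORKSTATION_RULES = [
    # 1. deny the most dangerous services, with alerting (telnet sends passwords in clear)
    Rule("deny-telnet-out", "deny", "out", ("tcp",), (23,), alert=True),
    # 2. allow much-used common services
    Rule("allow-web-out", "allow", "out", ("tcp",), (80, 443)),
    Rule("allow-dns-out", "allow", "out", ("tcp", "udp"), (53,)),
    # quiet drop of high-volume LAN NetBIOS chatter, placed BEFORE any alerting deny
    Rule("drop-lan-netbios-quiet", "deny", "in", ("udp",), (137, 138), remote="192.168.1.0/24"),
    # 3. deny specific services you want alerts about (worm/trojan probes on Windows ports)
    Rule("deny-smb-in-alert", "deny", "in", ("tcp", "udp"), (135, 137, 138, 139, 445), alert=True),
    # 4. more general allow rules
    Rule("allow-tcp-udp-out", "allow", "out", ("tcp", "udp")),
    # 5. deny everything else, with alerting
    Rule("deny-all-alert", "deny", alert=True),
]


def run(rules, packets):
    """Evaluate packets; return the decisions and the alert count per rule."""
    alerts, decisions = {}, []
    for pkt in packets:
        action, name, alerted = evaluate(rules, pkt)
        decisions.append((action, name))
        if alerted:
            alerts[name] = alerts.get(name, 0) + 1
    return decisions, alerts


# Constructed sample traffic seen by the workstation.
SAMPLE_PACKETS = [
    Packet("out", "tcp", "93.184.216.34", 80),    # web browsing
    Packet("out", "udp", "10.0.0.53", 53),        # DNS lookup
    Packet("in", "tcp", "203.0.113.9", 445),      # SMB probe from outside: alert
    Packet("in", "udp", "192.168.1.7", 137),      # LAN NetBIOS chatter: quiet drop
    Packet("out", "tcp", "203.0.113.9", 23),      # telnet: alert
    Packet("in", "tcp", "203.0.113.9", 22),       # anything else inbound: alert
]

if __name__ == "__main__":
    for decision in zip(SAMPLE_PACKETS, run(WORKSTATION_RULES, SAMPLE_PACKETS)[0]):
        print(decision)
    print(run(WORKSTATION_RULES, SAMPLE_PACKETS)[1])
```

Removing the quiet NetBIOS rule makes the LAN chatter fall through to the alerting SMB rule, which is exactly the "important information lost in noise" situation page 23 warns about.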

Page 26: Basic Desktop Policy
[Diagram: managed host; inbound traffic (blocked, marked x) and outbound traffic; protocols TCP, UDP, ICMP]

Page 27 Basic Desktop Policy

Page 28: SMB over NetBIOS... Still Needed?
Port            | Description
135             | RPC (Remote Procedure Call) / DCOM (Distributed Component Object Model). Allows a remote computer to send commands to another computer. Used by services like DNS (Domain Name System)
137, 138 & 139  | Windows Networking using SMB over NBT (NetBIOS) (Windows NT and 9x)
445             | Windows Networking using SMB directly over TCP (Windows 2000 and later)

Page 29 Windows Networking Rules

Page 30: More Strict Desktop Policy
[Diagram: managed host, DNS Server, Mail Server, File Server; DMZ /24 and LAN / networks; inbound and outbound traffic; legend: External (allowed), External (denied), Internal (allowed); protocols: TCP, SMTP, POP, IMAP, SMB, DNS]

Page 31 More Strict Desktop Policy

NETWORK QUARANTINE CONFIGURATION

Page 33: Who Is Connecting To My Network?
- It is in the interest of every corporation to prevent unauthorized hosts from connecting to the company network
- Virus infections in data networks have become an increasingly serious problem
- Physically guarding network sockets is not going to be the solution
- An automated system is needed that checks the host protection before granting network access: anti-virus protection status (e.g. real-time protection check); firewall protection status (e.g. packet filter status check)

Page 34: Policy Manager Network Security
Policy Manager Server provides two different solutions:
- Network Admission Control (NAC): solution developed by Cisco Systems; supported by Anti-Virus Client Security 6.x; no centralized management
- Network Quarantine (a.k.a. Intelligent Network Access, INA): solution developed by F-Secure; complete integration in Internet Shield; centralized management possible

Page 35: Using Network Quarantine
- Network Quarantine is disabled by default
- Very simple to enable (Firewall Security Levels / Network Quarantine)
- Monitors two host conditions: virus definitions update status (age; default setting 4 days); real-time scanning status
- If one of the conditions applies, the host is quarantined (the security level switches to "Network Quarantine")

Page 36: Example: Host Access Restrictions
- Network traffic is restricted
- Reason: real-time scanning is disabled
- Solution: re-enable real-time scanning
- Important: administrators should restrict changes to system critical settings!

Page 37: Network Quarantine Security Level
- Access is limited to F-Secure update servers: Automatic Update Server(s); Automatic Update Proxy(ies); F-Secure Root Update Server
- Network access will be granted again once the computer has: re-activated real-time scanning; updated the virus definitions
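The quarantine logic of pages 35 to 37 (two monitored conditions, a forced security level, access limited to the update infrastructure, release once the host is healthy again) is small enough to simulate end to end. The following Python is an added example for this page, not F-Secure's implementation; the update server addresses, the reference date and the host states are constructed placeholders, and treating definitions older than 4 days as stale is this example's reading of the "4 days" default.

```python
"""Added example: simulation of the Network Quarantine decision and of the
restricted "Network Quarantine" security level. Illustrative code for this
page, not F-Secure's implementation. Addresses, dates and host states are
constructed placeholders."""
from datetime import date, timedelta

# Slide default: 4 days. Assumption of this example: strictly older than this is "stale".
MAX_DEFINITION_AGE_DAYS = 4

# Constructed placeholder addresses for the update infrastructure the quarantine level may reach.
ALLOWED_UPDATE_HOSTS = {
    "10.0.0.10",       # Automatic Update Server (placeholder)
    "10.0.0.11",       # Automatic Update Proxy (placeholder)
    "198.51.100.20",   # F-Secure Root Update Server (placeholder, documentation address)
}


def quarantine_reasons(host: dict, today: date) -> list:
    """Return the conditions that put the host into Network Quarantine (empty = healthy)."""
    reasons = []
    age = (today - host["definitions_date"]).days
    if age > MAX_DEFINITION_AGE_DAYS:
        reasons.append(f"virus definitions are {age} days old")
    if not host["realtime_scanning"]:
        reasons.append("real-time scanning is disabled")
    return reasons


def effective_security_level(host: dict, today: date) -> str:
    """Switch to 'Network Quarantine' when any condition applies, else keep the configured level."""
    return "Network Quarantine" if quarantine_reasons(host, today) else host["security_level"]


def quarantine_allows(dest_ip: str) -> bool:
    """Under the quarantine level only traffic to the update servers is permitted."""
    return dest_ip in ALLOWED_UPDATE_HOSTS


def connection_allowed(host: dict, today: date, dest_ip: str,
                       allowed_by_normal_level: bool = True) -> bool:
    """Combine the level decision with the destination check; the normal level's
    own rule set is abstracted into a single boolean here."""
    if effective_security_level(host, today) == "Network Quarantine":
        return quarantine_allows(dest_ip)
    return allowed_by_normal_level


# Constructed reference date and host states.
TODAY = date(2024, 1, 10)
HEALTHY = {"security_level": "Office", "realtime_scanning": True,
           "definitions_date": TODAY - timedelta(days=1)}
STALE = {"security_level": "Office", "realtime_scanning": True,
         "definitions_date": TODAY - timedelta(days=6)}
NO_RTS = {"security_level": "Office", "realtime_scanning": False,
          "definitions_date": TODAY}

if __name__ == "__main__":
    for name, host in (("healthy", HEALTHY), ("stale", STALE), ("no-rts", NO_RTS)):
        print(name, effective_security_level(host, TODAY), quarantine_reasons(host, TODAY))
    print("stale host -> web:", connection_allowed(STALE, TODAY, "93.184.216.34"))
    print("stale host -> update server:", connection_allowed(STALE, TODAY, "10.0.0.10"))
```

The release condition falls out of the same function: once the definitions date is current again (or real-time scanning is back on), `quarantine_reasons` is empty and the host returns to its configured level, which is why page 36's advice to lock the system-critical settings matters: a user who can switch real-time scanning off can put the host into quarantine.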

APPLICATION CONTROL CONFIGURATION

Page 39: Application Control Features
- Application Connection Control: monitors applications sending and receiving information (client and server applications); protects from trojans sending out confidential information (trojan defense); the component supports complete remote administration (all settings)
- Enhanced features: memory write protection (application manipulation control); process creation protection (application launch control); no central management; enabling or disabling the feature is the only PMC setting

Page 40: Application Connection Control Operation
[Diagram: Managed Hosts, F-Secure Policy Manager; legend: Application traffic, Policy traffic; blocked connections marked x]

Page 41: Rules Wizard: Connection Properties
- First, you have to define the connection properties: act as client (outbound, connecting); act as server (inbound, listening)
- It makes no sense to allow inbound connections for client applications (e.g. Internet Explorer)

Page 42: Rules Wizard: User Messages
- As a second step, define how the application connection policy is communicated to the end user: no message (completely transparent); default message (defined in the MIB tree); customized message

Page 43: Rules Wizard: Target Domain Selector
- New application instances cannot be created manually on the PMC; they are reported by the managed hosts (reporting needs to be enabled!)
- Not all hosts might report the same applications
- Still, you might want to force certain host applications to the whole domain
- The Rules Wizard has a domain target selector: simple and fast to create company-wide application control rules

Page 44: Creating the Application List
1. Create a test environment representing your production computers (operating systems, service packs, applications, etc.)
2. Import these hosts to the centrally managed domain
3. Define rules for the reported applications
4. Distribute the policies

Page 45: Configuration Tips
Key settings:
1. Action on Unknown Applications = Deny (inbound and outbound)
2. Report to Administrator = Report
3. Application Control Enabled = Yes
4. Memory Write Protection Enabled = No
5. Process Creation Protection Enabled = No

INTRUSION PREVENTION

Page 47: Recommended Configuration
- Intrusion Prevention is enabled by default
- Similar to Network Quarantine, the IDS configuration is really simple
- Action on malicious packet: log without dropping the packet (default)
- Alert severity: Warning (default)
- Detection sensitivity: 100 % (default)

Page 48: Detection Sensitivity
- The possibility of adjusting the detection sensitivity has two main purposes: reducing the amount of alerts (false positives); improving the performance of the managed hosts
- Using lower values reduces the amount of false positives:
- 10 %: maximum network performance, minimum alerts
- 50 %: only malicious patterns are verified and reported
- 100 %: all existing patterns are verified and reported

Page 49: Monitoring Network Attacks
- Possible network attacks can be monitored with several user interfaces: Anti-Virus Client Security user interface; Policy Manager Console; Internet Shield web interface
- The most common way is to use the Policy Manager Console: possibility of monitoring the whole policy domain, rather than a specific host

Page 50: Example: Host Intrusion
- Portscan on a specific host
- The local user interface reports alerts: 4 different static firewall rule hits (red); 1 intrusion alert (FIN scan, yellow)

Page 51: Monitoring Network Attacks Using Policy Manager Console
- The most recent attack is visible in the Anti-Virus Mode Summary tab
- Direct link to Internet Shield status information (affected host(s), attack time, etc.)

Page 52: Summary
- What can Internet Shield be used for?
- Internet Shield remote administration
- Firewall configuration
- Network Quarantine configuration
- Application Control configuration
- Intrusion Prevention configuration