Table of contents

Firewall settings

The Firewall module provides bidirectional stateful firewall protection. It prevents denial of service attacks and provides coverage for all IP-based protocols and frame types as well as filtering for ports and IP and MAC addresses.

The Firewall section of the Computer or Policy editor has the following tabbed sections:

General

Firewall

You can configure this policy or computer to inherit its firewall On and Off state from its parent policy or you can lock the setting locally.

Firewall Stateful Configurations

Select which firewall stateful configuration to apply to this policy. If you have defined multiple Interfaces for this policy, you can specify independent configurations for each interface. For more information on creating a stateful configuration see Define stateful configurations.

Assigned Firewall Rules

Displays the firewall rules that are in effect for this policy or computer. To add or remove firewall rules, click Assign/Unassign This displays a window showing all available firewall rules from which you can select or deselect rules.

From a Computer or Policy editor window, you can edit a firewall rule so that your changes apply only locally in the context of your editor, or you can edit the rule so that the changes apply globally to all other policies and computers that are using the rule.

To edit the Rule locally, right-click the rule and select Properties.

To edit the Rule globally, right-click the rule and select Properties (Global).

For more information on creating firewall rules, see Create a Firewall rule.

Interface Isolation

You can configure this policy or computer to inherit its Interface Isolation enabled or disabled state from its parent policy or you can lock the setting locally.

Before you enable Interface Isolation, make sure that you have configured the interface patterns in the proper order and that you have removed or added all necessary string patterns. Only interfaces matching the highest priority pattern are permitted to transmit traffic. Other interfaces (which match any of the remaining patterns on the list) are restricted. Restricted Interfaces block all traffic unless an Allow Firewall Rule is used to allow specific traffic to pass through.

To configure the Interface Isolation policy:

  1. On the Interface Isolation tab, select Enable interface isolation.
  2. Configure the Interface Patterns.
  3. Click Save.

Interface Patterns

When Interface Isolation is enabled, the firewall tries to match the regular expression patterns to interface names on the local computer.

Workload Security uses POSIX basic regular expressions to match interface names.

Only interfaces matching the highest priority pattern are permitted to transmit traffic. Other interfaces (which match any of the remaining patterns on the list) are restricted. Restricted Interfaces block all traffic unless an Allow firewall rule is used to allow specific traffic to pass through.

Selecting Limit to one active interface restricts traffic to only a single interface (even if more than one interface matches the highest priority pattern).

Reconnaissance

The Reconnaissance page allows you to enable and configure traffic analysis settings on your computers. This feature can detect possible reconnaissance scans that attackers often use to discover weaknesses before beginning a targeted attack.

Reconnaissance scans do not work in TAP mode. Reconnaissance scans can only be detected on IPv4 traffic.

To enable reconnaissance protection, you must also enable the Firewall and Stateful Inspection on the Computer or Policy editor > Firewall > General tab. You should also go to the Computer or Policy editor > Firewall > Advanced tab and enable the Generate Firewall Events for packets that are 'Out of Allowed Policy' setting. This generates firewall events that are required for reconnaissance.

When setting up Reconnaissance scans, you have the following options:

  • Reconnaissance Scan Detection Enabled: Enable or disable detection of reconnaissance scans. The default is that all scans are enabled in report mode with notifications. If you want to disable the notifications or switch from the report mode to a temporary blocking mode, select Yes from the list and make your changes.

  • Computers/Networks on which to perform detection: Select from the list the IPs to protect. Select from existing IP Lists. You can use the Policies > Common Objects > Lists > IP Lists page to create an IP List specifically for this purpose.

  • Do not perform detection on traffic coming from: Select from a set of IP Lists which computers and networks to ignore. You can use the Policies > Common Objects > Lists > IP Lists page to create an IP List specifically for this purpose.

For each type of attack, the agent can be instructed to send the information to Workload Security where an alert will be triggered. You can configure Workload Security to send an email notification when the alerts are triggered. For more information, see Administration > System Settings > Alerts. Select Notify DSM Immediately for this option.

For the Notify DSM Immediately option to work, the agents must be configured for agent-initiated or bidirectional communication in Computer or Policy editor > Settings > General. If enabled, the agent initiate a heartbeat to Workload Security immediately upon detecting the attack or probe.

Once an attack has been detected, you can instruct the agents to block traffic from the source IPs for a period of time. Use the Block Traffic field to set the number of minutes.

The alerts are:

  • Computer OS Fingerprint Probe: The agent detects an attempt to discover the computers OS.
  • Network or Port Scan: The agent reports a network or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Typically, an agent computer only sees traffic destined for itself, so a port scan is the most common type of probe that will be detected. The statistical analysis method used in computer or port scan detection is derived from the TAPS algorithm proposed in the document "Connectionless Port Scan Detection on the Backbone" presented at IPCCC in 2006.
  • TCP Null Scan: The agent detects packages with no flags set.
  • TCP SYNFIN Scan: The agent detects packets with only the SYN and FIN flags set.
  • TCP Xmas Scan: The agent detects packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).

Network or Port Scans differs from the other types of reconnaissance in that it cannot be recognized by a single packet and requires Workload Security to watch traffic for a period of time. The agent reports a computer or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Normally an agent computer will only see traffic destined for itself, so a port scan is by far the most common type of probe that will be detected. However, if a computer is acting as a router or bridge it could see traffic destined for a number of other computers, making it possible for the agent to detect a computer scan (for example, scanning a whole subnet for computers with port 80 open).

Detecting these scans can take several seconds since the agent needs to be able to track failed connections and decide that there are an abnormal number of failed connections coming from a single computer in a relatively short period of time.

Agents running on Windows computers with browser applications may occasionally report false-positive reconnaissance scans due to residual traffic arriving from closed connections. For information on how to handle reconnaissance warnings, see Warning: Reconnaissance Detected.

Advanced

Events

Set whether to generate events for packets that are Out of Allowed Policy. These are packets that have been blocked because they have not been specifically allowed by an Allow firewall rule. Setting this option to Yes may generate a large number of events depending on the firewall rules you have in effect.

Firewall Events

Firewall events are displayed the same way as they are in the main Workload Security console window except that only events relating to this policy or specific computer are displayed.