firewall - utils.kaspersky.comutils.kaspersky.com/special/ksos2/14_ksos2_firewall_en.pdf1 | 25...

Small Office Security 2

Firewall

1 | 2 5

Kaspersky Small Office Security 2

Table of content Table of content ............................................................................................................................... 1

Firewall ......................................................................................................................................... 2

What is Firewall ......................................................................................................................... 2

Enabling/Disabling Firewall ....................................................................................................... 2

Changing the network status ..................................................................................................... 3

Rules of Firewall ........................................................................................................................ 6

Creating a packet rule ............................................................................................................ 6

Editing packet rules ................................................................................................................ 9

Creating application rules ..................................................................................................... 11

Editing application rules ....................................................................................................... 12

Configuring network service ................................................................................................. 15

Allocating range of IP-addresses ......................................................................................... 15

Changing the rule for a group of applications ....................................................................... 18

Changing the rule priority ..................................................................................................... 20

Extending the range of IP addresses....................................................................................... 21

Configuring notifications of changes in the network ................................................................ 23

Advanced Firewall settings ...................................................................................................... 24

Firewall working features ......................................................................................................... 25

2 | 2 5


Firewall What is Firewall Today computers have become quite vulnerable when on the Internet. They are subjected not only to virus infections but other types of attacks as well that take advantage of vulnerabilities in operating systems and software. KSOS 2 contains a special component, Firewall from the Protection Center component, to ensure your security on local networks and the Internet. Firewall applies rules to all network connections. A Firewall rule is either an allowing or blocking action performed by Firewall once it detects a connection attempt. Protection against various types of attacks is performed on two levels: network and application. Protection on the network level is performed by using global packet filtration rules where network activity is allowed or blocked based on analyzing settings such as:

► packet direction; ► the data packet transfer protocol; ► and the outbound packet port.

A network package is a block of information transferred in the network. As a rule the package consists of the header (package information, such as the creation date, size, recipient and etc), the body (the transferred information itself) and the ending (checking information which guarantees that the package was not changed during the transfer). Protection on the application level is applying application rules for using network resources to the applications installed on your computer. Like the network protection level, the application protection level is built on analyzing data packets for direction, transfer protocol, and what ports they use. However, on the application level, both data packet traits and the specific application that sends and receives the packet are taken into account. Using application rules helps you to configure more specific protection when, for example, a certain connection type is banned for some applications but not for others. Enabling/Disabling Firewall By default, the Firewall is enabled. You can disable the Firewall if needed. To enable or disable the Firewall, perform the following steps:

1. Open the main application window. 2. In the top right part of the window, click the Settings link. 3. In the top part of the Settings window select the Protection Center section.

3 | 2 5


4. In the left part of the Settings window select the Firewall component. 5. In the right part of the window

• Uncheck the Enable Firewall box if you need to disable this component. • Check this box if you need to enable the component.

6. In the Settings window click the Apply button.

Changing the network status KSOS 2 breaks down the entire network space into security zones to make settings and rules more user-friendly, which largely correspond to the subnetworks that your computer belongs to.

4 | 2 5


You can assign a status to each zone, which determine the policy for applying rules and monitoring network activity in that zone:

► Public network (Internet). We recommend that you select this status for networks not protected by any anti-virus applications, firewalls or filters (for example, for Internet cafe filters). Users of such networks are not allowed to access to files and printers located on or connected to your computer. Even if you have created a shared folder, the information in it will not be available to users from networks with this status. If you allowed remote access to the desktop, users of this network will not be able to obtain it. Filtering of the network activity for each application is performed according to the rules for this application. By default, this status is assigned to Internet.

► Local network. We recommend that you assign this status to networks to which users you wish to grant access to files and printers on your computer (for example, for your internal corporate network or home network).

► Trusted network. This status is only recommended for areas that you consider absolutely safe within which your computer will not be subjected to attacks or unauthorized attempts to gain access to your data. If you select this status, all network activity is allowed within this network.

You can specify manually the status of a new network in the notification window which appears once a new network is detected. In order to change the network connection status, perform the following actions:

1. Open the main application window. 2. In the upper right hand corner of the window, click the Settings link. 3. In the upper part of the Settings window, select Protection Center.

4. In the left hand part of the Settings window, select the Firewall component. 5. In the right hand part of the window, click the Settings button.

http://support.kaspersky.com/find?faq_id=4873�

5 | 2 5


6. In the Firewall window, go to the Networks tab. 7. Right-click the required network. 8. Select the required network status from the drop-down list (Public, Local or Trusted). 9. In the Firewall window click the OK button.

10. In the Settings window, click the OK button.

6 | 2 5


Rules of Firewall There are two Firewall rule types, used to control network connections:

► Packet rules are used to create general restrictions on network activity, regardless of the applications installed. Example: if you create a packet rule that blocks inbound connections on port 21, no applications that use that port (an ftp server, for example) will be accessible from the outside.

► Rules for applications are used to create restrictions on network activity for specific applications. Example: If connections on port 80 are blocked for each application, you can create a rule that allows connections on that port for Firefox only.

Packet rules have higher priority than application rules. If both packet rules and rules for applications are applied to the same type of network activity, this network activity is processed using the packet rules. Besides, you can set a priority for each rule. Creating a packet rule All network connections on your computer are monitored by Firewall. Firewall assigns a specific status to each connection and applies various rules for filtering of network activity depending on that status, thus, it allows or blocks a network activity. Packet rules are used in order to restrict packets transferring regardless applications. You can specify an action performed by Firewall if it detects the network activity:

• Allow • Block • Process according to application rules. The packet rule is not used, but the rule for

the application is used. The Allow or Block rules can be logged. In order to do this, check the Log events box in the Action section. To create a packet rule, for example, to allow remote access to your computer desktop, please do the following:

1. Open the main application window. 2. Go to the Protection Center tab. 3. In the top right part of the window click the Settings link.

7 | 2 5


4. In the left part of the Settings window select Firewall. 5. In the right part of the Settings window click the Settings button.

6. In the Firewall window on the Filtering rules tab select the Packet rules item.

8 | 2 5


7. Click the Add link in the lower part of the window. The Network rule window opens where

you can specify the settings of the creating rule.

9 | 2 5


8. In the Network rule window in the Action section select Allow. 9. Check the Log events box if you want the rule action to be displayed in the report. 10. In the Network service section select the Remote Desktop service. 11. In the Address section select the Any address variant. 12. Click the OK button in the Network rule window. The created rule will appear on the

Filtering rules tab in the list of packet rules. 13. In the Firewall window click the OK button. 14. In the Settings window click the Apply button.

Now any user has remote access to this desktop. Editing packet rules All packet rules (default or created by the user) can be edited. For example, if you want to block remote access to your computer desktop, then edit the Remote Desktop packet rule:

1. In the left part of the Settings window select Firewall and in the right part of the Settings window click the Settings button.

2. In the Firewall window on the Filtering rules tab select the Packet rules item. 3. In the list of packet rules select the Remote Desktop rule. 4. Click the Edit link in the bottom of the window. The Network rule window opens where you

can edit the settings of the selected rule.

10 | 2 5


5. In the Action section instead of the Allow action select Block. 6. In the Address section select the Subnetwork addresses with status variant and in the

drop-down list next to it select Public networks. 7. In the Network rule window click the OK button.

11 | 2 5


8. The made changes will appear in the Firewall window on the Filtering rules tab in the list of packet rules: for the Remote Desktop rule the address in the Address column will change for Public networks.

9. In the Firewall window click the OK button. 10. In the Settings window click the Apply button.

Now only users of local and trusted networks have remote access to your computer desktop. Creating application rules You can modify rules for a whole group or for a certain application 1

Application rules created by a user have a higher priority compared to group application rules.

in group, and also create additional rules for more accurate filtering of network activity.

You can specify an action performed by Firewall if it detects the network activity: • Allow • Block

The Allow or Block rules can be logged. In order to do this, check the Log events box in the Action section. To create a rule for a specific application, for example a rule which would block any network activity of the QIP internet pager out of your local and trusted networks, do the following:


2. In the Firewall window on the Filtering rules tab select the program (for example, QIP 2010).

3. Click the Add link at the bottom part of the window. The Network rule window opens in which you can specify the settings of the created rule.

1 Application rules monitor connections only by TCP and UDP protocols.

12 | 2 5


4. In the Network rule window in the Action section select the Block action. 5. Check the Log events box if you want the rule action to be displayed in the report. 6. In the Network service section select the Any network activity service. 7. In the Address section select Subnetwork addresses with status and in the drop-down

menu select the Public networks item. 8. In the Network rule window click the OK button. The created rule will appear on the

Filtering rules tab in the list of packet rules for QIP 2010. 9. In the Firewall window click the OK button. 10. In the Settings window click the Apply button.

Editing application rules For the default network rules created by the application only the action can be changed. To change the action, please do the following:


2. In the Firewall window on the Filtering rules tab select the necessary application. 3. In the list of rules for the selected application select the rule whose action you want to edit. 4. In the Action column of the selected application right-click the action icon.

13 | 2 5


5. In the context menu select the necessary action. 6. In the Firewall window click the OK button. 7. In the Settings window click the Apply button.

For the network rule created by the user all specified settings can be changed. To change the settings, please do the following:


14 | 2 5


2. In the Firewall window on the Filtering rules tab select the application whose rule

you want to edit. 3. From the list of rules select the rule you want to edit. 4. Click the Edit link at the bottom of the window. In the Network rule window modify

the settings of the selected rule.

5. Modify the necessary settings. 6. In the Network rule window click the OK button. 7. In the Firewall window click the OK button.

15 | 2 5


8. In the Settings window click the Apply button. Configuring network service When creating any network rule you should specify the network service. Settings characterizing the activity of the network for which a rule is created are described by the network service. You can select type of the network activity from the list or create a new type. Network service includes the following parameters:

• Name. Preferably use the names which would explicitly describe the rule. For example, DNS over TCP.

• Protocol. Firewall restricts connections via TCP, UDP, ICMP, ICMPv6, IGMP and GRE 2

• Direction. Firewall controls connections with the following directions:

protocols. If protocol ICMP or ICMPv6 was selected as the protocol, you can specify the type and the code of the ICMP packet.

o Inbound. A rule is applied to data packets received by your computer. o Inbound (stream). The rule is for network connections created from another

computer. o Inbound/Outbound. The rule is for inbound and outbound data packets and data

streams regardless the direction. o Outbound. A rule is applied to data packets transferred from your computer. o Outbound (stream). The rule is only for network connections created by your

computer. • Remote and Local ports. You can specify ports which are used by your and remote

computers for TCP and UDP protocols. These ports will be controlled by Firewall. Allocating range of IP-addresses While creating the rule's conditions you can specify the network service and the network address. You can use an IP address as the network address or specify the network status. In the latter case the addresses will be copied from all networks that are connected and have the specified status at this moment. You can select one of the following statuses:

• Any address – the rule will be applied to any IP address; • Subnetwork addresses with status – the rule will be applied to IP addresses of all

networks that are connected and have the specified status at the moment: o Trusted networks o Local networks o Public networks

2 TCP, UDP, ICMP, ICMPv6, IGMP, GRE are protocols (sets of rules) of the data transfer in the network. ICMP-packet —is a packet which contains the error message about the error or any other exceptional situation which occurred during the data transfer. The fields code and type of the ICMP-packet correspondingly contain the type and code of the occurred situation.

16 | 2 5


• Addresses from group – the rule will be applied to IP addresses included into the

specified range. Select one of the existing group of addresses. If no range of IP addresses in any group satisfies you, create a new one.

For this perform the following steps: 1. At the bottom part of the section click on the Add link. 2. In the Network addresses window specify the addresses which would belong to the group.

17 | 2 5


A method to allocate IP-addresses using Classless Inter-Domain Routing (CIDR) 3

CIDR uses Variable Length Subnet Mask (VLSM) whereas in Class Inter-Domain Routing the mask length is strictly set by 0,1,2 or 3 bytes.

has been implemented in KSOS 2.

For example, let’s take a record of the range of IP-addresses as 10.96.0.0/11. In this case the subnet mask will look as 11111111 11100000 00000000 00000000, or as 255.224.0.0 in a decimal view. 11 bits of the IP-address are allocated to the number of network; the other 21 bits (32-11= 21) of the full address are allocated to the local address in the network. To sum up, 10.96.0.0/11 is a range of addresses from 10.96.0.1 to 10.127.255.255. Remember, when defining CIDR-addressing in the networks of the IP-protocol version 4 (IPv4) in any case the rule will be applied to the whole network. To convert IP-addresses into CIDR Kaspersky Lab experts recommend using any web site which provides free service of converting IP-addresses to CIDR-addressing (for example, the web site http://ip2cidr.com/

).

3 CIDR (Classless InterDomain Routing, CIDR) is the method of IP-addressing which allows managing the range of IP-address flexibly, without rigid frames of the Class Inter-Domain Routing. CIDR allows using the end resource of IP-addresses economically, thus enhancing efficiency of KSOS 2.

18 | 2 5


Changing the rule for a group of applications Firewall analyzes the activity of each application running on your computer. Depending on the threat rating, every application is included to one of the following groups:

• Trusted 4

• Low Restricted

. Trusted applications are applications with digital signatures of trusted vendors and applications signatures of those are included to the trusted applications database. Activities of such applications are monitored by Proactive Defense and File Anti-Virus.

5

• High Restricted

. Low restricted applications are applications which are without digital signatures of trusted vendors and which are not included to the trusted applications database. Nevertheless, the low risk rating is assigned to such applications..

6

• Untrusted

. High restricted applications are applications without digital signatures and which are not included to the trusted applications database. The high risk rating is assigned to such applications.

7

You can modify rules for a whole group.

. Untrusted applications are applications without digital signatures and which are not included to the trusted applications database. Very high risk rating is assigned to such applications.

Custom rules for individual applications have a higher priority than the rules inherited from a group. If you create an allowed rule for a whole group of applications and a prohibited rule for a certain application from this group, then any network activity of a certain application will be restricted according to a rule for this application, because it has a higher priority level. In order to change rules for a group of applications, for example, if you want that low restricted programs would have unrestricted rights to the network activity within the local networks, perform the following actions:

1. In the left part of the Settings window, in the Rules for application groups section click the Configure rules button.

4 Applications of that group are allowed to perform any network activity irrespectively of the network status. 5 Applications of that group are allowed to perform any network activity in non-interactive mode. If you are using the interactive mode, a notification will be displayed on the screen using which you can allow or block a connection, or create an application rule using the Wizard. 6 Applications of that group are not allowed to perform network activity in non-interactive mode. If you are using the interactive mode, a notification will be displayed on the screen using which you can allow or block a connection, or create an application rule using the Wizard. 7 Any network activity is prohibited for the applications of that group.

19 | 2 5


2. In the Network rules for groups of applications window click the «+» icon in the header

of the Networks column.

3. Select the Low Restricted applications group. 4. For the selected applications group under Local networks right-click the action icon of the

network rule. 5. In the context menu select the Allow action. 6. In the Network rules for groups of applications window click the OK button.

20 | 2 5



Now all programs from the Low Restricted group have unrestricted rights to the network activity within the local networks. Changing the rule priority The priority of a rule is determined by its position on the list of rules. The first rule on the list has the highest priority. Each packet rule created manually will be added to the end of the list of packet rules. Application groups are integrated by the name of the program and rule priority applies to a definite group only. Manually created rules for applications have a higher priority, than the rules inherited from the group. To change the rule priority, please perform the following actions:

1. In the left part of the Settings window in the Firewall section click the Settings button. 2. In the Firewall window on the Filtering rules tab select a rule and move it to the necessary

position in the list using the Move up and Move down links. 3. In the Firewall window click the OK button.

21 | 2 5



Extending the range of IP addresses Each network matches one or more ranges of IP address. If you connect to a network, access to subnetwork of which is performed via a router, you can manually add subnetworks accessible through it. Example: You are connecting to the network in an office of your company and wish to use the same filtering rules for the office where you are connected directly and for the offices accessible over the network. Obtain network address ranges for those offices from the network administrator and add them. To extend the range of network address, please perform the following:

1. In the left part of the Settings window select the Firewall component and in the right part of the window click the Settings button.

2. In the Firewall window on the Networks tab select an active network connection and click the Edit link.

22 | 2 5


3. In the Network connection window on the Properties tab in the Additional subnetworks

section click the Add button. 4. In the IP address window specify an IP address or an address mask.

5. Click the OK button. 6. In the Networks connections window click the OK button. 7. In the Firewall window click the OK button. 8. In the Settings window click the OK button.

23 | 2 5


Configuring notifications of changes in the network Network connection settings can be changed during the work. You can receive notifications of the following modifications in the settings:

► network connection; ► changes in matches between MAC address and IP address, which occurs for example,

when a computer is assigned a new IP address by the DHCP service; ► changing MAC address, which occurs when the network adapter is changed.

To enable notification about changes to network connection settings, please perform the following:


2. In the Firewall window on the Networks tab select an active network connection and click the Edit link.

3. In the Network connection window go to the Additional tab. 4. Check the boxes for the events about which you wish to receive notifications. 5. Click the OK button in the Network connection window.

24 | 2 5


6. In the Firewall window click the OK button. 7. In the Settings window click the Apply button.

Advanced Firewall settings You can specify additional settings of the Firewall operation:

► Allow active FTP mode. Active mode suggests that to ensure connection between the server on the client computer a port to which the server will connect will be opened on the client computer (unlike the passive mode when the client connects to the server). The mode allows to control which exactly port will be opened. The mechanism works even if a blocking rule was created. By default, active FTP mode is allowed.

► Block connections if there is no possibility to prompt for action (application interface is not loaded). This setting allows to avoid disruption of the Firewall operation when the interface of KSOS 2 is not loaded. This is the default action.

► Do not disable Firewall until the system totally stops. This setting allows to avoid disruption of the Firewall operation until the system is completely stopped. This is the default action.

By default all settings are enabled. To modify advanced Firewall settings, please perform the following:


2. In the Firewall window on the Filtering rules tab click the Additional button.

25 | 2 5


3. In the Additional window check or clear the boxes next to the necessary settings. 4. In the Additional window click the OK button.

5. In the Firewall window click the OK button. 6. In the Settings window click the OK button.

Firewall working features When working with the Firewall component you should remember about the following peculiarities:

► Firewall rules do not influence Network Attack Blocker; ► For the zone Local network ICMP packages are always allowed.

firewall - utils.kaspersky.comutils.kaspersky.com/special/ksos2/14_ksos2_firewall_en.pdf1 | 25...

Documents