Intrusion Defense Firewall 1.2 User's Guide - Trend Micro
Bypass
Force Allow
Deny
Allow
Log Only
It is important to remember that if a force allow rule and a deny rule have the same priority, the force allow rule takes precedence over the deny rule, so traffic matching the force allow rule is permitted. For that reason a force allow rule should be scoped as tightly as possible (for example to a single protocol and port, as in the DNS example below), because it overrides every deny rule at its priority level.
Stateful Filtering
When stateful analysis is enabled, packets are analyzed in the context of traffic history, the correctness of TCP and IP header values, and TCP connection state transitions. For connectionless protocols (e.g. UDP and ICMP) a pseudo-stateful mechanism is implemented based on historical traffic analysis.
A packet is passed through the stateful routine only if it is explicitly allowed by the static rules.
The packet is checked against the connection table for matching endpoints to determine whether it belongs to an existing connection.
The TCP header is examined for correctness (e.g. sequence numbers and flag combinations).
Once enabled, the stateful engine is applied to all traffic traversing the interface.
UDP pseudo-stateful inspection, by default, rejects any incoming "unsolicited" UDP packet, that is, one that does not correspond to a recently sent outgoing datagram. If a Computer is running a UDP server, a force allow rule must be included in the policy to permit access to that service. For example, if UDP stateful inspection is enabled on a DNS server, a force allow rule permitting incoming UDP traffic to port 53 is required.
ICMP pseudo-stateful inspection, by default, rejects any incoming unsolicited ICMP request-reply and error type packets. A force allow rule must be explicitly defined for any unsolicited ICMP packet that should be admitted. All other ICMP packets (those that are neither request-reply nor error type) are dropped unless explicitly allowed by static rules.
Putting it all together to design a Firewall Policy
Generally speaking, there are two approaches when defining a firewall policy for a Computer:
Prohibitive: That which is not expressly allowed is prohibited. Prohibitive policies are created by using a combination of allow rules to describe the permitted traffic and deny rules to further restrict that traffic.
Permissive: That which is not expressly prohibited is allowed. Permissive policies are created through the exclusive use of deny rules to describe the traffic that should be dropped.
In general, prohibitive policies are preferred and permissive policies should be avoided.
Force allow rules should only be used in conjunction with allow and deny rules, to re-admit a subset of the traffic that the allow and deny rules prohibit. Force allow rules are also required to admit unsolicited ICMP and UDP traffic when ICMP and UDP stateful inspection are enabled.
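The three points made above (force allow beating deny at the same priority, the UDP pseudo-stateful rejection of unsolicited datagrams, and the prohibitive versus permissive policy styles) can be seen together in a small simulator. The following is an added example written for this page, not Trend Micro code and not the product's engine: the Packet and Rule layouts, the assumption that all rules share one priority level, the rule that any allow rule flips the implicit default to deny, and the sample addresses are all constructed for the illustration.

```python
# Added illustration for this page (not Trend Micro code): a toy model of the
# rule-action precedence, the UDP pseudo-stateful check and the prohibitive vs
# permissive policy styles described above. Packet/Rule layouts, the single
# priority level and the "implicit default" logic are assumptions.
from dataclasses import dataclass
from typing import Optional

# Actions in the precedence order listed on the page, highest first. Every rule
# is treated as sharing one priority level, the case the page spells out.
PRECEDENCE = ["bypass", "force_allow", "deny", "allow", "log_only"]

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "in" or "out", relative to the protected Computer
    remote: str      # remote IP address (constructed sample values below)
    rport: int       # remote port
    lport: int       # local port on the protected Computer

@dataclass(frozen=True)
class Rule:
    action: str                  # one of PRECEDENCE
    direction: str = "any"       # "in", "out" or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    lport: Optional[int] = None  # None matches any local port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and (self.lport is None or self.lport == pkt.lport))

class Firewall:
    def __init__(self, rules, udp_stateful=True):
        self.rules = list(rules)
        self.udp_stateful = udp_stateful
        self.logged = []
        # UDP pseudo-connection table: (remote, rport, lport) triples seen on
        # outbound packets or admitted by force allow; a reply must match one.
        self.udp_table = set()
        # Assumed model of the two policy styles: any allow rule makes the policy
        # prohibitive (default deny); deny rules alone leave it permissive.
        self.default = "deny" if any(r.action == "allow" for r in self.rules) else "allow"

    def _static(self, pkt: Packet) -> str:
        """Winning static action; log-only rules record the packet but never decide."""
        hits = [r.action for r in self.rules if r.matches(pkt)]
        if "log_only" in hits:
            self.logged.append(pkt)
        decisive = [a for a in hits if a != "log_only"]
        # Lowest PRECEDENCE index wins: force_allow beats deny, deny beats allow.
        return min(decisive, key=PRECEDENCE.index) if decisive else self.default

    def _udp_stateful(self, pkt: Packet, forced: bool) -> str:
        key = (pkt.remote, pkt.rport, pkt.lport)
        if pkt.direction == "out" or forced:
            self.udp_table.add(key)  # solicits the reply / remembers a forced peer
            return "allow"
        return "allow" if key in self.udp_table else "deny"  # unsolicited inbound

    def filter(self, pkt: Packet) -> str:
        action = self._static(pkt)
        if action in ("bypass", "deny"):
            return action  # bypass skips the stateful routine entirely
        # allow / force_allow: the packet is handed to the stateful routine
        if pkt.proto == "udp" and self.udp_stateful:
            return self._udp_stateful(pkt, forced=(action == "force_allow"))
        return "allow"

def precedence_demo():
    """Deny all inbound TCP plus force allow inbound TCP/22: 22 passes, 80 is denied."""
    fw = Firewall([Rule("deny", "in", "tcp"), Rule("force_allow", "in", "tcp", 22)])
    ssh = Packet("tcp", "in", "203.0.113.9", 51515, 22)
    http = Packet("tcp", "in", "203.0.113.9", 51516, 80)
    return fw.filter(ssh), fw.filter(http)

def dns_server_demo():
    """With UDP stateful on, an allow rule alone cannot admit unsolicited queries."""
    query = Packet("udp", "in", "198.51.100.7", 40001, 53)
    allow_only = Firewall([Rule("allow", "in", "udp", 53)])
    forced = Firewall([Rule("allow", "in", "udp", 53), Rule("force_allow", "in", "udp", 53)])
    return allow_only.filter(query), forced.filter(query)

def solicited_udp_demo():
    """An outbound query records state, so its reply passes; a stray datagram does not."""
    fw = Firewall([Rule("allow", "out", "udp"), Rule("allow", "in", "udp")])
    query = Packet("udp", "out", "192.0.2.53", 53, 50000)
    reply = Packet("udp", "in", "192.0.2.53", 53, 50000)
    stray = Packet("udp", "in", "192.0.2.53", 53, 50001)
    return fw.filter(query), fw.filter(reply), fw.filter(stray)

def policy_style_demo():
    """Inbound TCP/443 under a prohibitive and under a permissive policy."""
    https = Packet("tcp", "in", "203.0.113.9", 51517, 443)
    prohibitive = Firewall([Rule("allow", "in", "tcp", 80)])
    permissive = Firewall([Rule("deny", "in", "tcp", 23)])
    return prohibitive.filter(https), permissive.filter(https)
```

The dns_server_demo function is the case the text warns about: the allow rule lets the query reach the stateful routine, which then drops it as unsolicited, and only the additional force allow rule admits it. The precedence_demo function shows why that force allow rule must be narrow: a broad deny is overridden for every packet the force allow rule matches.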
Example
Take the example of how a simple firewall policy can be created for a Web server.
© Copyright 2010 Trend Micro Inc. www.trendmicro.com
All rights reserved. - 124 -