Intrusion Defense Firewall 1.2 User's Guide - Trend Micro? Online ...
1. First enable stateful inspection for TCP, UDP, and ICMP using a global stateful configuration with<br />
these options enabled.<br />
2. Add a <strong>Firewall</strong> Rule to allow TCP and UDP replies to requests originated on the workstation. To do<br />
this, create an incoming allow rule with the protocol set to "TCP + UDP" and select the Not<br />
checkbox and the Syn checkbox under Specific Flags. At this point the policy only allows TCP<br />
and UDP packets that are replies to requests initiated by a user on the workstation. For example,<br />
in conjunction with the stateful analysis options enabled in step 1, this rule allows a user on this<br />
computer to perform DNS lookups (via UDP) and to browse the Web via HTTP (TCP).<br />
3. Add a <strong>Firewall</strong> Rule to allow ICMP replies to requests originated on the workstation. To do this,<br />
create an incoming allow rule with the protocol set to "ICMP" and select the Any Flags checkbox.<br />
This means that a user on this computer can ping other workstations and receive a reply but<br />
other users will not be able to ping this computer.<br />
4. Add a <strong>Firewall</strong> Rule to allow incoming TCP traffic to port 80 and 443 with the Syn checkbox<br />
checked in the Specific Flags section. This means that external users can access a Web server<br />
on this computer.<br />
At this point we have a basic firewall policy that allows solicited TCP, UDP and ICMP replies and external<br />
access to the Web server on this computer; all other incoming traffic is denied.<br />
For an example of how deny and force allow rule actions can be used to further refine this profile,<br />
consider how we may want to restrict traffic from other computers in the network. For example, we may<br />
want to allow access to the Web server on this computer to internal users but deny access from any<br />
computers that are in the DMZ. This can be done by adding a deny rule to prohibit access from servers in<br />
the DMZ IP range.<br />
5. Next we add a deny rule for incoming TCP traffic with source IP 10.0.0.0/24, which is the IP<br />
range assigned to computers in the DMZ. This rule denies any traffic from computers in the DMZ<br />
to this computer.<br />
We may, however, want to refine this policy further to allow incoming traffic from the mail server, which<br />
resides in the DMZ.<br />
6. To do this we use a force allow for incoming TCP traffic from source IP 10.0.0.100. This force<br />
allow overrides the deny rule we created in the previous step to permit traffic from this one<br />
computer in the DMZ.<br />
Important things to remember<br />
All traffic is first checked against <strong>Firewall</strong> Rules before being analyzed by the stateful inspection<br />
engine. If the traffic clears the <strong>Firewall</strong> Rules, the traffic is then analyzed by the stateful<br />
inspection engine (provided stateful inspection is enabled in the stateful configuration).<br />
Allow rules are prohibitive. Anything not specified in the allow rules is automatically dropped.<br />
This includes traffic of other frame types so you need to remember to include rules to allow other<br />
types of required traffic. For example, don't forget to include a rule to allow ARP traffic if static<br />
ARP tables are not in use.<br />
If UDP stateful inspection is enabled, a force allow rule must be used to allow unsolicited UDP<br />
traffic. For example, if UDP stateful inspection is enabled on a DNS server, then a force allow for port 53 is<br />
required to allow the server to accept incoming DNS requests.<br />
If ICMP stateful inspection is enabled, a force allow rule must be used to allow unsolicited ICMP<br />
traffic. For example, if you wish to allow outside ping requests, a force allow rule for ICMP type 3<br />
(Echo Request) is required.<br />
A force allow acts as a trump card only within the same priority context.<br />
If you do not have a DNS or WINS server configured (which is common in test environments), a<br />
force allow incoming UDP port 137 rule may be required for NetBIOS.<br />
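The following is an added example, not code from the Intrusion Defense Firewall product or this guide: a small Python model of the rule precedence the walkthrough (steps 2 to 6) and the notes above rely on, so that the verdicts for DMZ hosts, the mail server and unsolicited connections can be checked before a policy is deployed. It assumes a single priority context, that a force allow beats a deny and a deny beats an allow when several rules match, and that once any allow rule exists, unmatched incoming traffic is dropped; the internal address 192.168.1.10 and the DMZ host 10.0.0.5 are constructed sample values, and the stateful inspection stage that runs after the rules is not modelled.

```python
# Added example, not Trend Micro code: a simplified model of the firewall-rule
# precedence this page describes, applied to the walkthrough's own policy.
# Assumptions: a single priority context; force allow beats deny beats allow;
# once any allow rule exists, unmatched incoming traffic is dropped.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str          # "allow", "deny" or "force_allow"
    proto: str           # "tcp", "udp", "icmp" or "tcp+udp"
    ports: set = None    # destination ports; None = any port
    syn: bool = None     # True = Syn, False = Not Syn, None = Any Flags
    src: str = None      # source IP or CIDR; None = any source

@dataclass
class Packet:
    proto: str
    dport: int = 0
    syn: bool = False
    src: str = "192.168.1.10"   # constructed internal address

def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto in rule.proto.split("+")
            and (rule.ports is None or pkt.dport in rule.ports)
            and (rule.syn is None or rule.syn == pkt.syn)
            and (rule.src is None or ip_address(pkt.src) in ip_network(rule.src)))

RANK = {"force_allow": 0, "deny": 1, "allow": 2}   # lower rank wins

def decide(rules, pkt: Packet) -> str:
    """Firewall-rule verdict ('allow' or 'deny') for one incoming packet;
    stateful inspection, which runs afterwards, is not modelled here."""
    hits = [r for r in rules if matches(r, pkt)]
    if hits:
        winner = min(hits, key=lambda r: RANK[r.action])
        return "deny" if winner.action == "deny" else "allow"
    # Allow rules are prohibitive: anything they do not cover is dropped
    return "deny" if any(r.action == "allow" for r in rules) else "allow"

# Steps 2 to 6 of the walkthrough (step 1 configures stateful inspection)
POLICY = [
    Rule("allow", "tcp+udp", syn=False),               # 2: replies only (Not Syn)
    Rule("allow", "icmp"),                             # 3: ICMP, Any Flags
    Rule("allow", "tcp", ports={80, 443}, syn=True),   # 4: inbound web access
    Rule("deny", "tcp", src="10.0.0.0/24"),            # 5: block the DMZ range
    Rule("force_allow", "tcp", src="10.0.0.100"),      # 6: except the mail server
]
```

Calling `decide(POLICY, Packet("tcp", 80, syn=True, src="10.0.0.5"))` returns "deny" while the same packet from 10.0.0.100 returns "allow", which is the deny-versus-force-allow behaviour steps 5 and 6 describe.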
When troubleshooting a new firewall policy the first thing you should do is check the <strong>Firewall</strong> Rule<br />
logs on the Client Plug-in. The <strong>Firewall</strong> Rule logs contain all the information you need to determine<br />
what traffic is being denied by <strong>Firewall</strong> elements that have been defined so that you can further refine<br />
your policy as required.<br />
© Copyright 2010 <strong>Trend</strong> <strong>Micro</strong> Inc. www.trendmicro.com<br />
All rights reserved. - 125 -