Firewall (Windows computers)

Advanced EPDR monitors the communications sent and received by each computer on the network, blocking all traffic that matches the rules defined by you. This module is compatible with both IPv6 and IPv4 and includes multiple tools for filtering network traffic:

  • System rules: Describe communication characteristics (ports, IP addresses, protocols, etc.), allowing or denying the data flows that match the configured rules.

  • Program rules: Allow or prevent the programs installed on users’ computers from communicating with other computers.

  • Intrusion detection system: Detects and rejects malformed traffic patterns that can affect the security or performance of protected computers.

Operating mode

This is defined through the option Let computer users configure the firewall:

  • Enabled (user-mode or self-managed firewall): Enables users to manage the firewall protection from the local console installed on their computers.

  • Disabled (administrator-mode firewall): You configure the firewall protection of all computers on the network through settings profiles.

Network types

Laptops and mobile devices can connect to networks with different security levels, from public Wi-Fi networks, such as those in Internet cafés, to managed and limited-access networks, such as those found in companies. You have two options to set the default behavior of the firewall protection: manually select the type of network that the computers in the configured profile usually connect to, or let Advanced EPDR select the most appropriate network type.

Network type Description

Public network

Networks in public places such as airports, Internet cafés, and universities. Computers are not visible to other users on the network and some programs have limited access to the network. Limitations must be established on the way protected computers are used and accessed, especially with regard to file, resource, and directory sharing. Cytomic rules are enabled or disabled according to the administrator’s criteria.

Trusted network

Home or office networks when you know and trust the other users and devices on the network. Computers are visible to other computers and devices on the network. Cytomic rules are not applied, so there are no restrictions on sharing files, resources, or directories.

Detect automatically

The network type (public or trusted) is selected automatically based on the rules you specify. Click the link Configure rules to determine when a computer is connected to a trusted network.

Network types supported by the firewall

Advanced EPDR behaves differently and applies different predetermined rules automatically depending on the type of network selected. These predetermined rules are referred to as ‘Cytomic rules’ in the Program rules and Connection rules sections.

Each network interface on a computer has a specific type of network assigned to it. Computers with multiple network interfaces can have different network types assigned, and different firewall rules for each network interface.

Configuring rules for trusted access

Advanced EPDR enables you to add and configure rules to determine whether a computer is connected to a trusted network. If none of these conditions is met, then the network type selected for the network interface is public network.

To be considered on a trusted network, the computer must be able to resolve a domain previously defined on an internal DNS server. If the computer can connect to the DNS server and resolve the configured domain, then it is connected to the company network, and the firewall assumes the computer is connected to a trusted network.

Next is a configuration example:

  • In this example, the organization’s primary DNS zone is "mycompany.com".

  • Add a Type A record with the "firewallcriterion” name to the primary zone of your organization’s internal DNS server (“mycompany.com”). You do not need to specify an IP address because it is not used to validate the criterion.

  • Based on these settings, "firewallcriterion.mycompany.com" is the domain that Advanced EPDR tries to resolve in order to check that it is connected to the company’s network.

  • Restart the DNS server if required and make sure "firewallcriterion.mycompany.com" is resolved successfully from all segments of the internal network with the tools nslookup, dig, or host.

  • From the Advanced EPDR console, click the link Configure rules to determine when a computer is connected to a trusted network. A dialog box opens. Enter the following data:

    • Criterion name: Type a name for the rule you want to add.. For example “myDNScriterion”.

    • DNS server: Type the IP address of the DNS server in your company network that can resolve DNS requests.

    • Domain: Type the domain to send to the DNS server for resolution. Enter “firewallcriterion.mycompany.com”.

  • Click OK and Save. Click Save again.

  • After the criterion has been configured and applied, the computer tries to resolve the "firewallcriterion.mycompany.com" domain on the specified DNS server every time an event occurs on the network interface (connect, disconnect, IP address change, etc.). If DNS resolution succeeds, the settings assigned to the trusted network are assigned to the network interface used.

Program rules

In this section you can configure program rules to control which programs can communicate with the local network and Internet.

To build an effective protection strategy, follow these steps in the order listed:

  1. Set the default action.

Action Description

Allow

Implements a permissive strategy based on always accepting connections for all programs for which you have not configured a specific rule in step 3. This is the default, basic mode.

Deny

Implements a restrictive strategy based on always denying connections for all programs for which you have not configured a specific rule in step 3. This is an advanced mode, as it requires adding rules for every frequently used program. Otherwise, they will not be allowed to communicate, affecting their performance.

Types of default actions supported by the firewall for the programs installed on computers

  1. Enable or disable Cytomic rules.

This only applies if the computer is connected to a public network.

  1. Add rules to define the specific behavior of your applications.

Edit controls for connection rules

You can change the order of the program rules, as well as adding, editing, or removing them by using the Up (1), Down (2), Add (3), Edit (4),and Delete (5) buttons on the right. Use the checkboxes (6) to select the rules you want to apply each action to.

Complete the following fields to create a rule:

  • Description: Type a description of the new rule.

  • Program: Select a program you want to configure connection options for.

  • Connections allowed for this program: Select an option to specify whether to allow or deny connections for the program:

Field Description

Allow inbound and outbound connections

The program can connect to the local network and Internet. Also, other programs or users can connect to it. There are certain types of programs that need these permissions to work correctly: file sharing programs, chat applications, Internet browsers, etc.

Allow outbound connections

The program can connect to the local network and Internet, but does not accept inbound connections from other users or applications.

Allow inbound connections

The program accepts connections from programs or users from the local network and Internet, but is not allowed to establish outbound connections.

Deny all connections

The program cannot connect to the local network or Internet.

Communication modes for allowed programs

  • Advanced permissions: Specify parameters of the traffic you want to allow or deny.

Field Description

Action

Defines the action that Advanced EPDR takes when the examined traffic matches the rule.

  • Allow: Allows the traffic.

  • Deny: Blocks the traffic. It drops the connection.

Direction

Sets the traffic direction for connection protocols such as TCP.

  • Outbound: Traffic from the user’s computer to another computer on the network.

  • Inbound: Traffic to the user’s computer from another computer on the network.

Zone

Applies only if the zone matches the zone configured in Network types. Rules whose Zone is set to All are applied at all times irrespective of the network type configured in the Firewall settings.

Protocol

Establish the layer 3 protocol for the traffic generated by the program you want to control:

  • All

  • TCP

  • UDP

IP

  • All: The rule does not take into account the connection source and target IP addresses.

  • Custom: Specify the source or target IP address of the traffic to control. You can enter multiple addresses, separated by commas (,). To specify a range, use a hyphen (-). From the drop-down menu, select if the IP addresses are IPv4 or IPv6. You cannot mix different types of IP addresses in the same rule.

  • Ports: Specify the communication port. Select Custom to enter multiple ports, separated by commas (,). To specify a range, use a hyphen (-).

Advanced communication options for allowed programs

Connection rules

Connection rules define traditional TCP/IP traffic filtering. Advanced EPDR extracts the values of fields in the headers of each packet sent and received by protected computers and checks them against the predefined rules and any custom rules you create If the traffic matches any of the rules, the solution takes the specified action.

Connection rules affect the entire system (regardless of the process that manages them). They have priority over program rules that control the connection of programs to the Internet and local network.

To build an effective strategy to protect the network against dangerous and unwanted traffic, follow these steps in the order listed:

  1. Specify the firewall’s default action in the Program rules section.

Action Description

Allow

Implements a permissive strategy based on always accepting all connections for which you have not configured a specific rule in step 3. This is the default, basic configuration mode: All connections for which there is not an existing rule are automatically accepted.

Deny

Implements a restrictive strategy based on always denying all connections for which you have not configured a specific rule in step 3. This is an advanced mode: All connections for which there is not an existing rule are automatically denied.

Types of default actions supported by the firewall for the programs installed on users’ computers

  1. Enable or disable Cytomic rules.

This only applies if the computer is connected to a public network.

  1. Add rules that describe specific connections along with the associated action.

Edit controls for connection rules

You can change the order of the firewall connection rules, as well as adding, editing, or removing them by using the Up (1), Down (2), Add (3), Edit (4), and Delete (5) buttons to their right. Use the checkboxes (6) to select the rules you want to apply each action to.

The order of the rules in the list is not random. They are applied in descending order. If you change the position of a rule, you also change its priority.

The following is a description of the fields found in a connection rule:

Field Description

Name

Type a name for the rule.

Description

Type a description of the traffic filtered by the rule.

Direction

Sets the traffic direction for connection protocols such as TCP.

  • Outbound: Outbound traffic.

  • Inbound: Inbound traffic.

Zone

The rule only applies if the value specified here matches the network type configured in Network types. If you select All, then the rule applies at all times, regardless of the network type configured.

Protocol

Select the traffic protocol. The options vary for the protocol you select:

  • TCP, UPD, TCP/UDP: Define TCP and/or UDP rules, including local and remote ports.

    • Local ports: Select the connection port used on the user’s computer. Select Custom to enter multiple ports separated by commas (,) or a range separated with a hyphen (-).

    • Remote ports: Select the connection port used on the remote computer. Select Custom to enter multiple ports separated by commas (,) or a range separated with a hyphen (-).

  • ICMP services: Create rules that describe ICMP messages, indicating their type and subtype.

  • ICMPv6 services: Create rules that describe ICMP messages over IPv6, indicating their type and subtype.

  • IP Types: Select the higher-level protocols you want to apply the rule to.

IP addresses

Specify the source or target IP address of the traffic to control. You can enter multiple addresses, separated by commas. To specify a range, use a hyphen (-).

From the drop-down menu, select if the IP addresses are IPv4 or IPv6. You cannot mix different types of IP addresses in the same rule.

MAC addresses

Specify the source or target MAC address of the traffic to control.

Settings options for connection rules

The source and target MAC addresses included in packet headers are overwritten every time the traffic goes through a proxy, router, etc. The data packets reach their destination with the MAC address of the last device that handled the traffic.

Block intrusions

The intrusion detection system (IDS) enables you to detect and reject malformed traffic specially crafted to impact the security and performance of protected computers. This traffic can cause malfunction of user programs, lead to serious security issues, and allow remote execution of applications by hackers, data theft, etc.

The following is a description of the types of malformed traffic supported and the protection provided:

Field Description

IP Explicit Path

Rejects IP packets that contain an explicit source route field. These packets are not routed based on their target IP address. Routing information is defined beforehand.

Land Attack

Stops denial-of-service attacks that use TCP/IP stack loops. Detects packets with identical source and target addresses.

SYN Flood

This attack type launches TCP connection attempts to force the targeted computer to commit resources for each connection. The protection establishes a maximum number of open TCP connections per second to prevent saturation of the computer under attack.

TCP Port Scan

Detects if a host tries to connect to multiple ports on the protected computer in a specific time period. The protection filters both the requests to open ports and the replies to the malicious computer. The attacking computer is unable to obtain information about the status of the ports.

TCP Flags Check

Detects TCP packets with invalid flag combinations. It acts as a complement to the protection against port scanning. It blocks attacks such as “SYN&FIN” and “NULL FLAGS”. It also complements the protection against OS fingerprinting attacks as many of those attacks are based on replies to invalid TCP packets.

Header Lengths

  • IP: Rejects inbound packets with a IP header length that exceeds a specific limit.

  • TCP: Rejects inbound packets with a TCP header length that exceeds a specific limit.

  • Fragmentation Overlap: Checks the status of the packet fragments to be reassembled at the destination, which protects the system against memory overflow attacks due to missing fragments, ICMP redirects masked as UDP, and computer scanning.

UDP Flood

Rejects UDP streams to a specific port if the number of UDP packets exceeds a preconfigured threshold in a particular period.

UDP Port Scan

Protects the system against UDP port scanning attacks.

Smart WINS

Rejects WINS replies that do not correspond to requests sent by the computer.

Smart DNS

Rejects DNS replies that do not correspond to requests sent by the computer.

Smart DHCP

Rejects DHCP replies that do not correspond to requests sent by the computer.

ICMP Attack

  • Small PMTU: Detects invalid MTU values used to generate a denial-of-service attack or slow down outbound traffic.

  • SMURF: Attacks involve sending large amounts of ICMP (echo request) traffic to the network broadcast address with a source address spoofed to the victim’s address. Most computers on the network will reply to the victim, which multiplies traffic flows. The solution rejects unsolicited ICMP replies if they exceed a certain threshold in a specific time period.

  • Drop Unsolicited ICMP Replies: Rejects all unsolicited and expired ICMP replies.

ICMP Filter Echo Request

Rejects ICMP echo request packets.

Smart ARP

Rejects ARP replies that do not correspond to requests sent by the protected computer to avoid ARP cache poisoning scenarios.

OS Detection

Falsifies data in replies to the sender to trick operating system detectors. It prevents attacks on vulnerabilities associated with the operating system. . This protection complements the TCP Flag Checker.

Supported types of malformed traffic
Do not block intrusions from the following IP addresses:

Enables you to exclude certain IP addresses and/or IP address ranges from the detections made by the firewall.