Firewall settings

The Firewall module provides bidirectional stateful firewall protection. It prevents denial of service attacks and provides coverage for all IP-based protocols and frame types as well as filtering for ports and IP and MAC addresses.

You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). The Firewall section of the Computer or Policy editor has the following tabbed sections:

This article includes references to the Deep Security Virtual Appliance, which is not available with Deep Security as a Service.

General

Firewall

You can configure this Policy or Computer to inherit its Firewall On/Off state from its parent Policy or you can lock the setting locally.

Firewall Stateful Configurations

Select which Firewall Stateful Configuration to apply to this Policy. If you have defined multiple Interfaces for this Policy (above), you can specify independent configurations for each interface.

Port Scan (Computer Editor only)

Does not apply to Deep Security as a Service

Last Port Scan: The last time that the Deep Security manager ran a port scan on this computer.

Scanned Ports: The ports that were scanned during the most recent port scan.

Open Ports: Listed beneath the IP address of the local computer will be a list of ports that were found to be open.

The Scan For Open Ports and the Cancel Port Scan buttons let you initiate or cancel a port scan on this computer. Deep Security Manager will scan the range of ports defined in Computer or Policy editor > Settings > General > Open Ports > Ports to Scan.

Regardless of the ports configured to be scanned, Deep Security Manager will always scan the Agent/Appliance's listening port number for heartbeat connections from the Manager.

Assigned Firewall Rules

Displays the Firewall Rules that are in effect for this Policy or computer. To add or remove Firewall Rules, click Assign/Unassign. This will display a window showing all available Firewall Rules from which you can select or de-select Rules.

From a Computer or Policy editor window, you can edit a Firewall Rule so that your changes apply only locally in the context of your editor, or you can edit the Rule so that the changes apply globally to all other Policies and Computers that are using the Rule.

To edit the Rule locally, select the Rule and click Properties, or right-click the Rule and click Properties.

To edit the Rule globally, right-click the Rule and click Properties (Global).

Interface Isolation

Interface Isolation

You can configure this Policy or Computer to inherit its Interface Isolation enabled/disabled state from its parent Policy or you can lock the setting locally.

Before you enable Interface Isolation make sure that you have configured the interface patterns in the proper order and that you have removed or added all necessary string patterns. Only interfaces matching the highest priority pattern will be permitted to transmit traffic. Other interfaces (which match any of the remaining patterns on the list) will be "restricted". Restricted Interfaces will block all traffic unless an Allow Firewall Rule is used to allow specific traffic to pass through.

Interface Patterns

When Interface Isolation is enabled, the firewall will try to match the regular expression patterns to interface names on the local computer.

Deep Security uses POSIX basic regular expressions to match interface names. For information on basic POSIX regular expressions, see http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap09.html#tag_09_03


Selecting Limit to one active interface will restrict traffic to only a single interface (even if more than one interface matches the highest priority pattern).
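To make the ordering rules concrete, here is an added example (not Deep Security code) that classifies interface names against a priority-ordered list of POSIX basic regular expressions, compiled with the C library's regcomp without REG_EXTENDED, which is the BRE dialect named above. It assumes that list order is priority order, that the first pattern is the highest-priority one, and, since this page does not say how an interface matching no pattern is treated, leaves such interfaces unclassified.

```c
#include <regex.h>
#include <stddef.h>

/* Per-interface outcome. IFACE_UNMATCHED is an assumption of this example:
   the page does not state how an interface matching no pattern is handled. */
enum iface_state { IFACE_UNMATCHED = 0, IFACE_ALLOWED = 1, IFACE_RESTRICTED = 2 };

/* Returns 1 if `name` matches the POSIX basic regular expression `pattern`.
   REG_EXTENDED is deliberately not set, so BRE rules apply ('+' is literal,
   intervals are written \{m,n\}). An invalid pattern never matches. */
int bre_matches(const char *pattern, const char *name)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_NOSUB) != 0)
        return 0;
    int rc = regexec(&re, name, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Classifies every interface. patterns[0] is taken as the highest-priority
   pattern (assumption: list order is priority order). Interfaces matching it
   may transmit; interfaces matching any lower pattern are restricted. With
   limit_one set, only the first interface matching patterns[0] is allowed.
   Returns how many interfaces are allowed to transmit. */
size_t isolate_interfaces(const char *const *patterns, size_t npat,
                          const char *const *ifaces, size_t nif,
                          int limit_one, enum iface_state *out)
{
    size_t allowed = 0;
    for (size_t i = 0; i < nif; i++) {
        out[i] = IFACE_UNMATCHED;
        for (size_t p = 0; p < npat; p++) {
            if (!bre_matches(patterns[p], ifaces[i]))
                continue;
            if (p == 0 && !(limit_one && allowed > 0)) {
                out[i] = IFACE_ALLOWED;
                allowed++;
            } else {
                out[i] = IFACE_RESTRICTED;
            }
            break;  /* the highest-priority matching pattern decides */
        }
    }
    return allowed;
}
```

One practical check this makes visible: in BRE the + character is literal, so a pattern such as ^eth[0-9]+$ matches eth0+ but not eth0; write ^eth[0-9]\{1,\}$ instead.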

Reconnaissance

Reconnaissance Scans

The Reconnaissance page allows you to enable and configure traffic analysis settings on your computers. This feature can detect possible reconnaissance scans that attackers often use to discover weaknesses before beginning a targeted attack.

  • Reconnaissance Scan Detection Enabled: Turn the ability to detect reconnaissance scans on or off.
  • Computers/Networks on which to perform detection: Choose from the list the IPs to protect. Choose from existing IP Lists. (You can use the Policies > Common Objects > Lists > IP Lists page to create an IP List specifically for this purpose.)
  • Do not perform detection on traffic coming from: Select from a set of IP Lists which computers and networks to ignore. (As above, you can use the Policies > Common Objects > Lists > IP Lists page to create an IP List specifically for this purpose.)

For each type of attack, the agent/appliance (the Deep Security Agent and Deep Security Virtual Appliance are the components that enforce the Deep Security policies that you have defined; Agents are deployed directly on a computer, while Appliances are used in VMware vSphere environments to provide agentless protection and are not available with Deep Security as a Service) can be instructed to send the information to the Deep Security Manager where an Alert will be triggered. You can configure the Manager to send an email notification when the Alerts are triggered. (See Administration > System Settings > Alerts. The Alerts are: "Network or Port Scan Detected", "Computer OS Fingerprint Probe Detected", "TCP Null Scan Detected", "TCP FIN Scan Detected", and "TCP Xmas Scan Detected.") Select Notify DSM Immediately for this option.

For the "Notify DSM Immediately" option to work, the Agents/Appliances must be configured for Agent/Appliance initiated or bidirectional communication in Computer or Policy editor > Settings > General. If enabled, the Agent/Appliance will initiate a heartbeat to the Deep Security Manager immediately upon detecting the attack or probe.

Once an attack has been detected, you can instruct the Agents/Appliances to block traffic from the source IPs for a period of time. Use the Block Traffic lists to set the number of minutes.

  • Computer OS Fingerprint Probe: The Agents/Appliances will recognize and react to active TCP stack OS fingerprinting attempts.
  • Network or Port Scan: The Agents/Appliances will recognize and react to port scans.
  • TCP Null Scan: The Agents/Appliances will refuse packets with no flags set.
  • TCP SYNFIN Scan: The Agents/Appliances will refuse packets with only the SYN and FIN flags set.
  • TCP Xmas Scan: The Agents/Appliances will refuse packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).

"Network or Port Scans" differs from the other types of reconnaissance in that it cannot be recognized from a single packet and requires Deep Security to watch traffic for a period of time.

The Agent/Appliance reports a computer or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Normally an Agent/Appliance computer will only see traffic destined for itself, so a port scan is by far the most common type of probe that will be detected. However, if a computer is acting as a router or bridge it could see traffic destined for a number of other computers, making it possible for the Agent/Appliance to detect a computer scan (for example, scanning a whole subnet for computers with port 80 open).

Detecting these scans can take several seconds since the Agent/Appliance needs to be able to track failed connections and decide that there are an abnormal number of failed connections coming from a single computer in a relatively short period of time.

The statistical analysis method used in computer / port scan detection is derived from the "TAPS" algorithm proposed in the paper "Connectionless Port Scan Detection on the Backbone" published by Sprint/Nextel and presented at the Malware workshop, held in conjunction with IPCCC, Phoenix, AZ, USA in April, 2006.

Deep Security Agents running on Windows computers with browser applications may occasionally report false-positive reconnaissance scans due to residual traffic arriving from closed connections.
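As an added illustration (not Deep Security's implementation), the following C code shows the two kinds of check described above: the per-packet flag tests that identify Null, SYNFIN and Xmas probes, and a per-source tally of failed connections whose distinct-IP-to-distinct-port ratio separates a port scan from a computer (network) scan. The window handling and the thresholds MIN_FAILURES and RATIO are constructed for the example and are not the product's values.

```c
#include <stddef.h>
#include <stdint.h>

/* TCP header flag bits. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_PSH 0x08
#define TCP_URG 0x20

enum probe { PROBE_NONE = 0, PROBE_NULL, PROBE_SYNFIN, PROBE_XMAS };

/* Single-packet probes, exactly as the three scan types above define them. */
enum probe classify_tcp_flags(uint8_t flags)
{
    if (flags == 0)                                   return PROBE_NULL;
    if (flags == (TCP_SYN | TCP_FIN))                 return PROBE_SYNFIN;
    if (flags == (TCP_FIN | TCP_URG | TCP_PSH) || flags == 0xFF) return PROBE_XMAS;
    return PROBE_NONE;
}

/* Per-source tally of failed connections seen in one observation window:
   the distinct destination IPs and ports touched. Table sizes are constructed. */
#define MAX_DISTINCT 64
struct source_track {
    uint32_t ips[MAX_DISTINCT];   size_t nip;
    uint16_t ports[MAX_DISTINCT]; size_t nport;
    size_t failures;
};

/* Records one failed connection attempt (dst_ip:dst_port) from the source. */
void record_failure(struct source_track *t, uint32_t dst_ip, uint16_t dst_port)
{
    size_t i;
    t->failures++;
    for (i = 0; i < t->nip && t->ips[i] != dst_ip; i++) {}
    if (i == t->nip && t->nip < MAX_DISTINCT) t->ips[t->nip++] = dst_ip;
    for (i = 0; i < t->nport && t->ports[i] != dst_port; i++) {}
    if (i == t->nport && t->nport < MAX_DISTINCT) t->ports[t->nport++] = dst_port;
}

enum scan { SCAN_NONE = 0, SCAN_PORT, SCAN_NETWORK };

/* Ratio test in the spirit of the IP-to-port ratio described above: many ports
   on few hosts is a port scan, many hosts on few ports a network scan. The
   thresholds are constructed for this example, not Deep Security's values. */
#define MIN_FAILURES 8
#define RATIO 4
enum scan classify_source(const struct source_track *t)
{
    if (t->failures < MIN_FAILURES) return SCAN_NONE;  /* not enough evidence yet */
    if (t->nport >= RATIO * t->nip) return SCAN_PORT;
    if (t->nip >= RATIO * t->nport) return SCAN_NETWORK;
    return SCAN_NONE;
}
```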

Advanced

Events

Set whether to generate Events for packets that are "Out of Allowed Policy". These are packets that have been blocked because they have not been specifically allowed by an Allow Firewall Rule. Setting this option to Yes may generate a large number of Events depending on the Firewall Rules you have in effect.

Events

Firewall Events are displayed the same way as they are in the main Deep Security Manager window except that only Events relating to this Policy or specific computer are displayed.