User manual ESET PERSONAL FIREWALL

[. . . ] This manual describes how to deploy the Personal firewall in a network environment, as well as instructions on remote management of the Personal firewall using ERA. Why install a Personal firewall on client computers, when there is a central firewall on the company's server?There are several reasons: · APersonalfirewallcaneliminateattacksfromwithinthelocalnetwork(e. g. , aninfectedguestnotebook connecting to the corporate network). · APersonalfirewallallowstheadministratortoeffectivelylimitcommunicationinordertodecreasenetwork traffic, which may be an issue for remote locations or WAN connections (e. g. , a rule could be created to block all instant messaging applications and only allow the use of local SMTP servers). [. . . ] Task 2: Client computers need to use DNS services within the local network. These services mustn't be accessible from outside the network (i. e. , from the Internet), because the server is also an Internet gateway for the network. Solution 2: Createanewrulenamed"DNSforclientcomputers", usingthefollowingparameters: General tab - Direction: IN, Action: ALLOW, Protocol: UDP. 2. . 3 Strict rules & security levels The administrator can select one of the following scenarios for deployment of the ESET Smart Security Personal 8 firewall: · LeaveAutomatic filtering mode enabled on the Personal firewall and redefine the Trusted zone, if necessary. With this configuration, users will not be prompted to select a protection mode if they connect to a new network (e. g. , with mobile devices such as notebooks). Keep in mind that outgoing communication will not be completely filtered. · SelecttheInteractive filtering mode in the Personal firewall. This mode is not suitable for inexperienced users, since any new communication not specified by a rule will prompt to create one. · SwitchtothePolicy-based filtering modeinthePersonalfirewallandcreatemore"lenient"rules. Forexample, all SMTP, HTTP and POP3 communication would be allowed, regardless of the application establishing them. · SelectthePolicy-based filtering mode in the Personal firewall with additional rules which dictate that certain networking services can only be used by specific applications or processes. For example, communication for the process firefox. exe will be allowed only on remote ports 80 (HTTP) and 443 (HTTPS); Outlook Express only on ports 25, 110, 143 and limited to the IP addresses where the company's email servers are located, etc. Thislastscenarioisthemostcomplexandmayrequirefine-tuningofsomerules, butitalsooffersthehighestlevel of security. For example: Malicious code which is not recognized by the resident antivirus protection attacks a computer. The code creates a local SMTP server and sends spam messages on behalf of a remote web server from a predefined public IP address. This type of infiltration will be automatically blocked in the last scenario, because SMTP communication is enabled only for Outlook Express and HTTP traffic only for Mozilla Firefox. 2. . 4 Rule configuration strategy in large networks If you wish to set the most strict level of network access for client computers, use Policy-based filtering mode, because it allows no user intervention. 2 The successful deployment of Policy-based mode requires thorough preparation, as blocking of legitimate applications must be avoided. There are several methods for deploying Policybased mode: · Definerules"fromscratch"anddirectlyinstallESETSmartSecuritywithPolicy-basedmodeturnedon. The risk is that you may forget to specify rules for some applications and their communication will be automatically blocked. Double click on any item (or mark it and select the button Edit) to obtain dialog showing its detailed settings. The rule below allows communication for the email client Windows Mail. 10 Item Name Direction Action Protocol Log Notify user Local port Application Remote port Remote address Meaning/defines name of rule direction of communication (In, Out, Both) action to be executed (deny, allow, ask) protocol select this option to log the activity connected with the rule (see the chapter on logging) displays a message when the rule is applied source communication port (or group of ports) the name of the application/process to which the rule applies target communication port (or group of ports) target IP address (or IP address range, or subnet) NOTE: The rule order is not important. If no such rule exists, communicationisblocked. Morespecificruleshavepriorityoverlessspecific(compare"denycommunication forFTPclient"and"allowFTPcommunication"). Most of these can be applied if Policy-based filtering mode is activated: 11 Requirement Direction Protocol Local port Application Remote port Remote address Note Enable updates for client computers with ESS Out TCP ekrn. exe 80, 2221 port 80 for Internet updates, port 2221 if updating from local update server (e. g. , from ERA) Enable communication of ESS with ERA Server (client-side rule) Enable communication of ERA Console with ERA Server Out TCP ekrn. exe 2222, 2224 port 2224 can be used for remote installation / uninstallation. IP addresses of your email servers remote address can be filled in if you want very strict protection Out TCP console. exe 2223 Send and receive email Out TCP Process of your email client 25 (SMTP), 110 (POP3), 143 (IMAP) 80 (HTTP), 443 (HTTPS), or proxy server port 21 (FTP), 1024 to 65535 21 (FTP) Web browsing Out TCP Web browser process FTP client server FTP client server (active) Alternative to the previous rule Remote desktop access to other PC Microsoft Live Messenger Out TCP FTP client passive FTP mode (recommended) Out TCP TCP & UDP FTP client In FTP client 20 (FTP-data) IP address of FTP server the IP address of the FTP server must be specified!browse the process browse the process in Remote address you can specify IP addresses from which the web should be accessible (or specify them in Trusted zone) Out TCP mstsc. exe 3389 Out TCP msnmsgr. [. . . ] If you were to push out the . xml configuration created using the steps above, only the Personal firewall settings would be modified on client computers3. 3 Remember that there are several methods of installing a new . xml configuration: as part of a configuration task in ERA, as a configuration assigned to a remote install package, or by using the Import feature directly from the ESET Smart Security user interface. 16 4. . Summary Let's summarize the most important points regarding deployment of the ESET Smart Security Personal firewall: · ThemaximumlevelofprotectionisprovidedthroughPolicy-basedmode, thoughthismethodoftenrequiresfinetuning of rules and zones. · TheESETPersonalfirewallautomaticallyblocksanycommunicationwhichisnotpermittedbyarule. Thisistrue for all modes except for Interactive filtering mode, which prompts the user to perform an action. · IfyouaredeployingthePersonalfirewall, werecommendthatyouconfigureatleastoneTrustedzone(Home network), regardless of the filtering mode. [. . . ]