
Firewall Policies - Applications

Good Morning,

I need your help.

First some facts:

- Company with 100 Clients

- Need only 1 Firewall Policy

- Mode: Block by default

I need to create a Policy.

I want to enable some programs, which can be used by our employees.

But I don't know how?

Do I have to do this on the tab Checksums, where I can add new applications by Checksum?

 - But is this checksum for all programs like Firefox, or do I have to add a new checksum for each PC?

OR

Do I have to do this on the tab Applications, where I can add new applications?

- Do I have to create a rule for each program? Like - Application Firefox allowed where the remote address is 192.168.10.*

I don't know the difference between these two?

Please help me

(sorry for bad English, I'm German^^)


  • Hello stauer

    (if something is unclear, send me a private message, and don't forget to allow PMs in your profile, otherwise I can't reply)

    The question is IMO about two distinct areas: Concepts and Configuration.

    Let's start with concepts:

    You don't have to use checksums, but you can. If you use checksums (and don't use interactive mode) an application is blocked when its checksum can't be found in the list, otherwise the next step is the check for an application rule. See security implications of configuring applications or the German version Auswirkungen auf die Sicherheit bei der Konfiguration von Anwendungen. The articles contain links to articles for the other options.

    Do not forget that an application's checksum usually changes when it's updated. So if you have enabled automatic updates for Firefox (and you are not using interactive mode) it will be blocked after an update until you add the new checksum to your policy.

    Configuration:

    Basically you have three options (assuming you are using SEC9/SCF2.0)

    1) "Manual configuration" of the policy - you have to have a good knowledge of your needs and also to add a checksum you need access to the executables so that the configuration editor can calculate the checksum - I don't recommend it.

    2) Using interactive mode on a client, start the needed applications and create the required rules (you can first assign a "predefined" rule e.g. Browser and then restrict IP ranges). Once done, export the policy and import it to SEC.

    3) With SEC9 you can use "monitor" mode. You (or someone else) also run the applications on the client; processes and applications are permitted (unless blocked by an already existing rule) but alerts to SEC are generated. You can then use the Event Viewer to create the required rules.

    Please also see the Policy Setup Guide (here in German) and the overview of SCF2 (Überblick)

    Christian

  • I use configuration mode 3 with SEC9.

    A user tries to open a program which needs access to our or another network.

    After the program is blocked I start the Event Viewer on the server to search for the program and create a new rule.

    Normally I allow all activity.

    I unchecked the box "Use checksums to authenticate applications",

    but in Checksums I still get a list of applications?

    Is this correct?

    An Example:

    I added Firefox 3.6.2 with a checksum to the list.

    Can all Clients use Firefox 3.6.2 now??

    If there is an update for it, do I have to add the new Firefox again? Or is it automatic?

    If "use checksums" is not checked they are not used for authentication (they are included in a "no application rule" alert though, so that they are available if you later decide to use them).

    The checksum does not depend on the client, so it is valid for all clients. Checksums are associated with a filename which is then looked up in the application rules. Thus you can have several checksums for Firefox (e.g. one for 3.6.0 and one for 3.6.2 and so on). There is no mechanism to update the checksums automatically as far as I know.

    Christian

    Stauer, in order to circumvent the manual addition of checksums every month (most well maintained apps like CCleaner etc. come in monthly update cycles nowadays) I would just use the Sophos Application Control and authorize Firefox.

    Application Control according to John Stringer includes and controls not only the installable application (C:\Programme\Firefox) _but also_ any portable derivative like FirefoxPortable (http://PortableApps.com )

  • I beg to differ :smileyhappy:

    Not using checksums, all applications named firefox.exe can access the network with the rules set up for firefox.exe. This not only covers probably all versions but would also include compromised versions and totally different programs as well.

    "Unknown" applications are permitted by application control, whereas the firewall using checksums blocks unknown applications. If I wrote a browse-o-matic (whose primary function is downloading FakeAV software) and named the executable firefox.exe, application control wouldn't care (unless someone snitches on it to Sophos). But SCF using checksums would not apply the rules for the genuine Firefox browser(s).

    Christian

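The decision order Christian describes (checksum lookup first, then the application rule keyed by filename) and the two consequences drawn in the thread (a checksum goes stale after an update; without checksums any file named firefox.exe inherits the Firefox rule), as an added Python model that is not part of this thread or of Sophos Client Firewall. The file contents, hashes and the 192.168.10.0/24 rule are constructed sample data.

```python
"""Simplified model of block-by-default policy evaluation (illustration only,
not Sophos code). Executables and rules below are constructed sample data."""
import hashlib
import ipaddress

# Constructed stand-ins for file contents on disk.
FIREFOX_362 = b"genuine firefox 3.6.2 build"
FIREFOX_363 = b"genuine firefox 3.6.3 build"      # arrives via auto-update
IMPOSTER = b"browse-o-matic renamed to firefox.exe"


def checksum(exe_bytes: bytes) -> str:
    """Checksum of the executable; SHA-256 is an assumption for the model."""
    return hashlib.sha256(exe_bytes).hexdigest()


# Policy: each checksum is tied to a filename; rules are keyed by filename.
CHECKSUMS = {checksum(FIREFOX_362): "firefox.exe"}
APP_RULES = {"firefox.exe": ipaddress.ip_network("192.168.10.0/24")}


def register_checksum(exe_bytes: bytes, filename: str) -> None:
    """What the admin does by hand after every update (no auto-update here)."""
    CHECKSUMS[checksum(exe_bytes)] = filename


def decide(use_checksums: bool, exe_name: str, exe_bytes: bytes, remote_ip: str) -> str:
    """Return 'allow' or 'block' for one outbound connection attempt."""
    if use_checksums:
        name = CHECKSUMS.get(checksum(exe_bytes))
        if name is None:
            return "block"          # unknown application: checksum not on the list
    else:
        name = exe_name             # only the filename on disk is trusted
    net = APP_RULES.get(name)
    if net is None:
        return "block"              # no application rule for this name
    return "allow" if ipaddress.ip_address(remote_ip) in net else "block"


if __name__ == "__main__":
    for label, flag, data in [("genuine 3.6.2", True, FIREFOX_362),
                              ("imposter, checksums on", True, IMPOSTER),
                              ("imposter, checksums off", False, IMPOSTER),
                              ("updated 3.6.3, checksums on", True, FIREFOX_363)]:
        print(f"{label}: {decide(flag, 'firefox.exe', data, '192.168.10.5')}")
```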