
Computer Protection Firewall rules and 0.0.0.0 addresses

AndyF-PM W/ Alumni Posts: 12 Junior Protector
During migration of PSB Workstation profiles to Computer Protection, firewall rules using 0.0.0.0/0 were inadvertently migrated as 0.0.0.0.
 
[Before migration - PSB Workstation Firewall Profile]
  • Outbound TCP / UDP Traffic - Allow - Outbound - Remote IP Address: Any remote host (0.0.0.0/0)
[After migration - Computer Protection Firewall Profile]
  • Outbound TCP / UDP Traffic - Allow - Outbound - Remote IP Address: 0.0.0.0
 
With this setting in place, outbound communication cannot be performed.
 
The correct value to use for "Any remote host" in Computer Protection is to change the "0.0.0.0" to an empty value in the Computer Protection firewall rule.
 
As the use of "Any remote host" can make the system open to the internet depending on the actual rule used, and F-Secure has no knowledge of the customer's intention for the rule, we will not change these rules in a programmatic way. We do not wish to be responsible for making a customer's environment insecure.
 
Customers are advised to review their own Computer Protection profiles, and make the appropriate changes to rules containing 0.0.0.0 to suit their environment and wishes. The use of "any remote host" in firewall rules should be carefully considered to ensure it is only used where absolutely necessary.
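
An added example, not part of the original post and not F-Secure code: a small audit helper that separates the bare `0.0.0.0` value left by the migration from a deliberate "any remote host" value, so each flagged rule can be reviewed by hand. The rule dictionaries and field names are hypothetical (Computer Protection's real profile format is not shown on this page), and the matching model, where a bare address is treated as a single host, is an assumption.

```python
import ipaddress

# Constructed sample rules. The field names are hypothetical and do not
# reflect any real Computer Protection export format.
SAMPLE_RULES = [
    {"name": "Outbound TCP / UDP Traffic", "direction": "outbound", "remote": "0.0.0.0"},
    {"name": "Outbound DNS", "direction": "outbound", "remote": "192.0.2.53"},
    {"name": "Outbound web", "direction": "outbound", "remote": ""},
    {"name": "Inbound management", "direction": "inbound", "remote": "0.0.0.0"},
    {"name": "Inbound lab subnet", "direction": "inbound", "remote": "198.51.100.0/24"},
]

ZERO = ipaddress.ip_address("0.0.0.0")

def classify(remote):
    """Return 'any', 'migration-artifact' or 'specific' for a remote-address value."""
    value = remote.strip()
    if value == "":
        return "any"  # empty means "Any remote host" in Computer Protection, per the post
    net = ipaddress.ip_network(value, strict=False)
    if net.network_address == ZERO and net.prefixlen == 0:
        return "any"  # the old PSB notation 0.0.0.0/0
    if net.network_address == ZERO and net.prefixlen == net.max_prefixlen:
        return "migration-artifact"  # bare 0.0.0.0, a single host address
    return "specific"

def rule_matches(remote, peer):
    """Assumed matching model: a peer matches if it lies inside the rule's value."""
    if remote.strip() == "":
        return True
    return ipaddress.ip_address(peer) in ipaddress.ip_network(remote.strip(), strict=False)

def audit(rules):
    """List (name, direction) of rules that need a manual decision."""
    return [(r["name"], r["direction"]) for r in rules
            if classify(r["remote"]) == "migration-artifact"]

if __name__ == "__main__":
    for name, direction in audit(SAMPLE_RULES):
        print(f"REVIEW {direction:8} {name}: remote address is bare 0.0.0.0")
```

The helper only reports; whether a flagged rule should become an empty value or a narrower range is left to the person who knows what the rule was meant to do.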
 
 

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    > As the use of "Any remote host" can make the system open to the internet depending on the actual rule used

     

    If this only affects Outbound connections, as the examples you quoted show, then where is the risk? As far as I remember, F-Secure PSB's default workstation profile actually allows all outbound connections going to all addresses.

     

    Since this problem was centrally created, it should be fixed centrally and the PSB "Security as a Service" is about automation. I feel bad about the issue being shoveled onto end users. It would be better to set the missing /0 centrally and provide the affected customers with a pop-up warning / explanation upon PSB portal account login.

     

    Thanks for your attention, Best Regards:

    Tamas Feher, Hungary.

This discussion has been closed.