
FW rules from 13 to 14

Askoik W/ Alumni Posts: 27 Security Scout

Business need:

100 workstations, of which 20 have USB printers that are shared with other users, so incoming "windows networking" is disabled on 80 wks and enabled on 20 wks.


Solution in ver 13:

Root level (80 wks) -> disabled

Separate subdomain "Printshares" (20 wks) -> enabled


Solution in ver 14??

Inheritance seems to be different. If I enable a rule in a subdomain, it will be enabled also at root level. Could someone explain how to separate these 80 vs. 20 workstations?


On ver 13 we had a last rule line "block all", and now we don't know whether we should create a similar rule in ver 14 also. If we don't have this line, "windows networking" will be enabled on all 100 wks, which is not safe.


It seems that our own "windows networking" rule (made in the PMC ver 14 rule set) is not working at all. Maybe Microsoft has made its own rules, which have higher precedence than those coming from Policy Manager? How should we live with and understand the two rule sets, "F-Secure" vs. "Microsoft"??


Do you have any FAQ guide named something like "Deep understanding of Firewall ver 14"??




  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader
    Hello Askoik,

    - You can have different profiles for the 80 and the 20 clients.
    - To minimize the effect of the Microsoft rules, you can tick the checkbox "Ignore all firewall rules that are not listed in this profile".

    Best regards,

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    In V13 we had a ruleset with hierarchical management.
    But admins tend to organize their systems by departments and not by technical needs.
    Thus having a special rule on one system in each department was a mess, as this rule had to be added to an extra subdomain in that department or to special single hosts in that department. A change to these rules had to be done in various places.

    In V14 profiles were introduced. All profiles are bound to the root of your tree.
    (I have to admit that knowing the old concept leads to misconfiguration, as the profiles are visible in each subdomain, at least until you have understood this new concept.)

    So your experience is correct: any change to a profile is global. To assign a different setup to a subdomain or host you need a different profile, which is done by cloning an existing one.

    As mentioned, these profiles are no longer hierarchical; the clone is independent from its original.

    Now you can add your special rule to the new profile and choose that profile on the subdomain or host.

    Any change done to the profile will automatically change the settings for all systems using that profile, meaning only one change for all hosts with the same technical setup, even if they are located in different subdomains/departments.

    While I think this concept is better than the old one, I would have loved to see the profiles still be hierarchical.

    Nevertheless, I recommend moving away from USB printers to network printers to be able to close this huge security gap. If your special printers do not have a LAN interface, you had better buy a LAN2USB print server, which are available on Amazon or eBay starting at 12€. These one-time expenses will add a lot to your IT security!
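Whichever profile ends up assigned to a host, the effective result can be verified on the endpoint itself. The following is an added example, not code from this thread or from F-Secure: a PowerShell check that reports whether any inbound "File and Printer Sharing" rule is enabled in the Windows Firewall (whoever created it) and compares that against the role the workstation is supposed to have. The rule group name, the host list and the hostnames are assumptions.

```powershell
# Added example (not from this thread). Assumes the Windows Firewall display
# group "File and Printer Sharing" carries the inbound "windows networking" rules,
# and takes a constructed sample list of the 20 print-share hosts.
param(
    [string[]]$PrintShareHosts = @('WKS-PRN-01', 'WKS-PRN-02')  # constructed sample
)

# Expected role: only the print-share machines may accept inbound sharing traffic.
$expectShares = $PrintShareHosts -contains $env:COMPUTERNAME

# Enabled inbound rules in the group, regardless of whether Policy Manager or
# Windows itself created them; this is the state the client actually enforces.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
    -Direction Inbound -Enabled True -ErrorAction SilentlyContinue

$exposed = @()
foreach ($r in $rules) {
    $port = $r | Get-NetFirewallPortFilter
    $exposed += [pscustomobject]@{
        Rule     = $r.DisplayName
        Profile  = $r.Profile
        Protocol = $port.Protocol
        Port     = ($port.LocalPort -join ',')
    }
}

$actualShares = $exposed.Count -gt 0

if ($actualShares -eq $expectShares) {
    Write-Output ("OK: {0} expected shares={1}, enabled inbound sharing rules={2}" -f
        $env:COMPUTERNAME, $expectShares, $exposed.Count)
    exit 0
}

# Mismatch: either one of the 80 hosts is exposing shares, or one of the 20 is not.
Write-Warning ("MISMATCH: {0} expected shares={1} but {2} inbound sharing rule(s) are enabled" -f
    $env:COMPUTERNAME, $expectShares, $exposed.Count)
$exposed | Format-Table -AutoSize
exit 1
```

Run it on a few hosts from each group after changing profiles; a non-zero exit on any of the 80 means the global profile (or a Microsoft rule not covered by the "ignore rules not listed" option) still allows the traffic.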

