Mixed Clients V13/V14 - Firewall - How to / best practice?

Rob-K
Rob-K W/ Alumni Posts: 33 Junior Protector

Hi,

 

What to do in a mixed environment with clients which are running 13.11? I have "Office file and printer sharing" as the active profile, and we have the Windows Firewall disabled by policy for the domain.

FSCS14 runs the firewall only when the Windows firewall is up and active.

FSCS13 runs its own firewall and the Windows firewall is disabled by GPO. If I enable it again, I assume both firewalls will be active and there might be conflicts, because the Windows firewall is in an unconfigured state with the standard Windows settings ...

What are the best practices for that situation / for the migration?

 

Best regards

Robert

Comments

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 205 Moderator

    Hello @Rob-K

     

    It's a good question, but we have no other options or features available in Policy Manager 14. So running both CS 13.x and CS 14.x in the same environment is not a good idea, because when a GPO is applied at the domain level, it affects all the users and computers belonging to that particular domain. That being said, GPOs don't flow from parent to sub-domain.

    The best practice is upgrading to the latest version of Client Security 14 on all the users' machines before switching to Group Policy Object (GPO) to manage the firewall settings through Policy Manager. Moreover, F-Secure's firewall profiles provide an additional security layer on top of the Windows Firewall user rules and other domain rules. The F-Secure firewall profiles or rules are not applied if Windows Firewall is off. Therefore, we recommend that you always keep the firewall on.

    Of course, there is an alternate way to manage the older version. For that, you need to create a new domain for those using the older version, Client Security 13.x.

  • Rob-K
    Rob-K W/ Alumni Posts: 33 Junior Protector

    Uhmmm ... not good - we have over 1200 clients running 13.11. Many notebooks and also desktop PCs ...

    As far as I understand your post, it will result in a security gap until the Windows firewall is active and V14 is operational.

    When I start upgrading the clients to v14, the GPO with "Windows firewall is off" is still in place ... so all clients which get v14 will have no firewall active. Worst case ... a field guy connects via VPN to the network, gets the new F-Secure Client Security and disconnects again. After a reboot his PC is no longer protected. I cannot control when he accesses the network again (we have subsidiaries in China, the US, Canada and all over Europe).

    bad bad bad ...

    Another question ... my rules and services that I have created for 11.xx, 12.xx and 13.xx ... will they be automatically adapted to V14, or do I need to recreate them?

    You say that the FSCS Firewall Profile will bring an additional security advantage. In fact I am not so sure - what advantage does it bring me? I can also use GPO to configure the advanced firewall settings ...

     

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 205 Moderator

    Hello @Rob-K,

     

    Currently, the recommended path is to set the Windows Firewall as Not Configured in the GPO, so that there are no conflicts caused when upgrading to the latest version of Client Security 14. But as soon as you change the settings in the GPO, the firewall is automatically turned on after installing Client Security 14.00, unless explicitly disabled in the policies.

    About a mixed environment of older and new versions of CS, sorry for my ignorance, our Policy Manager version 14 provides management for both new and old versions of the firewall settings. May I ask you to check pages 80 and 81 of the admin guide.

    The additional security layer on top of the Windows Firewall user rules and other domain rules means:

    • Network services list is now treated as a global dictionary, which is the same for all Policy Manager administrators.
    • Internet Shield's Application control feature is no longer supported in Client Security 14.00 and is superseded by a new version of Application control. To better reflect the nature of the old Application control, it is renamed to Network access control.

     

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    One part of the question has not been answered:

    "an other question ... my rules and services that I have created for 11.xx, 12.xx and 13.xx ... will they be automatically adapted to V14 or do I need to recreate them again?"

  • farmersLSD
    farmersLSD W/ Alumni Posts: 26 Security Scout

    I had to re-create mine, but maybe there is a way to import/copy? Someone from F-Secure would need to explain that. I had to create new services and new rules, but I just opened a Policy Manager window next to my VM and then copied the settings over with them side by side.

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    Just don't try to simply copy what you had. Use the chance to revamp the firewall settings.
    The whole thing is so new that a clear path is not that easy at the moment.

    The biggest difficulty is to understand two things:
    1) There are no longer rulesets of the same name that "belong" to a subdomain. Now all rulesets only exist once, on root level. So if your rulesets differed in a V13 subdomain, you need to create a clone for V14. BUT as a clone is an independent ruleset not inheriting anything, keep their number small, otherwise you will have a lot of changes to copy when some of the common rules change.

    2) In the Windows firewall, rules have no order. All rules that match will fire!
    Example:
    deny 10.10.10.15/32
    allow 10.10.10.0/24
    does not work, as access will be granted by the second rule.
    For that reason the new "office LAN" ruleset no longer has deny rules.
    Note that "Unknown outbound connections" is [block]!

    Clean up and rethink your rulesets - keep them small and simple.

    Nevertheless it would be interesting to see WHAT services you created besides those that already exist.

    M.
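The order-independence described in the post above can be checked on a host directly. The following PowerShell is an added example, not code from the thread or from F-Secure: it lists every enabled Windows Firewall rule whose direction, protocol, local port and remote address cover a given connection, so that a Block rule and an Allow rule for the same peer appear side by side. It only reports matches; it does not predict the verdict, which the engine derives from its own precedence rules rather than from list order. It handles IPv4 addresses in single, CIDR, dotted-mask and range form; keyword entries such as LocalSubnet cannot be resolved offline and are reported as 'Keyword'. The addresses 10.10.10.15 and 10.10.10.0/24 come from the post; TCP port 445 and the "LAB ..." rule names are assumptions for the lab reproduction.

```powershell
# Added example, not from the thread or from F-Secure. Lists every enabled
# Windows Firewall rule that matches one connection, so a Block and an Allow
# rule for the same peer show up side by side. It reports matches only; the
# verdict comes from the engine's own precedence, not from list order.
# IPv4 only. Keyword entries (LocalSubnet, DNS, ...) cannot be evaluated
# offline and are reported as 'Keyword' instead of 'Exact'.

function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

function Test-AddressMatch {
    # Returns 'Exact', 'Keyword' or $null for a rule's RemoteAddress entries.
    param([string[]]$RuleAddresses, [string]$Ip)
    $ipInt   = ConvertTo-IPv4Int $Ip
    $allOnes = 4294967295          # decimal literal so it stays a positive [long]
    $result  = $null
    foreach ($a in $RuleAddresses) {
        if ($a -eq 'Any')        { return 'Exact' }
        if ($a -like '*:*')      { continue }                      # IPv6 entry, skipped
        if ($a -notmatch '^\d')  { $result = 'Keyword'; continue } # LocalSubnet, DNS, ...
        if ($a -match '^([\d.]+)/(\d+)$') {                        # CIDR, e.g. 10.10.10.0/24
            $mask = ($allOnes -shl (32 - [int]$Matches[2])) -band $allOnes
            if (($ipInt -band $mask) -eq ((ConvertTo-IPv4Int $Matches[1]) -band $mask)) { return 'Exact' }
        }
        elseif ($a -match '^([\d.]+)/([\d.]+)$') {                 # dotted mask form
            $mask = ConvertTo-IPv4Int $Matches[2]
            if (($ipInt -band $mask) -eq ((ConvertTo-IPv4Int $Matches[1]) -band $mask)) { return 'Exact' }
        }
        elseif ($a -match '^([\d.]+)-([\d.]+)$') {                 # range a-b
            if ($ipInt -ge (ConvertTo-IPv4Int $Matches[1]) -and
                $ipInt -le (ConvertTo-IPv4Int $Matches[2])) { return 'Exact' }
        }
        elseif ($a -match '^[\d.]+$' -and (ConvertTo-IPv4Int $a) -eq $ipInt) { return 'Exact' }
    }
    return $result
}

function Test-PortMatch {
    # Rule port entries are 'Any', a single port or a range like '1024-65535'.
    param([string[]]$RulePorts, [int]$Port)
    foreach ($p in $RulePorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

function Find-MatchingFirewallRule {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,
        [Parameter(Mandatory)][int]$LocalPort,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound'
    )
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction $Direction) {
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        if ($pf.Protocol -ne 'Any' -and $pf.Protocol -ne $Protocol) { continue }
        if (-not (Test-PortMatch $pf.LocalPort $LocalPort)) { continue }
        $addrMatch = Test-AddressMatch $af.RemoteAddress $RemoteAddress
        if (-not $addrMatch) { continue }
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Action        = $rule.Action
            Profile       = $rule.Profile
            RemoteAddress = ($af.RemoteAddress -join ', ')
            LocalPort     = ($pf.LocalPort -join ', ')
            AddressMatch  = $addrMatch
        }
    }
}

# Lab only (test VM, elevated shell): reproduce the deny/allow pair from the post,
# list what matches the single host, then clean up.
# New-NetFirewallRule -DisplayName 'LAB deny 10.10.10.15'    -Direction Inbound -Action Block -Protocol TCP -LocalPort 445 -RemoteAddress 10.10.10.15/32
# New-NetFirewallRule -DisplayName 'LAB allow 10.10.10.0/24' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 10.10.10.0/24
Find-MatchingFirewallRule -RemoteAddress 10.10.10.15 -LocalPort 445 | Format-Table -AutoSize
# Remove-NetFirewallRule -DisplayName 'LAB *'
```

Run against the lab pair, both rules are listed for 10.10.10.15 with AddressMatch 'Exact' and no property that ranks one above the other; that absence is the point of the post. The same query is useful after the CS14 upgrade to see what a profile actually rendered into the Windows rule store.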

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    After the Windows Firewall is enabled, all Windows Firewall native rules will begin to work. Is it possible in some way to ignore the native Windows Firewall rules? What does the option "Ignore all firewall rules that are not listed in this profile" in F-Secure Firewall Settings mean? How do we set firewall rules on different policy subdomains, when we use the same services but different remote hosts?

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    1) "Ignore all firewall rules that are not listed in this profile" is exactly what you want. Windows FW rules are ignored (could be worded more clearly).
    2) That is exactly what I meant: "keep it simple, concentrate on the inbound traffic to the hosts".
    Why do you want to limit the outbound traffic to a specific target? You should rather block the unwanted traffic on the target system (server).
    If you still want to do that work, you need to clone the FW profile and assign different profiles to different subdomains. But it will not add any security and leaves the server open for a rogue system.
    Rethink your concept.

    M.

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    Our AD domain has a main office and 10 branch offices. The main office and every branch office have their own set of IP subnets. In PM 13.00 we set a firewall profile with a base set of firewall rules and at subdomain level add firewall rules specific to the IP set of every branch office (File and printer sharing, RDP, Ping, etc.). What can we do in PM 14.00?

    picture

  • Rob-K
    Rob-K W/ Alumni Posts: 33 Junior Protector

    hi,

     

    As far as I have seen ... you can still have different settings in the firewall profile depending on the policy domain in the Policy Manager.

     

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    Nope.

    There are two views. One is for V14, with profiles that reside on root level; the other is for V13 and earlier, with profiles that reside on subdomain level.

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    @M_M wrote:

    Our AD domain has a main office and 10 branch offices. The main office and every branch office have their own set of IP subnets. In PM 13.00 we set a firewall profile with a base set of firewall rules and at subdomain level add firewall rules specific to the IP set of every branch office (File and printer sharing, RDP, Ping, etc.). What can we do in PM 14.00?

    picture


    As I mentioned, this is a pretty useless setup.
    If you need printer and file sharing (e.g. sharing a local USB printer from your PC), this can be limited to <mynetwork> and would automatically be limited to the subnet the host is in.

    IMHO your rulesets are way too complex, with only little (if any) security benefit. In a common Windows domain environment you would not want anyone to be able to access any host (not even in the same network).


    Return to the standard Office profile and find out what is not working.

    Most likely Remote Management and PING to the host are the most needed, but that should NOT be allowed to "any" or "myNetwork" but to precisely those systems that have the helpdesk function.


    In the end you should be able to have the same ruleset for all standard hosts, which translates into one new V14 profile and maybe one profile for helpdesk systems, which should NOT allow remote access from any other systems.

    Blocking unwanted traffic on the WAN is the task of the firewalls and routers.

  • Rob-K
    Rob-K W/ Alumni Posts: 33 Junior Protector

    Hello Matthias,

     

    You are wrong - I tried it yesterday in my setup! I have different settings on the root level and on the lower policy domain - and I am on the tab for V14 and not V13! You can create some standard rules that are valid for all lower sub policy domains and then add additional rules for the lower policy domains - at least it works in my settings!

    BTW - the mynetwork you mentioned is pretty useless in my config, because we use different IP ranges for clients, servers, LAN and WiFi - that is a pretty normal setting for larger networks.

    That mynetwork thing works when using a single subnet for all clients and servers, but not on larger networks.

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    @Rob-K wrote:

    You are wrong - I tried it yesterday in my setup! I have different settings on the root level and on the lower policy domain - and I am on the tab for V14 and not V13! You can create some standard rules that are valid for all lower sub policy domains and then add additional rules for the lower policy domains - at least it works in my settings!

    You cannot change any rule unless you create a clone. And that clone is available in all other subdomains at the same moment. The clone gets activated for that subdomain when you create it, but it is linked to root, independent of anything defined before.


    And no, we have exactly that setup with "myNetwork" in many places. As outbound traffic is always allowed, you can reach all systems that allow inbound traffic (like servers).

    But this discussion is way beyond what we can do via the community. This is a task for a consultant.

     

    Matthias

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    Support staff hosts reside in different branch offices and different IP subnets.

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    There is a tricky way to create a subdomain-related profile:

    1) Create admin accounts for every subdomain that you want to have its own profile, and limit their access to that subdomain.
    2) Log on as a subdomain admin and create a clone.


    This clone is now bound to that subdomain only.

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    But is there an option to add only a rule to a subdomain?

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    You have to create a default profile for the root domain and specify the common rules (shared between all branch offices). Then for each branch office, clone the default profile and add the office-specific rules. But notice that further root profile changes will not update the clones.

    After that, assign the just-created clones to the related domains.

    All these configurations are made in the CS14 firewall tab.

    As for the migration from CS13 to CS14, the Windows firewall can coexist with the F-Secure firewall, so there are no risks in enabling it for CS13 hosts (unless there are conflicting rules). So we recommend:

    • Configure CS14 profiles in the policy domain tree
    • Enable (or Undefine) Windows Firewall in GPO
    • Start upgrading clients to CS14

     

    Regards,

    Alexander
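Before the upgrade order listed above is started, a practitioner wants to know, per client, whether the Windows Firewall is on and whether a GPO is what is forcing it off, since CS14 only enforces its profile when the Windows Firewall is up (as stated earlier in the thread). The PowerShell below is an added example, not from the thread or from F-Secure. It reads the live profile state with Get-NetFirewallProfile and the policy-enforced value from the documented Windows Firewall policy registry keys under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall; a missing value corresponds to "Not Configured" (the "undefined" state discussed in the thread). The UpgradeSafe verdict is this example's own interpretation of the thread's advice: a profile that policy forces off is flagged.

```powershell
# Added example, not from the thread or from F-Secure: per-profile check of the
# Windows Firewall state on a client and of whether Group Policy forces it.
# Policy values live under the documented WindowsFirewall policy key; if the
# key or the EnableFirewall value is absent, the GPO is "Not Configured".

function Get-FirewallPolicyState {
    [CmdletBinding()]
    param()

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

    foreach ($name in 'Domain', 'Private', 'Public') {
        $live = Get-NetFirewallProfile -Name $name

        # EnableFirewall: 1 = policy turns the firewall on, 0 = policy turns it
        # off, absent = not configured (the local setting applies).
        $policyKey   = Join-Path $policyRoot "${name}Profile"
        $policyValue = $null
        if (Test-Path $policyKey) {
            $policyValue = (Get-ItemProperty -Path $policyKey -Name 'EnableFirewall' `
                            -ErrorAction SilentlyContinue).EnableFirewall
        }

        if ($null -eq $policyValue)  { $gpo = 'NotConfigured' }
        elseif ($policyValue -eq 1)  { $gpo = 'Enabled' }
        else                         { $gpo = 'Disabled' }

        [pscustomobject]@{
            Profile         = $name
            Enabled         = $live.Enabled.ToString()
            DefaultInbound  = $live.DefaultInboundAction.ToString()
            DefaultOutbound = $live.DefaultOutboundAction.ToString()
            GpoSetting      = $gpo
            # This example's own verdict: a policy that forces the firewall off
            # leaves a freshly upgraded CS14 host without any enforced profile.
            UpgradeSafe     = ($gpo -ne 'Disabled')
        }
    }
}

$state = Get-FirewallPolicyState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.UpgradeSafe }) {
    Write-Warning 'A GPO forces the Windows Firewall off; set it to Not Configured (or Enabled) before upgrading this host to CS14.'
}
```

Run it on a representative client from each site before the rollout and again after the GPO change has replicated; a Domain profile showing GpoSetting 'Disabled' is exactly the field-laptop case described earlier in the thread, where the host would reboot into CS14 with no firewall enforced.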

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    To create a rule that is visible/usable in one subdomain only, you have to log in as a sub-domain administrator.
    Apart from that there is no way to limit a rule to a subdomain, as Alexander confirmed in my previous post.

    If you are a root admin, all clones that you create (on whichever level) are visible and usable in all other subdomains.

    Again highlighting Alexander's note: "But notice that further root profile changes will not update clones."

    So after the cloning they are independent.

    @A_Grinkevitch please correct your post. GPO should set the Windows Firewall to UNDEFINED, otherwise V13 would switch it on too, which is unwanted.

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Indeed, the sub-domain admin should clone the profile himself to be able to edit it, but it will be visible, usable and editable for other sub-domain admins of this scope and for root admins in the sub-domain scope. So I dropped my a bit confusing 'PS' from the previous post 😊

    As for the GPO, both undefined and enabled are acceptable. I do not see any reason why having two firewalls up is unwanted, especially if we are talking about a short transition period…

     

    Regards,

    Alexander

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    Is there a way to move the rules up or down in the firewall profile, or does it not matter now?

  • A_Grinkevitch
    A_Grinkevitch W/ Partner, W/ Staff, W/ Product Leadership Posts: 169 W/ Product Leadership

    Hi, with CS 14 we moved to the Windows firewall, where rules have no order. All matching rules will apply.

     

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    Don't understand the logic of the new firewall. We need to allow inbound traffic from the remote MS SQL server to the subnet hosts. We create the network service "MSSQL":

    Name    Protocol   Initiator port   Responder port
    MSSQL   TCP (6)    >1023            1433

    We create the firewall rule "Allow inbound MSSQL" in the firewall profile:

    Services    Remote hosts
    <= MSSQL    SQL server IP address

    When we look at the Windows firewall settings, we find a rule with:

    Direction   Local address   Remote address          Local port   Remote port
    Inbound     Any             SQL server IP address   1433         1024-65535

    This is the wrong situation. What would happen if we created the rule in a bi-directional (<=>) direction?

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master

    First of all, there is NO need to define anything on the client side if you want to access a Windows SQL Server. The standard Office profile has an "Allow All TCP/UDP Outbound" rule that covers that.

    Nevertheless, you certainly have to allow inbound traffic on the server's firewall (not managed by F-Secure).

    "Inbound" and "outbound" are always from the point of view of the system where the local firewall is installed. So a client connecting to a service is outbound.

    You want to remotely administer a user's Windows system:
    your system has an outbound connection (covered by the allow all outbound TCP/UDP), but
    the user's Windows box has an "inbound" connection.

    The rule is always the same: initiator (local) ports >1023; receiver (remote) port 1433.
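The two posts above (the MSSQL service/rule tables and the explanation of inbound versus outbound) can be tied together with a small translator. The PowerShell below is an added example, not code from the thread and not F-Secure's own translation logic: it takes a Policy Manager style service (initiator port, responder port) plus a rule direction and produces the parameter sets a New-NetFirewallRule call would need, following the mapping observed in the thread, where "<= MSSQL" became Inbound, LocalPort 1433, RemotePort 1024-65535. Treating "<=>" as two rules, one per direction, is an assumption of this example, and 192.0.2.10 is a placeholder for the SQL server address.

```powershell
# Added example, not code from the thread or from F-Secure. Models how a Policy
# Manager service (initiator port / responder port) combined with a rule
# direction maps to Windows Firewall rule parameters, following the translation
# observed in the thread for "<= MSSQL". Rendering "<=>" as two rules is an
# assumption of this example.

function ConvertTo-PortSpec {
    # Policy Manager port text -> Windows Firewall port text, e.g. ">1023" -> "1024-65535".
    param([string]$Text)
    switch -Regex ($Text.Trim()) {
        '^$|^Any$'        { return 'Any' }
        '^>(\d+)$'        { return ('{0}-65535' -f ([int]$Matches[1] + 1)) }
        '^<(\d+)$'        { return ('1-{0}'     -f ([int]$Matches[1] - 1)) }
        '^(\d+)-(\d+)$'   { return $Text.Trim() }
        '^\d+$'           { return $Text.Trim() }
        default           { throw "Unsupported port specification '$Text'" }
    }
}

function ConvertTo-WindowsFirewallRule {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [string]$InitiatorPort = 'Any',
        [string]$ResponderPort = 'Any',
        [string[]]$RemoteHosts = @('Any'),
        [ValidateSet('<=', '=>', '<=>')][string]$Direction = '<='
    )
    $init  = ConvertTo-PortSpec $InitiatorPort
    $resp  = ConvertTo-PortSpec $ResponderPort
    $rules = @()

    if ($Direction -eq '<=' -or $Direction -eq '<=>') {
        # Remote host is the initiator, so the LOCAL side listens on the responder port.
        $rules += @{
            DisplayName = "$ServiceName (inbound)";  Direction = 'Inbound';  Action = 'Allow'
            Protocol = $Protocol; LocalPort = $resp; RemotePort = $init; RemoteAddress = $RemoteHosts
        }
    }
    if ($Direction -eq '=>' -or $Direction -eq '<=>') {
        # Local host is the initiator, so the LOCAL side uses the initiator ports.
        $rules += @{
            DisplayName = "$ServiceName (outbound)"; Direction = 'Outbound'; Action = 'Allow'
            Protocol = $Protocol; LocalPort = $init; RemotePort = $resp; RemoteAddress = $RemoteHosts
        }
    }
    return $rules
}

# The service from the thread, with a placeholder server address (documentation range).
$mssql = @{ ServiceName = 'MSSQL'; Protocol = 'TCP'; InitiatorPort = '>1023'
            ResponderPort = '1433'; RemoteHosts = @('192.0.2.10') }

foreach ($dir in '<=', '=>', '<=>') {
    "Rule direction $dir"
    ConvertTo-WindowsFirewallRule @mssql -Direction $dir |
        ForEach-Object { [pscustomobject]$_ } |
        Format-Table Direction, LocalPort, RemotePort, RemoteAddress -AutoSize
}

# Lab only: create the rules for real on a test host.
# ConvertTo-WindowsFirewallRule @mssql -Direction '=>' | ForEach-Object { $p = $_; New-NetFirewallRule @p }
```

By construction, "<=" yields the Inbound rule from the thread (local 1433, remote 1024-65535, i.e. the machine is the SQL server), "=>" yields Outbound with local 1024-65535 and remote 1433 (the machine is the client), and "<=>" yields both. For a client that merely connects to SQL Server, the outbound form is the one that matters, and the thread notes it is already covered by the Office profile's allow-all-outbound rule.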

  • joanne3422
    joanne3422 W/ Alumni Posts: 1 Security Scout

    The best practice is upgrading to the latest version of Client Security 14 on all the users' machines before switching to Group Policy Object (GPO) to manage the firewall settings through Policy Manager. Moreover, F-Secure's firewall profiles provide an additional security layer on top of the Windows Firewall user rules and other domain rules.

  • MJ-perComp
    MJ-perComp W/ Alumni Posts: 669 Firewall Master
    Sorry, but no.
    1) Best practice is to switch the firewall setting in the GPO to "undefined" before rolling out F-Secure.
    2) F-Secure V14 does not provide an "extra layer on top of Windows Firewall", as it replaces the Windows rules. But F-Secure gives way better control over the rules.
    M.
This discussion has been closed.