AppNote: Understanding Rules in Novell Client Firewall 2.0
Novell Cool Solutions: AppNote
By Gaurav Vaidya
Digg This -
Posted: 18 Feb 2004
Senior Software Engineer
Much appreciation goes to Anumita Biswas from Novell for her help with this AppNote.
Abstract: The way you configure rules and policies define the security provided by any firewall. Generally users and administrators have an understanding of firewall as a list of traffic rules. Novell Client Firewall (NCF) is no different. But NCF provides multiple options to allow or block traffic. Hence it is of critical importance to understand how to interpret configuration options and how NCF processes rules. This Appnote discusses various rules and configuration options available with NCF and the rule precedence to allow or block any traffic.
Table of Contents:
- 1.0 Introduction
- 1.1 Assumption
- 2.0 NCF Rules and Policies
- 2.1 Application Rules
- 2.2 System Rules
- 2.3 Other Rules
- 2.4 NCF Working Modes
- 3.0 Rule Processing in NCF
- 3.1 Internal Rule Representation
- 3.2 Rule Processing Precedence
- 3.2.1 Policy Mode (Stop All or Disabled)
- 3.2.2 Blocked Application
- 3.2.3 Plug-ins
- 3.2.4 Trusted/NetBIOS Zones
- 3.2.5 Global NetBIOS Block Rule
- 3.2.6 Application Rules
- 3.2.7 Global Application or System Rules
- 3.2.8 NCF Policy
- 3.2.2 Blocked Application
- 3.3 When Traffic is Allowed or Blocked
- 4.0 Conclusion
- Application Rules
- System Rules
- Other Rules
- NCF Working Modes
- Priority of Rule
- Action (Allow, Deny, Reject etc.)
- Local Host (domain name or IP address)
- Local Port
- Remote Host (domain name or IP address)
- Remote Port
- Direction (Inbound or Outbound)
- Trusted Zone: Any domain or IP configured as trusted zone is internally interpreted as firewall rule for allowing all the traffic for that particular domain or IP. NCF creates a firewall rule like - "allow all for IP xxx.xxx.xxx.xxx"
- NetBIOS Zone: Any domain or IP configured as trusted zone is internally interpreted as firewall rule for allowing all NetBIOS traffic for that particular domain or IP. NCF creates a firewall rule like - "allow NetBIOS ports for IP xxx.xxx.xxx.xxx"
- Application Rules: Application rules are also used to generate Firewall rules. Partially allowed applications have a set of rules representing all the traffic rules for that application. Trusted applications have corresponding Allow All rule where as blocked applications have Deny All rule.
NCF scans through application rules only if Policy mode is configured either as Allow Most, Block Most or Rule Wizard. If policy mode is either Stop All or Disabled, NCF does not scan through application rules list. Instead, it adds firewall rules as Deny All Traffic, or Allow All Traffic.
- System Rules: All the system rules are directly converted to firewall rules. These rules can be for any protocol.
- ICMP Rules: ICMP rules are configured to specify which ICMP messages NCF should allow and block. Each ICMP message can be allowed or denied for both inbound and outbound directions. Default settings in NCF allow users to ping others, but block all incoming ping requests to NCF machine.
Internet is wild. Viruses, Trojans, sneaking information, and undesirable and illegal contents are only few of the darker inclines of Internet. A Perimeter Firewall alone might not be enough armor against all Internet threats.
One effective way to counter these threats is to handle them at individual workstations. This is called Endpoint security. Protecting the Endpoints is very critical because it is practically impossible to control the actions and behaviors of end users across the entire organization. Some actions and behaviors of end users may result in the breakdown of enterprise security. Endpoint Security protects each individual PC in an enterprise and not just the entry points to the network.
Novell Client Firewall (NCF) is one such solution that controls how users are allowed to use their workstations. Moreover it makes the client computer invisible on the Internet. NCF secures individual workstations by deploying firewall rules and policies at each end node. Most of the other firewalls have single list of rules configured for allowing or discarding traffic. As it appears to the end user, NCF is unlike them. It instead provides enhanced security and ease of configuration by making use of multiple level security configuration. This is achieved through different set of rules for different purposes. How NCF behaves and how secure is the end point largely depends on how the rules and policies are configured.
This Appnote describes the NCF rules and policies in detail. It also explains rule processing within NCF to help end user or administrator securely configure the firewall for end node. Second section describes different NCF rules and policy modes. It explains application rules, system rules and other available options that may take precedence over these rules. It describes how policy mode affects the behavior of NCF. Third section details the internal rule handling and precedence of rule processing in NCF. It describes how each configuration option affects the traffic.
For more detailed description on the configuration options available for Novell Client Firewall refer to NCF Admin Guide: http://www.novell.com/documentation/lg/nbm38/ncf_admin/data/front.html
In this Appnote it is assumed that the reader already uses NCF and knows how to configure different rules and options available for NCF. The purpose here is to explain how each of the different types of rules and options are processed and how to use them together securely.
Generally, Firewall is a function of rules and policies configured on it. Without rules and policies, firewall deployment does not make much sense. What rules are configured defines the security the firewall offers. While configuring NCF, user broadly sees different sets of rules and modes:
Any network traffic on the system is related to one or the other application installed on the system. Application rules are configured and used for allowing traffic for such specific applications. Application rules provide three levels of trust for each application as shown in the figure below.
Figure 1: Application Rules dialog box in NCF
Blocked Application: These applications are not trusted at all. If any application is configured in Blocked Application list, all the traffic for these applications are blocked.
Partially Allowed: In this case, a specific set of traffic rules is configured for each application and traffic is allowed only as per the configured rules. As shown in Figure2, these rules are created based on protocol, traffic direction, port and address (both local and remote), and time interval. For any matching traffic, a set of actions is also defined to deny, allow, reject, report, run application or activate stateful inspection for the rule. Application rules for partially allowed application can only be configured for TCP and UDP. For any other protocol, System Rules should be used.
Figure 2: Rules dialog box for Partially Allowed and System Rules
Trusted Application: If any application is added in Trusted Application list, all the traffic for this application are trusted and allowed irrespective of any parameter (protocol, port, direction or timing settings).
System Rules are configured as different set of rules from Application Rules. System Rules are also called Global Application Rules. System Rules are used for all the traffic on system irrespective of the application associated with the traffic. All the options for configuring new global application rules are similar to rules for partially allowed application as shown in Figure 2. The only difference is that unlike Application Rules that can be configured only for the protocols TCP and UDP, System Rules support many different IP protocols like ICMP, IGMP, ESP, SKIP, AH and OSPF.
Apart from Application and System Rules there are other configuration options in NCF that do not appear as rule list for the end user. But here lies the catch, NCF treats the entire configuration as a global list of rules and processes them in a pre-defined sequence (as described in Rule Processing in NCF section). This internal list of rules will be referred to as Firewall Rules in this document. It is critical to understand each and every option in NCF configuration. These other configuration options are:
Plug-ins: One of the unique features of NCF, Plug-ins process traffic at all layers. Traffic is filtered from the highest application level (e.g. active content filtering) to the lowest (e.g. attack detection). Default installation of NCF provides six Plug-ins: one DNS Caching Plug-in and five others for filtering traffic.
Figure 3: NCF Plug-Ins
For filtering web related traffic, NCF provides three Plug-ins: Active Content Filtering, Advertisement Blocking and Content Filtering. To protect the system from attacks and port scanning, NCF has the Attack Detection Plug-in while it provides another Plug-in for filtering e-mail attachments. All these Plug-ins can be enabled/disabled and can be configured for various parameters.
LAN Settings (Trusted / NetBIOS Zone): NCF provides option to configure address (domain name, network/host address or address range) as Trusted or NetBIOS zone. If an address is configured as NetBIOS Zone, all the NetBIOS traffic for the zone is allowed. If an address is configured as Trusted Zone, all traffic from the client is allowed.
ICMP Rules: For configuring ICMP traffic rules, separate set of configuration options are available. It provides options for controlling various ICMP types, for both outbound and inbound traffic.
Figure 4: System Level filtering options for ICMP and LAN settings
LAN settings and ICMP rules options available in system level filtering options are shown in the above figure.
Once you install NCF a window tray icon representing the mode in which NCF currently runs is displayed. You can configure NCF in 5 different modes for providing different levels of security as explained in the below table:
Table 1: NCF Policy Modes
As discussed previously, configuration of rules on the firewall decides the security level. NCF provides multiple options for rule configurations. These rules and options have a particular order while deciding whether the traffic is to be blocked or permitted. This section describes the internal rule processing in NCF and the of rule precedence.
Almost all firewalls filter traffic as per the set of configured rules. Rule set is created by defining:
(1) parameters to match the traffic
(2) action for matched traffic
(3) priority of each rule
NCF is no exception and it also filters traffic based on rules. The rules are represented as combinations of the following parameters:
Note: NCF also has option for defining rules based on time, but it is not being considered here.
As far as the end user or administrator of NCF is concerned, they have option to configure:
(1) Application Rules
(2) System Rules
(3) Trusted / NetBIOS zones
(4) Policy modes
But as discussed earlier, for all processing purposes, NCF uses only singe rule list (Firewall Rules). All the above configurable options (except Plug-ins) are used to generate Firewall Rules, described as follows:
Previous section described how options and rules are internally converted into the firewall rules. But having a set of rules is not enough; the rules should be prioritized. NCF sets the rule priority according to specific rule precedence:
3.2.1 Policy Mode (Stop All or Disabled)
Configuring NCF policy as Stop All denies all the traffic irrespective of any other rule or option settings. Similarly configuring NCF policy as Disabled allows all traffic irrespective of any configuration at NCF.
3.2.2 Blocked Application
If any application is configured as Blocked Application, no associated traffic is allowed. Effectively this configuration holds higher priority than a Trusted Zone.
Implication: Assume that IEXPLORER.EXE (Internet Explorer) is configured as Blocked Application and an IP xx.xx.xx.xx is configured as trusted zone. Even in this case Internet Explorer cannot be used to connect to trusted zone.
Plug-ins receive all network data after rule processing is completed. Effectively, priority of Plug-ins is highest because they take the final decision irrespective of firewall rules for allowing any traffic. If traffic is allowed even after processing rules and checking policy mode, they are checked against Plug-in configuration. Plug-ins like Attack Detection require analyzing traffic at the lowest level to protect against attacks, whereas Advertisement Blocking and Content Filtering plug-ins have to check and block HTTP traffic even if HTTP traffic is allowed through firewall rules. If plug-ins do not specifically block the traffic, the traffic is allowed as shown in the figure below.
Figure 5: Processing Plug-ins
Implication: Assume that Internet Explorer is configured as trusted application and web proxy is configured as trusted zone. If content filtering blocks any site, the site will not be allowed.
3.2.4 Trusted/NetBIOS Zones
Trusted or NetBIOS zone settings are at a higher level than application or system rules. As shown in Figure 6, NCF allows configuration of zones and marks them either as Trusted (to allow all traffic) or NetBIOS (to allow all the NetBIOS traffic). If either source or destination IP address lies within a network/subnet pair marked as Trusted, traffic will be permitted. If marked as NetBIOS, only traffic to and from NetBIOS ports on those addresses will be permitted (ports 137-139 and 445 on TCP and 137-138 on UDP). These rules are applied irrespective of Application or System rules.
Implications: Since Trusted / NetBIOS zone has higher precedence, other rule settings like partially allowed application rules & system rules affect the traffic for these zones. For example, even if xx.xx.xx.xx is configured as trusted zone and a system rule denies all TCP traffic for xx.xx.xx.xx, the traffic is allowed.
Figure 6: Trusted / NetBIOS Zone Setting
3.2.5 Global NetBIOS Block Rule
Due to the vulnerabilities of NetBIOS, Windows OS is directly susceptible to a large number of threats. Hence to provide enhanced security, NCF blocks NetBIOS traffic which does not belongs to the zone marked as NetBIOS. There is no separate rule configuration for Global NetBIOS Block Rule but this rule is active by default. This rule states that traffic to NetBIOS ports (137-139 & 445 on TCP and 137-138 on UDP) is blocked.
Implication: Any NetBIOS traffic not for/from (source/destination) zone marked as NetBIOS is blocked by NCF even if there exists a firewall rule allowing NetBios traffic.
3.2.6 Application Rules
Application Rules are at higher precedence than System Rules. After checking for Trusted and NetBIOS zone, NCF scans through all Application Rules (of the concerned application) to match the traffic. If a match is found, corresponding firewall rule is generated and traffic is allowed.
Implications: By having Application Rules at higher precedence than System Rules and policy, traffic is allowed or denied for a particular application even if there exists a System Rule opposite to it. For instance, if you have IEXPLORER as partially allowed application and HTTP traffic is denied in system rules, then HTTP traffic from Internet Explorer will be allowed since Application Rules are at higher precedence.
3.2.7 Global Application or System Rules
These rules are applied to any traffic irrespective of application to which the traffic is related. That is why they are also called Global Application Rule. Moreover if traffic is neither of type TCP or UDP, it will always reach this step since rules for protocols other than TCP and UDP can only be set as System Rule. System Rules are at higher precedence than policy modes.
3.2.8 NCF Policy
If none of the rules (from Zones, Application or System) have matched the traffic then decision is taken based on NCF policy. In Allow Most mode, traffic is allowed and given to Plugins for processing. In Block Most mode, traffic is blocked. And in Rule Wizard mode user is prompted to take the action.
Following are the instances when traffic is Blocked, in the order of precedence:
1) If application associated with traffic is configured as Blocked Application
2) If Traffic under processing is NetBIOS traffic and either of source or destination IP is not marked as Trusted/NetBIOS zone
3) If traffic is specifically denied by configuring a Deny or Reject application or traffic rule
4) If traffic does not match any of the firewall rules and NCF policy is Block Most
5) If any of Plug-in settings does not allow traffic
Following are the instances when traffic is Allowed, in the order of precedence.
1) If traffic under consideration is NetBIOS and its source or destination IP matches zone marked as NetBIOS
2) If source or destination for traffic falls under trusted zone
3) If application generating traffic is configured as trusted application or if partially allowed application rule matches the traffic
4) If traffic match with system rules
5) If traffic does not match any of the firewall rules and NCF policy is Allow Most
The crucial point here is, for all the cases allowing traffic is subject to Plug-ins setting. If plug-in blocks the traffic finally, then it is not allowed (as shown in Figure 5).
NCF allows multiple configuration options for end users and administrators. But NCF treats whole configuration as a single set of Firewall Rules and processes traffic as per these rules and Plug-ins. Understanding the rule configuration and the precedence of rules is very critical for secure configuration of NCF. Incorrect understanding of NCF rules leads to wrong configuration, which can make systems vulnerable to severe Internet threats. The information in this AppNote is derived strictly from test scenarios. In real user scenarios, you may experience deviations from these results. Novell does not recommend deploying monitoring directly in a production network. You should always verify monitoring on a simulated test network before you deploy anything in a production environment.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com