A.4 Firewall Policy

The following instructions assume that you are on the Configure Firewall Settings page in the Create New Firewall Policy Wizard or (see Section 9.0, Creating Security Policies) or that you are on the Details page for an existing Firewall policy (see Section 13.0, Editing a Policy’s Details).

The Firewall policy lets you determine the firewall settings applied to a device.The firewall settings control a device’s network connectivity by allowing or blocking ports, protocols, and network addresses (IP and MAC).

Watch a video that demonstrates how to create a Firewall policy.

A.4.1 Default Behavior

Specify the default behavior for ports and protocols. The default behavior is applied to all ports and protocols unless it is overridden by a port/protocol rule or an Access Control List.

Select one of the following behaviors:

  • Stateful: Blocks all unsolicited inbound network traffic. Allows all solicited inbound network traffic and all outbound network traffic.

  • Open: Allows all inbound and outbound network traffic. Because all network traffic is allowed, a device’s identity is visible on all ports.

  • Closed: Blocks all inbound and outbound network traffic. Because all network identification requests are blocked, a device’s identity is concealed on all ports.

    If you select this option, you should enable the ZENworks Server ACL and ARP ACL (see Section A.4.4, Standard Access Control Lists) to ensure that the device can communicate with ZENworks Servers to receive content (policies, bundles, and so forth) and upload report data.

  • Inherit: Inherits this setting value from other Firewall policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Firewall policies assigned to the user’s groups, folders, or zone.

A.4.2 Disable Windows Firewall and Register Endpoint Security Management Firewall in Windows Security Center

Select Yes to turn off the Windows Firewall and register the Endpoint Security Agent as the firewall provider in the Windows Security Center. This ensures that the Firewall policy’s settings and the Windows Firewall settings do not conflict and generate unexpected results.

Select Inherit to inherit this setting value from other Firewall policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting value is inherited from any Firewall policies assigned to the user’s groups, folders, or zone.

Please be aware of the following when using this option:

  • On Windows devices that are members of a domain, the GPO setting Turn On Security Center (Domain PC's Only) must be enabled. If the setting is not enabled and you apply a Firewall policy that disables the Windows Firewall, the Endpoint Security Agent is unable to turn off the Windows Firewall; the result is that both the Windows and Endpoint Security firewalls are active.

  • This setting disables only the Windows Firewall. If the device has other (third-party) firewalls active, those firewalls are not disabled and could conflict with the Endpoint Security firewall. We recommend that you disable any other firewalls.

A.4.3 Port/Protocol Rules

The port/protocol rules let you override the default behavior assigned to ports and protocols. A rule identifies one or more ports or protocols and the behavior to be applied to the ports and protocols.

For example, assume that you want to block streaming media. You would create a Streaming Media rule and close ports 554, 1755, 7070, and 8000 (the common Microsoft and RealMedia streaming media ports) to TCP communication.

The following table provides instructions for managing the policy’s port/protocol rules:

Task

Steps

Additional Details

Create a new rule

  1. Click Add > Create New.

  2. Fill in the following fields:

    Name: Specify a unique name for the rule. The name must be different than any other rule. For information about valid characters, see Naming Conventions in ZENworks Control Center.

    Description: This information is optional. You can provide text that helps identify the purpose, membership, creator, or owner of the rule.

    Default Behavior: Select one of the following behaviors:

    • Stateful: All unsolicited inbound network traffic is blocked. All outbound network traffic is allowed.

    • Open: All inbound and outbound network traffic is allowed

    • Closed: All inbound and outbound network traffic is blocked

    Port/Protocol Types: Specify the ports and protocols to add to the rule. To do so, click New, select the port type (TCP, UDP, or TCP/UDP) or the protocol type (Ether or IP). For TCP, UDP, and TCP/UDP, specify the starting and ending ports, then click OK to add the port to the rule. For Ether and IP, specify the starting and ending ether type or protocol type, then click OK to add the protocol to the rule.

    If you want to define a single port or protocol rather than a range, enter only a starting number.

    Define Another Rule: Select this option to create another port/protocol rule after you finish with this one.

  3. Click OK to save the rule.

 

Copy an existing rule from another policy

  1. Click Add > Copy Existing.

  2. Select the Firewall policies whose lists you want to copy.

  3. Click OK.

All rules included in the other Firewall policies are copied. If necessary, you can edit the copied rules after they are added to the list.

Import a rule from a policy export file

  1. Click Add > Import.

  2. Click to display the Select File dialog box.

  3. Click Browse, select the export file, then click OK.

  4. Click OK to add the rules to the list.

All rules included in the export file are imported. If necessary, you can edit the imported rules after they are added to the list.

For information about exporting rules, see Export a rule.

Enable or disable a rule

  1. Locate the rule in the list

  2. In the Enabled column, select the check box to enable the rule.

    or

    Deselect the check box to disable the rule.

When you add a rule it is enabled by default. You can disable a rule to save it in the policy but no longer apply it.

Edit a rule

  1. Click the rule name.

  2. Modify the fields as desired.

  3. Click OK.

 

Rename a rule

  1. Select the check box next to the rule name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.

 

Export a rule

  1. Select the check box next to the rule name.

    You can select multiple rules to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

 

Delete a rule

  1. Select the check box next to the rule name, then click Delete.

  2. Click OK to confirm deletion of the rule.

 

A.4.4 Standard Access Control Lists

The standard Access Control Lists (ACLs) represent predefined protocol packet types. For each ACL, select one of the following settings. The ACL setting overrides the default behavior and any port/protocol rules.

  • Allow: Allows the ACL’s protocol packets.

  • Inherit: Inherits this setting from other Firewall policies assigned higher in the policy hierarchy. For example, if you assign this policy to a user, the setting is inherited from any Firewall policies assigned to the user’s groups, folders, or zone.

The following list provides a brief descriptions of each ACL:

  • 802.1x: Allows 802.1x packets. To overcome deficiencies in Wired Equivalent Privacy (WEP) keys, Microsoft and other companies are utilizing 802.1x as an alternative authentication method. 802.1x is a port-based network access control that uses the Extensible Authentication Protocol (EAP) or certificates. Currently, most major wireless card vendors and many access point vendors support 802.1x. This setting also allows Light Extensible Authentication Protocol (LEAP) and WiFi Protected Access (WPA) authentication packets.

  • ARP: Allows Address Resolution Protocol (ARP) packets. Address resolution refers to the process of finding an address of a computer in a network. The address is resolved by using a protocol in which a piece of information is sent by a client process executing on the local computer to a server process executing on a remote computer. The information received by the server allows the server to uniquely identify the network system for which the address was required and therefore to provide the required address. The address resolution procedure is completed when the client receives a response from the server containing the required address.

  • Ethernet Multicast: Allows Ethernet Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets can be distributed by using either IP or Ethernet addresses.

  • ICMP: Allows Internet Control Message Protocol (ICMP) packets. ICMP packets are used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. ICMP messages are sent in several situations; for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route.

  • IP Multicast: Allows IP Multicast packets. Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news. Multicast packets can be distributed by using either IP or Ethernet addresses.

  • IP Subnet Broadcast: Allows Subnet Broadcast packets. Subnet broadcasts are used to send packets to all hosts of a subnetted, supernetted, or otherwise nonclassful network. All hosts of a nonclassful network listen for and process packets addressed to the subnet broadcast address.

  • Logical Link Layer Control: Allows LLC-encoded packets.

  • SNAP: Allows SNAP-encoded packets. Subnetwork Access Protocol (SNAP) is an extension of the Logic Link Control (LLC IEEE 802.2) header and is used for encapsulating IP datagrams and ARP requests and replies on IEEE 802 networks.

  • ZENworks Server: Allows packets sent to and received from the ZENworks Server.

A.4.5 Access Control Lists

You can create custom Access Control Lists (ACLs) to define specific IP or MAC addresses from which unsolicited traffic should always be blocked or should always be allowed. An ACL setting overrides port rules and the default port behavior.

The following table provides instructions for managing the ACLs:

Task

Steps

Additional Details

Create a new ACL

  1. Click Add > Create New.

  2. Fill in the following fields:

    Name: Specify a unique name for the Access Control List. For information about valid characters, see Naming Conventions in ZENworks Control Center.

    Description: Provide optional text that helps identify the purpose, membership, creator, or owner.

    ACL Behavior: Select Trusted to specify that membership in this ACL allows access. Select Non-Trusted to specify that membership in this ACL denies access.

    Configure Optional Ports: By default, the ACL behavior is applied to all ports. For example, if the ACL behavior is trusted, all ports trust the addresses included in the ACL.

    If you want the ACL to apply to only specific ports, select this option then specify the ports and the behavior for the ports (Open, Closed, or Stateful). This causes the ACL Behavior setting to be ignored in favor of the individual port behavior settings.

    Address Types: Specify the IP and MAC addresses that are members of the ACL. To do so, click New, select the type (IP Address or DNS Name, MAC Address, or Macro), specify the appropriate address or select the desired macro, then click OK.

    The macros are predefined IP address groups. For example, All DHCP applies the ACL behavior to a device’s current DHCP server IP addresses while Default DHCP applies it to the current Default DHCP server IP address.

    Define Another Access Control List: Select this option to create another Access Control List after you finish with this one.

  3. Click OK to save the Access Control List.

    By default, the ACL is enabled. If you do not want it enabled at this time, deselect the Enabled box.

Use one of the following formats:

  • xxx.xxx.xxx.xxx: Standard dotted-decimal notation for a single address. For example, 123.45.167.100.

  • xxx.xxx.xxx.xxx/n: Standard CIDR (Classless Inter-Domain Routing) notation. For example, 123.45.167.100/24 matches all IP addresses that start with 123.45.167.

  • www.domain_name: Standard domain name notation. For example, www.novell.com.

  • www.domain_name/n: Standard CIDR (Classless Inter-Domain Routing) notation for a domain name. For example, www.novell.com/16.

IMPORTANT:To enforce the ACL, an IP address range is expanded to individual IP addresses. A large range can consume significant resources on the device and impact performance. To minimize this impact, define ranges that include only the IP addresses you want to control.

Use the following format when specifying a MAC address: xx:xx:xx:xx:xx:xx. For example, 01:23:45:67:89:ab.

Copy an existing ACL from another policy

  1. Click Add > Copy Existing.

  2. Select the Firewall policies whose ACL you want to copy.

  3. Click OK.

All ACLs included in the other Firewall policies are copied. If necessary, you can edit the copied ACLs after they are added to the list.

Import an ACL from a policy export file

  1. Click Add > Import.

  2. Click to display the Select File dialog box.

  3. Click Browse, select the export file, then click OK.

  4. Click OK to add the ACLs to the list.

All ACLs included in the export file are imported. If necessary, you can edit the imported ACLs after they are added to the list.

For information about exporting ACLs, see Export an ACL.

Enable or disable an ACL

  1. Locate the ACL in the list

  2. In the Enabled column, select the check box to enable the ACL.

    or

    Deselect the check box to disable the ACL.

When you add an ACL it is enabled by default. You can disable an ACL to save it in the policy but no longer apply it.

Edit an ACL

  1. Click the ACL name.

  2. Modify the fields as desired.

  3. Click OK.

 

Rename an ACL

  1. Select the check box next to the ACL name, then click Edit > Rename.

  2. Modify the name as desired.

  3. Click OK.

 

Export an ACL

  1. Select the check box next to the ACL name.

    You can select multiple ACLs to export.

  2. Click Edit > Export.

  3. Save the file.

    The default name given to the file is sharedComponents.xml. You can change the name if desired. Do not change the .xml extension.

 

Delete an ACL

  1. Select the check box next to the ACL name, then click Delete.

  2. Click OK to confirm deletion of the ACL.