Creating a custom policy for Symantec Client Firewall 8.x or Symantec Client Security 3.x

Article:TECH101223  |  Created: 2005-01-17  |  Updated: 2006-01-10  |  Article URL http://www.symantec.com/docs/TECH101223
Article Type: Technical Solution


Issue



This document describes how to create a custom policy for Symantec Client Firewall.


Solution



To create a custom policy for Symantec Client Firewall, you must have Symantec Client Firewall and the Symantec Client Firewall Administrator installed. Follow the steps below to create a custom policy and deploy it to your firewall installations.

Step 1: Create a new policy, or open an existing one with Symantec Client Firewall Administrator

To create a new policy
  1. Open the Symantec Client Firewall Administrator.
  2. Click File > New.

New policies are created from the ScfaDefaultPolicy.cfp template.

To open an existing policy
  1. Open the Symantec Client Firewall Administrator.
  2. Click File > Open.
  3. Navigate to the .xml or .cfp policy file that you want to customize, and then click Open.

The initial firewall policy that is installed with the firewall is copied to the \Program Files\Symantec\Symantec Client Firewall Administrator\Policies folder on the computer where Symantec Client Firewall Administrator is installed.


Step 2: Import one or more groups of policy settings from other policy files or the Active Client

To import data from an existing policy into Symantec Client Firewall Administrator
When you import a policy, you can import all settings categories or only the categories you select. This lets you build a new policy from sections of several existing policy files.
  1. Open the Symantec Client Firewall Administrator.
  2. Click File > Import. The File Import Data Selection window appears.
  3. Select the categories of configuration data that you want to import, and then click OK.
  4. Go to the policy file that contains the data that you want to import, and then click Open.


Note: When importing settings from the Active Client, IDS Exclusions are not available.



To import policy data from the Active Client
You can also import settings directly from the Active Client by doing the following:
  1. Open the Symantec Client Firewall Administrator.
  2. Click File > Import from Active Client.
  3. In the File Import Data Selection window, select the categories of configuration data that you want to import, and then click OK.


Step 3: Customize the policy within Symantec Client Firewall Administrator

Rules
Firewall rules include System-Wide, Application, and Trojan horse rules.
  • System-Wide firewall rules apply to all of the network communications of Symantec Client Firewall clients that access the Internet. These rules are based on port numbers and IP addresses rather than specific applications or Trojan horses, which are handled separately.
  • Application rules permit or block communications between specific client applications and the Internet. You can configure an application rule that is specific to communications on a particular port or address, or one that applies to all IP ports and addresses.
  • Trojan horses are malicious programs that are disguised as useful applications. Symantec Client Firewall Administrator Trojan horse rules examine the network communications of Symantec Client Firewall clients that access the Internet. If a malicious program is detected, the firewall rule takes immediate action against this type of threat.

Manually creating firewall rules
Firewall rules can be built using the Symantec Client Firewall Administrator, saved to a new policy and then distributed to the Symantec Client Firewall clients. Firewall rules can also be created on the Symantec Client Firewall client, if the user has the proper access level.

To create a System-Wide rule
  1. On the Rules tab, on the General Rules tab click Add. The Add Firewall Rule screen is displayed.
  2. Type a description for the rule.
  3. In the Action list, select whether you want to Block, Permit, or Permit and Monitor the communication of the application.
  4. In the Connection list, select whether the rule applies to inbound communications, outbound communications or both inbound and outbound communications.
  5. In the Protocol list, select whether the rule applies to TCP communications, UDP communications, TCP and UDP communications, or ICMP communications.
  6. Choose whether or not you want to allow secure HTTPS connections.
  7. On the Ports tab, select whether the rule applies to all ports or one or more particular ports, for both remote ports (ports on remote computers) and local ports (ports on the local computer).
  8. On the Computers tab, identify the IP addresses to which the rule applies.
  9. On the Tracking tab, specify whether you want to create a log entry when the rule is triggered and whether you want the AlertTracker utility to be enabled.
  10. After choosing all of the appropriate settings, click OK. The new rule appears in the Rules list.
  11. Highlight the rule and use the Move Up and Move Down buttons to place the rule in the list.


Note: Rules are processed from the top of the list to the bottom, so rules closer to the top have higher priority.



To change any rule settings, highlight the rule and click Edit. To delete any rule, highlight the rule and click Delete.
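The top-to-bottom ordering described in the note above (which also governs the Program and Trojan horse rule lists) is easy to get wrong when a broad Block sits above a narrow Permit. The following is an added example, not code from Symantec or this article: a constructed model of a rule list with the Action, Connection, Protocol, Ports and Computers settings, evaluated first-match-wins, showing that swapping two rules silently changes the outcome.

```python
# Constructed model of a Symantec Client Firewall rule list (not the product's own format):
# each rule carries the Action, Connection, Protocol, Ports and Computers settings from the
# Add Firewall Rule screen, and the list is walked top to bottom, first match wins.
class Rule:
    def __init__(self, description, action, connection, protocol,
                 remote_ports=None, local_ports=None, remote_addrs=None):
        self.description = description
        self.action = action            # "Block", "Permit" or "Permit and Monitor"
        self.connection = connection    # "inbound", "outbound" or "both"
        self.protocol = protocol        # "TCP", "UDP", "TCP and UDP" or "ICMP"
        self.remote_ports = remote_ports    # None means "all ports"
        self.local_ports = local_ports
        self.remote_addrs = remote_addrs    # None means "all addresses"

    def matches(self, direction, proto, remote_port, local_port, remote_addr):
        if self.connection != "both" and self.connection != direction:
            return False
        if self.protocol == "TCP and UDP":
            if proto not in ("TCP", "UDP"):
                return False
        elif self.protocol != proto:
            return False
        if self.remote_ports is not None and remote_port not in self.remote_ports:
            return False
        if self.local_ports is not None and local_port not in self.local_ports:
            return False
        return self.remote_addrs is None or remote_addr in self.remote_addrs

def evaluate(rules, direction, proto, remote_port, local_port, remote_addr):
    """Return (action, description) of the first matching rule, or (None, None)."""
    for rule in rules:
        if rule.matches(direction, proto, remote_port, local_port, remote_addr):
            return rule.action, rule.description
    return None, None   # nothing matched; the policy's other settings decide

# Constructed policy: a narrow Permit placed above a broad Block.
POLICY = [
    Rule("Permit inbound RDP from the admin host", "Permit and Monitor", "inbound", "TCP",
         local_ports={3389}, remote_addrs={"10.0.0.5"}),
    Rule("Block all other inbound TCP", "Block", "inbound", "TCP"),
]

def rdp_from_admin_host():
    return evaluate(POLICY, "inbound", "TCP", 50000, 3389, "10.0.0.5")[0]

def rdp_from_other_host():
    return evaluate(POLICY, "inbound", "TCP", 50000, 3389, "10.0.0.9")[0]

def block_moved_to_top():
    # Same two rules with the Block moved up: the Permit below it can never be reached.
    return evaluate(list(reversed(POLICY)), "inbound", "TCP", 50000, 3389, "10.0.0.5")[0]
```

When reviewing a policy, walk each expected connection through the list this way and confirm the rule that decides it is the one you intended.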

To create a Program rule
  1. On the Rules tab, on the Program Rules tab, under Program, click the application for which you want to create a rule. If the application is not listed:
    1. Click Add.
    2. Type a description for the application.
    3. Browse to and select the application.
  2. Under Rules, click Add. The Add Firewall Rule screen is displayed.
  3. Type a description for the rule.
  4. In the Action list, select whether you want to Block, Permit, or Permit and Monitor the communication of the application.
  5. In the Connection list, select whether the rule applies to inbound communications, outbound communications, or both inbound and outbound communications.
  6. In the Protocol list, select whether the rule applies to TCP communications, UDP communications, TCP and UDP communications, or ICMP communications.
  7. On the Ports tab, select whether the rule applies to all ports, or one or more particular ports, for both remote ports and local ports.
  8. On the Computers tab, identify the IP addresses or domain names to which the rule applies.
  9. On the Tracking tab, specify whether you want to create a log entry when the rule is triggered, whether you want the AlertTracker to notify the user that a rule was triggered, and whether you want to create a Security Alert.
  10. After choosing all of the appropriate settings, click OK. The new rule appears in the Rule list.
  11. Highlight the rule and use the Move Up and Move Down buttons to place the rule in the list.


Note: Application rules apply only to the application in question. If multiple rules are created for the same application, they are processed in order, from the top of the rule list to the bottom.



To change an application or any rule settings, highlight the application or rule and click the associated Edit button. To delete an application or a rule, highlight the application or rule and click the associated Delete button.

To create a Trojan horse rule
  1. On the Rules tab, on the Trojan horse Rules tab, click Add.
  2. On the Add Firewall Rule screen, type a description for the rule.
  3. In the Action list, select whether you want to Block, Permit, or Permit and Monitor the communication of the application.
  4. In the Connection list, select whether the rule applies to inbound communications, outbound communications, or both inbound and outbound communications.
  5. In the Protocol list, select whether the rule applies to TCP communications, UDP communications, TCP and UDP communications, or ICMP communications.
  6. On the Ports tab, select whether the rule applies to all ports, or one or more particular ports, for both remote ports (ports on remote computers) and local ports (ports on the local computer).
  7. On the Computers tab, identify the IP addresses to which the rule applies.
  8. On the Tracking tab, specify whether you want to create a log entry when the rule is triggered and whether you want the AlertTracker utility to be enabled.
  9. After choosing all of the appropriate settings, click OK. The new rule appears in the Rules list.
  10. Highlight the rule and use the Move Up and Move Down buttons to place the rule in the list.


Note: Rules are processed from the top of the list to the bottom, so rules closer to the top have higher priority.


To change any rule settings, highlight the rule and click Edit. To delete any rule, highlight the rule and click Delete.


pRules
Application rules are created in the registry of the client when the firewall policy is rolled out. If all clients are similarly configured, this is an efficient method of providing uniform protection. If client workstations use widely divergent sets of applications, pRules are appropriate.

With pRules, or potential rules, data about applications is installed on the client workstation. However, the rules themselves are not created in the registry. When an application first attempts to access the Internet, the pRule is invoked. If the application matches the pRule criteria, then a new application rule is created from the pRule data in the registry of the client workstation.

To create a pRule
You create or modify a pRule for distribution to firewalls by configuring the following four sets of options for the pRule:
  • Application identity: Specify the application's executable file and supply a brief description of the application.
  • Match names: Generate application match names, which label sets of match criteria that are used to authenticate an application's executable file. Each match name for the pRule has separate associated match criteria.
  • Match criteria: Configure the values that the pRule uses to verify the application before allowing it to run. You can configure one or more sets of match criteria for an individual pRule, with each match set containing one or more match criteria. You choose from among the following match criteria:
    • File Version: Specify a version number or range of version numbers for the application to use as a match.
    • Version Data: Specify file resource property values to use as match criteria. After you select this option, you can select one of the following: Comments, Company name, File description, Internal name, Original file name, Product name, Product version, Legal copyright, or Legal trademarks.
    • Required Digest: Specify an encrypted pRule digest value to use for matching the Internet-enabled application. Using a required digest match means that the application executable must be authenticated by the digest or a security alert is triggered. It is the strongest method of verifying the authenticity of an application.
    • File Size: Specify an application executable file size or a range of possible file sizes to use for matching the application.
    By default, Symantec Client Firewall Administrator uses the executable file name as a match criterion for the application when a pRule is added.
  • Rules: Configure the Application rule that will be created on the Symantec Client Firewall client once the executable file specified by the pRule has been validated. Refer to the section "To create a Program rule."
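The match criteria above differ greatly in how hard they are to satisfy by accident or by substitution. The following is an added example, not code from Symantec or this article: a constructed pRule match set evaluated against an executable's name, version, version resource, size and digest, showing that a file which still passes the name, size and version checks is only rejected once a required digest is configured. SHA-256 is an assumption standing in for the product's digest, whose algorithm the article does not name.

```python
import hashlib
# Constructed stand-ins for an executable's bytes and version resource; the real pRule reads
# them from the file on the client, but here they are embedded so the example runs offline.
GOOD_EXE = b"MZ" + b"\x00" * 300 + b"constructed approved build of app.exe"
MODIFIED_EXE = GOOD_EXE[:-4] + b"XXXX"    # same name, size and version resource; four bytes changed

def version_tuple(text):
    return tuple(int(part) for part in text.split("."))

def digest(data):
    # Assumption: SHA-256 stands in for the pRule digest; the article does not name the algorithm.
    return hashlib.sha256(data).hexdigest()

def prule_matches(criteria, exe):
    """True only if every criterion configured in this match set holds for the executable."""
    if exe["name"].lower() != criteria["file_name"].lower():      # default criterion: file name
        return False
    if "file_version" in criteria:
        low, high = (version_tuple(v) for v in criteria["file_version"])
        if not low <= version_tuple(exe["file_version"]) <= high:
            return False
    for key, expected in criteria.get("version_data", {}).items():   # e.g. Company name
        if exe["version_data"].get(key) != expected:
            return False
    if "file_size" in criteria:
        low, high = criteria["file_size"]
        if not low <= len(exe["bytes"]) <= high:
            return False
    if "required_digest" in criteria and digest(exe["bytes"]) != criteria["required_digest"]:
        return False
    return True

PRULE = {   # constructed match set for app.exe
    "file_name": "app.exe",
    "file_version": ("2.0.0.0", "2.9.99.99"),
    "version_data": {"Company name": "Example Corp"},
    "file_size": (1, 1024),
    "required_digest": digest(GOOD_EXE),
}
GOOD = {"name": "APP.EXE", "file_version": "2.3.1.0",
        "version_data": {"Company name": "Example Corp"}, "bytes": GOOD_EXE}
TAMPERED = dict(GOOD, bytes=MODIFIED_EXE)

def approved_build_matches():
    return prule_matches(PRULE, GOOD)

def tampered_build_matches():
    # Returns (result without the digest criterion, result with it): only the digest catches the change.
    no_digest = {k: v for k, v in PRULE.items() if k != "required_digest"}
    return prule_matches(no_digest, TAMPERED), prule_matches(PRULE, TAMPERED)
```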


Zones
With Zones, you can identify computers that you can trust, and those that you want to restrict from accessing a client computer.
  • Computers that are in the Trusted Zone are not regulated by the Symantec Client Firewall client, and have total access to the client computer.
  • Computers that are in the Restricted Zone are prevented from accessing client computers.
  • Computers that are not placed in any Zone are regulated by all other settings of the firewall policy.

Use the Trusted Zone to list computers on your local network with which you need to share files and printers. Add computers that have attempted to attack computers in your organization to the Restricted Zone. The Restricted Zone provides the highest level of protection that Symantec Client Firewall offers: clients cannot interact with any computers that are in the Restricted Zone.

To add computers to Trusted or Restricted Zones
  1. Open Symantec Client Firewall Administrator.
  2. On the Zones tab, on either the Trusted or Restricted tab, click Add.
  3. Add one computer or several computers by choosing one of the following options:
    • Single address - Enter the IP address of the computer.
    • Domain name - Enter the domain name of the computer or computers.
    • Network address - Enter the IP address and network mask of the computer.
    • Address range - Enter the starting and ending IP addresses for the range of computers.
  4. After choosing a computer or computers, click OK. The address appears in the Internet Addresses list under the Zone chosen.

To change an existing address or range, highlight it, and then click Edit.
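Because a Trusted Zone entry bypasses every rule in the policy, it pays to check exactly which addresses a network mask or address range covers before deploying it. The following is an added example, not code from Symantec or this article: constructed Trusted and Restricted lists using the four entry types above, with a classifier that reports which Zone an address falls in. It assumes the Restricted Zone is checked first when an address appears in both, and matches domain entries against a resolved name supplied by the caller rather than performing DNS lookups.

```python
import ipaddress

# Constructed Trusted and Restricted Zone lists using the four entry types the Zones tab
# accepts: single address, domain name, network address with mask, and address range.
# Domain entries are compared against a caller-supplied resolved name; no DNS lookups are made.
TRUSTED = [
    ("single", "192.168.1.10"),
    ("network", "192.168.1.0", "255.255.255.0"),
    ("domain", "fileserver.corp.example"),
]
RESTRICTED = [
    ("range", "203.0.113.10", "203.0.113.50"),
    ("single", "198.51.100.7"),
]

def entry_matches(entry, ip, hostname=None):
    kind = entry[0]
    if kind == "single":
        return ip == ipaddress.ip_address(entry[1])
    if kind == "network":
        return ip in ipaddress.ip_network(f"{entry[1]}/{entry[2]}", strict=False)
    if kind == "range":
        return ipaddress.ip_address(entry[1]) <= ip <= ipaddress.ip_address(entry[2])
    if kind == "domain":
        return hostname is not None and hostname.lower() == entry[1].lower()
    raise ValueError(f"unknown zone entry type: {kind}")

def zone_of(address, hostname=None):
    """Return "Restricted", "Trusted" or None for an address not placed in any Zone.
    Assumption: the Restricted Zone is checked first, so an address listed in both is restricted."""
    ip = ipaddress.ip_address(address)
    if any(entry_matches(e, ip, hostname) for e in RESTRICTED):
        return "Restricted"
    if any(entry_matches(e, ip, hostname) for e in TRUSTED):
        return "Trusted"
    return None

def disposition(address, hostname=None):
    """How the policy treats traffic from this computer, per the Zone descriptions above."""
    zone = zone_of(address, hostname)
    if zone == "Trusted":
        return "not regulated by the firewall; full access to the client"
    if zone == "Restricted":
        return "prevented from accessing the client"
    return "regulated by the other settings of the firewall policy"
```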


IDS Exclusions
Intrusion detection is based on signatures. A signature defines or describes a network traffic pattern. Intrusion Detection System (IDS) signatures detect traffic patterns that are derived from previously detected exploits or attacks, or an anomalous pattern that is outside of the realm of expected traffic patterns and could be destructive.

Symantec supplies and periodically updates the set of signatures that are monitored.

Because each signature has a small corresponding resource impact, you can exclude specified signatures from being processed. For example, you may not need protection against certain attack signatures because your environment does not contain the systems or components that they are known to target. Once you exclude an IDS attack signature, traffic matching that signature can cross the firewall and is not logged. You can also exclude specific IP addresses for a signature. For example, the addresses may already be specified for automatic blocking by the firewall, or the threat from an IP address may have been eliminated and you want traffic from that address to flow across the firewall.

There are only two actions you can perform with IDS Exclusions:
  • Excluding attack signatures that you know are actually coming from legitimate sources.
  • Excluding certain computers from IDS AutoBlock, allowing those computers access regardless of any attack signatures.


Client Settings
You can customize client settings for each firewall policy to enable or disable specific components of firewall protection. For a complete list of settings and their explanations, refer to the document "What client settings can be changed using Symantec Client Firewall Administrator."


Step 4: Export the policy file to the Active Client for testing
The Active Client is the Symantec Client Firewall client that is installed on the same computer as Symantec Client Firewall Administrator. You can use the Active Client to develop, test and troubleshoot the rules and configuration settings of a policy package.

To test and customize a policy that was created in Symantec Client Firewall Administrator on the Active Client, you must export the policy data.


Note: Make sure to install a Symantec Client Firewall client on the same computer as Symantec Client Firewall Administrator before using the export to Active Client option.


To export policy data to the Active Client
  1. Open the Symantec Client Firewall Administrator.
  2. Click File, and then click Export to Active Client.
  3. In the File Import Data Selection window, select the categories of configuration data that you want to export, and then click OK.


WARNING: Zones and IDS Exclusions are always checked by default, whether or not information was imported or changed in these categories. If the Zones and IDS Exclusions contain no configuration information and are left checked, any information in those categories on the client is erased upon export. Be sure to either import the Zones and IDS Exclusions before exporting them back to the client, or uncheck those boxes if you have not made changes.




Step 5: Save the modified policy as a .cfp or .xml file for distribution to firewall installations
After you finish configuring a policy, save it for later distribution to Symantec Client Firewall clients. By default, policy files are saved to the C:\Program Files\Symantec\Symantec Client Firewall Administrator\Policies folder on the computer where Symantec Client Firewall Administrator is installed. You can, however, choose to save in any location.

When you choose to save a policy file, the File Import Data Selection window appears. Select the categories of configuration data that you want to save, and then click OK. Only the selected categories are saved.







Legacy ID: 2005041718372548