The rules in Tiny Firewall may target:
Selecting 'All Application' allows to build gen eral rules for situation when the specific application is unknown or when there is a need to build a general rule. Selecting Group of applications or particular application allows to build more granular policies.
The application and dll may include following information:
Label The rule refers the application by its label - name under which such application exists in the Application Repository. The label - name - of the application may be different from the actual name of the executable or .dll. The advantage of this is that you may give your applications friendly names or that you are not bound by the specific name of the executable or dll in case that it would change.
Description Most of the applications include the Description as a part of the information embedded in the executable. This information is automatically added by TF6 when used for the application definition.
MD5 Every file (including executables and dlls) has its unique signature - checksum - which is calculated based on its size and information embedded. It is considered as a fact that there are no two different applications with the identical MD5 signature. Thus MD5 serves as the unique identifier of the application or dll. One application may include multiple MD5 signatures.
Path Sometimes it is not possible or practical to define the application using MD5 checksum. The application may be defined by its position on the disk or network share. Event though this definition is not secure sometimes it may be practical to use it.
The applications may be organized into groups. One application may be member of multiple groups. Groups may not be members of the groups.
System and User Groups
Tiny Firewall recognized applications running under user account and system account. This definition is reflected in the Application Repository. There are two types of the groups:
Note! Systemapplications groups ALWAYS bear '$' prefix.
Some applications may run under both types of accounts, some of them you don't know. If you are unsure or have application running under both accounts you may place it into both types of groups.
In order to understand all of this it is good to imagine the application activity at the endpoint:
When application starts it starts under one of two types of the accounts: either is starts as the user process or as a system process. There is nothing in between except of that certain applications (courtesy of Microsoft) may start as a system process and once they would identify a user continue as a user process.
When the application starts Tiny Firewall on the endpoint recognizes the application (or not if it is unknown) then it applies policy for unknown applications and if these are allowed to run then it applies policies applicable to 'All' applications) and from that point on it applies policies applicable to this application (based on its group membership etc).
In summary it is up to the administrator how complicated and granular his policies need to be.
Each rule includes the description whi ch will appear in the 'Simple View'. This allows to build more human readable policies rather then pure tables with ports and protocols.
The rules in their views will be always sorted automatically according to the logic explained in other chapters.
In order to prevent user errors Tiny Firewall incorporate rule sorting mechanism which sorts rules based on the specific logic. Without this sorting mechanism it would be impossible to build the policies for more group memberships then just one.
The benefit is that no matter where and how you enter the rule you would always know that the rule will be applied correctly.
How to move rules where you want them...
Host Tiny Firewall incorporate several importance layers which allow to apply the rules where you need - still without manually shifting rules up and down in the rule list.
The importance layers are (by their importance from top to bottom):
As you can see you can apply four levels of the rule importance on the Tiny Firewall which should be sufficient for any needs. We recommend to keep the High Priority Preferred level for circumstances where you need to apply certain general overriding rule immediately (e.g. block all traffic, allow all traffic etc.)
The endpoint firewall can distinguish and apply different policies based on the account under which the application run.
There are three options:
Each choice has its use and it is up to the administrator to decide when to apply which. In general if you don't know the specific application and just want to block the port you will choose 'All Applications' running under 'All' accounts in the rule.
You might need to disable created rules from various reasons. Tiny Firewall has the solution for this in a form of 'Disabled' parameter. Disabled parameter allows conveniently enable and disable rules previously created.
Note! Disabling the rule will cause it inactive for the entire organization and all filters associated with the rule. If you want to disable rule for particular combination of security memberships (filter) you must deselect such filter at the particular rule!
The benefit is that no matter where and how you enter the rule you would always know that the rule will be applied correctly.
Sort Order
The rules are sorted similar to how the Excel would sort the table - by Column A, then B, then C etc. In the network security module these columns and their order are:
Tiny Firewall allows to predefine network security objects for convenient use when building the policies. You can predefine following:
When building the policies you will be referring to these objects by their names which will appear in the options offered to fill in.
When creating the network security rules you should consider your goal. Do you want to block the port in general or do you wan to block specific application? Either way Tiny Firewall offers wide array of options which may accomplish your security goal.
In general you should start with the simple rules allowing or blocking the ports for all applications and then - when you would become more comfortable - start to make your policies more granular.
When creating the rules you must consider following details (explained in different chapters):
The benefit is that no matter where and how you enter the rule you would always know that the rule will be applied correctly.
Sort Order
Note: The Application Spawning it is sorted first by a child application and then by a parent application. The first priority has the application, then groups (alphabetically) and then Any (*).
Absolute paths: For local drives, use the drive letters (e.g. " C:\Folder1\Subfolder2\file.doc ") and for network mapped drives and shared folders locations use their UNC name (e.g. " server\some_share\some_folder\some_file.doc ").
Relative paths: in addition to absolute paths, also relative paths can be used, starting with variables:
Usage example: " %SystemRoot%\System32 ".
Some relative variables can expand into multiple directories:
Paths can be also retrieved from registry, with the use of the following variables:
Note: DirOnXXX => do not use HKCU in rules = > it will be expanded with a service running under system account. %UserSpecific% gets special user specific folders go t from registry (syntax: %UserSpecific%\(FOLDER-TYPE-SUCH-AS-LOCALSETTINGS)\\\(OPTIONAL-PATH-TO-APPEND) )
Note: %UserSpecific% uses the HKU\(USER-SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and value name specified right after the %UserSpecific% variable to get the file path (usually under the Documents and Settings folder). The following value names are typical: AppData, Local AppData, Local Settings, Cache, Cookies. See your own registry for further options. %Root% => Get root of the specified folder (use with %DirOnKeyValue% ) => usage: %Root%\(OTHER-VARIABLE)
Wildcards: You can use ? and * wildcards in the file path segments (e.g. C:\Photos\?*\small\*.jpg ).
Note: ? means one character and * means zero characters or any characters. Use " ...\?*\... " instead of " ????????????????????????????????\*\... " to avoid undesired results. Do not use *.* since it gets only files or dirs containing "." in their name. To differentiate traverse access to particular folder, use two rules: " C:\SomeFolder\?* " and " C:\SomeFolder ".
Use HKCR, HKCU, HKLM and HKU shortcuts when defining paths to registry keys. Use two backslashes to separate a value name from the remaining registry path. Use "\\" for default value. (e.g. for value Version use " HKLM\Software\Microsoft\DirectX\\Version ").
Wildcards ? and * can be used to substitute one character or multiple characters.
Note: * means zero or any character, we recommend to use "?*" combination which means 'at least one character long'.
Applications and dlls are identified in rules by string ID, called Label, and are defined in Application Repository. This link is usually an executable or dll file name such as iexplore.exe.
Spawning and dll loading guard examples:
A Service is identified by its registry key name in the HKLM\System\CurrentControlSet\Services key (e.g. " Alerter ").
TF client contains the following services: UmxAgent (FW Event Manager), UmxCC (FW Communication Client), UmxCfg (FW Configuration Interpreter), UmxFwHlp (FW User-Mode Helper), UmxLU (FW Live Update) and UmxPol (FW Policy Manager).
COM objects are identified by its CLSID (e.g. " 7EBFD170-E4FE-48C5-8E21-05D903BAAEEC} ")
Create In-Proc COM Server - It is very common for applications to use COM dlls such as ActiveX. The ActiveX is running in the security c ontext of an application, so this type of COM access cannot be used to gain more privileges than the application already has. However, special case are "container" applications such as Internet Explorer which are designed to dynamically load and host Acti veX controls. For example, in Internet Explorer, the ActiveX to load could be determined by HTML page. Similar to IE there are other programs that can dynamically load In-Proc COM Servers, such as the Windows scripting Host (wscript.exe) that can be directed to load COM module by a VB (.vbs) or JScript (.js) scripts. For these "container" applications we recommend not having them in the Trusted applications and rather running them under Default Security.
Create Out-Of-Process (Local) COM Servers - This is a way how one application can use (and also misuse) services of another application. This access is less common (but it still could be regular) and more dangerous, since it is a potential way how an application running under Default security can gain privi leges by controlling another - Trusted - application. Create Remote Server - this is similar to Create Out-Of-Process (Local) COM Servers but in this case the application to be controlled is running on a different computer. There is no reason why an unkno wn application should do that. It is recommended to Prevent such access in this case.
There are two ways how to identify devices:
Device name syntax: DRIVER-NAME}\DevN\*\{DEVICE-NAME} (e.g. " Tcpip\DevN\*\RawIp" or "*\DevN\*\RawIp " if the driver is unknown).
Link syntax (Plug and Play devices): Plug and play devices have the device name variable, so it is better to use the second syntax: DRIVER-NAME}\Link\{DEVICE-CLASS}\{DEVICE-LINK}DEVICE-LINK} (e.g. "*\Link\Modem\*" or "Disk\Link\*\usbstor*" )
Wildcards ? and * can be used in links, device and driver names, so *CdRomTEAC* can do the job for the mentioned ugly DEVICE-LINK} DEVICE-LINK}.
Note: Device rules are sorted by path elements from left to right, * has the lowest significance.
The following global properties can be set:
Disable/Enable System Security Module Audit (SBXChangeSecurityAL) - Audit Level of the notification about disable/enable System Security module on client.
Start Process Audit (StartProcessAL) - Audit Level of the notification about a process start. Note: It must be set to Monitor in order to be able on the server to add unknown applications to the Application Repository.
End Process Audit (EndProcessAL) - Audit Level of the notification about a process end.
Unknown Application Start (UnkAppStartDlg) - Handling of unknown applications. Can be set to: No Special Action - when unknown application (does not exist in the Application Repository) starts, no special actions is done - rules with the "*" in the application column apply Show Options Dlg to User - displays Alert dialog to the user with an optional enrollment into the client specific database (applications in the client database have lower priority then applications in the policy from the server if conflict arises) Kill the Application - kills the unknown application unconditionally
Unknown Application Start from System Application (UnkSysAppStartDlg) - Handling of unknown system applications. Similar to Unknown Application Start, but valid only when parent application is a system application (e.g. when a particular new process is started from a service).
Dll Group to Bypass Inject Code Restrictions (SafeToInjectDllGroup) - Dll group which bypasses the Inject Code restrictions. Contains string name of an existing dll group in the Application Repository. See System Privileges for more details.
To use only some features of System Security, you can turn OFF particular guards. You should do it by modifying settings for the "*" application.
For all system applications ("*" with the "S" flag set) we recommend to leave ON spawning and device guards only, unless you have properly filled $TrustedSystemApps group. A too restricted rule applied accidentally to core operating system services (they fall into the "S" - system applications) may cause problems during the system boot.
You can also adjust guards for a specific application or an application group.
If a particular guard is OFF (e.g File guard), then all rules for this object type (all file rules in this case) are bypassed for the specified application.
Tiny Firewall incorporates the support for SNORT IDS databases. SNORT is an open standard Intrusion Detection format. More information about SNORT is at www.snort.org.
Tiny Firewall allows full customization of SNORT rules. At present time from the security perspective in order to protect the integrity of the IDS database Tiny Firewall interface does not allow to edit the SNORT signatures. The signatures may be changed manually through the editing of XML database. The support for UI based editing of SNORT signatures is planed in the near future.
Tiny Firewa ll recognizes two types of IDS rules - monitoring and preventing rules. While monitoring rules incorporate asynchronous cache mechanism and do not represent a threat as far as the speed of the processing it is very important to carefully consider the depl oyment of Preventing rules. Preventing rules inspect the traffic in real time and the speed of processing directly affects the endpoint. Therefore it is important to plan on IPS rules carefully and use only prevention rules which are necessary.
IDS/IPS rules may be modified based on:
In order to preserve the integrity of IDS database Tiny Firewall does not allow to modify the signatures.
Remote IP addresses may only be modified using predefined IP address objects.