Protecting a Mobile Laptop

The following describes the steps involved in using Vulnerability Protection/Deep Security to protect a mobile laptop. It will involve the following steps:

  1. Adding Computers to the Manager
    1. Adding individual computers
    2. Performing a Discovery Operation on your network
    3. Importing computers from a Microsoft Active Directory
  2. Create a new Policy for a Windows laptop
    1. Creating and naming the new Policy
    2. Setting which interfaces to monitor
    3. Setting the network engine to Inline Mode
    4. Assigning Firewall Rules (including some with Location Awareness) and enabling Firewall Stateful Configuration
    5. Assigning Intrusion Prevention Rules
    6. Assigning Log Inspection Rules
    7. Assigning Integrity Monitoring Rules
  3. Applying the Policy to the computer
  4. Monitoring Activity using the Manager

We will assume that you have already installed the Manager on the computer from which you intend to manage the Vulnerability Protection/Deep Security Agents throughout your network. We will also assume that you have installed (but not activated) Vulnerability Protection/Deep Security Agents on the mobile laptops you wish to protect. If you have not done so, consult the installation instructions for the steps to get to this stage.

Adding computers to the Manager

You can add computers to the Vulnerability Protection/Deep Security Computers page by:

  1. Adding computers individually by specifying their IP addresses or hostnames
  2. Discovering computers by scanning the network
  3. Connecting to a Microsoft Active Directory and importing a list of computers
  4. Connecting to a VMware vCenter and importing a list of computers (not covered in this section because we are dealing with mobile laptops.)

Adding computers individually by specifying their IP addresses or hostnames

To add an individual computer by specifying its IP address or hostname, go to the Computers page and click New in the toolbar.

Type the hostname or IP address of the new computer in the Hostname text box. The New Computer wizard also lets you specify a Policy which it will apply to the new computer if it finds the computer and determines that an unactivated Agent is present. (For now, don't select a Policy.) When you click Next, the wizard will find the computer and activate the Agent. When Agent activation has completed, the wizard will give you the option of opening the Computer Editor window (the Details window) which lets you configure many of the Agent's settings. Skip the Details window for now.

Adding computers by scanning the network (Discovery)

To discover computers by scanning the network:

  1. Go to the Computers page.
  2. Click Discover... in the toolbar to display the Discover Computers dialog.
  3. Type a range of IP addresses you want to scan for computers. If you wish, you can enter a masked IP address to do the same thing.
  4. Select Automatically resolve IPs to hostnames to instruct the Manager to automatically resolve hostnames as it performs the discovery.
  5. You have the option to add discovered computers to a computer group you have created. For now, leave the Add Discovered Computers to Group drop-down list choice set to "Computers".
  6. Finally, clear the Automatically perform a port scan of discovered computers checkbox. (Port scanning detects which ports are open on the discovered computers.)
  7. Click OK. The dialog box will disappear and "Discovery in progress..." will appear in the Manager's status bar at the bottom of your browser. (The discovery process can be cancelled by clicking the "X".)

    In a few minutes, all visible computers on the network will have been detected and the Manager will have identified those with Vulnerability Protection/Deep Security Agents installed. These Agents now need to be activated.

  8. Activate the Agents by right-clicking an Agent (or multiple selected Agents), and select "Activate/Reactivate" from the shortcut menu. Once the Agents are activated, their status light will turn green and "Managed (Online)" will appear in the status column.

Importing Computers from a Microsoft Active Directory

Computers imported from an Active Directory are treated the same as any other computers in the Computers page.

To import computers from a Microsoft Active Directory:

  1. Click the down arrow next to "New" in the Computers page toolbar and select Add Directory... to start the Add Directory wizard.
    Synchronization of computers from other LDAP-based directories may be possible but would require some customization. For assistance contact your support provider.
  2. Type the Active Directory server name, a name and description for your imported directory as it will appear in the Manager (it doesn't have to match that of the Active Directory), the IP and port of the Active Directory server, and finally your access method and credentials. Click Next.
    You must include your domain name with your username in the User Name field.
  3. If you select SSL or TLS as the Access method, the wizard will ask you to accept a security certificate. You can view the certificate accepted by the Vulnerability Protection/Deep Security Manager by going to Administration > System Settings > Security and clicking "View Certificate List..." in the Trusted Certificates area. Click Next.
  4. The second page of the New Directory wizard asks for schema details. (Leave the default values). Click Finish.
  5. The next page will tell you if there were any errors. Click Next.
  6. The final page will let you create a Scheduled Task to regularly synchronize the Manager's Computers page with the Active Directory. Leave this option cleared for now. Click Close.

The directory structure now appears on the Computers page.

Additional Active Directory Options

Right-clicking an Active Directory structure gives you the following options that are not available for ordinary computer groups listed under Computers.

Now that the Agents are active, they can be assigned Firewall Rules and Intrusion Prevention Rules. Although all the individual security objects can be assigned individually to an Agent, it is convenient to group common security objects into a Policy and then assign the Policy to one or more Agents.

More information is available for each page in the Vulnerability Protection/Deep Security Manager by clicking the Support link in the menu bar.

Activating the Agents on Computers

Agents need to be "activated" by the Manager before Policies and rules can be assigned to them. The activation process includes the exchange of unique fingerprints between the Agent and the Manager. This ensures that only this Vulnerability Protection/Deep Security Manager (or one of its nodes) can send instructions to the Agent.

An Agent can be configured to automatically initiate its own activation upon installation. For details, see Command-Line Utilities.

To manually activate an Agent on a computer, right-click one or more selected computers and select Actions > Activate/Reactivate.

Create a Policy for a Windows laptop

Now that the Agents are activated, it's time to assign some rules to protect the computer. Although you can assign rules directly to a computer, it's more useful to create a Policy which contains these rules and which can then be assigned to multiple computers.

Creating the Policy will involve the following steps:

  1. Creating and naming the new Policy
  2. Setting which interfaces to monitor
  3. Setting the network engine to Inline Mode
  4. Assigning Firewall Rules (including some with location awareness) and enabling Stateful Inspection
  5. Assigning Intrusion Prevention Rules
  6. Assigning Integrity Monitoring Rules
  7. Assigning Log Inspection Rules
  8. Assigning the Policy to the computer

Creating and naming the New Policy

To create and name the new Policy:

  1. In the Policies section, click Policies in the navigation panel on the left to go to the Policies page.
  2. Click New in the toolbar to display the New Policy wizard.
  3. Name the new Policy "My New Laptop Policy" and select Base Policy from the Inherit from: menu. Click Next.
  4. The next page asks if you would like to base the Policy on an existing computer's current configuration. If you were to select Yes, you would be asked to pick an existing managed computer and the wizard would take all the configuration information from that computer and create a new Policy based on it. This can be useful if, for instance, you have fine-tuned the security configuration of an existing computer over a period of time and now wish to create a Policy based on it so that you can apply it to other functionally identical computers. For now, select No and click Next.
  5. The last page confirms that the new Policy has been created. Select the Open Policy Details on 'Close' option and click Close.

Setting which interfaces to monitor

To set which interfaces to monitor:

  1. Because you set the Open Policy Details on 'Close' option, the new Policy editor window is displayed.
  2. The laptops to which this Policy will be assigned are equipped with two network interfaces (a local area connection and a wireless connection) and we intend to tune the security configuration to take into account which interface is being used. Click Interface Types in the navigation panel and select the Rules can apply to specific interfaces option. Enter names for the interfaces and strings (with optional wildcards) which the Agent will use to match to interface names on the computer: "LAN Connection" and "Local Area Connection *", and "Wireless" and "Wireless Network Connection *" in the first two Interface Type areas. Click Save at the bottom right of the page.

Setting the network engine to Inline Mode

The Agent's network engine can operate Inline or in Tap Mode. When operating Inline, the live packet stream passes through the network engine. Stateful tables are maintained, Firewall Rules are applied and traffic normalization is carried out so that Intrusion Prevention Rules can be applied to payload content. When operating in Tap Mode, the live packet stream is cloned and diverted from the main stream. In Tap Mode, the live packet stream is not modified; all operations are carried out on the cloned stream.

For now, we will configure our Policy to direct the engine to operate Inline.

To set the network engine to Inline Mode:

  1. Still in the My New Laptop Policy editor, go to Settings and click on the Network Engine tab.
  2. Set the Network Engine Mode to Inline. By default, the setting should already be set to "Inherited (Inline)" since the Base policy default mode is Inline and your new Policy inherits its settings from there.

Assigning Firewall Rules (including some with location awareness) and enabling Stateful Inspection

To assign Firewall Rules:

  1. Click Firewall in the navigation panel and in the Firewall area of the General tab, select On from the Firewall State drop-down menu.
    Selecting "Inherit" will cause this setting on this Policy to be inherited from its parent Policy. This setting in the parent Policy may already be "On" but for now you will enforce the setting at the level of this Policy regardless of any parent Policy settings. For information on Inheritance, see Policies, Inheritance and Overrides.
  2. Now we will assign some Firewall Rules and Firewall Stateful Configuration rules to this Policy. Click Firewall Rules to display the list of available predefined Firewall Rules. (You can create your own Firewall Rules, but for this exercise we will select from the list of existing ones.) Select the following set of Firewall Rules to allow basic communication:
    • Allow Solicited ICMP replies
    • Allow solicited TCP/UDP replies
    • Domain Client (UDP)
    • ARP
    • Wireless Authentication
    • Windows File Sharing (This is a force-allow rule to permit incoming Windows File Sharing traffic.)
    Notice the gray down-arrow next to the Firewall Rule checkboxes. These appear if you have defined multiple interfaces in the previous step. They allow you to specify whether the Firewall Rule will apply to all interfaces on the computer or just to interfaces that you specify. Leave these at the default setting for now. Click the Save button.

We assigned a Firewall Rule that permits Windows File Sharing. Windows File Sharing is a very useful feature in Windows, but it has had some security issues. It would be better to restrict this ability to when the laptop is in a secure office environment and forbid it when the laptop is out of the office. We will apply Location Awareness to the Firewall Rule, as it is used in this Policy, to implement that restriction.

To implement location awareness:

  1. In the My New Laptop Policy editor, go to Firewall > General > Assigned Firewall Rules, right-click the Windows File Sharing Firewall Rule and select Properties.... This will display the Properties window for the Firewall Rule (but the changes we make to it will only apply to the Firewall Rule when it is applied as part of this new Policy).
  2. In the Properties window, click the Options tab.
  3. In the Rule Context area, select New... from the drop-down list. This displays the New Context Properties window. We will create a Rule Context that will only allow the Firewall Rule to be active when the laptop has local access to its Domain Controller. (That is, when the laptop is in the office.)
  4. Name the new Rule Context "In the Office". In the Options area, set the Perform check for Domain Controller connectivity option and select Local below it. Then click OK.
  5. Click OK in the Windows File Sharing Firewall Rule Properties window.

Now the Windows File Sharing Firewall Rule will only be in effect when the laptop has local access to its Windows Domain Controller. The Windows File Sharing Firewall Rule is now displayed in bold letters in the Policy Details window. This indicates that the Firewall Rule has had its properties edited for this Policy only.
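To make the interplay of Interface Types (the wildcard strings entered earlier) and the "In the Office" Rule Context concrete, here is an added, stand-alone illustration in Python. It is not Deep Security code and does not reproduce the Agent's real rule engine: it models a subset of the Policy's allow-type rules with an implicit deny, evaluates which rules are in force for a given adapter name and Domain Controller reachability, and answers whether a packet would pass. The Domain Controller address, the port numbers (SMB on TCP 139/445, domain client on UDP 53/88/389) and the `eapol` protocol label are assumptions made for the example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface Types exactly as defined in the Policy: type name -> the wildcard
# string the Agent matches against the adapter name.
INTERFACE_TYPES = {
    "LAN Connection": "Local Area Connection *",
    "Wireless": "Wireless Network Connection *",
}

# IP Lists (Policies > Common Objects > IP Lists). The address is constructed.
IP_LISTS = {
    "Domain Controller(s)": [ipaddress.ip_network("192.0.2.10/32")],
}


@dataclass(frozen=True)
class FirewallRule:
    name: str
    protocol: str                          # "tcp", "udp", "arp", "eapol"
    direction: str                         # "incoming" or "outgoing"
    ports: frozenset = frozenset()         # empty = any port
    remote_list: Optional[str] = None      # remote address must be in this IP List
    interface_type: Optional[str] = None   # None = applies to all interfaces
    context: Optional[str] = None          # None = always active


@dataclass(frozen=True)
class Environment:
    adapter: str                 # adapter name reported by the operating system
    dc_reachable_locally: bool   # outcome of the Domain Controller connectivity check


# Hypothetical subset of the Policy's allow-type rules; ports are assumptions.
POLICY = [
    FirewallRule("ARP", "arp", "incoming"),
    FirewallRule("Domain Client (UDP)", "udp", "outgoing",
                 ports=frozenset({53, 88, 389}), remote_list="Domain Controller(s)"),
    FirewallRule("Wireless Authentication", "eapol", "incoming",
                 interface_type="Wireless"),
    FirewallRule("Windows File Sharing", "tcp", "incoming",
                 ports=frozenset({139, 445}), context="In the Office"),
]


def interface_type(adapter: str) -> Optional[str]:
    """Return the Interface Type whose wildcard matches the adapter name, if any."""
    for type_name, pattern in INTERFACE_TYPES.items():
        if fnmatch.fnmatchcase(adapter, pattern):
            return type_name
    return None


def context_active(context: Optional[str], env: Environment) -> bool:
    """Evaluate a Rule Context; only the page's "In the Office" context is modelled."""
    if context is None:
        return True
    if context == "In the Office":
        return env.dc_reachable_locally
    raise ValueError(f"unknown rule context: {context}")


def effective_rules(policy, env: Environment):
    """Rules in force right now, after interface-type and context filtering."""
    itype = interface_type(env.adapter)
    return [
        r for r in policy
        if context_active(r.context, env)
        and (r.interface_type is None or r.interface_type == itype)
    ]


def in_ip_list(list_name: str, remote_ip: Optional[str]) -> bool:
    if remote_ip is None:
        return False
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in IP_LISTS[list_name])


def is_allowed(policy, env, protocol, direction, port=None, remote_ip=None) -> bool:
    """Implicit deny: traffic passes only if some effective rule allows it."""
    for r in effective_rules(policy, env):
        if r.protocol != protocol or r.direction != direction:
            continue
        if r.ports and port not in r.ports:
            continue
        if r.remote_list and not in_ip_list(r.remote_list, remote_ip):
            continue
        return True
    return False


if __name__ == "__main__":
    office = Environment("Local Area Connection 2", dc_reachable_locally=True)
    cafe = Environment("Wireless Network Connection 3", dc_reachable_locally=False)
    for env in (office, cafe):
        print(env.adapter, [r.name for r in effective_rules(POLICY, env)])
        print("  inbound SMB (445) allowed:", is_allowed(POLICY, env, "tcp", "incoming", port=445))
```

Running it shows inbound SMB accepted on the wired adapter with the Domain Controller locally reachable and refused on the wireless adapter away from the office, while Wireless Authentication is only in force on the wireless adapter. One caveat the example exposes: with `fnmatch` semantics the pattern "Local Area Connection *" does not match an adapter named plainly "Local Area Connection" (no trailing number). Whether the Agent's wildcard matching behaves the same way is not something this illustration can settle, so confirm the adapter names on a test laptop before relying on interface-specific rules.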

Location Awareness is also available for Intrusion Prevention Rules.

The final step in the Firewall section is to enable Stateful inspection.

To enable Stateful Inspection:

  1. Still in the My New Laptop Policy editor window, go to Firewall > General > Firewall Stateful Configurations.
  2. For the Global (All Interfaces) setting, select Enable Stateful Inspection.
  3. Click Save to finish.

Assigning Intrusion Prevention Rules

To assign Intrusion Prevention rules to the Policy:

  1. Still in the My New Laptop Policy editor window, click Intrusion Prevention in the navigation panel.
  2. On the General tab, in the Intrusion Prevention area, set the Intrusion Prevention State to On.
    Intrusion Prevention can be set to either Prevent or Detect mode when the Network Engine is operating Inline (as opposed to Tap Mode). Detect mode is useful if you are trying out a new set of Intrusion Prevention Rules and do not want to risk dropping traffic before you are sure the new rules are working properly. In Detect Mode, traffic that would normally be dropped will generate events but will be allowed to pass. Set Intrusion Prevention to "On".
    Note the Recommendations area. The Vulnerability Protection/Deep Security Agent can be instructed to run a Recommendation Scan. (On the Manager's Computers page, right-click a computer and select Actions > Scan for Recommendations.) The Recommendation engine will scan the computer for applications and make Intrusion Prevention Rule recommendations based on what it finds. The results of the Recommendation Scan can be viewed in the computer editor window by going to Intrusion Prevention > Intrusion Prevention Rules > Assign/Unassign... and selecting Recommended for Assignment from the second drop-down filter menu.
  3. For now, leave the Recommendations > Automatically implement Intrusion Prevention Recommendations (when possible): option set to Inherited (No).
  4. In the Assigned Intrusion Prevention rules area, click Assign/Unassign... to open the rule assignment window.
  5. Intrusion Prevention Rules are organized by Application Type. Application Types are a useful way of grouping Intrusion Prevention Rules; they have only three properties: communication direction, protocol, and ports. For our new laptop Policy, assign the following Application Types:
    • Mail Client Outlook
    • Mail Client Windows
    • Malware
    • Malware Web
    • Microsoft Office
    • Web Client Common
    • Web Client Internet Explorer
    • Web Client Mozilla Firefox
    • Windows Services RPC Client
    • Windows Services RPC Server
    Make sure the first two drop-down filter menus are showing All and that the third sorting filter menu is sorting By Application Type. It's easier to page through the Application Types if you right-click in the Rules list and select Collapse All. There are many Application Types (and Intrusion Prevention Rules), so you will have to use the pagination controls at the bottom right of the page to find them all, or use the search feature at the top right of the page. Select an Application Type by putting a check next to the Application Type name.
    Some Intrusion Prevention Rules are dependent on others. If you assign a rule that requires another rule to also be assigned (which has not yet been assigned) a popup window will appear letting you assign the required rule.
    When assigning any kinds of Rules to a computer, do not let yourself be tempted to be "extra secure" and assign all available rules to your computer. The Rules are designed for a variety of operating systems, applications, vulnerabilities and may not be applicable to your computer. The traffic filtering engine would just be wasting CPU time looking for patterns that will never appear. Be selective when securing your computers!
  6. Click OK and then Save to assign the Application Types to the Policy.
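Two points from the notes above are worth seeing in working code: that an Application Type is nothing more than a direction, a protocol and a set of ports which decide whether its rules are even consulted for a packet (which is why assigning every rule only burns CPU), and that Detect mode records the same events as Prevent mode but lets the traffic through. The following Python block is an added illustration, not Deep Security code or real Deep Security rule content: the two Application Types, their ports and the two signatures are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ApplicationType:
    name: str
    direction: str          # "incoming" or "outgoing", from the laptop's point of view
    protocol: str
    remote_ports: frozenset  # ports on the remote side of the connection (assumption)


@dataclass(frozen=True)
class IpsRule:
    rule_id: str
    application_type: str
    pattern: str            # regular expression applied to the normalized payload
    description: str


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_port: int
    payload: str            # already reassembled and normalized by the network engine


# Constructed Application Types: direction, protocol and ports only.
APP_TYPES = [
    ApplicationType("Web Client Common", "incoming", "tcp", frozenset({80, 8080})),
    ApplicationType("Mail Client Windows", "incoming", "tcp", frozenset({110, 143})),
]

# Constructed signatures (ids prefixed EX- to mark them as examples).
RULES = [
    IpsRule("EX-1001", "Web Client Common",
            r"Content-Type:\s*image/[^\r\n]*\r\n\r\n.*<script",
            "Script content in a response declared as an image"),
    IpsRule("EX-2001", "Mail Client Windows",
            r'filename="[^"]*\.(exe|scr)"',
            "Executable attachment name in a mail message"),
]


def applicable_rules(pkt: Packet) -> List[IpsRule]:
    """Only rules whose Application Type matches the packet's direction,
    protocol and remote port are evaluated at all."""
    names = {
        a.name for a in APP_TYPES
        if a.direction == pkt.direction
        and a.protocol == pkt.protocol
        and pkt.remote_port in a.remote_ports
    }
    return [r for r in RULES if r.application_type in names]


def inspect(pkt: Packet, mode: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (verdict, events). mode is "Off", "Detect" or "Prevent".
    Detect logs what Prevent would have dropped but still passes the packet."""
    if mode == "Off":
        return "pass", []
    if mode not in ("Detect", "Prevent"):
        raise ValueError(f"unknown mode: {mode}")
    events = []
    for rule in applicable_rules(pkt):
        if re.search(rule.pattern, pkt.payload, re.IGNORECASE | re.DOTALL):
            events.append((rule.rule_id, "dropped" if mode == "Prevent" else "detected"))
    verdict = "drop" if events and mode == "Prevent" else "pass"
    return verdict, events


# Constructed sample traffic.
BAD_IMAGE = Packet("incoming", "tcp", 80,
                   "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
                   "<script>/* not an image */</script>")
PLAIN_HTML = Packet("incoming", "tcp", 80,
                    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>")
BAD_MAIL = Packet("incoming", "tcp", 110,
                  'Content-Disposition: attachment; filename="invoice.exe"\r\n')

if __name__ == "__main__":
    for mode in ("Off", "Detect", "Prevent"):
        print(mode, inspect(BAD_IMAGE, mode), inspect(BAD_MAIL, mode))
```

Note that the same payload arriving from a port outside the Application Type's list is not inspected at all; that is the mechanism behind the advice to assign only the Application Types that actually apply to the laptop.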

Assigning Integrity Monitoring Rules

To assign Integrity Monitoring Rules to the Policy:

  1. Still in the My New Laptop Policy editor window, click Integrity Monitoring in the navigation panel.
  2. On the General tab, set Integrity Monitoring State to On.
  3. Set Automatically implement Integrity Monitoring Recommendations (when possible): to No.
  4. Now click Assign/Unassign... in the Assigned Integrity Monitoring Rules area.
  5. In the Search box at the top right of the page type the word "Windows" and press Enter. All the rules that apply to Microsoft Windows will be displayed in the rules list. Right-click one of the rules and choose "Select All", then right-click again and choose "Assign Rule(s)". This will assign all the rules that came up in the search result to the Policy.

Assigning Log Inspection Rules

To assign Log Inspection Rules to the Policy:

  1. Still in the My New Laptop Policy editor window, click Log Inspection in the navigation panel.
  2. Deselect Inherit and set Log Inspection to On.
  3. Set Automatically implement Log Inspection Rule Recommendations (when possible): to No.
  4. Now click Assign/Unassign... in the Assigned Log Inspection Rules area.
  5. Select the "1002792 - Default Rules Configuration" Rule (required for all other Log Inspection Rules to work), and the "1002795 - Microsoft Windows Events" rule. (This will log events any time Windows auditing functionality registers an event on the laptop.)
  6. Click OK and then Save to apply the rules to the Policy.

We are now finished editing the new Policy. You can now close the My New Laptop Policy Details window.

Edit the Domain Controller(s) IP List

Finally, since the new Policy includes three Firewall Rules that use the "Domain Controller(s)" IP List, we will have to edit that IP List to include the IP addresses of the local Windows Domain Controller.

To edit the Domain Controllers IP list:

  1. In the main window of the Vulnerability Protection/Deep Security Manager console, go to Policies > Common Objects > IP Lists.
  2. Double-click the Domain Controller(s) IP List to display its Properties window.
  3. Type the IP(s) of your domain controller(s).
  4. Click OK.

Apply the Policy to a Computer

Now we can apply the Policy to the computer.

To apply the Policy to the computer:

  1. Go to the Computers page.
  2. Right-click the computer to which you will assign the Policy and select Actions > Assign Policy....
  3. Choose "My New Laptop Policy" from the drop-down list in the Assign Policy dialog box.
  4. Click OK.

After clicking OK, the Manager will send the Policy to the Agent. The computer Status column and the Manager's status bar will display messages that the Agent is being updated.

Once the Agent on the computer has been updated, the Status column will read "Managed (Online)".

Configure SMTP Settings

Configuring the Vulnerability Protection/Deep Security Manager's SMTP settings allows email Alerts to be sent out to Users.

To configure SMTP settings:

  1. Go to Administration > System Settings and click the SMTP tab.
  2. Type the configuration information and click Test SMTP Settings to confirm that the Vulnerability Protection/Deep Security Manager can communicate with the mail server.
  3. Go to the Alerts tab.
  4. In the Alert Event Forwarding (From the Manager) section, type the default email address to which you want notifications sent.
  5. Click Save.

Whether a User gets emailed Alerts can be configured on that User's Properties window (Administration > User Management > Users). Whether a particular Alert generates emailed notifications can be configured on that Alert's Properties window.

Monitor Activity Using the Manager

The Dashboard

After the computer has been assigned a Policy and has been running for a while, you will want to review the activity on that computer. The first place to go to review activity is the Dashboard. The Dashboard has many information panels ("widgets") that display different types of information pertaining to the state of the Vulnerability Protection/Deep Security Manager and the computers that it is managing.

At the top right of the Dashboard page, click Add/Remove Widgets to view the list of widgets available for display.

For now, we will add the following widgets from the Firewall section:

  • Firewall Activity (Prevented)
  • Firewall IP Activity (Prevented)
  • Firewall Computer Activity (Prevented)

Select the checkbox beside each of the three widgets, and click OK. The widgets will appear on the Dashboard. (It may take a bit of time to generate the data.)

Note the trend indicators next to the numeric values in the Firewall Computer Activity (Prevented) and Firewall IP Activity (Prevented) widgets. An upward or downward pointing triangle indicates an overall increase or decrease over the specified time period, and a flat line indicates no significant change.

Logs of Firewall and Intrusion Prevention Events

Now drill down to the logs corresponding to the top reason for Denied Packets: in the Firewall Activity (Prevented) widget, click the first reason for denied packets. This will take you to the Firewall Events page.

The Firewall Events page will display all Firewall Events where the Reason column entry corresponds to the first reason from the Firewall Activity (Prevented) widget ("Out of Allowed Policy"). The logs are filtered to display only those events that occurred during the view period of the Dashboard (Last 24 hours or last seven days). Further information about the Firewall Events and Intrusion Prevention Events page can be found in the help pages for those pages.

For the meaning of the different packet rejection reasons, see:

Reports

Often, a higher-level view of the log data is desired, where the information is summarized and presented in a more easily understood format. Reports fill this role, allowing you to display detailed summaries on computers, Firewall and Intrusion Prevention Event Logs, Events, Alerts, etc. In the Reports page, you can select various options for the report to be generated.

We will generate a Firewall Report, which displays a record of Firewall Rule and Firewall Stateful Configuration activity over a configurable date range. Select Firewall Report from the Report drop-down. Click Generate to launch the report in a new window.

By reviewing scheduled reports that have been emailed by the Vulnerability Protection/Deep Security Manager to Users, by logging into the system and consulting the Dashboard, by performing detailed investigations by drilling down to specific logs, and by configuring Alerts to notify Users of critical events, you can remain apprised of the health and status of your network.
