OfficeScan: Intrusion Defense Firewall – Trend Micro



Hello, my name is Kevin Sparks. I’m an engineer with Trend Micro, and today I’m going to be giving you a quick demo of our Intrusion Defense Firewall plug-in to our OfficeScan product. This is an additional demo, the precursor to which is the main OfficeScan demonstration video. So I’m going to bring up the Intrusion Defense Firewall interface, and that’s down here in our plug-in manager area. I simply click on ‘Manage Program,’ and this brings us to the dashboard of what we call the IDF console. This is where all of the security events detected by IDF are presented in graphical form. There are various widgets that I [xx] can either add or remove depending on which features of the Intrusion Defense Firewall I’m using. If I click on ‘Add or Remove,’ which is in this upper right-hand corner, I’m presented with a list of options that I can choose from, and this just helps me make better use of the real estate on my screen, so I’m not having to look at things that aren’t important to me. So I can choose from firewall graphs and charts to Deep Packet Inspection, which we’ll get into in a few minutes. Maybe I want to know about reconnaissance scans going on in my network. I’ve got a variety of things to choose from here.

But let’s talk about the firewall, because first and foremost that is what the IDF is all about. It’s an endpoint [xx] firewall, and it comes with a number of rules that allow you to pick and choose what traffic you want to allow or block on your network, and you also have the ability to write your own rules. So if you see something you need that is not in this list, you can either import from an existing file or you can create a new rule from the ground up.

You just give it a quick name and then choose the direction of traffic, whether that’s incoming or outgoing, and what action you want to take on the traffic: whether that’s allow; bypass, meaning ignore it; deny; or force allow, which means it’s always going to be pushed through regardless of other restrictions that might be in place. Determine your frame type and your protocol, so maybe this might be an IP rule based on TCP traffic or ICMP traffic, possibly UDP. Again, just depending on what your needs are. If there are any specific flags that you need to set, we’ll go ahead and select TCP here, and I can either do an N/A flag or I can identify specific flags that I am interested in. Once I’ve defined the content of the rule, I can assign it certain options, either alert options or schedules, meaning this rule is only active at certain times. And then I assign it what we call a security profile. A security profile is actually a group of machines that have something in common, whether that be a platform or a business function, perhaps a location. You can see that we have profiles here set up for Windows XP, Windows 7, and another for our laptops. This allows me to assign rules to multiple computers without having to do individual assignments, which is actually one of the bigger problems with endpoint-based firewall and IDS systems and makes them very difficult to manage, and this simplifies that a great deal.

In addition to the firewall, excuse me, this is the firewall, there is the Deep Packet Inspection module, and this actually enhances the firewall a great deal, because it turns what is normally a traffic cop directing cars into the guy with a flashlight who is inspecting the inside of the car as it passes by, making sure that there’s nothing in there that’s untoward or unsafe. And that’s exactly what Deep Packet Inspection is doing. It’s actually examining the contents of the packets coming through the firewall, in addition to all the other checks going on, to make sure there’s nothing in there that’s going to harm your computer. You can put this in prevent or detect mode, and then you can come down here into DPI rules, and you have all sorts of application folders that you can choose from. Anything from instant messengers to mail clients, to remote login types of applications: Radmin, SSH and Telnet. And again, you can create your own, just like you can with the other rules that we talked about. There are several different rules for different browsers, and then we get into our intrusion detection and intrusion prevention capabilities. This is where we’re actually doing signature-based IDS and IPS to make sure the network traffic that we detect is safe. There’s a variety of rules here that you can choose from, and again you can write your own if there’s something that you need that’s not in here. You simply come up to ‘New,’ you can click on ‘New DPI Rule’ or ‘Import From File,’ and then you tell it the application type (you can also define your own application types if you want), and then your priority, whether this is high-priority traffic or low priority. And if you want this to be in detect only, then you can check that option as well. If you want, you can base the rule on a signature, or you can base it on a certain [xx] pattern, whether that be a start or end pattern, and then custom XML programming, if you prefer to do it that way as well. Assign it to a security profile, and then you are finished with creating that rule.

One of the easiest ways to assign rules to your security profiles that I’ve found is to actually do it from the profile itself. So I select the group of machines that I want to make the rule change to. For example, I’m going to select Windows 7 here, and then I simply come into the firewall rule area or the DPI rule area, select the rules that I want, and then as soon as I hit the save button in the lower corner, those rules will be automatically applied to the machines that I’ve selected.

So that is a quick demo of our IDF. It’s a plug-in to OfficeScan, and it really goes a long way to enhancing your security [xx] beyond the antivirus capabilities of OfficeScan. Now we are able to offer [xx] inspection firewall. We also have a virtual patching function that is part of Deep Packet Inspection, and this is useful in two ways, because the recommendation scan will look at the configuration of your computers, look at the software that’s installed, and suggest a base set of rules to apply to the machines in your environment. This ensures that configuring and deploying the product is efficient and easy, and it takes a lot of the guesswork out of what rules you need to block the traffic that needs to be blocked while allowing valid business traffic. We also do virtual patching, and this is critical, because the virtual patching will look at missing Microsoft and third-party patches, and it will deploy policies to mimic the functionality of the missing patch. This is important because a large number of virus and malware infections actually happen as a result of unpatched machines, so by using our virtual patching feature you have the time that you need to properly test and deploy the patches while staying safe from the latest vulnerabilities. If you have more questions about the IDF, then you can contact a Trend Micro sales representative or customer service, or get more information from www.trimmicro.com.