Trend Micro's PC-cillin Firewall Feature

One of many third-party antivirus/Internet security suites, Trend Micro's PC-cillin includes a personal firewall that you can use to protect the system. The PC-cillin suite combines a personal firewall, an antivirus engine, an antispyware engine, an antispam filter, and identity-theft protection that blocks phishing and pharming attacks. The product is aimed at home and small office users who want an all-in-one package against a wide variety of network threats. It is not really targeted at the enterprise, because centralized management and configuration are not available. This section covers only the firewall portion of the PC-cillin suite. Like Windows Firewall, the PC-cillin firewall is configurable and protects against a wide variety of network threats.

PC-cillin Requirements

Trend Micro's firewall supports Windows systems going all the way back to Windows 98 and 98 SE. Such backward compatibility is rare among personal firewalls, because vendors typically consider those systems too old to be worth supporting. Microsoft no longer supports Windows 98 or 98 SE, but you can still find these systems in use. PC-cillin requires systems to meet the specifications described in Table 4-2.
How the Trend Micro Firewall Works

The Trend Micro firewall is a blend of a traditional stateful firewall and an intrusion detection system (IDS). An IDS monitors the traffic in and out of the protected system for attacks and, upon detecting one, can alert the user. Most IDSs detect attacks by matching the network traffic against a signature of the attack. A signature is like a fingerprint: the IDS identifies an attack by matching the network traffic ("the evidence") against a known signature describing the attack ("the fingerprint"). When the traffic matches the signature, an attack has been detected. As with real evidence, however, this method is not foolproof and sometimes produces false positives. A false positive occurs when benign network traffic is mistakenly categorized as an attack and an alert is generated for the user.

A stateful firewall not only examines the various headers of a packet but also tracks each connection in a state table, so that it can tell whether an inbound packet belongs to an active connection. Most stateful firewalls, PC-cillin's included, can also dynamically open secondary ports for protocols that require more than one network port to complete a connection. PC-cillin's firewall additionally inspects packet contents using a rudimentary built-in IDS. Filtering decisions are based on defined rules as well as on the context that previous packets have established in the state table. The Trend Micro firewall comes with a preset series of policies that end users can modify to accommodate their specific requirements. The firewall can filter HTTP strings to prevent hybrid attacks such as Nimda and Code Red and to identify and stop Trojan attacks. Finally, the firewall uses its built-in IDS capabilities to identify and stop common attacks on firewalls, such as oversize packet fragments, the overlapping fragment attack, the ping of death, and others.
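The two detection techniques just described, fragment sanity checks and signature matching on HTTP request lines, are easy to see in code. The following is an added illustration written for this section, not Trend Micro code: the thresholds follow the IPv4 header format (a 16-bit total length, fragment offsets in 8-byte units), the HTTP patterns are an example signature set, and the fragments and request lines are constructed.

```python
"""Fragment checks and HTTP signature matching of the kind a host
firewall's built-in IDS performs (added example, not Trend Micro code)."""
from collections import defaultdict

MAX_DATAGRAM = 65535   # IPv4 total length is a 16-bit field
FRAG_UNIT = 8          # the fragment offset field counts 8-byte units


def check_fragments(fragments):
    """Classify every IP ID seen in `fragments`.

    Each fragment is (ip_id, frag_offset, more_fragments, payload_len).
    Verdicts: "ok", "oversize" (reassembly would exceed 65535 bytes, the
    ping-of-death condition) or "overlap" (a fragment covers bytes that an
    earlier fragment of the same datagram already supplied)."""
    by_id = defaultdict(list)
    for ip_id, offset, _more, length in fragments:
        start = offset * FRAG_UNIT
        by_id[ip_id].append((start, start + length))

    verdicts = {}
    for ip_id, spans in by_id.items():
        verdict, seen = "ok", []
        for start, end in spans:
            if end > MAX_DATAGRAM:
                verdict = "oversize"
                break
            if any(start < s_end and s_start < end for s_start, s_end in seen):
                verdict = "overlap"
                break
            seen.append((start, end))
        verdicts[ip_id] = verdict
    return verdicts


# Example signature set: request-line fragments used by Code Red
# (/default.ida?) and Nimda (/cmd.exe?, /root.exe?). This is an
# illustration of how a signature works, not Trend Micro's signature list.
HTTP_SIGNATURES = {
    "code-red-default.ida": b"/default.ida?",
    "nimda-cmd-exe": b"/cmd.exe?",
    "nimda-root-exe": b"/root.exe?",
}


def match_http(request_line):
    """Return the names of all signatures present in one HTTP request line."""
    return [name for name, pat in HTTP_SIGNATURES.items() if pat in request_line]


# Constructed fragments: (ip_id, offset, more_fragments, payload_len)
SAMPLE_FRAGMENTS = [
    (1, 0, 1, 1480), (1, 185, 0, 1480),    # normal two-fragment datagram
    (2, 0, 1, 1480), (2, 8191, 0, 1480),   # 65528 + 1480 bytes: ping of death
    (3, 0, 1, 1480), (3, 100, 0, 1480),    # second fragment restarts at byte 800
]

if __name__ == "__main__":
    print(check_fragments(SAMPLE_FRAGMENTS))
    print(match_http(b"GET /default.ida?NNNNNNNNNNNN HTTP/1.0"))
    # A legitimately hosted /tools/cmd.exe? would also match: a false positive.
    print(match_http(b"GET /tools/cmd.exe?help HTTP/1.0"))
```

Note that the signature matcher is exactly as good as its pattern list: a site that legitimately serves a URL containing `/cmd.exe?` trips the Nimda pattern, which is the false-positive case the text describes, and a worm variant that changes its request string slips past until the list is updated.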
Unfortunately, the IDS signatures are neither user updateable nor configurable. If Trend Micro determines that a new IDS signature is needed, users receive it only when Trend Micro incorporates that signature into a product update; they cannot write new signatures on their own.

Configuring the Trend Micro Firewall

Configuring the Trend Micro firewall is straightforward. When the firewall software, which is part of Trend Micro's PC-cillin Internet security suite, has been installed, open the main control panel. You can do this either by right-clicking the Trend Micro Internet security suite icon in the notification area at the lower right of the Windows taskbar and choosing Open Main, or by double-clicking the icon. Alternatively, choose Start > Programs > Trend Micro PC-cillin > Trend Micro PC-cillin Internet Security 2005. To verify that PC-cillin has registered properly with Windows XP's Security Center, choose Start > Control Panel > Windows Security Center, which brings up the Windows Security Center window displayed in Figure 4-10. From here you can see that the Trend Micro PC-cillin software has registered itself as both the firewall for the system (effectively disabling the built-in Windows Firewall) and the antivirus suite for the system.

Figure 4-10. Trend Micro PC-cillin Registration in Windows Security Center

When the Trend Micro Internet Security window is open, you can reach the firewall configuration controls by clicking the Firewall button near the lower right of the control panel, as shown in Figure 4-11.

Figure 4-11. Trend Micro Internet Security Window

From this window, you can modify the firewall profiles by clicking the Firewall Profiles button in the middle of the window. This opens the profile selection window shown in Figure 4-12.
In this window, users can enable or disable the firewall and choose the specific profile they want to apply. They can also add and configure a new profile if the default profiles do not meet their needs.

Figure 4-12. Trend Micro Firewall Profiles

The default profiles are an office network connection, a home network connection, a wireless network connection, and a direct connection to the Internet. Each profile carries its own set of exceptions to the firewall policy for various services. The office network, wireless network, and direct connection profiles each list exceptions for services such as HTTP, Secure Shell (SSH), DNS, and others; the home network profile has no preconfigured exceptions. Not all listed exceptions are active. By default, only NetBIOS (for Windows file sharing and printing) and the Windows Domain Services protocols are enabled in the office network and wireless network profiles. In the direct connection profile, these two services are disabled, but the AOL Connection service is enabled. It is up to the end user to enable additional exceptions in each profile. These profiles give the end user a quick way of allowing specific services in and out of the system. Unlike the Windows Firewall, the Trend Micro firewall deals only with services (ports), not programs. In practice, this means that programs that open dynamic listening ports (many instant messenger programs, for example) are hard to configure in the Trend Micro firewall, because the ports they use vary from session to session. To accommodate them, a whole range of ports has to be opened, which leaves the system more exposed than a per-program rule would. The Home Network profile is used for the configuration example that follows. When a profile has been selected, the security level needs to be set.
You can do this in the Firewall Profiles Editor window shown in Figure 4-13. To access it, select a profile in the Firewall Profiles panel and click the Edit button in the middle of the panel.

Figure 4-13. Trend Micro Firewall Security Level

The security level feature lets the end user adjust the overall protection the firewall provides. Three security levels are defined: Low, Medium, and High. The Low security level is intended for users who do not need a great deal of protection, such as those on a LAN considered secure, or home users who reach the Internet only through another device such as a Linksys router. This level allows both incoming and outgoing network traffic but blocks network viruses and other known threats through the firewall's rudimentary IDS capabilities. The Medium security level, designed for most users, including those on a wireless network or some sort of public LAN, blocks incoming traffic unless it is specifically listed in the exception list and allows all outgoing traffic unless it is specifically blocked in the exception list. It also blocks network virus attacks and other known threats, as the Low level does. Finally, the High security level blocks both incoming and outgoing traffic unless the profile's exception list specifically allows it. It blocks network virus attacks and other threats as the Medium and Low levels do, and in addition raises alerts for outgoing traffic. This level is meant for users who require a high degree of security, such as those directly connected to the Internet through an always-on broadband connection. To change the security level in the policy, open the Security Level tab in the Firewall Profiles window, as shown in Figure 4-13.
Slide the slider up (towards High) for greater security or down (towards Low) for less. By default, the slider is set to Medium, which is sufficient for most users. With the security level set, the next step is to define the exception list for the policy. Open the Exception List tab in the Firewall Profiles window. Remember that an exception allows a particular service into the system, or allows the system to reach a particular service outside the firewall. Because the Trend Micro firewall is stateful, common services such as DNS and DHCP work without exceptions: the system generates the initial traffic outbound, and the firewall knows to expect a response from the server. Which exceptions to add depends on what traffic should be allowed inbound to the system or, at the High security level, what traffic should also be allowed outbound from it. For example, exceptions for the Windows Domain Services and NetBIOS are often needed so that the system can authenticate to Windows domain controllers and participate in file sharing and printing on a Windows network. If a web server is running on the system, an exception should be added to allow other systems to reach the web server port. It all depends on the role of the system and on what software is installed on it. To add an exception to the firewall policy, click the Add button, as shown in Figure 4-14.

Figure 4-14. Trend Micro Firewall Exception List

This opens a new window where the details of the exception are entered: the protocol, the direction of traffic, the port number(s) the traffic uses, whether to allow or deny the traffic, and a name for the service. One final feature to review in Trend Micro's firewall is the Network Virus Emergency Center.
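The interaction between the security level, the exception list, and the state table is easier to reason about as a small model. The following is an added example written for this section, not Trend Micro's code. It assumes the semantics the text gives for Low, Medium, and High (including the High-level alerts on outbound traffic), that an exception names the service port (the local port for inbound traffic, the remote port for outbound), and that a flow this host opened admits the reply; the traffic and exceptions below are constructed.

```python
"""Model of profile-based stateful filtering with Low/Medium/High levels
(added example, not Trend Micro code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" (toward this host) or "out"
    local_port: int
    remote_ip: str
    remote_port: int

    @property
    def service_port(self):
        # Assumption: an exception names the service's own port, which is the
        # local port for inbound traffic and the remote port for outbound.
        return self.local_port if self.direction == "in" else self.remote_port


@dataclass
class ServiceException:
    name: str
    proto: str
    direction: str          # "in" or "out"
    ports: range            # a range, since dynamic-port programs need one
    action: str = "allow"   # or "deny"
    enabled: bool = True    # the default profiles ship most entries disabled


class ProfileFirewall:
    """Applies one profile: a security level plus an exception list."""

    def __init__(self, level, exceptions=()):
        if level not in ("low", "medium", "high"):
            raise ValueError(f"unknown security level {level!r}")
        self.level = level
        self.exceptions = list(exceptions)
        self.state = set()   # flows this host opened; their replies pass
        self.alerts = []     # High level alerts on every allowed outbound flow

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def _exception_action(self, pkt):
        for ex in self.exceptions:
            if (ex.enabled and ex.proto == pkt.proto
                    and ex.direction == pkt.direction
                    and pkt.service_port in ex.ports):
                return ex.action
        return None

    def decide(self, pkt):
        """Return 'allow', 'allow-established' or 'deny' for one packet."""
        flow = self._flow(pkt)
        if pkt.direction == "in" and flow in self.state:
            return "allow-established"       # reply to traffic we sent
        action = self._exception_action(pkt)
        if action is None:                   # fall back to the level's default
            if self.level == "low":
                action = "allow"
            elif self.level == "medium":
                action = "allow" if pkt.direction == "out" else "deny"
            else:
                action = "deny"
        if action == "allow" and pkt.direction == "out":
            self.state.add(flow)
            if self.level == "high":
                self.alerts.append(
                    f"outbound {pkt.proto}/{pkt.remote_port} to {pkt.remote_ip}")
        return action


# Constructed traffic: a DNS lookup, its reply, then an unsolicited
# connection attempt to a web server on this host.
DNS_QUERY = Packet("udp", "out", 1025, "192.0.2.53", 53)
DNS_REPLY = Packet("udp", "in", 1025, "192.0.2.53", 53)
HTTP_IN = Packet("tcp", "in", 80, "198.51.100.7", 40000)
TRAFFIC = (DNS_QUERY, DNS_REPLY, HTTP_IN)

WEB_SERVER = ServiceException("HTTP", "tcp", "in", range(80, 81))
DNS_OUT = ServiceException("DNS", "udp", "out", range(53, 54))


def run(level, exceptions=()):
    """Filter TRAFFIC under one profile; return (verdicts, alerts)."""
    fw = ProfileFirewall(level, exceptions)
    return [fw.decide(p) for p in TRAFFIC], fw.alerts


if __name__ == "__main__":
    for level, excs in (("low", ()), ("medium", ()), ("medium", [WEB_SERVER]),
                        ("high", ()), ("high", [DNS_OUT, WEB_SERVER])):
        print(level, [e.name for e in excs], run(level, excs))
```

Two things the model makes concrete: at Medium, the DNS reply passes without any exception because the query created a state entry, while the inbound web request is dropped until the HTTP exception is added; at High, even the outbound DNS query is dropped (and with it the reply, since no state was ever created) until an outbound DNS exception exists, and every allowed outbound flow produces an alert.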
To access the Network Virus Emergency Center, go back to the main window (Figure 4-11) and click the Network Virus Emergency Center button. This opens the window shown in Figure 4-15.

Figure 4-15. Trend Micro Network Virus Emergency Center

You can configure this part of the firewall to respond to a wide variety of network viruses, as shown in the list in the middle of the window. The response is limited to one of two possibilities: a pop-up window indicating that the firewall has responded to a detected virus, or severing the network connection entirely upon detection. The second option lets the firewall stop the spread of a virus or worm immediately upon detection, at the cost of taking the system offline.

Trend Micro Firewall Features

Like the Windows Firewall, the Trend Micro firewall is a stateful firewall that keeps track of outbound packets and allows the corresponding inbound response packets to reach the host. In addition, the firewall security level can easily be set to one of the predefined levels, Low, Medium, or High. Coupled with the IDS and antivirus features in PC-cillin, the firewall can identify and stop a network virus or worm before it damages the underlying host operating system and spreads to other systems.

Trend Micro Firewall Checklist

As with the Windows Firewall, you must configure several features depending on the system's role in the network. One key difference is that the Windows Firewall should be disabled. Fortunately, the Trend Micro Internet security suite installer checks the status of the Windows Firewall before installing the Trend Micro product to ensure that no conflict exists between the two firewalls. You can use the following checklist to help ensure that the Trend Micro firewall settings are appropriate for a given system:
After you have answered these questions, you can appropriately configure the firewall for the system.