About network traffic that can be managed with the LANDESK EPS Firewall

Version 6

    Verified Product Versions

    • LANDESK Management Suite 9.5
    • LANDESK Management Suite 9.6

    Environment

    • LANDESK Management Suite 9.x
    • LANDESK EPS Firewall

    Issue

    • The behaviour of the LANDESK EPS Firewall doesn't always seem to be consistent
    • Hosts added to the trusted scope should be whitelisted so that the device can communicate unrestricted (both incoming and outgoing) with these hosts, but that doesn't seem to be the case
    • A device with the LANDESK EPS Firewall installed is able to ping a host even though the host has been blocked in a connection rule
    • A device with the LANDESK EPS Firewall installed is able to browse network shares on a host even though the host has been blocked in a connection rule

    Cause

    • The LANDESK EPS Firewall does not filter the traffic on a device at the host level; it filters traffic at the application level. This means that processes run by the SYSTEM user and incoming/outgoing connections at kernel level are not controlled by the LANDESK EPS Firewall.
    • The ICMP (ping) protocol is not filtered
    • The SMB/CIFS client (network shares) is not blocked by default

    More about the LANDESK EPS Firewall

    What the LANDESK EPS Firewall controls are the user-started applications, according to the list defined in the "Trusted file lists" section of the EPS Settings.

    If the LANDESK EPS Firewall is set to Blocking, only the applications listed among the Trusted files are allowed to produce traffic inbound to and outbound from the device.

    The LANDESK EPS Firewall uses two zones:

    • Zone A: trusted scope (defined in the "trusted scope" list in the LANDESK Firewall settings)
    • Zone B: outside the trusted scope (hosts that are not in the "trusted scope" list)

    eps_trusted_file_list_firewall.png

    In the trusted file list, you can allow an application to:

    • Send/receive only to/from the trusted scope: Zone A
    • Send/receive to/from both the trusted scope and outside: Zone A+B

    eps_firewall_trusted_scope_zone_a.png

    In addition to this standard behaviour, you can add a specific rule to accept or drop a specific TCP/UDP connection to or from a specific address and port. A rule can also let the applications in the trusted file list bypass it, if you want to make sure that a trusted application won't be blocked.

    These rules, both when set to accept and when set to drop, work regardless of the application. This means, for instance, that if Internet Explorer is not in the trusted file list and we set a rule to allow traffic to TCP port 80, the browser will be able to browse the network (both Zone A and Zone B) via HTTP, but not via HTTPS.

    fw_settings_connection_rules.png

    All these configurations and rules are subject to the overriding rule that system processes and activities are not filtered.

    There is just one exception to this rule, regarding file sharing: it is possible to block the host from sharing files with others, configurable for Zone A and Zone B (the target device acting as an SMB/CIFS file server).

    These settings are in the LANDESK EPS Firewall General settings, File sharing section. They don't affect the behaviour of the device as an SMB/CIFS client.

    fw_settings_file_sharing.png

    The File Sharing checkboxes control whether the computer accepts (ACCEPT) inbound connections to its port 139 or 445.

    The first checkbox relates to trusted hosts (hosts whose IP address is within the trusted scope).

    The second one relates to hosts outside of the trusted scope.
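
    As an added illustration (not LANDESK code or documentation), the following Python model encodes the decision order described on this page: the File Sharing exception for inbound 139/445, the unfiltered SYSTEM/kernel and ICMP traffic, connection rules that apply regardless of the application unless bypassed by a trusted app, and the Zone A / Zone A+B trusted file list. The class, field and executable names, the 10.0.0.0/8 scope and the sample rules are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    proto: str                    # "tcp" or "udp"
    port: int
    host: "str | None" = None     # None = any address
    trusted_bypass: bool = False  # apps in the trusted file list skip this rule

@dataclass
class EpsFirewallModel:           # constructed model of the documented behaviour, not LANDESK code
    trusted_scope: list           # Zone A networks, e.g. ["10.0.0.0/8"]
    trusted_files: dict           # exe -> "A" (scope only) or "AB" (scope + outside)
    rules: list = field(default_factory=list)
    share_zone_a: bool = True     # File Sharing checkbox: accept 139/445 from Zone A
    share_zone_b: bool = False    # File Sharing checkbox: accept 139/445 from Zone B

    def zone(self, host: str) -> str:
        return "A" if any(ip_address(host) in ip_network(n) for n in self.trusted_scope) else "B"

    def decide(self, app, user, proto, port, host, direction="out") -> str:
        z = self.zone(host)
        # The one exception to "system traffic is unfiltered": inbound SMB/CIFS to this
        # device (file server role) follows the File Sharing checkboxes per zone.
        if direction == "in" and proto == "tcp" and port in (139, 445):
            return "allow" if (self.share_zone_a if z == "A" else self.share_zone_b) else "drop"
        if user == "SYSTEM" or app is None:   # SYSTEM processes / kernel-level traffic
            return "allow"
        if proto == "icmp":                   # ping is never filtered
            return "allow"
        trusted = z in self.trusted_files.get(app, "")   # "B" in "A" -> False, in "AB" -> True
        # Connection rules apply regardless of the application, unless a trusted app bypasses
        for r in self.rules:
            if r.proto == proto and r.port == port and r.host in (None, host):
                if trusted and r.trusted_bypass:
                    break
                return "allow" if r.action == "accept" else "drop"
        if trusted:
            return "allow"
        return "drop"                         # Blocking mode: untrusted app, no accept rule

def build_sample() -> EpsFirewallModel:
    """Constructed policy: scope 10.0.0.0/8, IE not trusted, accept TCP 80, drop 445 to one host."""
    return EpsFirewallModel(trusted_scope=["10.0.0.0/8"],
                            trusted_files={"agent.exe": "AB", "outlook.exe": "A"},
                            rules=[Rule("accept", "tcp", 80), Rule("drop", "tcp", 445, host="10.1.2.3")])
```

    The SYSTEM-user case shows why the drop rule on 445 does not stop the device browsing shares on 10.1.2.3, while the same rule does block a user-started process.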

     

    Information on Port 137:

    https://www.grc.com/port_137.htm

    Port 137 is considered the most dangerous port to have open: http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm

    Information on Port 445:

    https://www.grc.com/port_445.htm