- The behavior of the Ivanti EPS Firewall doesn't always seem to be consistent
- Hosts added to the trusted scope should be whitelisted so that the device can communicate without restriction (both incoming and outgoing) with these hosts, but that doesn't seem to be the case
- A device with the Ivanti EPS Firewall installed is able to ping a host even though the host has been blocked in a connection rule
- A device with the Ivanti EPS Firewall installed is able to browse network shares on a host even though the host has been blocked in a connection rule
- The Ivanti EPS Firewall is not able to filter the traffic on a device at the host level; it filters traffic at the application level. This means that processes run by the SYSTEM user and incoming/outgoing connections at kernel level won't be controlled by the Ivanti EPS Firewall.
- The ICMP (ping) protocol is not filtered
- The SMB/CIFS client (network shares) is not blocked by default
More about the Ivanti EPS Firewall
What the Ivanti EPS Firewall controls are the user-started applications, according to the list defined in the "Trusted file lists" section of the EPS settings.
If the Ivanti EPS Firewall is set to Blocking, only the applications listed among the Trusted files will be allowed to produce inbound and outbound traffic on the device.
The Ivanti EPS Firewall uses two zones:
- Zone A: trusted scope (defined in the "trusted scope" list in the LANDESK Firewall settings)
- Zone B: outside the trusted scope (hosts that are not in the "trusted scope" list)
In the trusted file list, you can allow an application to:
- Send/receive only from the trusted scope: Zone A
- Send/receive from/to both trusted scope and outside: Zone A+B
Beyond this standard behaviour, you can add a specific rule to accept or drop a specific TCP/UDP connection to or from a specific address and port. The rule can be set so that the applications in the trusted file list bypass it, if you want to make sure that a trusted application won't be blocked.
These rules, whether set to accept or drop, apply regardless of the application. For instance, if Internet Explorer is not in the trusted file list and a rule allows traffic towards TCP port 80, the browser will be able to browse the network (both Zone A and Zone B) via HTTP, but not via HTTPS.
All these configurations and rules are subject to the overriding rule that system processes and activities are not filtered.
There is just one exception to this rule, regarding file sharing: it is possible to block the host from sharing its files with others, configurable separately for Zone A and Zone B (the target device acting as an SMB/CIFS file server).
These settings are in the Ivanti EPS Firewall, General settings, File sharing section. They don't affect the behaviour of the device as an SMB/CIFS client.
The File Sharing checkboxes control whether connections into the computer's port 139 or 445 are accepted (ACCEPT).
The first checkbox relates to trusted hosts (hosts whose IP address is within the trusted scope).
The second one relates to hosts outside of the trusted scope.
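To make the behaviour described above concrete, the following is an added model of the decision order this article lays out; it is not Ivanti's code, and the class, field and process names are assumptions chosen for illustration. It evaluates, in this order: inbound 139/445 governed by the two File sharing checkboxes, any other activity run as SYSTEM (including the kernel SMB client) or over ICMP left unfiltered, connection rules applied regardless of application unless trusted files are set to bypass them, and finally the trusted-file zone check. The sample configuration reproduces the Internet Explorer port 80 example and the ping and network-share observations from the issue list.

```python
"""Model of the Ivanti EPS Firewall decision logic as described in this article.
Added illustration, not Ivanti's implementation; all names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SMB_PORTS = {139, 445}  # file-sharing ports named in the article


@dataclass
class TrustedApp:
    zones: str  # "A" = trusted scope only, "AB" = trusted scope and outside


@dataclass
class ConnectionRule:
    action: str                  # "accept" or "drop"
    proto: str                   # "tcp" or "udp"
    port: int
    host: Optional[str] = None   # None matches any remote address
    trusted_bypass: bool = False # trusted-file applications ignore this rule


@dataclass
class FirewallConfig:
    blocking: bool = True                                   # firewall set to Blocking
    trusted_scope: List[str] = field(default_factory=list)  # networks forming Zone A
    trusted_files: Dict[str, TrustedApp] = field(default_factory=dict)
    rules: List[ConnectionRule] = field(default_factory=list)
    share_to_zone_a: bool = True  # checkbox 1: accept inbound 139/445 from trusted hosts
    share_to_zone_b: bool = True  # checkbox 2: accept inbound 139/445 from outside


@dataclass
class Connection:
    process: str
    user: str            # "SYSTEM" models system/kernel activity
    direction: str       # "in" or "out"
    proto: str           # "tcp", "udp" or "icmp"
    remote: str
    port: Optional[int] = None


def zone_of(cfg: FirewallConfig, addr: str) -> str:
    ip = ip_address(addr)
    return "A" if any(ip in ip_network(n) for n in cfg.trusted_scope) else "B"


def decide(cfg: FirewallConfig, c: Connection) -> Tuple[str, str]:
    """Return (verdict, reason) for one connection under the article's rules."""
    z = zone_of(cfg, c.remote)
    # Inbound file sharing is the one system-level activity the firewall controls.
    if c.direction == "in" and c.proto == "tcp" and c.port in SMB_PORTS:
        allowed = cfg.share_to_zone_a if z == "A" else cfg.share_to_zone_b
        return ("accept" if allowed else "drop", f"file sharing checkbox for zone {z}")
    # System processes (including the kernel SMB client) and ICMP are not filtered.
    if c.user.upper() == "SYSTEM" or c.proto == "icmp":
        return ("accept", "system activity / ICMP is not filtered")
    trusted = cfg.trusted_files.get(c.process)
    # Connection rules apply to any application unless trusted files bypass them.
    for r in cfg.rules:
        if (r.proto, r.port) != (c.proto, c.port) or (r.host and r.host != c.remote):
            continue
        if r.trusted_bypass and trusted:
            continue
        return (r.action, f"connection rule {r.action} {r.proto}/{r.port}")
    if trusted:
        ok = z in trusted.zones
        return ("accept" if ok else "drop", f"trusted zones {trusted.zones}, remote in zone {z}")
    if cfg.blocking:
        return ("drop", "not in trusted file list while Blocking")
    return ("accept", "firewall not set to Blocking")


# Constructed sample configuration (addresses and process names are made up).
CFG = FirewallConfig(
    trusted_scope=["10.0.0.0/8"],
    trusted_files={"outlook.exe": TrustedApp("AB"), "lob.exe": TrustedApp("A")},
    rules=[
        ConnectionRule("accept", "tcp", 80),                              # any app may use HTTP
        ConnectionRule("drop", "tcp", 8443, host="10.1.1.50", trusted_bypass=True),
    ],
    share_to_zone_b=False,  # do not serve shares to hosts outside the trusted scope
)

if __name__ == "__main__":
    samples = [
        Connection("iexplore.exe", "alice", "out", "tcp", "203.0.113.10", 80),
        Connection("iexplore.exe", "alice", "out", "tcp", "203.0.113.10", 443),
        Connection("ping.exe", "alice", "out", "icmp", "10.1.1.50"),
        Connection("System", "SYSTEM", "out", "tcp", "10.1.1.50", 445),   # SMB client
        Connection("lob.exe", "alice", "out", "tcp", "10.1.1.50", 8443),  # bypasses drop
        Connection("srv", "SYSTEM", "in", "tcp", "203.0.113.10", 445),    # share to Zone B
    ]
    for s in samples:
        print(s.process, s.direction, s.proto, s.port, s.remote, "->", decide(CFG, s))
```

Reading the verdicts side by side is the practical point: the model shows why a drop rule for a host still leaves ping and share browsing working, because neither ICMP nor kernel-level SMB client traffic ever reaches the rule evaluation, while the File sharing checkboxes are the only control that touches system-level traffic, and only for inbound 139/445.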
Information on Port 137:
Port 137 is considered the most dangerous port to have open: http://www.iss.net/security_center/advice/Exploits/Ports/139/default.htm
Information on Port 445: