About the OfficeScan Firewall
The OfficeScan firewall protects clients and servers on the network using stateful inspection and high performance network virus scanning. Through the central management console, you can create rules to filter connections by application, IP address, port number, or protocol, and then apply the rules to different groups of users.
You can also configure OfficeScan to update the Common Firewall Driver only after the computer restarts to prevent network interruptions.
You can enable, configure, and use the OfficeScan firewall on Windows XP computers that also have Windows Firewall enabled. However, manage policies carefully to avoid creating conflicting firewall policies and producing unexpected results. See the Microsoft documentation for details on Windows Firewall.
To ensure that this feature does not interfere with critical applications, OfficeScan leaves this feature disabled on server platforms. To enable this feature on a server computer, refer to Additional Service Settings.
The OfficeScan firewall includes the following key features and benefits:
The OfficeScan firewall filters all incoming and outgoing traffic, providing the ability to block certain types of traffic based on the following criteria:
Direction (inbound/outbound)
Protocol (TCP/UDP/ICMP)
Destination ports
Source and destination computers
The OfficeScan firewall filters incoming and outgoing traffic for specific applications, allowing these applications to access the network. However, network connections will depend on the policies set by the administrator.
The Certified Safe Software List provides a list of applications that can bypass firewall policy security levels. If the security level is set to Medium or High, OfficeScan will still allow the applications on the list to run and access the network.
Enable querying of the global Certified Safe Software List, a more complete list that Trend Micro updates dynamically.
This feature works with Behavior Monitoring. Ensure that you enable the Unauthorized Change Prevention Service and the Certified Safe Software Service before enabling the global Certified Safe Software List.
The OfficeScan firewall also examines each packet for network viruses. For details, see Network Virus.
The OfficeScan firewall gives you the ability to configure policies to block or allow specified types of network traffic. Assign a policy to one or more profiles, which you can then deploy to specified OfficeScan clients. This provides a highly customized method of organizing and configuring firewall settings for clients.
The OfficeScan firewall is a stateful inspection firewall; it monitors all connections to the client and remembers all connection states. It can identify specific conditions in any connection, predict what actions should follow, and detect disruptions in a normal connection. Therefore, effective use of the firewall not only involves creating profiles and policies, but also analyzing connections and filtering packets that pass through the firewall.
The OfficeScan firewall also includes an Intrusion Detection System (IDS). When enabled, IDS can help identify patterns in network packets that may indicate an attack on the client. The OfficeScan firewall can help prevent the following well-known intrusions:
Too Big Fragment: A Denial of Service Attack where a hacker directs an oversized TCP/UDP packet at a target computer. This can cause the computer's buffer to overflow, which can freeze or reboot the computer.
Ping of Death: A Denial of Service attack where a hacker directs an oversized ICMP packet at a target computer. This can cause the computer's buffer to overflow, which can freeze or reboot the computer.
Conflicted ARP: A type of attack where a hacker sends an Address Resolution Protocol (ARP) request with the same source and destination IP address to a computer. The target computer continually sends an ARP response (its MAC address) to itself, causing it to freeze or crash.
SYN Flood: A Denial of Service attack where a program sends multiple TCP synchronization (SYN) packets to a computer, causing the computer to continually send synchronization acknowledgment (SYN/ACK) responses. This can exhaust computer memory and eventually crash the computer.
Overlapping Fragment: Similar to a Teardrop attack, this Denial of Service attack sends overlapping TCP fragments to a computer. This overwrites the header information in the first TCP fragment and may pass through a firewall. The firewall may then allow subsequent fragments with malicious code to pass through to the target computer.
Teardrop: Similar to an overlapping fragment attack, this Denial of Service attack deals with IP fragments. A confusing offset value in the second or later IP fragment can cause the receiving computer's operating system to crash when attempting to reassemble the fragments.
Tiny Fragment Attack: A type of attack where a small TCP fragment size forces the first TCP packet header information into the next fragment. This can cause routers that filter traffic to ignore the subsequent fragments, which may contain malicious data.
Fragmented IGMP: A Denial of Service attack that sends fragmented IGMP packets to a target computer, which cannot properly process the IGMP packets. This can freeze or slow down the computer.
LAND Attack: A type of attack that sends IP synchronization (SYN) packets with the same source and destination address to a computer, causing the computer to send the synchronization acknowledgment (SYN/ACK) response to itself. This can freeze or slow down the computer.
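As an added illustration (not OfficeScan's own detection code, which is not published here), the following Python models the stateless and stateful checks behind the intrusion categories listed above, run over constructed packet records. The record field names, the 20-byte minimum first-fragment size and the SYN threshold are this example's own assumptions.

```python
# Added example, not OfficeScan code: heuristic detectors for the IDS categories above.
from collections import defaultdict

MAX_IP_LEN = 65535   # largest legal IP datagram; a fragment reaching past it is oversized
TCP_HDR_LEN = 20     # assumption: a first fragment shorter than this cannot hold a TCP header
SYN_LIMIT = 50       # constructed threshold: half-open SYNs to one host per window


class IDS:
    def __init__(self):
        self.frags = defaultdict(list)   # (src, dst, ip_id) -> [(start, end), ...] seen so far
        self.syns = defaultdict(int)     # dst -> SYN count in the current window

    def new_window(self):
        """Reset the SYN counters; the caller decides the window length."""
        self.syns.clear()

    def inspect(self, p):
        """Return the intrusion names triggered by one packet record (a constructed dict)."""
        hits = []
        proto, src, dst = p["proto"], p["src"], p["dst"]
        flags = p.get("flags", ())
        off, ln, more = p.get("frag_off", 0), p["length"], p.get("more_frags", False)
        if proto == "arp" and src == dst:                      # ARP request to itself
            hits.append("Conflicted ARP")
        if proto == "tcp" and "SYN" in flags and src == dst:   # SYN with identical endpoints
            hits.append("LAND Attack")
        if proto in ("tcp", "udp", "icmp") and off + ln > MAX_IP_LEN:  # reassembly too large
            hits.append("Ping of Death" if proto == "icmp" else "Too Big Fragment")
        if proto == "igmp" and (off > 0 or more):              # IGMP should not be fragmented
            hits.append("Fragmented IGMP")
        if proto == "tcp" and off == 0 and more and ln < TCP_HDR_LEN:  # header pushed to frag 2
            hits.append("Tiny Fragment Attack")
        if off > 0 or more:  # stateful: compare this fragment's byte range with earlier ones
            key = (src, dst, p.get("ip_id"))
            for start, end in self.frags[key]:
                if off < end and start < off + ln:
                    hits.append("Overlapping Fragment / Teardrop")
                    break
            self.frags[key].append((off, off + ln))
        if proto == "tcp" and "SYN" in flags and "ACK" not in flags:  # stateful: SYN rate
            self.syns[dst] += 1
            if self.syns[dst] == SYN_LIMIT + 1:   # report once when the threshold is crossed
                hits.append("SYN Flood")
        return hits
```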
The OfficeScan firewall sends a customized notification message to specified recipients when firewall violations exceed certain thresholds, which may signal an attack.
Grant client users the privilege to view their firewall settings on the OfficeScan client console. Also grant users the privilege to enable or disable the firewall, the Intrusion Detection System, and the firewall violation notification message.