Protecting a local server from local applications

Can CIS protect a local server from being used by unauthorized applications? Imagine a web proxy that accepts requests, sends them to the internet, reads responses and forwards the responses to the original applications (standard proxy behavior).

My problem is, I want only selected applications to access the server, all other applications must be prevented from doing it. To follow my proxy example above, I want Internet Explorer and Firefox to be able to use the proxy, but I most certainly don’t want spyware to do the same (after reading proxy information from IE’s registry keys, for example).

With my current firewall which allows mixing application and global rules, it is easy. I set up my rules in this fashion:

  1. Server - allow internet access
  2. Server - allow listening to local traffic on port P
  3. Permitted application 1 - allow access to localhost:P
  4. Permitted application 2 - allow access to localhost:P
  5. All applications - deny access to localhost:P
  6. Other application rules, including “allow access everywhere to application 3”

As far as I can tell, this is not possible with CIS because applications and global rules are processed separately and I can’t go back and forth between them (in the scheme above, I can make rules 1-5 but not 6, because 4-5 was a switch from application to global rules and 5-6 would require a switch from global rules to application rules). I expect there must be a different way of solving this issue in CIS, then, but what is it?

Hi. A couple of things. First, in theory you don’t actually need to use Global rules at all, however, doing so makes things somewhat easier and I’m not sure what the problem would be in the set-up you have outlined above.

To understand that, you have to understand how rules are processed by CIS firewall. The easiest way to explain that is by taking a section from the on-line help. [see attached]

Second and perhaps more importantly, it sounds from your description, that you are running the firewall on a server, if so I’d need to know the platform OS?

[attachment deleted by admin]

I don’t? How would I do that? The Network Security Policy won’t allow me to add a rule unless an application path is filled in.

however, doing so makes things somewhat easier and I'm not sure what the problem would be in the set-up you have outlined above.
The problem would be that that setup is impossible to achieve. Consider a simplified situation where my computer is a part of a local network and many of its components need access to this LAN (Windows sharing, for example). Also, many programs work through local sockets (e.g. a service listens on a specific port and its UI controls it using TCP communication to this port). For these reasons it is almost necessary to have a global rule along the lines of "allow all applications to communicate to localhost/local-lan"; it is theoretically possible to create separate rules for every single application, but it gets impractical very quickly.

Unfortunately, this global rule also means that if I want to prevent an application from some communication, I need to use a higher-priority application-specific rule that says so. Which is fine if my goal is to “prevent application X from communication Y”, but my need is the opposite - I need to “prevent all applications except X from communication Y”. Now I have yet to see a firewall which allows this kind of rule, but in some firewalls (those that allow mixing global and application rules) it can be done by a sequence of two rules: 1:“allow application X to communication Y”, 2:“prevent all applications from communication Y”.

To understand that, you have to understand how rules are processed by CIS firewall. The easiest way to explain that is by taking a section from the on-line help.
That's exactly the image I am referring to, which shows that I [b]can't[/b] mix global and application rules, that one group is treated all at once before the other group is treated, also all at once.
Second and perhaps more importantly, it sounds from your description, that you are running the firewall on a server, if so I'd need to know the platform OS?
I am running Windows XP. But this issue is not server-specific, it will appear on ANY computer that runs ANY kind of server application. Many server applications can reasonably be expected to run on client computers (e.g. web proxy, spam proxy, VPN, possibly a local mail server), and if you happen to be a developer, all your computers will likely be [b]infested[/b] with various server software (database and webserver come to mind).

I think you have to separate the functionality of Application and Global rules. With Application Rules you specify what an application can and cannot do. With Global Rules you are simply deciding what to allow in and what to block.

Take for example a browser, for it to be able to connect with a web server, it would, at the very least, require an application rule that allowed that [insert preferred browser here] to connect OUT on TCP 80 to a given Domain Name. It doesn’t, however, need a Global Rule for outbound permission as by default all communication is allowed out, but only where a specific Application Rule exists. It also doesn’t need a Global rule to allow inbound communication as this is a classic response to a request that is handled by all SPI firewalls in the same way.

If, on the other hand, we had a web server for which we need to allow inbound connectivity, then we would need to open a port in Global rules and in addition, have an Application rule to deal with the processing of the request.

Coming back to your earlier rules:

1) Server - allow internet access

Create an Application Rule.

2) Server - allow listening to local traffic on port P

Create an Application Rule and a corresponding inbound Global Rule

3) Permitted application 1 - allow access to localhost:P

4) Permitted application 2 - allow access to localhost:P

Create Application Rules

5) All applications - deny access to localhost:P

Create Application Rules

6) Other application rules, including "allow access everywhere to application 3"

Create Application Rules

If I am misunderstanding your intentions, perhaps you could post a specific example with some actual rules

Apparently there’s a terminological difference between our respective use of “global” and “application”. When talking about “application rule”, I mean a rule which is specific to one application. When talking about “global rule”, I mean a rule which is applied to all applications. In a rule list, the first matching rule with a final verdict (“accept” or “reject”) is used and further processing stops. This is a common behavior among rule-based firewalls.

I am not quite sure what you mean by “application rule” and “global rule”. It seems to me that you consider application rules as one level of protection and global rules as another level of protection. A packet is first checked against application rules and if the verdict is “accept”, it is also checked against matching global rules, and only if “accept” is reached* is the packet allowed to go to the net. The same is done with an inbound packet, though in a different order. Correct me if I am wrong.

*) Here it’s not clear whether a final verdict is copied from the first matching rule or whether all matching rules must return “accept” for the verdict to be “accept”. That is, if I had two global rules A=“accept outbound connections to port 80” and B=“deny outbound connections to host google.com” and I had a packet to google.com:80, would the result be:
a) always reject regardless of rule order (because one rule returns “reject”)
b) accept if rules’ order is A,B (because rule “A” return “accept” and that stops further processing)
c) reject if rules’ order is B,A (because rule “B” return “reject” and that stops further

5) All applications - deny access to localhost
Create Application Rules
How? I would have to write one rule for every single file (!!! - you can run any file, no matter what extension it has) on my computer. Every time I connect a USB disk, I would have to add rules for every file on that disk. Every time any application creates a file, I would have to add a rule for that file. The list of rules would be monstrous, even if it was at all possible to create and maintain it.
If I am misunderstanding your intentions, perhaps you could post a specific example with some actual rules
OK. Imagine that I am on a slow metered line (mobile phones come to mind) and need to minimize data transfers. So I install a HTTP proxy server to do caching of pages. This proxy server needs to access the internet:
#1: Allow "CachingProxy.exe" outbound TCP to remote-port=80

It also needs to listen to local requests:

#2: Allow "CachingProxy.exe" inbound TCP from remote-addr=localhost to local-port=3128

(One application rule would be enough with most firewalls. With CIS, I would apparently need an additional global rule of ‘Allow inbound TCP from remote-addr=localhost to local-port=3128’, which is an annoyance, but can be handled.)

Now I need to set up my browsers to use that proxy (using their own network setups) and let them pass through firewall:

#3: Allow "Firefox.exe" outbound TCP to remote-addr=localhost remote-port=3128
#4: Allow "Iexplore.exe" outbound TCP to remote-addr=localhost remote-port=3128
...

Which is all fine, browsers now work through proxy as intended. The only problem is that if a malware got installed into my computer, it could read the registry of Internet Explorer and discover that IE uses proxy server localhost:3128. Then it could connect to localhost:3128 and gain access to the internet through my proxy. I don’t want that, so I need to prevent it somehow. I am trying to find how to do it with CIS.

With some other firewalls, the solution is simple: In the list of rules I would place the above rules at the beginning and immediately follow them with another rule:

#5: Deny "*.*" outbound TCP to remote-addr=localhost remote-port=3128

Then I could write any rules I like, including “allow access to loopback to any adapter”, because those rules would be tested only if none of the rules above them yielded a result (either “accept” or “reject”). If a malicious software tried to connect to my proxy, it would get stopped by rule #5 as the first matching rule.

Apparently there's a terminological difference between our respective use of "global" and "application". When talking about "application rule", I mean a rule which is specific to one application. When talking about "global rule", I mean a rule which is applied to all applications. In a rule list, the first matching rule with a final verdict ("accept" or "reject") is used and further processing stops. This is a common behaviour among rule-based firewalls.

I am not quite sure what you mean by “application rule” and “global rule”. It seems to me that you consider application rules as one level of protection and global rules as another level of protection.

It’s not a matter of protection, it’s a matter of processing logic. Application rules apply to applications and Global rules apply to protocols and ports. However, one may also apply the term ‘global’ when implementing an application rule that has an effect on all other application rules.

A packet is first checked against application rules and if the verdict is "accept", it is also checked against matching global rules, and only if "accept" is reached* is the packet allowed to go to the net. The same is done with an inbound packet, though in a different order. Correct me if I am wrong.

Correct.

*) Here it's not clear whether a final verdict is copied from the first matching rule or whether all matching rules must return "accept" for the verdict to be "accept". That is, if I had two global rules A="accept outbound connections to port 80" and B="deny outbound connections to host google.com" and I had a packet to google.com:80, would the result be:
a) always reject regardless of rule order (because one rule returns "reject")
b) accept if rules' order is A,B (because rule "A" return "accept" and that stops further processing)
c) reject if rules' order is B,A (because rule "B" return "reject" and that stops further

First match is accepted, further processing stops.

5) All applications - deny access to localhost

Create Application Rules

How? I would have to write one rule for every single file (!!! - you can run any file, no matter what extension it has) on my computer. Every time I connect a USB disk, I would have to add rules for every file on that disk. Every time any application creates a file, I would have to add a rule for that file. The list of rules would be monstrous, even if it was at all possible to create and maintain it.

Only files that require network access would be processed by the firewall engine. For those applications that you wish to restrict, you could create a predefined rule, which could be applied more easily than manually creating individual rules. Also, once you have your firewall rule hierarchy correctly configured, you can place a final block rule with logging. This would prevent any additional applications from connecting without first meeting your approval.

If you have a server process that listens for unsolicited requests, then you will need to open a port in Global Rules. The other alternative, is, as I mentioned before, to remove all Global rules and perform all firewall rule processing via Application rules.

Personally, having used the firewall in this configuration for some considerable time, I wouldn’t recommend it. It requires a far greater amount of work.

Which is all fine, browsers now work through proxy as intended. The only problem is that if a malware got installed into my computer, it could read the registry of Internet Explorer and discover that IE uses proxy server localhost:3128. Then it could connect to localhost:3128 and gain access to the internet through my proxy. I don't want that, so I need to prevent it somehow. I am trying to find how to do it with CIS.

With some other firewalls, the solution is simple: In the list of rules I would place the above rules at the beginning and immediately follow them with another rule:

#5: Deny "*.*" outbound TCP to remote-addr=localhost remote-port=3128

Then I could write any rules I like, including “allow access to loopback to any adapter”, because those rules would be tested only if none of the rules above them yielded a result (either “accept” or “reject”). If a malicious software tried to connect to my proxy, it would get stopped by rule #5 as the first matching rule.

If you are using the firewall without Defense+ then you will need additional rules to cater for that eventuality. If, however, you have D+ installed, then any potential malware would be captured and you would receive an appropriate alert, obviating the need for overly complex rules.

Without D+ you would be able to reproduce the configuration outlined above with firewall rule processing.

Indeed. But any file in a computer can potentially fall among “files that require network access”. Think of a malware which creates a new file with a random filename and executes it using CreateProcess. This new file will pass through any predefined list of deny rules, unless I have a deny rule which is not application-specific.

If you have a server process that listens for unsolicited requests, then you will need to open a port in Global Rules. The other alternative, is, as I mentioned before, to remove all Global rules and perform all firewall rule processing via Application rules.
That's not the point. While it is, IMHO, a needless annoyance to write two rules for a single application, it can be done quite easily. It doesn't influence my problem in any way. Just assume that the CachingProxy.exe is correctly set up to receive connections from the local computer.
If you are using the firewall without Defense+ then you will need additional rules to cater for that eventuality. If, however, you have D+ installed, then any potential malware would be captured and you would receive an appropriate alert, obviating the need for overly complex rules.
I am not satisfied with this solution. It would depend on Defense+ correctly identifying malware. I much prefer a solution that stops all applications except those I explicitly allow.
Without D+ you would be able to reproduce the configuration outlined above with firewall rule processing.
Again, how? I would much appreciate an example config for CIS, because I don't see a way to do it. I want a setup where:
  • applications A and B can connect to CachingProxy.exe which runs on localhost
  • no other application can connect to CachingProxy.exe
  • all applications have access to all other localhost resources

Just checked out what Defense+ does.

I don’t want to (and indeed can’t) use something like that on my computer. I am looking for a solution at network level, not at application level.

If you are not using D+ or any other HIPS based application, then you’ll have to do everything in the firewall.

As the firewall rules are hierarchical, create your allow rules at the top. Create a policy for applications that are not allowed and place that below. Finally use the all applications policy to stop everything else accessing localhost.

I am sorry to keep repeating myself, but how am I supposed to do that? There’s an infinite number of these applications that are not allowed to access CachingProxy.exe but at the same time are allowed to access other local resources. It must be solved with global rules, but I just don’t see how. Could you please suggest me a ruleset that would work for my simplified situation?

  1. Allow application A to localhost:3128
  2. Allow application B to localhost:3128
  3. Prevent all other applications from localhost:3128
  4. Allow all local network access (in and out)

I know how to do 1, 2 and 4 in CIS. I have no idea how to do 3.

Create your first two rules and place them at the top of application rules. For number 3 create something similar to the following:

In firewall application rules:

Select Add/Select/File Groups/All applications
Add allow rules here…
Block localhost:3128…

Place this below the first two. Add your fourth rule at whatever point is appropriate.

This is far from ideal as you are grouping virtually everything under one umbrella. I’d suggest you take a serious look at D+, this is after all a security suite and the components are designed to work together to provide the best protection.
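A way to check the ordering argument behind the ruleset above, as an added example that is not from this thread or from Comodo: a small Python model of first-match application-rule processing (application rules checked top to bottom, first matching rule decides, no match falls through to block). The executable names, the `ALL_APPS` stand-in for the "All Applications" file group and the constructed sample connections are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ALL_APPS = "*"  # stands in for the "All Applications" file group (assumption)
LOCALHOST = "127.0.0.1"


@dataclass(frozen=True)
class Rule:
    app: str                 # exe name, or ALL_APPS
    action: str              # "allow" or "block"
    remote_addr: Optional[str] = None   # None = any address
    remote_port: Optional[int] = None   # None = any port


@dataclass(frozen=True)
class Conn:
    app: str                 # outbound TCP connection attempt by this exe
    remote_addr: str
    remote_port: int


def matches(rule: Rule, c: Conn) -> bool:
    return (rule.app in (ALL_APPS, c.app)
            and rule.remote_addr in (None, c.remote_addr)
            and rule.remote_port in (None, c.remote_port))


def verdict(rules: List[Rule], c: Conn) -> str:
    """First matching rule decides; later rules are never consulted.
    No matching rule falls through to block (assumed default for this model)."""
    for rule in rules:
        if matches(rule, c):
            return rule.action
    return "block"


# The ruleset proposed in the thread: rules 1-2 at the top, the
# All Applications block on localhost:3128 below them, general local access last.
PROPOSED = [
    Rule("Firefox.exe", "allow", LOCALHOST, 3128),   # rule 1
    Rule("Iexplore.exe", "allow", LOCALHOST, 3128),  # rule 2
    Rule(ALL_APPS, "block", LOCALHOST, 3128),        # rule 3 (file group)
    Rule(ALL_APPS, "allow", LOCALHOST, None),        # rule 4 (other local resources)
]

# Same rules with 3 and 4 swapped: the broad allow now shadows the block.
MISORDERED = [PROPOSED[0], PROPOSED[1], PROPOSED[3], PROPOSED[2]]

# Constructed sample connections: two browsers, a never-seen executable, and
# a normal localhost connection to a port other than the proxy's.
SAMPLES = [
    Conn("Firefox.exe", LOCALHOST, 3128),
    Conn("Iexplore.exe", LOCALHOST, 3128),
    Conn("x7f3q.exe", LOCALHOST, 3128),     # unknown file, not in any rule
    Conn("x7f3q.exe", LOCALHOST, 445),      # unrelated local resource
]


def decide_all(rules: List[Rule]) -> List[str]:
    return [verdict(rules, c) for c in SAMPLES]


if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED), ("misordered", MISORDERED)):
        print(name, list(zip([c.app for c in SAMPLES], decide_all(rules))))
```

Run with the rules in the proposed order, the unknown executable is blocked on port 3128 but still reaches other localhost ports; with rules 3 and 4 swapped it reaches the proxy, which is why the position of the All Applications block relative to the general local-access rule is the whole point.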

THAT’S what I needed! Yes, with File Groups it is quite obvious how to do what I need to do. Thanks!

Though it does raise more questions:

  1. What is the content of predefined groups? Executables are obvious, but the rest can mean anything and everything.
  2. Can I modify the groups and possibly create my own?

File groups are part of D+, that’s where they’re defined…

As far as I’m aware ‘All Applications’ are exactly that, everything.

Not all of them. Or I can’t find them.

Btw., when installing, I specifically chose the version of CIS without D+.

They’re under ‘my protected files’ option in D+