The Barracuda Personal Firewall


Overview

If you already have firewall administration experience and knowledge of the Barracuda Personal Firewall, you may continue reading on the Configuring Personal Firewall Rules on the Barracuda NG Control Center [1] page.

The Barracuda Personal Firewall is a lighter version of the Barracuda NG Firewall especially designed for client usage. Nevertheless, most configuration options of the Barracuda NG Firewall are available. When connected to an Access Control or via VPN, the Barracuda Personal Firewall can accept rule sets sent from the Barracuda NG Firewall (depending on the client license in use).

Open the configuration screen of the Barracuda Personal Firewall by right-clicking the VPN Status icon in the system tray and selecting Personal Firewall from the context menu. You can also use the Windows start menu by browsing to Start > All Programs > Barracuda Network Access Client > Personal Firewall.

The context menu of the system tray icon lets you select one of the following functional firewall modes:

Block All
Barracuda Networks Secure Mode
Disable Firewall (Allow all Traffic)

The active operational mode is selected. To change the mode, click another item in the menu. You must not directly switch from Disable Firewall (Allow all Traffic) to Block All. Always select Barracuda Networks Secure Mode as an intermediate step.

Each rule in a Barracuda Personal Firewall rule set is constructed from a variety of configuration entities (s, Networks, s, s, Users), which can be created and maintained independently from the rule set itself. They are then pieced together into a logical formation. Each configuration entity may be accessed from the Configuration sub-menu in the left navigation bar.

The Configuration section of the Barracuda Personal Firewall complements the automatic configuration mechanisms made available by the Firewall Settings Wizard in the Administration section (see Firewall Settings Wizard [2]). It allows you to:

Create rules from scratch in the Rules [3] view.
Modify objects and rules that have been created automatically through settings in the Administration view (see the Firewall Settings Wizard [4]).
Modify objects and rules that have been created in the History [5] view by selecting Add Pass/Block > Traffic Policy from the context menu.

Firewall administration experience is required to manipulate the Barracuda Personal Firewall manually.

Integration with Windows 7's Intrusion Control

The Barracuda Personal Firewall integrates with Windows 7's intrusion control system. If configured to do so in Firewall Settings > Firewall Settings > Disable Windows Firewall, it will properly replace the built-in Windows firewall as long as it is enabled. Disabling the Barracuda Personal Firewall will automatically re-enable the Windows firewall. You can view the current protection status in your Windows 7 system within Control Panel > System and Security > Windows Firewall and within Control Panel > System and Security > Action Center.

Rule Set Selection

Click Rule Set Selection to select one of the available rule sets for viewing. The Local Rule Set is selected by default. Only the Local Rule Set may be edited in the Barracuda Personal Firewall. To learn about configuring centrally managed Personal Firewall rule sets on the Barracuda NG Firewall, see the Configuring Personal Firewall Rules on the Barracuda NG Control Center [6] page.

User Interface

The graphical user interface of the Barracuda Personal Firewall consists of the following items:

Menu Bar (General Firewall Settings and Tasks)

The following configuration items of the Barracuda Personal Firewall are accessible via the menu bar (use the ALT key to open or close the menu bar):

Firewall: Navigate to Firewall Menu [7] for more information.
View: Navigate to View Menu [8] for more information.
Security Mode: Navigate to Security Mode Menu [9] for more information.
Help

Firewall Menu

Save Configuration: Select this item to save configuration changes immediately. Click the Save Configuration link within the configuration item bar to save configuration changes after a confirmation prompt.

Settings

Select this item to adjust the general behavior of the Barracuda Personal Firewall. The following parameters are available for configuration:

Firewall Settings Tab

Configure various firewall settings here.

Firewall Settings > Protocol Option
Log dropped packets, Log successful connections: Select these checkboxes to activate logging for dropped packets and / or successful connections. The log line structure is illustrated below.

Firewall Settings > Protocol File
File name: Path and name of the VPN client log file. By default, the file is saved to: C:\Program Files\BarracudaNG\phlog.txt
Size limit: Maximum size for the log file (default: 4096 KByte).

Firewall Settings > Network Object
IP Monitor: Selecting this checkbox (default: selected) activates the dynamic updating of network objects (see Networks [10]).
Automatic Assignment: Selecting this checkbox (default: selected) activates the dynamic updating of network interface adapters. If active, network adapters are automatically added to the Objects configuration area as soon as they are used for the first time (see s [11]).

Firewall Settings > Firewall Settings
Disable Windows Firewall: Selecting this checkbox disables the Windows firewall if it is installed (default: selected).
This computer is an ICS gateway (e.g. allow PAN): For security reasons, the client prevents the workstation from acting as an ICS gateway. PAN devices will be ignored unless this checkbox is selected (default: not selected).
Block all IP Fragments: By default, IP fragments are generally allowed to pass the firewall notwithstanding the configured rule set. Select this checkbox to block IP fragments.
Passthru all IPv6 Packets: By default, IPv6 packets are generally allowed to pass the firewall notwithstanding the configured rule set. Select this checkbox to block IPv6 packets.

ICMP Parameters Tab

Configure the blocking of ICMP packets here.

Export Firewall Rule Set...: This item allows you to export the rule set from the Barracuda Personal Firewall to a text file.
Import Firewall Rule Set: This item allows you to import a rule set into the VPN client. The rule set may either originate from another Barracuda Personal Firewall or from a firewall configured on a Barracuda NG Firewall.
Close Firewall Window: Selecting this item closes the Barracuda Personal Firewall configuration window.

View Menu

DCERPC List Status of each DCERPC communication slot. For detailed information concerning DCERPC, see the Barracuda NG Firewall [12] documentation.
Access Control Server IPs: Displays every Access Control Server the client knows of.

Security Mode Menu

The items in the Security Mode menu allow you to adjust the security level of the Barracuda Personal Firewall.

Block All: Prohibit all traffic.
Disable Firewall (Allow All Traffic): Turn the firewall off and allow all traffic.
Barracuda Networks Secure Mode: Activate customized firewall rule sets.
Process Monitor: Generate an entry in the Events [13] monitor for every process initiation.

Load Display

The load display is a graphical view of current incoming and outgoing connections. The dimensions of the graphs depend on the current peak load. The last graph (Block) depicts the number of blocked connections.

Live Activity - Monitoring Firewall Activities

Items arranged in the Live Activity view give a review of application activities in the Barracuda Personal Firewall. The Live Activity view is divided into the following sub-items:

Summary: Navigate down to the next section below this item list.
Events: Navigate to Events [14] for more information.
History: Navigate to History [15] for more information.
Live Activity: Navigate to Live Activity [16] for more information.

This view gives a quick comparison overview of the 5 most used Ports, Active Internet, and Blocked s.

Events

The Events view details all applications that are currently or have been executed on the machine, respectively if they have requested passing the firewall. Double-click a list entry to view event details. Select Reload Logs from the context menu to reload the display of logged entries. The listing is divided into the following columns:

Event View Details
Column Date Action Parent Access Date and time the connection has been initiated at. Type of the recorded action: System Information, Monitored connection, or Informational message. The application that initiated the connection and assigned the port over which the connection is processed. Parent process that initiated the application. Status and direction assigned to the connection. An application can either be in Process started or Process ended state, and the connection direction can either be Outbound or Inbound. User The user object assigned to the connection (see also: Users [17]). Object Full path to the application that is responsible for the connection.

Filter Section

The Filter section allows you to define filters in order to narrow down the view in the event listing. Select the checkbox assigned to an item to activate the filter and select or insert the desired filter value. Click Refresh to apply the filter settings.

History

The History view details the entire network traffic, that is, established connections and connection attempts, that appeared since the last system boot.

Listing and Context Menu

The listing is divided into the following columns:

History Window Details
Column Direction Connection State Date/Time Protocol Port User Traffic Policy Info Count Last AID Flags the connection direction (Incoming icon, Outgoing icon). Flags the connection state (Granted connections icon, Blocked connection attempts icon, Failed connection attempts icon). Date and time of traffic initiation. Name of the application. Protocol assigned to the application. IP of the connection. IP of the connection. Connection port. Name of the user who has initiated the connection attempt. Name of the effective firewall rule. Connection status (passed, blocked, failed). Total number of connections processed over this slot. Time that passed since the last traffic activity over this slot. Affected service object or UUID (Universal Unique IDentifier). NIC that was used for connection. Unique Access ID of the connection.

Select and then right-click a list entry to display the following context menu:

Show Details: Select Show Details or double-click a list entry to view a summary of connection details.
Resolve / IP: Tries to resolve the source and destination IP addresses and summarizes the results (port, IP address, hostname and description) in a separate window.
Send to Rule Tester: Inserts the connection details into the rule tester and opens the rule tester window.
Add Pass Rule: Inserts the connection details into a new rule with default action Pass and opens the rule object window for editing.
Add Block Rule: Inserts the connection details into a new rule with default action Block and opens the rule object window for editing.
Flush History: Clears all entries from the history listing.
Ungroup: Undoes the Group by command and sorts the connection entries into a successive listing.
Group by: Groups list entries by the selected item.

History Selection Tab

In the History Selection tab, the following checkboxes are available for fast and easy filtering.

Access: Only displays connections that have been granted (marked with a green dot).
Rule Block: Only displays connection attempts that have been blocked (marked with a red square).
Fail: Only displays connection attempts that have failed (marked with an exclamation mark icon).
Show all Ethernet protocols: Additionally displays connection attempts over protocols other than TCP, UDP and ICMP.
Show Hostnames: Translates IP addresses into hostnames, if possible.

After each selection change, click the refresh arrows icon to refresh the view. Click the Group History by link to sort listing entries by topic.

History Filter Tab

In the History Filter tab, filter conditions can be set to confine the view to the minimum wanted number of entries. If filters apply, the History Filter tab is highlighted in yellow. Select the checkbox on the right side of an available filter to activate it and insert the condition to apply.

Policy Filter the connection's traffic policy. Filter the source IP address of the connection. Filter the application which has attempted to connect. In/Out Filter incoming or outgoing connections. Protocol Filter a connection protocol. Filter the destination IP address of the connection. Port Filter a connection port. Show matching entries / Hide matching entries Toggle between displaying and hiding the matching entries.

Live Activity

The Live Activity view details all currently active connections.

Listing and Context Menu

The listing is divided into the following columns:

Live Activity Window Details
Column Direction Load Date/Time Protocol Port Flags the connection direction (Outgoing connections icon, Incoming connections icon). Displays the current connection load using a bar graph. Date and time of traffic initiation. name and its PID (Process ID). Protocol assigned to the application. IP address of the connection. IP address of the connection. Connection port.

User: Name of the user who has initiated the connection attempt.
Traffic Policy: Name of the effective firewall rule.
bps: Connection load in bits per second.
Idle: Idle time of the connection.
Total: Total amount of traffic summarized from incoming (In column) and outgoing (Out column).
Start: Time that has passed since the connection's initiation.
Affected service object or UUID (universal unique identifier).
ID: Internal slot ID.
Session Timeout: Effective connection state or current session timeout value.

Select and right-click a list entry to display the following context menu:

Show Details: Select Show Details or double-click a list entry in order to view a summary of the connection's details.
Disconnect: Terminates the selected connection.
Resolve / IP: Tries to resolve the source and destination IP addresses and summarizes the results (port, IP address, hostname and description) in a separate window.

Entries displayed in italic indicate closed connections waiting for RST-ACK (reset acknowledgement). The RST-ACK must be awaited in order to avoid it being blocked by the firewall.

Filter Conditions

Click the Filter button to open the Filter Condition window. This allows you to specify filter conditions in order to confine the view to the minimum wanted number of entries. Click Activate to activate the filter settings. Click Disable to deactivate the filter settings. After having specified a filter, click Refresh to refresh the view.

Click Capture to record traffic processed over the network interface. Administrator rights are required to use the Capture option. The data acquired is saved as a .cap file in the local folder of the VPN client (usually C:\Program Files\BarracudaNG). A special viewer is needed for viewing network traffic recorded in .cap files. You may, for example, use Wireshark for this purpose; it is downloadable from [18].

Current State - Setting the Security Mode

Clicking the link below the appropriate navigation item changes the effective state of the Barracuda Personal Firewall. The current state is depicted by one of the following icons and links respectively:

Disabled

By default (after a fresh installation), the firewall is in disabled state. Click the link to enable the secure mode.

Secure

The secure firewall mode is active. Click the link to deactivate any impacts of the configured rule set.

Configuration

Usually, the configuration of the firewall is directly made at the server (see the Configuring Personal Firewall Rules on the Barracuda NG Control Center [19] page).

General

In Windows Vista, if an item named Increase permissions appears in the Configuration sub-menu, as illustrated in the figure below, you have no access to the configuration. In this case, contact your system administrator to have editing enabled.

Rules

The Rules view allows manual rule configuration. Rules controlling incoming traffic are arranged in the Incoming tab, rules controlling outgoing traffic are arranged in the Outgoing tab. See the figure below for an example.

See the Configuring Personal Firewall Rules on the Barracuda NG Control Center [20] page to learn how to configure centrally managed rule sets on a Barracuda NG Firewall using Barracuda NG Admin. Personal Firewall rule sets are not capable of RCS.

Context Menu

Select and right-click a list item to display the following context menu:

Show Addresses: Opens a window displaying all source addresses affected by the selected rule.
Show Addresses: Opens a window displaying all destination addresses affected by the selected rule.
Show s: Opens a window displaying all services affected by the selected rule.
Show s: Opens a window displaying all applications affected by the selected rule.
Show s: Opens a window displaying all adapters affected by the selected rule.
Show Users: Opens a window displaying all users affected by the selected rule.

Select Overlapping: As a connection request can match several conditions, the succession of the rules within a rule set is very important. If rules are in an erroneous sequence, they might interfere with one another. The Select Overlapping function is meant to help avoid configuration mistakes. When applied to a selected rule, all rules possibly interfering with it are highlighted. In the majority of cases, the overlap is a harmless outcome of the use of very openly defined objects such as the InterNet object.
Edit: Opens the rule configuration dialog for the selected rule (see Rule Configuration [21]).
New: Opens the rule configuration dialog for a new rule (see Rule Configuration [22]).
Delete: Deletes the selected rule(s).
Copy: Copies the selected rule(s) into the clipboard.
Paste: Pastes the selected rule(s) out of the clipboard.

Button Bar

In the button bar, the Up and Down buttons shift the selected rule up or down within the rule set. Alternatively, you can drag and drop rules within the rule set.

As with a regular Barracuda NG Firewall rule set, the Barracuda Personal Firewall rule set is processed in sequence until an applicable rule is found. Therefore, to achieve correct rule processing, rules need to be arranged in the correct order.

Rule Configuration

Select New from the context menu in order to create a new rule. Configure the following connection details in the Rules view of the Rule Object window:

Rules > Rule Object > Options
Action: Select Pass to enable a connection request, or select Block to prevent it.
Name: Insert a rule name into this field.
Comment: For easier identification, insert a rule description (optional).
Inactive checkbox: Select the Inactive checkbox to disable a rule (default: unselected).
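The in-sequence processing and the Select Overlapping check described above can be modelled in Python to see why rule order matters. This is an added example, not Barracuda code: the Rule fields, the rule names and the addresses are constructed assumptions, and matching is reduced to destination network, port and protocol.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified rule: the real product also matches adapter, application and user."""
    name: str
    action: str                 # "Pass" or "Block"
    dest: str                   # destination network in CIDR notation
    ports: frozenset            # destination ports; empty set means any port
    protocol: str = "TCP"
    inactive: bool = False      # mirrors the Inactive checkbox

    def net(self):
        return ipaddress.ip_network(self.dest)

    def matches(self, ip, port, protocol):
        return (not self.inactive
                and protocol == self.protocol
                and ipaddress.ip_address(ip) in self.net()
                and (not self.ports or port in self.ports))


def evaluate(rules, ip, port, protocol="TCP"):
    """Walk the rule set top to bottom; the first applicable rule decides."""
    for rule in rules:
        if rule.matches(ip, port, protocol):
            return rule.name, rule.action
    return None, None           # no rule applies; what happens then is not modelled


def overlaps(a, b):
    """True if at least one connection could match both rules."""
    if a.protocol != b.protocol:
        return False
    ports_meet = not a.ports or not b.ports or bool(a.ports & b.ports)
    return ports_meet and a.net().overlaps(b.net())


def select_overlapping(rules, selected):
    """Names of all other rules that possibly interfere with the selected one."""
    return [r.name for r in rules if r is not selected and overlaps(r, selected)]


def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule covers the later one
    completely, so the later rule can never be reached."""
    result = []
    for index, rule in enumerate(rules):
        for earlier in rules[:index]:
            if earlier.inactive or earlier.protocol != rule.protocol:
                continue
            net_covered = rule.net().subnet_of(earlier.net())
            ports_covered = (not earlier.ports
                             or (bool(rule.ports) and rule.ports <= earlier.ports))
            if net_covered and ports_covered:
                result.append((rule.name, earlier.name))
                break
    return result


# Constructed sample rule set. "Allow-Web" uses a /0 destination, comparable to
# the very openly defined InterNet object mentioned in the text.
RULES = [
    Rule("Allow-Web", "Pass", "0.0.0.0/0", frozenset({80, 443})),
    Rule("Block-Lab-Web", "Block", "10.20.0.0/16", frozenset({443})),
    Rule("Allow-DNS", "Pass", "10.0.0.53/32", frozenset({53}), protocol="UDP"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.20.1.5", 443))        # the Block rule is never reached
    print(select_overlapping(RULES, RULES[1]))
    print(shadowed(RULES))
    fixed = [RULES[1], RULES[0], RULES[2]]          # move the Block rule up
    print(evaluate(fixed, "10.20.1.5", 443))
```

An overlap on its own is often harmless; the pairs returned by shadowed() are the ones worth reviewing, because the later rule has no effect until it is moved above the rule that covers it.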
A minimum specification of the following connection details is mandatory in the sections below: / / or / / or / /

Always take into consideration that modifying an object is a global action. For example, any other rule using the specific object will be affected by the modification. This applies only for referenced objects, not for objects of the type. Explicit objects are only available for the current rule.

Rules > Rule Object > Options > Sections

/ (optional) User (optional) / / / / User /

Specify an adapter for the connection request. In the list, all objects that have been defined in the window are available (9.8.3 s, page 110). Right-click the window below the list and select New to create a new object. Double-click an available entry to edit the assigned object.

Specify a source for the connection request. In the list, all Network objects that have been defined in the Networks window are available (9.8.4 Networks, page 112). Select to define a Network object explicitly without adding it to the Network Objects listing. Right-click the source window below the list and select New to create a new Network object. Double-click an available entry to edit the assigned Network object.

Specify a service for the connection request. In the list, all objects that have been defined in the s window are available (9.8.5 s, page 114). Select to define a network object explicitly without adding it to the Objects listing. Right-click the source window below the list and select New to create a new object. Double-click an available entry to edit the assigned object.

Specify an application for the connection request. In the list, all objects that have been defined in the window are available (9.8.6 s, page 116). Select to define an application object explicitly without adding it to the Objects listing. Right-click the source window below the list and select New to create a new Object. Double-click an available entry to edit the assigned object.

Specify a user for the connection request. In the list, all User objects that have been defined in the User window are available (9.8.7 Users, page 119). Select to define a user object explicitly without adding it to the User Objects listing. Right-click the source window below the list and select New to create a new User Object. Double-click an available entry to edit the assigned User Object.

Continue on Mismatch (default): Process the rule, even if the corresponding object does not match the configured setting.
BLOCK on Mismatch: Do not process the rule if the corresponding object does not match the configured setting.

Configure the following connection details in the Advanced view of the Rule Object window:

Edit/Create Rule Object > Options > Rule Mismatch Policy
/ / / / User /
Continue on Mismatch (default): Process the rule even if the corresponding object does not match the configured setting.
BLOCK on Mismatch: Do not process the rule if the corresponding object does not match the configured setting.

Edit/Create Rule Object > Options > Miscellaneous

Time Restriction: A time restriction can be assigned to each rule. The granularity is one hour on a weekly basis. A rule is allowed at all times by default, that is, all checkboxes in the Time Interval window are cleared. Selecting a checkbox denies a rule for the given time. Select (set invert) from the list to configure allowed and disallowed time intervals simultaneously. Select (set allow) from the list to clear selected checkboxes. Select (set deny) from the list to configure disallowed time intervals. Select Continue if Mismatch to process the rule even if the time restriction denies it. Select Block if Mismatch to prevent rule processing if the time restriction denies it (default).

Monitor Connections Yes No s

The example figure below this table shows a time interval setting for a rule which has been set to disallowed on all days from 8 a.m. to 5 p.m.

The s view allows you to view and configure network adapters available on the system. s may be employed in firewall rules, in order to restrict rule processing to a specific adapter or a set of adapters only. The listing contains the following columns:

Object View
Name: Name of the adapter object.
Referenced by: Number of references pointing to the adapter object.
Status: Current connection status of the adapter object (connected, disabled or multi).
IP s: IP addresses and / or references assigned to the adapter object.
Trust: Trust type assigned to the adapter object (trusted or untrusted).
Comment: Optional adapter object description.

In the Objects view, several dynamic adapter objects (flagged with the icon) are preconfigured. Dynamic objects are updated at runtime when adapter configuration changes and cannot be edited manually. In order for this to work, Automatic Assignment must be selected in the Firewall Menu [23].

The following objects (assigned with status multi) are available:

[Dial-up]: This object summarizes all dial-up adapters available on the system (e.g. UMTS, ISDN, and modem cards).
[Ethernet]: This object summarizes all Ethernet adapters available on the system (e.g. LAN devices).
[Wireless]: This object summarizes all wireless adapters available on the system (e.g. WLAN cards).

s available on the system are automatically assigned to the appropriate adapter object with status type multi. These objects may be used to construct abstract rule sets, for example, to configure a rule blocking access to all available dial-up or wireless adapters.

The following further adapter objects are available:

[Network Connection name] (for example, Local Area Connection): These are the LAN devices available on the system. The Network Connection name is retrieved from the Microsoft Windows Network Connections view (available through Start > Control > Network Connections). The "logical" Microsoft Windows name, which is dependent on the operating system's language version, not the device name, is applicable for object naming.
VPN: This is the virtual interface of the Barracuda VPN connection.

To create a new adapter object, click New in the Objects window. The following options are available:

Edit/Create Object
Parameter Name Comment Trust Type Status IPs Ref Networks Specify a name for the adapter object. Optionally, insert an adapter description. Select Trusted to add a reference to the adapter object to the network object that has been defined as Trusted Network [24] in Administration > Firewall Settings. If you do not want to create a reference, then select Untrusted. When later changing the setting from Trusted to Untrusted, the reference to the adapter object is automatically deleted from the Trusted Network object. References to Untrusted adapter objects must not be added to the Trusted Network object manually. Displays the connection status of the adapter object. Read-only. The IP addresses assigned to the adapter object. Read-only. Network adapter you wish to create the adapter object for. Click New to add your selection to the list. Network reference you wish to create the adapter object for. Click New to add your selection to the list.

The Networks view facilitates IP address/network management. Use the Networks window to assign names to single IP addresses or to combine several IP addresses, networks, or references into networking objects. For clearly arranged network management, use references to network objects rather than explicit IP addresses when configuring firewall rule sets.

In the Network Objects window, a number of dynamic network objects (flagged with the icon) are preconfigured. Dynamic objects are updated at runtime with network configuration changes. They cannot be edited manually.

For dynamic updating to work, Automatic Assignment must be selected in the Firewall Settings [25].

localip: The localip object contains all IP addresses that are configured on trusted adapters as well as a reference to the Net-Broadcast object.
virtualip: The virtualip object contains the IP address assigned from the VPN server. The virtual IP address is only available while VPN connections are established.
Net-[Network Connection name]: These objects contain the network addresses of each specific adapter available on the system. The Network Connection name is retrieved from the Microsoft Windows Network Connections view (available within Start > Control > Network Connections). The "logical" Microsoft Windows name, depending on the operating system's language version, but not the device name, is applicable for object naming. Net-[Network Connection name] objects may be used for setup of abstract rule sets.
InterNet: The InterNet object may be used for outbound connections to the Internet (the /0 network).
TrustedNet: Use the TrustedNet object to refer to trustworthy networks. The content of this object is dependent on assignment of an adapter as trusted or untrusted (see s [26]). If an adapter is specified as trusted, the IP addresses living on it are added to the TrustedNet object. Vice versa, they are deleted from it as soon as trust assignment changes to untrusted. The TrustedNet object is also updated when the IP address configuration of a trusted adapter changes.
Net-NGVPN: The Net-NGVPN object contains the address of the network the virtualip object is living in. Secured routes are assigned to the Net-NGVPN object.
Net-Broadcast: This object contains the broadcast addresses of IP addresses configured on trusted adapters. The broadcast addresses are calculated directly from the IP addresses.
Net-Multicast: This object includes the multicast network /16.

Click New to open the Net Object dialog. Insert a Name and a for the Net Object in order to later identify it easily.

In the Entry section, insert IP and network address(es) of the new Net Object and/or specify a Reference to the Net Object, for example select an existing Net Object to refer to a new one. The Excluded Entry section allows excluding specific networks from a network object. For transparency and consistency reasons there are no references available in this section.

s

The s window facilitates port and protocol management. Use the s window for assigning ports and protocols to specific services and for merging multiple services to one Object using references. Properties of Objects are described in detail in Objects [27].

The following services are available in the Barracuda Personal Firewall by default:

Barracuda Personal Firewall s (Name, Port, Protocol, Connection)

ICMP, Out / In: Internet Control Message Protocol. ICMP messages, delivered in IP packets are used for out-of-band messages related to network operation, or misoperation.
DNS, 53, TCP/UDP, Out: Domain Name. Method by which the Internet addresses in mnemonic form (e.g., are converted into the equivalent numeric IP address (e.g., ).
BOOTPS, 67, UDP, Out: Bootstrap protocol. Also used for DHCP (Dynamic Host Configuration).
Kerberos, 88, TCP/UDP, Out: Protocol for authentication in Windows 2000 environments.
NTP, 123, UDP, Out: Network Time Protocol. Used to synchronize the time of a computer client or server with another server or a reference time source.
LOC-SRV/EPMAP, 135, TCP, Out
NETBIOS-NS, 137, UDP, Out / In
NETBIOS-DGM, 138, UDP, Out / In
NETBIOS-SSN, 139, TCP, Out / In
NetBIOS. Very common protocol. It is supported on both Ethernet and TokenRing. In NetBIOS, TCP and UDP communication is supported. It supports broadcasts and multicasting plus three distinct services: naming, session, and datagram.
SNMP, 161, UDP, Out: Simple Network Management Protocol. A network management system contains two primary elements: manager (console to perform network management functions) and agents (entities interfacing to the actual managed device). SNMP allows managers and agents to communicate.
LDAP, 389, TCP/UDP, Out: Lightweight Directory Access Protocol. A set of protocols for accessing information directories.
CIFS, 445, TCP, Out / In: An advancement of the SMB protocol. It serves as an addition and improvement to FTP and HTTP.
MSTASK, 1026, TCP, Out: Windows Task Scheduler. Used to schedule tasks, such as backups or updates, to run at certain times or dates.

s

The Objects window allows creating predefined applications for employment in rule sets.

Click New to open the Object window. Liability and Type classifications are purely informational. Insert Name and Object for easier identification.

Again, click New to specify an application. The Entry Parameters window opens. Click Browse and select the file you want to create the object for. Subsequently, the path to the file and its inherent file description will be displayed in the Path and fields below. Optionally, insert a file description into the Comment field. Specify Liability and Type. At present, these classifications are purely informational.

Click Generate to create an MD5 hash in order to clearly identify the selected file as soon as it is executed. MD5 hash creation is recommended in order to avoid file corruption and a vulnerable PC after an attack. Consider that in case an application equipped with an MD5 hash is used on multiple clients, file versions must match exactly. The Object will otherwise not be applicable. To delete the hash, click Clear.

In addition to the application, first-level DLLs are taken into consideration. This provides additional security. However, DLLs that are used by first-level DLLs are not monitored.

The following application objects required in Microsoft Windows domains are available in the Barracuda Personal Firewall by default:

s required in Microsoft Windows domains (name, Connection)

System, Out / In: s needed by the OS kernel.
TCP/IP Ping Command, Out / In
lsass.exe, Out: Local Security Authority. Process responsible for management of local security authority domain authentication and Active Directory management.
services.exe, Out: Upon startup, services.exe enumerates through all registry sub-keys located in the HKEY_LOCAL_MACHINE\s registry key.
spoolsv.exe, Out: The Windows Printer Spooler stores printer jobs and forwards them to the printer when it is ready.
userinit.exe, Out: By default, WinLogon executes this application that triggers logon scripts, re-establishes network connections, etc.
winlogon.exe, Out: This application manages security-related user interactions in Windows NT. It handles requests to log on or off, to change passwords, etc.
svchost.exe, Out: This is a generic host process name for services run from dynamic-link libraries (DLLs). There can be multiple instances of svchost.exe running at the same time.

The Users view allows you to create User and User Group objects to be employed in rule sets. Click New to open the User Object window.

A user object is automatically created whenever a connection attempt is processed by the firewall. The object is then inserted into the corresponding rule.

In the User/Group list, the Microsoft Windows domain users and groups known to the Barracuda Personal Firewall are available for selection. Local user/group information is displayed first in the list. If the Windows workstation is a member of a Microsoft Windows domain, then domain user and group information can be retrieved from the Active Directory server by clicking Update.

Irrespective of the operating system's language version installed on the workstation, the following users will always be displayed in English:

AUTHORITY\SYSTEM
AUTHORITY\LOCAL SERVICE
AUTHORITY\NETWORK SERVICE
AUTHORITY\NETWORK

The internal firewall engine will transform these names to the appropriate language version. Do not insert them manually in a different language.

Rule Tester

The Rule Tester view allows testing rule sets for consistency. The following entities are available for rule testing:

Rule Tester > Test Connection

Direction: This is the direction of the traffic policy (either Incoming or Outgoing).
To query for an arbitrary application, leave the asterisk character (*) that's already set as default value. Click the link and select Update s to reset the field to the default value.
From: IP / Port: Insert the source IP address and the corresponding connection port. Click the From or To link to swap IP address and/or port information.
Protocol: Specify which protocol to test. Click the Protocol link and select Show all Protocols to include protocols other than TCP/UDP and ICMP in the list.
Time (optional): Insert the day of the week and time (optional). Click the Time link and select Insert current Time in order to insert the current day and time.
User (optional): Select a user from the list (optional). Click the User link and select Update Users to clear the field.
(optional): Select an adapter from the list (optional). Click the link and select Update s to clear the field.
Test: Click Test to test the connection and display the test result in the section below.

Rule Tester > Test Result

Test Status: A connection attempt with the given values can either have failed or have been successful if a rule is applicable.
Icon / Action: A failed connection attempt will be indicated by the symbol and the Block Action field. A successful connection attempt will be indicated by the symbol and the Pass Action field.
Rule: The applicable rule responsible for the rule test result. Click Edit to open and modify the corresponding rule. If the connection attempt has been blocked because no rule has applied, the field will display.
The applicable Object.
PlugIn: If applicable, the name of the plugin that has been employed in the connection.
Save Result to: Insert the report name and click Save Result to in order to save the test result. The output of the connection test is written to the Test Reports [28] view.
Attribute / Value listing: This listing displays attributes of the tested connection in detail.

Test Reports

Test reports are saved first-come first-served. Test results with Pass are indicated by a green icon; test results with Blocked are indicated by a red icon. Changing any parameter in any configuration area that influences the result of a test report leads to a status icon change in the overview window. Green icons will become red.

To apply the new conditions to an already existing test report, select the data set in the overview window of the Test Reports window and click Rectify. After this action, the status icons will no longer indicate whether an action was successful or not, but instead whether rectification has been applied. Rectified entries will be flagged with a green status icon, even if the test that generated the entry has failed.

Select a report and click Edit to open the test result in the Rule Tester window. You may now use the report as a template for further connection tests. Or, select a report and click Delete to delete the report from the Test Report window.
Administration - Firewall Settings Wizard

Options available in the Firewall Settings view allow you to adjust the preconfigured local rule set of the Barracuda Personal Firewall. Changing these parameters triggers rule creation, rule deletion, or traffic policy changes. Use this configuration area to customize the preconfigured rule set. By default, the settings in this window are determined by the specifications made during the installation process (see also: Installing, Updating or Uninstalling the Barracuda Network Access Client [29]). The following customizable options are available:

Firewall Settings > Trusted Domain Membership

Trusted Network: Network assignments and references in the network object that has been defined as trustworthy are updated dynamically if network adapters are added to the system with a trusted trust assignment level or if the IP address configuration of a trusted adapter changes (see also: s [30]). By default, the Trusted Network option points to the preconfigured TrustedNet object (see also: Networks [31]). You may change this to another available network object. Be aware of possible implications. Set to No to disable this feature.
Domain Member: Can only be set to yes if a network object was previously configured as Trusted Network. Setting this to yes creates and activates default rules allowing applications required in Microsoft Windows domains.
Windows File Sharing: Can only be set to yes if a network object was previously configured as Trusted Network. Setting this to yes allows incoming connections to local printer(s) and files.
Allow NetBIOS
Incoming: Setting to yes (default: no) allows incoming NetBIOS traffic.
Outgoing: Setting to yes (default: no) allows outgoing NetBIOS traffic.

Firewall Settings > Miscellaneous

Interactive Alarm Notifications
Ask for unknown incoming connections: Set to yes to enforce a manual confirmation for all incoming connection attempts. Confirmation for granting the connection will be requested by a notification pop-up. For details on the design of this notification window see Automatic Rule Configuration [32].
Ask for unknown outgoing connections: Set this value to yes to enforce manual confirmation for all unknown outgoing connection attempts. Confirmation for granting the connection will be requested by a notification pop-up. For details on the design of this notification window see Automatic Rule Configuration [33].
Ask for adapter update confirmation: Setting to yes (default) triggers a pop-up on detecting changes to the settings assigned to a network adapter. See also: Automatic Configuration [34].
Connectivity
Connect to the Internet with ADSL (PPTP): Setting this to yes creates a Pass rule named ADSL in the Outgoing tab of the firewall configuration that is needed for Internet connections via ADSL. The service object used in this rule implements, amongst others, the services and protocols listed in the table "Services and Protocols Employed by the ADSL Rule".

Services and Protocols Employed by the ADSL Rule (columns: Port, Protocol, Name)

GRE: Generic Routing Encapsulation. A protocol allowing an arbitrary network protocol A to be transmitted via any other arbitrary network protocol B by encapsulating A's packets within GRE packets, that in turn are contained within packets of B.
pptp (TCP NETBIOS-DGM): Point-to-point tunnelling protocol. Control port.

Automatic Configuration

Set the Ask for adapter update confirmation option in the Firewall Settings view (see Firewall Settings Wizard [35]) if you would like to be notified of adapter configuration changes. A security alert window will then pop up asking you to confirm each configuration change.

Click Untrust to add the adapter to the Objects list and assign it as Untrusted adapter. This will create an incoming adapter block rule in the Incoming tab of the firewall rule set configuration area (see Rules [36]).

Click Trust to add the adapter to the Objects list and assign it as trusted adapter. This will add a reference to the trusted adapter in the TrustedNet object and delete a possibly existing incoming adapter block rule in the Incoming tab of the firewall rule set configuration area.

Generally, the security alert window will pop up if:
... an adapter is used for the first time, for example if it is added to the system.
... the IP configuration of an adapter changes, for example if an IP address is added or deleted.

However, it will not pop up if:
... an IP address is reintroduced (for example, on a DHCP renew).
... an adapter's IP configuration is reset to

For a detailed description of adapter configuration options navigate to s [37].

Automatic Rule Configuration

If Ask for unknown outgoing/incoming connections is active in the Firewall Settings view (see Firewall Settings Wizard [38]), then an unknown application or service requesting a network connection will trigger a security alert pop-up window requesting authorization.

Windows Vista: if you can't access the dialog as shown in the figure above, then please contact your system administrator.

The following information is included in the security alert window:

Connection Request Details as Summarized in the Security Alert Window

Date / Time: Time of the connection request.
Local Server / Program requesting the connection.
Path: Full path to the application requesting the connection.
User: User being responsible for the connection request.
/: Connection source and target destination and port.
requesting the connection.
Message Counter: Number of security alerts to be considered. Click the arrows to scroll through the alert windows.
More Info: Click this link to open the online help.

Select the Remember this answer checkbox (defaults to selected) to permanently allow or deny a connection request. Selecting this checkbox automatically creates a corresponding rule in the Configuration area of the Barracuda Personal Firewall, including required Network,, and User Objects (see Configuration [39]). If cleared, one-time access is granted for this specific connection request when clicking Allow. Selecting the checkbox also makes the Advanced Policy link available. Click the link in order to customize further connection details:

Advanced Policy Options in the Security Alert

Only this: Binds the outgoing or incoming connection to a specific IP address.
All s/s: If selected, this detaches the connection binding from a specific IP address (default).
Only Port: Binds the outgoing or incoming connection to a specific port. This option is selected by default to allow a restrictive rule set only.
All activities for this application: Allows connection initiation on arbitrary ports if selected.
Port Range: Select this and insert a port range in order to allow connection initiation on the specified ports only.

Click Allow to grant the connection request in consideration of the conditions defined above. Or, click Block to deny the connection request in consideration of the conditions defined above.

For your convenience, you may use hot keys in the security alert window: holding the CTRL key while left-clicking either Allow or Block confirms all current connection notifications. The number of messages is shown in the message counter. Or, pressing the Escape key confirms the current connection notification with Block.

A connection request related to browsing the Internet with a web browser should be treated differently than other more specific connection requests. For connections initiated by the browser, select All s. With All s selected, the rule set will be created referencing the global InterNet object. With Only this selected, the rule set will be created to reference only the specific web server's address.

IPv6 Router Advertisement Guard

Barracuda Network Access Client helps you deal with different aspects of IPv6's Router Advertisement functionality. The IPv6 Router Advertisement Guard keeps track of IPv6 Router Advertisement (RA) messages by inspecting the RA packets, and puts you in control of them while conforming to IETF RFC. You can proceed straight to Router Advertisement Guard Functionalities [40] if you already know about the purpose of Router Advertisement and the potential dangers that come with it.

What is IPv6 Router Advertisement?

Router Advertisement (RA) is a feature of IPv6's Neighbor Discovery Protocol (NDP), which replaces IPv4's Address Resolution Protocol (ARP). RA helps network nodes determine information about their LAN, such as the network prefix list, the default routers list, the default gateway, and other information that can help them communicate. It can, for example, lead a node to utilize the emitting router as its default gateway.

RA is sent out by routers periodically using ICMPv6 type 134 messages. Part of any RA message is an expiration time value. Entries created by RA messages within network nodes will be deleted after expiration. This way, only routers that actively announce their presence by sending RA messages persist in the lists. An RA emission can also be forced by sending a Router Solicitation Message to the network's router multicast address to avoid waiting for an entry's expiry, which can, for example, help to quickly activate new interfaces.

See the list below to understand the structure of an RA prefix data set:

Structural Parameters for RA Prefix Information (RA Parameter: Purpose)

Hop Limit: The hop limit is an 8-bit value containing the maximum hop count proposed by the router.
M bit: If set, the receiving node may also use Stateful Auto Configuration, besides normal Auto Configuration, for the IP address.
O bit: If set, the node may also use Stateful Auto Configuration, besides normal Auto Configuration, for all remaining values that are not the IP address.
Router Lifetime: 16-bit integer defining the expiration time for the information contained in this RA message. The maximum value is 18.2 hours. A value of 0 (zero) means that the router is not a default router and therefore should not be stored in the default router list.
Reachability Timeout: 32-bit integer defining the duration in milliseconds for which an entry in the Neighbor Cache should be indicated as being reachable after the last data was received.
Resolution Timeout: 32-bit integer defining the duration in milliseconds to wait until another Neighbor Solicitation message is to be sent.

Valid RA options are the sender's link layer address, the router's MTU and all valid prefixes. All unknown options are ignored according to the RFC.

Potential Vulnerabilities in Conjunction with RA Messages

Given the purpose and abilities of RA, harmful RA messages can become a security threat to a network node, to a LAN, or at least to performance and bandwidth. Barracuda Network Access Client offers various configuration options to effectively prevent threats such as:

Denial of Service (DoS) Attacks
RA messages may be used for DoS attacks. Therefore, the forwarding of RA messages should be disabled on specific interfaces if they are not needed, to prevent the generation of DoS messages.

Stateless Address Auto Configuration Attacks
IPv6 nodes are capable of having a stateless address auto configuration mode, in which they listen to RA messages to automatically configure themselves. A local attacker could send malicious RA messages to divert traffic to a non-existent address, thus blackholing the victim's traffic, or the attacker could insert himself in the traffic flow in order to perform a man-in-the-middle attack.

Various Other Network Discovery Protocol Attacks
IPv6 depends on the Neighbor Discovery Protocol to discover the mapping between an IPv6 address and an Ethernet MAC address. The protocol exhibits the same vulnerabilities as IPv4's ARP and is therefore not secure when the attacker is in the same LAN as the victim.

A broad variety of further threats exists besides these.

IPv6 Router Advertisement Guard Functionalities

The IPv6 Router Advertisement Guard tracks all RA messages by reading the following data from an RA packet:

Option 1: Link Layer Address
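The RA structure described above, decoded in Python as an added example (not part of the original document and not Barracuda's code): `parse_ra` reads the fixed fields and the link-layer address, MTU and prefix options and skips unknown options, and the hypothetical `RouterList` applies the Router Lifetime expiry rule. The option numbers, flag bit positions and field offsets are taken from RFC 4861 rather than from this page, keying routers by the link-layer address option is a simplifying assumption, and the sample packet is constructed.

```python
import ipaddress
import struct

RA_TYPE = 134                                   # ICMPv6 type of a Router Advertisement
OPT_LINK_LAYER, OPT_PREFIX, OPT_MTU = 1, 3, 5   # option numbers per RFC 4861 (assumption)


def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 RA starting at the type byte (checksum is not verified)."""
    if len(msg) < 16:
        raise ValueError("truncated RA: the fixed part is 16 bytes")
    icmp_type, code, _cksum, hop_limit, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", msg[:16])
    if icmp_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "m_bit": bool(flags & 0x80),            # stateful configuration for the address
        "o_bit": bool(flags & 0x40),            # stateful configuration for other values
        "router_lifetime_s": lifetime,          # 0 means: not a default router
        "reachable_ms": reachable,
        "retrans_ms": retrans,
        "link_layer_address": None,
        "mtu": None,
        "prefixes": [],
        "ignored_options": [],
    }
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[offset], msg[offset + 1]
        size = opt_len * 8                      # option length counts 8-byte units
        if opt_len == 0 or offset + size > len(msg):
            raise ValueError("malformed option length")
        body = msg[offset + 2:offset + size]
        if opt_type == OPT_LINK_LAYER and opt_len == 1:
            ra["link_layer_address"] = body.hex(":")
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        elif opt_type == OPT_PREFIX and opt_len == 4:
            plen, pflags, valid, preferred, _rsvd, raw = struct.unpack("!BBIII16s", body)
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            ra["prefixes"].append({
                "prefix": str(net),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
                "valid_s": valid,
                "preferred_s": preferred,
            })
        else:
            ra["ignored_options"].append(opt_type)   # unknown options are skipped
        offset += size
    return ra


class RouterList:
    """Hypothetical default-router list keyed by link-layer address, with expiry."""

    def __init__(self):
        self.expires_at = {}

    def observe(self, msg: bytes, now: float) -> str:
        ra = parse_ra(msg)
        # Drop entries whose Router Lifetime has run out before handling this RA.
        self.expires_at = {k: t for k, t in self.expires_at.items() if t > now}
        key = ra["link_layer_address"]
        if ra["router_lifetime_s"] == 0:
            self.expires_at.pop(key, None)
            return "not-default-router"
        status = "refreshed" if key in self.expires_at else "new-router"
        self.expires_at[key] = now + ra["router_lifetime_s"]
        return status


def build_sample_ra(mac: str, lifetime: int, prefix: str = "2001:db8:1::/64") -> bytes:
    """Constructed test input (documentation prefix), not a captured packet."""
    net = ipaddress.IPv6Network(prefix)
    fixed = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x40, lifetime, 30000, 1000)
    lla = struct.pack("!BB6s", OPT_LINK_LAYER, 1, bytes.fromhex(mac.replace(":", "")))
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    pfx = struct.pack("!BBBBIII16s", OPT_PREFIX, 4, net.prefixlen, 0xC0,
                      86400, 14400, 0, net.network_address.packed)
    unknown = struct.pack("!BB6s", 200, 1, b"\x00" * 6)   # option type not handled here
    return fixed + lla + mtu + pfx + unknown


if __name__ == "__main__":
    sample = build_sample_ra("02:00:00:00:00:01", 1800)
    print(parse_ra(sample))
    print(RouterList().observe(sample, now=0.0))
```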


Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Configuring Request Authentication and Authorization

Configuring Request Authentication and Authorization CHAPTER 15 Configuring Request Authentication and Authorization Request authentication and authorization is a means to manage employee use of the Internet and restrict access to online content. This chapter

More information

User's Guide Applied Functions

User's Guide Applied Functions User's Guide Applied Functions Table of contents 1 Using Web Connection 1.1 Web Connection... 1-2 Web Connection...1-2 Operating environment...1-2 1.2 Operations required to use this function... 1-3 1.2.1

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2004 Kerio Technologies. All Rights Reserved. Printing Date: April 25, 2004 This guide provides detailed description on configuration of the local network

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies Kerio Technologies. All Rights Reserved. Release Date: March 16, 2007 This guide provides detailed description on configuration of the local network which

More information

Mobile IP. rek. Petr Grygárek Petr Grygarek, Advanced Computer Networks Technologies 1

Mobile IP. rek. Petr Grygárek Petr Grygarek, Advanced Computer Networks Technologies 1 Mobile IP Petr Grygárek rek 1 Basic principle Picture from IOS IP and IP Routing Configuration Guide Mobile node maintains the same IP address even while roaming in foreign networks even if it s address

More information

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Hostname (DNS Resolvable) Network Objects

Hostname (DNS Resolvable) Network Objects Introduction The following article explains the configuration of hostname (DNS Resolvable) network objects. Note that the maximum amount of a single DNS resolvable hostname is limited to 24 IP addresses.

More information

Configuration Manager

Configuration Manager CHAPTER 7 This chapter describes how to perform routine Cisco VXC Manager configuration management tasks using the Administrator Console. It provides information on managing the configuration settings

More information

McAfee Endpoint Security Firewall Product Guide. (McAfee epolicy Orchestrator)

McAfee Endpoint Security Firewall Product Guide. (McAfee epolicy Orchestrator) McAfee Endpoint Security 10.6.0 - Firewall Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

The Netwok Layer IPv4 and IPv6 Part 2

The Netwok Layer IPv4 and IPv6 Part 2 ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE The Netwok Layer IPv4 and IPv6 Part 2 Jean Yves Le Boudec 2014 1 Contents 6. ARP 7. Host configuration 8. IP packet format Textbook Chapter 5: The Network Layer

More information

1100 Dexter Avenue N Seattle, WA NetMotion Mobility Architecture A Look Under the Hood

1100 Dexter Avenue N Seattle, WA NetMotion Mobility Architecture A Look Under the Hood TM 1100 Dexter Avenue N Seattle, WA 98109 206.691.5555 www.netmotionwireless.com NetMotion Mobility Architecture A Look Under the Hood NetMotion Mobility Architecture A Look Under the Hood Wireless networking

More information

KYOCERA Net Viewer User Guide

KYOCERA Net Viewer User Guide KYOCERA Net Viewer User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0 DC-228 ADSL2+ Modem/Router -Annex A- User Manual Version: 1.0 TABLE OF CONTENTS 1 PACKAGE CONTENTS...3 2 PRODUCT LAYOUT...4 3 NETWORK + SYSTEM REQUIREMENTS...6 4 DC-228 PLACEMENT...6 5 SETUP LAN, WAN...7

More information

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local

More information

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature

Firewall Policy. Edit Firewall Policy/ACL CHAPTER7. Configure a Firewall Before Using the Firewall Policy Feature CHAPTER7 The feature lets you view and modify firewall configurations access rules and CBAC inspection rules in the context of the interfaces whose traffic they filter. Using a graphical representation

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network

More information

Wireless a CPE User Manual

Wireless a CPE User Manual NOTICE Changes or modifications to the equipment, which are not approved by the party responsible for compliance, could affect the user's authority to operate the equipment. Company has an on-going policy

More information

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER

TCP/IP Filtering. Main TCP/IP Filtering Dialog Box. Route Filters Button. Packet Filters Button CHAPTER CHAPTER 11 Main Dialog Box To access this dialog box (Figure 11-1), select Global/Filtering/ from the Device View. Figure 11-1 Main Configuration Dialog Box Route Filters Button This button brings up a

More information

High Availability Synchronization PAN-OS 5.0.3

High Availability Synchronization PAN-OS 5.0.3 High Availability Synchronization PAN-OS 5.0.3 Revision B 2013, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Device Configuration... 4 Network Configuration... 9 Objects Configuration...

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013

More information

Managing NCS User Accounts

Managing NCS User Accounts 7 CHAPTER The Administration enables you to schedule tasks, administer accounts, and configure local and external authentication and authorization. Also, set logging options, configure mail servers, and

More information

HPE FlexFabric 5940 Switch Series

HPE FlexFabric 5940 Switch Series HPE FlexFabric 5940 Switch Series Layer 3 IP Services Configuration Guide Part number: 5200-1022a Software version: Release 2508 and later verison Document version: 6W101-20161101 Copyright 2016 Hewlett

More information

Module 9. Configuring IPsec. Contents:

Module 9. Configuring IPsec. Contents: Configuring IPsec 9-1 Module 9 Configuring IPsec Contents: Lesson 1: Overview of IPsec 9-3 Lesson 2: Configuring Connection Security Rules 9-11 Lesson 3: Configuring IPsec NAP Enforcement 9-21 Lab: Configuring

More information

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default.

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default. Week 1 Lab Lab 1: Connect to the Barracuda network. 1. Download the Barracuda NG Firewall Admin 5.4 2. Launch NG Admin 3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings

More information

IP Access List Overview

IP Access List Overview Access control lists (ACLs) perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

ipv6 hello-interval eigrp

ipv6 hello-interval eigrp ipv6 hello-interval eigrp ipv6 hello-interval eigrp To configure the hello interval for the Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 routing process designated by an autonomous system

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Restricting Features Available for Users...

More information

LevelOne Broadband Routers

LevelOne Broadband Routers LevelOne Broadband Routers FBR-1100TX FBR-1400TX FBR-1401TX FBR-1700TX User's Guide TABLE OF CONTENTS CHAPTER 1 INTRODUCTION... 1 Features of your LevelOne Broadband Router... 1 Package Contents... 4

More information

Chapter 8 roadmap. Network Security

Chapter 8 roadmap. Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing

More information

IP Routing Protocol-Independent Commands

IP Routing Protocol-Independent Commands IP Routing Protocol-Independent Commands Use the commands in this chapter to configure and monitor the features that are routing protocol-independent. For configuration information and examples on IP routing

More information

Chapter 3 LAN Configuration

Chapter 3 LAN Configuration Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections

More information

Connection Logging. Introduction to Connection Logging

Connection Logging. Introduction to Connection Logging The following topics describe how to configure the Firepower System to log connections made by hosts on your monitored network: Introduction to, page 1 Strategies, page 2 Logging Decryptable Connections

More information

Configuring IPv6 First-Hop Security

Configuring IPv6 First-Hop Security This chapter describes the IPv6 First-Hop Security features. This chapter includes the following sections: Finding Feature Information, on page 1 Introduction to First-Hop Security, on page 1 RA Guard,

More information

6.2. Management & Administration Guide

6.2. Management & Administration Guide 6.2 Management & Administration Guide Netmon Management and Administration Guide 2 Contents Contents... 2 Introduction... 5 Settings Explorer... 5 Initial Setup... 6 Network Interfaces... 6 (Re)configuring

More information

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land IPv6 1 IPv4 & IPv6 Header Comparison IPv4 Header IPv6 Header Ver IHL Type of Service Total Length Ver Traffic Class Flow Label Identification Flags Fragment Offset Payload Length Next Header Hop Limit

More information

Chapter 09 Network Protocols

Chapter 09 Network Protocols Chapter 09 Network Protocols Copyright 2011, Dr. Dharma P. Agrawal and Dr. Qing-An Zeng. All rights reserved. 1 Outline Protocol: Set of defined rules to allow communication between entities Open Systems

More information

WatchGuard System Manager Fireware Configuration Guide. WatchGuard Fireware Pro v8.1

WatchGuard System Manager Fireware Configuration Guide. WatchGuard Fireware Pro v8.1 WatchGuard System Manager Fireware Configuration Guide WatchGuard Fireware Pro v8.1 Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples

More information

07/ CONFIGURING SECURITY SETTINGS

07/ CONFIGURING SECURITY SETTINGS SECURITY LOG Malformed packet: Failed parsing a packed has been blocked because it is malformed. Maximum security enabled service a packet has been accepted because it belongs to a permitted service in

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

Administrator's Guide

Administrator's Guide Administrator's Guide Contents Administrator's Guide... 7 Using Web Config Network Configuration Software... 8 About Web Config... 8 Accessing Web Config... 8 Restricting Features Available for Users...

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

SonicWALL strongly recommends you follow these steps before installing Global VPN Client (GVC) 4.0.0:

SonicWALL strongly recommends you follow these steps before installing Global VPN Client (GVC) 4.0.0: GVC SonicWALL Global VPN Client 4.0.0 Contents Pre-installation Recommendations... 1 Platform Compatibility... 1 New Features... 2 Known Issues... 3 Resolved Known Issues... 4 Troubleshooting... 5 Pre-installation

More information