From eScan Wiki
Revision as of 07:35, 23 September 2008
eConceal Firewall is a comprehensive software firewall designed to prevent unauthorized access to a computer or network that is connected to the Internet. It enforces a boundary between two or more networks by applying default or user-defined access-control policies (rules) to the traffic that crosses that boundary.
It allows the user to choose the type of Internet access. The user can set rules to control network access to and from their system; a rule is the user's decision to allow or block a given kind of Internet access on that system. The rules function as filters: each packet (a small chunk of data) is checked against the filter criteria and, if it matches, is passed on to the requesting system, otherwise it is discarded.
The software ships with a set of predefined rules that can be added to the firewall by selecting those appropriate to one's security needs. Users can also define their own rules, and remove any rule they have added once it is no longer needed. Among the pre-set rules for Internet access that eConceal offers, the user can select ARP, DHCP & BOOTP, DNS, E-mail, WWW, News, NetBIOS, FTP, ICMP, ICQ, Telnet & SSH, IRC, MSN, and VPN.
Internet access involves the use of these functions in one form or another. When a system connects to a public network like the Internet, it becomes exposed to unauthorized access. The eConceal firewall is designed to protect against unauthorized access by people who set out to disrupt or destroy your personal and/or business data, often stealing valuable information such as your identity, account numbers, other personal information, confidential information or proprietary business data.
Vulnerable Scenarios -
A user's system is vulnerable to hacker attack when it connects to a public network, for example:
- When you log in to chat, you connect to Internet Relay Chat (IRC) servers on the Internet and join others in the numerous 'channels' on the IRC network.
- When you use Telnet to connect to a server on the Internet and execute commands 'on' the server from your computer.
- When you use FTP to transfer files from a remote server to your computer. FTP is the File Transfer Protocol for exchanging files over the Internet; it works in the same way that HTTP does in transferring Web pages from servers to a user's browser, and SMTP in transferring e-mail.
- When you use NetBIOS (Network Basic Input/Output System) to communicate with another user on the LAN; the LAN could in turn be connected to the Internet. NetBIOS shields the applications that users communicate with from the details of the underlying network.
- When you are part of a Virtual Private Network (VPN). These private network connections communicate 'securely' over a public network such as the Internet.
- When you browse the Web.
- When you send/receive e-mail.
The “Firewall” option page shows the current status of Firewall Protection. A green tick mark denotes that the module is “Active”, while a red cross mark shows that the module is “Inactive”.
On the Firewall option page, in the “Configuration” section, clicking “Settings” lets you change and customize the Firewall Protection level, while clicking one of the “Allow All”, “Filter All” or “Block All” options (next to Settings) makes the module “Allow”, “Filter” or “Block” traffic.
1. Configuration section -
When “Settings” is clicked, the options below become available, through which the eScan software’s Firewall protection can be customized -
These are "Zone Rule", "Expert Rule", “Application Rule”, “Trojan Rule”, “Trusted MAC Address” and “Local IP list”.
A) Zone Rule -
This option page has the following options on the right hand side of the page – Add Host Name, Add IP, Add IP Range, Modify and Remove.
1) Add Host Name - This option enables you to add a “host” to a zone. Clicking “Add Host Name” displays a window prompting for the Host Name, the Zone (trusted or blocked) and a Name for the Zone Rule; clicking “OK” adds the rule to the “Zone Rule” page.
2) Add IP – This option enables you to add an “IP” to a zone. Clicking “Add IP” displays a window prompting for the IP Address, the Zone (trusted or blocked) and a Name for the Zone Rule; clicking “OK” adds the rule to the “Zone Rule” page.
3) Add IP Range – This option enables you to add an “IP Range” to a zone. Clicking “Add IP Range” displays a window prompting for the IP Address Range, the Zone (trusted or blocked) and a Name for the Zone Rule; clicking “OK” adds the rule to the “Zone Rule” page.
4) Modify - This option works on the rules already defined in the categories above. To change a rule, select it and then click the “Modify” option.
5) Remove – This option works on the rules already defined in the categories above. To remove a rule, select it and then click the “Remove” option.
B) Expert Rule - This option page has the following options on the right hand side of the page – Add, Modify, Remove, Default Rule, along with the UP and DOWN arrows.
1) Add - This option enables you to add a new rule to the “Expert Rule” list. Clicking “Add” displays a window with four screens, viz. General, Source, Destination and Advanced.
a. General - This screen defines a name for the rule, the action to be taken (i.e. either pass or reject the packet), the protocol it applies to and the interface (network adapter) it applies to.
b. Source – This screen defines the “source” of the connection, i.e. the source IP Address and Port.
c. Destination - This screen defines the “destination” of the connection, i.e. the destination IP Address and Port being connected to.
d. Advanced - This screen is applicable ONLY if the ICMP protocol is selected in the “General” screen above.
2) Modify - This option works on the rules already defined in this category. To change a rule, select it and then click the “Modify” option.
3) Remove - This option works on the rules already defined in this category. To remove a rule, select it and then click the “Remove” option.
4) Default Rule - This option reverts to the default rules set within the software.
Do note - this option should be used with caution: any rules the user has defined are lost when it is used.
The UP and DOWN arrows provided below the “Default Rule” option move the selected rule up or down the list as required.
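As an added example that is not eConceal's own code, the following Python models the Zone Rule entries above (IP and IP range, marked trusted or blocked) and the four Expert Rule screens (General, Source, Destination, Advanced) as data, and evaluates a packet against them. The evaluation order is an assumption made for this example: zone rules are consulted first for either address, a blocked entry outranking a trusted one; then expert rules are tried top-down with the first match winning; then a default action applies. Field names, rule names, addresses and packets are constructed, and hostname zone entries are left out because they would need DNS resolution first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Optional, Tuple


@dataclass(frozen=True)
class ZoneRule:
    """Zone Rule entry: one or more networks covering an IP or IP range,
    placed in the 'trusted' or 'blocked' zone (hostname entries omitted)."""
    name: str
    networks: Tuple          # ip_network objects
    zone: str                # "trusted" or "blocked"


def zone_rule_ip(name: str, ip: str, zone: str) -> ZoneRule:
    return ZoneRule(name, (ip_network(ip),), zone)


def zone_rule_range(name: str, first: str, last: str, zone: str) -> ZoneRule:
    # An IP range becomes the minimal set of CIDR blocks that covers it.
    nets = tuple(summarize_address_range(ip_address(first), ip_address(last)))
    return ZoneRule(name, nets, zone)


@dataclass(frozen=True)
class ExpertRule:
    """Expert Rule: General (name, action, protocol), Source, Destination and
    the ICMP-only Advanced screen as fields. Port ranges are (low, high)
    pairs; an empty tuple means 'any'. Interface selection is not modelled."""
    name: str
    action: str                     # "pass" or "reject"
    protocol: str = "any"           # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"
    src_ports: Tuple = ()
    dst: str = "0.0.0.0/0"
    dst_ports: Tuple = ()
    icmp_types: Tuple = ()          # Advanced screen; only consulted for icmp


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    icmp_type: Optional[int] = None


def _port_ok(port: int, ranges: Tuple) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def matches(rule: ExpertRule, pkt: Packet) -> bool:
    """True when every populated screen of the rule fits the packet."""
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if pkt.protocol == "icmp":
        return not rule.icmp_types or pkt.icmp_type in rule.icmp_types
    return _port_ok(pkt.src_port, rule.src_ports) and _port_ok(pkt.dst_port, rule.dst_ports)


def zone_of(ip: str, zone_rules) -> Optional[ZoneRule]:
    """The zone entry covering ip; a blocked entry outranks a trusted one."""
    addr = ip_address(ip)
    hits = [z for z in zone_rules if any(addr in n for n in z.networks)]
    hits.sort(key=lambda z: z.zone != "blocked")
    return hits[0] if hits else None


def decide(pkt: Packet, zone_rules, expert_rules, default: str = "reject"):
    """Assumed order: zone rules on either address, then expert rules
    top-down (first match wins), then the default. Returns (action, name)."""
    zones = [z for z in (zone_of(pkt.src, zone_rules), zone_of(pkt.dst, zone_rules)) if z]
    for z in zones:
        if z.zone == "blocked":
            return "reject", z.name
    if zones:
        return "pass", zones[0].name
    for rule in expert_rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# Constructed sample configuration (addresses from documentation ranges).
ZONES = [
    zone_rule_range("lab-range", "192.168.1.10", "192.168.1.20", "trusted"),
    zone_rule_ip("bad-host", "203.0.113.9", "blocked"),
]
ALLOW_WEB = ExpertRule("allow-web", "pass", "tcp", dst_ports=((80, 80), (443, 443)))
ALLOW_DNS = ExpertRule("allow-dns", "pass", "udp", dst_ports=((53, 53),))
ALLOW_PING = ExpertRule("allow-ping", "pass", "icmp", icmp_types=(8,))
BLOCK_NET = ExpertRule("block-198.51.100.0/24", "reject", "any", dst="198.51.100.0/24")


def ordering_demo():
    """Same two rules, swapped order: the UP/DOWN position decides the outcome."""
    pkt = Packet("tcp", "10.0.0.5", "198.51.100.5", 40000, 443)
    return decide(pkt, ZONES, [BLOCK_NET, ALLOW_WEB]), decide(pkt, ZONES, [ALLOW_WEB, BLOCK_NET])
```

Under the first-match assumption, `ordering_demo` returns a reject when the network block sits above the web allow and a pass when it sits below, which is the practical reason to review rule order after using the UP and DOWN arrows: a broad rule placed high shadows every narrower rule beneath it.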
C) Application Rule -
This option page has the following options on the right hand side of the page – Add and Remove.
1) Add - This option enables you to add a new rule to the “Application Rule” list. Clicking “Add” displays a window prompting for the name of the application to be filtered along with the action to be set, i.e. Ask, Permit or Deny.
2) Remove – This option works on the rules already defined in this category. To remove a rule, select it and then click the “Remove” option.
Do note – to change the action preference for a particular application, simply right-click on the desired application name and select the new action from the menu. Likewise, more information on the process properties and its other details can be accessed using the appropriate options provided there.
D) Trojan Rule – This option page has the following options on the right hand side of the page – Add, Modify, Remove, Default Rule, along with the UP and DOWN arrows.
1) Add - This option enables you to add a new rule to the “Trojan Rule” list. Clicking “Add” displays a window with four screens, viz. General, Source, Destination and Advanced.
a. General - This screen defines a name for the rule, the action to be taken (i.e. either pass or reject the packet), the protocol it applies to and the interface (network adapter) it applies to.
b. Source – This screen defines the “source” of the connection, i.e. the source IP Address and Port.
c. Destination - This screen defines the “destination” of the connection, i.e. the destination IP Address and Port being connected to.
d. Advanced - This screen is applicable ONLY if the ICMP protocol is selected in the “General” screen above.
2) Modify - This option works on the rules already defined in this category. To change a rule, select it and then click the “Modify” option.
3) Remove - This option works on the rules already defined in this category. To remove a rule, select it and then click the “Remove” option.
4) Default Rule - This option reverts to the default rules set within the software.
Do note - this option should be used with caution: any rules the user has defined are lost when it is used.
The UP and DOWN arrows provided below the “Default Rule” option move the selected rule up or down the list as required.
E) Trusted MAC Address – This option page has the following options on the right hand side of the page – Add, Edit, Remove, Clear All and Import.
1) Add - This option enables you to add a new rule to the “Trusted MAC Address” list. Clicking “Add” displays a window prompting for the MAC Address and a Comment for it.
2) Edit - This option works on the rules already defined in this category. To change a rule, select it and then click the “Edit” option.
3) Remove - This option works on the rules already defined in this category. To remove a rule, select it and then click the “Remove” option.
4) Clear All – This option deletes all the rules defined.
Do note - this option should be used with caution: any rules the user has defined are lost when it is used.
5) Import – This option enables you to import the “trusted MAC address list” from a text file.
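As an added example of the text-file import, not eConceal's code and with a file format assumed for illustration (one MAC address per line, an optional comment after it, and '#' comment lines), the following Python parses such a list, normalizes the common notations to one canonical form, rejects malformed and duplicate entries with their line numbers, and answers membership queries for an address seen on the LAN. The sample file contents are constructed.

```python
import re
from typing import Dict, List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or
    001122334455 and return lowercase colon form; raise ValueError otherwise."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_trusted_mac_list(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse the assumed import format. Returns ({mac: comment}, [errors]);
    a bad or duplicate line is reported, not imported, and parsing continues."""
    table: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()      # drop '#' comments
        if not body:
            continue
        parts = body.split(None, 1)               # address, then free-text comment
        try:
            mac = normalize_mac(parts[0])
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if mac in table:
            errors.append(f"line {lineno}: duplicate {mac}")
            continue
        table[mac] = parts[1].strip() if len(parts) > 1 else ""
    return table, errors


def is_trusted(mac: str, table: Dict[str, str]) -> bool:
    """Membership test that tolerates whichever notation the caller uses."""
    try:
        return normalize_mac(mac) in table
    except ValueError:
        return False


# Constructed sample file: three valid entries, one duplicate, one truncated.
SAMPLE_FILE = """\
# constructed trusted MAC list
00:1A:2B:3C:4D:5E   file server
00-1a-2b-3c-4d-5f   printer
001A2B3C4D60        # laptop, no comment column
00:1A:2B:3C:4D:5E   duplicate of line 2
00:1A:2B:3C:4D      truncated
"""
```

Normalizing before comparing stops a trusted entry from silently failing to match because it was typed with dashes or upper-case hex. Bear in mind that a MAC address is a LAN identifier chosen by the adapter's owner, not a credential, so the list names expected peers rather than authenticating them.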
F) Local IP list - This option page has the following options on the right hand side of the page – Add, Remove, Clear All and Default list.
1) Add - This option enables you to add a new rule to the “Local IP list”. Clicking “Add” displays a window prompting for the Local IP Address.
2) Remove - This option works on the rules already defined in this category. To remove a rule, select it and then click the “Remove” option.
3) Clear All – This option deletes all the rules defined.
Do note - this option should be used with caution: any rules the user has defined are lost when it is used.
4) Default list - This option reverts to the default list set within the software.
Do note - this option should be used with caution: any rules the user has defined are lost when it is used.
Other options –
1. Clear Alert Cache - This option clears / deletes the cache of all alerts generated earlier.
2. OK – This option will “Save” the recent settings done to the configuration of the software.
3. Cancel – This option will discard the recent changes done to the configuration of the software.
4. Apply – This option will apply the recent changes done to the configuration of the software.
2. Reports section - The options below are available within it -
a. Inbound Allowed (TCP/UDP) - This displays the details of the inbound connections that were allowed.
b. Outbound Allowed (TCP/UDP) – This displays the details of the outbound connections that were allowed.
c. Inbound Blocked (TCP/UDP) – This displays the details of the inbound connections that were blocked.
d. Outbound Blocked (TCP/UDP) - This displays the details of the outbound connections that were blocked.
e. View current network activity – Clicking “View current network activity” displays the "Active Connections" and "Established Connections" views.
A) Active Connections:
1. Process - This tab on the active connections page shows the process/es that are active in the background and working.
2. Protocol - This tab on the active connections page displays the protocol being used by these process/es.
3. Local Address - This tab on the active connections page displays the local address from which these processes originated.
4. Remote Address - This tab on the active connections page displays the remote address to which these processes are connecting.
5. Status - This tab on the active connections page displays the connection status of a particular process, or of all of them.
B) Established Connections:
1. Process - This tab on the established connections page shows the process/es that are active in the background and presently connected.
2. Protocol - This tab on the established connections page displays the protocol being used by these process/es.
3. Local Address - This tab on the established connections page displays the local address from which these process/es originated.
4. Remote Address - This tab on the established connections page displays the remote address to which these process/es are connecting.
Note:- This TCP Connections module is helpful in knowing precisely which process/es are running in the background, which protocols they use, the local address they originate from and the remote address they are connected to, along with the connection status. So, if you suspect your system is infected with malware, this module helps you identify the process/es and their characteristics (listed above) and then take an informed decision, by right-clicking on the process/es, to check the process properties, look up information on the process if available, kill/end the process, etc., thus restricting or blocking the malware's activity.
f. Report – This displays the current status as a log/report.
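As an added example that is not eConceal's code, the following Python takes a copy of the Established Connections view (the column layout and every row, including the process names and addresses, are constructed for this example) and groups, per process, the remote endpoints that fall outside a Local IP list such as the one configured under Settings (the list contents are assumed). That is the first question a reviewer asks of the view described in the note above: which processes are talking to addresses that are not local.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample rows in the column order of the "Established Connections"
# view: Process, Protocol, Local Address, Remote Address, Status.
SAMPLE_VIEW = """\
Process         Protocol  LocalAddress         RemoteAddress        Status
outlook.exe     TCP       192.168.1.15:51234   192.168.1.2:143      ESTABLISHED
firefox.exe     TCP       192.168.1.15:51300   198.51.100.7:443     ESTABLISHED
updater.exe     TCP       192.168.1.15:51301   203.0.113.42:6667    ESTABLISHED
updater.exe     TCP       192.168.1.15:51302   203.0.113.43:6667    ESTABLISHED
"""

# Stand-in for the firewall's "Local IP list" (assumed contents).
LOCAL_IP_LIST = [ip_network("192.168.1.0/24"), ip_network("127.0.0.0/8")]


def parse_view(text):
    """Turn the whitespace-separated view into dicts; the header row is skipped."""
    records = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        process, protocol, local, remote, status = line.split()
        remote_ip, remote_port = remote.rsplit(":", 1)
        records.append({"process": process, "protocol": protocol, "local": local,
                        "remote_ip": remote_ip, "remote_port": int(remote_port),
                        "status": status})
    return records


def is_local(ip, local_list=LOCAL_IP_LIST):
    addr = ip_address(ip)
    return any(addr in net for net in local_list)


def external_peers_by_process(records, local_list=LOCAL_IP_LIST):
    """Per process, the (remote_ip, remote_port) pairs outside the local list.
    Processes that only talk to local addresses do not appear at all."""
    peers = defaultdict(list)
    for r in records:
        if not is_local(r["remote_ip"], local_list):
            peers[r["process"]].append((r["remote_ip"], r["remote_port"]))
    return dict(peers)


def review(text=SAMPLE_VIEW):
    return external_peers_by_process(parse_view(text))
```

The grouped result puts each process beside every outside address it holds open, so a process name you do not recognize, or a familiar name with an unexpected destination port, stands out at once and can then be examined through the right-click options (properties, information, end process) described above.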