Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein

without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro Web site at: http://downloadcenter.trendmicro.com/ Trend Micro, the Trend Micro t-ball logo, Intrusion Defense Firewall, OfficeScan, and TrendLabs are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Copyright 2011 Trend Micro Incorporated. All rights reserved. Document Part No.: OSEM15025/110817 Release Date: September 2011

The user documentation for Trend Micro Intrusion Defense Firewall introduces the main features of the software and installation instructions for your production environment. Read through it before installing or using the software. Detailed information about how to use specific features within the software are available in the online help file and the online Knowledge Base at Trend Micros Web site. Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please contact us at [email protected]. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp

Contents

Contents
Preface
Intrusion Defense Firewall Documentation ................................................xiv Audience .............................................................................................................xv Document Conventions ..................................................................................xv

Chapter 1: Introducing Intrusion Defense Firewall

About Instrusion Defense Firewall .............................................................. 1-2 New in this Release ......................................................................................... 1-2

Chapter 2: Getting Started with Intrusion Defense Firewall

The IDF Server Plug-in ................................................................................. 2-2 The IDF Client Plug-in .................................................................................. 2-2 Opening the IDF Server Plug-in Interface ................................................. 2-3 IDF Server Plug-in Interface ........................................................................ 2-4 Navigation Pane ......................................................................................... 2-4 Task Pane .................................................................................................... 2-5 Pagination Controls ................................................................................... 2-5 View Control .............................................................................................. 2-6 Toolbar ........................................................................................................ 2-6 Search and Advanced Search ................................................................... 2-6 Status Bar .................................................................................................... 2-8 Context Menus ........................................................................................... 2-8 Program Overview .......................................................................................... 2-8 Dashboard ................................................................................................... 2-9 Alerts .......................................................................................................... 2-10 Reports ...................................................................................................... 2-11 Computers ................................................................................................. 2-12 Security Profiles ........................................................................................ 2-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Firewall .......................................................................................................2-14 Deep Packet Inspection ..........................................................................2-15 Components ..............................................................................................2-16 System ........................................................................................................2-17

Chapter 3: Dashboard
About the Dashboard ..................................................................................... 3-2 About Widgets ............................................................................................ 3-2 Customizing the Dashboard .......................................................................... 3-3 Configuring Widget Layout ...................................................................... 3-4 Adding and Removing Dashboard Widgets ........................................... 3-5 Filtering Information by Tags .................................................................. 3-5 Filtering Information by Date/Time Range .......................................... 3-6 Filtering by Computer and Computer Domain ..................................... 3-6 Managing Dashboard Configurations .......................................................... 3-6 Opening a Saved Dashboard Configuration ............................................... 3-7

Chapter 4: Alerts
About Alerts ..................................................................................................... 4-2 Viewing Alerts .................................................................................................. 4-2 Configuring Alerts ........................................................................................... 4-3 Setting Up Alert Emails .................................................................................. 4-4

Chapter 5: Reports
About Reports ................................................................................................. 5-2 Generating Reports ......................................................................................... 5-2

Chapter 6: Managing Computers

About Computers ............................................................................................ 6-2 Viewing Computer Information ................................................................... 6-2 Viewing a Computer Preview ................................................................... 6-3

ii

Contents

Checking the Status of a Computer ........................................................ 6-3 Searching for a Computer ......................................................................... 6-3 Synchronizing the Computer List with OfficeScan .............................. 6-4 Scanning Computers for Open Ports .......................................................... 6-5 Canceling Any Currently Executing Port Scans .................................... 6-6 Scanning Computers for Recommendations .............................................. 6-6 Managing Recommendation Scan Results ............................................. 6-8 Configuring Recommended Rules .......................................................... 6-9 Clearing Recommendations ...................................................................... 6-9 Assigning Security Profiles .......................................................................... 6-10 Assigning a Security Profile to a Computer ......................................... 6-10 Assigning a Security Profile to the Current Domain .......................... 6-11 Managing Client Plug-ins ............................................................................. 6-11 Configuring Plug-in Communications .................................................. 6-11 Deploying the Client Plug-in .................................................................. 6-13 Deploying the Client Plug-in from the Server ................................ 6-13 Using the Standalone Client Plug-in Installer ................................. 6-13 Activating/Reactivating the Client Plug-in .......................................... 6-14 Stopping and Starting the Client Plug-in .............................................. 6-15 Updating the Client Plug-in on a Computer ........................................ 6-15 Manually Upgrading the Client Plug-in ................................................ 6-16 Deactivating the Client Plug-in on a Computer .................................. 6-16 Uninstalling the Client Plug-in ............................................................... 6-17 Viewing Events for a Computer ................................................................. 6-18 Clearing Warnings/Errors ...................................................................... 6-19 Locking and Unlocking a Computer .......................................................... 6-19 Assigning Computer Asset Value ............................................................... 6-20 Viewing and Editing Computer Details .................................................... 6-21 Computer Information ............................................................................ 6-21 Inheritance and Overrides ........................................................................... 6-28 Other Properties ...................................................................................... 6-29 Viewing Computer or Security Profile Overrides ............................... 6-32

iii

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Chapter 7: Security Profiles

About Security Profiles ................................................................................... 7-2 Managing Security Profiles ............................................................................. 7-2 Creating a Security Profile ......................................................................... 7-2 Viewing and Editing Security Profile Details .............................................. 7-3

Chapter 8: Using the IDF Firewall

About the IDF Firewall .................................................................................. 8-2 Turning the Firewall On or Off .................................................................... 8-2 Firewall Events ................................................................................................ 8-2 Viewing Firewall Event Properties .......................................................... 8-5 Filtering the List and/or Searching for an Event ..................................8-5 Exporting Events ....................................................................................... 8-6 Tagging Firewall Events ............................................................................ 8-6 Firewall Rules ................................................................................................... 8-8 About Firewall Rules .................................................................................. 8-8 Rule Action ............................................................................................. 8-8 Rule Priority .........................................................................................8-10 Putting Rule Action and Priority Together .....................................8-10 Stateful Filtering ...................................................................................8-11 Bypass Rule ...........................................................................................8-12 Firewall Rule Sequence ............................................................................8-13 A Note on Logging .............................................................................8-14 Putting It All Together To Design a Firewall Policy .....................8-15 Important Things To Remember ......................................................8-16 Creating and Applying New Firewall Rules .........................................8-17 Stateful Configurations .................................................................................8-23 Managing Stateful Configurations .........................................................8-23

Chapter 9: Using Deep Packet Inspection

About Deep Packet Inspection ..................................................................... 9-2 Packet Processing Sequence ..................................................................... 9-2

iv

Contents

Turning Deep Packet Inspection On or Off .............................................. 9-3 DPI Events ...................................................................................................... 9-4 Filtering the List and/or Searching for an Event ................................. 9-5 Viewing DPI Event Properties ................................................................ 9-6 Exporting the Event Log ..................................................................... 9-7 Tagging DPI Events .................................................................................. 9-7 DPI Rules ......................................................................................................... 9-9 Creating and Editing DPI Rule Properties .......................................... 9-10 Creating Custom DPI Rules ........................................................................ 9-13 Considerations for DPI Rules ................................................................ 9-13 Hello World .............................................................................................. 9-13 XML Quoting ........................................................................................... 9-14 Application Types and Rule Directions ............................................... 9-15 Using State to Refine Rules .................................................................... 9-15 Adding Comments .............................................................................. 9-16 More Rule Actions ................................................................................... 9-16 Resetting a Connection (drop) .......................................................... 9-16 Understanding Detect and Prevent Modes ..................................... 9-16 Deferred Reset of a Connection (setdrop) ...................................... 9-17 More About Rule Attributes .................................................................. 9-17 State ....................................................................................................... 9-18 Case-sensitive Matching ..................................................................... 9-18 Distance Constraints .......................................................................... 9-18 Using Counters .................................................................................... 9-19 More About Patterns ............................................................................... 9-20 Advanced Rule Actions ........................................................................... 9-21 Register Assignments .............................................................................. 9-22 Accessing Registers ............................................................................. 9-23 Comparing Registers ........................................................................... 9-23 Order Of Execution ................................................................................ 9-27 UDP Pseudo Connections ..................................................................... 9-28 Web Rules for URIs ................................................................................ 9-28 Web Resource and Query Rules ....................................................... 9-29 Considerations for Web Rules .......................................................... 9-29 Application Types ......................................................................................... 9-29

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Chapter 10: Components

About Components ......................................................................................10-2 IP Lists ............................................................................................................10-2 IP List Properties ......................................................................................10-3 MAC Lists .......................................................................................................10-3 MAC List Properties ................................................................................10-4 Port Lists .........................................................................................................10-4 Port List Properties ..................................................................................10-5 Configuring Port Scan Settings ..............................................................10-5 Contexts ..........................................................................................................10-6 Context Properties ...................................................................................10-7 Schedules ........................................................................................................10-8 Schedule Properties ..................................................................................10-9

Chapter 11: Managing the IDF Server Plug-in

Securing the IDF Server Plug-in .................................................................11-2 Upgrading the Server Plug-in ......................................................................11-3 Migrating To a Larger Database .................................................................11-3 Migrating Managed Computers to a New IDF Server ............................11-6 Migrating a Single Managed Computer to a New IDF Server ...............11-7 Optimizing the Embedded Database .........................................................11-7 MS SQL Server Expresss 4GB Limitation ..........................................11-8 Archiving the Logs ...................................................................................11-8 Minimizing the Space Used by the Database .......................................11-8 Shrinking the Size of the IDF Database ...............................................11-9 Migrating IDF Data To Another Database .............................................11-10 Backing Up and Restoring IDF ................................................................11-10 Backup ......................................................................................................11-11 Restore .....................................................................................................11-12 Modifying Backup and Restore Options ............................................11-12 Backup .................................................................................................11-12

vi

Contents

Setting Up Scheduled Backups Using IDFBackup.bat ............... 11-13 Restore ................................................................................................ 11-13 Uninstalling the Server Plug-in ................................................................. 11-14

Chapter 12: System

About the System .......................................................................................... 12-2 Viewing System Events ................................................................................ 12-2 Filtering the List and Searching for an Event ...................................... 12-3 Exporting Events ................................................................................ 12-4 Event Tagging .......................................................................................... 12-4 Tagging Events .................................................................................... 12-5 System Settings .............................................................................................. 12-6 Computers ............................................................................................ 12-7 Firewall and DPI Settings ................................................................ 12-10 Interface Isolation Settings ................................................................... 12-17 Contexts Settings .................................................................................... 12-18 Reconnaissance Settings ........................................................................ 12-19 Scan Settings ........................................................................................... 12-21 Notifications Settings ............................................................................ 12-21 Ranking Settings ..................................................................................... 12-22 Updates .................................................................................................... 12-23 System ...................................................................................................... 12-24 Tags ............................................................................................................... 12-25 Tasks ............................................................................................................. 12-26 Licenses ........................................................................................................ 12-27 Updates ......................................................................................................... 12-28 Security Updates ..................................................................................... 12-28 Applying Security Updates .............................................................. 12-28 Client Plug-in Updates .......................................................................... 12-29 Server Diagnostics ................................................................................. 12-30

vii

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Chapter 13: Logging

About Logging ...............................................................................................13-2 Configuring Logs ...........................................................................................13-2 Configuring Notifications ............................................................................13-2 Syslog ..........................................................................................................13-3 SNMP .........................................................................................................13-3 Scripts .........................................................................................................13-3 Configuring Syslog Integration ...................................................................13-3 Setting up a Syslog on Red Hat Enterprise ..........................................13-4 IDF Server Plug-in Settings ....................................................................13-4 Parsing Syslog Messages ..........................................................................13-5 Firewall Event Log Format ................................................................13-6 DPI Event Log Format ....................................................................13-11 System Event Log Format ...............................................................13-17 Advanced Logging Policy Modes .............................................................13-19

Chapter 14: Getting Help

Contacting Trend Micro ...............................................................................14-2 Technical Support ....................................................................................14-2 The Trend Micro Knowledge Base .......................................................14-3 TrendLabs ..................................................................................................14-4 Security Information Center ...................................................................14-4 Sending Suspicious Files to Trend Micro .............................................14-5 Documentation Feedback .......................................................................14-5

Appendix A: Ports Used by IDF

Port: 4118 ................................................................................................... A-1 Port: 4119 (default) ................................................................................... A-1 Port: 4120 (default) ................................................................................... A-2 Port: 514 (default) ...................................................................................... A-2 Port: 25 (default) ........................................................................................ A-2 Port: 80 ........................................................................................................ A-3 Port: 389 ...................................................................................................... A-3 Port: Randomly selected ........................................................................... A-3

viii

Contents

Appendix B: Computer and Client Plug-in Status

Computer States ..............................................................................................B-2 Client Plug-in States ........................................................................................B-5 Computer Errors .............................................................................................B-5

Appendix C: Events
Firewall Events ................................................................................................C-2 DPI Events ......................................................................................................C-5 System Events .................................................................................................C-8 Client Plug-in Events .................................................................................. C-24

Index

ix

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

List of Tables

List of Tables
Table P-1. OfficeScan documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiv Table P-2. Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv Table 9-1. XML Quoting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14 Table 9-2. Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20 Table 9-3. Reserved Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20 Table 9-4. Virtual Registers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22 Table 9-5. Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25 Table 9-6. Signed Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25 Table 9-7. Unsigned Comparison. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25 Table 9-8. Modulo32 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26 Table 9-9. Basic Arithmetic Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-26 Table 9-10. Bitwise Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-27 Table 12-1. Client Plug-in's activation-related command-line options . . . . . . . . 12-9 Table 13-1. Signature IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6 Table 13-2. Firewall Event Extension Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7 Table 13-3. DPI Event Log Format Extensions . . . . . . . . . . . . . . . . . . . . . . . . 13-12 Table 13-4. System Event Log Format Extensions. . . . . . . . . . . . . . . . . . . . . . 13-18 Table 13-5. Ignored Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19

xi

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Table B-1. Computer States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-2 Table B-2. Client Plug-in States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5 Table B-3. Computer Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-5 Table C-1. Firewall Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-2 Table C-2. DPI Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-5 Table C-3. System Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-8 Table C-4. Client Plug-in Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C-24

xii

Preface

Preface
Welcome to the Trend Micro Intrusion Defense Firewall Administrators Guide. This guide discusses getting started information, client installation procedures, and Intrusion Defense Firewall (IDF) server and client management. Topics in this chapter: Intrusion Defense Firewall Documentation on page xiv Audience on page xv Document Conventions on page xv

xiii

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Intrusion Defense Firewall Documentation

Intrusion Defense Firewall documentation includes the following:
TABLE P-1.
OfficeScan documentation

D OCUMENTATION
Deployment Guide

D ESCRIPTION
A PDF document that discusses requirements and procedures for installing the IDF Server Plug-in, upgrading the Server Plug-in, and installing the IDF Client Plug-in A PDF document that discusses getting started information, IDF Client Plug-in installation procedures, and IDF Server Plug-in and Client Plug-in management HTML files that provide "how to's", usage advice, and field-specific information. The Help is accessible from the IDF Server Plug-in user interface. Contains a list of known issues and basic installation steps. It may also contain late-breaking product information not found in the Help or printed documentation. An online database of problem-solving and troubleshooting information. It provides the latest information about known product issues. To access the Knowledge Base, go to the following Web site: http://esupport.trendmicro.com/support

Administrators Guide

Help

Readme file

Knowledge Base

Download the latest version of the PDF documents and readme at: http://www.trendmicro.com/download

xiv

Preface

Audience
The Intrusion Defense Firewall documentation is intended for OfficeScan Administrators who are responsible for OfficeScan management. These users are expected to have in-depth knowledge of networking, server management, and OfficeScan.

Document Conventions
To help you locate and interpret information easily, the OfficeScan documentation uses the following conventions:
TABLE P-2.
Document conventions

C ONVENTION
ALL CAPITALS

D ESCRIPTION
Acronyms, abbreviations, and names of certain commands and keys on the keyboard Menus and menu commands, command buttons, tabs, options, and tasks References to other documentation or new technology components A "breadcrumb" found at the start of procedures that helps users navigate to the relevant Web console screen. Multiple breadcrumbs means that there are several ways to get to the same screen. Indicates that the text inside the angle brackets should be replaced by actual data. For example, C:\Program Files\<file_name> can be C:\Program Files\sample.jpg. Provides configuration notes or recommendations

Bold

Italics

TOOLS > C LIENT TOOLS

<Text>

Note: text

xv

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE P-2.

Document conventions (Continued)

C ONVENTION

D ESCRIPTION
Provides best practice information and Trend Micro recommendations

Tip: text

WARNING! text

Provides warnings about activities that may harm computers on your network

xvi

Chapter 1

Introducing Intrusion Defense Firewall

This chapter introduces Trend Micro Intrusion Defense Firewall and describes whats new in this release. Topics in this chapter: About Instrusion Defense Firewall on page 1-2 New in this Release on page 1-2

1-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Instrusion Defense Firewall

Trend Micro Intrusion Defense Firewall 1.5 for OfficeScan is an advanced intrusion defense system. It provides the best and last line of defense against attacks that exploit vulnerabilities in commercial and custom software, including web applications. IDF enables you to create and enforce comprehensive security policies that proactively protect sensitive data, applications, computers or network segments. The system consists of an IDF Server Plug-in and multiple IDF Client Plug-ins.

New in this Release

Trend Micro Intrusion Defense Firewall includes the following new features and enhancements:
Performance and Scalability

Intrusion Defense Firewall 1.5 brings increased overall performance and scalability by significantly improving the speed and efficiency of security update deployments, heartbeats, recommendation scans, memory usage, and the IDF Server Plug-in user interface.
Automatic Activation and/or Protection of Newly Added Computers

Tasks now let you automatically and conditionally activate and/or assign Security Profiles to computers that are: Added via Client Plug-in-initiated activation Added when OfficeScan client inventory is synchronized

Expanded OfficeScan Corporate Edition (OSCE) Support

Intrusion Defense Firewall 1.5 supports the following OSCE features: OSCE 10.6 and PLM 2.0 OSCE dashboard widgets OSCE mash-up widgets

Event Tagging

Event Tagging allows you to manually tag events with predefined or custom labels, which enables specialized views of events, dashboards, and reports that can be applied to a single event, similar events, or even to all future similar events.

1-2

Introducing Intrusion Defense Firewall

Expanded Platform and File System Support

Intrusion Defense Firewall 1.5 supports the following client and server platforms: 32- and 64-bit clients and servers Separate 32- and 64-bit client deployment FAT32 file systems Microsoft SQL Server 2008

Multi-Language Support

Intrusion Defense Firewall 1.5 is available in multiple language versions. Please contact Trend Micro to find out what languages are available.

1-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

1-4

Chapter 2

Getting Started with Intrusion Defense Firewall

This chapter introduces the Trend Micro Intrusion Defense Firewall Server Plug-in, describes the basics of the Server Plug-in interface, and provides an overview of the Server Plug-in screens. For a description of how to install and configure IDF, see the Intrusion Defense Firewall Deployment Guide. Topics in this chapter: The IDF Server Plug-in on page 2-2 The IDF Client Plug-in on page 2-2 Opening the IDF Server Plug-in Interface on page 2-3 IDF Server Plug-in Interface on page 2-4 Program Overview on page 2-8

2-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

The IDF Server Plug-in

The IDF Server Plug-in is the application for managing all client computers. The server performs two important functions: Installs, monitors, and manages IDF clients Downloads most of the components needed by clients. The server downloads components from the Trend Micro ActiveUpdate server and then distributes them to clients.

The IDF Server Plug-in is capable of providing real-time, bidirectional communication between the server and clients. The IDF Server Plug-in operates as a plug-in to OfficeScan and allows you to manage the clients from the browser-based OfficeScan Web console, which you can access from virtually anywhere on the network. The server communicates with the client (and the client with the server) through Hypertext Transfer Protocol (HTTP).

The IDF Client Plug-in

Protect computers from security risks by installing the IDF Client Plug-in on each computer. The client provides Port Scanning and Recommendation Scanning.

2-2

Getting Started with Intrusion Defense Firewall

Opening the IDF Server Plug-in Interface

The IDF Plug-in Interface is the central point for monitoring Internet Defense Firewall. The IDF Plug-in Interface opens as a plug-in to the OfficeScan Web console. Once logged into OfficeScan Web console, you can access the IDF Server Plug-in.
To open the IDF Server Plug-in:

1. 2. 3. 4. 5.

Open the OfficeScan Web console. In the navigation panel, click Plug-in Manager. In the Intrusion Defense Firewall section, click Manage Program. The Intrusion Defense Firewall - Getting Started screen appears. To open IDF next time without the Getting Started screen displayed, select Do not display this message the next time I access the Intrusion Defense Firewall. In the Intrusion Defense Firewall - Getting Started screen, click Continue. IDF Interface opens with the Dashboard displayed.

FIGURE 2-1.

IDF Dashboard

2-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

IDF Server Plug-in Interface

IDF Server Plug-ins web-based user interface was designed to provide you with easy access to all elements of the IDF system. The following are its main features.

FIGURE 2-2.

IDF User Interface

Navigation Pane
The navigation pane contains the tree-based navigation system. Elements of the IDF system are organized as follows: Dashboard: an at-a-glance overview of the status of the IDF system Alerts: a summary of current critical and warning alerts concerning system or security events Reports: a report generator to produce summaries of system status and summaries of activities Computers: a list of computers on your network with status information for each Security Profiles: a list of defined Security Profiles Firewall

2-4

Getting Started with Intrusion Defense Firewall

Firewall Events: logs of security-related Firewall activity Firewall Rules: where you define and manage Firewall Rules Stateful Configurations: where you define and manage Stateful Configurations DPI Events: logs of security-related DPI activity DPI Rules: where you define and manage DPI Rules Application Types: Application Types are defined by connection direction, protocol, and ports. They define the traffic DPI Rules operate on.

Deep Packet Inspection

Components: a list of common components used by various elements of the IDF system System: where you can find administrative tools to manage the operation of the IDF system, and view records and reports of system events

Task Pane
Clicking an element in the navigation pane will display that elements screen in the task pane. Almost all of your work will be done on a screen in the task pane. Where the task pane displays lists of items, columns can be added or removed by clicking the Add/Remove Columns button in the toolbar ( ). The order in which the columns are displayed can be controlled by dragging them into their new position. Listed items can be sorted and searched by the contents of any column.

Pagination Controls
Some lists displayed in the task pane will contain more elements than can be shown on a single screen. When this is the case, the pagination information shows the subset of items you are viewing. Use the pagination tool to move from page to page of your list or enter an item number in the text box to start the list there. The number of items to display per page can be configured in the System section.

2-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

View Control
Where appropriate, the view control gives you options for displaying listed items. For example, when you click a computer domain in the navigation pane, computers belonging to that domain will be listed in the task pane. The view control will let you choose between displaying only computers from that domain, and displaying computers in that domain and all sub-domains. Where appropriate, the view control lets you organize your listed items into categories. For example, you may want to domain your listed computers by the Security Profile that has been assigned to them.

Toolbar
The toolbar holds buttons which carry out various actions specific to the screen you are working in. Most commonly, these will include buttons for the deletion, modification, and creation of list items. Many of the toolbar options are also available from the context menu. The IDF Server Plug-in allows you to save your searches for reuse. This effectively lets you create reusable filters to apply to listed items.

Search and Advanced Search

The simplest way to search is to use the simple search bar.

FIGURE 2-3.

The Simple Search Bar

This will search the database for matches among the listed items (Firewall Events in the Firewall screen, System Events on the System Events screen, etc.)
Note: All items will be searched, not just the ones currently displayed. For instance, if you are viewing Firewall Events for all computers over the last 7 days, the Firewall Events screen may display a message like Only the most recent 1,000 out of 55,056 items have been included. Consider using a narrower date range or additional search criteria. Even though only 1000 items are made available for display, all 55,056 items will be searched. The search engine will search through each field in the database except the date.

2-6

Getting Started with Intrusion Defense Firewall

For more sophisticated searches, click Advanced Search and then Open Advanced Search.

FIGURE 2-4.

Advanced Search

The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe. The Computers toolbar lets you organize the display of event log entries by domain or computer Security Profiles.

FIGURE 2-5.

Computers Toolbar

Search functions (searches are not case sensitive): Contains: The entry in the selected column contains the search string Does Not Contain: The entry in the selected column does not contain the search string Equals: The entry in the selected column exactly matches the search string Does Not Equal: The entry in the selected column does not exactly match the search string

2-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

In: The entry in the selected column exactly matches one of the comma-separated search string entries Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries

Pressing the plus button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the submit button (at the right of the toolbars with the right-arrow on it).

Status Bar
The status bar displays information relating to the current state of your IDF system. The number of active alerts (if any) is displayed at the right edge of the status bar. The left side of the status bar dynamically displays what actions are currently in progress such as computer-discovery, port-scanning operations, Client Plug-in activations, Client Plug-in updates, or Client Plug-in upgrades.

Context Menus
Many of the IDF Server Plug-ins screens have context-sensitive menus. Right-clicking a security Profile, for example, gives you a context menu with quick access to most of the options in the toolbar for that screen. Right-clicking a computer domain displays a context menu with options to manage the current domain or create a new one.
Note: Many elements of the UI display informative tool tips when the mouse pointer is held over them.

Program Overview
The Server Plug-in provides the following screens for managing Intrusion Defense Firewall: Dashboard Alerts Reports Computers

2-8

Getting Started with Intrusion Defense Firewall

Security Profiles Firewall Deep Packet Inspection Components System

Dashboard
The Dashboard provides a quick at-a-glance view of the state of the IDF system. The following figure shows an example of the Dashboard display.

FIGURE 2-6.

Dashboard screen

The Dashboard displays information panels, called widgets, that can be customized on the screen and filtered by date/time range. For detailed information about the Dashboard, see Dashboard starting on page 3-1.

2-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Alerts
The Alerts screen allows you to view and configure IDF Alerts. IDF Alerts notify you when important events occur that may require action. The following figure shows the Alerts screen.

FIGURE 2-7.

Alerts screen

For detailed information about the Alerts screen, see Alerts starting on page 4-1.

2-10

Getting Started with Intrusion Defense Firewall

Reports
The Reports screen allows you to generate reports. The following figure shows the Reports screen.

FIGURE 2-8.

Reports screen

For detailed information about generating reports, see Reports starting on page 5-1.

2-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Computers
The Computers screen allows you to manage the computers in your network. The following figure shows the Computers screen.

FIGURE 2-9.

Computers screen

For detailed information about how to manage computers, see Managing Computers starting on page 6-1.

2-12

Getting Started with Intrusion Defense Firewall

Security Profiles
Security Profiles allow common configurations of Firewall Rules, Stateful Configurations, and DPI Rules to be saved for easy assignment to multiple computers. The following figure shows the Security Profiles screen.

FIGURE 2-10. Security Profiles screen

For detailed information about Security Profiles, see Security Profiles starting on page 7-1.

2-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Firewall
The Firewall screen allows you to manage the Firewall, including monitor Firewall Events and configure Firewall Rules. The following figure shows the Firewall Rules screen.

FIGURE 2-11. Firewall screen

For more information on managing the Firewall, see Using the IDF Firewall starting on page 8-1.

2-14

Getting Started with Intrusion Defense Firewall

Deep Packet Inspection

The Deep Packet Inspection screen enables you to monitor DPI events and configure DPI Rules. The following figure shows the DPI Rules screen.

FIGURE 2-12. Deep Packet Inspection DPI Rules screen

For more information on managing Deep Packet Inspection, see Using Deep Packet Inspection starting on page 9-1.

2-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Components
The Components screens allow you to manage IP lists, MAC lists, Port lists, Contexts, and Schedules. The following figure shows the Components Port Lists screen.

FIGURE 2-13. Components Port Lists screen

For more information on managing components, see Components starting on page 10-1.

2-16

Getting Started with Intrusion Defense Firewall

System
The System screens allow you to manage system tasks, including monitor system events, configure system settings, define event tags, define tasks, and manage licenses and updates. The following figure shows the System Events screen.

FIGURE 2-14. System Events screen

For more information, see System starting on page 12-1.

2-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

2-18

Chapter 3

Dashboard
This chapter describes how to use Trend Micro Intrusion Defense Firewall Dashboard. Topics in this chapter: About the Dashboard on page 3-2 Customizing the Dashboard on page 3-3 Managing Dashboard Configurations on page 3-6 Opening a Saved Dashboard Configuration on page 3-7

3-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About the Dashboard

The Dashboard is the first screen that comes up after you log in to the IDF Server Plug-in. The Dashboard provides a quick at-a-glance view of the state of the IDF system by displaying a configurable number of information panels, called widgets, that provide information such as Alert history and status, computer status, firewall activity, DPI activity, Reconnaissance Scan history, and System Event history. When logging in to the IDF Server Plug-in, the layout of the Dashboard is preserved from your last session.

FIGURE 3-1.

Dashboard

To open the Dashboard, select Dashboard from the IDF Main Menu.

About Widgets
Many widgets contain links to let you drill down to the data. For example, clicking a column in the DPI History chart takes you to the DPI Events screen listing all the DPI Events that occurred on that day.

3-2

Dashboard

Note:

The trend indicators next to the numeric values in the 1x1 widgets. An upward or downward pointing triangle indicates an increase or decrease compared to the previous time period, and a flat line indicates no significant change.

Customizing the Dashboard

Several aspects of the Dashboard can be configured and customized, and layouts can be saved and displayed when you log in. (The Dashboard will be displayed as you left it when you logged out. Configurable elements of the Dashboard display are by tag, the time period the data is taken from, which computers or computer domains data is displayed, which widgets are displayed, and the layout of those widgets on the screen.

3-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Configuring Widget Layout

Widgets can be rearranged on the screen by selecting them by the title bar, and dragging and dropping them to their new locations. Move the widget over an existing one and they will exchange places. (The widget that is about to be displaced will temporarily gray out.) Widgets can also be added to or removed from the Dashboard display.

FIGURE 3-2.

Changing Widget Layout

3-4

Dashboard

Adding and Removing Dashboard Widgets

Click Add/Remove Widgets... at the top right of the Dashboard to open the Add/Remove Widgets window to view the list of available widgets and choose which widgets to display.

FIGURE 3-3.

Adding and removing Dashboard Widgets

To remove a widget from the Dashboard, click the X in the top-right corner of the widget.

Filtering Information by Tags

The Dashboard allows you to filter information by one or more tags, or to view all or untagged information. To switch between these views, use the drop-down menu at the top of the screen.

FIGURE 3-4.

View by Tag

3-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To filter by tags, enter the tag names into the Tag(s) box. Use * to indicate any string and ? to indicate any character. To remove the filter, select All or Untagged.

Filtering Information by Date/Time Range

The Dashboard displays data from either the last 24 hours, or the last seven days. To switch between these two views, use the drop-down menu at the top of the screen.

FIGURE 3-5.

Date/Time Range

Filtering by Computer and Computer Domain

Use the Computer: drop-down menu to filter the displayed data to display only data from specific computers.

FIGURE 3-6.

Computers and Computer Domains

Managing Dashboard Configurations

Individual Dashboard configurations can be saved, loaded, and deleted using the Configuration menu at the top right of the Dashboard.
To save a Dashboard configuration:
P ATH : IDF M AIN M ENU | D ASHBOARD

1. 2. 3.

Add, remove, and rearrange widgets and set any filters as desired. Click the Configuration menu in the top right of the Dashboard and select Save Configuration... Enter a name in the Name box and click OK.

3-6

Dashboard

To delete a Dashboard configuration:

P ATH : IDF M AIN M ENU | D ASHBOARD

Click the Configuration menu in the top right of the Dashboard and click the X next to the Configuration name.

Opening a Saved Dashboard Configuration

To open a saved configuration, click Configuration and select the configuration from the drop-down menu

FIGURE 3-7.

Opening a Saved Dashboard Configuration

3-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

3-8

Chapter 4

Alerts
This chapter describes how to use Trend Micro Intrusion Defense Firewall Alerts to monitor events. Topics in this chapter: About Alerts on page 4-2 Viewing Alerts on page 4-2 Configuring Alerts on page 4-3 Setting Up Alert Emails on page 4-4

4-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Alerts
There are just over 60 conditions that trigger Alerts in the IDF system. Generally Alerts exists to warn of system status anomalies such as computers going offline or DPI Rules being out of date, although there are some alerts for the detection of fingerprinting scans and other security-related events. (For notifications of individual DPI and Firewall Events, consider setting up a Syslog server.)

Viewing Alerts
The Alerts screen displays all active alerts. Alerts can be displayed in a Summary View which will domain similar alerts together, or in List View which lists all alerts individually. To switch between the two views, use the drop-down menu next to Alerts in the screens title.

FIGURE 4-1.

Alerts

In Summary View, expanding an alert panel (by clicking Show Details) displays all the computers that have generated that particular alert. (Clicking the computer will display the computers Details window.) In Summary View if the list of computers is longer than five, an ellipsis (...) appears after the fifth computer. Clicking the ellipsis displays the full list. Once you have taken the appropriate action to deal with the alert, you can dismiss the alert by selecting the checkbox next to the target of the alert and clicking the Dismiss link. (In List View, right-click the alert to see the list of options in the context menu.) Alerts can be of two types: system and security. System alerts are triggered by System Events (Client Plug-in Offline, Clock Change on Computer, etc.) Security alerts are triggered by DPI and Firewall Rules. Alerts can be configured by clicking Configure Alerts....

4-2

Alerts

Note:

Use the computers filtering bar to view only alerts for computers in a particular computer domain, with a particular Security Profile, etc.

Configuring Alerts
Alerts can be turned on or off, the severity set to Warning or Critical, and which of the following actions to take when an Alert occurs. Send email to notify when this alert is raised. Send email to notify when conditions for this alert change, such as the number of items. Send email to notify when this alert no longer exists.

To configure Alerts:
P ATH : IDF M AIN M ENU | A LERTS P ATH : IDF M AIN M ENU | S YSTEM > S YSTEM S ETTINGS > S YSTEM

1.

Click Configure Alerts... at the top-right of the Alert screen, or in the System screen, click View Alert Configuration... The Alert Configuration window opens, showing a list of the alerts, along with Severity and On/Off information.

2. 3.

To filter the list, choose By Severity or No Grouping from the drop-down list at the top of the screen. To view alert information and edit the actions precipitated by each alert, right-click on the alert and select Properties... to open the Properties window. Alerts can be turned on or off; their severity can be switched between Warning and Critical.
Note: Alerts cannot be configured differently for individual Security Profiles or computers. All configuration changes to an Alert's properties are global.

You can specify a default email address to which all email alerts will be sent. To set up Alert emails, see the next section, Setting Up Alert Emails.

4-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Setting Up Alert Emails

The IDF Server Plug-in can send an email when selected alerts are triggered. To enable the email system, you must give IDF Server Plug-in access to an SMTP mail server. You must configure your SMTP settings and select which alerts will trigger emails. There are over 30 conditions that trigger alerts and you may not want all of them to trigger the sending of an email.
To configure your SMTP Settings:
P ATH : IDF M AIN M ENU | S YSTEM > S YSTEM S ETTINGS > S YSTEM

1. 2.

In the SMPTP area, type the address of your SMTP mail (with the port if required). Enter a From email address from which the emails should be sent. Optionally type a bounce address to which delivery failure notifications should be sent if the alert emails cant be delivered. If your SMTP mail server requires outgoing authentication, type the username and password credentials. Once youve entered the necessary information, use Test SMTP Settings to test the settings.

3.

To configure which alerts trigger the sending of an email:

P ATH : IDF M AIN M ENU | S YSTEM > S YSTEM S ETTINGS

4.

Click the System tab, then click View Alert Configuration... to display the list of all alerts. A checkmark in the On column indicates whether the alert is on or not. If it is on, it means the alert will be triggered if the corresponding situation arises, but it does not mean an email will sent out.

5. 6.

Double-click an alert to view its Alert Configuration screen, or right-click on the alert and select Properties... from the popup menu. To have an alert trigger an email, choose On and select at least one of the Send Email checkboxes.

4-4

Chapter 5

Reports
This chapter describes how to configure and generate Trend Micro Intrusion Defense Firewall reports. Topics in this chapter: About Reports on page 5-2 Generating Reports on page 5-2

5-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Reports
Most of the reports generated by the Reports screen have configurable parameters such as date range or reporting by computer domain. Parameter options will be disabled for reports to which they dont apply. The available report types are: Alert Report Attack Report Firewall Report Forensic Computer Audit Report Computer Report DPI Report Recommendation Report Summary Report Suspicious Application Activity Report System Event Report

Generating Reports
Reports allow you to generate reports in PDF or RTF formats. You can select the type of report and filter the information to include by tags, time period, security profile, and domain or computer. You can choose to password protect the reports.
To generate a report:
P ATH : IDF
MAIN MENU

| R EPORTS

1. 2.

In the Reports area, select the type of report to generate and a format. The reports can be output to PDF or RTF format. In the Tag Filter area, define any tags for the report. When you select a report which contains event data, you have the option to filter the report data using Event Tags. Select All for only tagged events, Untagged for only untagged events, or select Tag(s) and specify one or more tags to include only those events with your selected tag(s).

3.

In the Time Filter area, you can set the time filter for any period for which records exist. This is useful for security audits.

5-2

Reports

Note:

Reports use data stored in counters. Counters are data aggregated periodically from Events. Counter data is aggregated on an hourly basis for the most recent three days. Data older than three days is stored in counters that are aggregated on a daily basis. For this reason, the time period covered by reports for the last three days can be specified at an hourly level of granularity, but beyond three days, the time period can only be specified on a daily level of granularity.

4. 5.

In the Computer Filter area, set the computers whose data will be included in the report. In the Encryption area, you can set password protection.
Note: If your reporting requirements are not met by the original reports included with IDF Server Plug-in, it may be possible to have custom reports designed for you. Please contact your support provider for more information.

5-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

5-4

Chapter 6

Managing Computers
This chapter describes how to manage Trend Micro Intrusion Defense Firewall Computers and the IDF Client Plug-in. Topics in this chapter: About Computers on page 6-2 Viewing Computer Information on page 6-2 Scanning Computers for Open Ports on page 6-5 Scanning Computers for Recommendations on page 6-6 Assigning a Security Profile to a Computer on page 6-10 Managing Client Plug-ins on page 6-11 Viewing Events for a Computer on page 6-18 Locking and Unlocking a Computer on page 6-19 Assigning Computer Asset Value on page 6-20 Viewing and Editing Computer Details on page 6-21 Inheritance and Overrides on page 6-28

6-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Computers
Intrusion Defense Firewall enables you to monitor the computers in your network, manage the Client Plug-in on each computer, perform port scans and Recommendation Scans, assign Security Profiles, and view Events for a computer.

Viewing Computer Information

The Computers screen allows you to manage and monitor the computers on your network, displaying the managed computers along with information about each computer such as the platform, security profile, status, and last successful update. To open the Computers screen, click Computers in the IDF main menu.

FIGURE 6-1.

Computers Screen

This screen updates itself periodically. To add or remove information columns, click the Add/Remove Columns button in the toolbar, and select the columns to include from the Add/Remove Columns popup window.

6-2

Managing Computers

Viewing a Computer Preview

Preview expands a display area beneath a listed computer. The preview pane displays the presence of a Client Plug-in, its status, and details about the Firewall and DPI modules.

FIGURE 6-2.

Computer Preview Pane

To view a computer preview:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Click Preview in the toolbar. Select the computer to preview. The Preview option remains enabled until you click the Preview button again.

Checking the Status of a Computer

This command simply checks the status of a Computer without performing a scan or activation attempt. For detailed information on computer status, see Computer and Client Plug-in Status on page B-1.
To check the status:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers for which to check the status. Right-click to display the popup menu and select Actions > Check Status.

Searching for a Computer

Use the Search textbox to search for a particular Computer among listed Computers. For more sophisticated search options, use the Advanced Search option below it. Advanced Search functions (searches are not case sensitive):

6-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Contains: The entry in the selected column contains the search string Does Not Contain: The entry in the selected column does not contain the search string Equals: The entry in the selected column exactly matches the search string Does Not Equal: The entry in the selected column does not exactly match the search string In: The entry in the selected column exactly matches one of the comma-separated search string entries Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries

Synchronizing the Computer List with OfficeScan

The IDF computer list is synchronized automatically with OfficeScan every time you start the Server Plug-in, but it will not be updated if Computers are added to OfficeScan while the Server Plug-in is running. Use Synchronize with OfficeScan button on the toolbar to force a synchronization with OfficeScan while the Server Plug-in is running.
Note: When the OfficeScan Client is installed on a Computer, the OfficeScan Server assigns it a unique identification number. It is this unique identification number that OfficeScan and Intrusion Defense Firewall use to keep track of individual Computers. If the OfficeScan Client is uninstalled from a Computer and then reinstalled (with the Intrusion Defense Firewall Client Plug-in), OfficeScan will assign the Computer a new Unique ID. The next time you synchronize with OfficeScan to update the list of Computers, Intrusion Defense Firewall will see the new unique identification number and treat the Computer as a new entry. Because the Computer's hostname will not have changed, the new listing for the Computer will append _1 (or _2, or _3, and so on) to the end of the hostname. You will now have the same Computer listed twice: once as hostname and again as hostname_1. You should delete the first listing (hostname) and keep the second (hostname_1). (You can rename hostname_1 back to hostname after deleting the original listing.)

6-4

Managing Computers

Scanning Computers for Open Ports

A port scan performs a scan on all selected computers and checks the Client Plug-in installed on the computer to determine whether its state is either Client Plug-in Deactivate Required, Client Plug-in Activate Required, Client Plug-in Reactivate Required, or Online. (The scan operation, by default, scans ports 1-1024. This range can be changed in the System > System Settings section under the Scan tab.) For information on how configure the ports to scan, see Configuring Port Scan Settings on page 10-5.
Note: Port 4118 is always scanned regardless of port range settings. It is the port on the computer to which Server Plug-in initiated communications are sent. If communication direction is set to Client Plug-in Initiated for a computer (Computer Details > System > Settings > Computer > Communication Direction), port 4118 is closed.

To scan for open ports from the computer list:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers to scan. Click Scan for Open Ports in the toolbar, or right-click and select Actions > Scan for Open Ports from the popup menu.
MAIN MENU

To scan for open ports from the computer Firewall screen:

P ATH : IDF | C OMPUTERS

1. 2. 3. 4.

Select the computer. Right-click and select Details... from the popup menu. In the navigation pane, click Firewall. Click the Scan for Open Ports button.

Another way to initiate port scans is to create a Scheduled Task to regularly carry out port scans on a list of computers.

6-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Canceling Any Currently Executing Port Scans

If you have initiated a set of port scans to a large number of Computers and/or over a large range of ports and the scan is taking too long, use this option to cancel the scans.
To cancel a scan:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers for which to cancel a scan. Right-click to display the popup menu and select Actions > Cancel Scan(s) for Open Ports or Cancel Scan(s) for Recommendations.

Scanning Computers for Recommendations

Scan for Recommendations causes the IDF Server Plug-in to scan the Computer and then make recommendations for Security Rules based on what is detected. The results of a recommendation scan can be seen in the Computers Details window on the various Rules screens. See Viewing and Editing Computer Details on page 6-21 for more information. When you instruct IDF to run a Recommendation Scan on a computer, the IDF Client Plug-in scans the computers registry, running processes, open ports, file system, and services for known vulnerabilities. The Client Plug-in scans not only the operating system but also installed applications. Based on what is detected, IDF will recommend DPI Rules.
Note: For large deployments, Trend Micro recommends managing Recommendations at the Security Profile level. That is, all computers that are to be scanned should already have a Security Profile assigned to them. This way, you can make all your rule assignments from a single source (The Security Profile) rather than having to manage individual rules on individual computers.

Recommendation Scans can be initiated manually or you can create a Scheduled Task to periodically run scans on certain computers.

6-6

Managing Computers

To scan for recommendations manually:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers to scan. Click Scan for Recommendations in the toolbar, or right-click and select Actions > Scan for Recommendations from the popup menu.
MAIN MENU

To create a Recommendation Scan Scheduled Task:

P ATH : IDF | S YSTEM > TASKS

1. 2. 3. 4.

Click New on the toolbar and select New Scheduled Task to display the New Scheduled Task wizard. Select Scan Computers for Recommendations from the Type menu and select how often you want the scan to occur. Click Next. The next screen will let you be more specific about the scan frequency, depending on your choice. Make your selection and click Next. Now select which computer(s) will be scanned and click Next.
Note: As usual, for large deployments its best to perform all actions through Security Profiles.

5.

Finally, give a name to your new Scheduled Task, select whether or not to Run Task on Finish, click Finish.

6-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Managing Recommendation Scan Results

Once a Recommendation Scan is complete, open the Security Profile that is assigned to the computers you have just scanned. Navigate to Deep Packet Inspection > DPI Rules. Sort the rules By Application Type, and select Show Recommended for Assignment from the display filter menu:

FIGURE 6-3.

Recommendation Scan Results

All the recommendations made for all the computers included in the Security Profile will be listed.
Note: There are two kinds of green flags. Full flags ( ) and partial flags( ). Recommended Rules always have a full flag. Application Types may have a full or partial flag. If the flag is full, it signifies that all the Rules that are part of this Application Type have been recommended for assignment. If the flag is partial, it signifies that only some of the Rules that are part of this Application Type have been recommended.

6-8

Managing Computers

Also notice the tool tip in the screen shot above. It reads: This DPI Rule is recommended on 3 of 21 computer(s) to which the security profile is assigned. Trend Micro recommends assigning all the recommended Rules to all the computers covered by the Security Profile. This may mean that some Rules are assigned to computers on which they are not required. However, the minimal effect on performance is outweighed by the ease of management that results from working through Security Profiles. Remember that a Recommendation Scan will make recommendations for DPI Rules. Once a Recommendation Scan has run, Alerts will be raised on the all computers for which recommendations have been made.
Note: The results of a recommendation scan can also include recommendation to unassign rules. This can occur if applications are uninstalled, if security patches from a manufacturer are applied, or if unnecessary rules have been applied manually. To view rules that are recommended for unassignment, select Show Recommended for Unassignment from the display filter menu.

Configuring Recommended Rules

Some Rules require configuration before they can be applied. For example, one DPI Rule requires that you set minimum and maximum thresholds for the number of emails expected to arrive in a day. If this is the case, an Alert will be raised on the computer on which the recommendation has been made. The text of the Alert will contain the information required to configure the rule.

Clearing Recommendations
Clear Rule recommendations resulting from a Recommendation Scan on this Computer. This will also remove the Computer from those listed in an Alert produced as a result of a Recommendation Scan.
Note: This action will not un-assign any rules that were assigned because of past recommendations.

6-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To clear recommendations:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers for which to clear recommendations. Right-click to display the popup menu and select Actions > Clear Recommendations.

Assigning Security Profiles

You can assign security profiles to one or more computers, or assign a profile to the current domain. For more on Security Profiles, see Security Profiles starting on page 7-1.

Assigning a Security Profile to a Computer

You can assign a Security Profile to one or more computers. The name of the Security Profile assigned to the computer will appear in the Security Profile column in the Computers List.
Note: If you apply other settings to a computer (for example, adding additional Firewall Rules, or modifying stateful configuration settings), the name of the Security Profile will be in bold indicating that the default settings have been changed.

To assign a Security Profile to one or more computers:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2. 3.

Select the computers to be assigned a profile. Click Assign Security Profile... in the toolbar, or right-click and select Actions > Assign Security Profile... from the popup menu. In the Assign Security Profile window, select the Security Profile to assign, and click OK.

6-10

Managing Computers

Assigning a Security Profile to the Current Domain

Assigning a Security Profile to a Domain has the effect of assigning that profile to every computer in that Domain. Keep in mind that Security Profiles are tied to computers at the Computer level, and not at the Domain level. Assigning a Security Profile to a Domain will assign that Security Profile to all computers in that Domain, but any computers added subsequently to the Domain will not automatically have that Security Profile assigned to them.

Managing Client Plug-ins

The Client Plug-in is installed on all client computers in the network, allowing the Server Plug-in to communicate and manage security on the client computer.

Configuring Plug-in Communications

At the default setting (Bi-directional), the Client Plug-in will initiate the heartbeat but will still listen on the Client Plug-in port for Server Plug-in connections and the Server Plug-in is free to contact the Client Plug-in in order to perform operations as required. Server Plug-in Initiated means that the Server Plug-in will initiate all communications. Communication will occur when the Server Plug-in performs scheduled updates, performs heartbeat operations (below), and when you choose the Activate/Reactivate or Update Now options from the Server Plug-in interface. If you are isolating the computer from communications initiated by remote sources, you can choose to have the Client Plug-in itself periodically check for updates and control heartbeat operations. If this is the case, select Client Plug-in Initiated.
Note: The following information is collected by the Server Plug-in during a heartbeat: the status of the drivers (on- or off-line), the status of the Client Plug-in (including clock time), Client Plug-in logs since the last heartbeat, data to update counters, and a fingerprint of the Client Plug-in security configuration (used to determine if it is up to date). You can change how often heartbeats occur (whether Client Plug-in or Server Plug-in initiated), and how many missed heartbeats can elapse before an alert is triggered.

6-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

This setting (like many other settings) can be configured at three levels: on all computers by setting a system-wide default, only on computers to which a particular Security Profile has been assigned, and on individual computers.
On the system as a whole:

1. 2.

Go to the Server Plug-ins System > System Settings screen and click the Computers tab. Select Server Plug-in Initiated, Client Plug-in Initiated, or Bi-Directional from the drop-down list in the Communication Direction panel. Open the Security Profiles Properties screen of the Security Profile whose communications settings you want to configure. Go to System > System Settings and go to the Computer tab. In the Direction of IDF Server Plug-in to Client Plug-in communication: drop-down menu, select one of the three options (Server Plug-in Initiated, Client Plug-in Initiated, or Bi-directional), or choose Inherited. If you select Inherited, the Security Profile will inherit the setting that was specified in the Server Plug-ins System > System Settings screen. Selecting one of the other options will override the global selection. Click Save to apply the changes. Open the Details screen of the computer whose communications settings you want to configure. Go to System > System Settings and go to the Computer tab. In the Direction of IDF Server Plug-in to Client Plug-in communication: drop-down menu, select one of the three options (Server Plug-in Initiated, Client Plug-in Initiated, or Bi-directional), or choose Inherited. If you select Inherited, the computer will inherit the setting that was specified on its Security Profiles Details window or in the Server Plug-ins System > System Settings screen. Selecting one of the other options will override the Security Profile and/or the global selection. Click Save to apply the changes.

Only on computers to which a particular Security Profile has been assigned:

1. 2. 3.

4. 1. 2. 3.

Only on a specific computer:

4.

6-12

Managing Computers

Note:

Client Plug-ins look for the IDF Server Plug-in on the network by the Server Plug-in's hostname. Therefore the Server Plug-in's hostname must be in your local DNS for Client Plug-in initiated or bi-directional communication to work.

Deploying the Client Plug-in

The Client Plug-in can generally be installed and managed using the Server Plug-in interface. However, in some cases, actions must be performed on the client computer itself.

Deploying the Client Plug-in from the Server

When you install a Client Plug-in on an OfficeScan client, the Client Plug-in will activate automatically.
Note: The Client Plug-in will install to <PROGRAM FILES>Trend Micro\IDF Client (This is the default location and cannot be changed.)

To deploy the Client Plug-in:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers on which to deploy the Client Plug-in. Right-click to display the popup menu and select Actions > Deploy Client Plug-in(s).

Using the Standalone Client Plug-in Installer

The IDF Stand-alone Client Plug-in Installer package is a self-extracting .msi file which is run on the client computer and is available from Trend Micro Support upon request. The client computer must already have the OSCE client installed on it. The Client Plug-in will perform automatic agent-initiated activation after installation but Client Plug-in Initiated Activation must be enabled from the IDF Server Plug-in console for automatic activation to work. (System > System Settings > Computers)

6-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

The standalone installer uses the OSCE Client to perform the installation of the IDF Client Plug-in, and assumes that the OSCE Client is already installed in the default location:
C:\Program Files\Trend Micro\OfficeScan Client. To use the Standalone Client Plug-in Installer:

1.

If you do not need logging: For the 32-bit platform, double-click IdfClient-1.5.0.xxxx-en.i386.msi. For the 64-bit platform, double-click IdfClient-1.5.0.xxxx-en.x86_64.msi. (xxxx is the internal build number.) If you need logging, do the following instead of step 1 above: a. b. c. Open a command window. Navigate to the folder containing the standalone msi. Run the following command:
msiexec /i IdfClient-1.5.0.xxxx-en.i386.msi /l*v idf_standalone.log

2.

The log file is named idf_standalone.log. 3. Verify the client is listed on the Computers screen and that its status is Managed.
Because the standalone installer will briefly interrupt the client's network connection, the installer must be run locally on the host computer.

Note:

Activating/Reactivating the Client Plug-in

When a Computer is unmanaged the Client Plug-in must be activated to move the Computer into a managed state. Prior to activation the Client Plug-in will be one of the following states: No Client Plug-in: Indicates there is no Client Plug-in running or listening on the default port. The No Client Plug-in status can also mean that a Client Plug-in is installed and running but is working with another Server Plug-in and communications are configured as Client Plug-in Initiated, and so the Client Plug-in is not listening for this Server Plug-in. (If you wish to correct the latter situation, you will have to deactivate the Client Plug-in from the Computer).

6-14

Managing Computers

Client Plug-in Installed: The Client Plug-in is installed and listening, and is ready to be activated by the Server Plug-in. Client Plug-in Activate Required: The Client Plug-in is installed and listening and is waiting to be activated by the Server Plug-in. Client Plug-in Reactivate Required: The Client Plug-in is installed and listening and is waiting to be activated by the Server Plug-in. Client Plug-in Deactivate Required: The Client Plug-in is installed and listening, but has already been activated by another Server Plug-in. To be activated by this Server Plug-in, the Client Plug-in must be deactivated locally on the Computer.

After a successful activation the Client Plug-in state will change to Managed. If the activation failed the Computer status will display Client Plug-in Activation Failed with the reason for the failure in brackets. Click this link to display the system event for more details on the reason for the activation failure.
To activate the Client Plug-in:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers on which to activate the Client Plug-in. Right-click to display the popup menu and select Actions > Activate/Reactivate.

Stopping and Starting the Client Plug-in

Stopping or starting the Client Plug-in can only be done locally on the computer.
To start or stop the Client Plug-in:

Stop: from the command line, run the following: sc stop ds_agent Start: from the command line, run the following: sc start ds_agent

Updating the Client Plug-in on a Computer

Updating the Client Plug-in on a Computer deploys any configuration changes you have made for that computer from the Server Plug-in to the Client Plug-in. Updates occur automatically at every heartbeat, but if you wish to apply your changes immediately, you can use this option. The Update Now button can be used to override the Computer access schedule or to force the Server Plug-in to retry an update if the previous attempt failed.

6-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

The automatic updates actually occur immediately if the communications are not Client Plug-in initiated, and they occur on the next heartbeat if Client Plug-in initiated.

To update the Client Plug-in:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers on which to deactivate the Client Plug-in. Right-click to display the popup menu and select Actions > Update Now.

Manually Upgrading the Client Plug-in

The occasion may arise where you are not able to upgrade the Client Plug-in software on a computer from the Server Plug-in interface because of connectivity restrictions between the Server Plug-in computer and the Client Plug-in computer. In such cases, upgrading the Client Plug-in software on a computer has to be performed manually. The new Client Plug-in software has to be downloaded manually from the Trend Micro Download Center. To manually upgrade the Client Plug-in, copy the Client Plug-in installer to the computer and run it. It will detect the previous Client Plug-in and perform the upgrade.

Deactivating the Client Plug-in on a Computer

Deactivating a Client Plug-in is not the same as uninstalling the Client Plug-in. Deactivation simply removes all rules, filters, etc. from the Client Plug-in and unbinds it from the exclusive control of the Server Plug-in. (Once a Server Plug-in activates a Client Plug-in, no other installation of an Intrusion Defense Firewall system can communicate with the Client Plug-in. Once deactivated, the Client Plug-in can then be re-activated by any Intrusion Defense Firewall Server, which will then have exclusive control over it.) Manual deactivation is required if the Server Plug-in can no longer communicate with the Client Plug-in. You may want to transfer control of a Computer/Client Plug-in from one IDF Server Plug-in installation to another. If so, the Client Plug-in has to be deactivated and then activated again by the new Server Plug-in. Deactivating the Client Plug-in can be done

6-16

Managing Computers

locally on the Computer through the Client Plug-in UI or from the Server Plug-in currently managing the Client Plug-in. (A computer does not have to be reachable in order to be deactivated. If an unreachable deactivated Computer becomes reachable again, it will simply appear as a New (Unknown) Computer in the Computers List.)
To deactivate the Client Plug-in from the Server Plug-in:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2. 1. 2. 3.

Select the computers on which to deactivate the Client Plug-in. Right-click to display the popup menu and select Actions > Deactivate. On the client machine, open a command prompt window (Start > Run > cmd.exe). Go to the Client Plug-in install directory:
cd c:\Program Files\Trend Micro\IDF Client

To manually deactivate the Client Plug-in:

Instruct the Client Plug-in to deactivate:

dsa_control /r /c ds_agent.crt

The Client Plug-in is now ready to be activated by another (or the same) Intrusion Defense Firewall Server.
Note: The Computer is now no longer being protected by the Intrusion Defense Firewall filters and rules.

Uninstalling the Client Plug-in

The Client Plug-in can generally be uninstalled from the Server Plug-in interface; however, in some cases, the Client Plug-in may have to be uninstalled manually from the the client computer.
Note: The IDF Client Plug-in cannot be uninstalled using the Control Panel Add or Remove Programs applet.

6-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To remove the Client Plug-in from the Server:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers from which to remove the Client Plug-in. Right-click to display the popup menu and select Actions > Remove Client Plug-in(s). On the client machine, open a command prompt window (Start > Run > cmd.exe). For 32-bit Windows, type the following and press Enter:
rundll32 "C:\Program Files\Trend Micro\IDF Client\IdfClientAgent.dll",Uninstall

To manually uninstall a Client Plug-in:

1. 2.

3.

For 64-bit Windows, type the following and press Enter:

rundll32 "C:\Program Files (x86)\Trend Micro\IDF Client\IdfClientAgent.dll",Uninstall

Viewing Events for a Computer

You can examine system and administrative events (that is, non security-related events) associated with a particular computer, or examine the latest Firewall Events uploaded from the Client Plug-in on this computer. You can override the normal event retrieval schedule (usually every heartbeat) and retrieve the Event logs from the computers now. For detailed information on computer events, see Client Plug-in Events on page C-24.
To view system events for a computer:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2. 3.

Select the computer for which to view system events. Right-click to display the popup menu and select View > View System Events... A new window opens, displaying the system events for the selected computer. For information about system events, see System Events on page C-8.

6-18

Managing Computers

To view firewall events for a computer:

P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2. 3.

Select the computer for which to view firewall events. Right-click to display the popup menu and select View > View Firewall Events... A new window opens, displaying the firewall events for the selected computer. For information about system events, see Firewall Events on page C-2.
MAIN MENU

To get events from the Client Plug-in now:

P ATH : IDF | C OMPUTERS

1. 2.

Select the computers from which to get events. Right-click to display the popup menu and select Actions > Get Events Now.

Clearing Warnings/Errors
If a Client Plug-in has been reset locally, or has simply been removed from the network before being deactivated or before the computer has been deleted from the Computers List, you can clear any warnings or errors generated for the computer.
To clear warnings and errors:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers for which to clear warnings and errors. Right-click to display the popup menu and select Actions > Clear Warnings/Errors.

Locking and Unlocking a Computer

You can lock a computer if you are going to perform some maintenance on it and dont want to trigger a series of alerts on the Server Plug-in.

6-19

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

The computers status will be displayed as locked while in this state and the Server Plug-in will not communicate with the Client Plug-in or trigger any Computer/Client Plug-in related alerts. Existing Computer alerts are not affected. If a Computer update is in progress it will be allowed to complete normally. Note that the Client Plug-in is not told that the Computer is in a locked state. If communication between the Client Plug-in and the Server Plug-in has been set to Client Plug-in Initiated or Bi-directional, it may generate an event which it will report when it finally contacts the Server Plug-in again.

To lock a computer:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computers to lock. Right-click to display the popup menu and select Actions > Lock.
MAIN MENU

To unlock a computer:
P ATH : IDF | C OMPUTERS

1. 2.

Select the computers to unlock. Right-click to display the popup menu and select Actions > Unlock.

Assigning Computer Asset Value

A Computer Asset Value is a (customizable) rating system used to assign value to Computers. Each grade in the rating system has a value between 1 and 100. This value gets multiplied by the severity value of a rule to allow you to rank Firewall and DPI Rule Events. To configure Ranking, go to System > System Settings > Ranking.
To assign computer asset value:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2. 3.

Select the computers to assign an asset value. Right-click to display the popup menu and select Actions > Assign Asset Value... In the Assign Asset Value window, select an asset value and click OK.

6-20

Managing Computers

Viewing and Editing Computer Details

The computers Details window mirrors the main interface of the IDF Server Plug-in. It includes all the settings and configurations that can be changed to override any higher level settings and configurations.
To open the Computer Details window:
P ATH : IDF
MAIN MENU

| C OMPUTERS

1. 2.

Select the computer for which to view or edit details and click Details in the toolbar, or right-click to display the popup menu and select View > Details... A new window opens, displaying the a navigation bar to access details for the selected computer.

FIGURE 6-4.

Computer Details Window

Computer Information
The Computer Information screen of the Computer Details window allows you to edit information about the selected computer, such as the host name and domain, and view information, such as Client Plug-in status.

6-21

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To view or edit computer information:

P ATH : IDF
MAIN MENU

| C OMPUTERS > D ETAILS

1. 2.

Select a computer and click Details in the toolbar, or right-click to display the popup menu and select Details... In the General area, edit any of the following options: Hostname: Appears in the Name column on the Computers screen. The name must be either the IP address of the computer or the hostname of the computer. (Either a fully qualified hostname or a relative hostname may be used if a hostname is used instead of an IP address.) Description: a description of the computer. Platform: Details of the computers OS will appear here. Domain: The computer domain to which the computer belongs appears in the drop-down list. You can reassign the computer to any other existing computer domain. Security Profile: The Security Profile (if any) that has been assigned to this computer.
Note: Keep in mind that if you unassign a Security Profile from a computer, Rules may still be in effect on the computer if they were assigned independently of the Security Profile.

Asset Importance: IDF Server Plug-in uses a ranking system to quantify the importance of Security Events. Rules are assigned a Severity Level (high, medium, low, etc.), and Assets (computers) are assigned an Asset Importance level. These levels have numerical values. When a Rule is triggered on a computer the Asset Importance value and the Severity Level value are multiplied together. This produces a score which is used to sort Events by importance. (Event ranking can be seen in the Events screens.) Use this Asset Importance drop-down list to assign an Asset Importance level to this computer. (To edit the numerical values associated with severity and importance levels, go to System > System Settings > Ranking.)

6-22

Managing Computers

Lock Computer (Prevents all communication): Setting this option blocks all communications between the Client Plug-in and the Server Plug-in. The computers Security Profile is still active (all rules are still applied to all traffic), but should any alerts be generated, they will not be sent to the Server Plug-in.
Note: You may wish to lock out a computer if you are going to perform some maintenance on it and don't want a series of alerts to appear in the Server Plug-in.

3.

In the Status area, the following Status information and options are available: Status: Shows the current computer status as follows: When the computer is unmanaged the status will display Unmanaged followed by the Client Plug-in state in brackets (No Client Plug-in, Unknown, Reactivation Required", "Activation Required", or "Deactivation Required"). When the computer is managed and no computer errors are present, the status will display Managed followed by the state of the Client Plug-in in brackets (Online or Offline). When the computer is managed and the Client Plug-in is in the process of performing an action (e.g., Upgrading Client Plug-in (Install Program Sent), etc.) the task status will be displayed. When there are errors on the computer (e.g., Offline, Update Failed, etc.) the status will display the error. When more than one error is present, the status will display Multiple Errors and each error will be listed beneath.

Firewall: Whether the Firewall is on or off and how many rules are in effect. DPI: Whether DPI is on or off and how many rules are in effect. Online: Indicates whether the Server Plug-in can currently communicate with the Client Plug-in. Last Communication: The last time the Server Plug-in successfully communicated with the Client Plug-in on this computer.

6-23

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Check Status: This button allows you to force the Server Plug-in to perform an immediate heartbeat operation to check the status of the Client Plug-in. Check Status will not perform an update of the Client Plug-in. (If an update is required click the Update Now button on the Actions tab.) When Server Plug-in to Client Plug-in Communications is set to Client Plug-in Initiated the Check Status button is disabled. (Checking status will not update the logs for this computer. To update the logs for this computer, go to the Actions tab.) Clear Warnings/Errors: Dismisses any alerts or errors on this computer.

4.

In the Activation area, the following information and options are available: A newly installed IDF Client Plug-in needs to be activated by the IDF Server Plug-in before Security Profiles, Rules, requests for Event logs, etc. can be sent to it. The activation procedure includes the exchange of SSL keys which uniquely identify a Server Plug-in (or one of its nodes) and a Client Plug-in to each other. Once activated by an IDF Server Plug-in, a Client Plug-in will only accept instructions or communicate with the IDF Server Plug-in which activated it (or one of its nodes). An unactivated Client Plug-in can be activated by any IDF Server Plug-in. Client Plug-ins can only be deactivated locally on the computer or from the IDF Server Plug-in which activated it. If a Client Plug-in is already activated, the button in this area will read Reactivate rather than Activate. Reactivation has the same effect as Activation. A reactivation will reset the Client Plug-in to the state it was in after first being installed and initiate the exchange of a new set of SSL keys.

5.

In the Update area, the following information and options are available: When you change the configuration of a Client Plug-in on a computer using the IDF Server Plug-in (Apply a new DPI Rule, change logging settings, etc.) the IDF Server Plug-in has to send the new information to the Client Plug-in. This is an update. Updates usually happen immediately but you can force an update by clicking the Update Now button.

6.

In the Software area, the following information and options are available: This displays the version of the Client Plug-in currently running on the computer. If a newer version of the Client Plug-in is available for the computers platform you can click the Upgrade Client Plug-in... button to remotely upgrade the Client Plug-in from the IDF Server Plug-in. You can configure the IDF Server Plug-in to trigger an alert if new Client Plug-in versions for any of your computers by going to System > Updates in the main IDF Server Plug-in window.

7.

In the Support area, you can create a Diagnostics Package:

6-24

Managing Computers

The Create Diagnostic Package... button creates a snapshot of the state of the Client Plug-in on the computer. Your support provider may request this for troubleshooting purposes. If you have lost communication with the computer, a diagnostics package can be created locally. To create a diagnostics package locally on a Windows computer: a. From a command line, type:
C:\Program Files\Trend Micro\IDF Client Plug-in> dsa_control.exe /d

and press Enter. b. 8. A numbered zip file (for example, 341234567.zip) containing the diagnostics information will be created in the same directory.

To view or make any changes to interfaces, click Interfaces in the navigation pane. The Interfaces screen displays the interfaces detected on the computer. If a Security Profile with multiple interface assignments has been assigned to this computer, interfaces that match the patterns defined in the Security Profile will be identified.

9.

To view or make any changes to alerts, click Alerts in the navigation pane. Alerts are displayed the same way as they are in the main IDF Server Plug-in window except that only alerts relating to this computer are displayed. When an Alert is dismissed here, it is also dismissed in the main IDF Server Plug-in window. For more information on Alerts, see Alerts starting on page 4-1.

10. To view or make any changes to the Firewall Settings, click Firewall in the navigation pane. The Firewall for this computer inherits its on or off state either from its Security Profile or the global setting in the IDF Server Plug-in unless you choose to override it.
Note: If a Security Profile with Firewall turned off is applied to a computer and that computer is set to inherit firewall settings, all Firewall elements (Firewall Rules and Stateful Configurations) will be turned off on that computer, even elements that were assigned directly to the computer before the Security Profile was applied.

6-25

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Events: Firewall Events are displayed the same way as they are in the main IDF Server Plug-in window except that only events relating this computer are displayed. Rules: The Firewall Rules defined in the IDF Server Plug-in are displayed here. Select which ones will be active on this computer. If the computer has multiple interfaces, click the down-arrow and use the drop-down menu to select whether the Firewall Rule will apply to all interfaces or to specific interfaces only.

FIGURE 6-5. Rules

Note the checkmarks next to the active firewall rules. Grayed-out checkmarks indicate that the Firewall Rule is active on this computer because it has been applied by a Security Profile. (The same applies to any other type of rule.)

FIGURE 6-6. Rule Checkmarks

Stateful Configurations: Select which Stateful Configuration to apply to this computer (if any). If the computer has multiple interfaces you can specify independent configurations for each interface.

11. Click Deep Packet Inspection in the navigation pane to view or make any changes. The DPI engine for this computer inherits its on or off state, its Inline behavior, and it Recommendation Scan behavior from the global setting in the IDF Server Plug-in or the Security Profile assigned to it unless you choose to override it.

6-26

Managing Computers

Events: DPI Events are displayed the same way as they are in the main IDF Server Plug-in window except that only events relating to this computer are displayed. Rules: The DPI Rules defined in the IDF Server Plug-in are displayed here. Select which ones will be active in this computer. Application Types: The Application Types defined in the IDF Server Plug-in are displayed here. Their properties can be edited globally or for this Security Profile only. SSL Configurations: IDF Server Plug-in supports DPI analysis of SSL traffic. The SSL Configurations screen allows you to create SSL Configurations for a given certificate-port pair on one or more interfaces. Certificates can be imported in P12 or PEM format and Windows computers have the option of using Windows CryptoAPI directly. To create a new SSL Configuration, click New and follow the steps in the SSL Configuration wizard. If the computer you are configuring is being installed on the computer hosting the IDF Server Plug-in, the wizard will provide let you use credentials already stored in the IDF Server Plug-in. Double-click an existing configuration to display its Properties window. Assignment: General Information: The name and description of the SSL configuration, and whether it is enabled on this computer. Interface Assignments: Which interfaces this configuration is being applied to. IP Assignment: Which IP(s) this configuration applies to. Port Selection: Which port(s) this configuration applies to.

Credentials: The Credentials tab lists the current credentials, and has an Assign New Credentials... button which lets you change them.
Note: Filtering of SSL traffic is supported by the IDF Client Plug-in. The Client Plug-in does not support filtering SSL connections on which SSL compression is implemented.

6-27

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

12. To view or edit the System information, click System, System Settings, or System Events to open the System screens. System Events: System Events are displayed the same way as they are in the main IDF Server Plug-in window except that only events relating to this computer are displayed. System Settings: All System Settings from the IDF Server Plug-in that can be overridden on specific computers are displayed here.

13. Click Overrides to view or edit the elements have been overridden for the computer.

Inheritance and Overrides

Global settings can be overridden by settings at the Security Profile or computer level. For example, the Firewall can be turned off globally by going to the Firewall screen in the main IDF Server Plug-in window and setting Firewall to off.

FIGURE 6-7.

Firewall Settings

6-28

Managing Computers

By default, lower levels in the hierarchy inherit their settings from the level above them. Therefore, if you turn off the Firewall at the Global level, it will be turned off in all Security Profiles and computers that are set to Inherit.

FIGURE 6-8.

Inheritance

Other Properties
Elements like Firewall Rules and DPI Rules can have some of their properties changed for specific computers. For example, lets say you have a Firewall Rule called FirewallRuleAlpha and among its properties is the fact that it operates on incoming port 12345 because the application you have designed the Firewall Rule for usually operates on that port.

6-29

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

But lets say you have one particular computer where that application operates on port 44444. Instead of writing a new Firewall Rule for this computer, we can simply open the computers Details window, go to Firewall Rules, find the Firewall Rule in the list, right-click it and select Properties (For This Computer).

FIGURE 6-9.

Properties (For This Computer)

6-30

Managing Computers

In the Properties window for this Firewall Rule you will now see that many of the properties have a checkbox called Inherit next to them. This means that the setting is inherited from the level above it in the inheritance hierarchy (either from a Security Profile or the Global list). Clearing Inherited next to Port: and changing it to 44444 means that this Firewall Rule on this computer only will now operate on port 44444.

FIGURE 6-10. Inheriting Properties

This operation can also be performed at the Security Profile level if the Firewall Rule is part of a Security Profile. You would open the Security Profiles Details window and make the same changes. (You could then override those again on a particular computer.)

6-31

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Viewing Computer or Security Profile Overrides

You can see what elements have been overridden on a Security Profile or a computer by opening the Details window and going to the Overrides screen.

FIGURE 6-11. View Overrides

6-32

Chapter 7

Security Profiles
This chapter describes Trend Micro Intrusion Defense Firewall Security Profiles. Topics in this chapter: About Security Profiles on page 7-2 Managing Security Profiles on page 7-2 Viewing and Editing Security Profile Details on page 7-3

7-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Security Profiles

Security Profiles allow common configurations of Firewall Rules, Stateful Configurations, and DPI Rules (with interface assignments for each) to be saved for easy assignment to multiple computers.

Managing Security Profiles

To open the Security Profile screen, click Security Profiles in the IDF Main Menu. In the main Security Profiles screen, you will see a list of existing profiles. From here you can: Create New Security Profiles from scratch ( Import Security Profiles from an XML file (
Note:

New) )

Do not import Security Profiles from a newer Security Update into a system running an older Security Update. The new Security Profile may reference rules that do not exist in the older version. Always make sure your Security Updates are current.

Examine or modify the Properties of an existing Security Profile ( ) Duplicate (and then modify and rename) an existing Security Profile ( Delete a Security Profile ( ) Export a Security Profile to an XML file ( ) )

Creating a Security Profile

Clicking New ( New) opens the Security Profiles wizard which will prompt you for the name of the new profile and then give you the option of opening the Security Profile Details window. Clicking Details ( ) displays the Security Profile Details window.

7-2

Security Profiles

Note:

You can create a new Security Profile based on a Recommendation Scan of a computer. To do so, select a computer and run a Recommendation Scan. (Right-click the computer on the Computers screen and select Actions > Scan for Recommendations). When the scan is complete, return to the Security Profiles screen and click New to display the New Security Profile wizard. When prompted, choose to base the new Security Profile on an existing computers current configuration. Then select Recommended Application Types and DPI Rules from among the computers properties.

Note:

The Security Profile will consist only of recommended elements on the computer, regardless of what Rules are currently assigned to that computer.

Viewing and Editing Security Profile Details

Whereas the main IDF Server Plug-in window serves to manage and organize the elements of the whole IDF system, the Security Profile Details window is used to select available elements from the IDF Server Plug-in and apply them to the particular Security Profile. The Security Profile Details window is very similar to the main IDF Server Plug-in window except that all elements in the Security Profile Details screen apply specifically to the Security Profile. By default, all settings are inherited from the global settings of the main IDF Server Plug-in window. Changes can be made in the Security Profile window that will apply only to this Security Profile. When modifying the properties of an element in the main IDF Server Plug-in window (Firewall Rule, DPI Rule, etc.), the

7-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

only option is to modify the Properties. When modifying the properties of an element in the Security Profile Details window, an additional option is available: Properties (For This Security Profile)

FIGURE 7-1.

Security Profile Details

If you edit the Properties (For this Security Profile), the changes will only affect that element when it is applied to a computer by this Security Profile. If you edit the Properties, the changes will affect the element globally (except where it has been overridden elsewhere).

7-4

Security Profiles

An element whose properties have been edited For This Security Profile will appear in bold letters in the Task Pane to indicate that it has special properties when applied to a computer as a part of this Security Profile.

FIGURE 7-2.

Properties (For This Security Profile)

To view or edit a Security Profile:

P ATH : IDF M AIN M ENU | S ECURITY P ROFILES

1. 2.

Select the profile to view or edit and click Details...

, or right-click on the profile and select

In the Details window, navigate through the screens using the navigation pane and make any desired changes to the following: Interface Types: If you have computers with more than one interface, you can assign various elements of a Security Profile (Firewall Rules, etc.) to each interface. To configure a Security Profile for multiple interfaces, select Multiple Interface Assignments and type names and pattern matching strings in the fields below.

7-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

The interface type name is used only for reference. Common names include LAN, WAN, DMZ, and Wi-Fi though any name may be used to map to your networks topology. The Matches defines a wildcard based interface name match to auto map the interfaces to the appropriate interface type. Examples would be Local Area Connection *, eth*, and Wireless *. When an interface cannot be mapped automatically, an alert is triggered. You can manually map it from the Interfaces screen in the computers Details window.
Note: If interfaces are detected on the computer which don't match any of these entries, the Server Plug-in will trigger an alert.

Alerts: Alerts are displayed the same way as they are in the main IDF Server Plug-in window except that only alerts relating to computers using this Security Profile are displayed. When an Alert is dismissed here, it is also dismissed in the main IDF Server Plug-in window. Firewall (Events, Rules, and Stateful Configurations): The Firewall for this Security Profile inherits its on or off state from the global setting in the IDF Server Plug-in unless you choose to override it.
Note: If a Security Profile with Firewall turned off is applied to a computer and that computer is set to inherit firewall settings, all Firewall elements (Firewall Rules and Stateful Configurations) will be turned off on that computer, even elements that were assigned directly to the computer before the Security Profile was applied.

Events: Firewall Events are displayed the same way as they are in the main IDF Server Plug-in window except that only events relating to computers using this Security Profile are displayed.

7-6

Security Profiles

Rules: The Firewall Rules defined in the IDF Server Plug-in are displayed here. Select which ones will be active in this Security Profile. If you have defined multiple Interfaces for this Profile (above), use the gray drop-down menu to select whether the Firewall Rule will apply to all interfaces or to specific ones only.

FIGURE 7-3.

Properties (For This Security Profile)

Stateful Configurations: Select which Stateful Configuration to apply to this Security Profile. If you have defined multiple Interfaces for this Profile (above), you can specify independent configurations for each interface.

Deep Packet Inspection (Events, Rules and Application Types): The DPI engine for this Security Profile inherits its on or off state, its Inline behavior, and it Recommendation Scan behavior from the Global or Security Profile setting unless you choose to override them. Events: DPI Events are displayed the same way as they are in the main IDF Server Plug-in window except that only events relating to computers using this Security Profile are displayed. Rules: The DPI Rules defined in the IDF Server Plug-in are displayed here. Select which ones will be active in this Security Profile. If you have defined multiple Interfaces for this Profile (above), use the gray drop-down menu to select whether the DPI Rule will apply to all interfaces or to specific ones only. Application Types: The Application Types defined in the IDF Server Plug-in are displayed here. As with other elements at the Security Profile level, their properties can be edited globally or for this Security Profile only.

7-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

System: Events (For Computers): System Events are displayed the same way as they are in the main IDF Server Plug-in window except that only events relating to computers using this Security Profile are displayed. Events (For Security Profile): System Events for this Security Profile (if it was created, modified, etc.) are displayed here. System Settings: All System Settings from the IDF Server Plug-in that can be overridden on specific Security Profiles are displayed here.

3.

Overrides: Overrides shows the elements that have been overridden for the Security Profile.

Click Save.

7-8

Chapter 8

Using the IDF Firewall

This chapter describes Trend Micro Intrusion Defense Firewall Firewall. Topics in this chapter: About the IDF Firewall on page 8-2 Turning the Firewall On or Off on page 8-2 Firewall Events on page 8-2 Firewall Rules on page 8-8 Stateful Configurations on page 8-23

8-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About the IDF Firewall

The IDF Firewall protects clients and servers on the network. The IDF Server Plug-in interface provides screens for managing Firewall Events, Firewall Rules, and Stateful Configurations. By default, the IDF Server Plug-in collects Firewall and DPI Event logs from the IDF Client Plug-ins at every heartbeat. Firewall Rules examine the control information in packets, allowing you to either block or allow those packets based on rules. Stateful Configuration mechanism analyzes packets in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions.

Turning the Firewall On or Off

To turn the Firewall on or off:
P ATH : P ATH : IDF
MAIN MENU

| F IREWALL

1.

In the Firewall area, choose On or Off. The information area will tell you whether the network engine is operating Inline or in Tap mode. When operating Inline, the live packet stream passes through the network engine. Stateful tables are maintained, Firewall Rules are applied and traffic normalization is carried out so that DPI Rules can be applied to payload content. When operating in Tap Mode, the live packet stream is cloned and diverted from the main stream. In Tap Mode, the live packet stream is not modified; all operations are carried out on the cloned stream.

2.

To switch between Inline and Tap mode, go to System > System Settings > Firewall and DPI.

Firewall Events
By default, the IDF Server Plug-in collects Firewall and DPI Event logs from the IDF Client Plug-ins at every heartbeat. (This can be turned off from the Firewall and DPI tab in the System > System Settings screen.) The data from the logs is used to populate the various reports, graphs, and charts in the IDF Server Plug-in. Once collected by the IDF Server Plug-in, Event logs are kept for a period of time which can be set from System tab in the System > System Settings screen.

8-2

Using the IDF Firewall

The Firewall Events screen displays the current Firewall events, along with the following information columns: Firewall Event icon: Indicates the event type. Events can be any of the following: Single Event Single Event with data Folded Event Folded Event with data
Note: Event folding occurs when multiple events of the same type occur in succession. This saves disk space and protects against DoS attacks that may attempt to overload the logging mechanism.

Time: Time the event took place on the computer. Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read Unknown Computer.) Reason: Log entries on this screen are generated either by Firewall Rules or by Stateful Configuration settings. If an entry is generated by a Firewall Rule, the column entry will be prefaced by Firewall Rule: followed by the name of the Firewall Rule. Otherwise the column entry will display the Stateful Configuration setting that generated the log entry. Tag(s): Tags associated with the event. Action: The action taken by the Firewall Rule or Stateful Configuration. Possible actions are: Allow, Deny, Force Allow, and Log Only. Rank: The Ranking system provides a way to quantify the importance of DPI and Firewall Events. By assigning asset values to computers, and assigning severity values to DPI Rules and Firewall Rules, the importance (Rank) of an Event is calculated by multiplying the two values together. This allows you to sort Events by Rank when viewing DPI or Firewall Events. Direction: The direction of the affected packet (incoming or outgoing). Interface: The MAC address of the interface through which the packet was traveling. Frame Type: The frame type of the packet in question. Possible values are IP, ARP, REVARP, and Other: XXXX where XXXX represents the four digit hex code of the frame type.

8-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Protocol: Possible values are ICMP, IGMP, GGP, TCP, PUP, UDP, IDP, ND, RAW, TCP+UDP, N/A, and Other: nnn where nnn represents a three digit decimal value. Flags: Flags set in the packet. Source IP: The packets source IP. Source MAC: The packets source MAC address. Source Port: The packets source port. Destination IP: The packets destination IP address. Destination MAC: The packets destination MAC address. Destination Port: The packets destination port. Packet Size: The size of the packet in bytes.
Log-only rules will only generate a log entry if the packet in question is not subsequently stopped either by a deny rule, or an allow rule that excludes it. If the packet is stopped by one of those two rules, those rules will generate a log entry and not the log-only rule. If no subsequent rules stop the packet, the log-only rule will generate an entry.

Note:

From the Firewall Events screen you can: View ( ) the properties of a particular event Filter the list: Use the Period and Computer toolbars to filter the list of events Export ( Search ( ) the event list data to a CSV file ) for a particular event

Additionally, right-clicking a log entry gives you the option to: Add Tag(s): Add an Event Tag to this event (see Event Tagging on page 12-4) Remove Tag(s): Remove exiting event Tags Computer Details: View the Details screen of the computer that generated the log entry Firewall Rule Properties: View the properties of the Firewall Rule associated with this event Whois Source IP: Perform a whois on the source IP Whois Destination IP: Perform a whois query on the destination IP

8-4

Using the IDF Firewall

Viewing Firewall Event Properties

Double-clicking an event displays the Properties window for that entry which displays all the information about the event on one screen. The Tags tab displays tags that have been attached to this Event. To configure Event Tagging, go to System > Tags. For More information on Event tagging, see Event Tagging on page 12-4.

Filtering the List and/or Searching for an Event

Selecting Open Advanced Search from the Advanced Search drop-down menu toggles the display of the advanced search options. The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe. The Computers toolbar lets you organize the display of event log entries by computer domain or computer Security Profiles.

FIGURE 8-1.

Computers Toolbar

Advanced Search functions (searches are not case sensitive): Contains: The entry in the selected column contains the search string Does Not Contain: The entry in the selected column does not contain the search string Equals: The entry in the selected column exactly matches the search string Does Not Equal: The entry in the selected column does not exactly match the search string

8-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

In: The entry in the selected column exactly matches one of the comma-separated search string entries Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries

Pressing the plus button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the submit button (at the right of the toolbars with the right-arrow on it).

Exporting Events
Clicking the Export... button exports all or selected events to a CSV file.

Tagging Firewall Events

Event Tagging allows you to manually tag Firewall Events with custom labels (Assigned to Tom for review, etc.). Event tagging enables specialized views of events, dashboards, and reports and can be applied to a single event, similar events, or even to all future similar events.
To apply a tag to one or more selected Events:
P ATH : IDF M AIN M ENU | F IREWALL > F IREWALL E VENTS

1. 2. 3. 4.

Select the events in the Events list, then right-click and select Add Tag(s).... Type a name for the tag. (IDF Server Plug-in will suggest matching names of existing tags as you type.) Select 1 Selected System Event. (If you selected multiple events from the Events list, the number of selected events will be displayed.) Click Next. Enter some optional comments and click Finish.

Looking at the Events list, you can see that the Event has now been tagged.
To tag multiple similar Events:

1. 2. 3.

Right-click on a representative event from the Events list and select Add tag(s).... Type a name for the tag. (IDF Server Plug-in will suggest matching names of existing tags as you type.) Select Also apply to similar Firewall Events.

8-6

Using the IDF Firewall

4. 5. 6.

If you want to narrow your event selection, select Include Advanced Options. Click Next. If you selected Advanced Options, make your selections. For example, you could look for similar events only on a specific computer, or domain of computers. If this is the case, make your selections and click Next. Select which attributes will be examined to determine whether Events are similar or not. For the most part, the attribute options are the same as the information displayed in the columns of the Events list screen. When you have selected which attributes to include in the Event selection process, click Next. Select what type of similar Firewall Events should this rule be applied to.
Note: Notice the Save Auto-Tag Rule option. The selection criteria you have specified can be saved so that you can apply them again at a future date when new events have accumulated. Saved auto-tag rules can be found in the System > Tags screen.

7.

8.

9.

Click Next.

10. Enter some optional comments and click Next. 11. Review the Summary of your Event selection criteria and click Finish. Looking at the Events list, you can see that your original Event and all similar Events have been tagged.
To tag multiple similar Events as well as future similar Events:

The procedure for tagging multiple similar as well as future Events is the same as above except for step 8, where you also select New Firewall Events. Selecting New Firewall Events causes the IDF Server Plug-in to scan its database every five seconds (or more) for new Events and tag the appropriate ones.
Note: Tagging only occurs after Events have been retrieved from the Client Plug-ins to the IDF Server Plug-ins database.

8-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Firewall Rules
Firewall Rules examine the control information in individual packets. The Rules either block or allow those packets based on rules that are defined on these screens. Firewall Rules are assigned directly to computers or to Security Profiles which are in turn assigned to a computer or collection of computers.

About Firewall Rules

IDF Firewall Rules have both a rule action and a rule priority. Used in conjunction, these two properties allow you to create very flexible and powerful rule-sets. Unlike rule-sets used by other firewalls, which may require that the rules be defined in the order in which they should be run, IDF Firewall Rules are run in a deterministic order based on the rule action and the rule priority, which is independent of the order in which they are defined or assigned.

Rule Action
Each rule can have one of the following actions: Bypass: If a packet matches a bypass rule, it is passed through both the firewall and the DPI Engine regardless of any other rule (at the same priority level). Log Only: If a packet matches a log only rule it is passed and the event is logged. Force Allow: If a packet matches a force allow rule it is passed regardless of any other rules (at the same priority level). Deny: If a packet matches a deny rule it is dropped. Allow: If a packet matches an allow rule, it is passed. Any traffic not matching one of the allow rules is denied.

8-8

Using the IDF Firewall

Adding an ALLOW rule will deny everything else:

FIGURE 8-2.

ALLOW Rule

A DENY rule can be implemented over an ALLOW to block certain kinds of traffic:

FIGURE 8-3.

DENY Rule

8-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

The FORCE ALLOW rule can be placed over the denied traffic to allow certain exceptions to pass through:

FIGURE 8-4.

FORCE ALLOW Rule

Rule Priority
Rule actions of type deny and force allow can be defined at any one of 5 priorities to allow further refinement of the permitted traffic defined by the set of allow rules. Rules are run in priority order from highest (Priority 4) to lowest (Priority 0). Within a specific priority level the rules are processed in order based on the rule action (force allow, deny, allow, log only). The priority context allows you to successively refine traffic controls using deny/force allow combinations to achieve a greater flexibility. Within the same priority context an allow rule can be negated with a deny rule, and a deny rule can be negated by a force allow rule.
Note: Rule Actions of type allow run only at priority 0 while rule actions of type log only run only at priority 4.

Putting Rule Action and Priority Together

Rules are run in priority order from highest (Priority 4) to lowest (Priority 0). Within a specific priority level the rules are processed in order based on the rule action. The order in which rules of equal priority are processed is as follows: Bypass

8-10

Using the IDF Firewall

Log Only Force Allow Deny Allow

Remember that Rule Actions of type allow run only at priority 0 while rule actions of type log only run only at priority 4.

Note:

Note:

It is important to remember that if you have a force allow rule and a deny rule at the same priority the force allow rule takes precedence over the deny rule and therefore traffic matching the force allow rule will be permitted.

Stateful Filtering
When stateful analysis is enabled, packets are analyzed within the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions. In the case of stateless protocols (e.g. UDP and ICMP) a pseudo-stateful mechanism is implemented based on historical traffic analysis. A packet is passed through the stateful routine if it is explicitly allowed via static rules. The packet is examined if it belongs to an existing connection by checking the connection table for matching end points The TCP header is examined for correctness (e.g. sequence numbers, flag combination)

Once enabled, the stateful engine is applied to all traffic traversing the interface. UDP pseudo-stateful inspection, by default, rejects any incoming unsolicited UDP packets. If a computer is running a UDP server, a force allow rule must be included in the policy to permit access to that service. For example, if UDP stateful inspection is enabled on a DNS server, a force allow rule permitting UDP traffic to port 53 is required.

8-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

ICMP pseudo-stateful inspection, by default, rejects any incoming unsolicited ICMP request-reply and error type packets. A force allow must be explicitly defined for any unsolicited ICMP packet to be allowed. All other ICMP (non request-reply or error type) packets are dropped unless explicitly allowed with static rules.

Bypass Rule
There is a special type of Firewall Rule called a Bypass Rule. It is designed for media intensive protocols where filtering may not be desired. You create a Bypass Rule by selecting bypass as the rules Action when creating a new Firewall Rule. The Bypass action on Firewall Rules differs from a Force Allow rule in the following ways: Packets matching Bypass will not be processed by DPI Rules Unlike Force Allow, Bypass will not automatically allow the responses on a TCP connection when Stateful Configuration is on (see below for more information) Some Bypass rules are optimized, in that traffic will flow as efficiently as if our Client Plug-in was not there (see below for more information)
When a Bypass Firewall Rule is sent to a Client Plug-in older than version 5.0, it will be treated as a Force Allow, which will not skip DPI Rule processing.

Note:

Using Bypass When Stateful Configuration Is On If you plan to use a Bypass Rule to skip DPI Rule processing on incoming traffic to TCP destination port N and Stateful Configuration is set to perform stateful inspection on TCP, you must create a matching outgoing rule for source port N to allow the TCP responses. (This is not required for Force Allow rules because force-allowed traffic is still processed by the stateful engine.) All Bypass rules are unidirectional. Explicit rules are required for each direction of traffic. Optimization The Bypass Rule is designed to allow matching traffic through at the fastest possible rate. Maximum throughput can be achieved with (all) the following settings: Priority: Highest

8-12

Using the IDF Firewall

Frame Type: IP Protocol: TCP, UDP, or other IP protocol. (Do not use the Any option.) Source and Destination IP and MAC: all Any If the protocol is TCP or UDP and the traffic direction is incoming, the Destination Ports must be one or more specified ports (not Any), and the Source Ports must be Any. If the protocol is TCP or UDP and the traffic direction is outgoing, the Source Ports must be one or more specified ports (Not Any), and the Destination Ports must be Any. Schedule: None.

Logging Packets that match the bypass rule will not be logged. This is not a configurable option.

Firewall Rule Sequence

Packets arriving at a computer running a Client Plug-in get processed first by Firewall Rules, then the Stateful Configuration conditions, and finally by the DPI Rules. This is the order in which Firewall Rules are applied (incoming and outgoing): 1. Firewall Rules with priority 4 (highest) a. b. c. 2. Bypass Log Only (Log Only rules can only be assigned a priority of 4 (highest)) Force Allow

d. Deny Firewall Rules with priority 3 (high) a. b. c. 3. a. b. Bypass Force Allow Deny Bypass Force Allow

Firewall Rules with priority 2 (normal)

8-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

c. 4. a. b. c. 5. a. b. c.

Deny Bypass Force Allow Deny Bypass Force Allow Deny

Firewall Rules with priority 1 (low)

Firewall Rules with priority 0 (lowest)

d. Allow (Note that an Allow rule can only be assigned a priority of 0 (lowest)) Within the same priority context, a deny rule will override an allow rule, and a force allow rule will override a deny rule. By using the rule priorities system, a higher priority deny rule can be made to override a lower priority force allow rule. Consider the example of a DNS server policy that makes use of a force allow rule to allow all incoming DNS queries over TCP/UDP port 53. Creating a deny rule with a higher priority than the force allow rule lets you specify a particular range of IP addresses that must be prohibited from accessing the same public server. Priority-based rule sets allow you set the order in which the rules are applied. If a deny rule is set with the highest priority, and there are no force allow rules with the same priority, then any packet matching the deny rule is automatically dropped and the remaining rules are ignored. Conversely, if a force allow rule with the highest priority flag set exists, any incoming packets matching the force allow rule will be automatically allowed through without being checked against any other rules.

A Note on Logging
Bypass Rules will never generate a log entry. This is not configurable. Log-only rules will only generate a log entry if the packet in question is not subsequently stopped by either: a deny rule, or an allow rule that excludes it.

8-14

Using the IDF Firewall

If the packet is stopped by one of those two rules, those rules will generate the log entry and not the log-only rule. If no subsequent rules stop the packet, the log-only rule will generate an entry.

Putting It All Together To Design a Firewall Policy

Generally speaking, there are two approaches when defining a firewall policy for a computer: Prohibitive: That which is not expressly allowed is prohibited. Prohibitive policies can be created by using a combination of allow rules to describe allowed traffic and deny rules to further restrict permitted traffic. Permissive: That which is not expressly prohibited is allowed. Permissive policies can be created through the exclusive used of deny rules to describe the traffic that should be dropped.

In general, prohibitive policies are preferred and permissive policies should be avoided. Force allow rules should only be used in conjunction with allow and deny rules to allow a subset of traffic that has been prohibited by the allow and deny rules. Force allow rules are also required to allow unsolicited ICMP and UDP traffic when ICMP and UDP stateful are enabled. Take the example of how a simple firewall policy can be created for a Web server. 1. 2. First enable stateful inspection for TCP, UDP, and ICMP using a global stateful configuration with these options enabled. Add a Firewall Rule to allow TCP and UDP replies to requests originated on the workstation. To do this create an incoming allow rule with the protocol set to TCP + UDP and select the Not checkbox and the Syn checkbox under Specific Flags. At this point the policy only allows TCP and UDP packets that are replies to requests initiated by a user on the workstation. For example, in conjunction with the stateful analysis options enabled in step 1, this rule allows a user on this computer to perform DNS lookups (via UDP) and to browse the Web via HTTP (TCP). Add a Firewall Rule to allow ICMP replies to requests originated on the workstation. To do this, create an incoming allow rule with the protocol set to ICMP and select the Any Flags checkbox. This means that a user on this computer can ping other workstations and receive a reply but other users will not be able to ping this computer.

3.

8-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

4.

Add a Firewall Rule to allow incoming TCP traffic to port 80 and 443 with the Syn checkbox checked in the Specific Flags section. This means that external users can access a Web server on this computer. At this point we have a basic firewall policy that allows solicited TCP, UDP and ICMP replies and external access to the Web server on this computer all other incoming traffic is denied. For an example of how deny and force allow rule actions can be used to further refine this profile consider how we may want to restrict traffic from other computers in the network. For example, we may want to allow access to the Web server on this computer to internal users but deny access from any computers that are in the DMZ. This can be done by adding a deny rule to prohibit access from servers in the DMZ IP range.rule

5.

Next we add a deny rule for incoming TCP traffic with source IP 10.0.0.0/24 which is the IP range assigned to computers in the DMZ. This rule denies any traffic from computers in the DMZ to this computer. We may, however, want to refine this policy further to allow incoming traffic from the mail server which resides in the DMZ.

6.

To do this we use a force allow for incoming TCP traffic from source IP 10.0.0.100. This force allow overrides the deny rule we created in the previous step to permit traffic from this one computer in the DMZ.

Important Things To Remember

All traffic is first checked against Firewall Rules before being analyzed by the stateful inspection engine. If the traffic clears the Firewall Rules, the traffic is then analyzed by the stateful inspection engine (provided stateful inspection is enabled in the stateful configuration). Allow rules are prohibitive. Anything not specified in the allow rules is automatically dropped. This includes traffic of other frame types so you need to remember to include rules to allow other types of required traffic. For example, dont forget to include a rule to allow ARP traffic if static ARP tables are not in use. If UDP stateful inspection is enabled a force allow rule must be used to allow unsolicited UDP traffic. For example, if UDP stateful is enabled on a DNS server then a force allow for port 53 is required to allow the server to accept incoming DNS requests.

8-16

Using the IDF Firewall

If ICMP stateful inspection is enabled a force allow rule must be used to allow unsolicited ICMP traffic. For example, if you wish to allow outside ping requests a force allow rule for ICMP type 3 (Echo Request) is required. A force allow acts as a trump card only within the same priority context. If you do not have a DNS or WINS server configured (which is common in test environments) a force allow incoming UDP port 137 rule may be required for NetBios.
When troubleshooting a new firewall policy the first thing you should do is check the Firewall Rule logs on the Client Plug-in. The Firewall Rule logs contain all the information you need to determine what traffic is being denied by Firewall elements that have been defined so that you can further refine your policy as required.

Note:

Creating and Applying New Firewall Rules

The Firewall Rules screen allows you to view, create, and edit Firewall Rules. The screen displays a list of current Firewall Rules, along with information columns that include: Firewall icon: Indicates the following for each rule: Normal Firewall Rules Firewall Rules that operate according to a schedule Action: Whether the Client Plug-in will allow packets matching the rules criteria through regardless of any other rules that would block them (force allow); block packets matching the rules criteria (deny); exclusively allow only packets matching the rules criteria and block all others (Allow); or log packets matching the rules criteria and let them pass (log only). Within a priority level (see next item), rules are applied in this order: a. b. c. e. bypass force allow deny log only

d. allow

8-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Priority: Firewall Rules can have a priority of 0 (lowest) to 4 (highest). High priority rules are applied first. Packet Direction: Whether the packet is incoming or outgoing. Packet Source: All the information that describes the packets source (frame type, protocol, IPs, ports, flags, etc.) Packet Destination: All the information that describes the packets destination (frame type, protocol, IPs, ports, flags, etc.). Specific Flags: Which particular to flags have to be set for the rule to trigger. (Flags will vary depending on protocol.) Create New Firewall Rules from scratch ( Import ( New)

From the Firewall Rule screen you can: ) Firewall Rules from an XML file )

Examine or modify the Properties of an existing Firewall Rule ( ) Duplicate (and then modify) existing Firewall Rules ( Delete a Firewall Rule ( ) Export ( ) one or more Firewall Rules to an XML file. (Either export them all by clicking the Export... button, or choose from the drop-down list to export only those that are selected or displayed)
Firewall Rules that are assigned to one or more computers or that are part of a Security Profile cannot be deleted.

Note:

Clicking New ( window.

P ATH : IDF

New) or Properties ( ) displays the Firewall Rules Properties

To create or edit a Firewall Rule:

MAIN MENU

| F IREWALL > F IREWALL R ULES

1. 2.

Click New to create new Firewall Rules from scratch, or select an existing Firewall Rule and click Properties ( ) to modify the Firewall Rule. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the Firewall Rule.

8-18

Using the IDF Firewall

Description: A detailed description of the Firewall Rule. Action: Your Firewall Rule can behave in four different ways. These are described here in order of precedence: The traffic can bypass the firewall completely. This is a special rule that can cause the packets to bypass the firewall and DPI engine entirely. Use this setting for media intensive protocols where filtering may not be desired. To find out more about the bypass rule, see Bypass Rule on page 8-12. It can log only. This means it will only make an entry in the logs and not interfere with the traffic. It can force allow defined traffic (it will allow traffic defined by this rule without excluding any other traffic.) It can deny traffic (it will deny traffic defined by this rule.) It can allow traffic (it will exclusively allow traffic defined by this rule.)
Only one rule action is applied to any particular packet, and rules (of the same priority) are applied in the order listed above.

Note:

Priority: If you have selected force allow, deny, or log only as your rule action, you can set a priority here of 0 (low) to 4 (highest). Setting a priority allows you to combine the actions of rules to achieve a cascading rule effect. Log only rules can only have a priority of 4, and Allow rules can only have a priority of 0.
Note: The priority determines the order in which rules are applied. High priority rules get applied before low priority rules. For example, a port 80 incoming deny rule with a priority of 3 will drop a packet before a port 80 incoming force allow rule with a priority of 2 ever gets applied to it.

Packet Direction: Select whether this rule will be applied to incoming or outgoing traffic. Frame Type: Select or specify the frame type your rule will be looking for. Use the checkbox to specify whether you will be filtering for this frame type or anything but this frame type.

8-19

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

For a list of frame types, see the Internet Assigned Numbers Authority (IANA) Web site.

Protocol: Select or specify the protocol your rule will be looking for. Use the checkbox to specify whether you will be filtering for this protocol or anything but this protocol.
Note: You can choose from the drop down list of predefined common protocols, or you can select Other and enter the protocol code yourself (a three digit decimal value from 0 to 255).

3.

In the Packet Source area, specify any option to apply to the packet headers source information. IP: Specify an IP address, a masked IP address, an IP range, or select an IP list from one you defined in the IP Lists screen. MAC: Specify a MAC address or select a MAC list from one you defined in the MAC Lists screen. Port: You can specify a comma separated list of ports or a dash separated port range in the port(s) option as well as just a single port (e.g., 80, 443, 1-100) or select a Port list from one you defined in the Port Lists screen.

4.

In the Packet Destination area, specify any options to apply to the packet headers destination information. IP: Specify an IP address, a masked IP address, an IP range, or select an IP list from one you defined in the IP Lists screen. MAC: Specify a MAC address or select a MAC list from one you defined in the MAC Lists screen. Port: You can specify a comma separated list of ports or a dash separated port range in the port(s) option as well as just a single port (e.g., 80, 443, 1-100) or select a Port list from one you defined in the Port Lists screen.

5.

In the Specific Flags area, if you have selected TCP, ICMP, or TCP+UDP as your protocol in the General Information section above, you can direct your Firewall Rule to watch for specific flags. In the popup window, specify any desired information in General Information area of the General tab.

6.

8-20

Using the IDF Firewall

7.

Click the Options tab and specify any desired information. Alert: Select whether or not this Firewall Rule should trigger an alert when it is triggered. If you only wish this rule to be active during specific periods, assign a schedule from the drop-down list.
Note: Only Firewall Rules whose Action is set to Deny or Log Only can be configured to trigger an alert. (This is because alerts are triggered by counters which are incremented with data from log files.)

Schedule: Select whether the Firewall Rule should only be active during a scheduled time.
Note: Firewall Rules that are active only at scheduled times are displayed in the Firewall Rules screen with a small clock over their icon ().

Context: Rule Contexts are a powerful way of implementing different security policies depending on the computers network environment. You will most often use Contexts to create Security Profiles which apply different Firewall and DPI Rules to computers (usually mobile laptops) depending on whether that computer is in or away from the office. Contexts are designed to be associated with Firewall and DPI Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied. To determine a computer's location, Contexts examine the nature of the computer's connection to its domain controller. For more information on Contexts, see Contexts on page 10-6.
Note: For an example of a Security Profile that implements Firewall Rules using Contexts, look at the properties of the Windows Mobile Laptop Security Profile.

8-21

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

8.

Click the Assigned To tab to view a list of Security Profiles which include this Firewall Rule as well as any computers to which this Firewall Rule has been assigned directly. Firewall Rules can be assigned to Security Profiles in the Security Profiles screen and to computers in the Computers screen. Click OK.

9.

Now you have to assign the new Firewall Rule to a computer. The best way to manage the application of Firewall Rules to computers is by way of Security Profiles. Having a Security Profile called Developer Laptop, for example, allows you to create a set of Firewall Rules all designed for the particular environment developer laptops operate in. You can then assign them all to the Developer Laptop Security Profile, and then assign that Security Profile to that collection of computers. Anytime you need to create and assign a new Firewall Rule to your developer laptops, you just assign it to the Security Profile, and all Developer Laptop computers will be updated with the new Firewall Rule.
To include a new Firewall Rule in a Security Profile:
P ATH : IDF
MAIN MENU

| S ECURITY P ROFILES

1. 2. 3. 4.

Double-click the Security Profile to which you want to assign a new rule. This will open the Profiles Details window. Click Firewall Rules in the navigation pane on the left. Find your new Firewall Rule in the list and put a check in its checkbox. Click Save.

If the Automatically update all affected computers after changing any aspect of the IDF System. option is enabled on the Computers tab in the System > System Settings screen, all computers to which that Security Profile has been assigned will be updated with the new rule.
To assign a new Firewall Rule directly to a computer:
P ATH : IDF M AIN M ENU | C OMPUTERS

1. 2. 3. 4.

Double-click the computer to which you want to assign the new rule. Click Firewall Rules in the navigation pane on the left. Find your new Firewall Rule in the list and put a check in its checkbox. Click Save.

8-22

Using the IDF Firewall

As before, if the Automatically update all affected computers after changing any aspect of the IDF System. option is enabled on the Computers tab in the System > System Settings screen, all computers to which that Security Profile has been assigned will be updated with the new rule.
Note: If you apply other settings to a computer (for example, adding additional Firewall Rules, or modifying stateful configuration settings), an asterisk will appear next to the name of the Security Profile (in the Security Profile column in the Computers screen) indicating that the default settings have been changed.

Stateful Configurations
IDFs Stateful Configuration mechanism analyzes each packet in the context of traffic history, correctness of TCP and IP header values, and TCP connection state transitions. In the case of stateless protocols like UDP and ICMP, a pseudo-stateful mechanism is implemented based on historical traffic analysis. Packets are handled by the stateful mechanism as follows: 1. 2. A packet is passed to the stateful routine if it has been allowed through by the static Firewall Rule conditions, The packet is examined to determine whether it belongs to an existing connection by checking a connection table created by the stateful mechanism for matching end points, and The TCP header is examined for correctness (e.g. sequence numbers, flag combinations, etc.).

3.

Managing Stateful Configurations

The Stateful Configuration screen lets you define multiple stateful inspection configurations which you can then include in your Security Profiles. The screen lists current stateful configurations, along with information that includes the name, description, and Normal Stateful Configurations icon ( ). From the toolbar or context menu you can: Create New ( Import ( New) Stateful Configurations from scratch ) Stateful Configuration from an XML file

8-23

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Examine or modify the Properties ( ) of an existing Stateful Configuration Duplicate ( ) (and then modify) existing Stateful Configurations Delete a Stateful Configuration ( ) Export ( ) one or more Stateful Configurations to an XML file. (Either export them all by click the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the Stateful Configuration properties

Clicking New ( window.

P ATH : IDF

To create or edit a Stateful Configuration:

MAIN MENU

| F IREWALL > STATEFUL C ONFIGURATIONS

1. 2.

Click New to create a new Stateful Configuration from scratch, or select an existing configuration and click Properties ( ) to modify it. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the Stateful Configuration. Description: Type a description of the Stateful Configuration. This description will only appear here.

3.

In the IP Packet Inspection area, choose whether to Deny all incoming fragmented packets: If this option is enabled, all fragmented packets are dropped with the following log entry: IP fragmented packet. The one exception to this rule is the presence of packets with a total length smaller than the IP header length. Such packets are dropped silently.
WARNING! Attackers sometimes create and send fragmented packets in an attempt to bypass Firewall Rules.

The Firewall Rule engine, by default, performs a series of checks on fragmented packets. This is default behavior and cannot be reconfigured. Packets with the following characteristics are dropped: Invalid fragmentation flags/offset: A packet is dropped when either the DF and MF flags in the IP header are set to 1, or the header contains the DF flag set to 1 and an Offset value different than 0.

8-24

Using the IDF Firewall

First fragment too small: A packet is dropped if its MF flag is set to 1, its Offset value is at 0, and it has total length of less than 120 bytes (the maximum combined header length). IP fragment out of boundary: A packet is dropped if its Offset flag value combined with the total packet length exceeds the maximum datagram length of 65535 bytes. IP fragment offset too small: A packet is dropped if it has a non-zero Offset flag with a value that is smaller than 60 bytes.

4.

Click the TCP tab and specify any desired information in the TCP Packet Inspection area. Deny TCP packets containing CWR, ECE flags: These flags are set when there is network congestion. RFC 3168 defines two of the six bits from the Reserved field to be used for ECN (Explicit Congestion Notification), as follows: Bits 8 to 15: CWR-ECE-URG-ACK-PSH-RST-SYN-FIN TCP Header Flags Bit Name Reference: Bit 8: CWR (Congestion Window Reduced) [RFC3168] Bit 9: ECE (ECN-Echo) [RFC3168]

WARNING! Automated packet transmission (such as that generated by a denial of service attack, among other things) will often produce packets in which these flags are set.

Enable TCP stateful inspection: Enable stateful inspection at the TCP level. If you enable stateful TCP inspection, the following options become available: Enable TCP stateful logging: TCP stateful inspection events will be logged. Limit the number of incoming connections from a single computer to: Limiting the number of connections from a single computer can lessen the effect of a denial of service attack. Limit the number of outgoing connections to a single computer to: Limiting the number of outgoing connections to a single computer can significantly reduce the effects of Nimda-like worms.

8-25

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Limit the number of half-open connections from a single computer to: Setting a limit here can protect you from DoS attacks like SYN Flood. Although most servers have timeout settings for closing half-open connections, setting a value here can prevent half-open connections from becoming a significant problem. If the specified limit for SYN-SENT(remote) entries is reached, subsequent TCP packets from that specific computer will be dropped.
When deciding on how many open connections from a single computer to allow, choose your number from somewhere between what you would consider a reasonable number of half-open connections from a single computer for the type of protocol being used, and how many half-open connections from a single computer your system can maintain without getting congested.

Note:

Enable Syn-Flood protection when the number of half-open connections exceeds: Unlike setting a hard limit on the number of half-open connections from a single computer, the Syn-Flood protection mechanism starts to use Syn-cookies once the set number of open connections is reached (regardless of whether the connections come a single computer or not). The use of Syn-cookies means that connections are not rejected. However, no entry is created for them in the state table, and they are not passed to the application until an appropriate SYN-ACK is received from the destination computer.
SYN Flood protection is only supported on versions 7.5 or earlier of the Windows Client Plug-ins. It is not supported on versions 7.5 SP1 or later of the Windows Client Plug-ins.

Note:

Enable ACK Storm protection when the number of already acknowledged packets exceeds: Set this option to log an event that an ACK Storm attack has occurred. Drop Connection when ACK Storm detected: Set this option to drop the connection if such an attack is detected.

8-26

Using the IDF Firewall

5.

In the FTP Options area, specify any desired information. Active FTP Allow Incoming: Allow Active FTP when this computer is acting as a server. Allow Outgoing: Allow Active FTP when this computer is acting as client. Allow Incoming: Allow Passive FTP when this computer is acting as a server. Allow Outgoing: Allow Passive FTP when this computer is acting as a client.
Generally speaking, Active FTP is more secure from the server point of view, and Passive FTP is more secure from the client point of view.

Passive FTP

Tip:

6.

Click the UDP tab and specify any desired information in the UDP Packet Inspection area. Enable UDP stateful inspection: Check to enable stateful inspection of UDP traffic.
Note: The UDP stateful mechanism drops unsolicited incoming UDP packets. For every outgoing UDP packet, the rule will update its UDP stateful table and will then only allow a UDP response if it occurs within 60 seconds of the request. If you wish to allow specific incoming UDP traffic, you will have to create a Force Allow rule. For example, if you are running a DNS server, you will have to create a Force Allow rule to allow incoming UDP packets to destination port 53.

WARNING! Without stateful inspection of UDP traffic, an attacker could masquerade as a DNS server and send unsolicited UDP replies from source port 53 to computers behind a firewall.

Enable UDP stateful logging: Checking this option will enable the logging of UDP stateful inspection events.

8-27

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

7.

Click the ICMP tab and specify any desired information in the ICMP Packet Inspection area. Enable ICMP stateful inspection: Check to enable stateful inspection of ICMP traffic.
Note: The ICMP (pseudo-)stateful mechanism drops incoming unsolicited ICMP packets. For every outgoing ICMP packet, the rule will create or update its ICMP stateful table and will then only allow a ICMP response if it occurs within 60 seconds of the request. (ICMP pair types supported: Type 0 & 8, 13 & 14, 15 & 16, 17 & 18.)

WARNING! With stateful ICMP inspection enabled, you can, for example, only allow an ICMP echo-reply in if an echo-request has been sent out. Unrequested echo-replies could be a sign of several kinds of attack including a Smurf amplification attack, a Tribe Flood Network communication between master and daemon, or a Loki 2 back-door.

8.

Enable ICMP stateful logging: Checking this option will enable the logging of ICMP stateful inspection events.

Click the Assigned To tab and specify any desired information. The Assigned To tab lists the Security Profiles and computers that are making use of this stateful inspection configuration.

8-28

Chapter 9

Using Deep Packet Inspection

This chapter describes how to use Trend Micro Intrusion Defense Firewall Deep Packet Inspection to protect your network and computers from security risks. Topics in this chapter: About Deep Packet Inspection on page 9-2 Turning Deep Packet Inspection On or Off on page 9-3 DPI Events on page 9-4 DPI Rules on page 9-9 Creating Custom DPI Rules on page 9-13 Application Types on page 9-29

9-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Deep Packet Inspection

When first applying a new set of DPI Rules you can choose to set the DPI behavior to Detect. When in Detect mode, the DPI engine will apply all the same DPI Rules to traffic but instead of dropping packets, it will only log an Event and let the traffic pass. Use this behavior to ensure the new DPI Rules will not interfere with legitimate traffic. This setting only applies when the Network Engine is operating Inline; that is, live traffic is being streamed through the IDF network engine. The alternative to Inline mode is Tap mode, where the live traffic is cloned, and it is only this cloned traffic that is analyzed by the network engine. Prevent mode is impossible when in Tap mode because the network engine does not control the live traffic stream.

Packet Processing Sequence

Both incoming and outgoing network traffic gets fed through a pipeline of modules:

FIGURE 9-1.

Module Pipeline

Verification: Basic checks for validity of the packet Micro Filter: Basic firewall bypass rules are enforced at this layer Blacklist: Maintains a list of known bad IPs as used by the Traffic Analysis feature Fragmentation: Fragments packets that are larger than the MTU Firewall Rules: All packets not processed by the Micro Filter are processed by the Firewall Stateful Inspection, SSL Decryption, and DPI Rules: Acts as one module where the following functions are performed: Stateful Inspection: Maintains known connections that are valid for a response. This feature also controls the connection limits and does SYN Flood and ACK Storm protection SSL Decryption: If required and configured this feature decrypts the SSL protected traffic for analysis by the DPI engine

9-2

Using Deep Packet Inspection

DPI: Deep Packet Inspection engine that does pattern matching and custom code operations

Reassembly: Reassembles fragmented packets for later use by the DPI engine

Although incoming and outgoing traffic flow through the pipeline in the same order, the internal sub-order inside the Stateful Inspection, SSL, and DPI module depends on traffic direction:

FIGURE 9-2.

Module Pipeline

Turning Deep Packet Inspection On or Off

To turn the Deep Packet Inspection on or off:
P ATH : IDF
MAIN MENU

| D EEP P ACKET I NSPECTION

1. 2.

In the Deep Packet Inspection area, choose On or Off. Set the Inline DPI behavior to Prevent or Detect. To switch between Inline and Tap mode, go to System > System Settings > Firewall and DPI.

3.

Choose whether to enable Recommendation Scans. Client Plug-ins can be configured to perform regular Recommendation Scans which scan a computer and make recommendations about the application of various Security Rules. Selecting this checkbox will automatically assign recommended rules for the computer and automatically unassign rules that are not required.

9-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

If you select this option, you should also opt to allow IDF Rule Updates to automatically assign new DPI Rules. Go to System > System Settings > Updates and select Allow IDF Rule Updates to automatically assign new DPI Rules in the IDF Rule Updates area.

To perform periodic Recommendation Scans, go to System > System Settings > Scan.

DPI Events
By default, the IDF Server Plug-in collects Firewall and DPI Event logs from the IDF Client Plug-ins at every heartbeat. (This can be turned off from the Firewall and DPI tab in the System > System Settings screen.) The data from the logs is used to populate the various reports, graphs, and charts in the IDF Server Plug-in. Once collected by the IDF Server Plug-in, Event logs are kept for a period of time which can be set from System tab in the System > System Settings screen. The default setting is one week. From the main screen you can: View ( ) the properties of a particular event Filter the list: Use the Period and Computer toolbars to filter the list of events Export ( Search ( ) the event log data to a CSV file ) for a particular event

Additionally, right-clicking a log entry gives you the option to: Add Tag(s): Add an Event Tag to this event (see Event Tagging on page 12-4.) Remove Tag(s): Remove exiting event Tags Computer Details: View the Details screen of the computer that generated the log entry DPI Rule Properties: View the all the properties of a particular log entry on open Properties window Whois Source IP: Perform a whois on the source IP Whois Destination IP: Perform a whois on the destination IP

9-4

Using Deep Packet Inspection

Filtering the List and/or Searching for an Event

Selecting Open Advanced Search from the Advanced Search drop-down menu toggles the display of the advanced search options. The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe. The Computers toolbar lets you organize the display of event log entries by computer domain or computer Security Profiles.

FIGURE 9-3.

Computers Toolbar

Advanced Search functions (searches are not case sensitive): Contains: The entry in the selected column contains the search string Does Not Contain: The entry in the selected column does not contain the search string Equals: The entry in the selected column exactly matches the search string Does Not Equal: The entry in the selected column does not exactly match the search string In: The entry in the selected column exactly matches one of the comma-separated search string entries Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries

9-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Pressing the plus button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the submit button (at the right of the toolbars with the right-arrow on it).

Viewing DPI Event Properties

Double-clicking an event displays the Properties window for that entry. The Tags tab displays tags that have been attached to this Event. For More information on Event tagging, see System > Tags, and Event Tagging on page 12-4.
To view DPI Event information:
P ATH : IDF
MAIN MENU

| D EEP P ACKET I NSPECTION

Columns for the DPI Events display: Time: Time the event took place on the computer. Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read Unknown Computer.) Reason: The DPI Rule associated with this event. Tag(s): Tags associated with the event. Application Type: The Application Type associated with the DPI Rule which caused this event. Action: What action the DPI Rule took (Allow, Deny, Force Allow, Log Only, or Detect Only (if the rule is in Detect Only mode)). Rank: The Ranking system provides a way to quantify the importance of DPI and Firewall Events. By assigning asset values to computers, and assigning severity values to DPI Rules and Firewall Rules, the importance (Rank) of an Event is calculated by multiplying the two values together. This allows you to sort Events by Rank when viewing DPI or Firewall Events. Severity: The Rule Severity level: Critical, High, Medium, Low, or Error. Direction: The direction of the packet (incoming or outgoing). Flow: The source of the packet. Connection Flow indicates that the packet comes from the initiator of the TCP connection. Reverse Flow indicates that the packet comes from the receiver of the TCP connection. Interface: The MAC address of the interface through which the packet was passing.

9-6

Using Deep Packet Inspection

Protocol: Possible values are ICMP, IGMP, GGP, TCP, PUP, UDP, IDP, ND, RAW, TCP+UDP, N/A, and Other: nnn where nnn represents a three-digit decimal value. Flags: Flags set in the packet. Source IP: The packets source IP. Source MAC: The packets source MAC address. Source Port: The packets source port. Destination IP: The packets destination IP address. Destination MAC: The packets destination MAC address. Destination Port: The packets destination port. Packet Size: The size of the packet in bytes.

Exporting the Event Log

Clicking the Export... button exports all event log entries to a CSV file.

Tagging DPI Events

Event Tagging allows you to manually tag DPI Events with custom labels (Assigned to Tom for review, etc.). Event tagging enables specialized views of events, dashboards, and reports and can be applied to a single event, similar events, or even to all future similar events.
To apply a tag to one or more selected Events:
P ATH : IDF M AIN M ENU | D EEP P ACKET I NSPECTION > DPI E VENTS

1. 2. 3. 4.

Select the events in the Events list, then right-click and select Add Tag(s).... Type a name for the tag. (IDF Server Plug-in will suggest matching names of existing tags as you type.) Select 1 Selected System Event. (If you selected multiple events from the Events list, the number of selected events will be displayed.) Click Next. Enter some optional comments and click Finish.

Looking at the Events list, you can see that the Event has now been tagged.

9-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To tag multiple similar Events:

1. 2. 3. 4. 5. 6.

Right-click on a representative event from the Events list and select Add tag(s).... Type a name for the tag. (IDF Server Plug-in will suggest matching names of existing tags as you type.) Select Also apply to similar DPI Events. If you want to narrow your event selection, select Include Advanced Options. Click Next. If you selected Advanced Options, make your selections. For example, you could look for similar events only on a specific computer, or domain of computers. If this is the case, make your selections and click Next. Select which attributes will be examined to determine whether Events are similar or not. For the most part, the attribute options are the same as the information displayed in the columns of the Events list screen. When you have selected which attributes to include in the Event selection process, click Next. Select what type of similar DPI Events should this rule be applied to.
Note: Notice the Save Auto-Tag Rule option. The selection criteria you have specified can be saved so that you can apply them again at a future date when new events have accumulated. Saved auto-tag rules can be found in the System > Tags screen.

7.

8.

9.

Click Next.

10. Enter some optional comments and click Next. 11. Review the Summary of your Event selection criteria and click Finish. Looking at the Events list, you can see that your original Event and all similar Events have been tagged.
To tag multiple similar Events as well as future similar Events:

The procedure for tagging multiple similar as well as future Events is the same as above except for step 8, where you also select New DPI Events. Selecting New DPI Events causes the IDF Server Plug-in to scan its database every five seconds (or more) for new Events and tag the appropriate ones.

9-8

Using Deep Packet Inspection

Note:

Tagging only occurs after Events have been retrieved from the Client Plug-ins to the IDF Server Plug-ins database.

DPI Rules
Whereas Firewall Rules and Stateful Configurations examine a packets control information (data that describes the packet), DPI Rules examine the actual content of the packet (and sequences of packets). Based on the conditions set within the DPI Rule, various actions are then carried out on these packets: from replacing specifically defined or suspicious byte sequences, to completely dropping packets and resetting the connection. The DPI Rules screen lists the current DPI Rules and information, including the following: DPI Rule icon: Normal DPI Rules DPI Rules that operate according to a schedule DPI Rules that have configuration options DPI Rules that require configuration The DPI Rules screen lets you create and manage DPI Rules. From the toolbar or the right-click context menu you can: Create New DPI Rules from scratch ( Import ( New) ) DPI Rules from an XML file )

Examine or modify the Properties of an existing DPI Rule ( ) Duplicate (and then modify) existing DPI Rules ( Delete a DPI Rule ( ) Export ( ) one or more DPI Rules to an XML file. (Either export them all by click the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the DPI Rule Properties window.

Clicking New (

9-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

Note the Configuration tab. DPI Rules from Trend Micro are not directly editable through IDF Server Plug-in. Instead, if the DPI Rule requires (or allows) configuration, those configuration options will be available on the Configuration tab. Custom DPI Rules that you write yourself will be editable, in which case the Rules tab will be visible.

Creating and Editing DPI Rule Properties

To create or edit DPI Rule properties:
P ATH : IDF
MAIN MENU

| D EEP P ACKET I NSPECTION > DPI R ULES

1. 2.

Click New to create new DPI Rules from scratch, or select an existing DPI Rule and click Properties ( ) to modify the DPI Rule. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the DPI Rule. Description: The description of the DPI Rule. Minimum Client Plug-in Version: The minimum version of the IDF Client Plug-in required to implement this DPI Rule. Application Type: The Application Type this DPI Rule will be grouped under. You can select an existing type, or create a new one.
Note: You can also edit existing types from this panel. Remember that if you edit an existing Application Type from here, the changes will be applied to all security elements making use of it.

3.

In the Details area, specify any desired information.

Priority: The priority level of the DPI Rule. Higher priority rules are applied before lower priority rules.

9-10

Using Deep Packet Inspection

Severity: Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as a sorting criteria when viewing a list of DPI Rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computers Asset Value to determine the Ranking of an Event. (See System > System Settings > Ranking.) CVSS Score: A measure of the severity of the vulnerability according the National Vulnerability Database. Detect Only: Use this checkbox when testing new rules. By checking this box, the rule will create a log entry prefaced with the words detect only: but will not interfere with traffic. If you set the disable logging checkbox in the next panel (below), the rules activity will not be logged regardless of whether Detect Only is checked or not.
Note: Some DPI Rules are designed to only operate in Detect Only mode and cannot be configured to block traffic. For theses rules, the Detect Only option will be set and locked so it cannot be changed.

4.

In the Events area, specify any desired information. Disable Logging: Check to disable Event logging. Generate Event on Packet Drop: Log the dropping/blocking of a packet. Always Include Packet Data: Includes the packet data in the log entry. Enable Debug Mode: Logs multiple packets preceding and following the packet that triggered the rule. Trend Micro recommends only using this option if instructed to do so by your support provider.

5.

In the Identification area (displayed for downloaded rules only), specify any desired information. Type: Can be either Smart (one or more known and unknown (zero day) vulnerabilities), Exploit (a specific exploit, usually signature based), or Vulnerability (a specific vulnerability for which one or more exploits may exist). Issued: The date the Rule was released (not downloaded). Identifier: The rules unique identifier tag. Last Updated: The last date the Rule was updated.

9-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

6.

Click the Vulnerability tab (displayed for Trend Micro rules only), to view information about this particular vulnerability. When applicable, the Common Vulnerability Scoring System (CVSS) is displayed. (For information on this scoring system, see the CVSS page at the National Vulnerability Database.)

7.

Click the Configuration tab (displayed for Trend Micro rules only), to set any configuration options for the download rule. Configuration Options: If the downloaded rule has any configurable options, they will be displayed here. Examples of options might be header length, allowed extensions for http, cookie length, etc. If you apply a rule without setting a required option, an alert will be triggered telling you which rule on which computer(s) requires configuration. (This also applies to any rules that are downloaded and automatically applied by way of a Security Update.)
Note: DPI Rules that have configuration options are displayed in the DPI Rules screen with a small checkmark over their icon ( ).

View Rules (available for custom DPI Rules only): The View Rules... button will be available for DPI Rules that have not been marked confidential by Trend Micro. (Please contact Trend Micro for information on writing your own DPI Rules.)

8. 9.

Click the Options tab to vie w the options. In the Alert area, select whether or not this DPI Rule should trigger an alert when it is triggered. If you only wish this rule to be active during specific periods, assign a schedule from the drop-down list.

10. In the Schedule area, select whether the DPI Rule should only be active during a scheduled time.
Note: DPI Rules that are active only at scheduled times are displayed in the DPI Rules screen with a small clock over their icon ( ).

11. In the Context area, make any desired settings. Contexts are a powerful way of implementing different security policies depending on the computers network environment. You will most often use Contexts to

9-12

Using Deep Packet Inspection

create Security Profiles which apply different Firewall and DPI Rules to computers (usually mobile laptops) depending on whether that computer is in or away from the office. Contexts are designed to be associated with Firewall and DPI Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied. To determine a computers location, Contexts examine the nature of the computers connection to its domain controller. For more information on Contexts, see Contexts on page 10-6. 12. In the Recommendation Options area, choose whether to exclude this DPI Rule from Rule recommendations made after Recommendation Scans. 13. In the Assigned To tab, you can view the list of computers and Security Profiles to which this DPI Rule is assigned.

Creating Custom DPI Rules

IDF provides an XML-based language designed for examining packet contents and deciding whether to log an event or reset the connection.

Considerations for DPI Rules

DPI rules operate on network data as packets are processed in the kernel before delivery to the application (for incoming packets) or before transmission on the network (for outgoing packets). For this reason efficiency of rules is very important and DPI Rules are restricted to simple instruction like operations.

Hello World
Here is an example of a simple rule to detect the occurrence of a pattern:
<rule pat="hello"> log "hello found" </rule>

9-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

This pattern-rule is triggered by the presence of the string hello in a packet. When the rule is triggered the action block of code is executed to log an Event to the IDF Server Plug-in. The string hello found is supplied as a note in the DPI Event in the IDF Server Plug-in.
Note: Pattern rules are case insensitive by default, i.e., this rule will trigger on any variation of the string hello, HELLO, hElLo.

Note:

The DPI engine does not apply pattern rules directly on raw packet data. A malicious payload could be separated into multiple segments or packet fragments, transmitted out of order or in one byte segments. The DPI engine protects against such possible attacks by analyzing the data stream before pattern rule analysis.

XML Quoting
Some characters have special meaning in XML and must be quoted if they are to be used in patterns or note strings. This quoting is required for the following characters: <>&"'
TABLE 9-1.
XML Quoting

C HARACTER
< > & " ' &lt; &gt; &amp; &quot; &apos;

XML Q UOTING

For example to match the string one&"2" use:

<rule pat="one&amp;&quot;2&quot;">

9-14

Using Deep Packet Inspection

log "onetwo" </rule>

Sometimes it may be more convenient to use hex encoded patterns. (See More About Patterns on page 9-20.) If these characters are not quoted properly a Computer Updated system error will result when they are assigned.

Application Types and Rule Directions

By default, rules are triggered as patterns found in the forward connection direction. The meaning of the direction depends on where the rule is to be deployed. On a Web server listening traffic incoming http requests arriving on port 80 would be considered the forward direction and outgoing http responses from the Web server would be considered the backward direction. On a Web client outgoing http requests destined for port 80 would be considered the forward direction whilst incoming replies would be the backwards direction. DPI Rules can contain multiple pattern-rules that look for strings in forward or backwards direction.
<fwd pat="hello">log "hello found"</fwd> <bwd pat="goodbye"> log "goodbye"</bwd>

Using State to Refine Rules

In the above example the goodbye event triggers regardless of whether hello has been seen or not. We can revise this rule so that goodbye is only significant if hello has already been seen:
<fwd pat="hello"> stateset 1 </fwd> <!-- this rule resets the connection when goodbye is seen after hello --> <bwd pat="goodbye" state="1">

9-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

log "goodbye" stateset 0 </bwd>

These rules illustrate the use of the stateset action instruction and the state rule constraint attribute to implement a simple state computer that continually recognizes the occurrence of hello followed by goodbye in the reverse direction on the same connection. Any number of pattern rules can be defined together to track state in this way.

Adding Comments
As rules start to get complex it is helpful to add comments as shown above. Comments can also be used to temporarily block out some sections when testing. Standard XML comments are used with the form <!-- ... -->.

More Rule Actions

Resetting a Connection (drop)
To reset a connection, use the drop instruction:
<rule pat="bad"> drop "bad" </rule>

When a connection is reset with the drop instruction then no further rules will be executed on that connection or any further content even in the same packet (and the connection is reset to both endpoints and no further packets will be permitted)

Understanding Detect and Prevent Modes

A single DPI rule can be placed in detect mode. In this case a drop instruction executed by such a DPI rule is logged but does not cause the connection to be reset. Since the connection is not reset, further rules will still be executed because there may be other DPI rules that are operating in prevent mode.

9-16

Using Deep Packet Inspection

Additionally, the DPI Engine can also be placed into Detect Mode. In this mode connections are not reset but processing of further rules does stop.

Deferred Reset of a Connection (setdrop)

Sometimes its useful to postpone the reset of a connection to allow further rules to execute.
<fwd pat="bad"> setdrop "bad" </fwd> <fwd pat="worse"> drop "worse" </fwd>

In this case we will reset a connection if the content contains bad or worse but if it contains both then the reason will always be worse. As well its possible to cancel a deferred reset:
<fwd pat="good"> clrdrop </fwd>

Note that setdrop defers the drop until the end of the packet. The occurrence of worse may not be the reason since that pattern may come in another packet. This is because the DPI engine does not know that worse is to follow and if the initial packet is determined to be malicious, it will be dropped.

More About Rule Attributes

There are several constraint attributes that can be used to constrain a rule from triggering unless preconditions are met:

9-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

State
The state attribute specifies that the rules action is only to be executed if a previous action has set the current state to the specified value. The value can be in the range 0-255. If the state attribute is not specified then the action is triggered regardless of the current state.

Case-sensitive Matching
The case attribute can be used to require an exact case match:
<fwd pat="hello" case="1"> ... </fwd>

Distance Constraints
The dist attribute can be used to require that two patterns occur within a specified range of each other:
<fwd pat="hello"> ... </fwd>

<fwd pat="goodbye" dist="10,20"> log "goodbye" </fwd>

<fwd pat="salut" distmax="10"> log "salut" </fwd>

<fwd pat="ciao" distmin="10"> log "ciao" </fwd>

The first form of the attribute specifies that goodbye will be detected but only if it is between 10 and 20 bytes from the occurrence of another pattern.

9-18

Using Deep Packet Inspection

The second form distmax specifies only the upper bound and no lower bound on the distance. The last form specifies no upper bound, only a lower bound.
Note: Distance constraints work with patterns in the connection direction, it is not possible to use distance constraint between a forward occurrence pattern and a backwards pattern.

Using Counters
Sometimes it is useful to trigger a rule in the absence of a pattern within a certain distance, for example, to limit the maximum size of a header field. One pattern rule can be used to start a counter, and if desired another rule can clear the counter. Counters can be used to trigger a rules without a specific pattern:
<fwd pat="HELLO"> startcount 1024 </fwd>

<!-- reset if the line is longer than 256 bytes --> <counter> stateset 0 </counter>

<!-- clear the counter when newline is found --> <fwd pat="\n"> clrcount </fwd>

Only one counter can be active at a time in the same domain of rules. If another counter is started while one is pending then the pending counter is automatically cleared.

9-19

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

If a rule starts a counter, it must be followed by a <counter> ...</counter>. This is enforced by the rule compiler.

More About Patterns

Patterns are restricted to fixed length strings. These may include wildcard characters as follows:
TABLE 9-2.
Patterns

\ A (\A)
\w (\W) \d (\D) \s (\S) \p (\P)

A LPHA , A - Z A-Z ( NON - ALPHA )

Alphanumeric a-zA-Z0-9 (non-alpha-numeric) Digit 0-9 (non digit) Whitespace (not whitespace) [\r,\n,\t,0x32] Punctuation character, printable ascii other than above Control character, < 32, >= 127 not including whitespace Any

\c (\C)

\.

Special reserved or binary characters must be quoted or escaped as follows:

TABLE 9-3.
Reserved Characters

\ X DD
\\ \| |xx xx xx...| '\' escape Pipe '|' escape

H EX BYTE 0 X DD

Hex pipe (Byte sequence)

9-20

Using Deep Packet Inspection

Additional rules: Patterns cannot consist solely of wildcards. Hex-encoded sequences are still case-insensitive by default. Regular expression-style variable-length sequences like +,* are not permitted.

Examples:
<rule pat="|90 E8 C0 FF FF FF|/bin/sh" case="1"> drop "IMAP overflow" </rule> <rule pat="port\s\d\d"> ...</rule>

Advanced Rule Actions

When a pattern rule triggers and the constraints are met, the rules action is executed. So far we have seen the simple log, drop, and stateset actions. Actions can be used to define constraints that are more complex than those that can be expressed using the simple distance, case attributes. Actions are defined mostly as a sequence of low level instructions. The instructions have access to a set of virtual registers and can perform simple arithmetic and comparison operations. Actions can also have conditional if-then-else blocks. Each instruction has one of the formats:
instruction STRING instruction REG OPAND

For example,
<fwd pat="login"> add r5 0x100 <!-- r5 <- hex 100 (=256) --> </fwd>

<fwd pat="two"> add r4 256 <!-- r4 <- decimal 256 --> load r6 r4 <!-- r6 <- -->

9-21

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

<if>eq r4 r5<then/> log "ok" </if> </fwd>

Register Assignments
The following virtual registers r0-r7 and c0-c7 are defined for use in instructions
TABLE 9-4. R EGISTER #
0 1 2 3 4-7 Virtual Registers

F ILTER R EGISTER ( R 0- R 7)
State Cursor Reserved Reserved User defined

C ONNECTION R EGISTER ( C 0- C 7)
Connection State UTC time/seconds Packet count Reserved User defined

The state register is another way of referring to the state as used by the state attribute. The packet count register c2 register keeps track of the number of packets processed in each connection direction. The c1 register keeps track of the current time (in seconds since 1970.) These registers can be used to express time or packet based constraints. Additional details on registers: Registers c0-c3 and r0-r3 have predefined meaning. Registers r4-r7 can be used for any purpose. The connection registers c0-c7 are shared across all rules on the same connection (each connection has its own set). The registers r0-r7 are private to each domain of rules in a DPI Rule. All registers can contain 32-bit values.

9-22

Using Deep Packet Inspection

Accessing Registers
Values can be put in registers and moved between registers using the load instruction:
<rule pat="test"> load r4 100 <!-- load value 100 decimal into r4 --> load r5 r4 <!-- copy contents of register r4 into r5 --> </rule>

Since r0 is the state register, the stateset instruction is really just a shorthand for the load instruction; the following are equivalent:
<rule pat="test"> load r0 1 load stateset 1 <!-- same as above --> </rule>

Comparing Registers
Registers can be compared using if blocks and comparison instructions. For example the following rule will reset a connection when the pattern login occurs more than three times:
<rule pat="login"> add r4 1 <if> gt r4 3<then/> drop "repeated3" </if> </rule>

if-Statement The if statement has the general format:

<if> (condition) <then/> <!-- if blocks can be nested -->

9-23

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

<if> (condition) <then/> (statements) </if>

<elseif/> (else condition) <then/> (elseif statements) <else/> (else statements) </if>

break The break instruction stops processing further instructions for the action. This is sometimes helpful to simplify a nested if-block
<if>lt r4 0<then/> break </if>

<if>gt r4 10<then/> drop "range" </if>

The following instructions can be used to compare registers:

9-24

Using Deep Packet Inspection

Equality
TABLE 9-5.
Equality

I NSTRUCTION
eq !eq REG == OPERAND REG != OPERAND

TRUE I F

Signed Comparison The following instructions perform comparison, treating the register and operand as signed 32-bit quantities:
TABLE 9-6.
Signed Comparison

I NSTRUCTION
gt !gt lt !lt

D ESCRIPTION
True if REG > OPERAND True if REG <= OPERAND True if REG < OPERAND True if REG >= OPERAND

Unsigned Comparison The following instructions perform comparison, treating the register and operand as unsigned 32-bit quantities:
TABLE 9-7.
Unsigned Comparison

I NSTRUCTION
ugt !ugt ult

D ESCRIPTION
Unsigned: REG > OPERAND Unsigned: REG <= OPERAND Unsigned: REG < OPERAND

9-25

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 9-7.

Unsigned Comparison

I NSTRUCTION
!ult

D ESCRIPTION
Unsigned: REG >= OPERAND

Modulo32 Comparison The following instructions treat the register and operand as modulo32 quantities. Protocols like TCP use sequence numbers that wrap around across 32-bit boundaries.
TABLE 9-8.
Modulo32 Comparison

I NSTRUCTION
mlt !mlt mgt !mgt

D ESCRIPTION
Mod32: REG < OPERAND Mod32: REG >= OPERAND Mod32: REG > OPERAND Mod32: REG <= OPERAND

Basic Arithmetic Instructions The arithmetic instructions allow for addition, subtraction, multiplication, division and modulo (remainder) operations:
TABLE 9-9.
Basic Arithmetic Instructions

I NSTRUCTION
add sub mul div mod REG += OPERAND REG -= OPERAND REG *= OPERAND REG /= OPERAND REG %= OPERAND

D ESCRIPTION

9-26

Using Deep Packet Inspection

Bitwise Instructions The bitwise logical instructions treat the operand and registers as a set of 32 bits:
TABLE 9-10.
Bitwise Instructions

I NSTRUCTION
and or xor shiftl shiftr REG &= OPERAND REG |= OPERAND REG ^= OPERAND REG <<= OPERAND REG >>= OPERAND

D ESCRIPTION
bitwise and bitwise or bitwise exclusive or bitshift left (zero filled) bitshift right (zero filled)

Order Of Execution
The DPI Engine analyzes all patterns simultaneously and executes them according to the order of pattern occurrence in the traffic stream. The engine stops processing all rules after a connection is reset, so in the case that there are two rules that might drop a connection, only the first one of these will be executed and the possible effect of the second one is masked. If two patterns might occur at the same position then the engine will execute the rules in order of definition:
<rule pat="goodbye">drop "goodbye"</rule> <rule pat="bye">drop "bye"</rule>

In this example the first defined rule will always execute before the second rule. If the pattern rules are defined in separate DPI Rules then the order of definition can be controlled through priorities in IDF Server; patterns in higher priorities rules will execute before patterns in lower priorities at the same position.

9-27

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

UDP Pseudo Connections

Rules can be assigned to UDP traffic as well as TCP traffic. UDP traffic is not connection oriented by definition however request-response sequences between the same source/destination IPs and ports can be inspected in a similar way to TCP data. The following differences apply: UDP messages are never re-ordered by the DPI engine UDP pseudo connections cannot explicitly be reset like TCP

If a rule uses the drop instruction on a UDP pseudo connection, then traffic will be blocked between these endpoints for the UDP timeout period (default 10 seconds).

Web Rules for URIs

Standard Rules can be written to check for access to particular Web server resources. However the same URI can be encoded in many different ways, for example all the following are the same:
http://server/index.html http://server/./index.html http://server/index%2ehtml http://server/i%6edex.html

The DPI engine provides support for normalizing URIs. This feature is only enabled when the Web Protocol Decoding rules are assigned. The following pattern rules apply only to URIs after they have been normalized, this rule will match all the above encodings:
<uri pat="index"> log "index" </uri>

It is not necessary to constrain these rules from executing in the HTTP body or header using additional rules. The Web decoding rules take care of tracking the state of the HTTP protocol.

9-28

Using Deep Packet Inspection

Web Resource and Query Rules

Sometimes it is useful to distinguish between the first part of a URI before a ? and the parameter part following the query. uri rules only run on the part of the URI before the ?. To match on parameters use the uriquery rule:
<uriquery pat="client=firefox"> log "firefox" </uriquery>

URI parameters can be encoded in the body of an HTTP POST request. uriquery rules match the parameters in the post body as well as the part of the URI after the ?.

Considerations for Web Rules

Be careful about mixing uri rules with normal rules and using state. URI rules are executed after decoding and normalization of the URI. The URI in the request line is generally not decoded until the full request line, however other rules on the raw traffic can still be executed. If there are patterns that match on the raw request line, then these will generally be triggered before the uri rules.

Application Types
The applications defined by Application Types are identified by the direction of traffic, the protocol being used, and the port through which the traffic passes. Application Types are a useful way of grouping DPI Rules. They are used to organize DPI Rules with a common purpose into groups. This simplifies the process of selecting a set of DPI Rules to assign to a computer. For example, consider the set of DPI Rules required to protect HTTP traffic to an Oracle Report Server. By grouping DPI Rules into Application Types it is easy to select rules in the Web Server Common and Web Server Oracle Report Server sets while excluding, for example, the set of rules that are specific to IIS Servers. The Application Types screen lists the defined Application Types, along with the following information columns: Application Type icon: Normal Application Types

9-29

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Application Types that have configuration options From the main screen you can: Define a New ( ) Application Type ) View or edit the Properties ( ) of an existing Application Type Duplicate (and then modify) existing Application Types ( Delete ( ) an Application Type New) or Properties ( ) displays the Application Type Properties

Clicking New ( window.

P ATH : IDF

To create or edit Application Types:

MAIN MENU

| D EEP P ACKET I NSPECTION > A PPLICATION TYPES

1. 2.

Click New to create new Application Types from scratch, or select an existing Application Type and click Properties ( ) to modify the Application Type. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the Application Type. Description: The description of the Application Type. Minimum Client Plug-in Version: The minimum version of the IDF Client Plug-in required to implement this Application Type. Direction: The direction of the initiating communication. That is, the direction of the first packet that establishes a connection between two computers. For example, if you wanted to define an Application Type for Web browsers, you would select Outgoing because it is the Web browser that sends the first packet to a server to establish a connection (even though you may only want to examine traffic traveling from the server to the browser). The DPI Rules associated with a particular Application Type can be written to examine individual packets traveling in either direction. Protocol: The protocol this Application Type applies to. Port: The port(s) this Application Type monitors. (Not the port(s) over which traffic is exclusively allowed.)

3.

In the Connection area, specify any desired information.

9-30

Using Deep Packet Inspection

4.

In the Configuration tab, you can control how DPI Rules associated with this Application Type behave. For example, the Web Server Common Application Type has an option to Monitor responses from Web Server. If this option is deselected, DPI Rules associated with this Application Type will not inspect response traffic over source port 80.

5.

In the Options tab, you can set how the IDF Server Plug-in uses and applies the Application Type. For example, most Application Types have an option to exclude them from Recommendation Scans. This means that if the Exclude from Recommendations options is selected, a Recommendation Scan will not recommend this Application Type and its associated DPI Rules for a computer even if the application in question is detected.

6.

In the Assigned To tab, you can view the DPI Rules associated with this Application Type.

9-31

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

9-32

Chapter 10

Components
This chapter describes the Trend Micro Intrusion Defense Firewall components. Topics in this chapter: About Components on page 10-2 IP Lists on page 10-2 MAC Lists on page 10-3 Port Lists on page 10-4 Contexts on page 10-6 Schedules on page 10-8

10-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Components
Components allow you to create reusable lists for the following: IP Lists: Reusable lists of IPs. MAC Lists: Reusable lists of MAC addresses. Port Lists: Reusable lists of ports. Contexts: Contexts which specify the circumstances under which a Firewall or DPI Rule is in effect. Schedules: Reusable schedules.

IP Lists
Use the IP Lists screen to create reusable lists of IP addresses for use by multiple Firewall Rules. From the main screen you can: Create New IP Lists from scratch Import ( (New) ) IP Lists from an XML file )

Examine or modify the Properties of an existing IP List ( ) Duplicate (and then modify) existing IP Lists ( Delete an IP List ( ) Export ( ) one or more IP lists to an XML file. (Either export them all by clicking the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the IP List Properties window.

Clicking New (

10-2

Components

IP List Properties
To create or edit IP List properties:
P ATH : IDF
MAIN MENU

| C OMPONENTS > IP L ISTS

1. 2.

Click New to create new IP List Properties from scratch, or select an existing IP List and click Properties ( ) to modify the IP List. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the IP List. Description: The description of the IP List.

3.

In the IP(s) area of the General tab, type the IP addresses, masked IP addresses, and IP address ranges that are going to be on your list. Only put one of these per line. As well as individual addresses, you can enter IP ranges and masked IPs. Use the examples in the Supported Formats area to properly format your entries. (You can insert comments into your IP list by preceding the text with a hash sign (#).)

4.

In the Assigned To tab, you can view a list of rules making use of this IP List. Clicking the names of the rules displays their Properties window.

MAC Lists
Use the MAC Lists section to create reusable lists of MAC addresses. From the main screen you can: Create New ( ) MAC lists from scratch Import ( ) MAC lists from an XML file ) Examine or modify the Properties of an existing MAC list ( ) Duplicate (and then modify) existing MAC lists ( Delete a MAC list ( ) Export ( ) one or more MAC lists to an XML file. (Either export them all by clicking the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the MAC List Properties window.

Clicking New (

10-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

MAC List Properties

To create or edit MAC List properties:
P ATH : IDF
MAIN MENU

| C OMPONENTS > MAC L ISTS

1. 2.

Click New to create new MAC List Properties from scratch, or select an existing MAC List and click Properties ( ) to modify the MAC List. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the MAC List. Description: The description of the MAC List.

3.

In the MAC(s) area, type the MAC addresses that are going to be on your list. Only put one of these per line. The MAC(s) list supports MAC addresses in both hyphen- and colon-separated formats. Use the examples in the Supported Formats area to properly format your entries. (You can insert comments into your MAC list by preceding the text with a pound sign (#).)

4.

In the Assigned To tab, you can view a list of rules making use of this MAC list. Clicking the names of the rules displays their Properties window.

Port Lists
Use the Port Lists screen to create reusable lists of ports. From the main screen you can: Create New port lists from scratch ( Import ( New) ) port lists from an XML file )

Examine or modify the Properties of an existing port list ( ) Duplicate (and then modify) existing port lists ( Delete a port list ( ) Export ( ) one or more port lists to an XML file. (Either export them all by click the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the Port List properties window.

Clicking New (

10-4

Components

Port List Properties

To create or edit Port List properties:
P ATH : IDF
MAIN MENU

| C OMPONENTS > P ORT L ISTS

1. 2.

Click New to create new Port List Properties from scratch, or select an existing Port List and click Properties ( ) to modify the Port List. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the Port List. Description: The description of the Port List.

3.

In the Ports(s) area, enter the ports that are going to be on your list. Only put one of these per line. For a listing of which ports are used for what, see the Internet Assigned Numbers Authority (IANA). Individual ports and port ranges can be included on the list. Use the examples in the Supported Formats area to properly format your entries. (You can insert comments into your port list by preceding the text with a pound sign (#).)

4.

In the Assigned To tab, you can view a list of rules making use of this port list. Clicking the names of the rules displays their Properties window.

Configuring Port Scan Settings

By default, the range of ports that are scanned is the range known as the Common Ports, 1-1024, but you can define a different set of ports to scan.
Note: Port 4118 is always scanned regardless of port range settings. It is the port on the computer to which Server Plug-in initiated communications are sent. If communication direction is set to Client Plug-in Initiated for a computer (System > System Settings > Computers), port 4118 is closed.

10-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To define a new port range to be scanned:

1. 2.

Go to Components > Port Lists and click New in the menu bar. The New Port List screen will appear. Type a name and description for the new port list and then define the ports in the Port(s) text box using the accepted formats. (For example, to scan ports 100, 105, and 110 through 120, you would type 100 on the first line 105 on the second, and 110-120 on the third.) Click OK. Now go to System > System Settings > Scan and click the Ports to Scan drop-down menu. Your newly defined Port List will be one of the choices.

3.

Contexts
Contexts are a powerful way of implementing different security policies depending on the computers network environment. Contexts are designed to be associated with Firewall and DPI Rules. If the conditions defined in the Context associated with a Rule are met, the Rule is applied. (To link a Security Rule to a Context, go to the Options tab in the Security Rules Properties window and select the Context from the Context drop-down menu.) Contexts can be used to provide Client Plug-ins with location awareness. To determine a computers location, Contexts examine the nature of the computers connection to its domain controller and connectivity to the internet. Select the Context applies when Domain Controller connection is: option and choose from the following: Locally Connected to Domain: True only if the computer can connect to its domain controller directly Remotely Connected to Domain: True if the computer can only connect to its domain controller via VPN Not Connected to Domain: True if the computer cannot connect to its domain controller by any means Not Connected to Domain, No Internet Connectivity: True if the computer cannot connect to its domain controller by any means and the computer has no Internet connectivity. (The test for Internet connectivity can be configured in System > System Settings > Contexts.)

10-6

Components

By assessing the ability of the computer to connect with its domain controller or the Internet, the Client Plug-in can then implement rules such as restricting HTTP traffic to non-routable (private) IP addresses only. For an example of a Security Profile that implements Firewall Rules using Contexts, examine the properties of the Location Aware - High Security Profile. From the toolbar or the right-click context menu on the Contexts screen, you can: Create New ( Import ( New) Contexts from scratch ) Contexts from an XML file )

Examine or modify the Properties of an existing Context ( ) Duplicate (and then modify) existing Contexts ( Delete a Context ( ) Export ( ) one or more Contexts to an XML file. (Either export them all by clicking the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the Context Properties window.

Clicking New (

Context Properties
To create or edit Context properties:
P ATH : IDF
MAIN MENU

| C OMPONENTS > C ONTEXTS

1. 2.

Click New to create new Context Rule Properties from scratch, or select an existing Context Rule and click Properties ( ) to modify the Context Rule. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the Context Rule. Description: The description of the Context Rule. Minimum Client Plug-in Version: Shows the earliest version of the IDF Client Plug-in the rule is compatible with.

3.

In the Options area, configure the following:

10-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Context applies when Domain Controller connection is: Specifying an option here will determine whether or not the Firewall Rule is in effect depending on the ability of the computer to connect to its Domain Controller or its Internet Connectivity. (Conditions for testing Internet Connectivity can be configured in System > System Settings > Contexts.) If the Domain Controller can be contacted directly (via ICMP), the connection is Local. If it can be contacted via VPN only, then the connection is Remote (VPN). The time interval between Domain Controller connectivity test is the same as the Internet Connectivity Test interval which is also configurable in System > System Settings > Contexts.
Note: The Internet Connectivity Test is only performed if the computer is unable to connect to its Domain Controller.

Context Applies to Interface Isolation Restricted Interfaces: This context will apply to network interfaces on which traffic has been restricted through the use of Interface Isolation. (Primarily used for Allow or Force Allow Firewall Rules.)

4.

In the Assigned To tab, you can view a list of rules making use of this Context.

Schedules
Schedules are rule components used to define when a particular Firewall or DPI rule is in effect. Schedules can also be used to specify when the Server Plug-in can communicate with Client Plug-ins to update a Security Profile. Other non-rule based Scheduled Tasks such as downloading and applying new Security Updates can be defined from System > Tasks. From the toolbar or the right-click context menu you can: Create New schedules from scratch ( Import ( New) ) schedules from an XML file )

Examine or modify the Properties of an existing schedule ( ) Duplicate (and then modify) existing schedules (

10-8

Components

Delete a schedule ( ) Export ( ) one or more schedules to an XML file. (Either export them all by clicking the Export... button, or choose from the drop-down list to export only those that are selected or displayed) New) or Properties ( ) displays the Schedule properties window.

Clicking New (

Schedule Properties
To create or edit Schedule properties:
P ATH : IDF
MAIN MENU

| C OMPONENTS > S CHEDULES

1. 2.

Click New to create new Schedule Properties from scratch, or select an existing Schedule and click Properties ( ) to modify the Schedule. In the popup window, specify any desired information in General Information area of the General tab. Name: The name of the Schedule. Description: The description of the Schedule.

3. 4.

Define the schedule. Schedule periods are defined by hour-long time blocks. Clicking a time block selects it, and shift-clicking de-selects it. In the Assigned To tab, you can view a list of rules making use of this schedule.

10-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

10-10

Chapter 11

Managing the IDF Server Plug-in

This chapter describes Trend Micro Intrusion Defense Firewall server management and configurations. Topics in this chapter: Securing the IDF Server Plug-in on page 11-2 Upgrading the Server Plug-in on page 11-3 Migrating To a Larger Database on page 11-3 Migrating a Single Managed Computer to a New IDF Server on page 11-7 Optimizing the Embedded Database on page 11-7 Migrating IDF Data To Another Database on page 11-10 Uninstalling the Server Plug-in on page 11-14

11-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Securing the IDF Server Plug-in

Protecting the IDF Server Plug-in with a Client Plug-in

Protect IDF Server Plug-in by installing a Client Plug-in on its computer and apply the IDF Server Plug-in Security Profile.
Configuring a Client Plug-in on the IDF Server Plug-in's computer

1. 2. 3. 4. 5. 6. 7.

Install an OfficeScan Client on the same computer as the Server Plug-in. Make sure the computer is listed as a Networked Computer on the OfficeScan Web console. Go to the Computers screen and click the Synchronize with OfficeScan button. Double-click the new computer in the Computers screen to display its Details window and go to Deep Packet Inspection > SSL Configurations. A listing of the SSL Configurations for this computer will be displayed. Click New to start the wizard to create a new SSL Configuration. Specify the interface used by the Server Plug-in. Click Next. On the Port screen, choose to protect the port used by the IDF Server Plug-in Web Application GUI over HTTPS. (4119 by default, unless you chose another port during installation. To confirm which port the Server Plug-in is using, check the URL youre using to access it.) Click Next. Specify whether SSL DPI analysis should take place on all IP addresses for this computer, or just one. (This feature can be used to set up multiple virtual computers on a single computer.) Next, choose to Use the SSL Credentials built into the IDF Server Plug-in. (This option only appears when creating an SSL Configuration for the Server Plug-ins computer.) Click Next.

8.

9.

10. Finish the wizard and close the SSL Configuration screen. 11. Back in the computers Details window, apply the IDF Server Plug-in Security Profile which includes the Firewall Rules and DPI Rules required for the IDF Server Plug-in to operate on port 4119. You have now protected the Server Plug-ins computer and are now filtering the traffic (including SSL) to the Server Plug-in.

11-2

Managing the IDF Server Plug-in

Note:

After configuring the Client Plug-in to filter SSL traffic, you may notice that the IDF Client Plug-in will return several Renewal Error events. These are certificate renewal errors caused by the new SSL certificate issued by the Server Plug-in computer. You should therefore restart your browser session with the Server Plug-in to acquire the new certificate from the Server Plug-in computer.

The IDF Server Plug-in Security Profile has the basic Firewall Rules assigned to enable remote use of the Server Plug-in. Additional Firewall Rules may need to be assigned if the Server Plug-ins computer is being used for other purposes. The Security Profile also includes the DPI Rules in the Web Server Common Application Type. Additional DPI Rules can be assigned as desired. Because the Web Server Common Application Type typically filters on the HTTP Port List and does not include port 4119, port 4119 is added as an override to the ports setting in the DPI Rules screen of the Security Profiles Details window.

Upgrading the Server Plug-in

The OfficeScan Plug-in Manager screen will inform you if a new version of the Intrusion Defense Firewall Server Plug-in is available. The new version will be listed above the current version. To upgrade to the new version, click the Download button. When the new version has finished downloading, click Upgrade to upgrade your Server Plug-in.
Note: Before upgrading the IDF Server Plug-in, make sure that you have already installed the required minimum version of OfficeScan and Plug-in Manager. (See the Intrusion Defense Firewall Deployment Guide.)

Migrating To a Larger Database

IDF installs Microsoft SQL Server 2005 to use as its database. SQL Server 2005, with its 4GB limit, may be too small for your needs. The following instructions are for migrating to a larger SQL Server Enterprise database. For assistance with migrating to other supported databases, please contact Trend Micro Support.

11-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

Normally you do not have to activate the SQL Browser service, but in some instances you have to switch it on, particularly if you are using the default instance. Please refer to the Microsoft page SQL Browser Service.

Note:

Remote connection via Windows authentication is not supported. IDF connection to the DB should be either Mixed Mode or SQL Server authentication.

1. 2. 3. 4. 5. 6.

Back up the data in question. This can be done via a scheduled task. Go to System > Scheduled Tasks > New. Select Once Only as the frequency. Choose the Backup task type. e.g. to "C:\dbbackup". Let the task run. Monitor the System Events for the Backup Finished event. When the event shows up, immediately shut down the Intrusion Defense Firewall service in the Windows Services control panel. This will ensure new logs/data are not created after your backup. Find your database backup file e.g. "C:\dbbackup\IDFBackup.bak", and copy the file (or make it available) to the machine where the new database will be saved. Restore the backup. For example, create a new database called idf-restore1. Right-click the file and select Tasks > Restore..., then link up the file in the Devices area, and chose to Overwrite Existing Database on the Options tab.
Note: Your exact settings here may vary.

7. 8.

9.

Once the database has been migrated, you need to point your IDF to use the new database. Edit the following file on your IDF server host:
C:\Program Files\Trend Micro\OfficeScan\Addon\Intrusion Defense Firewall\webclient\webapps\ROOT\WEB-INF\dsm.properties

10. Update the file: A simple dsm.properties file looks like this:
#Wed Jun 11 16:19:19 EDT 2008

11-4

Managing the IDF Server Plug-in

database.SqlServer.user=sa database.name=IDF database.directory=null\\ database.SqlServer.password=$1$87251922972564e6bb3e2da9e688c d4ceb42b9bfb17a942c3c8ad99ff05938c81 database.SqlServer.instance=IDF mode.demo=false database.SqlServer.namedPipe=true database.type=SqlServer database.SqlServer.server=. manager.node=1

It should be modified to look like this:

#Wed Jun 11 16:19:19 EDT 2008 database.SqlServer.user=sa database.name=idf-restore1 database.directory=null\\ database.SqlServer.password=<cleartext password> database.SqlServer.instance= mode.demo=false database.SqlServer.namedPipe=false database.type=SqlServer database.SqlServer.server=bdurie-desktop manager.node=1 Note: Your options may vary, but ensure that if you choose named pipes, the proper windows authentication/trust exists between the IDF Server host and the database host. If you choose TCP, ensure it is enabled on the database.

11. Restart the Intrusion Defense Firewall service on the IDF Server.
Note: Upgrades should work normally and continue to point to the new database instance, but the old database will be retained. It is not necessary to remove the old database, although it could be removed if desired.

11-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Migrating Managed Computers to a New IDF Server

Computers with existing Client Plug-ins can be successfully migrated to another Intrusion Defense Firewall Server without losing their configuration as long as the Client Plug-ins have remained installed and have not been deactivated.
Note: The deactivation instruction (carried out from the Computers screen by right-clicking a Computer and selecting Actions > Deactivate) unbinds the Client Plug-in from the exclusive control of the current Server Plug-in and removes all filters and rules that were in effect.

The migration operation is essentially identical to a Backup and Restore Operation (see Backing Up and Restoring IDF on page 11-10) but with the added step of informing the Server Plug-in of its new hostname.
To migrate computers to a new Intrusion Defense Firewall:

1. 2.

Perform a Backup operation on the original Intrusion Defense Firewall installation as described in Backing Up and Restoring IDF on page 11-10. Install the Intrusion Defense Firewall Server Plug-in onto the new OfficeScan server using the same procedures as described in the Intrusion Defense Firewall installation instructions. Copy the file named IDFBackup.bak from Microsoft SQL Servers backup directory (typically C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\IDFBackup.bak) from the original installation to the new Intrusion Defense Firewalls SQL Server backup directory. Perform a Restore operation as described in Backing Up and Restoring IDF on page 11-10. Inform the new restored Intrusion Defense Firewall Server Plug-in of its new hostname by executing the following idf_c.exe command from the Intrusion Defense Firewall root directory, replacing NewComputerName with the updated hostname. (This can be a static IP or a fully qualified name.)
idf_c -action changesetting -name "configuration.dsmUrl" -value "NewComputerName"

3.

4. 5.

For example, to change the hostname to OfficeScan_Win2K, you would execute:

11-6

Managing the IDF Server Plug-in

idf_c -action changesetting -name "configuration.dsmUrl" -value "OfficeScan_Win2K"

The new installation of the Intrusion Defense Firewall will detect and recognize the Client Plug-ins from the previous installation and operations will continue as before.

Migrating a Single Managed Computer to a New IDF Server

Single Computers can be migrated to a new Intrusion Defense Firewall but they will not retain any configuration information unless the new Intrusion Defense Firewall Server Plug-in has been restored with the backed-up files from the original Intrusion Defense Firewall (see Backing Up and Restoring IDF on page 11-10).
To migrate a single computer from one Intrusion Defense Firewall to another:

1.

Right-click the computer in the Computers screen of the current Server Plug-in and select Actions > Deactivate Client Plug-in(s) to deactivate the Client Plug-in. Use the Move Client feature of the OfficeScan management console to move the computer to the Server. (Computers listed in the OfficeScan server are automatically listed in the Computers screen of the IDF Server Plug-in.) Right-click the computer in the Computers screen of the new IDF Server Plug-in and select Actions > Activate/Reactivate Client Plug-in(s) to activate the Client Plug-in.

2.

3.

The Client Plug-in has now been activated by the new Server Plug-in. The old Server Plug-in will no longer be able to communicate with the Client Plug-in.

Optimizing the Embedded Database

The IDF Server Plug-in installs and uses Microsoft SQL Server Express for data storage. The following information will

11-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

MS SQL Server Expresss 4GB Limitation

It is not possible to increase the database capacity for SQL Server Express, but it is possible to migrate to a database that has no space constraints such as SQL Server database. A set of migration steps have been established. (See Migrating To a Larger Database on page 11-3 for instructions.) Contact your support provider for additional assistance.

Archiving the Logs

SQL Server Expresss cap GB of data makes it unsuitable for archiving. For audit and compliance requirements, you should periodically backup your database. For information on creating scheduled backups, see Backing Up and Restoring IDF on page 11-10.

Minimizing the Space Used by the Database

IDF Server stores events in the database and automatically purges events when they reach a certain age. The maximum age of these events is fully configurable from IDF Server. This allows an administrator to tune how long they want to keep certain types of events in IDF Server, and hence allows an administrator to effectively tune how their database space is utilized. Prune settings are configured in IDF Server by going to System > System Settings, selecting the System tab, and then editing the settings within the Prune section. Changes to these settings are effective immediately, but it will take IDF Server up to an hour to do the actual pruning, as it is done every hour. To decide what prune settings would benefit from being shortened, you can use a SQL Server database tool to inspect your database and find out which tables are taking up the majority of the space: http://www.microsoft.com/downloadS/details.aspx?familyid=C243A5AE-4BD1-4E3 D-94B8-5A0F62BF7796&displaylang=en If you intend to use the tool indicated above, install it on the IDF Server host, launch the tool and login to the IDF instance, expand the IDF database, view the tables, and then fetch the properties of the tables listed below to determine their size. Considering

11-8

Managing the IDF Server Plug-in

that SQL Server Express has a maximum size of 4GB, you should consider any table below that is over 1GB to be too large, and its pruning settings should be lowered if possible. The following tables are included in the Firewall/DPI events prune settings:
packetlogs payloadlogs payloadlogdatas

The following tables are included in the system/client plug-in events prune settings:
systemevents agentevents

The following tables are included in the counters prune settings:

counter3s counter3ports counter3ips

Shrinking the Size of the IDF Database

SQL Server Express database by default has a maximum data capacity of 4GB, but its database log file (IDF_Log.mdf) can grow as large as needed. In some extreme cases it can grow up to the size of the main database file (4GB). In some situations it may be helpful to shrink the database so it consumes less actual disk space. The only way to perform this operation on the IDF database is by using a SQL Server tool. This can be done using the SQL Server Express Management tool, or via a similar command line tool both tools are provided free from Microsoft:
http://www.microsoft.com/downloadS/details.aspx?familyid=C243A5 AE-4BD1-4E3D-94B8-5A0F62BF7796&displaylang=en http://www.microsoft.com/DownLoads/details.aspx?familyid=FA87E8 28-173F-472E-A85C-27ED01CF6B02&displaylang=en

After installing the command-line tool on the IDF Server machine, the following command will shrink the database:

11-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

sseutil shrink name=IDF server .\IDF m

Usually the shrink is performed on the logical logs. They grow more rapidly than the database and sometimes are not flushed.
To release logical log space:

1. 2. 3.

Perform a full backup. Perform logical logs backup. Run the following two SQL queries to release the space:
USE idf GO Checkpoint USE idf DBCC SHRINKFILE(idf_log, 1) BACKUP LOG WITH TRUNCATE_ONLY DBCC SHRINKFILE(idf_log, 1)

Note:

Another option, discouraged by Microsoft but still technically an option to keep the files small, is to switch the IDF database into Auto-Shrink mode. You can do this using the latter GUI tool mentioned above by selecting the Databases->IDF node, right-click and select Properties, choose Options, and then configuring the Auto Shrink mode to be True.

Migrating IDF Data To Another Database

A set of migration steps have been established (see Migrating To a Larger Database starting on page 11-3. Contact your support provider team for additional assistance.

Backing Up and Restoring IDF

Intrusion Defense Firewall uses Microsoft SQL Server Express as its database. The database stores all the Intrusion Defense Firewall data: All Logs and Events Security Profiles

11-10

Managing the IDF Server Plug-in

IPS Filters Firewall Rules Stateful Configurations All Components (IP Lists, MAC Lists, Port Lists, etc.) Alert Configurations System Settings The configurations of the Client Plug-ins on all Computers
Intrusion Defense Firewall can always restore the first eight of these items to any OfficeScan Server, but to restore #9, The configurations of all Client Plug-ins on all Computers, the OfficeScan Server must have the same list of Networked Computers with the same OfficeScan-generated unique IDs as it did when the Intrusion Defense Firewall backup was executed. If that is the case, the Server Plug-in will push out the backed up Security Profiles (any other elements) out to the Client Plug-ins during the next Update operation and the Client Plug-ins will be in the same state with the same configuration they were in at the time of the backup. If the OfficeScan Server has had to re-populate its Networked Computers list from scratch (and therefore assigned new unique IDs to each Computer), the Server Plug-in has no way of recognizing the Computers and will not be able to restore their previous configurations.

Note:

Backup
To schedule regular database backups, go to System > Scheduled Tasks and click New in the toolbar to start the Scheduled Task Wizard. Select Backup from the drop-down list and then use the next two screens to specify how often you want a backup to be performed. When you are prompted for the output location, specify the SQL Server backup directory which is typically located at:
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Backup\

The next step of the Wizard will prompt you to name the new Scheduled Task and give you the option to run task after closing the Scheduled Task Wizard.

11-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Backups are stored in a single SQL Server backup file named IDFBackup.bak. Each time a backup is performed, data is added to the backup file. Each backup instance that is added to the backup file will be retained in the backup file for 15 days, after which that backup instance will be overwritten the next time a backup is performed.

Restore
To restore from the last backup:

1. 2.

Stop the Intrusion Defense Firewall service from the Services Microsoft Management Console snap-in. Run IDFRestore.bat from the Intrusion Defense Firewall root directory (typically C:\Program Files\Trend Micro\OfficeScan\Addon\Intrusion Defense Firewall). Start the Intrusion Defense Firewall service.

3.

When restoring, IDFRestore.bat will attempt to restore from IDFBackup.bak found in the SQL Server backup directory.

Modifying Backup and Restore Options

Backup
Intrusion Defense Firewall comes with a file called IDFBackup.bat which can be used to perform backups manually. It is located in the Intrusion Defense Firewall root directory (C:\Program Files\Trend Micro\OfficeScan\Addon\Intrusion Defense Firewall). Use IDFBackup.bat if you want to modify the directory where backups are stored, the name of the backup file, or the number of days that backups are kept (15 days by default). To change the directory where backup files will be stored, or to change the number of days that a backup instance should be retained you will need to edit IDFBackup.bat in a text editor. The backUpFile parameter specifies the file name and location of the backup file. The retainDays parameter specifies the number of days a backup instance should be retained for.

11-12

Managing the IDF Server Plug-in

For example, to change the backup file to C:\IDF Backups\MyIDFBackup.bak, and the number of days to 7, you would make the following changes to IDFBackup.bat:
CALL sqlcmd -S localhost\IDF -E -v backUpFile="C:\IDF Backups\MyIDFBackup.bak" retainDays=7 -i "IDFBackup.sql" Note: The directory in which backups will be stored must already exist prior to running the backup. For the above example that would be C:\IDF Backups\

Setting Up Scheduled Backups Using IDFBackup.bat

To schedule regular backups using IDFBackup.bat, a Windows scheduled task will need to be created. Windows Scheduled Tasks can be accessed from the Control Panel within Windows. When creating the scheduled backup task, you will need to select IDFBackup.bat as the program you want Windows to run. This will require browsing to the Intrusion Defense Firewall root directory (typically C:\Program Files\Trend Micro\OfficeScan\Addon\Intrusion Defense Firewall). Within the Windows Scheduled Task Wizard, you can select the time and frequency you want the backup to run.

Restore
To change the directory and file from which backups will restored, you will need to edit IDFRestore.bat in a text editor. The backUpFile parameter will need to be changed. For example, to change the backup file to C:\IDF Backups\MyIDFBackup.bak, you would make the following changes to IDFRestore.bat:
CALL sqlcmd -S localhost\IDF -E -v backUpFile="C:\IDF Backups\MyIDFBackup.bak" -i "IDFRestore.sql"

11-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Uninstalling the Server Plug-in

From the OfficeScan Plug-In Manager click Uninstall in the Intrusion Defense Firewall panel.

FIGURE 11-1. Uninstall Server Plug-in

Note:

The IDF Server Plug-in cannot be uninstalled using the Control Panel Add or Remove Programs applet.

11-14

Chapter 12

System
This chapter describes how to monitor and manage the Trend Micro Intrusion Defense Firewall System. Topics in this chapter: About the System on page 12-2 Viewing System Events on page 12-2 System Settings on page 12-6 Tags on page 12-25 Tasks on page 12-26 Licenses on page 12-27 Updates on page 12-28

12-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About the System

The System screen allows you to manage all of the following: System Events: Use the System Events screen to examine system-related events (as opposed to security-related events). System Settings: The Settings section lets you control the administration of the IDF system. Tags: All currently defined tags are displayed in the Tags screen. Tasks: The Tasks section provides the ability to configure recurring automated and event-based tasks. License: The license page displays details about your Trend Micro product license such as which IDF Modules are available and how many computers you are licensed to install Client Plug-in software on. Updates: The Updates section allows you to manage security and software updates.

Viewing System Events

The System Events screen lists the System Event log, which is a record of system-related events (as opposed to security-related events). For a list of possible System Events, see System Events on page C-8. The System Event screen displays the following information for each event: Time: The time according to the system clock on the computer hosting the IDF Server Plug-in. Level: The severity level of event that occurred. Event levels include Info, Warning, and Error. Event ID: The event types unique identifier. Event: The name of the event (associated with the event ID.) Target: The system object associated with the event will be identified here. Clicking the objects identification will display the objects properties sheet. Event Origin: The source of the event. Action By: The user who initiated the event, if initiated by a user. Server Plug-in: The hostname of the IDF Server Plug-in computer.

From the main screen you can:

12-2

System

View ( ) the details (properties) of a system event Search ( Export ( ) for a particular system event ) currently displayed system events to a CSV file

Additionally, right-clicking a log entry gives you the option to: Add Tag(s): Add an Event Tag to this event (see Event Tagging on page 12-4) Remove Tag(s): Remove exiting Event Tags
MAIN MENU

To view details for a system event:

P ATH : IDF | S YSTEM > S YSTEM E VENTS

1. 2. 3. 4.

Select an event and click View ( ) to display the Event Viewer Properties window. In the General Information area, you can view information about the selected event. In the Description area, the specific details of what action was performed to trigger this entry in the system event log will be displayed here, if appropriate. Click the Tags tab to display tags that have been attached to this Event. To view more tag information, see System > System Settings > Tags. For information on tagging events, see Event Tagging on page 12-4.

Filtering the List and Searching for an Event

The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe. The Computers toolbar lets you organize the display of event log entries by computer domain or computer Security Profiles.

12-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Clicking Advanced Search toggles the display of the search bar.

FIGURE 12-1. Computers Toolbar

Pressing the Add Search Bar button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the Submit Request button (at the right of the toolbars with the right-arrow on it).

Exporting Events
You can export displayed events to a CSV file. (Paging is ignored, all pages will be exported.) You have the option of displaying the displayed list or the selected items.

Event Tagging
Event Tagging allows administrators to manually tag events with custom labels (Assigned to Tom for review, etc.). In addition to the manual tagging of events, automated event tagging can be accomplished via the use of a Reference Computer. For example, a planned rollout of a patch can be applied to the reference computer, the events associated with the application of the patch can be tagged as Patch X, similar events raised on other systems can automatically be deemed to be acceptable changes and suppressed to reduce the number of events subjected to scrutiny by an administrator. Event tagging enables specialized views of events, dashboards, and reports and can be applied to a single event, similar events, or even to all future similar events.

12-4

System

Tagging Events
Event Tagging allows you to manually tag System Events with custom labels (Assigned to Tom for review, etc.). Event tagging enables specialized views of events, dashboards, and reports and can be applied to a single event, similar events, or even to all future similar events.
To apply a tag to one or more selected Events:
P ATH : IDF M AIN M ENU | S YSTEM > S YSTEM E VENTS

1. 2. 3. 4.

Select the events in the Events list, then right-click and select Add Tag(s).... Type a name for the tag. (IDF Server Plug-in will suggest matching names of existing tags as you type.) Select 1 Selected System Event. (If you selected multiple events from the Events list, the number of selected events will be displayed.) Click Next. Enter some optional comments and click Finish.

Looking at the Events list, you can see that the Event has now been tagged.
To tag multiple similar Events:

1. 2. 3. 4.

Right-click on a representative event from the Events list and select Add tag(s).... Type a name for the tag. (IDF Server Plug-in will suggest matching names of existing tags as you type.) Select Also apply to similar System Events. Click Next. Select which attributes will be examined to determine whether Events are similar or not. For the most part, the attribute options are the same as the information displayed in the columns of the Events list screen. When you have selected which attributes to include in the Event selection process, click Next. Select what type of similar System Events should this rule be applied to.
Note: Notice the Save Auto-Tag Rule option. The selection criteria you have specified can be saved so that you can apply them again at a future date when new events have accumulated. Saved auto-tag rules can be found in the System > Tags screen.

5.

6. 7.

Click Next. Enter some optional comments and click Next.

12-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

8.

Review the Summary of your Event selection criteria and click Finish.

Looking at the Events list, you can see that your original Event and all similar Events have been tagged.
To tag multiple similar Events as well as future similar Events:

The procedure for tagging multiple similar as well as future Events is the same as above except for step 5, where you also select New System Events. Selecting New System Events causes the IDF Server Plug-in to scan its database every five seconds (or more) for new Events and tag the appropriate ones.
Note: Tagging only occurs after Events have been retrieved from the Client Plug-ins to the IDF Server Plug-ins database.

System Settings
The System > System Settings screen lets you control the administration of the IDF system. This section is for managing system configuration settings such as session timeouts, system alerts, communications between Client Plug-ins and the Server Plug-in, heartbeat settings, etc.
Note: The Settings screen has a Save button at the bottom right. Changes made to these settings (all tabs) must be saved before they take effect.

Computers Firewall and DPI Interface Isolation Contexts Reconnaissance Scan Notifications Ranking Updates System

12-6

System

Computers
To configure computer settings:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Computers tab, if it is not already open. In the Communication Direction area, select one of the following: Bidirectional: By default, communications are bi-directional. This means that the Client Plug-in normally initiates the heartbeat but still listens on the Client Plug-in port for Server Plug-in connections. The Server Plug-in is still free to contact the Client Plug-in in order to perform operations as required. This allows the Server Plug-in to apply changes to the security configuration to the Client Plug-in as they occur. Server Plug-in Initiated: With this option selected, all Server Plug-in to Client Plug-in communications are initiated by the Server Plug-in. This includes security configuration updates, heartbeat operations, and requests for Event logs. Client Plug-in Initiated: With this option selected, the Client Plug-in does not listen on port 4118. Instead it contacts the Server Plug-in on the heartbeat port (4120 by default) as dictated by the heartbeat settings. Once the Client Plug-in has established a TCP connection with the Server Plug-in all normal communication takes place: the Server Plug-in first asks the Client Plug-in for its status and for any events. (This is the heartbeat operation). If there are outstanding operations that need to be performed on the computer (e.g., the Security Profile needs to be updated), these operations are performed before the connection is closed. In this mode, communications between the Server Plug-in and the Client Plug-in only occur on every heartbeat. If a Client Plug-ins security configuration has changed, it will not be updated until the next heartbeat.
Note: Client Plug-ins look for the IDF Server Plug-in on the network by the Server Plug-in's hostname. Therefore the Server Plug-in's hostname must be in your local DNS for Client Plug-in initiated or bidirectional communication to work.

To enable communications between the Server Plug-in and the Client Plug-ins, the Server Plug-in automatically implements a (hidden) Firewall Rule (priority four,

12-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Bypass) which opens port 4118 on the Client Plug-ins to incoming TCP/IP traffic. The default settings open the port to any IP address and any MAC address. You can restrict incoming traffic on this port by creating a new priority 4, Force Allow or Bypass Firewall Rule, which only allows incoming TCP/IP traffic from specific IP and/or MAC addresses. This new Firewall Rule will replace the hidden Firewall Rule if the settings match the following: action: force allow or bypass priority: 4 - highest packet's direction: incoming frame type: IP protocol: TCP packet's destination port: 4118 (or a list or range that includes 4118)

As long as these settings are in effect, the new rule will replace the hidden rule. You can then type Packet Source information for IP and/or MAC addresses to restrict traffic to the computer. 3. In the Hostnames area, choose whether to update the Hostname entry if an IP is used as a hostname and a change in IP is detected on the computer after Client Plug-in-initiated communication or discovery: Turn this option on if, for example, your network has no DNS and you are using dynamic IPs. (IDF Server Plug-in always identifies computers/Client Plug-ins by their unique fingerprint, not their IP addresses.) In the Remote Activation area, choose whether to enable Remote Activation. The default process of installing and activating a Client Plug-in on a computer is as follows: the Client Plug-in is installed on a computer and then a user uses the IDF Server Plug-in to activate the Client Plug-in. This activation sends a unique encrypted fingerprint from the Server Plug-in to the Client Plug-in. The Client Plug-in now knows not to accept any instructions not identified as coming from the Server Plug-in by that fingerprint. There may be circumstances, however, where it is desirable for the activation to be initiated by the Client Plug-in rather than by the Server Plug-in. (Large, distributed installations, for example.) In this case the Server Plug-in must be configured to allow Client Plug-ins to communicate with it and initiate activation. Use the Remote Activation panel to set restrictions on which computers can initiate their own Client Plug-in activations.

4.

12-8

System

Client Plug-in initiated activation is performed from the command-line. The following are the Client Plug-ins activation-related command-line options:
TABLE 12-1.
Client Plug-in's activation-related command-line options

U SAGE : DSA _ CONTROL [/ A < STR >] [/ G < STR >] [/ C < STR >] [/ R ]
/a <str> Activate Client Plug-in with IDF Server at specified URL. URL format must be "dsm://hostOrIp:port/" "port" is the Server Plug-in's Heartbeat port. (4120 by default.) /g <str> Client Plug-in URL. Defaults to "https://127.0.0.1:4118/" Certificate file Reset Client Plug-in configuration

/c <str> /r

Note:

You can instruct IDF Server Plug-in to send a default Security Profile to self-activating Client Plug-ins which do not already have a Security Profile assigned to them. Use the Security Profile to assign (when no Security Profile is currently assigned) to select a Security Profile.

5.

In the Heartbeat area, set the following options: Heartbeat Interval (in minutes): How much time passes between heartbeats. Number of Heartbeats that can be missed before an alert is raised: Several missed heartbeats in a row may indicate a problem with the Client Plug-in or the computer. This setting determines how many missed heartbeats are allowed to go by before the Server Plug-in triggers an alert. (For example, entering three will cause the Server Plug-in to trigger an alert on the fourth missed heartbeat.) Maximum change (in minutes) of the local system time on the computer between heartbeats before an alert is raised: For Client Plug-ins that are capable of detecting changes to the system clock (Windows Client Plug-ins) these events are reported to the Server Plug-in as Client Plug-in Event 5004. If the change exceeds the clock change listed here then an alert is triggered. For

12-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Client Plug-ins that do not support this capability (non-Windows Client Plug-ins), the Server Plug-in monitors the system time reported by the Client Plug-in at each heartbeat operation and will trigger an alert if it detects a change greater than the permissible change specified in this setting.
Note: Once a Computer-Clock-Changed alert is triggered, it must be dismissed manually.

6.

In the Automatically Update Computers area, specify whether to automatically update computers. By default, any time you make a change to any element in the IDF system, all affected computers are immediately updated. For example, if you edit a port list, all computers already making use of that port list will get updated immediately. (If you make such a change and then look at the Computers screen, you will see the updates happening.) Not setting the Automatically update all affected computers after changing any aspect of the IDF System option means that after any changes, you will have to find affected computers on the Computers screen, right-click them and choose Update Client Plug-in(s) Now from the context menu.
Note: This applies to Security Updates as well. If a Security Update includes, for example, an updated port list for Oracle servers, the updated port list will be deployed to all computers currently making use of that port list unless you have selected the manual option.

Firewall and DPI Settings

To configure Firewall and DPI settings:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Firewall and DPI tab. In the Network Engine Mode area, choose whether the Client Plug-ins network engine can operate Inline or in Tap Mode. When operating Inline, the live packet stream passes through the network engine. Stateful tables are maintained, Firewall Rules are applied and traffic normalization is carried out so that DPI Rules can be applied to payload content. When operating in Tap Mode, the live packet stream is cloned and diverted from the main stream. In

12-10

System

Tap Mode, the live packet stream is not modified; all operations are carried out on the cloned stream. 3. In the Events area, configure events as follows: You can set the maximum size of each individual log file and how many of the most recent files are kept. Event log files will be written to until they reach the maximum allowed size, at which point a new file will be created and written to until it reaches the maximum size and so on. Once the maximum number of files is reached, the oldest will be deleted before a new file is created. Event log entries usually average around 200 bytes in size and so a 4MB log file will hold about 20,000 log entries. How quickly your log files fill up depends on the number of rules in place. Maximum size of the event log files (on Client Plug-in): Adjust these settings if you begin to see Insufficient Disk Space alerts for one or more computers. Number of event log files to retain (on Client Plug-in): Adjust these settings if you begin to see Insufficient Disk Space alerts for one or more computers. Collect Firewall Events from Client Plug-in: Retrieve the latest Firewall Events from the Client Plug-in at every Heartbeat. Collect DPI Events from Client Plug-in: Retrieve the latest DPI Events from the Client Plug-in at every Heartbeat.
Note: Events are records of individual events. Counters are a record of the number of times individual events have occurred. Events are used to populate the Events screens. Counters are used to populate the Dashboard Widgets (number of Firewall Events over the last 7 days, etc.) and the Reports. You might want to collect only counters if, for example, you are using syslog for event collection; events can potentially take up a lot of disk space and you may not want to store the data twice.

Do Not Record Events with Source IP of: This option is useful if you want IDF to not make record Events for traffic from certain trusted computers.

12-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

The following three settings let you fine tune Event aggregation. To save disk space, IDF Client Plug-ins will take multiple occurrences of identical events and aggregate them into a single entry and append a repeat count, a first occurrence timestamp, and a last occurrence timestamp. To aggregate event entries, IDF Client Plug-ins need to cache the entries in memory while they are being aggregated before writing them to disk.

Cache Size: Determines how many types of events to track at any given time. Setting a value of 10 means that 10 types of events will be tracked (with a repeat count, first occurrence timestamp, and last occurrence timestamp). When a new type of event occurs, the oldest of the 10 aggregated events will be flushed from the cache and written to disk. Cache Lifetime: Determines how long to keep a record in the cache before flushing it to disk. If this value is 10 minutes and nothing else causes the record to be flushed, any record that reaches an age of 10 minutes gets flushed to disk. Cache Staletime: Determines how long to keep a record whose repeat count has not been recently incremented. If Cache Lifetime is 10 minutes and Cache Staletime is two minutes, an event record which has gone two minutes without being incremented will be flushed and written to disk.
Note: Regardless of the above settings, the cache is flushed whenever Events are sent to the IDF Server Plug-in.

Generate Firewall Events for packets that are Out Of Allowed Policy: Select whether you wish to log packets that are dropped because they have not been specifically permitted by an Allow rule or Firewall Rule. (Note that turning this option on can significantly increase the size of your log files. Allow DPI Rules to capture data for the first hit of each rule (in period): Keep the data from the packet that triggered a log entry. (The packets data can be viewed with the log entry. Each rule will only capture data once in a five second period to avoid unduly large log files.) CLOSED timeout: For gateway use. When a gateway passes on a hard close (RST), the side of the gateway that received the RST will keep the connection alive for this amount of time before closing it.

4.

In the Advanced area, configure the Use Custom Driver Settings:

12-12

System

SYN_SENT Timeout: How long to stay in the SYN-SENT state before closing the connection. SYN_RCVD Timeout: How long to stay in the SYN_RCVD state before closing the connection. FIN_WAIT1 Timeout: How long to stay in the FIN-WAIT1 state before closing the connection. ESTABLISHED Timeout: How long to stay in the ESTABLISHED state before closing the connection. ERROR Timeout: How long to maintain a connection in an Error state. (For UDP connections, the error can be caused by any of a variety of UDP problems. For TCP connections, the errors are probably due to packets being dropped by the firewall.) DISCONNECT Timeout: How long to maintain idle connections before disconnecting. CLOSE_WAIT Timeout: How long to stay in the CLOSE-WAIT state before closing the connection. CLOSING Timeout: How long to stay in the CLOSING state before closing the connection. LAST_ACK Timeout: How long to stay in the LAST-ACK state before closing the connection. ACK Storm timeout: The maximum period of time between retransmitted ACKs within an ACK Storm. In other words, if ACKs are being retransmitted at a lower frequency then this timeout, they will NOT be considered part of an ACK Storm. Boot Start Timeout: For gateway use. When a gateway is booted, there may already exist established connections passing through the gateway. This timeout defines the amount of time to allow non-SYN packets that could be part of a connection that was established before the gateway was booted to close. Cold Start Timeout: Amount of time to allow non-SYN packets that could belong to a connection that was established before the stateful mechanism was started. UDP Timeout: Maximum duration of a UDP connection. ICMP Timeout: Maximum duration of an ICMP connection.

12-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Allow Null IP: Allow or block packets with no source and/or destination IP address. Block IPv6: Block or Allow IPv6 packets. (DPI Filtering of IPv6 traffic is not supported. It can only be blocked or allowed.) Connection Cleanup Timeout: Time between cleanup of closed connections (see next). Maximum Connections per Cleanup: Maximum number of closed connections to cleanup per periodic connection cleanup (see previous). Block Same Src-Dest IP Address: Block or allow packets with same source and destination IP address. (Doesn't apply to loopback interface.) Maximum TCP Connections: Maximum simultaneous TCP Connections. Maximum UDP Connections: Maximum simultaneous UDP Connections. Maximum ICMP Connections: Maximum simultaneous ICMP Connections. Maximum Events per Second: Maximum number of events that can be written per second. TCP MSS Limit: The MSS is the Maximum Segment Size (or largest amount of data) that can be sent in a TCP packet without being fragmented. This is usually established when two computers establish communication. However, in some occasions, the traffic goes through a router or switch that has a smaller MSS. In this case the MSS can change. This causes retransmission of the packets and the Client Plug-in logs them as Dropped Retransmit. In cases where there are large numbers of Dropped Retransmit event entries, you may wish to lower this limit and see if the volume is reduced. Number of Event Nodes: The maximum amount of kernel memory the driver will use to store log/event information for folding at any one time.
Note: Event folding occurs when many Events of the same type occur in succession. In such cases, the Client Plug-in will fold all the events into one.

Ignore Status Code: This option lets you ignore certain types of Events. If, for example, you are getting a lot of Invalid Flags you can simply ignore all instances of that Event. Ignore Status Code: Same as above.

12-14

System

Ignore Status Code: Same as above. Advanced Logging Policy: Bypass: No filtering of Events. Overrides the Ignore Status Code settings (above) and other advanced settings, but does not override logging settings defined in the IDF Server Plug-in. For example, if Stateful Configuration logging options set from a Stateful Configuration Properties window in the IDF Server Plug-in will not be affected. Default: Will switch to Tap Mode (below) if the engine is in Tap Mode, and will switch to Normal (above) if the engine is in Inline Mode. Normal: All Events are logged except dropped retransmits. Backwards Compatibility Mode: For support use only. Verbose Mode: Same as Normal but including dropped retransmits. Stateful and Normalization Suppression: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, unsolicited udp, unsolicited ICMP, out of allowed policy. Stateful, Normalization, and Frag Suppression: Ignores everything that Stateful and Normalization Suppression ignores as well as events related to fragmentation. Stateful, Frag, and Verifier Suppression: Ignores everything Stateful, Normalization, and Frag Suppression ignores as well as verifier-related events. Tap Mode: Ignores dropped retransmit, out of connection, invalid flags, invalid sequence, invalid ack, max ack retransmit, packet on closed connection.
For a more comprehensive list of which Events are ignored in Stateful and Normalization Suppression; Stateful, Normalization, and Frag Suppression; Stateful, Frag, and Verifier Suppression; and Tap modes, see Advanced Logging Policy Modes on page 13-19.

Note:

Silent TCP Connection Drop: When Silent TCP Connection Drop is on, a RST packet is only sent to the local stack. No RST packet is sent on the wire. This reduces the amount of information sent back to a potential attacker.

12-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Note:

If you enable the Silent TCP Connection Drop you must also adjust the DISCONNECT Timeout. Possible values for DISCONNECT Timeout range from 0 seconds to 10 minutes. This must be set high enough that the connection is closed by the application before it is closed by the IDF Client Plug-in. Factors that will affect the DISCONNECT Timeout value include the operating system, the applications that are creating the connections, and network topology.

Enable Debug Mode: When in debug mode, the Client Plug-in captures a certain number of packets (specified by the setting below: Number of Packets to retain in Debug Mode). When a rule is triggered and debug mode is on, the Client Plug-in will keep a record of the last X packets that passed before the rule was triggered. It will return those packets to the Server Plug-in as Debug Events.
Note: Debug mode can very easily cause excessive log generation and should only be used under Client Services supervision.

Number of Packets to retain in Debug Mode: The number of packets to retain and log when debug mode is on. Log All Packet Data: All internally defined logs (i.e., not FW/DPI/verifier) which have not been aggregated will attach the full packet data to their log. This and the following two settings are equivalent to the matching DPI and FW log settings. Log only one packet within period: If the above is not set, but this is set, then most logs will only contain the header data with a full packet being attached only periodically. Period for Log only one packet within period: The period between when full packet data will be logged if the above is set. Maximum data size to store when packet data is captured: The maximum size of header or packet data to be attached to a log. Generate Connection Events for TCP: Generates a Firewall Event every time a TCP connection is established. Generate Connection Events for ICMP: Generates a Firewall Event every time an ICMP connection is established.

12-16

System

Generate Connection Events for UDP: Generates a Firewall Event every time a UDP connection is established. Bypass CISCO WAAS Connections: This mode bypasses stateful analysis of TCP sequence numbers for connections initiated with the proprietary CISCO WAAS TCP option selected. This protocol carries extra information in invalid TCP Sequence and ACK numbers that interfere with stateful firewall checks. Only enable this option if you are using CISCO WAAS and you are seeing connections with Invalid SEQ or Invalid ACK in the firewall logs. When this option is selected, TCP stateful sequence number checks are still performed for non WAAS enabled connections. Drop Evasive Retransmit: Incoming packets containing data that has already been processed will be dropped to avoid possible evasive retransmit attack techniques. Verify TCP Checksum: The segment's checksum field data will be used to assess the integrity of the segment. Minimum Fragment Offset: Defines the minimum acceptable IP fragment offset. Packets with offsets less than this will be dropped with reason IP fragment offset too small. If set to 0 no limit is enforced. (default 60) Minimum Fragment Size: Defines the minimum acceptable IP fragment size. Fragmented packets that are smaller than this will be dropped with reason First fragment too small as potentially malicious. (default 120) Fragment Timeout: How long to keep fragmented packets. Maximum number of fragmented IP packets to keep: If configured to do so, the DPI Rules will edit the content of a packet (or packet fragment) if that content is considered suspicious. This setting determines how long after editing to wait for the remaining packet fragments before discarding the packet. Send ICMP to indicate fragmented packet timeout exceeded: Whether not to indicate to remote computer with an ICMP packet that a connection timeout has been exceeded.

Interface Isolation Settings

Interface Isolation allows you to force a computer to use only one interface at any one time. This feature was designed to prevent attackers from bridging across two interfaces.

12-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

To configure Interface Isolation settings:

P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2. 3.

Click the Interface Isolation tab. In the Interface Isolation area, choose whether to enable Interface Isolation. In the enforce interface isolation, in the Interface Patterns area, enter string patterns that will match the names of the interfaces on a computer (in order of priority). You can use standard regular expression syntax when creating your list of interfaces.
Note: If you enter a string pattern that matches more than one interface on a computer, then traffic will be allowed on all of those matching interfaces. To make sure that only one interface is active, set the Limit to one active interface option.

Note:

This is an option you may not want to set at the global level, but at more granular levels for particular Security Profiles or computers only. To do this, set the global settings to not enforce interface isolation and then override the setting on the Security Profile or the computer. For more information on overriding settings, see Inheritance and Overrides on page 6-28.

Contexts Settings
Contexts determine whether a protected computer has Internet connectivity or not. Some IDF Rules can be applied conditionally depending on the computer's network connectivity conditions. This is known as Location Awareness. The Internet connectivity condition options for a particular rule can be configured on the Options tab of the rule's Properties window. The Internet Connectivity Test can also be used when implementing Interface Isolation. (See Contexts Settings on page 12-18.)
To configure Contexts settings:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Contexts tab. In the Internet Connectivity Test area, configure the following options:

12-18

System

URL for testing Internet Connectivity Status: The URL to which an HTTP request will be sent to test Internet Connectivity. (You must include http://.) Regular Expression for returned content used to confirm Internet Connectivity Status: A regular expression which will be applied to the returned content to confirm that HTTP communication was successful. Test Interval: The time interval between connectivity tests.

Reconnaissance Settings
The Reconnaissance screen allows you to enable and configure traffic analysis settings on all or selected computers. For each type of attack, the Client Plug-in can be instructed to send the information to the IDF Server Plug-in where an alert will be triggered. You can configure the Server Plug-in to send an email notification when the alerts are triggered. (Go to System > System Settings > Notifications. The Alerts are: Network or Port Scan Detected, Computer OS Fingerprint Probe Detected, TCP Null Scan Detected, TCP FIN Scan Detected, and TCP Xmas Scan Detected.) Select Notify IDF Server Immediately for this option. For more information on Notifications, see Notifications Settings on page 12-21.
Note: Stateful Inspection must be on and TCP and UDP Logging enabled for Reconnaissance protection to function. Stateful Inspection and logging can be enabled in the Firewall > Stateful Configurations screen.

Once an attack has been detected, you can instruct the Client Plug-ins to block traffic from the source IPs for a period of time. Use the Block Traffic drop-down lists to set the number of minutes. Computer OS Fingerprint Probe and Network or Port Scans differ from the other three types of reconnaissance in that they cannot be recognized by a single packet. The Client Plug-in reports a computer or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Normally a Client Plug-in computer will only see traffic destined for itself, so a port scan is by far the most common type of probe that will be detected. However, if a computer is acting as a router or bridge it could see

12-19

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

traffic destined for a number of other computers, making it possible for the Client Plug-in to detect a computer scan (ex. scanning a whole subnet for computers with port 80 open). Detecting these scans can take several seconds since the Client Plug-in needs to be able to track failed connections and decide that there are an abnormal number of failed connections coming from a single computer in a relatively short period of time. The statistical analysis method used in computer/port scan detection is derived from the TAPS algorithm proposed in the paper Connectionless Port Scan Detection on the Backbone published by Sprint/Nextel and presented at the Malware workshop, held in conjunction with IPCCC, Phoenix, AZ, USA in April, 2006.
Note: IDF Client Plug-ins running on Windows computers with browser applications may occasionally report false-positive reconnaissance scans due to residual traffic arriving from closed connections.

For the Notify IDF Server Immediately option to work, the Client Plug-ins must be configured for Client Plug-in initiated or bi-directional communication. (See System > System Settings > Computers.) If enabled, the Client Plug-in will initiate a heartbeat to the IDF Server Plug-in immediately upon detecting the attack or probe.
To configure Reconnaissance settings:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Reconnaissance tab. In the Reconnaissance Scans area, configure the following options: Reconnaissance Scan Detection Enabled: Perform detection. Computers/Networks on which to perform detection: Choose from the drop-down list the IPs to protect. Choose from existing IP Lists. (You can use the Components > IP Lists screen to create an IP List specifically for this purpose.) Do not perform detection on traffic coming from: Select from a set of IP Lists which computers and networks to ignore. (As above, you can use the Components > IP Lists screen to create an IP List specifically for this purpose.)

12-20

System

Computer OS Fingerprint Probe: The Client Plug-ins will recognize and react to active TCP stack OS fingerprinting attempts. Network or Port Scan: The Client Plug-ins will recognize and react to port scans. TCP Null Scan: The Client Plug-ins will refuse packets with no flags set. TCP SYNFIN Scan: The Client Plug-ins will refuse packets with only the SYN and FIN flags set. TCP Xmas Scan: The Client Plug-ins will refuse packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).

Scan Settings
To configure Scan settings:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Scan tab. In the Scanning for Open Ports area, select a port list to be used when the IDF Server Plug-in performs a port scan on discovered computers. (The port lists in the drop-down list are the same ones defined in the Port Lists screen in the Components section.) In the Scanning for Recommendations area, choose whether to perform ongoing scans and set the interval Periodically, the Client Plug-ins can scan their computer for common applications and then make rule recommendations based on what is detected. This setting sets the interval between scans on computers that have been configured to allow them.

3.

Notifications Settings
To configure Notifications:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Notifications tab. In the Alert Notification (from the Server Plug-in) area, enter an email address to which all alert emails will be sent regardless. (Which alerts will trigger the sending of an email can be configured from the System > System Settings > System screen.)

12-21

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

3. 4.

In the Notification Frequency (From the Client Plug-in) area, select how often events are sent from the Client Plug-in to alert recipients. In the Firewall and DPI Event Notification (from the Client Plug-in) area, select Forward Events to a Remote Computer (via Syslog) if you wish to store your logs on a dedicated syslog server, type the required information in these fields. For information on configuring Syslog, see Configuring Syslog Integration on page 13-3. In the System Event Notification (from the Server Plug-in) area, configure the following options if desired: Forward System Events to a Remote Computer (via Syslog): Notifications can be sent to a Syslog server. Type the details of your syslog server here. For information on configuring Syslog, see Configuring Syslog Integration on page 13-3. Forward System Events to a Remote Computer (via SNMP): IDF also supports SNMP. The MIB file (DeepSecurity.mib) is located in: \Trend
Micro\OfficeScan\Addon\Intrusion Defense Firewall\util

5.

Ranking Settings
The Ranking system provides a way to quantify the importance of DPI and Firewall Events. By assigning asset values to computers, and assigning severity values to DPI Rules and Firewall Rules, the importance (Rank) of an Event is calculated by multiplying the two values together. This allows you to sort Events by Rank when viewing DPI or Firewall Events.
To configure Ranking:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Ranking tab. In the Firewall Rule Severity Values area, configure any of the following: Firewall Rule Severity Values: Severity values for Firewall Rules are linked to their actions: Deny, Log Only, and Packet Rejection. (The latter refers to packets rejected because of a stateful configuration setting.) Use this panel to edit the severity values which will be multiplied by a computers asset value to determine the rank of a Firewall Event. (A Firewall Rule's actions can viewed and edited in the Rule's Properties window.)

12-22

System

DPI Rule Severity Values: DPI Rule Severity Values are linked to their severity levels: Critical, High, Medium, or Low. Use this panel to edit their values which will be multiplied by a computers asset value to determine the rank of a DPI Event. A DPI Rule's severity setting can be viewed in the Rule's Properties window. Asset Values: Asset Values are not associated with any of their other properties like DPI Rules or Firewall Rules. Instead, Asset Values are properties in themselves. A computer's Asset Value can be viewed and edited from the computer's Details window. To simplify the process of assigning asset values, you can predefine some values that will appear in the Asset Importance drop-down list in the first screen of the computer's Details window. To view existing predefined computer Asset Values, click the View Asset Values... button in this panel. The Asset Values window displays the predefined settings. These values can be changed, and new ones can be created. (New settings will appear in the drop-down list for all computers.)

Updates
To ensure maximum protection you must keep your pattern files and software components current. The Updates tab on the System > System Settings screen allows you to set how DPI Rules are applied when IDF Server Plug-in checks for updates. To see the status of current updates, go to the System > Updates screen.
To configure Updates:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the Updates tab. In the IDF Rule Updates area, configure any of the following: Allow IDF Rule Updates to automatically assign new DPI Rules: New DPI Rules in Security Updates are associated with Application Types (HTTP Server, DNS Client, MS SQL Server, etc.). If this option is checked, new DPI Rules can automatically be assigned to computers on which the new DPI Rule's associated Application Type is active. Two conditions must be met for a rule to be automatically assigned to a computer: This option must be selected on this screen.

12-23

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

The rule itself, created by Trend Micro, must be designed to allow auto-assignment. (Some rules, although associated with an Application Type, are not intended to be auto-assigned. The IDF Server Plug-in will recognize these rules and not apply them even if this option is checked.)

Allow IDF Rule Updates to set an alert on new DPI Rules: Some new DPI Rules are considered important enough by Trend Micro that they are set to trigger an alert by default. Clearing this will override that default behavior.

System
To configure the System:
P ATH : IDF
MAIN MENU

| S YSTEM > S YSTEM S ETTINGS

1. 2.

Click the System tab. In the Alert Configuration area, configure all of IDF Server Plug-in's possible Alerts. For the most part, this means turning them on or off, setting their severity levels, and configuring the Alert's email notification settings. In the SMTP area, type the address of your SMTP mail (with the port if required). Enter a From email address from which the emails should be sent. Optionally enter a bounce address to which delivery failure notifications should be sent if the alert emails cant be delivered to one or more users. If your SMTP mail server requires outgoing authentication, enter the username and password credentials. Once you've entered the necessary information, use the Test SMTP Settings to test the settings. In the Prune area, define how long to store Event records and Counters, older Security Updates, and older versions of Client Plug-in software before a purge removes them from the database. With respect to the Event settings, your decisions should be based on the robustness of the database system you are using, the amount of available storage space, and which events you have decided to log. Some tips on logging: Disable log collection for computers that are not of interest. This can be done through the Advanced Settings in the computer Details window or the Security Profile Details window. Consider reducing the logging of Firewall Rule activity by disabling the logging options in the Stateful Configuration. (For example, disabling the UDP logging will eliminate the unsolicited UDP log entries)

3.

4.

12-24

System

For DPI Rules the best practice is to log only dropped packets. Logging packet modifications may result in a lot of log entries. For DPI Rules, only include packet data (an option in the DPI Rule's Properties window) when you are interested in examining the source of attacks. Otherwise leaving packet data on will result in much larger log sizes.
Logs are used to populate the Events pages. Counters are data aggregated from the logs. They are used to generate Reports and populate the Dashboard widgets.

Note:

5. 6.

In the Export area, you can select the encoding used when you export data files from the IDF Server Plug-in. In the Whois area, you can specify the whois lookup to be used when logging DPI and Firewall Events.

Tags
Event Tagging allows administrators to manually tag events with predefined labels (attack, suspicious, patch, acceptable change, false positive, high priority, etc.) and the ability to define custom labels (Assigned to Tom for review, etc.). In addition to the manual tagging of events, automated event tagging can be accomplished via the use of a Reference Computer. For example, a planned rollout of a patch can be applied to the reference computer, the events associated with the application of the patch can be tagged as Patch X, similar events raised on other systems can automatically be deemed to be acceptable changes and suppressed to reduce the number of events subjected to scrutiny by an administrator. Event tagging enables specialized views of events, dashboards, and reports and can be applied to a single event, similar events, or even to all future similar events. For more information on tagging, including how to add tags, see Event Tagging on page 12-4. Viewing Tags All currently defined tags are displayed in the System > Tags screen. This includes predefined as well as custom tags. (Only tags that are currently in use are displayed.) Delete Tags: Deleting a tag removes the tag from all events to which it is attached.

12-25

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

View Auto-Tag Rules: Auto-Tag Rules are created by selecting events and choosing to tag similar items.

Tasks
Tasks let you schedule certain common tasks. Scheduled Tasks will initiate a procedure according to a defined schedule.
To create a task:
P ATH : IDF M AIN M ENU | S YSTEM > TASKS

1.

Click New ( ) and select New Scheduled Task. The wizard that appears will guide you through the steps of creating a new Task. You will be prompted for different information depending on the type of task. The wizard allows you to schedule the following tasks: Run Script: If the Syslog and SNMP options do not meet your event notification requirements, it may be possible for Trend Micro to provide a solution using custom-written scripts. Please contact Trend Micro for more information. Update Computers: Periodically perform an update operation on selected computers. An update operation ensure that all configuration changes made in the IDF Server Plug-in have been applied. Component Update: Periodically update components. An update operation ensures that all components updates have been applied for IDF Rule updates. Scan Computers for Recommendations: Causes the IDF Server Plug-in to scan the computer(s) for common applications and then make recommendations based on what is detected. Check for New Software: Check if new versions of the Server Plug-in, Client Plug-ins or Filter Driver are available. Backup: Perform regular database backups. (This option is only available if you are using a Derby or Microsoft SQL Server database.)

2.

12-26

System

To view or edit a task:

P ATH : IDF M AIN M ENU | S YSTEM > TASKS

1. 2.

Select a task and click ( ), or right-click and select Properties... from the popup menu. In the properties window, edit the information in the Schedule Information area as desired, and click OK. or Apply.

To duplicate a task:
P ATH : IDF M AIN M ENU | S YSTEM > TASKS

1. 2.

Select a task and click Duplicate ( popup menu.

), or right-click and select Duplicate... from the

To rename the task, click ( ), or right-click and select Properties... from the popup menu and enter a new name in the Properties window.

To delete a task:
P ATH : IDF M AIN M ENU | S YSTEM > TASKS

Select a task and click Delete ( ), or right-click and select Delete from the popup menu.

To run a scheduled task:

P ATH : IDF M AIN M ENU | S YSTEM > TASKS

Select a task and click Run Task Now ( ), or right-click and select Run Task Now from the popup menu.

Licenses
The Licenses screen displays details about your Trend Micro IDF product licenses. You can see the license status by clicking View detailed license online. Contact Trend Micro if you wish to upgrade your license. If Trend Micro has provided you with a new activation code, click New Activation Code and enter it there. Newly licensed features will be immediately available. For complete upgrade instructions, click View license upgrade instructions. Alerts will be raised if any module is about to expire or has expired.

12-27

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Updates
The Updates screen displays the status of current updates. To configure updates, go to System > System Settings > Updates.

Security Updates
Security Updates include new rules as well as modifications of existing DPI Rules. Last Check for Security Updates: When the last check for security updates was performed. Click Download to check for updates. Current Applied Version: Currently applied version of the Security Update.

The View Security Updates... button displays a list of the most recent DPI Rules. If required you can reapply the current Rule set to computers being protected by IDF or rollback to a previous Rule set. You can configure the number of Rule updates that are kept in the IDF Server Plug-in's database by going to the Prune area in the System > System Settings > System tab.

Applying Security Updates

Updates to Intrusion Defense Firewall come from the same OfficeScan server update source. (The URL of the Trend Micro servers can be changed from Updates > Server > Update Source in the OfficeScan console. Consult your OfficeScan documentation for details.)
To manually check for, download, and apply the latest Security Updates:
P ATH : IDF M AIN M ENU > S YSTEM > U PDATES

1. 2.

Click the Download button to check for and retrieve the latest update. Once the update is downloaded, click the View Security Updates... button to open a new window displaying all downloaded updates. The listed updates will have a green check mark in the Applied column indicating if they have been applied to the Client Plug-ins. Select the latest Security Update from the list and click Apply... (or Reapply...) in the menu bar. A new window will open displaying information about the update that will be applied. Click Finish to deploy the update.

3.

4.

12-28

System

Note:

You can revert to a previous Security Update by selecting it and clicking Reapply... in the menu bar.

To automatically check for and download the latest Update:

1. 2. 3. 4. 5. 6.

Navigate to the System > Tasks screen. Click New on the tool bar and select New Scheduled Task to open the New Scheduled Task Wizard. Select Component Update from the Type drop-down list. Follow the steps in the wizard to select how often and at what time to carry out this task. Updates will be automatically downloaded. To automatically apply the latest Security Updates, check Apply IDF Rule Updates Automatically. Click Finish.

Client Plug-in Updates

Client Plug-in Updates apply the latest version of the Client Plug-in and driver. Last Check for Client Plug-in Updates: When the last check for Client Plug-in updates was performed. Click Download to check for updates. Latest 32 Bit Driver Version: Latest version of the 32-bit driver available from Trend Micro. Latest 64 Bit Driver Version: Latest version of the 64-bit driver available from Trend Micro. Latest Client Plug-in Deployment: Number of computers running the latest version of the Client Plug-in.
Updates to IDF Client Plug-ins can all be deployed using the IDF Server Plug-in. New versions of the IDF Server Plug-in, however, must be updated through the OfficeScan Web consoles Plug-in Manager. For information on upgrading the Server Plug-in, see Upgrading the Server Plug-in on page 11-3.

Note:

Click Deploy Latest to deploy the latest version of the Client Plug-in and drivers.

12-29

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Server Diagnostics
You can create a diagnostic package for support. The Diagnostic Package Wizard leads you through the process, allowing you to choose the information that will be included in the package. Click Generate Diagnostic Package... to start the wizard.

12-30

Chapter 13

Logging
This chapter describes how to configure Trend Micro Intrusion Defense Firewall logs. Topics in this chapter: About Logging on page 13-2 Configuring Logs on page 13-2 Configuring Notifications on page 13-2 Configuring Syslog Integration on page 13-3

13-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

About Logging
IDF can be instructed to send information to a Syslog server: the Client Plug-in sends DPI and Firewall Event information, and the Server Plug-in sends System Information. IDF can be configured to send notifications, send information to a Syslog server, and to operate in a Logging Policy mode.

Configuring Logs
By default, IDF Server Plug-in collects logs from the Client Plug-ins via the heartbeat. The number of computers this feature can support depends on the frequency of the heartbeat interval (every 10 minutes by default), how active your computers are, and the log settings. Here are some tips to help maximize the effectiveness of log collection: Disable log collection for computers that are not of interest. Do this by going to System > System Settings and then the Firewall and DPI tab in either the computers Details windows or the Security Profiles Details windows. Consider reducing the logging of Firewall Rule activity by disabling some logging options in the Stateful Configuration Properties window. For example, disabling the UDP logging will eliminate the Unsolicited UDP log entries. For DPI Rules the best practice is to log only dropped packets. Logging packet modifications may result in a lot of log entries. For DPI Rules, only include packet data (an option in the DPI Rules Properties window) when you are interested in examining the source of attacks. Otherwise leaving packet data inclusion on will result in much larger log sizes.

Configuring Notifications
In addition to alert emails via SMTP and logging to the database chosen during install (internal Derby, SQL Server, or Oracle), the IDF system provides several ways of integrating with third-party recording and notification mechanisms.

13-2

Logging

Syslog
Both the Client Plug-ins and the Server Plug-in can be instructed to send information to a Syslog server. The Client Plug-in will send DPI and Firewall Event information, and the Server Plug-in will send System Information. To configure the Syslog settings, go to System > System Settings > Notifications. Notice that there are two panels for configuring Event Notification: one for Firewall and DPI Event Notification and one for System Event Notification. For information on configuring Syslog, see Configuring Syslog Integration on page 13-3.

SNMP
The Server Plug-in also has the option of sending System Event Notifications from the Server Plug-in to an SNMP server. Use the same screen to enter SNMP settings. The MIB file (DeepSecurity.mib) is located in \Trend
Micro\OfficeScan\Addon\Intrusion Defense Firewall\util

Scripts
If the Syslog and SNMP options do not meet your event notification requirements, it may be possible for Trend Micro to provide a solution using custom-written scripts. Please contact Trend Micro for more information.

Configuring Syslog Integration

IDF supports Common Event Format 1.0, a format sponsored by ArcSight (www.arcsight.com). Although IDF supports two other syslog formats (Basic Syslog, and Common Event Format (legacy)), these formats are made available for legacy installations and should not be used for new integration projects.
Note: Enabling Syslog forwarding in the IDF Server Plug-in does not affect default logging. That is, enabling syslog will not turn off the normal logging mechanisms.

13-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Setting up a Syslog on Red Hat Enterprise

The following steps describe how to configure Syslog on Red Hat Enterprise to receive logs from IDF Client Plug-ins. 1. 2. 3. Log in as root. Execute: vi /etc/syslog.conf Add the following two lines of text to the end of the syslog.conf: #Save IDF Server Plug-in logs to IDF Server.log Local4.* 4. 5. 6. 7. 8. 9. /var/log/IDF Server.log Save the file and exit. Create the /var/log/IDF Server.log file by typing touch /var/log/IDF Server.log. Set the permissions on the IDF Server log so that syslog can write to it. Execute: vi /etc/sysconfig/syslog Modify the line SYSLOGD_OPTIONS and add a -r to the options. Save the file and exit.

10. Restart syslog: /etc/init.d/syslog restart. When Syslog is functioning you will see logs populated in: /var/log/IDF Server.log

IDF Server Plug-in Settings

You can configure IDF Server Plug-in to instruct all managed computers to send logs to the Syslog computer, or you can configure individual computers independently.
To configure the Server Plug-in to instruct all managed computers to use Syslog:
P ATH : IDF M AIN M ENU | S YSTEM > S YSTEM S ETTINGS

1. 2. 3. 4. 5.

Click the Notifications tab. In the panel called System Event Notification area, set the Forward System Events to a remote computer (via Syslog) option. Type the hostname or the IP address of the Syslog computer. Enter which UDP port to use (usually 514). Select which Syslog facility to use (Local4 from the Red Hat example above.)

13-4

Logging

6.

Select the Common Event Format 1.0 log format. (The Basic Syslog and Common Event Format (legacy) formats are listed only for legacy support and should not be used for new integrations.)
Common Event Format 1.0 is a format sponsored by ArcSight (www.arcsight.com). The specification can be requested through their Web site.

Note:

You have now configured the IDF Server Plug-in to instruct all existing and new computers to use remote Syslog by default. This default setting can be overridden for specific Security Profiles and on individual computers. To override on a computer, find the computer you want to configure in the Computers screen and double-click it to view its Details window. Go to System > System Settings and click the Notifications tab. Like many other settings on a computer, you can instruct it to inherit default settings, or override them. To instruct this computer to ignore any inheritable default settings, select the Forward Events To: option and enter the details for a different Syslog server, or to not forward logs at all. Follow the same procedure to override the setting on a Security Profile.

Parsing Syslog Messages

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension To determine whether the log entry comes from the IDF Server Plug-in or an IDF Client Plug-in, look at the Device Product field: Sample Log Entry: Jan 18 11:07:53 dsmhost CEF:0|Third Brigade|IDF Server Plug-in|5.0.1659|600|Administrator Signed In|4|suser=Master To further determine what kind of rule triggered the event, look at the Signature ID and Name fields: Sample Log Entry: Mar 19 15:19:15 chrisds7 CEF:0|Trend Micro|IDF Client Plug-in|7.0.0.2036|123|Out Of Allowed Policy|5|cn1=1...

13-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

The following Signature ID values indicate what kind of event has been triggered:
TABLE 13-1.
Signature IDs

S IGNATURE ID S
10 20 21 100-299 300-399 500-899 1,000,000-1,999,999 Custom DPI Rule

D ESCRIPTION

Log Only Firewall Rule Deny Firewall Rule Out of "Allowed" Policy Firewall Rule SSL Events Stateful Configuration Events Trend Micro DPI Rule

Note:

All the CEF extensions described in the tables below will not necessarily be included in each log entry. As well, they may not be in the order described below. If you are using regular expressions (regex) to parse the entries, make sure your expressions do not depend on each key/value pair to be there or for the key/value pairs to be in a particular order.

Note:

Syslog messages are limited to 1024 characters by the syslog protocol specification. In rare cases data may be truncated if long rule and interface names are used.

Firewall Event Log Format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension Sample Log Entry (1): 03-19-2010 16:19:18 Local0.Info 10.52.116.23 Mar 19 15:19:15 chrisds7 CEF:0|Trend Micro|IDF Client Plug-in|7.0.0.2036|123|Out Of Allowed Policy|5|cn1=1 cn1Label=Computer ID act=Deny

13-6

Logging

dmac=00:0C:29:8D:F1:C9 smac=00:1C:23:01:85:37 TrendMicroDsFrameType=IP src=10.52.116.140 dst=10.52.116.23 in=62 cs3=DF 0 cs3Label=Fragmentation Bits proto=TCP spt=24431 dpt=23 cs2=0x00 SYN cs2Label=TCP Flags cnt=1

Sample Log Entry (2): 03-19-2010 16:18:33 Local0.Info 10.52.116.23 Mar 19 15:18:31 chrisds7 CEF:0|Trend Micro|IDF Client Plug-in|7.0.0.2036|123|Out Of Allowed Policy|5|cn1=1 cn1Label=Computer ID act=Deny dmac=00:0C:29:8D:F1:C9 smac=00:1C:23:01:85:37 TrendMicroDsFrameType=IP src=10.52.116.140 dst=10.52.116.23 in=66 cs3=DF 0 cs3Label=Fragmentation Bits proto=TCP spt=24430 dpt=23 cs2=0x00 SYN cs2Label=TCP Flags cnt=1 TrendMicroDsPacketData=AAwpjfHJABwjAYU3CABFAAA0ZjFAAIAGl4cKNHSM CjR0F19uABefXY81AAAAAIACIADD8gAAAgQFtAEDAwIBAQQC
TABLE 13-2. E XTENSION F IELD
act Firewall Event Extension Fields

N AME
Action

D ESCRIPTION
The action taken by the Firewall rule. Can contain: Block, Reset, Insert, Delete, Replace or Log. If the rule or the network engine is operating in detect-only mode, the action value will be proceeded by "IDS:".

E XAMPLES
act=Block act=Reset

13-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 13-2. E XTENSION F IELD

cn1

Firewall Event Extension Fields

N AME
Computer Identifier

D ESCRIPTION
The Client Plug-in Computer internal identifier which can be used to uniquely identify the Client Plug-in Computer from a given syslog event. The friendly name label for the field cn1. The number of times this event was sequentially repeated. (For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST, SYN and FIN fields may be present if the TCP header was set. The friendly name label for the field cs2.

E XAMPLES
cn1=113

cn1Label

Computer ID

cn1Label=Computer ID

cnt

Repeat Count

cnt=8

cs2

TCP Flags

cs2=0x10 ACK cs2=0x14 ACK RST

cs2Label

TCP Flags

cs2Label=TCP Flags

13-8

Logging

TABLE 13-2. E XTENSION F IELD

cs3

Firewall Event Extension Fields

N AME
Packet Fragmentat ion Information

D ESCRIPTION
The "DF" field will be present if the IP "Dont Fragment" bit is set. The "MF" field will be present if the "IP More Fragments" bit is set. The friendly name label for the field cs3. (For the ICMP protocol only) The ICMP type and code stored in their respective order delimited by a space. The friendly name label for the field cs4. Destination computer network interface MAC address. (For TCP and UDP protocol only) Destination computer connection port. cs3=MF

E XAMPLES

cs3=DF MF

cs3Label

Fragmentat ion Bits

cs3Label=Fragmentation Bits

cs4

ICMP Type and Code

cs4=11 0 cs4=8 0

cs4Label

ICMP

cs4Label=ICMP Type and Code

dmac

Destination MAC Address

dmac= 00:0C:29:2F:09:B3

dpt

Destination Port

dpt=80 dpt=135

13-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 13-2. E XTENSION F IELD

dst

Firewall Event Extension Fields

N AME
Destination IP Address

D ESCRIPTION
Destination computer IP Address. (For inbound connections only) Number of inbound bytes read. (For outbound connections only) Number of outbound bytes read. Name of the connection transportation protocol used. Source computer network interface MAC address. (For TCP and UDP protocol only) Source computer connection port. Source computer IP Address.

E XAMPLES
dst=192.168.1.102 dst=10.30.128.2 in=137 in=21

in

Inbound Bytes Read

out

Outbound Bytes Read

out=216 out=13

proto

Transport protocol

proto=tcp proto=udp proto=icmp smac= 00:0E:04:2C:02:B3

smac

Source MAC Address Source Port

spt

spt=1032 spt=443

src

Source IP Address

src=192.168.1.105 src=10.10.251.231

13-10

Logging

TABLE 13-2. E XTENSION F IELD

Firewall Event Extension Fields

N AME
Ethernet frame type

D ESCRIPTION
Connection Ethernet frame type.

E XAMPLES
TrendMicroDsFrameType= IP TrendMicroDsFrameType= ARP TrendMicroDsFrameType= RevARP TrendMicroDsFrameType= NetBEUI

TrendMicroDs FrameType

TrendMicroDs PacketData

Packet data

(If include packet data is set) A Base64 encoded copy of the packet data. The "equals" character is escaped. E.g. "\="

TrendMicroDsPacketData =AA...BA\=

DPI Event Log Format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension Sample Log Entry: 03-19-2010
17:11:05 Local0.Info 10.52.116.23 Mar 19 16:10:58 chrisds7 CEF:0|Trend Micro|IDF Client Plug-in|7.0.0.2036|1000552|Generic Cross Site Scripting(XSS) Prevention|10|cn1=1 cn1Label=Computer ID dmac=00:0C:29:8D:F1:C9 smac=00:1C:23:01:85:37 TrendMicroDsFrameType=IP src=10.52.116.140 dst=10.52.116.23 in=465 cs3=DF 0 cs3Label=Fragmentation Bits proto=TCP spt=26362 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=Log cn3=22 cn3Label=DPI Packet Position cs5=22 cs5Label=DPI Stream Position

13-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

cs1=XSS_Attack cs1Label=DPI Note cs6=8 cs6Label=DPI Flags TrendMicroDsPacketData=R0VUIC8lM0NTQ1JJUFQlM0VhbGVydChkb2N1bWVu dC5jb2... TABLE 13-3. E XTENSION F IELD
act DPI Event Log Format Extensions

N AME
Action

D ESCRIPTION
The action taken by the DPI rule. Can contain: Block, Reset, Insert, Delete, Replace or Log. If the rule or the network engine is operating in detect-only mode, the action value will be proceeded by "IDS:". The Client Plug-in Computer internal identifier which can be used to uniquely identify the Client Plug-in Computer from a given syslog event. The friendly name label for the field cn1. Position within packet of data that triggered the event. The friendly name label for the field cn3.

E XAMPLES
act=Block

cn1

Comput er Identifie r

cn1=113

cn1Label

Comput er ID

cn1Label=Computer ID

cn3

DPI Packet Position DPI Packet Position

cn3=37

cn3Label

cn3Label=DPI Packet Position

13-12

Logging

TABLE 13-3. E XTENSION F IELD

cnt

DPI Event Log Format Extensions

N AME
Repeat Count

D ESCRIPTION
The number of times this event was sequentially repeated. (Optional) A note field which can contain a short binary or text note associated with the payload file. If the value of the note field is all printable ASCII characters, it will be logged as text with spaces converted to underscores. If it contains binary data, it will be logged using Base-64 encoding. The friendly name label for the field cs1. (For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST, SYN and FIN fields may be present if the TCP header was set. cnt=8

E XAMPLES

cs1

DPI Filter Note

cs1=Drop_data

cs1Label

DPI Note

cs1Label=DPI Note

cs2

TCP Flags

cs2=0x10 ACK cs2=0x14 ACK RST

13-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 13-3. E XTENSION F IELD

cs2Label

DPI Event Log Format Extensions

N AME
TCP Flags

D ESCRIPTION
The friendly name label for the field cs2. The "DF" field will be present if the IP "Dont Fragment" bit is set. The "MF" field will be present if the "IP Mote Fragments" bit is set. The friendly name label for the field cs3. (For the ICMP protocol only) The ICMP type and code stored in their respective order delimited by a space. The friendly name label for the field cs4. Position within stream of data that triggered the event. The friendly name label for the field cs5.

E XAMPLES
cs2Label=TCP Flags

cs3

Packet Fragme ntation Informa tion

cs3=MF cs3=DF MF

cs3Label

Fragme ntation Bits ICMP Type and Code

cs3Label=Fragmentati on Bits

cs4

cs4=11 0 cs4=8 0

cs4Label

ICMP

cs4Label=ICMP Type and Code

cs5

DPI Stream Position DPI Stream Position

cs5=128 cs5=20 cs5Label=DPI Stream Position

cs5Label

13-14

Logging

TABLE 13-3. E XTENSION F IELD

cs6

DPI Event Log Format Extensions

N AME
DPI Filter Flags

D ESCRIPTION
A combined value that includes the sum of the following flag values: 1 - Data truncated Data could not be logged. 2 - Log Overflow Log overflowed after this log. 4 - Suppressed Logs threshold suppressed after this log. 8 - Have Data Contains packet data 16 - Reference Data References previously logged data.

E XAMPLES
The following example would be a summed combination of 1 (Data truncated) and 8 (Have Data): cs6=9

cs6Label

DPI Flags

The friendly name label for the field cs6. Destination computer network interface MAC address.

cs6=DPI Filter Flags

dmac

Destina tion MAC Addres s

dmac= 00:0C:29:2F:09:B3

13-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 13-3. E XTENSION F IELD

dpt

DPI Event Log Format Extensions

N AME
Destina tion Port

D ESCRIPTION
(For TCP and UDP protocol only) Destination computer connection port. Destination computer IP Address.

E XAMPLES
dpt=80 dpt=135

dst

Destina tion IP Addres s Inbound Bytes Read

dst=192.168.1.102 dst=10.30.128.2

in

(For inbound connections only) Number of inbound bytes read. (For outbound connections only) Number of outbound bytes read. Name of the connection transportation protocol used. Source computer network interface MAC address.

in=137 in=21

out

Outbou nd Bytes Read

out=216 out=13

proto

Transpo rt protocol

proto=tcp proto=udp proto=icmp smac= 00:0E:04:2C:02:B3

Smac

Source MAC Addres s Source Port

Spt

(For TCP and UDP protocol only) Source computer connection port.

spt=1032 spt=443

13-16

Logging

TABLE 13-3. E XTENSION F IELD

Src

DPI Event Log Format Extensions

N AME
Source IP Addres s Etherne t frame type

D ESCRIPTION
Source computer IP Address.

E XAMPLES
src=192.168.1.105 src=10.10.251.231

TrendMicro DsFrameTy pe

Connection Ethernet frame type.

TrendMicroDsFrameTy pe=IP TrendMicroDsFrameTy pe=ARP TrendMicroDsFrameTy pe=RevARP TrendMicroDsFrameTy pe=NetBEUI

TrendMicro DsPacketD ata

Packet data

(If include packet data is set) A Base64 encoded copy of the packet data. The "equals" character is escaped. E.g. "\="

TrendMicroDsPacketD ata=AA...BA\=

System Event Log Format

Base CEF Format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension Sample Log Entry (1): 03-19-2010 17:32:07 Local0.Info 10.52.116.23 Mar 19 17:32:00 chrisds7 CEF:0|Trend Micro|IDF Server Plug-in|7.0.1591|160|Authentication Failed|4|src=10.52.116.23 suser=MasterAdmin target=MasterAdmin msg=User password incorrect for username MasterAdmin on an attempt to sign in from 127.0.0.1

13-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Sample Log Entry (2): 03-19-2010 17:34:38 Local0.Info 10.52.116.23 Mar 19 17:34:30 chrisds7 CEF:0|Trend Micro|IDF Server Plug-in|7.0.1591|300|Scan for Recommendations|4|src=10.52.116.23 suser=System target=localhost msg=A Scan for Recommendations on computer (localhost) has completed. Any changes to the computer as a result of this Scan for Recommendations will have been reflected in a 'Computer Updated' system event.
TABLE 13-4. E XTENSION F IELD
src System Event Log Format Extensions

N AME
Source IP Address

D ESCRIPTION
Source IDF Server Plug-in IP Address. Source IDF Server Plug-in user account. The event target entity. The target of the event maybe the administrator account logged into IDF Server Plug-in, or a Computer. Details of the System event. May contain a verbose description of the event.

E XAMPLES
src=10.52.116.23

suser

Source User

suser=MasterAdmin

target

Target entity

target=MasterAdmin target=server01

msg

Details

msg=User password incorrect for username MasterAdmin on an attempt to sign in from 127.0.0.1 msg=A Scan for Recommendations on computer (localhost) has completed...

13-18

Logging

Advanced Logging Policy Modes

To reduce the number of events being logged, the IDF Server Plug-in can be configured to operate in one of several Advanced Logging Policy modes. These modes are set in the System > System Settings > Firewall and DPI screen in the Advanced area. The following table lists the types of Events are ignored in four of the more complex Advanced Logging Policy modes:
TABLE 13-5.
Ignored Events

M ODE
Stateful and Normalization Suppression

I GNORED E VENTS
Out Of Connection Invalid Flags Invalid Sequence Invalid ACK Unsolicited UDP Unsolicited ICMP Out Of Allowed Policy Dropped Retransmit

13-19

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 13-5.

Ignored Events

M ODE
Stateful, Normalization, and Frag Suppression

I GNORED E VENTS
Out Of Connection Invalid Flags Invalid Sequence Invalid ACK Unsolicited UDP Unsolicited ICMP Out Of Allowed Policy CE Flags Invalid IP Invalid IP Datagram Length Fragmented Invalid Fragment Offset First Fragment Too Small Fragment Out Of Bounds Fragment Offset Too Small IPv6 Packet Max Incoming Connections Max Outgoing Connections Max SYN Sent License Expired IP Version Unknown Invalid Packet Info Maximum ACK Retransmit Packet on Closed Connection Dropped Retransmit

13-20

Logging

TABLE 13-5.

Ignored Events

M ODE
Stateful, Frag, and Verifier Suppression

I GNORED E VENTS
Out Of Connection Invalid Flags Invalid Sequence Invalid ACK Unsolicited UDP Unsolicited ICMP Out Of Allowed Policy CE Flags Invalid IP Invalid IP Datagram Length Fragmented Invalid Fragment Offset First Fragment Too Small Fragment Out Of Bounds Fragment Offset Too Small IPv6 Packet Max Incoming Connections Max Outgoing Connections Max SYN Sent License Expired IP Version Unknown Invalid Packet Info Invalid Data Offset No IP Header Unreadable Ethernet Header Undefined Same Source and Destination IP Invalid TCP Header Length

13-21

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE 13-5.

Ignored Events

M ODE

I GNORED E VENTS
Unreadable Protocol Header Unreadable IPv4 Header Unknown IP Version Maximum ACK Retransmit Packet on Closed Connection Dropped Retransmit

Tap Mode

Out Of Connection Invalid Flags Invalid Sequence Invalid ACK Maximum ACK Retransmit Packet on Closed Connection Dropped Retransmit

13-22

Chapter 14

Getting Help
This chapter describes troubleshooting issues that may arise and how to contact support. Topics in this chapter: Contacting Trend Micro on page 14-2

14-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Contacting Trend Micro

Technical Support
Trend Micro provides technical support, pattern downloads, and program updates for one year to all registered users, after which you must purchase renewal maintenance. If you need help or just have a question, please feel free to contact us. We also welcome your comments. Trend Micro Incorporated provides worldwide support to all registered users. Get a list of the worldwide support offices at: http://www.trendmicro.com/support Get the latest Trend Micro product documentation at: http://www.trendmicro.com/download In the United States, you can reach the Trend Micro representatives through phone, fax, or email: Trend Micro, Inc. 10101 North De Anza Blvd., Cupertino, CA 95014 Toll free: +1 (800) 228-5651 (sales) Voice: +1 (408) 257-1500 (main) Fax: +1 (408) 257-2003 Web address: http://www.trendmicro.com Email: [email protected]

14-2

Getting Help

Speeding Up Your Support Call When you contact Trend Micro, to speed up your problem resolution, ensure that you have the following details available: Microsoft Windows and Service Pack versions Network type Computer brand, model, and any additional hardware connected to your computer Amount of memory and free hard disk space on your computer Detailed description of the install environment Exact text of any error message given Steps to reproduce the problem

The Trend Micro Knowledge Base

The Trend Micro Knowledge Base, maintained at the Trend Micro Web site, has the most up-to-date answers to product questions. You can also use Knowledge Base to submit a question if you cannot find the answer in the product documentation. Access the Knowledge Base at: http://esupport.trendmicro.com Trend Micro updates the contents of the Knowledge Base continuously and adds new solutions daily. If you are unable to find an answer, however, you can describe the problem in an email and send it directly to a Trend Micro support engineer who will investigate the issue and respond as soon as possible.

14-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TrendLabs
TrendLabsSM is the global antivirus research and support center of Trend Micro. Located on three continents, TrendLabs has a staff of more than 250 researchers and engineers who operate around the clock to provide you, and every Trend Micro customer, with service and support. You can rely on the following post-sales service: Regular virus pattern updates for all known "zoo" and "in-the-wild" computer viruses and malicious codes Emergency virus outbreak support Email access to antivirus engineers Knowledge Base, the Trend Micro online database of technical support issues

TrendLabs has achieved ISO 9002 quality assurance certification.

Security Information Center

Comprehensive security information is available at the Trend Micro Web site. http://www.trendmicro.com/vinfo/ Information available: List of viruses and malicious mobile code currently "in the wild," or active Computer virus hoaxes Internet threat advisories Virus weekly report Virus Encyclopedia, which includes a comprehensive list of names and symptoms for known viruses and malicious mobile code Glossary of terms

14-4

Getting Help

Sending Suspicious Files to Trend Micro

If you think you have an infected file but the scan engine does not detect it or cannot clean it, Trend Micro encourages you to send the suspect file to us. For more information, refer to the following site: http://subwiz.trendmicro.com/subwiz You can also send Trend Micro the URL of any Web site you suspect of being a phish site, or other so-called "disease vector" (the intentional source of Internet threats such as spyware and viruses). Send an email to the following address and specify "Phish or Disease Vector" as the subject. [email protected] You can also use the Web-based submission form at: http://subwiz.trendmicro.com/subwiz

Documentation Feedback
Trend Micro always seeks to improve its documentation. If you have questions, comments, or suggestions about this or any Trend Micro document, please go to the following site: http://www.trendmicro.com/download/documentation/rating.asp

14-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

14-6

Appendix A

Ports Used by IDF

A number of ports must be accessible for the IDF Server Plug-in and the Client Plug-ins to function as expected. The following is a list of the ports used, the description of the function for which the port is used, the related protocols, the application which initializes the connection, the application to which the connection is made, whether the use of a proxy is possible (and what type of proxy), and whether and where the port can be configured:

Port: 4118
Use: Server Plug-in-to-Client Plug-in communication. Protocol: TCP Initiated By: IDF Server Plug-in Connected To: Client Plug-in Proxy: No Configuration: This port is not configurable (please contact your support provider if this port assignment is problematic.)

Port: 4119 (default)

Use: Access to IDF Server Plug-in Web browser interface. Protocol: TCP

A-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Initiated By: Web browser Connected To: IDF Server Plug-in Proxy: No Configuration: This port is configured during the IDF Server Plug-in installation process.

Port: 4120 (default)

Use: Client Plug-in-to-Server Plug-in communication Protocol: TCP Initiated By: Client Plug-in Connected To: IDF Server Plug-in Proxy: No Configuration: This port is configured during the IDF Server Plug-in installation process.

Port: 514 (default)

Use: Syslog Protocol: UDP Initiated By: Client Plug-in Connected To: Syslog facility Proxy: No Configuration: This port can be configured in System > System Settings > Notifications.

Port: 25 (default)
Use: E-mail Alerts Protocol: TCP Initiated By: IDF Server Plug-in Connected To: Specified SMTP server Proxy: No

A-2

Ports Used by IDF

Configuration: This port can be configured in System > System Settings > System.

Port: 80
Use: Connection to Trend Micro ActiveUpdate Server Protocol: HTTP and SOCKS Initiated By: IDF Server Plug-in Connected To: Trend Micro ActiveUpdate Server Proxy: Yes (optional) Configuration: The proxy address and port can be configured in System > System Settings > Updates.

Port: 389
Use: LDAP directory addition or IDF Server Plug-in Protocol: TCP Initiated By: IDF Server Plug-in Connected To: LDAP server Proxy: No Configuration: This port can be configured in the New Directory wizard.

Port: Randomly selected

Use: DNS lookup for hostnames Protocol: TCP Initiated by: IDF Server Plug-in Connected to: DNS server Proxy: No Configuration: The port is randomly selected when the IDF Server Plug-in needs to lookup a hostname.

A-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

A-4

Appendix B

Computer and Client Plug-in Status

The status column of the IDF Server Plug-in's Computers screen displays the current state of the computer and its Client Plug-in. The status column will usually display the state of the computer on the network followed by the state (in parentheses) of the Client Plug-in providing protection if either is present. If the computer or Client Plug-in is in an error state, that state will also be displayed in the status column. When operations are in progress, the status of the operation will appear in the status column. The following three tables list possible status and error messages that may appear in the status column of the Computers screen.
Note: In addition to the values below, the status column may also display System or Client Plug-in Events. For a list of the Events, see Client Plug-in Events on page C-24 and System Events on page C-8.

B-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Computer States
TABLE B-1.
Computer States

C OMPUTER S TATE
Unmanaged Managed unactivated

D ESCRIPTION

A Client Plug-in is present and activated with no pending operations or errors. The Client Plug-in is being updated with a combination of new configuration settings and security updates. The Client Plug-in will be updated with a combination of new configuration settings and security updates once the computer's access schedule permits. An update will be performed at the next heartbeat.

Updating

Update Pending (Schedule)

Update Pending (Heartbeat) Update Pending (Offline)

The Server Plug-in cannot currently communicate with the Client Plug-in. An update is ready to be applied once the Client Plug-in comes back online. The Server Plug-in is scanning the Computer for open ports. The Server Plug-in is activating the Client Plug-in. The activation of the Client Plug-in is delayed by the amount of time specified in the relevant event-based task. The Client Plug-in is activated. The Server Plug-in is deactivating the Client Plug-in. This means that the Client Plug-in is available for activation and management by another IDF Server Plug-in.

Scanning for Open Ports Activating Activating (Delayed)

Activated Deactivating

B-2

Computer and Client Plug-in Status

TABLE B-1.

Computer States

C OMPUTER S TATE
Deactivate Pending (Heartbeat) Locked

D ESCRIPTION
A deactivate instruction will be sent from the Server Plug-in during the next heartbeat. The computer is in a locked state. While in in a locked state the Server Plug-in will not communicate with the Client Plug-in or generate any computer-related alerts. Existing computer alerts are not affected. Multiple errors have occurred on this computer. See the computer's system events for details. Multiple warnings are in effect on this computer. See the computer's system events for details. The Client Plug-in software on this computer is in the process of being upgraded to a newer version. A Recommendation Scan is underway.

Multiple Errors

Multiple Warnings

Upgrading Client Plug-in Scanning for Recommendations Scan for Recommendations Pending (Schedule) Scan for Recommendations Pending (Heartbeat) Scan for Recommendations Pending (Offline) Checking Status Getting Events

A Recommendation Scan will be initiated once the computer's Access Schedule permits.

The Server Plug-in will initiate a Recommendation Scan at the next heartbeat.

The Client Plug-in is currently offline. The Server Plug-in will initiate a Recommendation Scan when communication is reestablished. The client plug-in state is being checked. The Server Plug-in is retrieving Events from the Client Plug-in.

B-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE B-1.

Computer States

C OMPUTER S TATE
Upgrade Recommended

D ESCRIPTION
A newer version of the Client Plug-in is available. A software upgrade is recommended.

B-4

Computer and Client Plug-in Status

Client Plug-in States

TABLE B-2.
Client Plug-in States

C LIENT P LUG - IN STATE

Activated

D ESCRIPTION
The Client Plug-in has been successfully activated and is ready to be managed by the IDF Server Plug-in. An unactivated Client Plug-in has been detected on the target machine. It must be activated before it can be managed by the IDF Server Plug-in. No attempt has been made to determine whether a Client Plug-in is present. The Server Plug-in has attempted to activate a Client Plug-in that has already been activated by another IDF Server Plug-in. The original IDF Server Plug-in must deactivate the Client Plug-in before it can be activated by the new Server Plug-in. The Client Plug-in is installed and listening and is waiting to be reactivated by an IDF Server Plug-in. The Client Plug-in is online and operating as expected. No contact has been made with the Client Plug-in for the number of heartbeats specified in System > Settings > Computers screen.

Activation Required

Unknown

Deactivation Required

Reactivation Required

Online

Offline

Computer Errors
TABLE B-3.
Computer Errors

E RROR S TATE
Communication error

D ESCRIPTION
General network error.

B-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE B-3.

Computer Errors

E RROR S TATE
No route to computer

D ESCRIPTION
Typically the remote computer cannot be reached because of an intervening firewall or if an intermediate router is down. Unresolved socket address.

Unable to resolve hostname Activation required

An instruction was sent to the Client Plug-in when it was not yet activated. Unable to communicate with Client Plug-in .

Unable to communicate with Client Plug-in Protocol error Deactivation Required

Communication failure at the HTTP layer. The Client Plug-in is currently activated by another IDF Server Plug-in. No Client Plug-in was detected on the target. Indicates that no installer can be found for the platform/version requested. There was an error in sending a binary package to the computer. Internal error. Please contact your support provider. Two computers in the Server Plug-in's Computers list share the same IP address.

No Client Plug-in No valid software version Send software failed

Internal error Duplicate Computer

B-6

Appendix C

Events
This chapter describes IDF events. Topics in this chapter: Firewall Events on page C-2 DPI Events on page C-5 System Events on page C-8 Client Plug-in Events on page C-24

C-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

Firewall Events
TABLE C-1.
Firewall Events

E VENT
CE Flags

N OTES
The CWR or ECE flags were set and the stateful configuration specifies that these packets should be denied. Dropped Retransmit. A fragmented packet was encountered, the size of the fragment was less than the size of a TCP packet (no data). The offsets(s) specified in a fragmented packet sequence is less than the size of a valid datagram. The offsets(s) specified in a fragmented packet sequence is outside the range of the maximum size of a datagram. A fragmented packet was encountered with deny fragmented packets disallowed enabled. Insufficient resources. Internal TCP stateful error. A packet with an invalid acknowledgement number was encountered. An invalid adapter configuration has been received.

Dropped Retransmit First Fragment Too Small

Fragment Offset Too Small Fragment Out Of Bounds

Fragmented

Internal Driver Error Internal States Error Invalid ACK

Invalid Adapter Configuration Invalid Data Offset

Invalid data offset parameter.

C-2

Events

TABLE C-1.

Firewall Events

E VENT
Invalid Flags

N OTES
Flag(s) set in packet were invalid. This could be due to a flag that does not make sense within the context of a current connection (if any), or due to a nonsensical combination of flags. (Stateful Configuration must be On for connection context to be assessed.) Packet's source IP was not valid. The length of the IP datagram is less than the length specified in the IP header. An invalid FTP port command was encountered in the FTP control channel data stream. A packet with an invalid sequence number or out-of-window data size was encountered. An invalid IP header length (< 5*4 = 20) was set in the IP header. An IP packet other than IPv4 or IPv6 was encountered. An IPv6 Packet was encountered, and IPv6 blocking is enabled. The number of incoming connections has exceeded the maximum number of connections allowed. The number of outgoing connections has exceeded the maximum number of connections allowed. The number of half open connections from a single computer exceeds that specified in the stateful configuration. This retransmitted ACK packet exceeds the ACK storm protection threshold.

Invalid IP Invalid IP Datagram Length Invalid Port Command

Invalid Sequence

Invalid IP Header Length IP Version Unknown

IPv6 Packet

Max Incoming Connections Max Outgoing Connections Max SYN Sent

Maximum ACK Retransmit

C-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-1.

Firewall Events

E VENT
Null IP

N OTES
a NULL (0.0.0.0) IP is not allowed by the present firewall configuration The packet does not meet any of the Allow or Force Allow rules and so is implicitly denied. A packet was received that was not associated with an existing connection. This packet fragment overlaps a previously sent fragment. A packet was received belonging to a connection already closed. Source and destination IPs were identical.

Out Of Allowed Policy

Out Of Connection

Overlapping Fragment

Packet on Closed Connection Same Source and Destination IP SYN Cookie Error

The SYN cookies protection mechanism encountered an error. Unrecognized IP version. Data contained in this Ethernet frame is smaller than the Ethernet header. The packet contains an unreadable IPv4 header.

Unknown IP Version Unreadable Ethernet Header Unreadable IPv4 Header Unreadable Protocol Header Unsolicited ICMP

The packet contains an unreadable TCP, UDP or ICMP header. ICMP stateful has been enabled (in stateful configuration) and an unsolicited packet that does not match any Force Allow rules was received. Incoming UDP packets that were not solicited by the computer are rejected.

Unsolicited UDP

C-4

Events

DPI Events
TABLE C-2.
DPI Events

E VENT
Base 64 Decoding Error Client Attempted to Rollback

N OTES
Packet content that was expected to be encoded in Base64 format was not encoded correctly. A client attempted to rollback to an earlier version of the SSL protocol than that which was specified in the ClientHello message. Corrupted Deflate/GZIP Content

Corrupted Deflate/GZIP Content Deflate/GZIP Checksum Error Double Decoding Exploit Edit Too Large

Deflate/GZIP Checksum Error.

Double decoding exploit attempt (%25xx, %25%xxd, etc). Editing attempted to increase the size of the region above the maximum allowed size (8188 bytes). Unable to un-wrap the pre-master secret from the ClientKeyExchange message. Unable to derive the cryptographic keys, Mac secrets, and initialization vectors from the master secret. An error occurred when trying to queue the pre-master secret for decryption. The SSL state engine has encountered a handshake message after the handshake has been negotiated. Illegal character used in uri.

Error Decrypting Pre-master Key Error Generating Master Key(s)

Error Generating Pre-Master Request Handshake Message (not ready) Illegal Character in URI

C-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-2.

DPI Events

E VENT
Incomplete Deflate/GZIP Content Incomplete UTF8 Sequence Int Min/Max/Choice Constraint Failure Internal Error

N OTES
Corrupted deflate/gzip content.

URI ended in middle of utf8 sequence.

A protocol decoding rule decoded data that did not meet the protocol content constraints. The protocol decoding engine detected an internal corruption while processing a loop or nested type. %nn where nn are not hex digits. An internal error occurred causing the protocol decoding stack to become corrupt and halt processing for the connection. An invalid or unreasonable value was encountered while trying to decode the handshake protocol. Tried to use "../../" above root. use of disabled char

Invalid Hex Encoding Invalid Lexical Instruction

Invalid Parameters In Handshake Invalid Traversal Invalid Use of Character Invalid UTF8 encoding Key Exchange Error

Invalid/non-canonical encoding attempt. The server is attempting to establish an SSL session with temporarily generated key. The master secret keys are larger than specified by the protocol identifier. There are more than 2048 positions in the packet with pattern match occurrences. An error is returned at this limit and the connection is dropped because this usually indicates a garbage or evasive packet.

Key Too Large

Max Matches in Packet Exceeded

C-6

Events

TABLE C-2.

DPI Events

E VENT
Maximum Edits Exceeded Memory Allocation Error

N OTES
The maximum number of edits (32) in a single region of a packet was exceeded. The packet could not be processed properly because resources were exhausted. This can be because too many concurrent connections require buffering (max 2048) or matching resources (max 128) at the same time or because of excessive matches in a single IP packet (max 2048) or simply because the system is out of memory. A well formatted handshake message has been encountered out of sequence. Low level problem reading packet data. The SSL state engine has encountered an SSL record before initialization of the session. A region (edit region, uri etc) exceeded the maximum allowed buffering size (7570 bytes) without being closed. This is usually because the data does not conform to the protocol. An SSL session was being requested with a cached session key that could not be located. Runtime error. A protocol decoding rule defined a limit for a search or pdu object but the object was not found before the limit was reached. A rule programming error attempted to cause recursion or use to many nested procedure calls. A protocol decoding rule encountered a type definition and packet content that caused the maximum type nesting depth (16) to be exceeded.

Out Of Order Handshake Message Packet Read Error Record Layer Message

Region Too Big

Renewal Error

Runtime Error. Search Limit Reached

Stack Depth

Type Nesting Too Deep

C-7

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-2.

DPI Events

E VENT
Unsupported Cipher

N OTES
An unknown or unsupported Cipher Suite has been requested. Unsupported Deflate/GZIP Dictionary.

Unsupported Deflate/GZIP Dictionary Unsupported GZIP Header Format/Method Unsupported SSL Version URI Path Depth Exceeded URI Path Length Too Long

Unsupported GZIP Header Format/Method.

A client attempted to negotiate an SSL V2 session.

too many "/" separators, max 100 path depth.

path length is greater than 512 characters.

System Events
The following table lists the System Events that can be recorded by IDF and their default settings. (Notifications cannot be sent for Events that are not recorded.)
TABLE C-3. N UMBER
0 100 101 102 System Events

S EVERITY
Error Info Info Info

E VENT
Unknown Error IDF Server Plug-in Started License Changed Trend Micro IDF Customer Account Changed

R ECORD
On On On On

N OTIFY
On On On On

C-8

Events

TABLE C-3. N UMBER

103 104

System Events

S EVERITY
Warning Warning

E VENT
Check For Updates Failed Automatic Software Download Failed Scheduled IDF Rule Update Download and Apply Failed Scheduled IDF Rule Update Downloaded and Applied IDF Rule Update Downloaded and Applied Script Executed Script Execution Failed System Events Exported Firewall Events Exported DPI Events Exported Scheduled IDF Rule Update Download Failed Scheduled IDF Rule Update Downloaded IDF Rule Update Downloaded IDF Rule Update Applied IDF Server Plug-in Shutdown IDF Server Plug-in Offline IDF Server Plug-in Back Online

R ECORD
On On

N OTIFY
On On

105

Warning

On

On

106

Info

On

On

107

Info

On

On

108 109 110 111 112 113

Info Error Info Info Info Warning

On On On On On On

On On On On On On

114

Info

On

On

115 116 117 118 119

Info Info Info Warning Info

On On On On On

On On On On On

C-9

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

120 121 122

System Events

S EVERITY
Error Error Error

E VENT
Heartbeat Server Failed Scheduler Failed Server Plug-in Message Thread Failed IDF Server Plug-in Forced Shutdown IDF Rule Update Deleted Credentials Generated Credential Generation Failed System Settings Saved

R ECORD
On On On

N OTIFY
On On On

123

Info

On

On

124 130 131 150

Info Info Warning Info

On On On On (cannot be turned off) On On On On On On On On

On On On On

151 152 153 154 155 160 161 166

Info Info Info Info Info Info Info Info

Software Added Software Deleted Software Updated Software Exported Software Platforms Changed Authentication Failed IDF Rule Update Exported Check for New Software Success

On On On On On On On On

C-10

Events

TABLE C-3. N UMBER

167 168

System Events

S EVERITY
Error Info

E VENT
Check for New Software Failed Manual Update Component Success Manual Update Component Failed Server Plug-in Available Disk Space Too Low Alert Type Updated Alert Started Alert Changed Alert Ended Alert Emails Sent Alert Emails Failed Alert Processing Failed Computer Created Computer Deleted Computer Updated Security Profile Assigned to Computer Computer Moved Activation Requested Update Now Requested

R ECORD
On On

N OTIFY
On On

169

Error

On

On

170

Error

On

On

180 190 191 192 197 198 199 250 251 252 253

Info Info Info Info Info Warning Error Info Info Info Info

On On On On On On On On On On On

On On On On On On On On On On On

254 255 256

Info Info Info

On On On

On On On

C-11

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

257 258 259 260 261 262

System Events

S EVERITY
Info Info Info Info Warning Info Locked Unlocked

E VENT

R ECORD
On On On On On On

N OTIFY
On On On On On On

Deactivation Requested Scan for Open Ports Scan for Open Ports Failed Scan for Open Ports Requested Scan for Open Ports Cancelled Client Plug-in Software Upgrade Requested Client Plug-in Software Upgrade Cancelled Warnings/Errors Cleared Check Status Requested Get Events Now Requested Computer Creation Failed Duplicate Computer Components Updated Computers Exported Computers Imported Computer Log Exported

263 264

Info Info

On On

On On

265

Info

On

On

266 267 268 270 275 276 280 281 286

Info Info Info Error Warning Info Info Info Info

On On On On On On On On On

On On On On On On On On On

C-12

Events

TABLE C-3. N UMBER

290 291 292 293 294 295 296 297

System Events

S EVERITY
Info Info Info Info Info Info Info Info

E VENT
Domain Added Domain Removed Domain Updated Interface Renamed Computer Bridge Renamed Interface Deleted Interface IP Deleted Scan for Recommendations Requested Recommendations Cleared Asset Value Assigned to Computer Scan for Recommendations Client Plug-in Software Deployment Requested Client Plug-in Software Removal Requested Computer Renamed Rebuild Baseline Requested Cancel Update Requested SSL Configuration Created SSL Configuration Deleted

R ECORD
On On On On On On On On

N OTIFY
On On On On On On On On

298 299

Info Info

On On

On On

300 301

Info Info

On On

On On

302

Info

On

On

303 306 307 330 331

Info Info Info Info Info

On On On On On

On On On On On

C-13

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

332 350 351 352 353 354 368 369 410 411 412 413 414 420 421 422 423

System Events

S EVERITY
Info Info Info Info Info Info Warning Info Info Info Info Info Info Info Info Info Info

E VENT
SSL Configuration Updated Security Profile Created Security Profile Deleted Security Profile Updated Security Profiles Exported Security Profiles Imported Interfaces Out of Sync Interfaces in Sync Firewall Rule Created Firewall Rule Deleted Firewall Rule Updated Firewall Rule Exported Firewall Rule Imported Stateful Configuration Created Stateful Configuration Deleted Stateful Configuration Updated Stateful Configuration Exported Stateful Configuration Imported Application Type Created

R ECORD
On On On On On On On On On On On On On On On On On

N OTIFY
On On On On On On On On On On On On On On On On On

424 460

Info Info

On On

On On

C-14

Events

TABLE C-3. N UMBER

461 462 463 464 470 471 472 473 474 505 506 507 508 509 510 511 512 513 514 520

System Events

S EVERITY
Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info

E VENT
Application Type Deleted Application Type Updated Application Type Exported Application Type Imported DPI Rule Created DPI Rule Deleted DPI Rule Updated DPI Rule Exported DPI Rule Imported Context Created Context Deleted Context Updated Context Exported Context Imported IP List Created IP List Deleted IP List Updated IP List Exported IP List Imported Port List Created

R ECORD
On On On On On On On On On On On On On On On On On On On On

N OTIFY
On On On On On On On On On On On On On On On On On On On On

C-15

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

521 522 523 524 530 531 532 533 534 550 551 552 553 554 560 561 562 563

System Events

S EVERITY
Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info Info

E VENT
Port List Deleted Port List Updated Port List Exported Port List Imported MAC List Created MAC List Deleted MAC List Updated MAC List Exported MAC List Imported Schedule Created Schedule Deleted Schedule Updated Schedule Exported Schedule Imported Scheduled Task Created Scheduled Task Deleted Scheduled Task Updated Scheduled Task Manually Executed Scheduled Task Started

R ECORD
On On On On On On On On On On On On On On On On On On

N OTIFY
On On On On On On On On On On On On On On On On On On

564

Info

On

On

C-16

Events

TABLE C-3. N UMBER

565 566 567

System Events

S EVERITY
Info Error Info

E VENT
Backup Finished Backup Failed Sending Outstanding Alert Summary Failed To Send Outstanding Alert Summary Email Failed Sending Report Failed To Send Report Invalid Report Jar Asset Value Created Asset Value Deleted Asset Value Updated Report Uninstall Failed Report Uninstalled Application Type Port List Misconfiguration Application Type Port List Misconfiguration Resolved DPI Rules Require Configuration DPI Rules Require Configuration Resolved

R ECORD
On On On

N OTIFY
On On On

568

Warning

On

On

569 570 571 572 573 574 575 576 577 580

Warning Info Warning Error Info Info Info Error Error Warning

On On On On On On On On On On

On On On On On On On On On On

581

Warning

On

On

582

Warning

On

On

583

Info

On

On

C-17

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

590 700

System Events

S EVERITY
Warning Info

E VENT
Scheduled Task Unknown Type Client Plug-in Software Installed Client Plug-in Software Installation Failed Credentials Generated Credential Generation Failed Activated Activation Failed Client Plug-in Software Upgraded Client Plug-in Software Upgrade Failed Deactivated Deactivation Failed Events Retrieved Client Plug-in Software Deployed Client Plug-in Software Deployment Failed Client Plug-in Software Removed Client Plug-in Software Removal Failed

R ECORD
On On

N OTIFY
On On

701

Error

On

On

702 703 704 705 706

Info Error Info Error Info

On On On On On

On On On On On

707

Warning

On

On

708 709 710 711

Info Error Info Info

On On On On

On On On On

712

Error

On

On

713

Info

On

On

714

Error

On

On

C-18

Events

TABLE C-3. N UMBER

715 720 721 722 723

System Events

S EVERITY
Info Info Error Warning Info

E VENT
Client Plug-in Version Changed Updated Update Failed Get Interfaces Failed Get Interfaces Failure Resolved Insufficient Disk Space Events Suppressed Get Client Plug-in Events Failed Get Client Plug-in Events Failure Resolved Get Events Failed Get Events Failure Resolved Offline Back Online Firewall Rule Engine Offline Firewall Rule Engine Back Online Computer Clock Change Misconfiguration Detected Check Status Failure Resolved

R ECORD
On On On On On

N OTIFY
On On On On On

724 725 726

Warning Warning Warning

On On On

On On On

727

Info

On

On

728 729 730 731 732 733

Error Info Error Info Error Info

On On On On On On

On On On On On On

734 735 736

Warning Warning Info

On On On

On On On

C-19

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

737 738 739 740 741 742 743

System Events

S EVERITY
Error Error Info Error Warning Warning Info

E VENT
Check Status Failed DPI Rule Engine Offline DPI Rule Engine Back Online Client Plug-in Error Abnormal Restart Detected Communications Problem Communications Problem Resolved Events Truncated Last Automatic Retry IDF Server Plug-in Version Compatibility Resolved IDF Server Plug-in Upgrade Recommended (Incompatible Security Component(s)) Client Plug-in Version Compatibility Resolved Client Plug-in Upgrade Recommended Client Plug-in Upgrade Required Incompatible Client Plug-in Version

R ECORD
On On On On On On On

N OTIFY
On On On On On On On

745 750 755

Warning Warning Info

On On On

On On On

756

Warning

On

On

760

Info

On

On

761

Warning

On

On

762

Warning

On

On

763

Warning

On

On

C-20

Events

TABLE C-3. N UMBER

764

System Events

S EVERITY
Warning

E VENT
Client Plug-in Upgrade Recommended (Incompatible Security Component(s)) Computer Reboot Required Network Engine Mode Configuration Incompatibility Network Engine Mode Version Incompatibility Network Engine Mode Incompatibility Resolved Client Plug-in Heartbeat Rejected Contact by Unrecognized Client Scan for Recommendations Failure Resolved Scan for Recommendations Failure Component Update Success Component Update Failure Client Plug-in Initiated Activation Requested Client Plug-in Initiated Activation Failure Alert Dismissed

R ECORD
On

N OTIFY
On

765 766

Warning Warning

On On

On On

767

Warning

On

On

768

Warning

On

On

770

Warning

On

On

771

Warning

On

On

780

Info

On

On

781

Warning

On

On

784 785 790

Info Warning Info

On On On

On On On

791

Warning

On

On

800

Info

On

On

C-21

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

801 850

System Events

S EVERITY
Info Warning

E VENT
Error Dismissed Reconnaissance Detected: Computer OS Fingerprint Probe Reconnaissance Detected: Network or Port Scan Reconnaissance Detected: TCP Null Scan Reconnaissance Detected: TCP SYNFIN Scan Reconnaissance Detected: TCP Xmas Scan IDF Server Plug-in Audit Started IDF Server Plug-in Audit Shutdown IDF Server Plug-in Installed License Related Configuration Change Diagnostic Package Generated Diagnostic Package Exported Diagnostic Package Uploaded Automatic Diagnostic Package Error Usage Information Generated

R ECORD
On On

N OTIFY
On On

851

Warning

On

On

852

Warning

On

On

853

Warning

On

On

854

Warning

On

On

900

Info

On

On

901

Info

On

On

902 903

Info Warning

On On

On On

910 911 912 913

Info Info Info Error

On On On On

On On On On

920

Info

On

On

C-22

Events

TABLE C-3. N UMBER

921

System Events

S EVERITY
Info

E VENT
Usage Information Package Exported Usage Information Package Uploaded Usage Information Package Error Certificate Accepted Certificate Deleted Auto-Tag Rule Created Auto-Tag Rule Deleted Auto-Tag Rule Updated Tag Deleted Command Line Utility Started Command Line Utility Failed Command Line Utility Shutdown System Information Exported Server Plug-in Node Added Server Plug-in Node Decommissioned Server Plug-in Node Updated Tagging Error

R ECORD
On

N OTIFY
On

922

Info

On

On

923

Error

On

On

930 931 940 941 942 943 970 978 979

Info Info Info Info Info Info Info Info Info

On On On On On On On On On

On On On On On On On On On

980 990 991

Info Info Info

On On On

On On On

992 997

Info Error

On On

On On

C-23

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-3. N UMBER

998

System Events

S EVERITY
Error

E VENT
System Event Notification Error Internal Software Error Plug-in Installation Failed Plug-in Installed Plug-in Upgrade Failed Plug-in Upgraded Plug-in Start Failed Plug-in Uninstall Failed Plug-in Uninstalled

R ECORD
On

N OTIFY
On

999 1101 1102 1103 1104 1105 1106 1107

Error Error Info Error Info Error Error Info

On On On On On On On On

On On On On On On On On

Client Plug-in Events

Client Plug-in Events are displayed within a System Event in the System Events screen. For example, double-clicking the "Events Retrieved" System Event will display a window listing all the Client Plug-in Events that were retrieved. Events annotated as "Deprecated" are no longer generated by the most recent Client Plug-ins but may still appear if you are running older versions.
TABLE C-4.
Client Plug-in Events

N UMBER
0

S EVERITY
Error

E VENT
Unknown Client Plug-in Event

N OTES

Driver-Related Events

C-24

Events

TABLE C-4.

Client Plug-in Events

N UMBER
1000 1001 1002 1003 1004

S EVERITY
Error Error Warning Warning Warning

E VENT
Unable To Open Engine Engine Command Failed Engine List Objects Error Remove Object Failed Engine Returned Bad Rule Data

N OTES

Deprecated

Configuration-Related Events 2000 Info Security Configuration Updated Invalid Firewall Rule Assignment Invalid Stateful Configuration Save Security Configuration Failed Invalid Interface Assignment Invalid Interface Assignment Invalid Action Invalid Packet Direction Invalid Rule Priority Unrecognized IP Format Deprecated Deprecated Deprecated

2001

Warning

2002

Warning

Deprecated

2003

Error

2004

Warning

2005

Warning

2006 2007 2008 2009

Warning Warning Warning Warning

C-25

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-4.

Client Plug-in Events

N UMBER
2010 2011 2012

S EVERITY
Warning Warning Warning

E VENT
Invalid Source IP List Invalid Source Port List Invalid Destination IP List Invalid Destination Port List Invalid Schedule Invalid Source MAC List Invalid Destination MAC List Invalid Schedule Length Invalid Schedule String Unrecognized IP Format Object Not Found Object Not Found Invalid Rule Assignment Firewall Rule Not Found Traffic Stream Not Found DPI Rule Not Found Pattern List Not Found Traffic Stream Conversion Error

N OTES
Deprecated Deprecated Deprecated

2013

Warning

Deprecated

2014 2015 2016

Warning Warning Warning

Deprecated Deprecated Deprecated

2017 2018 2019 2020 2021 2022 2050 2075 2076 2077 2078

Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning Warning

Deprecated

Deprecated Deprecated Deprecated Deprecated Deprecated

C-26

Events

TABLE C-4.

Client Plug-in Events

N UMBER
2079

S EVERITY
Warning

E VENT
Invalid DPI Rule XML Rule Conditional Firewall Rule Not Found Conditional DPI Rule Not Found Empty DPI Rule DPI Rule XML Rule Conversion Error Security Configuration Error Unsupported IP Match Type Unsupported MAC Match Type Invalid SSL Credential Missing SSL Credential

N OTES
Deprecated

2080

Warning

Deprecated

2081

Warning

Deprecated

2082 2083

Warning Warning

Deprecated Deprecated

2085

Error

2086

Warning

2087

Warning

2088 2089

Warning Warning

Hardware-Related Events 3000 3001 3002 3003 Warning Warning Warning Error Invalid MAC Address Get Event Data Failed Too Many Interfaces Unable To Run External Command

C-27

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-4.

Client Plug-in Events

N UMBER
3004

S EVERITY
Error

E VENT
Unable To Read External Command Output Operating System Call Error Operating System Call Error File Error Machine-Specific Key Error Unexpected Client Plug-in Shutdown Client Plug-in Database Error Get Windows System Directory Failed Read Local Data Error

N OTES

3005

Error

3006

Error

3007 3008

Error Error

3009

Error

3010

Error

3600

Error

Deprecated

3601

Warning

Windows error. Windows error. Windows error. File size error. Windows error. Windows error.

3602

Warning

Windows Service Error

3603

Error

File Mapping Error

3700

Warning

Abnormal Restart Detected System Last Boot Time Change

3701

Info

C-28

Events

TABLE C-4.

Client Plug-in Events

N UMBER

S EVERITY

E VENT

N OTES

Communication-Related Events 4000 Warning Invalid Protocol Header Content length out of range. Content length missing.

4001

Warning

Invalid Protocol Header

4002

Info

Command Session Initiated Configuration Session Initiated Command Received Failure to Contact Server Plug-in Heartbeat Failed

4003

Info

4004 4011

Info Warning

4012

Warning

Client Plug-in-Related Events 5000 5001 5002 5003 5004 5005 Info Error Error Info Warning Info Client Plug-in Started Thread Exception Operation Timed Out Client Plug-in Stopped Clock Changed Client Plug-in Auditing Started

C-29

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

TABLE C-4.

Client Plug-in Events

N UMBER
5006

S EVERITY
Info

E VENT
Client Plug-in Auditing Stopped Filter Driver Connection Failed Filter Driver Connection Success Filter Driver Informational Event

N OTES

5008

Warning

5009

Info

5010

Warning

Logging-Related Events 6000 6001 6002 6003 Info Info Info Info Log Device Open Error Log File Open Error Log File Write Error Log Directory Creation Error Log File Query Error Log Directory Open Error Log File Delete Error Log File Rename Error Log Read Error Log File Deleted Due To Insufficient Space Events Were Suppressed

6004 6005 6006 6007 6008 6009

Info Info Info Info Info Warning

6010

Warning

C-30

Events

TABLE C-4.

Client Plug-in Events

N UMBER
6011 6012

S EVERITY
Warning Error

E VENT
Events Truncated Insufficient Disk Space

N OTES

Attack/Scan/Probe-Related Events 7000 Warning Computer OS Fingerprint Probe Network or Port Scan TCP Null Scan TCP SYNFIN Scan TCP Xmas Scan

7001 7002 7003 7004

Warning Warning Warning Warning

C-31

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

C-32

Index
A Alerts 4-2 configuring 4-3 emailing 4-4 Application Types 9-15, 9-29 archiving logs 11-8 arithmetic comparison 9-26 B backup 11-1011-12 scheduled 11-13 bitwise 9-27 break 9-24 Bypass Rule 8-12 logging 8-13 optimization 8-12 Stateful Configuration 8-12 C case-sensitive matching 9-18 Cisco NAC about C-1 Client Plug-in 2-2, 6-11 activating 6-14 configuring communications 6-11 deactivating 6-16 deploying 6-13 Events C-24 states B-5 status B-1 stopping and starting 6-15 uninstalling 6-17 Updates 12-29 updating 6-15 upgrading 6-16 Components 10-2 Contexts 10-6 IP Lists 10-2 MAC Lists 10-3 Port Lists 10-4 Schedules 10-8 Computers 6-2, 6-18 asset value 6-20 assigning Security Profiles 6-10 clearing warnings/errors 6-19 details 6-21 errors B-5 locking 6-19 preview 6-3 Scan for Open Ports 6-5 Scan for Recommendations 6-6 searching for 6-3 states B-2 status 6-3, B-1 synchronizing with OfficeScan 6-4 System Settings 12-7 unlocking 6-19 viewing information 6-2 Contexts 10-6 counters 9-19 custom DPI Rules 9-13 D Dashboard 3-1 configuring 3-6 customizing 3-3 filtering by computer and domain 3-6 filtering by date/time 3-6

IN-1

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

filtering by tags 3-5 saving configurations 3-7 Widget layout 3-4 Widgets 3-2 database migrating 11-10 minimizing space 11-8 optimizing 11-7 size of 11-9 Deep Packet Inspection 9-2, 13-11 accessing registers 9-23 Application Types 9-15, 9-29 case-sensitive matching 9-18 comments 9-16 comparing registers 9-23 counters 9-19 creating and editing Rules 9-10 creating custom Rules 9-13 detect mode 9-16 distance constraints 9-18 drop 9-16 Events 9-4, 9-6, C-5 exporting Event log 9-7 filtering Events 9-5 order of execution 9-27 packet processing sequence 9-2 patterns 9-20 prevent mode 9-16 query rules 9-29 register assignments 9-22 resetting a connection 9-169-17 Rule actions 9-21 Rules 9-9 searching for Events 9-5 setdrop 9-17 state 9-15, 9-18 System Settings 12-10

tagging Events 9-7 turning on and off 9-3 UDP pseudo connections 9-28 Web resource 9-29 Web Rules 9-289-29 distance constraints 9-18 documentation feedback 14-5 drop 9-16 E emails configuring 4-4 equality 9-25 errors clearing 6-19 computer B-5 Event log format 13-11 Events 6-18 Client Plug-n C-24 Computer 6-18 DPI 9-49-6, C-5 exporting 8-6, 12-4 Firewall 8-2, C-2 System 12-2, C-8 tagging 9-7 F Firewall 8-2 Event log 13-6 Events 8-2, 8-5, C-2 exporting events 8-6 filtering Events 8-5 policy 8-15 Rules 8-8 searching for Events 8-5 System Settings 12-10 tagging Events 8-6

IN-2

Index

turning on and off 8-2 Firewall Rules 8-8 applying 8-17 Bypass Rule 8-12 creating 8-17 logging 8-14 rule action 8-8, 8-10 rule priority 8-10 sequence 8-13 stateful filtering 8-11 I if-Statement 9-23 inheritance 6-28 Interface Isolation 12-17 Intrusion Defense Firewall about 1-2 IP Lists 10-2 K Knowledge Base 14-3 L Licenses 12-27 logging 13-2 advanced logging policy modes 13-19 bypass rule 8-13 configuring 13-2 DPI Event log format 13-11 Firewall Event log 13-6 notifications 13-2 scripts 13-3 Server Plug-in settings 13-4 SNMP 13-3 Syslog 13-313-4 Syslog integration 13-3 Syslog messages 13-5

M MAC Lists 10-3 migrating computers 11-611-7 Server Plug-in 11-3 modulo32 comparison 9-26 N new features 1-2 Notifications Settings 12-21 O OfficeScan synchronizing computers 6-4 Web console 2-3 optimizing 11-7 order of execution 9-27 overrides 6-28, 6-32 P patterns 9-20 Port Lists 10-4 ports A-1 Q query rules 9-29 R Ranking Settings 12-22 Reconnaissance Settings 12-19 registers accessing 9-23 assignments 9-22 comparing 9-23 Reports 5-2 restore 11-10, 11-1211-13 rule action 8-8, 8-10

IN-3

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

rule priority 8-10 S Scan for Open Ports 6-5 cancelling 6-6 Scan for Recommendations 6-6 clearing 6-9 configuring Rules 6-9 results 6-8 Scan Settings 12-21 Schedules 10-8 scripts 13-3 Security Information Center 14-4 Security Profiles 7-2 creating 7-2 editing 7-3 viewing 7-3 Security Updates 12-28 server diagnostics 12-30 Server Plug-in backup and restore 11-10 database size 11-9 migrating 11-3, 11-6 migrating computers 11-7 migrating to another database 11-10 minimizing database space 11-8 optimizing embedded database 11-7 securing 11-2 Syslog settings 13-4 uninstalling 11-14 upgrading 11-3 setdrop 9-17 signed comparison 9-25 SNMP 13-3 SQL Server Express archiving logs 11-8 limitations 11-8

state 9-18 Stateful Configuration 8-12, 8-23 stateful filtering 8-11 states Client Plug-in B-5 computer B-2 status Client Plug-in B-1 computer B-1 suspicious files 14-5 Syslog 13-313-4 integration 13-3 parsing messages 13-5 System 12-2 applying Security Updates 12-28 Client Plug-in Updates 12-29 Computer Settings 12-7 configuring the System 12-24 Contexts Settings
Contexts 12-18

Events 12-2, C-8 filtering Events 12-3 Firewall and DPI Settings 12-10 Interface Isolation 12-17 Licenses 12-27 Notifications Settings 12-21 Ranking Settings 12-22 Reconnaissance Settings 12-19 Scan Settings 12-21 server diagnostics 12-30 settings 12-6 tagging Events 12-4 Tasks 12-26 Updates 12-23, 12-28 T Tags 12-25 Dashboard 3-5

IN-4

Index

Events 8-6 System Events 12-4 viewing 12-25 Tasks 12-26 Technical Support 14-2 U UDP pseudo connections 9-28 uninstalling Client Plug-in 6-17 Server Plug-in 11-14 unsigned comparison 9-25 Updates 12-23, 12-28 Client Plug-in 12-29 Security 12-28 upgrading Client Plug-in 6-16 Server Plug-in 11-3 W warnings clearing 6-19 Web console 2-3 Web resource 9-29 Web Rules 9-289-29 Web threats 10-2 Widgets 3-2 adding and removing 3-5 layout 3-4 X XML quoting 9-14

IN-5

Trend Micro Intrusion Defense Firewall 1.5 Administrators Guide

IN-6