Network Security Policy
The Network Security Policy interface is the nerve center of Comodo Firewall and allows advanced administrators to configure and deploy traffic filtering rules and policies on an application specific and global basis.
- Click on 'Network Security Policy' in Firewall > Advanced Task to open the 'Network Security Policy' interface.
The interface is divided into two main sections - Application Rules and Global Rules.
The Application Rules tab allows administrators to view, manage and define the network and Internet access rights of applications in the system.
The Global Rules tab allows administrators to view, manage and define overall network policy that applies to the computer and is independent of application rules.

Both Application Rules and Global Rules are consulted when the firewall is determining whether to allow or block a connection attempt.
- For outgoing connection attempts, the Application Rules are consulted first and then the Global Rules.
- For incoming connection attempts, the Global Rules are consulted first and then the application-specific rules.
See General Navigation for a summary of the navigational options available from the main Network Security Policy interface.
See the section 'Application Rules' for help to configure application rules and policies.
See the section 'Global Rules' for help to configure global rules and to understand the interaction between global and application rules.
General Navigation Controls for Network Security Policy interface:

Window Specific Navigation Controls – Network Security Policy

| Menu Element | Element Icon | Description |
|---|---|---|
| Add New Group | | Allows the administrator to add a new application to the list and then create its policy in the Application Rules tab. Note: This icon is not available in the Global Rules tab. |
| Add New Rule | | Allows the administrator to add a new rule to the selected policy. |
| Edit | | Allows the administrator to edit the selected application policy / rule. |
| Remove | | Removes the selected policy / rule. |
| Move Up | | Raises the currently selected policy / rule by one row in the priority list. Administrators can also re-prioritize policies or re-assign individual rules to another application's policy by dragging and dropping. |
| Move Down | | Lowers the currently selected policy / rule by one row in the priority list. Administrators can also re-prioritize policies or re-assign individual rules to another application's policy by dragging and dropping. |
See Overview of Policies and Rules for an explanation of rule and policy structure and how these are represented in the main Application Rules interface.
See Application Network Access Control interface for an introduction to the rule setting interface.
See Creating and Modifying Network Policies to learn how to create and edit network policies.
See Understanding Network Control Rules for an overview of the meaning, construction and importance of individual rules.
See Adding and Editing a Network Control Rule for an explanation of individual rule configuration.
Overview of Policies and Rules
Whenever an application makes a request for Internet or network access, Comodo Firewall allows or denies this request based upon the Firewall Policy that is specified for that application. Firewall Policies are, in turn, made up from one or more individual network access rules. Each individual network access rule contains instructions that determine whether the application should be allowed or blocked; which protocols it is allowed to use; which ports it is allowed to use and so forth.

To modify the firewall policy for an application:
- Double click on the application name to begin 'Creating and Modifying Network Policies'
(OR)
- Select the application name and click the 'Edit' icon to begin 'Creating and Modifying Network Policies'
To modify an individual rule within the policy:
- Double click on the specific rule to begin 'Adding and Editing a Network Control Rule'
(OR)
- Select the specific rule and click the 'Edit' icon to begin 'Adding and Editing a Network Control Rule'

Note 1: Administrators can also re-prioritize policies or re-assign individual rules to another application's policy by dragging and dropping.
Note 2: Although each policy can be defined from the ground up by individually configuring its constituent rules, this would be time consuming if it had to be performed for every single program in the system. For this reason, Comodo Firewall contains a selection of predefined policies according to broad application category. For example, the policy 'Web Browser' can be applied to the 'Internet Explorer', 'Firefox' and 'Opera' applications. Each predefined policy has been specifically designed by Comodo Firewall to optimize the security level of a certain type of application. Administrators can, of course, modify these predefined policies to suit their environment and requirements. For more details, see Predefined Firewall Policies.
Application Network Access Control interface
Network control rules can be added, modified, removed and re-ordered through the Application Network Access Control interface. Any rules created using Adding and Editing a Network Control Rule are displayed in this list.

Comodo Firewall applies rules on a per-packet basis and applies the first rule that matches the packet being filtered (see Understanding Network Control Rules for more information). If there are several rules in the list relating to a packet type, the one nearer to the top of the list is applied.
The priority of a rule is changed by simply dragging and dropping the rule in question. Alternatively, a rule can be re-prioritized by selecting it and clicking either the 'Move Up' or 'Move Down' button. To begin creating network policies, first read 'Overview of Policies and Rules' and then 'Creating and Modifying Network Policies'.
Creating and Modifying Network Policies
To begin defining an application's network policy, there are two basic steps:
(1) Select the application for which the policy is to be applied.
(2) Configure the rules for this application's policy.
(1) Select the application for which the policy is to be applied
- Click the icon in the main Application Rules tab. This opens the Application Network Access Control dialog box.

Note: As this is a new application, the 'Application Path' field is blank. When modifying an existing policy, this interface shows the individual rules for that application's policy.
- Click the 'File Groups' button.
- Select the required Application Path from the dropdown.
Note 1: The File Group dropdown displays a list of preset files or folders for which a firewall policy can be created. For example, selecting the 'Executables' option creates a firewall policy for any file that attempts to connect to the Internet with one of the extensions .exe, .dll, .sys, .ocx, .bat, .pif, .scr or .cpl. Other categories available include 'Windows System Applications', 'Windows Updater Applications', 'Start Up Folders' etc., each of which provides a fast and convenient way to apply a generic policy to important files and folders. To view the file types and folders that are affected by choosing one of these options, visit the Defense+ area of Comodo Internet Security by navigating to: Defense+ > My Protected Files.
More details on files and file groupings are available in this help guide in the My Protected Files and My Blocked Files sections.
Note 2: To learn how to create a new File Group and add a list of files to it, click here.
(2) Configure the rules for this application's policy
There are two broad options available for creating a policy that applies to an application: 'Use a Predefined Policy' or 'Use a Custom Policy'.
(i) Use a Predefined Policy:
- Select this option to quickly deploy an existing policy on to the target application.
- Choose the policy from the drop-down menu. The name of the predefined policy is displayed in the 'Treat As' column for the selected application in the Application Rules interface.

Note: It is not possible to modify Predefined Policies directly from this interface; they can only be defined and modified using the Predefined Firewall Policies interface. Adding or modifying rules for an application means creating a new custom policy, which should be done using the more flexible 'Use a Custom Policy' option.
(ii) Use a Custom Policy: Designed for more experienced administrators.
- Select this option to enable full control over the configuration of the firewall policy and the parameters of each rule within that policy.
- Click the 'Copy From' button. The various policy groups are displayed in the dropdown.
- Click on the required policy group to display a list of the policies associated with it in another dropdown.
- Click the desired policy to populate the Network Access Rules section with the constituent rules of that predefined policy.
- Select a rule and click the icon to add or edit a Network Control Rule.
General Tips: To create a reusable policy for deployment on multiple applications, add a new Predefined Firewall Policy (or modify an existing one accordingly), then use the 'Use a Predefined Policy' option in this section to roll it out.
To build a bespoke policy for one or two specific applications, choose the 'Use a Custom Policy' option and create a policy either from scratch by adding individual rules or by using one of the built-in policies as a starting point.
Understanding Network Control Rules
At their core, each Network Control Rule can be thought of as a simple IF-THEN trigger: a set of conditions (or attributes) pertaining to a packet of data from a particular application, and an action that is enforced if those conditions are met.
As a packet filtering firewall, Comodo Firewall analyzes the attributes of every packet of data that attempts to enter or leave the computer. Attributes of a packet include the application that is sending or receiving it, the protocol it uses, the direction in which it is traveling, the source and destination IP addresses and the ports it attempts to traverse. The firewall then tries to find a network control rule that matches all the conditional attributes of the packet in order to determine whether or not it should be allowed to proceed. If there is no corresponding Network Control Rule, the connection is automatically blocked until a rule is created.

The actual conditions (attributes) seen* on a particular Network Control Rule are determined by the protocol chosen in Adding and Editing a Network Control Rule.
- For 'TCP', 'UDP' or 'TCP or UDP', the rule has the form: Action | Protocol | Direction | Source Address | Destination Address | Source Port | Destination Port
- For 'ICMP', the rule has the form: Action | Protocol | Direction | Source Address | Destination Address | ICMP Details
- For 'IP', the rule has the form: Action | Protocol | Direction | Source Address | Destination Address | IP Details
Rule Format – Network Control Rules

| Element | Description |
|---|---|
| Action | The action the firewall takes when the conditions of the rule are met. The rule shows 'Allow', 'Block' or 'Ask'.** |
| Protocol | States the protocol that the target application attempts to use when sending or receiving packets of data. The rule shows 'TCP', 'UDP', 'TCP or UDP', 'ICMP' or 'IP'. |
| Direction | States the direction of the traffic that the data packet attempts to negotiate. The rule shows 'In', 'Out' or 'In/Out'. |
| Source Address | States the source address of the connection attempt. The rule shows 'From' followed by one of the following: IP, IP range, IP Mask, Network Zone, Host Name or MAC Address. |
| Destination Address | States the destination address of the connection attempt. The rule shows 'To' followed by one of the following: IP, IP range, IP Mask, Network Zone, Host Name or MAC Address. |
| Source Port | States the port(s) through which the application must be attempting to send packets of data. Shows 'Where Source Port Is' followed by one of the following: 'Any', 'Port #', 'Port Range' or 'Port Set'. |
| Destination Port | States the port(s) on the remote entity to which the application must be attempting to send. Shows 'Where Destination Port Is' followed by one of the following: 'Any', 'Port #', 'Port Range' or 'Port Set'. |
| ICMP Details | States the ICMP message that must be detected to trigger the action. See Adding and Editing a Network Control Rule for details of the available messages that can be displayed. |
| IP Details | States the type of IP protocol that must be detected to trigger the action. See Adding and Editing a Network Control Rule for the list of available IP protocols that can be displayed here. |
Once a rule is applied, Comodo Firewall monitors all network traffic relating to the chosen application and takes the specified action if the conditions are met. Administrators should also see the section 'Global Rules' to understand the interaction between Application Rules and Global Rules.
* If a descriptive name is defined while creating the rule, then that name is displayed here rather than its full parameters. See the next section, 'Adding and Editing a Network Control Rule', for more details.
** Selecting the 'Log as a firewall event if this rule is fired' option postfixes the action with "& Log" (e.g. Block & Log).
Adding and Editing a Network Control Rule
The Network Control Rule Interface is used to configure the actions and conditions of an individual network control rule.
Note: Inexperienced firewall administrators are advised to gain some background knowledge by reading the sections 'Understanding Network Control Rules', 'Overview of Policies and Rules' and 'Creating and Modifying Network Policies'.

Action: Defines the action the firewall takes when the conditions of the rule are met. Options available via the drop-down menu are 'Allow', 'Block' or 'Ask'.
Protocol: Allows the administrator to specify which protocol the data packet should use. Options available via the drop-down menu are 'TCP', 'UDP', 'TCP or UDP', 'ICMP' or 'IP'.
Note: Depending on the option selected in the Protocol field, the choices available in the tabs on the lower half of the interface change.
Direction: Allows the administrator to define which direction the packets should travel. Options available via the drop-down menu are 'In', 'Out' or 'In/Out'.
Log as a firewall event if this rule is fired: Selecting this option creates an entry in the firewall event log viewer whenever this rule is called into operation (i.e. when ALL of its conditions have been met).
Description: A short, descriptive name for the rule. Name a rule by its intended purpose so that it is easy to understand; this name is displayed to represent the rule, instead of its full actions / conditions, in the main Application Rules interface and the Application Network Access Control interface.
'TCP', 'UDP' or 'TCP or UDP' Protocol
If 'TCP', 'UDP' or 'TCP or UDP' is selected as the protocol for the rule, then the source and destination IP addresses and ports sending and receiving the information must be defined.
Source Address and Destination Address tabs:

- Choose any IP address by selecting the 'Any' option. This defaults to the IP range 0.0.0.0 - 255.255.255.255 to allow connections from all IP addresses.
- Choose a single IP address by selecting the 'Single IP' option and entering the IP address in the IP text box, e.g. 192.168.200.113.
- Choose an IP range by selecting the 'IP Range' option and entering the range of IP addresses in the 'Start IP' and 'End IP' fields respectively.
- Choose an IP mask by selecting the 'IP Mask' option. IP networks can be divided into smaller networks called subnetworks (or subnets). An IP address / mask pair defines a subnet by the IP address and mask of the network. Enter the IP address and mask of the network in the respective fields.
- Choose an entire network zone by selecting the 'Zone' option. This defaults to Local Area Network, but new zones can also be defined by first creating a zone through the 'My Network Zones' interface.
- Choose a named host by selecting the 'Host Name' option, which denotes the IP address of the system being used.
- Choose a MAC address by selecting the 'MAC Address' option and entering the address in the MAC Address field.
- Exclude (i.e. NOT the choice below): Choosing the Exclude option performs the opposite of what is specified. For example, if an Allow rule is selected, the Exclude box is checked in the Source IP tab and values are entered for an IP range, then that IP range is excluded from the rule.
Note: Create a separate Allow rule for the range of IP addresses that need not be used.
Source Port and Destination Port tabs:

- Choose any port number by selecting 'Any' (set by default, 0 - 65535).
- Choose a single port number by selecting the 'A Single Port' option and selecting the port number from the list.
- Choose a port range by selecting the 'A Port Range' option and selecting the port numbers from the 'From' and 'To' lists.
- Choose a predefined port set by choosing the 'A Set of Ports' option. To create a port set, please see the section 'My Port Sets'.
ICMP Protocol
Selecting ICMP as the protocol in General Settings shows a list of ICMP message types in the 'ICMP Details' tab alongside the Source Address and Destination Address tabs. The last two tabs are configured identically to the explanation above.
ICMP Details tab:
ICMP (Internet Control Message Protocol) packets contain error and control information which is used to announce network errors and network congestion, report timeouts, and assist in troubleshooting. It is used mainly for performing traces and pings. Pinging is frequently used as a quick test before attempting to initiate communications. This tab enables the administrator to create rules to allow / block specific types of ping requests. With Comodo Firewall, administrators can create rules to allow / deny inbound ICMP packets that provide information, and so minimize security risk.

- Enter the source / destination IP address. The source IP is the IP address from which the traffic originated and the destination IP is the IP address of the computer that receives the packets.
- Specify the ICMP message, type and code. An ICMP message includes a type field that specifies the kind, and hence the format, of the ICMP message.
- Selecting a particular ICMP message sets its type and code by default.
- Selecting the ICMP message type 'Custom' prompts for the type and code to be specified.
IP Protocol
Selecting IP as the protocol in General Settings shows a list of IP protocols in the 'IP Details' tab alongside the Source Address and Destination Address tabs. The last two tabs are configured identically to the explanation above.
IP Details

- Select the type of IP protocol that needs to be allowed. The IP protocols listed are ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol), GGP (Gateway-to-Gateway Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and PUP (PARC Universal Packet).
Global Rules
Unlike Application Rules, which are applied to and triggered by traffic relating to a specific application, Global Rules are applied to all traffic traveling in and out of a computer.

Comodo Firewall analyzes every packet of data in and out of a PC using a combination of Application and Global Rules.
- For outgoing connection attempts, the application rules are consulted first and then the global rules second.
- For incoming connection attempts, the global rules are consulted first and then the application rules second.

Therefore, outgoing traffic has to 'pass' both the application rules and then any global rules before it is allowed out of the system. Similarly, incoming traffic has to 'pass' any global rules first and then the application-specific rules that may apply to the packet.
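The evaluation order described above, together with the rule format from 'Understanding Network Control Rules', modelled as an added example (this is not Comodo's code): a first-match evaluator over simplified Allow/Block rules that supports the Single IP, IP Range and IP Mask address forms and the Exclude option. The browser, LAN-server and global policies are constructed sample data, and the "no matching rule blocks the packet" default follows this guide's statement rather than the product's actual behaviour.

```python
"""Evaluation model for Comodo-style Network Control Rules (added example, not
Comodo's code). Assumed here: the first matching rule in a list wins; outgoing
traffic must pass application rules then global rules, incoming the reverse;
a list with no matching rule blocks the packet, as this guide states."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                 # 'Allow' or 'Block'
    protocol: str               # 'TCP', 'UDP', 'TCP or UDP', 'ICMP' or 'IP'
    direction: str              # 'In', 'Out' or 'In/Out'
    src: str = "0.0.0.0/0"      # Single IP, IP Range 'start-end' or IP/Mask
    dst: str = "0.0.0.0/0"
    src_ports: set = field(default_factory=set)   # empty set means 'Any'
    dst_ports: set = field(default_factory=set)
    exclude_src: bool = False   # the 'Exclude (NOT the choice below)' box
    exclude_dst: bool = False

def addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if "-" in spec:             # IP Range: 'Start IP-End IP'
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)   # Single IP or IP/Mask

def proto_match(spec, proto):
    if spec == "TCP or UDP":
        return proto in ("TCP", "UDP")
    return spec == "IP" or spec == proto    # an 'IP' rule covers every IP protocol

def rule_match(r, pkt):
    # Every condition of the IF part must hold; Exclude inverts an address test.
    return (proto_match(r.protocol, pkt["proto"])
            and r.direction in ("In/Out", pkt["dir"])
            and addr_match(r.src, pkt["src"]) != r.exclude_src
            and addr_match(r.dst, pkt["dst"]) != r.exclude_dst
            and (not r.src_ports or pkt["sport"] in r.src_ports)
            and (not r.dst_ports or pkt["dport"] in r.dst_ports))

def first_match(rules, pkt):   # the first matching rule from the top decides
    return next((r.action for r in rules if rule_match(r, pkt)), None)

def decide(app_rules, global_rules, pkt):
    stages = (app_rules, global_rules) if pkt["dir"] == "Out" else (global_rules, app_rules)
    for rules in stages:
        if first_match(rules, pkt) != "Allow":   # 'Block', or no rule at all
            return "Block"
    return "Allow"

# Constructed sample policies: a browser, a LAN file service, and the global list.
BROWSER = [Rule("Allow", "TCP", "Out", dst_ports={80, 443}),
           Rule("Block", "IP", "In/Out")]                  # catch-all at the bottom
LAN_SERVER = [Rule("Allow", "TCP", "In", dst_ports={445})]
GLOBAL = [Rule("Allow", "IP", "Out"),
          Rule("Allow", "TCP", "In", src="192.168.200.0/24"),   # inbound from LAN only
          Rule("Block", "ICMP", "In/Out")]
def example_verdicts():
    https = {"proto": "TCP", "dir": "Out", "src": "192.168.200.113", "dst": "93.184.216.34", "sport": 51000, "dport": 443}
    smb = {"proto": "TCP", "dir": "In", "src": "192.168.200.50", "dst": "192.168.200.113", "sport": 40000, "dport": 445}
    return [decide(BROWSER, GLOBAL, https), decide(BROWSER, GLOBAL, dict(https, dport=25)),
            decide(LAN_SERVER, GLOBAL, smb), decide(LAN_SERVER, GLOBAL, dict(smb, src="10.1.1.1"))]
```

The second verdict shows the browser's bottom catch-all Block rule being reached because no earlier rule matched, and the fourth shows inbound traffic from outside the LAN being stopped by the global rules before the application rules are even consulted.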
Global Rules are mainly, but not exclusively, used to filter incoming traffic for protocols other than TCP or UDP.
The configuration of Global Rules is identical to that for Application Rules. To add a global rule, click the 'Add New Rule' icon. To edit an existing global rule, select the rule and click the 'Edit' icon.
See Application Network Access Control interface for an introduction to the rule setting interface.
See Understanding Network Control Rules for an overview of the meaning, construction and importance of individual rules.
See Adding and Editing a Network Control Rule for an explanation of individual rule configuration.
Comodo Endpoint Security Manager | © 2010 Comodo Security Solutions Inc. | All Rights Reserved.

