First Published: November 2, 2005
Last Revised: September 21, 2006
Whenever a program is newly installed (or upgraded), new firewall
rules must be created before that program can be allowed to access
the Internet. Explicit instructions are given here for
Kerio Personal Firewall 2.1.5 (KPF). Intended for
trained admins only.
PROCEDURE: Create New Firewall Rules
- Switch to "prompting" mode:
  - At the system tray (bottom right of screen), right-click
    on the blue shield.
  - Select Administration.
  - Enter the password as prompted.
  - Drag the slider to the middle setting:
    Ask Me First
  - Click Apply. (Do not click OK; leave the KPF panel open as a
    reminder that the firewall is still in prompting mode.)
- Create new rule(s):
  - Perform the process in your program which will trigger
    firewall prompts.
  - Confirm the source and nature of each prompt are as
    expected: the application path shown in the prompt must be the
    program you just installed, and the remote address and port must
    be ones that program legitimately needs. Deny any prompt from
    another program, or one you cannot account for, and report it.
  - Check the box: Create appropriate filter rules and don't
    ask me again
  - Click Permit.
  - Repeat this process as necessary, until all parts of the
    program are working. You might need to restart the program each
    time.
- Return to "normal" mode:
  - From the previously opened Kerio Personal Firewall panel:
    - Drag the slider to the top setting:
      Deny Unknown
    - Click OK. (Confirm the blue shield is back in the system tray.)
NOTICE: Make sure you have proper
authorization to perform this procedure. Unauthorized tampering with
security settings (even only momentarily) is a serious violation of
your firm's IT policies!
If you're the DIFA, you have already received the proper training and
briefing on this and have standing authority. Individual staff members
might be granted specific conditional authority on a per-incident
basis by IT personnel, just before they're instructed to contact
software vendors directly.
The procedure listed above is a simplified version: the rules it
creates permit whatever the prompts asked for. For maximum security,
rules must be customized afterward, restricting each one to the
direction, protocol, remote addresses and ports the program actually
needs.
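As an added illustration (not part of the original page, and not KPF's own rule format, which this page does not show), the following Python model of host-firewall rule evaluation puts a broad auto-generated permit rule beside a customized one for the same program and checks what each allows. The program path, the update-server address range and the sample connections are constructed; the any/any shape of the auto-generated rule is an assumption made to show the contrast.

```python
# Added illustration: a minimal host-firewall rule evaluator (not KPF's rule
# format). It compares a broad auto-generated permit rule with a customized
# one for the same program under first-match, default-deny evaluation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    app: str           # full path of the executable making the connection
    direction: str     # "out" or "in"
    proto: str         # "tcp" or "udp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    app: str
    action: str                        # "permit" or "deny"
    direction: Optional[str] = None    # None means any direction
    proto: Optional[str] = None        # None means any protocol
    remote_net: Optional[str] = None   # CIDR; None means any address
    remote_port: Optional[int] = None  # None means any port

    def matches(self, c: Connection) -> bool:
        if c.app.lower() != self.app.lower():   # Windows paths compare case-insensitively
            return False
        if self.direction is not None and c.direction != self.direction:
            return False
        if self.proto is not None and c.proto != self.proto:
            return False
        if self.remote_port is not None and c.remote_port != self.remote_port:
            return False
        if self.remote_net is not None and \
                ip_address(c.remote_ip) not in ip_network(self.remote_net):
            return False
        return True


def decide(rules: List[Rule], c: Connection) -> str:
    """First matching rule wins; no match means deny (the 'Deny Unknown' posture)."""
    for r in rules:
        if r.matches(c):
            return r.action
    return "deny"


# Hypothetical program path and constructed addresses (documentation ranges).
APP = r"C:\Program Files\Vendor\updater.exe"
UPDATE_SERVER = "203.0.113.10"     # assumed vendor update host, in 203.0.113.0/24
STRANGER = "198.51.100.7"          # an unrelated host

# Broad rule of the kind the simplified procedure leaves behind (assumed
# shape): the program may talk to anything, in any direction.
AUTO_RULES = [Rule(app=APP, action="permit")]

# Customized rules: only what was observed during testing, followed by an
# explicit deny for everything else this program tries.
CUSTOM_RULES = [
    Rule(app=APP, action="permit", direction="out", proto="tcp",
         remote_net="203.0.113.0/24", remote_port=443),
    Rule(app=APP, action="deny"),
]

# Constructed sample connections.
EXPECTED = Connection(APP, "out", "tcp", UPDATE_SERVER, 443)
UNEXPECTED = Connection(APP, "out", "tcp", STRANGER, 6667)   # program phoning somewhere else
INBOUND = Connection(APP, "in", "tcp", STRANGER, 4444)       # unsolicited inbound to the program
OTHER_APP = Connection(r"C:\Temp\dropper.exe", "out", "tcp", STRANGER, 80)


def compare(conns: List[Connection]):
    """Return (auto decision, custom decision) per connection for side-by-side review."""
    return [(decide(AUTO_RULES, c), decide(CUSTOM_RULES, c)) for c in conns]


if __name__ == "__main__":
    samples = [EXPECTED, UNEXPECTED, INBOUND, OTHER_APP]
    for c, (auto, custom) in zip(samples, compare(samples)):
        print(f"{c.direction:>3} {c.proto} {c.remote_ip}:{c.remote_port:<5} "
              f"auto={auto:<6} custom={custom}")
```

The point the side-by-side makes: both rule sets deny an unknown program, but only the customized set denies the known program when it reaches an address or port it was never observed to need, or accepts an inbound connection it should never receive. The explicit catch-all deny at the end of the customized set keeps a later prompt from quietly widening the rule again.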
Exceptions: If any of the
following conditions apply, it is unacceptable to lower the protection
of the host-based firewall (Kerio) under any circumstances, even
momentarily, and that includes switching it out of Deny Unknown mode as
the procedure above does.
- You're in a small office with no firewall/gateway router, and
  your station is directly connected to the Internet.
- Your system currently has a known or suspected infection or
  compromise.
- Your system has been declared "conditionally safe to use,"
  pending further investigation and thorough clean-up. Often, during
  incident response, "scoop and scoot" first aid is performed on the
  station during business rush hours: the system is mostly stabilized,
  with major attacks averted and contained, but not completely
  eradicated. Any momentary lowering of safeguards could have serious
  consequences.
- The host in question is a server, or a designated mission-critical
  key workstation; in that case testing/installation must be
  administered by IT. An explicit waiver may be granted by IT to a
  specific staff member, or by management in an emergency.