In this article, you will learn everything you need to know about the Firewall product.
1. Description
2. How does Firewall work?
3. HEIMDAL Agent - Firewall
4. Endpoint Detection - Firewall view
5. Endpoint Detection - Firewall Management settings
DESCRIPTION
The Firewall product allows you to control the Windows Firewall from the Heimdal Management Portal.
HOW DOES FIREWALL WORK?
The Firewall product controls the Windows Firewall with Advanced Security and enables you to manage firewall rules from the HEIMDAL Dashboard (through the Heimdal.Firewall.exe process). It also detects Brute Force Attack attempts and automatically blocks the RDP Port to stop the attack. The Firewall module also allows you to isolate a computer in case of suspicious activity. The detection of Brute Force Attacks is based on Event ID 4625, which can be found in the Event Viewer -> Windows Logs -> Security -> Audit Logs (Logon category).
HEIMDAL AGENT - FIREWALL
Firewall (inside the HEIMDAL Agent) displays the Firewall Rules that are set by the HEIMDAL Administrator in the Group Policy settings.
In the Firewall Alerts section, you can see the alerts that were triggered on a computer with information on Local IP, Attempts, Detection Type and Date.
ENDPOINT DETECTION - FIREWALL view
The Endpoint Detection - Firewall view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the Windows Firewall rules and the alerts intercepted by the HEIMDAL Agent. At the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Firewall Rules, and Firewall Alerts.
- Firewall Rules
This view displays a table with the following details: Hostname, Username, Application, Port, Profile type, Protocol, Direction, Permission, and Timestamp.
The entries that you see in this view include all the new rules that Windows creates in the Windows Firewall (this event is logged in the Event Viewer Logs, under Microsoft -> Windows -> Windows Firewall with Advanced Security -> Firewall -> event ID 2004). When a new application gets a new rule in the Windows Firewall with Advanced Security, the HEIMDAL Agent sends it to the HEIMDAL Dashboard to be displayed in the Firewall view -> Firewall Rules (if no other rule in the Group Policy under Firewall matches it). The rules created in the Firewall Management settings will not be displayed in the Firewall Rules view. These custom rules will be displayed ONLY in the specific Group Policy, under the Firewall Management sub-tab where they are created.
- Firewall Alerts
This view displays a table with the following details: Hostname, Username, Local IP, Attempts Per Username, Attempts Per IP, Detection type, Timestamp, and Risk Level.
The checkbox allows you to select an entry and add the IP Address to the Brute Force Attack Allowlist. The entries that you see in this view include a list of all the unwanted connections that are interpreted as Brute Force Attacks. The detection types are classified as BruteForceAttackPrivate (the attack originates from an IP Address on the same network as the affected endpoint/server), BruteForceAttackPublic (the attack originates from an IP Address outside the network, i.e. a public IP Address), and FailedLocalPasswordAttempt (the password was entered incorrectly on the endpoint/server itself). Brute Force Attack alerts are triggered when the local user fails a number of password attempts:
- Low Risk - under 150 failed attempts;
- Medium Risk - between 150 and 200 failed attempts;
- High Risk - over 200 failed attempts.
An external user will trigger a High Risk Brute Force Attack alert when a minimum of 5 failed attempts are performed in less than 5 minutes. The failed local password attempts are found in the Event Viewer Logs, under Windows Logs -> Security -> Event ID 4625. During a Brute Force Attack, the Heimdal.Firewall.exe process may consume more CPU, from 1% to 60%, depending on the rate of the failed attempts.
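The classification described above, as an added PowerShell example that is not Heimdal's own code: it groups failed-logon records by source IP, assigns the detection type (local, private-network or public source) and applies the article's risk thresholds (150/200 failed attempts for local failures, 5 failures in under 5 minutes for remote sources). The sample records are constructed inline so the script runs without reading the Security log; the `ConvertFrom-Logon4625` helper shows how the same fields would be pulled from real Event ID 4625 entries. The RFC 1918 test for "same network" and the "Low" label for remote sources below the 5-in-5-minutes bar are assumptions of this example, not statements from the article.

```powershell
# Added example (not Heimdal code): classify failed-logon (Event ID 4625) records
# into the detection types and risk levels the article describes.

function Test-PrivateIPv4 {
    param([string]$Ip)
    # Assumption: "same network as the endpoint" is approximated with the RFC 1918 ranges.
    return ($Ip -match '^10\.' -or
            $Ip -match '^192\.168\.' -or
            $Ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Get-DetectionType {
    param([string]$Ip)
    # 4625 records a '-' or loopback address when the password was typed at the console
    if ($Ip -in @('-', '127.0.0.1', '::1', '')) { return 'FailedLocalPasswordAttempt' }
    if (Test-PrivateIPv4 $Ip) { return 'BruteForceAttackPrivate' }
    return 'BruteForceAttackPublic'
}

function Get-RiskLevel {
    param([string]$Type, [datetime[]]$Times)
    $n = $Times.Count
    if ($Type -eq 'FailedLocalPasswordAttempt') {
        # Local thresholds from the article: under 150 Low, 150-200 Medium, over 200 High
        if ($n -lt 150) { return 'Low' }
        if ($n -le 200) { return 'Medium' }
        return 'High'
    }
    # Remote source: High when any 5 consecutive failures fall inside a 5-minute window
    $sorted = $Times | Sort-Object
    for ($i = 0; $i + 4 -lt $sorted.Count; $i++) {
        if (($sorted[$i + 4] - $sorted[$i]).TotalMinutes -lt 5) { return 'High' }
    }
    return 'Low'   # assumption: below the 5-in-5-minutes bar, report Low
}

function ConvertFrom-Logon4625 {
    # Reads real events from the Security log. Property indexes follow the standard
    # 4625 event template (5 = TargetUserName, 19 = IpAddress); verify them on your build.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[5].Value; Ip = $_.Properties[19].Value }
        }
}

# Constructed sample: 6 failures from a public IP within 2 minutes, 3 spread-out failures
# from a LAN host, and 2 failures typed locally at the console.
$t0 = Get-Date '2024-01-01T10:00:00'
$sample = @()
0..5 | ForEach-Object { $sample += [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); User = 'admin'; Ip = '203.0.113.7' } }
0..2 | ForEach-Object { $sample += [pscustomobject]@{ Time = $t0.AddMinutes(10 * $_); User = 'svc';   Ip = '192.168.1.20' } }
0..1 | ForEach-Object { $sample += [pscustomobject]@{ Time = $t0.AddMinutes($_);      User = 'jane';  Ip = '-' } }

# Replace "$sample" with "ConvertFrom-Logon4625" to evaluate the live Security log.
$sample | Group-Object Ip | ForEach-Object {
    $type = Get-DetectionType $_.Name
    [pscustomobject]@{
        LocalIp       = $_.Name
        Attempts      = $_.Count
        DetectionType = $type
        RiskLevel     = Get-RiskLevel -Type $type -Times ($_.Group.Time)
    }
} | Format-Table -AutoSize
```

With the constructed sample, the public source (6 failures in 100 seconds) is reported as BruteForceAttackPublic / High, the LAN host (3 failures 10 minutes apart) as BruteForceAttackPrivate / Low, and the console failures as FailedLocalPasswordAttempt / Low. Reading the live log requires an elevated session, since the Security log is not readable by standard users.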
ENDPOINT DETECTION - FIREWALL MANAGEMENT settings
This module allows you to control the Windows Firewall from the HEIMDAL Dashboard.
Firewall Management - turns the management of the Windows Firewall ON/OFF. Turning Firewall Management ON will enable the Windows Firewall on the endpoints if it is disabled, but turning it OFF will not disable the Windows Firewall on the endpoints;
General Settings
Block RDP port on brute force detection - automatically blocks the default RDP Port (3389), for both TCP and UDP, on the endpoint where an audit breach is detected. Once the RDP Port is blocked on an endpoint, you'll see a Blocked RDP icon in the Status column (in the Active Clients view). To unblock the RDP Port, select the endpoint in question and click Unblock RDP Port in the dropdown menu;
RDP Port - this field allows you to change the default RDP Port (3389) to another port number (in case RDP listens on a different port);
Enforce manual added rules when computer is isolated - keep the manually added firewall rules in the Group Policy even when the computer is isolated;
Allow ICMP Echo Requests - creates a rule that allows PING requests inside your network;
Use automatic rules - allows you to select any of the profiles to enable/disable the Inbound/Outbound connections;
Allow isolation - allows you to isolate an endpoint in your network from the rest of the endpoints. If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems. Once the option is enabled, the endpoint can be isolated from the Active Clients view, by selecting the endpoint you want to isolate and pressing the Isolate button.
Isolate on Tamper Detection - allows you to automatically isolate an endpoint when the end-user tries to stop/pause the HEIMDAL services (i.e. tries to break the Anti-Tamper Protection);
Isolation rules - allows you to add specific predefined rules to the Windows Firewall when the computer is isolated. The rules come as a group (more specifically as a profile that adds a set of rules for a certain application, e.g. TeamViewer, ISL Online). The rules are deleted when the endpoint is unisolated. Note that any HEIMDAL process/application is allowed by default.
Firewall Rules - this option allows you to add/edit/remove Firewall rules in the Windows Defender Firewall. To create a Firewall Rule, fill in the following fields:
- Name - allows you to set the rule name (the name of the rule needs to be unique). Each rule will include a suffix (corresponding to the protocol type) in the rule name (e.g. Block SQL Server port-TCP or Block SQL Server Port-UDP);
- Application - specify the application path or * for any application;
- Remote IP - specify an IP Address or * for any IP Address;
- Port - specify the port value or * for any Port (values can be set only for TCP or UDP protocols);
- Direction - specify the direction of the flow (In, Out, Both directions);
- Protocol - specify the protocol type (TCP, UDP, or Any);
- Permission - specify whether to block or allow;
- Profile Types - specify on what profile the rule applies (Domain, Private, Public).
Additional Settings
- Local AD Computer Groups - allows you to apply the rule to the computer(s) that are part of the specified Local Active Directory Computer groups;
- Remote AD Computer Groups - allows you to apply the rule to any remote IP Address belonging to computers that are part of the specified AD Computer Groups (this setting will take into consideration the selected IP type: public/private/both);
- Local IP - allows you to apply the rule to a computer that uses the specified IP Address(es). Multiple IP Addresses can be specified, separated by commas;
- IP Type - allows you to select between Public, Private or Both.
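How a rule written with the fields above maps onto native Windows Defender Firewall rules, as an added PowerShell example that is not Heimdal's own code: a "Both" direction becomes an inbound and an outbound rule, an "Any" protocol becomes one TCP and one UDP rule, and every resulting rule name carries the -TCP/-UDP suffix the article describes, so the base name must be unique in the policy. The function name `ConvertTo-NetFirewallRuleParams` and the `*` to `Any` mapping are this example's own conventions; `New-NetFirewallRule` and its parameters are the real NetSecurity cmdlet. The AD-group and IP-type settings have no direct cmdlet parameter and are left out.

```powershell
# Added example (not Heimdal code): expand one rule definition, written with the
# fields from the article (Name, Application, Remote IP, Port, Direction, Protocol,
# Permission, Profile Types), into the Windows Defender Firewall rules it represents.

function ConvertTo-NetFirewallRuleParams {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Application = '*',
        [string]$RemoteIP    = '*',
        [string]$Port        = '*',
        [ValidateSet('In', 'Out', 'Both')][string]$Direction   = 'In',
        [ValidateSet('TCP', 'UDP', 'Any')][string]$Protocol    = 'Any',
        [ValidateSet('Allow', 'Block')][string]$Permission     = 'Block',
        [ValidateSet('Domain', 'Private', 'Public')][string[]]$ProfileTypes = @('Domain', 'Private', 'Public')
    )
    # "Both" expands to two rules; "Any" protocol expands to TCP and UDP so ports can be applied
    $dirs   = if ($Direction -eq 'Both') { 'Inbound', 'Outbound' } elseif ($Direction -eq 'In') { 'Inbound' } else { 'Outbound' }
    $protos = if ($Protocol -eq 'Any') { 'TCP', 'UDP' } else { $Protocol }
    # '*' in the article's fields corresponds to 'Any' in the cmdlet's parameters (example convention)
    $toAny = { param($v) if ($v -eq '*') { 'Any' } else { $v } }

    foreach ($d in $dirs) {
        foreach ($p in $protos) {
            # One parameter set (for splatting) per resulting rule
            @{
                DisplayName   = "$Name-$p"          # protocol suffix, as the article describes
                Direction     = $d
                Action        = $Permission
                Protocol      = $p
                RemotePort    = & $toAny $Port
                RemoteAddress = & $toAny $RemoteIP
                Program       = & $toAny $Application
                Profile       = $ProfileTypes
            }
        }
    }
}

# Example definition: block the SQL Server port inbound, for any application and any
# remote address, on every profile. Produces "Block SQL Server port-TCP" and "-UDP".
$ruleSets = ConvertTo-NetFirewallRuleParams -Name 'Block SQL Server port' -Port '1433' `
    -Direction In -Protocol Any -Permission Block

foreach ($params in $ruleSets) {
    # -WhatIf previews the rule; remove it to create the rules (administrator rights required)
    New-NetFirewallRule @params -WhatIf
}
```

Run it with -WhatIf first to see the two rule names and parameters that would be created; the same expansion is what makes a rule name collide if a second definition reuses the base name, which is why the article requires unique names.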
Firewall Predefined Rules - allows you to enable/disable predefined rules based on a list of groups. These firewall groups are mapped to provide network connectivity for Windows programs and services, and the user cannot alter them.
The Show details button allows you to see additional details regarding the predefined rules (that are not present in the grid).
Allowlist Brute Force IP - allows you to add an IP Address that was detected as a Brute Force Attack source but is considered a false positive.