How to Use VMware Carbon Black Cloud Host-Based Firewall

Summary: VMware Carbon Black Host-Based Firewall is used by configuring firewall rules.


Instructions


Affected Products:

  • VMware Carbon Black Cloud Standard
  • VMware Carbon Black Cloud Advanced
  • VMware Carbon Black Cloud Enterprise

Affected Versions:

  • Windows Sensor 3.9 or higher

Affected Operating Systems:

  • Windows

Note: For more information about VMware Carbon Black Cloud versions, reference What are the Differences Between VMware Carbon Black Cloud Versions.

Host-Based Firewall Rules

A firewall rule is composed of an action and an object. Available actions are:

  • Allow: Allows the network traffic
  • Block: Blocks the network traffic
  • Block and Alert: Blocks the network traffic and sends an alert to the Alerts page

Firewall rules are based on evaluation of the following types of objects:

  • Local (client computer)
  • Remote (computer that communicates with the client computer)
  • IP address and subnet ranges
  • Port or port ranges
  • Protocol (TCP, UDP, ICMP)
  • Direction (inbound and outbound)
  • Application, determined by file path

Note: The local host is always the sensor-installed client computer. The remote host is any computer or device with which it communicates. This expression of the host relationship is independent of the direction of traffic.

Firewall rules can be combined into a firewall rule group. A firewall rule group is a logical set of firewall rules with a shared purpose (for example, multiple rules to control access to FTP servers), so that multiple individual rules can be managed as a single group.

Rule groups and rules are defined in policies, and policies are assigned to assets.

Rule Precedence

When creating and applying rules, keep in mind the following order of precedence:

  • Bypass rules take precedence over all other rules. Because of this, Host-based Firewall rules have lower precedence than Bypass rules.
  • Host-based Firewall rules have higher precedence than Permissions rules that are set to Allow or Allow & Log.

Note: A process-level permission Bypass rule bypasses not only the process specified by the rule but also any of its child processes.

Existing sensor conditions can impact the enforcement of rules. For example, the sensor can be in bypass mode or quarantine, or applications can be blocked. Carbon Black Cloud Host-based Firewall maintains the intended action of the rule as specified by the user, although the rule can take a different actual action when it is enforced based on the sensor condition.

For example:

| Sensor Mode | Intended Host-Based Firewall Action | Intended Permission or Blocking and Isolation Rule | Actual Action | Summary |
|---|---|---|---|---|
| Quarantine | Any | Any | Block | Quarantine block rules override Host-based Firewall rules and permission. |
| Bypass | Any | Any | Allow | Because the sensor is in bypass mode, the Host-based Firewall rule is ineffective. |
| Active | Any | Process Level Bypass | Allow | Bypassed processes and their descendants are not blocked by Host-based Firewall rules. |
| Active | Block | Allow, Allow & Log | Block | Host-based Firewall rules take precedence over non-bypass permission rules. |
| Active | Allow | Block | Block | Host-based Firewall allowing a connection does not prevent a Communicates over the Network Blocking and Isolation rule from being enforced. |
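
The precedence table above, combined with the rule objects described earlier, can be modeled offline to predict what a planned rule group will do. This is an added example, not VMware or Dell code; first-match evaluation within the ranked rules, the `*` wildcard, the field names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                       # "Allow", "Block" or "Block and Alert"
    direction: str = "any"            # "inbound", "outbound" or "any"
    protocol: str = "any"             # "TCP", "UDP", "ICMP" or "any"
    remote_net: str = "0.0.0.0/0"     # remote IP address or subnet
    remote_ports: tuple = (0, 65535)  # inclusive port range
    app_path: str = "*"               # application file path; "*" = any (assumed)

    def matches(self, c):
        return (self.direction in ("any", c["direction"])
                and self.protocol in ("any", c["protocol"])
                and ipaddress.ip_address(c["remote_ip"]) in ipaddress.ip_network(self.remote_net)
                and self.remote_ports[0] <= c["remote_port"] <= self.remote_ports[1]
                and self.app_path.lower() in ("*", c["app_path"].lower()))

def intended_action(rules, default, c):
    # Assumption: the first matching rule in ranked order wins, else the default rule.
    for rule in rules:
        if rule.matches(c):
            return rule.action
    return default

def actual_action(sensor_mode, hbfw_action, permission):
    # Encodes the table: sensor condition, then bypass, then firewall, then permissions.
    if sensor_mode == "Quarantine":
        return "Block"
    if sensor_mode == "Bypass" or permission == "Process Level Bypass":
        return "Allow"
    if hbfw_action.startswith("Block") or permission == "Block":
        return "Block"
    return "Allow"

# Constructed rule group: allow FTP to one internal subnet, block and alert elsewhere.
FTP_GROUP = [
    Rule("Allow", "outbound", "TCP", "10.20.0.0/24", (21, 21)),
    Rule("Block and Alert", "outbound", "TCP", "0.0.0.0/0", (21, 21)),
]

def sample_conn(remote_ip, remote_port, app=r"C:\Windows\System32\ftp.exe"):
    return {"direction": "outbound", "protocol": "TCP", "remote_ip": remote_ip,
            "remote_port": remote_port, "app_path": app}

if __name__ == "__main__":
    for c in (sample_conn("10.20.0.5", 21), sample_conn("203.0.113.9", 21)):
        i = intended_action(FTP_GROUP, "Allow", c)
        print(c["remote_ip"], i, actual_action("Active", i, "Allow & Log"))
```

Running the same connections with `sensor_mode` set to `"Bypass"` or `"Quarantine"` shows how a sensor condition changes the actual action while the intended action stays as configured.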

Using Carbon Black Cloud Host-Based Firewall

This section provides a high-level overview of how to create and run firewall rules.

  1. Select a policy to which to add firewall rules.
  2. Set the default rule (Allow all or Block all).
  3. Create a rule group and populate it with firewall rules.
  4. View, create, and modify rule groups and rules as necessary.
  5. Switch Host-based Firewall to Enabled on the Sensor tab.
  6. Test the rules.
     Note: You can only test a rule when its Status is set to Disabled.
  7. Review the rules outcome. Test rule data displays on the Investigate page.
  8. Modify rules as necessary and retest until the rules perform as expected.
  9. Stop testing rules that are verified to perform as expected and set their Status to Enabled.
  10. If you have disabled it during modifications, switch Host-based Firewall to Enabled on the Sensor tab.
  11. View firewall-related events and alerts on the Investigate and Alerts pages, respectively.
  12. Continue to modify rules as necessary.

  • Association of ordered (ranked) rule groups to security policies; rule groups can be reused across security policies.
  • Rules are evaluated in order of user-defined precedence.
  • Ability to test rules before enforcement.
  • Count of behaviors blocked by Host-based Firewall policy.
  • Visibility into security posture of assets through the Alerts and Investigate pages in the Carbon Black Cloud console.

Note: The Carbon Black Cloud Host-based Firewall add-on requires the Windows sensor v3.9 and higher.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

VMware Carbon Black
Article Properties
Article Number: 000214381
Article Type: How To
Last Modified: 31 May 2023
Version: 2