Protecting Your Server from Network Attacks with Intego VirusBarrier Server 3

Protecting Your Server from Network Attacks

In addition to its powerful anti-malware features, VirusBarrier Server 3 protects your server from network attacks with tools that fall into two groups:

These tools protect you against virtually every kind of attack possible, including Trojan horses, ping attacks, and port scans.

Firewall Protection

VirusBarrier Server 3 includes a two-way firewall that filters all data packets entering or leaving your server through the Internet or a local TCP/IP network. It also protects you from Trojan horses by blocking the ports they use.

To view or change Firewall settings, click the Firewall tab.

When you click the Firewall button, VirusBarrier Server 3 presents its Simple mode for controlling Firewall settings. There are five preset firewall settings that cover all the situations that you will encounter in normal use, each accompanied by an animation that graphically shows the effect of applying the setting. The screen closest to you represents your server; the globe represents the Internet; the screen halfway between the two represents the limit of your local network. Here the default setting, No restrictions, shows how your computer can send and receive information without blockage in either direction.

The five firewall settings are:

These five settings are sufficient for most uses, but if you want more granular control over the firewall you need to switch to VirusBarrier Server 3's Advanced mode.

Advanced Mode

VirusBarrier Server 3 also offers an advanced firewall mode you can use to create your own rules to choose exactly which types of traffic you want to allow or block to and from your server. For more on using Advanced Mode, see Creating Custom Firewall Rules.

Trojan Horse Protection

VirusBarrier Server 3 knows how to spot the actions of the most common Trojan horses and stop them in their tracks. Some such programs send information about users' browsing habits to a central server; other Trojan horses open "back doors" in your computer that allow hackers to take control of it or steal files. In addition, VirusBarrier Server 3 recognizes the actions of Windows Trojan horses, so if you are running Windows in virtualization - with a program such as VMware Fusion or Parallels Desktop - and sharing your server's Internet connection in NAT mode, you'll be protected.

To see VirusBarrier Server 3's Trojan Horse controls, click the Trojan tab at the top of the Firewall screen.

To turn on Trojan horse protection, set the Trojan Horse Protection slider to ON, then click the checkboxes of individual Trojans to select them. The Enable All and Disable All buttons at the bottom are handy shortcuts that select or deselect all checkboxes at once.

You can also enable Trojan blocking for an individual Trojan horse, or for all Trojan horses, by right-clicking on the name of a Trojan, and choosing the appropriate command from the contextual menu that displays.

Antivandal Protection

VirusBarrier Server 3's Antivandal watches over data entering your server and filters it, looking for signs of intrusion. This filtering is transparent: the only time you'll see signs of it working is if it detects suspicious data, in which case an alert displays. Otherwise, Antivandal silently monitors your server's network activity at all times.

To go to the Antivandal screen, click the Antivandal tab.

The Antivandal Policy tab controls how data entering your computer is filtered. The Blocked Addresses and Trusted Addresses tabs store specific hosts, or IP addresses, that you deem suspicious or trustworthy.

Antivandal Policy

The Antivandal Policy panel provides tools to prevent six types of intrusions.

Clicking the checkbox next to each of these enables or disables protection for that intrusion type. By default, clicking on the name of any intrusion type shows the notification and action policies for all intrusion types in the mini-pane to the right. You can implement separate policies for each intrusion type by changing a setting in the Antivandal options: See the section "Unifying Policy Options" below for details.

The two settings allow you to determine how long an address should be considered blocked, and whether you should be informed of the action via e-mail. If you've requested e-mail notification, you must configure your e-mail settings to receive any alert notifications by e-mail. In the Policy section, you do that by clicking Options, then clicking the Configure... button. Enter the necessary information for your e-mail account in Mail Settings dialog that displays. (Before it sends an e-mail message, VirusBarrier Server 3 waits for 30 seconds to see whether there are other intrusion attempts and bundles them all together into one message, rather than sending separate e-mail messages for each one.)

While an intrusion type is selected, clicking the Advanced tab in the right-side pane brings up additional options that are specific to that intrusion type. These are:

Options

Click the Options button in the bottom-left corner of the Antivandal Policy screen to adjust additional filtering settings. The options appear in the pane to the right.

The second part of this screen allows you to be notified by e-mail when an attack is detected; see the previous section for more information.

Unifying Policy Options

Each type of intrusion has settings that determine what actions are taken when that type of intrusion is detected.

The Use same policy for all types of protection checkbox unifies all notifications and actions. With this box unchecked, you could, for example, choose to receive an e-mail when a buffer overflow attack is detected, but not when an intrusion attempt occurs. Checking the box tells VirusBarrier Server 3 that you want to get the same sort of response no matter what type of intrusion occurs.

When you activate this option, you'll see a dialog box that asks which settings should become the model that other intrusion types will follow.

Blocked Addresses and Trusted Addresses

The Blocked Addresses list ensures that once an attempted attack or intrusion has been foiled, communication between the attacking machine and your server won't occur for a period of time that you define.

The Trusted Addresses list is the opposite of the Blocked Addresses list: it lists "friendly" computers that are allowed to connect to your server. While the Blocked Addresses list protects you from foes, the Trusted Addresses list opens the door to your friends. VirusBarrier Server 3's Antivandal tool will not block access to computers listed in the Trusted Addresses list, nor will it set off alerts for any actions they carry out. However, computers in the Trusted Addresses list will still be affected by all active Firewall rules.

The interface for the Trusted Addresses window is essentially the same as for the Blocked Addresses window, so we'll examine them both at the same time, pointing out differences as necessary. Here's the Blocked Addresses window.

The panel on the left displays information about the various IP addresses that are currently in the Blocked Addresses list or Trusted Addresses list, if any.

Blocked/Trusted Address Information

Clicking an item in the Blocked/Trusted Address lists shows some additional information on the right side of the panel. Double-clicking the item opens a new window with the same information.

A Note About DNS Lookups

In various places throughout VirusBarrier Server 3's interface you'll see a question mark in a dark circle. Clicking it toggles nearby information from a numerical IP address to its associated domain name and back again.

Be aware that IP addresses do not always have a one-to-one relationship to domain names. For example, a large domain might have www.example.com hosted on one IP address, forums.example.com hosted on another, and blog.example.com hosted on another.

Meanwhile, small domains often share one IP address with others, all hosted as "virtual domains" on a single computer. In such cases a domain lookup gives an IP address that actually leads to the larger, unexpected machine name, for example apache2-vat.market.example.com.

As a result, entering an IP address could block (or allow) traffic from unintended domains, while entering a domain might not block (or allow) all desired traffic. This is the nature of the Internet domain structure, and isn't an error of VirusBarrier Server 3. If you have problems with unexpectedly blocked or permitted traffic, try using a domain name instead of an IP address, or vice-versa.

Adding Addresses

There are two ways to manually add addresses to the Blocked Addresses list or Trusted Addresses list. (VirusBarrier Server 3 can also add addresses automatically to the Blocked Addresses list in response to attacks, as defined by Antivandal policy.)

The first way to add an address to the Blocked Addresses list or Trusted Addresses list is by selecting an IP address in the Log window and choosing Add to Blocked Addresses or Add to Trusted Addresses from the contextual menu. For more on this, see Using VirusBarrier Server 3 Monitoring Tools.

You can also manually add addresses to the Blocked/Trusted Addresses list by clicking the + button at the bottom of the list. A window appears.

Enter an IP address in the Host field, and select the time this address is to remain in the Blocked Addresses list or Trusted Addresses list by entering a number in the Duration field. Then, select a time unit from the popup menu. If you do not know the numerical IP address of the host you wish to add, enter its name and click the ? button. VirusBarrier Server 3 queries your DNS server and enters the correct number in the field. You can also add comments, such as the reason for adding the address, in the Note field. If you decide you do not wish to add this address to the Blocked Addresses list or Trusted Addresses list, click Cancel.

Using Wildcards

You can use wildcards to indicate ranges of IP addresses in the Blocked Addresses list or Trusted Addresses list. To do so, enter the first part of the IP address you wish to block, followed by asterisks, For example, 192.168.1.* will block all IP addresses from 192.168.1.0 to 192.168.1.255 inclusive; 192.168.*.* will block IP addresses from 192.168.[0-255].[0-255]; and so on.

Removing and Moving Addresses

To remove an address from the Blocked Addresses or Trusted Addresses list, click the address you want to remove, then click the - button.

Another way to remove an address is by right-clicking it then selecting Remove... from the resulting contextual menu. From this contextual menu, you can also move an address from the Blocked Addresses list to the Trusted Addresses list, or vice-versa.

Editing an Address

There are three ways to edit an address in the Blocked Addresses or Trusted Addresses list:

The Blocked/Trusted Addresses Editor window appears. You can change the address, add or change comments, or change the amount of time you want the item to remain on the Blocked/Trusted Addresses list.





‹‹ Protecting Your Server from Viruses and Malware Using VirusBarrier Server 3 Monitoring Tools ››