Network security policy defines how the firewall handles unknown network traffic (i.e. traffic which does not match any network security rule). The initial network security policy (i.e. how the firewall behaves immediately after its installation) can be selected in the installation wizard (see chapter 2.3. Installation, Upgrade and Uninstallation).
The following types of network security policy are available in Kerio ServerFirewall:
All unknown traffic is dropped
Any network traffic which is not explicitly allowed by a network security rule is dropped. This policy provides the highest possible security; however, it makes any service unavailable for which no rule permitting its traffic has been defined (by default, all services of the server are unavailable).
This type of security policy is enabled simply by setting the action of the default rule to Drop. If a rule permitting all outgoing traffic is defined, it must be disabled or removed, otherwise the resulting policy is "only outgoing traffic is permitted" rather than "all unknown traffic is dropped".
It is recommended to set this policy when the firewall configuration is completed (i.e. when network security rules are defined for all desirable services). This security policy cannot be set as initial policy during installation of the firewall.
TIP: To define an efficient security policy, monitor blocked traffic to detect desirable traffic and create corresponding rules for it. For details, see chapter 5.5. Recommended Actions.
Only outgoing traffic is permitted (all incoming traffic is dropped)
The firewall permits only traffic initiated by the server itself. All traffic initiated by other hosts is blocked (unless permitted by a network security rule). This policy protects the server from attacks from outside. Services for which the server opens the connection itself (e.g. authentication at the domain, updates of the operating system, etc.) are therefore not blocked, because that traffic is outgoing.
It is recommended to enable this policy during installation (by selecting Secured, see chapter 2.3. Installation, Upgrade and Uninstallation) so that the server is protected immediately, provided that short-term unavailability of the server's services is acceptable. However, this policy cannot protect the server from worms or Trojan horses connecting from the server to the Internet, since such connections are outgoing and are permitted. Therefore, it is recommended to switch to the policy which drops all unknown traffic as soon as all basic network security rules are set.
This policy can be defined as follows:
Add a rule permitting outgoing traffic for any process, any network service and any remote IP address. This rule should always be the last rule in the list (immediately before the default rule): rules are evaluated from the top and the first matching rule decides, so any explicit rule blocking particular outgoing traffic must be placed above it, otherwise it would never be reached.
In the default rule, set the Drop action (all other traffic will be blocked).
All unknown traffic is permitted
The firewall allows any network traffic in any direction (except traffic blocked explicitly by a network security rule). In such a case, the server is not protected (except by detection and blocking of known attacks — refer to chapter 7. Intrusion Prevention).
If even short-term unavailability of the server's services is unacceptable, select this policy during installation (by selecting No filtering, see chapter 2.3. Installation, Upgrade and Uninstallation). For security reasons, switch to a more restrictive policy immediately after the basic network security rules have been created.
This policy is defined simply by setting the Permit action in the default rule.
TIP: To create an efficient network security policy in this case, monitor permitted traffic and create deny rules for the undesirable traffic. For details, see chapter 5.5. Recommended Actions.
Note: It is also possible to permit incoming traffic only. However, this option is meaningless: the server would be fully exposed to attacks from outside, while its own outgoing connections (e.g. authentication at the domain, operating system updates) would be blocked, so some crucial services might be unavailable.
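As an added illustration (not code from the Kerio ServerFirewall manual or product), the following Python script models first-match evaluation of an ordered rule list that ends in a default rule, and shows how each of the three policies described above treats a handful of constructed sample connections, including an outgoing connection of the kind a Trojan horse would make. It also shows why the "permit all outgoing traffic" rule must be the last rule before the default rule. Rule names, ports and IP addresses are assumed examples.

```python
"""First-match evaluation of an ordered rule list with a default rule.

Constructed illustration of the three policies (drop unknown, outgoing only,
permit unknown). Rule names, ports and addresses are assumed, not Kerio's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IN, OUT = "in", "out"          # "in": initiated by a remote host; "out": initiated by the server
PERMIT, DROP = "permit", "drop"


@dataclass(frozen=True)
class Conn:
    direction: str
    proto: str
    port: int
    remote: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    direction: Optional[str] = None   # None means "any" for that criterion
    proto: Optional[str] = None
    port: Optional[int] = None
    remote: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        return all(
            want is None or want == got
            for want, got in (
                (self.direction, c.direction),
                (self.proto, c.proto),
                (self.port, c.port),
                (self.remote, c.remote),
            )
        )


def evaluate(rules: List[Rule], default_action: str, c: Conn) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides.
    Traffic matching no rule is "unknown" and gets the default rule's action."""
    for r in rules:
        if r.matches(c):
            return r.action, r.name
    return default_action, "default"


# Explicit rules for the services the server should offer (assumed examples).
SERVICE_RULES = [
    Rule("Allow HTTPS from anywhere", PERMIT, direction=IN, proto="tcp", port=443),
    Rule("Allow RDP from admin host", PERMIT, direction=IN, proto="tcp", port=3389, remote="192.0.2.10"),
]
PERMIT_ALL_OUT = Rule("Allow all outgoing", PERMIT, direction=OUT)
BLOCK_IRC_OUT = Rule("Block outgoing IRC", DROP, direction=OUT, proto="tcp", port=6667)

# The three policies: same service rules, different tail rule and default action.
POLICIES: Dict[str, Tuple[List[Rule], str]] = {
    "drop_unknown":   (SERVICE_RULES, DROP),
    "outgoing_only":  (SERVICE_RULES + [PERMIT_ALL_OUT], DROP),
    "permit_unknown": (SERVICE_RULES, PERMIT),
}

# Constructed sample connections.
SAMPLE: Dict[str, Conn] = {
    "https_in":     Conn(IN, "tcp", 443, "203.0.113.5"),
    "smb_in":       Conn(IN, "tcp", 445, "203.0.113.5"),
    "rdp_in_admin": Conn(IN, "tcp", 3389, "192.0.2.10"),
    "rdp_in_other": Conn(IN, "tcp", 3389, "203.0.113.5"),
    "kerberos_out": Conn(OUT, "tcp", 88, "192.0.2.1"),       # domain authentication
    "irc_out":      Conn(OUT, "tcp", 6667, "198.51.100.9"),  # e.g. a Trojan phoning home
}


def decide_all(policy: str) -> Dict[str, str]:
    """Action taken for every sample connection under the named policy."""
    rules, default = POLICIES[policy]
    return {name: evaluate(rules, default, c)[0] for name, c in SAMPLE.items()}


def ordering_demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Why 'allow all outgoing' must sit last, just before the default rule:
    placed above an explicit outgoing deny rule it shadows that rule."""
    c = SAMPLE["irc_out"]
    correct = evaluate([BLOCK_IRC_OUT, PERMIT_ALL_OUT], DROP, c)
    shadowed = evaluate([PERMIT_ALL_OUT, BLOCK_IRC_OUT], DROP, c)
    return correct, shadowed


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy)
        for name, action in decide_all(policy).items():
            print(f"  {name:13} {action}")
    print("rule order:", ordering_demo())
```

Running the script shows the trade-off the three policies make: under "drop_unknown" the domain authentication connection is dropped until a rule for it exists, under "outgoing_only" it is permitted but so is the Trojan's outgoing connection, and under "permit_unknown" even inbound SMB from an arbitrary host gets through. The ordering demo shows that the same deny rule for outgoing IRC is effective only when it precedes the "allow all outgoing" rule.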