Host-based Firewall is an essential element of asset protection. The Carbon Black Cloud Host-based Firewall feature provides centralized management of asset firewall policies.

Note: The Carbon Black Cloud Host-based Firewall feature requires the Windows sensor v3.9+ and is only available with Carbon Black Cloud Endpoint Standard or higher, or Carbon Black Cloud Workload Advanced or higher.

Carbon Black Cloud delivers a Host-based Firewall solution that addresses the protection of an asset based on rules that govern network and application behavior. These rules take specified actions based on observed behavior. Multiple rules can form a policy, and these policies are applied to assets.

Carbon Black Cloud Host-based Firewall provides the following centralized management features:

  • Consolidated view to manage firewall rules across assets through the Carbon Black Cloud console.
  • Association of ordered (ranked) rule groups to security policies; rule groups can be reused across security policies.
  • Rules are evaluated in order of user-defined precedence.
  • Ability to test rules before enforcement.
  • Count of behaviors blocked by Host-based Firewall policy.
  • Ability to enforce rules based on asset location.
  • Visibility into security posture of assets through the Alerts and Investigate pages in the Carbon Black Cloud console.

How Carbon Black Cloud Host-based Firewall Works

A firewall rule is composed of an action and an object. Available actions are:

  • Allow: Allows the network traffic
  • Block: Blocks the network traffic
  • Block and Alert: Blocks the network traffic and sends an alert to the Alerts page

Firewall rules are based on evaluation of the following types of objects:

  • Local (client computer) and remote (computer that communicates with the client computer)
    Note: The local host is always the local client computer and the remote host is always a remote computer that is positioned elsewhere on the network. This expression of the host relationship is independent of the direction of traffic.
  • IP address and subnet ranges
  • Port or port ranges
  • Protocol (TCP, UDP, ICMP)
  • Direction (inbound and outbound)
  • Application, determined by file path
  • Profile (Public, Private, or Domain)

A firewall rule group is a logical set of firewall rules. A rule group simplifies management by collecting multiple individual rules that share a purpose into a single group (for example, multiple rules to control access to FTP servers).

Rule groups and rules are defined in policies, and policies are assigned to assets.

Rule Precedence

When creating and applying rules, keep in mind the following order of precedence:

  • Bypass rules take precedence over all other rules; therefore, Host-based Firewall rules have lower precedence than Bypass rules.
  • Host-based Firewall rules have higher precedence than Permissions rules that are set to Allow or Allow & Log.
Important: A process-level permission Bypass rule bypasses not only the process specified by the rule but also all of its descendants.

Existing sensor conditions can impact the enforcement of rules. For example, the sensor can be in bypass mode or quarantine, or applications can be blocked. Carbon Black Cloud Host-based Firewall maintains the intended action of the rule as specified by the user, although the rule can take a different actual action when it is enforced based on the sensor condition.

For example:

| Sensor Mode | Intended Host-based Firewall Action | Intended Permission or Blocking and Isolation Rule | Actual Action | Summary |
|---|---|---|---|---|
| Quarantine | Any | Any | Block | Quarantine block rules override Host-based Firewall rules and permission. |
| Bypass | Any | Any | Allow | Because the sensor is in bypass mode, the Host-based Firewall rule is ineffective. |
| Active | Any | Process Level Bypass | Allow | Bypassed processes and their descendants are not blocked by Host-based Firewall rules. |
| Active | Block | Allow, Allow & Log | Block | Host-based Firewall rules take precedence over non-bypass permission rules. |
| Active | Allow | Block | Block | Host-based Firewall allowing a connection does not prevent a Communicates over the Network Blocking and Isolation rule from being enforced. |
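
The ordered rule evaluation and the sensor-condition overrides from the table above, as a simplified Python model for reasoning about a policy before testing it. This is an added example, not Carbon Black code: the names `Rule`, `Conn`, `firewall_action` and `actual_action` are hypothetical, and the sample rule group is constructed. Assumptions: the first matching rule wins, ports are matched on the remote side only, and combinations the table does not list are resolved the obvious way.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                 # "Allow", "Block" or "Block and Alert"
    remote: str = "0.0.0.0/0"   # remote IP address or subnet
    ports: tuple = (0, 65535)   # remote port range, inclusive (assumption: remote side only)
    protocol: str = "*"         # "TCP", "UDP", "ICMP" or "*" for any
    direction: str = "*"        # "inbound", "outbound" or "*"
    app: str = "*"              # application file path or "*"

@dataclass
class Conn:
    remote_ip: str
    port: int
    protocol: str
    direction: str
    app: str

def matches(rule, conn):
    return (ipaddress.ip_address(conn.remote_ip) in ipaddress.ip_network(rule.remote)
            and rule.ports[0] <= conn.port <= rule.ports[1]
            and rule.protocol in ("*", conn.protocol)
            and rule.direction in ("*", conn.direction)
            and rule.app in ("*", conn.app))

def firewall_action(rule_groups, default, conn):
    # Walk groups by rank, then rules by rank; first match wins (assumption).
    for group in rule_groups:
        for rule in group:
            if matches(rule, conn):
                return rule.action
    return default              # the policy's default rule: Allow all or Block all

def actual_action(sensor_mode, fw_action, permission=None):
    # Overrides applied in the order the precedence table lists them.
    if sensor_mode == "Quarantine":
        return "Block"
    if sensor_mode == "Bypass" or permission == "Process Level Bypass":
        return "Allow"
    if fw_action.startswith("Block") or permission == "Block":
        return "Block"
    return "Allow"

# Constructed sample policy: one rule group controlling access to FTP servers.
FTP_GROUP = [
    Rule("Allow", remote="10.0.5.0/24", ports=(21, 21), protocol="TCP", direction="outbound"),
    Rule("Block and Alert", ports=(21, 21), protocol="TCP", direction="outbound"),
]
```

Swapping the two rules in `FTP_GROUP` makes the broad block match first and shadows the allow rule, which is the kind of ordering mistake that testing rules before enforcement is meant to catch.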

Using Carbon Black Cloud Host-based Firewall

This section provides a high-level overview of how to create and run firewall rules. Subsequent topics describe these actions in detail.

  1. Select a policy to which to add firewall rules.
  2. Set the default rule (Allow all or Block all).
  3. Create a rule group and populate it with firewall rules.
  4. View, create, and modify rule groups and rules as necessary.
  5. Toggle Host-based Firewall to Enabled on the Sensor tab.
  6. Test the rules.
    Note: You can only test a rule when its Status is set to Disabled.
  7. Review the rule outcomes. Test rule data is displayed on the Investigate page.
  8. Modify rules as necessary and retest until the rules perform as expected.
  9. Stop testing rules that are verified to perform as expected and set their Status to Enabled.
  10. If you have disabled it during modifications, toggle Host-based Firewall to Enabled on the Sensor tab.
  11. View firewall-related events and alerts on the Investigate and Alerts pages, respectively.
  12. Continue to modify rules as necessary.