About the CPM Firewall and Policies

The CPM firewall is optionally available with the Trend Micro Core Protection Module and allows you to enable client-level firewall protection. It is policy-based and provides bi-directional port control to all or selected endpoints. You can also apply policies selectively and automatically in real time, according to the user’s current IP address. For example, you can have one policy for in-office network connections and another for unsecured connections such as in an airport. The appropriate policy will automatically be applied as the end user changes location.

The firewall configuration is not available from the BigFix Console by default; you need to add the firewall site before the Wizard will appear in the Core Protection Module site folder. Firewall policies are automatically enabled and active when you deploy them to the endpoints. There are no installation steps required.

Several examples of the firewall's versatility are worth pointing out. Procedures for each appear later in this chapter:

  • Uniform security: You can create a policy, apply it to all your endpoints, enable one or more of the global exceptions, and then deploy the policy to all your endpoints in just a few minutes.

  • Targeted security: You can create multiple policies, each with a different set of ports enabled, and then use different Tasks to selectively target the different policies to different endpoints.

  • Smart (flexible) security: You can create two policies, each with different rules, and create two Tasks, each of which deploys one of the policies to the same endpoints. By attaching a different Location Property to each Task prior to deployment, the targeted endpoints will receive both policies. Whenever conditions on an endpoint change to those set for one of the Locations, the policy in effect for that endpoint will also change. In this way, you can create different policies for the same computer, and they will automatically adapt to different conditions.