Design principles for security levels
The basic principles of design behind security levels are described here.
Each security level has a set of pre-configured firewall rules. In addition, you can create new rules for all
security levels for which the Filtering mode Normal is displayed in the Firewall security levels table.
The rules in the Firewall security levels table are read from top to bottom.
When you create new security levels, you should consider the following main principle for defining the firewall
rules associated with them:
• Allow only the needed services, and deny all the rest. This minimizes the security risk. The drawback is
that when new services are needed, the firewall must be reconfigured. This, however, is a small price to
pay for increased security.
The opposite concept - to deny dangerous services and allow the rest - is not acceptable, because no one
can tell with certainty which services are dangerous or might become dangerous in the future when a new
security problem is discovered.
A good security level would look something like this:
1. Deny rules for the most dangerous services or hosts, optionally with alerting.
2. Allow rules for much-used common services and hosts.
3. Deny rules for specific services you want alerts about (e.g. trojan probes) with alerting.
4. More general allow rules.
5. Deny everything else.
F-Secure Client Security | Configuring Internet Shield | 89
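The top-to-bottom reading and the five-tier layout above, shown as an added example that is not taken from the F-Secure manual or product: a first-match evaluator plus a small audit for a missing final deny-all and for rules that can never be reached. The rule format, ports and addresses are constructed for illustration.

```python
# Added example: first-match evaluation of a security level laid out in the
# five tiers above. All rules, ports and addresses are constructed samples.
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    ports: range           # remote port range
    net: str               # remote network in CIDR form
    alert: bool = False

ANY_PORT, ANY_NET = range(0, 65536), "0.0.0.0/0"

LEVEL = [
    Rule("deny",  "any", ANY_PORT,            "203.0.113.0/24", True),  # 1. most dangerous hosts
    Rule("allow", "tcp", range(443, 444),     ANY_NET),                 # 2. common services
    Rule("allow", "udp", range(53, 54),       "192.0.2.53/32"),
    Rule("deny",  "tcp", range(31337, 31338), ANY_NET, True),           # 3. deny with alert
    Rule("allow", "tcp", range(1024, 65536),  "192.0.2.0/24"),          # 4. more general allow
    Rule("deny",  "any", ANY_PORT,            ANY_NET),                 # 5. deny everything else
]

def matches(rule, proto, port, addr):
    return (rule.proto in ("any", proto) and port in rule.ports
            and ip_address(addr) in ip_network(rule.net))

def evaluate(rules, proto, port, addr):
    """Rules are read top to bottom; the first match decides."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, port, addr):
            return rule.action, rule.alert, index
    return "deny", False, None  # this example fails closed if no rule matches

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (a.proto in ("any", b.proto)
            and a.ports.start <= b.ports.start and b.ports.stop <= a.ports.stop
            and ip_network(b.net).subnet_of(ip_network(a.net)))

def audit(rules):
    """Report a missing final deny-all and rules that can never be reached."""
    findings = []
    if not rules or rules[-1][:4] != ("deny", "any", ANY_PORT, ANY_NET):
        findings.append("last rule is not deny-all")
    for i, later in enumerate(rules):
        if any(covers(earlier, later) for earlier in rules[:i]):
            findings.append(f"rule {i} is shadowed by an earlier rule")
    return findings
```

The audit only reports rules that are fully covered by an earlier rule; a partial overlap, such as the tier 3 deny placed below the tier 4 allow, changes the verdict for some traffic without making any rule unreachable, so the order still has to be reviewed by hand.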