How to block all Wireless traffic when an Ethernet interface is active using Symantec Endpoint Protection

Article:TECH104970  |  Created: 2008-01-21  |  Updated: 2014-04-01  |  Article URL http://www.symantec.com/docs/TECH104970
Article Type
Technical Solution


Issue

How to block all Wireless traffic while an Ethernet interface is connected using the Symantec Endpoint Protection 11.0 / 12.1 agent.
Solution

There are two ways to accomplish this goal:

  1. Using a "Firewall rule" to block the wireless traffic.
  2. Using a "Device blocking rule" to disable the wireless interface entirely.

Locations for "Ethernet" and "Wireless" need to be set up for either method. See below for instructions on setting up the "Ethernet" and "Wireless" locations, followed by instructions for blocking the wireless traffic while an Ethernet interface is connected using Symantec Endpoint Protection 11.0 / 12.1.
  • Setting up automatic location switching
    1. Select Clients > Policies in the Symantec Endpoint Protection Manager console.
    2. Under "Tasks", select Add Locations.
    3. In "Specify Location Name" type: Ethernet
    4. Click Next.
    5. Under "Specify the Condition", select Network Connection Type.
    6. Under "Connection Type" select Ethernet.
    7. Click Next > Finish.
    8. Under "Tasks", select Add Locations.
    9. In "Specify Location Name" type: Wireless
    10. Click Next.
    11. Under "Specify the Condition", select Network Connection Type.
    12. Under "Connection Type" select Wireless.
    13. Click Next > Finish.
    14. Select Manage Locations.
    15. Select to highlight Wireless.
    16. Under "Switch to this location when:" select Client computer uses Wireless.
    17. Click Add.
    18. Select Add Criteria with AND Relationship.
    19. Under "Specify Location Criteria", select Network Connection Type.
    20. Select If the client computer does not use the network connection type specified below.
    21. Select Ethernet.
    22. Click OK > OK.
      Note: Because of the second criterion in the "Wireless" location, the agent will switch away from this location as soon as an Ethernet cable is attached.
  • Block Wireless traffic using a Firewall rule
    1. Select Clients > Policies in the Symantec Endpoint Protection Manager console.
    2. Under "View Policies", select Firewall.
    3. Double-click the Firewall Policy for the "Ethernet" location.
    4. Select Rules on the left.
    5. Click the "Add a new Blank Rule." button on the lower right side of the window.
    6. Select the Blank Rule made in the previous step and move it to the top of the rule list.
    7. Double-click Action and select Block.
    8. Double-click Adapter and select Wireless.
    9. Leave "Application", "Host", "Service" and "Time" as Any.
    10. Click OK. The rule is now in place.

      Note: When using this method some initial packets (like DHCP) can still be sent over the Wireless interface while the agent is in the Ethernet location.
  • Block Wireless traffic using a Device Blocking rule
    This method is slightly more complicated, as it requires finding the hardware device ID string for the specific wireless adapters that you want to block. The ID for a hardware device can be found either manually in the Windows registry, or automatically using the "DevViewer.exe" tool supplied on the Symantec Endpoint Protection 11.0 / 12.1 CD.

    To find a device ID in the Windows registry:
      1. Open regedit.exe and navigate to the key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class
      2. Open the sub-key:
        {4D36E972-E325-11CE-BFC1-08002bE10318}
      3. The 0000, 0001, etc. sub-keys under this key correspond to the various networking components. Locate the one that matches the wireless network card you want to block; the DriverDesc value in each sub-key is the best clue.
      4. Copy the "ComponentId" string value to the clipboard.

    To find a device ID using DevViewer:
      1. Run "DevViewer.exe" from the Tools\NoSupport\DevViewer folder on the "Symantec Endpoint Protection 11.0 / 12.1 Additional Tools" CD (CD2).
      2. Locate and select the hardware device that needs to be blocked in the "Device Tree."
      3. Right-click and select Copy Device ID.

    Once the "Device ID" string has been found:

      The "Device ID" string will have a format similar to the following:
      PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_03\1&F31B64E&0&21BC

      Wildcards can be used in the Device ID, and it is recommended to shorten the string enough to match all hardware of the same model, as in the example below, which drops the revision and the instance-specific suffix.
      For example: PCI\VEN_8086&DEV_4220&SUBSYS_27128086*
      1. Open the Symantec Endpoint Protection Manager console and navigate to the "Policies" tab.
      2. Expand the Policy Components list and select Hardware Devices.
      3. Select Add Hardware Device, enter a name, and paste the Device ID string for the wireless adapter into the "Device ID" field (do not enter it as a "Class ID").
      4. Go to Clients > Policies in the console.
      5. Create a new (or edit the existing) "Application and Device Control Policy" for the Ethernet location.
      6. Select Device Control and add the newly created Hardware Device to the "Blocked Devices" list.
      Note: Hardware devices can be identified and blocked by either "Class/GUID" or "Device ID." The "Class/GUID" option cannot be used in this case as it would typically be the same for all network adapters.
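As an added example (not from the article and not one of Symantec's tools), the following Python script parses Device ID strings in the format shown above, derives the model-level wildcard the article recommends, and reports which adapters a candidate pattern would block, so an over-broad pattern that would also hit the Ethernet NIC in the "Ethernet" location is caught before the policy is deployed. It accepts both the full DevViewer form and the shorter registry ComponentId form; the sample Device IDs other than the article's own example are constructed.

```python
import fnmatch
import re

# Constructed sample Device IDs in the article's format. "wifi_laptop_a" is the
# article's own example; the other two are made up for illustration.
SAMPLE_DEVICE_IDS = {
    "wifi_laptop_a": r"PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_03\1&F31B64E&0&21BC",
    "wifi_laptop_b": r"PCI\VEN_8086&DEV_4220&SUBSYS_27128086&REV_05\4&2A1C9D0E&0&00E1",
    "ethernet_nic":  r"PCI\VEN_8086&DEV_1049&SUBSYS_20B617AA&REV_03\3&11583659&0&C8",
}

# bus\VEN_xxxx&DEV_xxxx[&SUBSYS_xxxxxxxx][&REV_xx][\instance-path]
_ID_RE = re.compile(
    r"^(?P<bus>[A-Z]+)\\VEN_(?P<ven>[0-9A-F]{4})&DEV_(?P<dev>[0-9A-F]{4})"
    r"(?:&SUBSYS_(?P<subsys>[0-9A-F]{8}))?(?:&REV_(?P<rev>[0-9A-F]{2}))?"
    r"(?:\\(?P<instance>.+))?$",
    re.IGNORECASE,
)


def parse_device_id(device_id):
    """Split a PnP Device ID (full form or registry ComponentId form) into its
    fields, upper-cased; raises ValueError if the string is not a Device ID."""
    m = _ID_RE.match(device_id.strip())
    if not m:
        raise ValueError("unrecognised Device ID: %r" % device_id)
    return {k: (v.upper() if v else None) for k, v in m.groupdict().items()}


def model_wildcard(device_id):
    """Shorten a Device ID to the model-level pattern the article recommends:
    keep bus, vendor, device and subsystem; drop revision and instance path."""
    f = parse_device_id(device_id)
    pattern = "%s\\VEN_%s&DEV_%s" % (f["bus"], f["ven"], f["dev"])
    if f["subsys"]:
        pattern += "&SUBSYS_%s" % f["subsys"]
    return pattern + "*"


def matches(pattern, device_id):
    """Case-insensitive wildcard comparison of a pattern against a Device ID."""
    return fnmatch.fnmatchcase(device_id.upper(), pattern.upper())


def check_pattern(pattern, ids=SAMPLE_DEVICE_IDS):
    """Return the names of every sample adapter the pattern would block.
    A result that includes the Ethernet NIC means the pattern is too broad."""
    return sorted(name for name, dev in ids.items() if matches(pattern, dev))


if __name__ == "__main__":
    wildcard = model_wildcard(SAMPLE_DEVICE_IDS["wifi_laptop_a"])
    print("recommended pattern:", wildcard, "blocks", check_pattern(wildcard))
    print("vendor-only pattern blocks", check_pattern(r"PCI\VEN_8086*"))
```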

Legacy ID

2008052110185348