Security recommendations regarding SEP client installed on server located in DMZ

Article:TECH122858  |  Created: 2010-01-29  |  Updated: 2010-01-09  |  Article URL http://www.symantec.com/docs/TECH122858
Article Type
Technical Solution


Environment

Issue



You need security recommendations for installing the SEP client on a server located in a DMZ.


Solution



When configuring a firewall between a SEP client in the DMZ and the SEPM on the internal LAN, open only one of the two management ports on the firewall: either HTTP (8014, or 80 on older versions) or HTTPS (443). This meets common security standards by limiting open ports to the necessary minimum. Keeping the number of open ports small also lets the firewall administrator monitor the communication and create application-level rules that grant only the SEP processes the right to use the open port.
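The following added example (not Symantec's own tooling, and not code from the original article) shows how an administrator might verify, from the DMZ server side, that the firewall really exposes only one of the SEPM ports named above. It probes a list of TCP ports on an assumed SEPM host and classifies the result against the "exactly one of HTTP or HTTPS" rule; the host name, the timeout and the dummy-listener helpers used for offline testing are assumptions made for this example.

```python
"""Audit which SEPM management ports a DMZ host can reach.

Added example, not part of the Symantec article. It assumes the SEPM
host name is known to the caller and uses the ports named in the
article: HTTP 8014 (80 on older SEP versions) and HTTPS 443.
"""
import socket
import threading

# Ports the article names for SEPM <-> client communication.
SEP_HTTP_PORTS = (8014, 80)
SEP_HTTPS_PORT = 443
SEP_PORTS = SEP_HTTP_PORTS + (SEP_HTTPS_PORT,)


def probe_ports(host, ports, timeout=1.0):
    """Return the subset of `ports` that accept a TCP connection on `host`.

    A refused or timed-out connection is treated as "not reachable"; the
    probe does not speak HTTP, it only checks the firewall path.
    """
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:
            pass
    return reachable


def evaluate_exposure(reachable, http_ports=SEP_HTTP_PORTS,
                      https_port=SEP_HTTPS_PORT):
    """Classify a set of reachable ports against the article's rule.

    Exactly one management path should be open: either HTTP (8014 or 80)
    or HTTPS (443). Returns one of:
      "none"      - SEPM unreachable on any management port
      "both"      - HTTP and HTTPS both exposed; close one of them
      "both-http" - 8014 and legacy 80 both exposed; close the unused one
      "ok"        - exactly one path exposed
    """
    http_open = [p for p in reachable if p in http_ports]
    https_open = https_port in reachable
    if not http_open and not https_open:
        return "none"
    if http_open and https_open:
        return "both"
    if len(http_open) > 1:
        return "both-http"
    return "ok"


def audit_sepm_path(host, timeout=1.0):
    """Probe the SEPM ports on `host` and return (reachable_ports, verdict)."""
    reachable = probe_ports(host, SEP_PORTS, timeout)
    return reachable, evaluate_exposure(reachable)


# --- helpers for running the example offline (assumed, test-only) ---

def start_dummy_listener():
    """Open a throwaway TCP listener on an ephemeral localhost port.

    Returns (server_socket, port); close the socket to stop the listener.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick a localhost port that nothing is currently listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Replace "sepm.example.internal" with the real SEPM host name (assumed value).
    ports, verdict = audit_sepm_path("sepm.example.internal")
    print("reachable SEPM ports:", ports, "verdict:", verdict)
```

Run it from the DMZ server rather than from the LAN: the point is to see the firewall's view of the SEPM, so a verdict of "both" or "both-http" is a firewall rule to tighten, and "none" means the client cannot be managed over this path at all and one of the DMZ-local scenarios below should be considered instead.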

In high-security environments where communication between servers in the DMZ and the internal LAN is not allowed, consider the following scenarios:

- Installing unmanaged SEP clients on the DMZ servers, updating virus definitions directly from the Internet
- Installing unmanaged SEP clients on the DMZ servers, updating virus definitions with the Intelligent Updater file
- Installing a dedicated instance of LiveUpdate Administrator in the DMZ, supplying virus definitions only to the DMZ servers
- Installing a dedicated instance of SEPM in the DMZ, supplying virus definitions only to the DMZ servers

The last solution is the most secure, but it also requires the most investment in administration effort and system resources. We recommend evaluating the security level your business needs require and selecting and implementing the solution that meets those needs.



Technical Information
With the SEP product, Symantec established a new standard of performance and security for communication between SEPM and SEP clients by transferring packets through the IIS ports HTTP 8014 (HTTP 80 in older SEP versions) and HTTPS 443. Depending on your security requirements you can select the appropriate protocol, HTTP or HTTPS, to protect the communication against external attacks. The IIS application server provides scalable functionality to meet potential security and performance needs.




Legacy ID



2010013007471148



