Symantec Endpoint Protection Manager - Firewall - Policies explained

Article:TECH104433  |  Created: 2008-01-20  |  Updated: 2010-11-30  |  Article URL http://www.symantec.com/docs/TECH181701
Article Type
Technical Solution


Issue



You need more details about the options in the Firewall policies of the Symantec Endpoint Protection Manager (SEPM).

 


Solution



Rules: Rules
 

      Use this tab to work with firewall rules. You can add, edit, delete, copy, paste, import, export, inherit, and change the order of firewall rules.

      Table: Rules tab

      Maximize Window and Restore Window
        To view the Rules list, you can change the size of the window in one of the following ways:

        • Maximize Window

          Expands the window to the size of your screen.

        • Restore Window

          Resizes the window to the width, height, and location of the window before you maximized it.

      Inherit Firewall Rules from Parent Group
        Inherits only the rules from a parent group's Firewall Policy. You cannot inherit rules from a policy in a location that inherits all its policies from a parent group.

      Rules list
        Displays the firewall rules. You can add, edit, delete, and move rules in this list.

        The list contains a blue dividing line. Rules that appear above the dividing line have higher priority than those that appear under the line. You can use the line to separate the rules that are inherited from a parent group from those that have been implemented at the subgroup level. The dividing line also lets you set up the priority of rules for clients in mixed control. Rules above the line take precedence over the rules that the user creates on the client. The rules and the security settings that the users apply to their clients are merged with the rules that the console deploys to the client.

        Shaded rows and cells in the Rules list display the following colors:

        • Inherited rules are shaded in purple.
        • Disabled rules are shaded in gray.
        • Selected rules are shaded in orange and selected table cells are shaded in green.

        See Table: Rules list columns.

      Add Rule
        Adds a rule by using a wizard that allows an application, a host, or a network service.

      Add Blank Rule
        Adds a blank rule to the Rules list. The firewall ignores the settings in a blank rule.

      Move Up/Move Down
        Moves the rule up one row or down one row. Rules are processed in the order that they appear in the table.

      Enable this policy
        Enables or disables the policy. Firewall Policies are enabled by default. However, you can set up and assign the policy first and enable it later.


      The Rules list displays the default firewall rules, the inherited rules, and the rules that you create. The firewall rules are listed and enforced in the order that they are numbered.

      Table: Rules list columns

      No
        Displays the order in which the firewall processes the rules. You can reorder rules to change priorities.

      Enabled
        Enables the rule. If unchecked, the firewall ignores the rule.

      Name
        Displays the name of the rule.

      Severity
        Assigns one of the following levels of importance to the event:

        • Critical
        • Major
        • Minor
        • Information

        The Security Log displays the severity.

      Application
        Specifies the applications that trigger the rule.

        If the application is detected, the rule takes effect. You can specify an application in the following ways:

        • Define an application by filename, path, size, date modified, or file fingerprint.
        • Search from a list of applications that are uploaded from each client.

      Host
        Specifies the hosts that trigger the rule.

        You can identify the specific DNS domain, DNS host, IP address, IP address range, MAC address, or subnet for the computers.

      Time
        The time period during which the rule is active or inactive. You can set up a schedule to include or exclude a time period during which the rule is active.

      Service
        Specifies the services that trigger the rule.

        Typically, specific types of services occur on specific ports. For example, Web traffic (HTTP and HTTPS) generally occurs on ports 80 and 443. The Service list enables you to group multiple ports together.

        You can select a service from the list, or you can define additional services. You can add any of the following ports and protocols:

        • TCP
        • UDP
        • ICMP
        • IP
        • Ethernet

        You can apply the rule to inbound network traffic, outbound network traffic, or network traffic in both directions.

      Adapter
        Specifies the adapters that trigger the rule. You can select one or more of the following adapters:

        • All Adapters
        • Any VPN
        • Dial-up
        • Ethernet
        • Wireless
        • More Adapters

          Enables you to choose from a list of vendor-specific adapters or custom adapters that you add.

      Screen Saver
        Specifies which of the following states of the screen saver affects the rule:

        • On
        • Off
        • Any

          The state of the screen saver does not affect the rule.

      Action
        Specifies what happens to traffic that matches the rule conditions:

        • Allow

          Allows any communication of this type to take place.

        • Block

          Prevents any communication of this type from taking place.

        • Ask

          Asks the user to allow or block the traffic.

      Logging
        Specifies whether the management server creates a log entry or sends an email message when a traffic event matches the criteria that are set for this rule.

        You can select one or more of the following log options:

        • Write to Traffic Log
        • Write to Packet Log
        • Send Email Alert

        To send email messages, you must configure a client security alert to appear for any firewall activity on the Notifications tab of the Monitors page.

      Created At
        Specifies whether the policy was created as a shared policy or a non-shared policy for an individual location.

        The column displays one of the following fields:

        • Shared

          A shared policy.

        • Group name, such as Sales

          A non-shared policy.

        This column is informational only.

      Description
        Provides additional information for the rule, such as how it works.

        Use a description to distinguish between similar rules.
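      The Rules tab and the Rules list columns above describe an ordered, first-match rule set: a packet is compared against the enabled rules from top to bottom, each rule's conditions (application, host, service, direction) must all match, and the first match decides Allow, Block, or Ask. The example below is an added simulation of that evaluation, not Symantec client code. It models the dividing line by placing the console's rules above the line ahead of rules the user created on the client, and the console's rules below the line after them, which is the precedence the Rules list description gives; rule names, hosts, ports, and the no-match behaviour (returning None) are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Rule:
    """One row of the Rules list (subset of columns; constructed sample model)."""
    name: str
    action: str                                 # "Allow", "Block" or "Ask"
    enabled: bool = True                        # unchecked rules are ignored
    direction: str = "Both"                     # "Inbound", "Outbound" or "Both"
    protocol: Optional[str] = None              # "TCP", "UDP", "ICMP"; None = any
    remote_ports: FrozenSet[int] = frozenset()  # empty = any port
    hosts: Tuple[str, ...] = ()                 # CIDR strings; empty = any host
    application: Optional[str] = None           # executable name; None = any


@dataclass
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    remote_port: int
    application: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every condition the rule sets must match; unset conditions are wildcards."""
    if not rule.enabled:
        return False
    if rule.direction != "Both" and rule.direction != pkt.direction:
        return False
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.remote_ports and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.hosts and not any(ip_address(pkt.remote_ip) in ip_network(h) for h in rule.hosts):
        return False
    if rule.application and rule.application.lower() != pkt.application.lower():
        return False
    return True


def merge_rules(above_line: List[Rule], client_rules: List[Rule], below_line: List[Rule]) -> List[Rule]:
    """Order evaluated on a client in mixed control: console rules above the
    blue line, then rules the user created on the client, then console rules
    below the line (so the line sets their priority relative to user rules)."""
    return [*above_line, *client_rules, *below_line]


def evaluate(rules: List[Rule], pkt: Packet):
    """First-match evaluation. Returns (action, rule name), or None when no
    rule matches (what happens then is left to the policy's own last rule)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return None


def move_up(rules: List[Rule], name: str) -> List[Rule]:
    """Move Up: swap the named rule with the row above it (no-op at the top)."""
    idx = next(i for i, r in enumerate(rules) if r.name == name)
    if idx > 0:
        rules[idx - 1], rules[idx] = rules[idx], rules[idx - 1]
    return rules


# Constructed sample policy.
ABOVE_LINE = [
    Rule("Allow DNS", "Allow", direction="Outbound", protocol="UDP", remote_ports=frozenset({53})),
    Rule("Block Telnet", "Block", enabled=False, protocol="TCP", remote_ports=frozenset({23})),
    Rule("Allow internal file shares", "Allow", protocol="TCP",
         remote_ports=frozenset({445}), hosts=("10.0.0.0/8",)),
]
CLIENT_RULES = [Rule("User: allow game.exe", "Allow", application="game.exe")]
BELOW_LINE = [Rule("Block all other traffic", "Block")]
MERGED = merge_rules(ABOVE_LINE, CLIENT_RULES, BELOW_LINE)


def demo():
    """Evaluate a few constructed packets against the merged rule order."""
    pkts = {
        "dns": Packet("Outbound", "UDP", "10.0.0.2", 53, "svchost.exe"),
        "telnet_game": Packet("Outbound", "TCP", "203.0.113.9", 23, "game.exe"),
        "telnet_other": Packet("Outbound", "TCP", "203.0.113.9", 23, "putty.exe"),
        "smb_internal": Packet("Outbound", "TCP", "10.1.2.3", 445, "explorer.exe"),
        "smb_external": Packet("Outbound", "TCP", "203.0.113.9", 445, "explorer.exe"),
    }
    return {label: evaluate(MERGED, p) for label, p in pkts.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:13s} -> {decision}")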





Rules: Notifications
 

      You can enable or disable the notifications that appear on the client when a firewall rule blocks an application or service on the client computer. You can customize the text for this type of notification as well as notifications that appear on the client computer when the following events occur:
      • Applications on the client try to access the network.
      • Applications that normally access the network are upgraded.
      • The client software is updated.

      Table: Notifications tab options

      Display notification on the computer when the client blocks an application
        Displays a standard message on the client when the client blocks an application.

        You specify which applications to block on the Rules tab.

      Additional text to display if the action for a firewall rule is 'Ask'
        Displays a standard message on the client every time an application asks the user whether to access the network. You cannot enable or disable these messages; you can only add custom text to the standard text.

      Set Additional Text
        Adds customized text to the bottom of the standard message.





Smart Traffic Filtering
 

      Smart traffic filters allow DNS, DHCP, and WINS traffic on a network.

      Table: Smart traffic filters

      Enable Smart DHCP
        Allows only the outbound DHCP requests and inbound DHCP replies. Smart DHCP also allows DHCP renew.

        If you disable this setting, to use DHCP you must create a firewall rule that allows UDP traffic on remote ports 67 (bootps) and 68 (bootpc).

        The Dynamic Host Configuration Protocol (DHCP) is a protocol that assigns a dynamic IP address to a computer on a network. Dynamic addresses enable a computer to have a different IP address every time it connects to a corporate network. DHCP supports both static IP addresses and dynamic IP addresses. Dynamic addresses simplify network administration because the software keeps track of IP addresses. Otherwise, the administrator must manually assign a unique IP address every time a computer is added to a corporate network. If a client moves from one subnet to another, DHCP can make the appropriate adjustments to the client's IP configuration.

        This option is enabled by default.

      Enable Smart DNS
        Allows the outbound DNS requests to and the corresponding inbound replies from assigned DNS servers only.

        If a computer sends out a DNS request and the response comes back within five seconds, the communication is allowed. All other DNS packets are dropped.

        If you disable this setting, you must create a firewall rule that allows UDP traffic for remote port 53 (domain) to use DNS.

        This option is enabled by default.

      Enable Smart WINS
        Allows the outbound WINS requests to and the corresponding inbound replies from assigned WINS servers only.

        If a computer sends out a WINS request and the response comes back within five seconds, the communication is allowed. All other WINS packets are dropped.

        If you disable this setting, to use WINS you must create a firewall rule that allows UDP packets on remote port 137.

        WINS provides a distributed database that registers and queries dynamic mappings of NetBIOS names for the computers and the groups that a network uses. WINS maps the NetBIOS names to the IP addresses. WINS is used for NetBIOS name resolution in the routed networks that use NetBIOS over TCP/IP. The NetBIOS names are a requirement to establish networking services in earlier versions of Microsoft operating systems. The NetBIOS naming protocol is compatible with network protocols other than TCP/IP, such as NetBEUI or IPX/SPX. However, WINS was designed specifically to support NetBIOS over TCP/IP (NetBT). WINS simplifies the management of the NetBIOS namespace in TCP/IP-based networks.

        This option is enabled by default.
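      The Smart DNS and Smart WINS entries describe a stateful check rather than a plain port rule: an inbound reply is accepted only if the client sent a matching request to an assigned server and the reply arrives within five seconds; everything else on that port is dropped. Smart DHCP, by contrast, is described as a fixed pair of ports. The following is an added illustration of both, not Symantec's implementation: a solicited-reply tracker keyed on server address and local port, with the window as a parameter, plus a stateless DHCP check on remote port 67 (bootps) and local port 68 (bootpc). The same request/response pairing with a 10-second window is what the anti-MAC spoofing entry later on this page describes for ARP. Server addresses, timestamps, and packets are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # arrival time in seconds (constructed clock)
    direction: str     # "out" leaving the client, "in" arriving at the client
    protocol: str      # "UDP" for everything handled here
    remote_ip: str
    remote_port: int
    local_port: int


class SolicitedReplyFilter:
    """Allows outbound requests to assigned servers and only those inbound
    replies that answer a recorded request within `window` seconds."""

    def __init__(self, assigned_servers, remote_port, window):
        self.assigned = set(assigned_servers)
        self.remote_port = remote_port
        self.window = window
        self.pending = {}   # (server ip, local port) -> time the request was sent

    def handles(self, pkt: Packet) -> bool:
        return pkt.protocol == "UDP" and pkt.remote_port == self.remote_port

    def decide(self, pkt: Packet) -> str:
        """Return 'allow', 'drop', or 'not handled' for packets on other ports."""
        if not self.handles(pkt):
            return "not handled"
        self._expire(pkt.ts)
        key = (pkt.remote_ip, pkt.local_port)
        if pkt.direction == "out":
            if pkt.remote_ip not in self.assigned:
                return "drop"           # request to a server that is not assigned
            self.pending[key] = pkt.ts  # remember the request so its reply can match
            return "allow"
        sent = self.pending.pop(key, None)  # a reply consumes its request
        if sent is None:
            return "drop"               # unsolicited, unassigned server, or too late
        return "allow"

    def _expire(self, now: float) -> None:
        """Forget requests whose reply window has passed."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.window}


def smart_dhcp_allows(pkt: Packet) -> bool:
    """Smart DHCP as the article states it: requests from bootpc (68) to
    bootps (67) and the replies from 67 back to 68, no state required."""
    return pkt.protocol == "UDP" and pkt.remote_port == 67 and pkt.local_port == 68


def demo():
    """Run a constructed DNS trace through a Smart DNS filter (5 s window)."""
    dns = SolicitedReplyFilter(assigned_servers=["10.0.0.2"], remote_port=53, window=5.0)
    trace = [
        Packet(0.0, "out", "UDP", "10.0.0.2", 53, 50001),      # query to assigned server
        Packet(0.3, "in",  "UDP", "10.0.0.2", 53, 50001),      # answer, within 5 s
        Packet(0.4, "in",  "UDP", "10.0.0.2", 53, 50001),      # duplicate answer, no request left
        Packet(1.0, "in",  "UDP", "198.51.100.7", 53, 50002),  # unsolicited "reply"
        Packet(2.0, "out", "UDP", "198.51.100.7", 53, 50003),  # query to a non-assigned server
        Packet(3.0, "out", "UDP", "10.0.0.2", 53, 50004),      # query to assigned server
        Packet(9.0, "in",  "UDP", "10.0.0.2", 53, 50004),      # answer after 6 s, too late
    ]
    return [dns.decide(p) for p in trace]


if __name__ == "__main__":
    print(demo())
```

      Smart WINS is the same filter instantiated with remote port 137 and the assigned WINS servers; the trace shows why a stale or spoofed reply that is not preceded by a request is dropped even when it comes from an assigned server.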





Traffic and Stealth Settings
 

      You can enable the traffic settings on the client to detect and block the traffic that communicates through drivers, NetBIOS, and token rings. You can also configure settings to detect traffic that uses stealthier attack methods.

      Table: Traffic and stealth settings

      Enable driver-level protection
        Checks traffic that comes from both the TCP/IP stack and other protocol drivers.

        Most attacks in a corporate network occur through Windows TCP/IP connections. Other attacks can potentially be launched through other protocol drivers. Any protocol drivers that access a network are seen as network applications. The client then blocks protocol drivers from accessing the network unless a rule specifically allows it. If a protocol driver tries to access the network, a notification asks if the user wants to allow it.

        This option is enabled by default.

      Enable NetBIOS protection
        Blocks the NetBIOS traffic from an external gateway.

        You can use Network Neighborhood file and printer sharing on a LAN and protect a computer from NetBIOS exploits from any external network. This option blocks the NetBIOS packets (UDP 88, UDP 137, UDP 138, TCP 135, TCP 139, TCP 445, and TCP 1026) that originate from IP addresses that are not part of the defined ICANN internal ranges. These ranges include 10.x.x.x, 172.16.x.x, 192.168.x.x, and 169.254.x.x, with the exception of the 169.254.0.x and 169.254.255.x subnets.

        Note:
          NetBIOS protection can cause a problem with Microsoft Outlook if the client computer connects to a Microsoft Exchange Server that is on a different subnet. Therefore, you may want to create a firewall rule that specifically allows access to that server.

        This option is disabled by default.

      Allow token ring traffic
        Allows the clients that connect through a token ring adapter to access the network, regardless of the firewall rules on the client.

        If you disable this setting, any traffic that comes from the computers that connect through a token ring adapter cannot access the corporate network. The firewall does not filter token ring traffic. It either allows all token ring traffic or blocks all token ring traffic.

        This option is disabled by default.

      Enable reverse DNS lookup
        Allows the client to process the firewall rules that define a host by its domain name.

        The firewall performs a reverse DNS lookup on inbound packet IP addresses and compares the DNS name with the name defined in the rule.

        Note:
          To identify a host by its DNS name, you must have this option enabled. If this option is enabled, you can define a rule that uses a fully qualified domain name instead of the IP address. The format for a fully qualified domain name is www.mycompany.com. If this option is disabled, the client does not process the rule.

        This option is disabled by default.

      Enable anti-MAC spoofing
        Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log.

        Media access control (MAC) addresses are hardware addresses that identify the computers, the servers, and the routers. Some hackers use MAC spoofing to try to hijack a communication session between two computers. When computer A wants to communicate with computer B, computer A may send an ARP packet to computer B.

        Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds. The client rejects all unsolicited ARP RESPOND messages.

        This option is disabled by default.

      Enable stealth mode Web browsing
        Detects HTTP traffic from a Web browser on any port and removes the browser name and version number, the operating system, and the referring Web page. It stops Web sites from detecting which operating system and browser the computer uses. It does not detect HTTPS (SSL) traffic.

        Warning:
          Stealth mode Web browsing may cause some Web sites to not function properly. Some Web servers build a Web page based on information about the Web browser. Because this option removes the browser information, some Web pages may not appear properly or at all. Stealth mode Web browsing removes the browser signature, called the HTTP_USER_AGENT, from the HTTP request header and replaces it with a generic signature.

        This option is disabled by default.

      Enable TCP resequencing
        Prevents an intruder from forging or spoofing an individual's IP address.

        IP spoofing is a process that hackers use to hijack a communication session between two computers, such as computer A and B. A hacker can send a data packet that causes computer A to drop the communication. Then the hacker can pretend to be computer A and communicate with and attack computer B. To protect the computer, TCP resequencing randomizes TCP sequence numbers.

        Note:
          OS fingerprint masquerading works best when TCP resequencing is enabled.

        Warning:
          TCP resequencing changes the TCP sequence number when the client service runs. Because the sequence number is different when the service runs and when the service does not run, network connections are terminated when you stop or start the firewall service. TCP/IP packets use a sequence of session numbers to communicate with other computers. When the client does not run, the client computer uses the Windows number scheme. When the client runs and TCP resequencing is enabled, the client uses a different number scheme. If the client service suddenly stops, the number scheme reverts back to the Windows number scheme and Windows then drops the traffic packets. Furthermore, TCP resequencing may have a compatibility issue with certain NICs that causes the client to block all inbound and outbound traffic.

        This option is disabled by default.

      Enable OS fingerprint masquerading
        Prevents a program from detecting the operating system of a client computer. The client changes the TTL and identification value of TCP/IP packets to prevent a program from identifying an operating system.

        Note:
          OS fingerprint masquerading works best when TCP resequencing is enabled.

        Warning:
          TCP resequencing may have a compatibility issue with certain NICs that causes the client to block all inbound and outbound traffic.

        This option is disabled by default.
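      Of the settings in the table above, NetBIOS protection is specified precisely enough to check by hand: an inbound packet on one of the listed NetBIOS ports is blocked when its source address is outside the internal ranges the entry lists, with the two 169.254 subnets carved out. The following added example (not Symantec's code) implements exactly that classification. The ranges are taken literally from the article, so 172.16.x.x is treated as 172.16.0.0/16, which is narrower than the RFC 1918 172.16.0.0/12 block; the optional allow_hosts parameter models the Note about an explicit allow rule for an Exchange server on another subnet and is this example's assumption about how such a rule would take effect. All packets are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Ports the article lists for NetBIOS protection: (protocol, destination port).
NETBIOS_PORTS = {
    ("UDP", 88), ("UDP", 137), ("UDP", 138),
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 1026),
}

# "Defined ICANN internal ranges" exactly as the article lists them.
INTERNAL_RANGES = [
    ip_network("10.0.0.0/8"),        # 10.x.x.x
    ip_network("172.16.0.0/16"),     # 172.16.x.x as written (not the full /12)
    ip_network("192.168.0.0/16"),    # 192.168.x.x
    ip_network("169.254.0.0/16"),    # 169.254.x.x ...
]
INTERNAL_EXCEPTIONS = [
    ip_network("169.254.0.0/24"),    # ... except 169.254.0.x
    ip_network("169.254.255.0/24"),  # ... and 169.254.255.x
]


def is_internal(src_ip: str) -> bool:
    """True when the source falls inside the internal ranges minus the exceptions."""
    addr = ip_address(src_ip)
    if any(addr in net for net in INTERNAL_EXCEPTIONS):
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def netbios_protection(pkt: dict, enabled: bool = True, allow_hosts=()) -> str:
    """Return 'block' when NetBIOS protection drops the packet, otherwise 'pass'
    (pass = hand the packet on to the normal firewall rules).

    pkt is a dict with direction ("in"/"out"), protocol, src_ip and dst_port.
    allow_hosts: CIDR strings for hosts an explicit firewall rule allows
    (assumption of this example, modelling the Exchange Server note)."""
    if not enabled or pkt["direction"] != "in":
        return "pass"
    if (pkt["protocol"], pkt["dst_port"]) not in NETBIOS_PORTS:
        return "pass"
    addr = ip_address(pkt["src_ip"])
    if any(addr in ip_network(h) for h in allow_hosts):
        return "pass"
    return "pass" if is_internal(pkt["src_ip"]) else "block"


def demo():
    """Classify a set of constructed inbound and outbound packets."""
    samples = [
        {"direction": "in",  "protocol": "TCP", "src_ip": "203.0.113.5",  "dst_port": 445},  # Internet host, SMB
        {"direction": "in",  "protocol": "TCP", "src_ip": "10.1.2.3",     "dst_port": 445},  # LAN host, SMB
        {"direction": "in",  "protocol": "UDP", "src_ip": "169.254.0.7",  "dst_port": 137},  # excluded link-local subnet
        {"direction": "in",  "protocol": "UDP", "src_ip": "169.254.10.7", "dst_port": 137},  # permitted link-local
        {"direction": "in",  "protocol": "TCP", "src_ip": "203.0.113.5",  "dst_port": 80},   # not a NetBIOS port
        {"direction": "out", "protocol": "TCP", "src_ip": "10.1.2.3",     "dst_port": 445},  # outbound is not covered
        {"direction": "in",  "protocol": "TCP", "src_ip": "172.17.0.9",   "dst_port": 139},  # outside 172.16.x.x as listed
    ]
    return [netbios_protection(p) for p in samples]


if __name__ == "__main__":
    print(demo())
```

      The last sample is the practical caveat: a host on 172.17.x.x is private under RFC 1918 but is not inside the ranges the article lists, so its NetBIOS traffic would be blocked unless a firewall rule allows it, which is the same situation the Exchange Server note describes.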



References
Online Help - SEPM




Legacy ID



2008032011023248

