Usage of Location Awareness and Network Threat Protection with SEP 11 and SEP 12.1

Article:TECH195231  |  Created: 2012-08-20  |  Updated: 2012-10-09  |  Article URL http://www.symantec.com/docs/TECH195231
Article Type
Technical Solution

Product(s)

Issue



Understanding the usage of Location Awareness Switching (ALS) and Network Threat Protection (NTP) with Symantec Endpoint Protection (SEP) 11 and SEP 12.1


Environment



Symantec Endpoint Protection 11.x and 12.1


Solution



The challenge today's Network Administrator is facing is the various types of devices that appear in the corporate network through several network connection interfaces such as Eternet, WiFi and VPN.
Furthermore the devices will be often be authorized corporate devices or personal devices.

The following items are important to consider:

  • Location of the endpoint: Internet or the Corporate Network

  • Connection is established by what Interface: Cable, WLAN, VPN

  •  Device is a managed standard corporate device or non-standard allowed device.

  • The solution should be tamperproof like used within the Microsoft location awareness feature that separates, public, private and domain as DNS requests or pings can be manipulated.

Example: Here is how a scenario could look like to separate the locations appropriate with an exception handling and why also the interface is important to identify.

Configuration for determine in corporate network

  1. Condition (standard or non-standard device)

First issue to identify is if the device is standard or non-standard (Personal).

In corporation where software distribution mechanism is used it may be possible to specify if a registry key exists or othe unique items.

One aspect of this feature is that it is possible to generate a  report how many standard or non standard machines are in your console and network. 
 

  1. Condition (Network connection type)

Specify the network type that is used for the connection. 

Probably not everyone needs this, but the importance to determine the connection brings a significant security topic to be solved, otherwise you can also question why we have to use a DMZ and Firewalls.

When the interface used is known, firewall rules for this specific interface can prevent split tunneling through another interface and dual homed connections can be excluded to prevent potential attackers.

Alternatively and for the Location Internet you would specify “Any Network”, that will also bring the 3G and LTE Interfaces in a working state.

  1. Condition Management Server Connection

To make sure you are connected to the corporate network you can use as a first and secure way to figure it out, the Management Server Connection criteria. This will provide an authoritative and authentic answer, BUT only that you have a connection to a management server, that could be also the one reachable from the Internet.

 Important to make sure you are connected to the one in your LAN the 4Condition will be.

  1. Retrieve Server Connection

As we figured out before in the 3 Connection when you are connected to a management server you can also recognize to which one you are connected.

Put a condition for a registry key value and put as value your internal IPs of all your management servers.

This you can find per SEP version.

SEP 12

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastServerIP

SEP 11

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\LastServerIP

Due to SymProtect this also is tamperproof and you can be sure that you have with the 3 Condition a reliable scenario to determine that you are in the corporate network.

As a final result you have for a Location that specifies the corporate network the following condition scenario.

 

Configuration for determine in Internet

  1. Condition (standard or non-standard device)

Condition would be the same like above 1.

  1. Condition (Network connection type)

For the Internet you would specify instead of a single interface, “Any network connection” as you are anyway in an untrusted network from the security perspective.

  1. Condition DNS Lookup

Make sure you don’t retrieve your internal network SEPMs what is likely from the Internet.

It makes sense to specify for fault tolerance more than 1 SEPM.

 

As a final result you have for a Location that specifies the Internet the following condition scenario.

Configuration for determine in default(exception)

  1. Condition (standard or non-standard device)

Condition would be the same like above 1.

  1. Condition (Network connection type)

For the Exception handling you would specify does not use any connection as otherwise you would fulfill the Internet condition.

 

Configuration for determine in non standard

  1. Condition (standard or non-standard device)

Condition would be similar the above configuration except that you use the function “Does not exist” to be sure your criteria for determine your standard pcs isn’t given, as I would be for non-standard devices.

 

 

In the end you will have at least the following Locations, these must be also in the following order.

  • Corporate Network
    (here could be a separation like corporate network wifi or corporate network vpn)

  • Internet

  • No Connection (as exception handling for standard clients, otherwise they would be logged as no standard)

  • No Standard Endpoint


 

Based on these locations you can now define your policies.

I think the most important part about this would be how to avoid split tunneling with SEP and this is also the reason why we actually determined the network connection type, as all the other policies specifications and use cases should be clear.

 

So as you know the interface you could bind specific firewall rules to the according adapter determined in the location awareness and block all the other traffic for all interface what will secure you machine.
Even its not a Interface shutdown but at least effective.

 




Article URL http://www.symantec.com/docs/TECH195231


Terms of use for this information are found in Legal Notices