More about Location Awareness in Symantec Endpoint Protection (SEP)

Article:TECH97369  |  Created: 2009-01-11  |  Updated: 2013-01-21  |  Article URL http://www.symantec.com/docs/TECH97369
Article Type
Technical Solution

Issue
More about Location Awareness in Symantec Endpoint Protection (SEP)

Symptoms
More details are needed on how to set up and manage client locations and policies.

Solution

About a group's default location

The default location is used if one of the following occurs:

• Among multiple locations, one meets the location criteria but the last location does not.
• You use location awareness and no locations meet the criteria.
• The location is renamed or changed in the policy. The client reverts to the default location when it receives the new policy.

When the Symantec Endpoint Protection Manager (SEPM) is initially installed, only the default location, named "Default", is set up. At that time, every group's default location is Default. This can be changed to the correct location later, after you add other locations. Every group must have a default location. You may prefer to designate a location like Home or Road as the default location.

About locations and location awareness

Users frequently need to connect to the network from multiple locations. A separate security policy can be assigned for each type of network connection, such as wireless, Ethernet, or VPN, and for the place from which the connection is made, such as home, an Internet café, or the office. Symantec eliminates rogue connections that expose the organization to hackers while automating the process.

To protect the network, set up the conditions that trigger this automatic switching, known as location awareness, so that the best security policy is applied to each client or server. The best security policy typically depends on the location from which the user connects.

A set of conditions can be assigned to each group's location that automatically selects the correct security policy for a user's environment. These conditions are based on information such as the network settings of the computer from which the request for network access was initiated. An IP address, MAC address, or the address of a directory server can also function as a condition.

If the security policy is changed in the console, either the management server updates the policy on the client or the client downloads the policy. If the current location is not valid after the update, then the client switches to another location that is valid, or the client uses the default location.

Specify Location Criteria

A number of conditions can be specified to determine when a client computer switches to another location before it is allowed to connect to the network. Switching locations allows a different set of security policies to apply when a client computer connects to the network from a more vulnerable location. If the conditions match, the computer automatically switches to the designated group location with its associated policy, and the computer is allowed to connect to the network.

The conditions that are set may be positive. For example, a client computer matches because it uses an IP address that falls within a particular IP address range, or because it has a particular registry key that you specify.

The conditions can also be negative.  For example, a computer matches if it does not use a specific Wireless SSID that has been specified.  These condition settings can be added, edited or deleted.


    Table: Available location criteria

    Computer IP Address
    This criterion has the following options:
    · If the client computer has one of the IP addresses listed below
    · If all of the IP addresses of the client computer are listed below
    · If the client computer does not have any of the addresses listed below
    The following criterion types can be specified: IP Address, IP Range, or Subnet Address and Subnet Mask, and their values.

    Gateway Address
    This criterion has the following options:
    · If the Gateway address of the client computer is one of the addresses listed below
    This condition includes all computers that match the listed IP addresses.
    · If the Gateway address of the client computer does not match any address listed below
    The following criterion types can be specified: IP Address, IP Range, Subnet Address and Subnet Mask, or a MAC Address, and their values.

    WINS Server Address
    This criterion has the following options:
    · If the client uses one of the WINS Server addresses listed below
    · If all of the WINS Servers on the client computer are listed below
    · If the client computer does not have any of the WINS Server addresses listed below
    The following criterion types can be specified: IP Address, IP Range, or Subnet Address and Subnet Mask, and their values.

    DNS Server Address
    This criterion has the following options:
    · If the client computer uses one of the DNS Server addresses listed below
    · If all of the DNS Servers on the client computer are listed below
    · If the client computer does not use any of the DNS Server addresses listed below
    The following criterion types can be specified: IP Address, IP Range, or Subnet Address and Subnet Mask, and their values.

    DHCP Server Address
    This criterion has the following options:
    · If the DHCP Server address of the client computer is one of the addresses listed below
    · If the DHCP Server address of the client computer does not match any address listed below
    The following criterion types can be specified: IP Address, IP Range, Subnet Address and Subnet Mask, or a MAC Address, and their values.

    Network Connection Type
    This criterion has the following options:
    · If the client computer uses the network connection type specified below
    · If the client computer does not use the network connection type specified below
    The following network connection types can be specified:
    · Any networking
    · Dial-up networking
    · Ethernet
    · Wireless
    · Check Point VPN-1
    · Cisco VPN
    · Microsoft PPTP VPN
    · Juniper NetScreen VPN
    · Nortel Contivity VPN
    · SafeNet SoftRemote VPN
    · Aventail SSL VPN
    · Juniper SSL VPN

    Management Server Connection
    This criterion has the following options:
    · If the client computer can connect to the management server
    · If the client computer cannot connect to the management server

    Trusted Platform Module
    This criterion has the following options:
    · If the client computer uses the Trusted Platform Module specified below
    · If the client computer does not use the Trusted Platform Module specified below
    The following Trusted Platform Module types can be specified:
    · Any TPM Token
    · IBM TPM Token
    · HP TPM Token

    DNS Lookup
    This criterion has the following options:
    · If the client computer can resolve the host name specified below
    · If the client computer cannot resolve the host name specified below
    The host name and the DNS resolved address can be specified.

    Registry Key
    This criterion allows for checking against the following conditions:
    · Whether the specified registry key name or registry key value name exists or does not exist on the client computer.
    · Whether the specified registry key value data is equal to or not equal to a particular key name, value type (String, DWORD, or Binary), or value name.

    Wireless SSID
    This criterion has the following options:
    · If the client computer uses one of the Wireless SSIDs listed below
    · If the client computer does not use one of the Wireless SSIDs listed below

    NIC Description
    This criterion has the following options:
    · If the client computer uses one of the NIC descriptions listed below
    · If the client computer does not use one of the NIC descriptions listed below

    DNS Suffix
    This criterion has the following options:
    · If the client computer uses one of the DNS suffixes listed below
    · If the client computer does not use one of the DNS suffixes listed below
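As an added illustration (not Symantec code) of how the criteria in the table above combine with the default-location rules, the following Python model evaluates a constructed group's locations in listed order and falls back to the group default when none match. It assumes that every criterion of a location must match and that locations are tried in the order listed; the field names, match-mode labels, and sample addresses are constructed for the example.

```python
import ipaddress

# Added illustration of how SEP location criteria are evaluated; not Symantec code.
# A criterion is (field, mode, entries). The modes mirror the wording of the
# article's table: "one_of" (the client has one of the listed values), "all_of"
# (all of the client's values are listed) and "none_of" (none are listed).
# An entry may be an IP address, a "start - end" IP range, a subnet written as
# "address/mask" or CIDR, or a plain string such as an SSID or NIC description.

def entry_matches(value, entry):
    """Compare one observed client value with one configured entry."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:  # not an address: SSID, DNS suffix, NIC, connection type
        return value.strip().lower() == entry.strip().lower()
    if "-" in entry:  # IP range "start - end", inclusive
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return lo <= ip <= hi
    if "/" in entry:  # subnet address and subnet mask (or CIDR prefix)
        return ip in ipaddress.ip_network(entry, strict=False)
    return ip == ipaddress.ip_address(entry)

def criterion_matches(mode, client_values, entries):
    """Apply one of the three match modes to the client's values for a field."""
    hits = [any(entry_matches(v, e) for e in entries) for v in client_values]
    if mode == "one_of":
        return any(hits)
    if mode == "all_of":
        return bool(hits) and all(hits)  # assumption: no values means no match
    if mode == "none_of":
        return not any(hits)
    raise ValueError("unknown mode: " + mode)

def select_location(locations, default, client):
    """Return the first location whose criteria all match, else the group default."""
    for loc in locations:
        if all(criterion_matches(mode, client.get(field, []), entries)
               for field, mode, entries in loc["criteria"]):
            return loc["name"]
    return default

# Constructed group configuration and client snapshots (sample values only).
LOCATIONS = [
    {"name": "Office", "criteria": [
        ("ip", "one_of", ["10.20.0.0/255.255.0.0"]),
        ("dns", "all_of", ["10.20.0.53", "10.20.0.54"]),
    ]},
    {"name": "Home Wireless", "criteria": [
        ("ip", "none_of", ["10.20.0.0/255.255.0.0"]),
        ("connection", "one_of", ["Wireless"]),
    ]},
]
OFFICE_CLIENT = {"ip": ["10.20.30.40"], "dns": ["10.20.0.53"], "connection": ["Ethernet"]}
HOME_CLIENT = {"ip": ["192.168.1.5"], "dns": ["192.168.1.1"], "connection": ["Wireless"]}
HOTEL_CLIENT = {"ip": ["172.16.5.9"], "dns": ["172.16.0.1"], "connection": ["Ethernet"]}

if __name__ == "__main__":
    for label, snap in [("office", OFFICE_CLIENT), ("home", HOME_CLIENT), ("hotel", HOTEL_CLIENT)]:
        print(label, "->", select_location(LOCATIONS, "Default", snap))
```

The hotel client matches neither location (wired, outside the office subnet) and so receives the group's default location, which is why the default should carry the strictest policy you are willing to apply to an unknown network.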


General Settings for group name: General Settings

Use this dialog to configure the general location awareness and client restart settings. These settings are applied to each client within the selected group.

Table: General settings for client

Location Settings
• Remember the last location
At an initial logon, the client is assigned the location that it used last. If location awareness is enabled, the client switches to the appropriate location after a few seconds. If location awareness is disabled, the user can manually switch between any of the locations, even when the client is in server control.
If a quarantine location is enabled, the client may change to the quarantine location after a short time.
• Enable Location Awareness
Automatically selects the correct location in which to place the clients. The location determines which policy takes effect. After a restart, the client starts in the same location it was in before the user turned off the client computer.
Note: You can use location awareness only for clients in the subgroups that do not inherit their policy contents from a parent group.
This option is enabled by default.

Restart Options
Specifies the method by which the client computer restarts after client installation or when the client computer shuts down.
You can configure the following restart options:
• Prompt the user to restart the computer
Displays a notification on the client to prompt the user to restart the client computer. The user can click No to postpone the restart.
You can configure the following options to restart the client computer:
o Message
The additional text that you can add to the notification.
o Maximum number of snooze opportunities
The number of times that the user can postpone the computer restart before the computer automatically restarts.
o Maximum time between snoozes (seconds)
The time period between when the user postpones the computer restart and when the notification appears again.
o The notification window will automatically close after (seconds)
The number of seconds that the notification remains open before the client restarts.
• Force the computer to restart
The computer automatically restarts. The user does not have an opportunity to postpone the restart.

Enabling a client's automatic assignment of policies

Which policies are assigned to a client depends on the location from which the client connects; therefore, location awareness should be enabled.

To enable a client's automatic assignment of policies:

1. In the console, click Clients.
2. On the Clients page, under View Clients, select the group to implement automatic switching of locations.
3. On the Policies tab, uncheck Inherit policies and settings from parent group "group name".
Modify only the location-independent settings for those groups that have not inherited those policies and settings from a parent group.
4. Under Location-independent Policies and Settings, click General Settings.
5. In the General Settings dialog box, on the General Settings tab, under Location Settings, check Remember the last location.

By default, this option is enabled. The client is initially assigned to the policy that is associated with the location from which the client last connected to the network.

• If Remember the last location is checked when a client computer connects to the network, then the client is initially assigned a policy. This policy is associated with the last-used location. If location awareness is enabled, then the client automatically switches to the appropriate policy after a few seconds. The policy that is associated with a specific location determines a client's network connection. If location awareness is disabled, the client can manually switch between any of the locations even when it is in server control. If a quarantine location is enabled, the client may switch to the quarantine policy after a few seconds.

• If Remember the last location is not checked when a client connects to the network, then the client is initially assigned the policy that is associated with the default location. The client cannot connect to the last-used location. If location awareness is enabled, then the client automatically switches to the appropriate policy after a few seconds. The policy that is associated with a specific location determines a client's network connection. If location awareness is disabled, the user can manually switch between any of the locations even when the client is in server control. If a quarantine location is enabled, the client may switch to the Quarantine Policy after a few seconds.
6. Check Enable Location Awareness.
By default, location awareness is enabled. The client is automatically assigned to the policy that is associated with the location from which the user tries to connect to the network.
7. Click OK.

About planning locations

Before adding locations to a group, consider the types of security policies that are needed in the environment. The criteria that define each location also need to be determined.

The following should be considered:

• From which locations are users connecting?
Consider which locations need to be created and how to label each one. For example, users may connect at the office, from home, from a customer site, or from another remote site such as a hotel during travel. Additional qualified locations may be required at a large site.
• Should location awareness be set up for each location?
• How do you want to identify the location if using location awareness?
Identify the location based on IP addresses, WINS, DHCP, or DNS server addresses, network connections, and other criteria.
• If the location is identified by network connection, what type of connection is it?
For example, the network connection may be a connection to the Symantec Endpoint Protection Manager, dial-up networking, or a particular brand of VPN server.
• Should clients connecting from this location use a specific type of control, such as server control, mixed control, or client control?
• Should Host Integrity checks be made at each location, or should they be skipped at certain times, such as when the client is not connected to the Symantec Endpoint Protection Manager?
• What applications and services should be allowed at each location?
• Should the location use the same communication settings as the other locations in the group, or different ones? A unique set of communication settings can be used for one location.

Adding a location with a wizard

A location can be added to a group by using a wizard. Each location can have its own set of policies and settings. Criteria (conditions) can be set to trigger the clients to switch to a new location with different security settings whenever the conditions are met. The best security policies to apply typically depend on where the client is located when it connects to the network. When location awareness is enabled, it ensures that the strictest security policy is assigned to a client when it is needed.

To add a location with a wizard:

1. In the console, click Clients.
2. On the Clients page, under View Clients, select the group to add one or more locations to.
3. On the Policies tab, uncheck Inherit policies and settings from parent group "group name".
Add locations only to groups that do not inherit policies from the parent group.
4. Under Tasks, click Add Location.
5. In the Welcome to the Add Location Wizard panel, click Next.
6. In the Specify Location Name panel, type a name and description for the new location, and click Next.
7. In the Specify a Condition panel, select any of the following conditions under which a client switches from one location to another:
No specific condition: Select this option so that the client can choose this location if multiple locations are available.
IP address range: Select this option so that the client can choose this location if its IP address is included in the specified range. Specify both the start IP address and the end IP address.
Subnet address and subnet mask: Select this option so that the client can choose this location if its subnet address and subnet mask match those specified.
DNS server: Select this option so that the client can choose this location if it connects to the specified DNS server.
Client can resolve host name: Select this option so that the client can choose this location if it can resolve the specified host name to the specified DNS address.
Client can connect to management server: Select this option so that the client can choose this location if it connects to the specified management server.
Network connection type: Select this option so that the client can choose this location if it connects through the specified type of network connection. The client switches to this location when using any of the following connections:
• Any networking
• Dial-up networking
• Ethernet
• Wireless
• Check Point VPN-1
• Cisco VPN
• Microsoft PPTP VPN
• Juniper NetScreen VPN
• Nortel Contivity VPN
• SafeNet SoftRemote VPN
• Aventail SSL VPN
• Juniper SSL VPN
8. Click Next.
9. In the Add Location Wizard Complete panel, click Finish.

About working with Firewall Policies

The Symantec Endpoint Protection Manager includes a default Firewall Policy with firewall rules and firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.

When the console is installed for the first time, it adds a default Firewall Policy to each group automatically. Every time a new location is added, the console copies a Firewall Policy to the default location automatically.

If the default protection is not appropriate, it can be customized using the Firewall Policy for each location, such as for a home site or customer site. If the default Firewall Policy is not what is needed, it can be edited or replaced with another shared policy.

Firewall Policies include the following elements:

Firewall rules: Policy components that control how the firewall protects computers from malicious incoming traffic and applications. The firewall automatically checks all incoming and outgoing packets against these rules, and allows or blocks the packets based on the information specified in the rules.
Smart traffic filters: Allow the specific types of traffic that are required on most networks, such as DHCP, DNS, and WINS traffic.
See Enabling Smart traffic filtering.
Traffic and stealth settings: Detect and block traffic that comes from certain drivers, protocols, and other sources.
See Enabling traffic and stealth settings.
Peer-to-peer authentication settings: Block a remote computer from connecting to a client computer until the client computer has authenticated that remote computer.
See Configuring peer-to-peer authentication.

A location can be set to client control or mixed control so that the user can customize the Firewall Policy.
See Configuring Network Threat Protection settings for mixed control.
Firewall Policies can be edited or created in the same way as other types of policies. Firewall Policies can be assigned, withdrawn, replaced, copied, exported, imported, or deleted.

Typically a policy can be assigned to multiple groups in the security network. Create a non-shared, location-specific policy if there are specific requirements for a particular location.

We recommend becoming familiar with the basics of policy configuration before working with policies.
See About policies.

References
Notes copied from the SEPM's help files.

Legacy ID
2009111106333348