Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

SEP Configuration for DMZ Servers

Created: 19 Mar 2013 • Updated: 22 Mar 2013 | 7 comments
Language Translations
Farzad's picture
+7 7 Votes
Login to vote

De-Militarized Zone or the DMZ is the portion of the network which has two main specifications:

1-      Contains servers and services which are accessible from outside of the network.

2-      Any access to these servers and transaction with them should be thoroughly secured, risk free and logged and monitored best.

Hence usually the most restricted and toughest security policies are applied on this zone due to the criticality level of what the DMZ contains and how it is accessed. However the term DMZ most of the time brings the idea of “Gateway designing” and how to plan and manage the firewall and other security systems on the DNZ Gateway. Although the gateway is highly important, however the endpoint protection systems on the servers are as much important as the gateway security is, and in case of attack or intrusion, the endpoint protection system can role as a very strong defensive line. In this article we will see how to configure the Symantec Endpoint Protection to protect the servers in DMZ best.

In order to configure the “DMZ Protection Policy”, first of all you should have a very specified and distinct group and policy for the DMZ zone and usual policies are never enough.

Take into consideration the following hints for each section of policies and note that same as all you have in your network, security policies should be managed and surveyed on regular basis too, while “security is a trend, not a destination”

Antivirus

There are two important parts about the Antivirus policies:

1-      Scanning

You should have two very different planned scanning policies.

First is the regular scan which should be wisely planned. Even if the data of the server is not changing very often, as in webserver, you still should create tough regular Full Scan. The reason is that if by any chance the hacker or the malware successfully had infiltrated into the server and spawned a Trojan or infected the server, the risk should be eliminated AS SOON AS POSSIBLE. And hence, create a daily Full Scan on midnight or any time out of the peak time, so that you can be sure that any infection will not be carried to the next day. In addition to a daily scan, you’d better add a “Quick Scan” every 4 hours and when new definition is downloaded in order to check certain folders and locations.

The second part of scanning is the Auto Protect. Note that benefiting from “File Cache”, you shouldn’t be worried about making the auto protect tough. The file cache technology helps the SEP Clients avoids checking the files which haven’t been changed since the last scan. Therefore even if you apply the toughest auto protect policies, the unchanged files will not be engaged with the policy.

In the auto protection policy, turn on the “File cache” and the “Risk tracer”. Risk tracer will log the source of the attack or the malware origination point so that if any security risk occurs, you may be able to trace the risk and have the log for remediating or blocking the attacker host. Then for the “Startup and Shutdown” instead of “Symantec Endpoint Protection Starts” put the option on “Computer Start”, so that SEP Client will start prior to all the services and startup applications and if the system is infected by an auto-start malware or service, then Symantec will be ready before all. Note that killing some running applications or services can be a very severe task which in some cases you have to boot the windows in safe mode.

2-      SONAR

The SONAR system is the artificial intelligence of the Symantec endpoint protection system. If by any reason the antivirus is unable to detect the malware or the threat as a previously known one, the next step of checking process will be the SONAR. SONAR examines the suspicious file using intelligent Heuristic scan (Dynamic, Static and Insight) to ensure it cannot be a risk in future.

More than simply enabling the SONAR for the DMZ group, you’d better enable the “DNS Change detection” and “Host file change detection” as well. Modifying the DNS or the Host file are very simple methods that a hacker uses to monitor the server transactions or infiltrate in it. By changing the IP address of the DNS server or the Host File of the server, the name resolving query of the server will be misled and forwarded to the hacker’s computer. Then for example instead of the IP address of the google.com website, the hacker will reply its own server IP address, or at least the hacker will obtain the list of accessed URLs. But since we rarely change the DNS or the Host File configuration of the DMZ servers, it is a good idea to block these alteration.

The next configuration which will increase the servers’ security, is to adjust the “Detecting Commercial Application” in the “TruScan legacy Client Settings”. This option will define which action should the SONAR take if it detects a known commercial key logger or remote control application. Now a days hackers have access to many cracked versions of commercial applications, furthermore you know the applications running on the server specifically such risky software. Therefore you’d better set this feature as block and instead, in case of need add an exception rule for your known key logger or remote control application.

Firewall

It is very important to wisely configure the Firewall of the endpoint protection system installed on the DMZ servers. Since this firewall is functioning locally on the server (and not on the gateway), you are able to create drilled down firewall rules which spending a short while for each, will significantly improve your servers hardening.

Below are some consideration about the Symantec endpoint protection Firewall for the DMZ zone:

1-      DMZ Rules

Same as what we configure on the gateway security systems, we should have dedicated rules for the endpoint protection systems on the servers. In order to create such a firewall policy for example for a webserver, you should first allow only HTTP protocol and block the rest of traffic, and of course enable the logging system. After a while, you will consider the list of ports, protocols and services you should allow and block the rest, in order to make it function securely.

2-      The Blue Line

The blue line in the middle of the rules of a firewall policy defines that rules above the line will proceed the below ones. Benefitting from this simple feature, you’d better put the DMZ firewall rules all above the blue line so that you will always be sure that no rule will be merged with them.

3-      Additional security features

The traffic and process’ of the servers in the DMZ zone are not same as the other servers in the network. Therefore it is necessary to inspect the network traffic flow to and from these servers more sensitively. Hence, enable the below features in the Protection and Stealth setting:

a.       Enable Port Scan Detection: So if the hacker tries to capture the open ports, Symantec will detect and block the attempt. Compromising the list of open ports is usually of the first steps of attacks.

b.      Enable denial of service detection: Although this is not a very intelligent feature and in order to block such an attack you need a complex security system, however this feature will block any unknown signature and pattern to block DOS attempts.

c.       Enable anti-MAC spoofing: to block MAC-Spoofing or ARP Poisoning attack, using this feature Symantec blocks any unrequested ARP Reply which by default are accepted by the system. This is a defensive system against MITM (Man in the middle)

Notification

Although many of the administrators know the difference the Reports and Notifications, but in configuration they mostly concentrate on reporting rather than the notification.

One of the most effective items in the notification section, is the “Risk outbreak”. This feature will monitor the security events on the server, and if the number exceeds a certain level, it triggers an action which can be an email to the administrator and even executing a script. For instance if the number of infected files found in an hour on the SQL server passes over 200, Symantec sends an email to the administrator or executes a script. Hence you will be always be informed if your server is at risk.

This was an example for Notifications. There are many other notification conditions which by setting them wisely, you will be immediately noticed on any event or incident.

Farzad Ghafourian

March 15, 2013

Comments 7 CommentsJump to latest comment

fina's picture

thanx for this awesome article
you know , that's a "REAL" article ;-) :)

+2
Login to vote
TORB's picture

Good startout point.
Just a few things you should reconsider :)

1.Why configure legacy settings if your only using SEP 12.1? Legacy settings are only for SEP 11.x clients.

2. Why so many Active scans?

2.1 Active scans on new definitions would run avarage 3 times a day. More than enough. Running it more often is useless as auto-protect would anyway detect it if it is covered by the current virus definition.

3. The blue line does not define the priorty order. The only difference are that rules below the blue line can be edited on the SEP agent if configured in Mixed mode. The firewall rules are always prioritezed from the top rule and down. If any rule the administrator should configure the rules based on what kind of service the server delivers. From my experience the Firewall also often cause headaches on Server OSes (corrupt network cards etc). Especially if you have teamed network cards, so be carefull and test thoroughly before installing on your servers.

A few extra points:
1.Remember to lock down all policies so they can't be edited directly on the server.

2. Make sure the servers have access to the insight servers so the can leverage from insight in SONAR detections
https://ent-shasta-mr-clean.symantec.com:443/incid...
https://ent-shasta-rrs.symantec.com/mrclean
 

3. If the server is really critical. Concider Symantec Critical System Protection instead of or combined with SEP

Torb

+1
Login to vote
John Santana's picture

yes I must admit that this article is great to know and exciting to read :-)

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

+1
Login to vote
nwranich's picture

Very useful information in this article.  Thank you.

+1
Login to vote
Chetan Savade's picture

Hi,

Adding few important articles:

Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ

http://www.symantec.com/business/support/index?page=content&id=TECH178325

Security recommendations regarding SEP client installed on server located in DMZ

http://www.symantec.com/docs/TECH122858

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

+2
Login to vote
John Santana's picture

Many thanks for the sharing Chetan !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
Login to vote
Rash_M's picture

Awesome article, thanks for sharing with us

0
Login to vote