Hello,
I want to share with you a concept that took me quite a bit of time at the beginning to summarize the facts until I was able to transfer it into a Location Awareness template and policies.
The challenge everyone faces today is the variety of device types that pop up in the corporate network through several network connection interfaces such as cable, WiFi and VPN. Furthermore, these devices may be corporate devices or personal devices (BYOD).
So the following aspects are important as criteria:
- Location of the endpoint (Internet, corporate network)
- Interface through which the connection is established (cable, WLAN, VPN)
- Whether the device is a managed standard corporate device or a non-standard but allowed device (BYOD)
- The solution should be tamperproof, like what I'm used to from the Microsoft location awareness feature that separates public, private and domain, since DNS requests or pings can be manipulated.
Furthermore, with a certain size and line of business of your corporation you may think of managing your devices also when they are connected to the Internet, which at some point calls for a SEPM in a DMZ.
(From that stage on, the common use case of the SEP Location Awareness feature, "Connected to a SEPM", isn't working, as you can't separate which SEPM we are talking about.)
So here is how a scenario could look that separates the locations appropriately, with exception handling, and why the interface is also important to identify.
Configuration to determine "in corporate network"
1. Condition (standard or non-standard device)
The first point to sort out is the question of standard or non-standard devices, which is also the first condition in your location awareness.
In corporations that have a software distribution system you can check whether a registry key exists, or anything else unique to the corporate build. I think every company has something special on its corporate devices.
An interesting side effect is that, based on this feature, you can also report how many standard or non-standard machines are in your console and network. (OK, classical NAC would do the same, but sometimes non-standard devices are still accepted devices, which keeps NAC a bit out of the game.)
2. Condition (network connection type)
Now you specify the network type that is used for the connection.
Probably not everyone needs this, but determining the connection type solves a significant security topic; otherwise you can also question why we use a DMZ and firewalls at all.
When you know which interface is used, you can apply firewall rules to that specific interface to avoid split tunneling through another interface, i.e. a dual-homed host in your network that creates an opportunity for potential attackers.
Alternatively, and for the Internet location, you would specify "Any Network", which also brings the 3G and LTE interfaces into a working state.
3. Condition (Management Server Connection)
To make sure you are connected to the corporate network, the first and secure way to figure it out is the Management Server Connection criterion.
This provides an authoritative and authentic answer, BUT only that you have a connection to a management server, which could also be the one reachable from the Internet.
To make sure you are connected to the one in your LAN, the 4th condition is important.
4. Condition (Retrieve Server Connection)
As we figured out in condition 3, when you are connected to a management server you can also recognize which one you are connected to.
Put a condition on a registry key value and use as the value the internal IPs of all your management servers.
The key differs per SEP version:
SEP 12
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastServerIP
SEP 11
HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\LastServerIP
Due to SymProtect this is also tamperproof, and together with condition 3 you have a reliable scenario to determine that you are in the corporate network.
As a final result, a location that specifies the corporate network has the following condition scenario.
Configuration to determine "in Internet"
1. Condition (standard or non-standard device)
The condition is the same as 1. above.
2. Condition (network connection type)
For the Internet you specify "Any network connection" instead of a single interface, as you are in an untrusted network anyway from the security perspective.
3. Condition (DNS Lookup)
Make sure you don't retrieve your internal network SEPMs, which is likely from the Internet.
For fault tolerance it makes sense to specify more than one SEPM.
As a final result, a location that specifies the Internet has the following condition scenario.
Configuration to determine "default" (exception)
1. Condition (standard or non-standard device)
The condition is the same as 1. above.
2. Condition (network connection type)
For the exception handling you specify "does not use any connection", as otherwise you would fulfil the Internet condition.
Configuration to determine "non-standard"
1. Condition (standard or non-standard device)
The condition is similar to the configuration above, except that you use the function "Does not exist" to be sure the criterion that determines your standard PCs is not met, as would be the case for non-standard devices.
In the end you will have at least the following locations, and they must be in the following order:
1. Corporate Network (here there could be a separation such as corporate network WiFi or corporate network VPN)
2. Internet
3. No Connection (exception handling for standard clients; otherwise they would be logged as non-standard)
4. No Standard Endpoint
Based on these locations you can now define your policies.
I think the most important part is how to avoid split tunneling with SEP, and this is also the reason why we determined the network connection type, as all the other policy specifications and use cases should be clear.
Since you know the interface, you can bind specific firewall rules to the adapter determined in the location awareness and block all other traffic on all other interfaces, which will secure your machine.
Even if it's not an interface shutdown, it is at least effective.
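As an added example (my own illustration, not code from the original post and not part of the SEP product), here is a Python model of the four locations and their conditions, evaluated in the required order, together with a helper that reads the LastServerIP value from the registry paths quoted above on a Windows client (it returns None on any other OS), and a per-adapter rule table for the anti-split-tunneling idea. The SEPM IPs, DNS names, adapter names and the "Default" fallback location are constructed sample values and assumptions, not taken from the post.

```python
"""Model of the SEP location-awareness decision described in the post.

Added example, not code from the original post or from Symantec. The SEP
criteria (registry key exists, network connection type, management server
connection, LastServerIP value, DNS lookup) are modelled as plain fields so
the evaluation order can be exercised offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

try:
    import winreg  # only present on Windows
except ImportError:  # any other OS: registry lookup is skipped
    winreg = None

# Constructed sample values (assumptions): replace with your own environment.
INTERNAL_SEPM_IPS = {"10.10.1.20", "10.10.1.21"}                 # LAN management servers
DMZ_SEPM_DNS_NAMES = {"sepm1.example.com", "sepm2.example.com"}  # SEPMs reachable from the Internet
CONNECTION_TYPES = {"cable", "wlan", "vpn"}

# Registry keys quoted in the post; the value name is LastServerIP in both.
LAST_SERVER_IP_KEYS = {
    "SEP 12": r"SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate",
    "SEP 11": r"SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink",
}


def read_last_server_ip() -> Optional[str]:
    """Return LastServerIP from HKLM on a Windows client, None if absent or not on Windows."""
    if winreg is None:
        return None
    for path in LAST_SERVER_IP_KEYS.values():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, _ = winreg.QueryValueEx(key, "LastServerIP")
                return str(value)
        except OSError:  # key or value missing for this SEP version
            continue
    return None


@dataclass
class EndpointState:
    standard_marker_present: bool      # condition 1: corporate marker (e.g. registry key) exists
    connection_type: Optional[str]     # condition 2: "cable", "wlan", "vpn" or None (no connection)
    sepm_connected: bool               # condition 3: Management Server Connection
    last_server_ip: Optional[str]      # condition 4: LastServerIP registry value
    resolved_dns_names: Set[str]       # names the DNS Lookup criterion resolves


def corporate_network(e: EndpointState) -> bool:
    return (e.standard_marker_present
            and e.connection_type in CONNECTION_TYPES
            and e.sepm_connected
            and e.last_server_ip in INTERNAL_SEPM_IPS)


def internet(e: EndpointState) -> bool:
    # "Any network connection" plus a DNS lookup of at least one DMZ SEPM.
    return (e.standard_marker_present
            and e.connection_type is not None
            and bool(e.resolved_dns_names & DMZ_SEPM_DNS_NAMES))


def no_connection(e: EndpointState) -> bool:
    return e.standard_marker_present and e.connection_type is None


def non_standard(e: EndpointState) -> bool:
    return not e.standard_marker_present


# Locations in the order the post requires: first match wins.
LOCATIONS: List[Tuple[str, Callable[[EndpointState], bool]]] = [
    ("Corporate Network", corporate_network),
    ("Internet", internet),
    ("No Connection", no_connection),
    ("No Standard Endpoint", non_standard),
]


def determine_location(e: EndpointState) -> str:
    for name, matches in LOCATIONS:
        if matches(e):
            return name
    return "Default"  # hypothetical catch-all, an assumption of this example


def firewall_rules(location: str, connection_type: Optional[str],
                   adapters: Tuple[str, ...] = ("cable", "wlan", "vpn")) -> Dict[str, str]:
    """Per-adapter rule table for the anti-split-tunneling idea from the post.

    In the corporate location only the adapter that established the connection
    passes traffic and every other adapter is blocked. For other locations this
    example applies no adapter binding (assumption; the location's own policy decides).
    """
    if location == "Corporate Network":
        return {a: ("allow" if a == connection_type else "block") for a in adapters}
    return {a: "location-policy" for a in adapters}


if __name__ == "__main__":
    laptop_on_vpn = EndpointState(True, "vpn", True, "10.10.1.20", {"sepm1.example.com"})
    loc = determine_location(laptop_on_vpn)
    print(loc, firewall_rules(loc, laptop_on_vpn.connection_type))
```

The `laptop_on_vpn` state also satisfies the Internet conditions (it has a connection and resolves a DMZ SEPM), which is exactly why the post insists on the location order: with Corporate Network evaluated first, the client lands there and the VPN adapter is the only one allowed to pass traffic. A standard client with no connection falls into No Connection rather than being logged as non-standard, and a device without the corporate marker ends up in No Standard Endpoint regardless of its connection.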