
Use Case of Location Awareness and Network Threat Protection with SEP (11/12)

Created: 20 Aug 2012 | 10 comments
Author: toby

Hello,

I want to share a concept that took me quite a while to work out before I was able to turn it into a Location Awareness template and policies.

The challenge everyone faces today is the variety of devices that show up in the corporate network over several connection interfaces such as cable, WiFi and VPN. These devices may be corporate devices or, in BYOD scenarios, personal ones.

So the following aspects are important as criteria:

  • Location of the endpoint (Internet, Corporate Network)

  • Connection is established by what Interface (Cable, WLAN, VPN)

  • Device is a managed standard corporate device or non-standard allowed device (BYOD)

  • The solution should be tamperproof, like the Microsoft location awareness feature I am used to that separates public, private and domain networks, because DNS requests or pings can be manipulated.

 

Furthermore, with a certain company size and business you may want to manage your devices also while they are connected to the Internet, which at some point means placing a SEPM in a DMZ.

(From that point on the common use case of the SEP Location Awareness feature, "Connected to a SEPM", no longer works, because you cannot tell which SEPM the client is talking to.)

 

So here is how a scenario could look that separates the locations appropriately, with exception handling, and why it also matters to identify the interface.

 

Configuration to determine the corporate network

  1. Condition (standard or non-standard device)

The first point you should sort out is the question of standard versus non-standard devices, which will also be the first condition in your location awareness.

In companies that have software distribution you could check whether a registry key exists, or anything else that is unique to the corporate build. I think every company has something specific on its corporate devices.

An interesting side effect is that, based on this criterion, you can also report how many standard and non-standard machines are in your console and network. (Classical NAC would do the same, but sometimes non-standard devices are nevertheless accepted devices, which keeps NAC a bit out of the game.)

 

  2. Condition (network connection type)

Now you should specify the network type used for the connection.

Probably not everyone needs this, but determining the connection type addresses a significant security topic; otherwise you could just as well ask why we need a DMZ and firewalls at all.

When you know which interface is in use you can apply firewall rules to that specific interface. This prevents split tunnelling through another interface and avoids a dual-homed host in your network, which would give a potential attacker an opportunity.

Alternatively, and for the Internet location, you would specify "Any network", which also covers the 3G and LTE interfaces.

 

  3. Condition (management server connection)

To make sure you are connected to the corporate network, the first and secure way to find out is the management server connection criterion.

This gives an authoritative and authentic answer, BUT only that you have a connection to some management server, which could also be the one reachable from the Internet.

To make sure you are connected to the one in your LAN you need condition 4.

 

  4. Condition (retrieve server connection)

As established in condition 3, when you are connected to a management server you can also recognise which one you are connected to.

Add a condition on a registry key value and enter as values the internal IPs of all your management servers.

The key differs per SEP version.

SEP 12

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate\LastServerIP

SEP 11

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\LastServerIP

Thanks to SymProtect this value is also tamperproof, so together with condition 3 you have a reliable way to determine that you are in the corporate network. (Note that SymProtect protects the key against local modification on the client; it says nothing about whether the address the client reached is really the internal server, which is the open question raised in the comments below.)

 

 

As a final result, the location representing the corporate network uses conditions 1 to 4 above combined, so that all of them must be met.

 

Configuration to determine the Internet

  1. Condition (standard or non-standard device)

The condition is the same as condition 1 above.

  2. Condition (network connection type)

For the Internet you specify "Any network connection" instead of a single interface, as from a security perspective you are in an untrusted network anyway.

  3. Condition (DNS lookup)

Make sure you cannot resolve your internal SEPMs, which is what you would expect from the Internet; the condition must match when the lookup fails.

For fault tolerance it makes sense to specify more than one SEPM.

 

As a final result, the location representing the Internet uses conditions 1 to 3 above combined.

Configuration to determine the default (exception) location

  1. Condition (standard or non-standard device)

The condition is the same as condition 1 above.

  2. Condition (network connection type)

For the exception handling you specify "Does not use any network connection", because otherwise you would fulfil the Internet condition.

Configuration to determine non-standard devices

  1. Condition (standard or non-standard device)

The condition is similar to the one above, except that you use the "Does not exist" function, to be sure that the criterion identifying your standard PCs is not met, as is the case for non-standard devices.

 

 

In the end you will have at least the following locations, and they must be in this order, because the first location whose conditions are all met is the one applied:

  • Corporate Network
    (this could be split further, e.g. corporate network WiFi or corporate network VPN)

  • Internet

  • No Connection (exception handling for standard clients; otherwise they would be classified as non-standard)

  • Non-standard endpoint
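To show how these four locations resolve in practice, here is an added example that is not part of the original post: a PowerShell diagnostic that reads the same inputs on a SEP client (the corporate marker key, the active adapter types, the LastServerIP value from the registry paths quoted above, and an internal DNS lookup) and applies the conditions in the same order as the location list. The marker key, the internal SEPM IPs and the internal SEPM host name are hypothetical placeholders. The live "management server connection" criterion of condition 3 cannot be read from a script, so the LastServerIP check stands in for conditions 3 and 4 together.

```powershell
# Added example, not from the original post: reproduce the ordered location
# evaluation as a local diagnostic on a SEP client.
# Hypothetical placeholders (not from the page): marker key, SEPM IPs, SEPM name.
$CorpMarkerKey    = 'HKLM:\SOFTWARE\ExampleCorp\ManagedClient'   # corporate build marker
$InternalSepmIPs  = @('10.10.1.10', '10.10.1.11')                 # LAN SEPMs (condition 4)
$InternalSepmName = 'sepm01.corp.example'                         # resolvable only on the LAN

# LastServerIP locations quoted in the post, tried in order (SEP 12, then SEP 11).
$LastServerKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate',
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
)

function Test-StandardDevice {
    # Condition 1: the corporate marker key exists.
    Test-Path -LiteralPath $CorpMarkerKey
}

function Get-SepLastServerIP {
    # Condition 4: the SEPM the client last talked to, or $null if never connected.
    foreach ($key in $LastServerKeys) {
        $item = Get-ItemProperty -LiteralPath $key -Name LastServerIP -ErrorAction SilentlyContinue
        if ($item -and $item.LastServerIP) { return [string]$item.LastServerIP }
    }
    return $null
}

function Get-ConnectedAdapterTypes {
    # Condition 2: classify adapters that are up by physical medium.
    Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object Status -eq 'Up' | ForEach-Object {
        switch ($_.PhysicalMediaType) {
            '802.3'         { 'Ethernet' }
            'Native 802.11' { 'Wireless' }
            'Wireless WAN'  { 'Mobile' }
            default         { 'Virtual' }   # VPN and tunnel adapters usually land here
        }
    } | Sort-Object -Unique
}

function Test-InternalSepmResolvable {
    # Internet condition 3: the internal SEPM name must NOT resolve from outside.
    try { $null = Resolve-DnsName -Name $InternalSepmName -DnsOnly -ErrorAction Stop; $true }
    catch { $false }
}

function Resolve-SepLocation {
    # Pure decision logic in the post's order; the first location whose
    # conditions all hold wins, exactly like the ordered location list.
    param([bool]$IsStandard, [string[]]$AdapterTypes, [string]$LastServerIP, [bool]$InternalDnsResolves)

    $hasEthernet = $AdapterTypes -contains 'Ethernet'
    $hasAny      = $AdapterTypes.Count -gt 0
    $lanSepm     = $LastServerIP -and ($InternalSepmIPs -contains $LastServerIP)

    if     ($IsStandard -and $hasEthernet -and $lanSepm)             { 'Corporate Network' }
    elseif ($IsStandard -and $hasAny -and -not $InternalDnsResolves) { 'Internet' }
    elseif ($IsStandard -and -not $hasAny)                           { 'No Connection' }
    elseif (-not $IsStandard)                                        { 'Non-standard endpoint' }
    else   { 'Unmatched (e.g. standard device on WiFi that still resolves internal names)' }
}

$location = Resolve-SepLocation -IsStandard (Test-StandardDevice) `
    -AdapterTypes @(Get-ConnectedAdapterTypes) -LastServerIP (Get-SepLastServerIP) `
    -InternalDnsResolves (Test-InternalSepmResolvable)
"Standard device : $(Test-StandardDevice)"
"Adapters up     : $((Get-ConnectedAdapterTypes) -join ', ')"
"LastServerIP    : $(Get-SepLastServerIP)"
"Location        : $location"
```

The "Unmatched" branch is worth watching: a standard device on WiFi in the corporate LAN resolves the internal SEPM names, so it matches neither Corporate Network (no Ethernet) nor Internet (DNS works); in SEP that client would get whichever location you place last, which is why the post suggests a separate corporate network WiFi location.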

 

Based on these locations you can now define your policies.

I think the most important part is how to avoid split tunnelling with SEP; this is also the reason we determined the network connection type, as the other policy specifications and use cases should be clear.

So, knowing the interface, you can bind specific firewall rules to the adapter identified in the location awareness and block all other traffic on all other interfaces, which secures your machine.
It is not an interface shutdown, but it is at least effective.
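To make the adapter-bound rule concrete, here is an added example that is not part of the original post and not a SEP firewall policy: the same intent (while in the Corporate Network location, the cable adapter is the only allowed path) expressed as Windows Firewall rules via PowerShell, run elevated on the client. Rule names are hypothetical.

```powershell
# Added example (not from the post, not SEP's own firewall): Windows Firewall
# analogue of "allow the corporate adapter, block everything else".
# SEP evaluates its rules top-down, so "allow on Ethernet" above "block all"
# works there. Windows Firewall lets a Block rule beat an Allow rule regardless
# of order, so the same intent is written as explicit Block rules per
# non-corporate interface type instead of one catch-all block.
# Rule names below are hypothetical.

$BlockedInterfaceTypes = @('Wireless', 'RemoteAccess')   # WLAN and RAS/VPN adapters
$RulePrefix = 'Corp-Location-Block'

function Enable-CorporateLocationRules {
    foreach ($type in $BlockedInterfaceTypes) {
        foreach ($dir in 'Inbound', 'Outbound') {
            $name = "$RulePrefix-$type-$dir"
            if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -Name $name -DisplayName $name `
                    -Direction $dir -Action Block -InterfaceType $type `
                    -Profile Any -Enabled True | Out-Null
            }
        }
    }
}

function Disable-CorporateLocationRules {
    # Called when the client switches back to the Internet location.
    Get-NetFirewallRule -Name "$RulePrefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Get-CorporateLocationRuleState {
    Get-NetFirewallRule -Name "$RulePrefix-*" -ErrorAction SilentlyContinue |
        Select-Object Name, Direction, Action, Enabled
}

Enable-CorporateLocationRules
Get-CorporateLocationRuleState
```

Two caveats: third-party VPN clients often present a virtual adapter that Windows classifies as Wired rather than RemoteAccess, so for those you would bind the block rule with -InterfaceAlias to the VPN adapter's name instead; and, as in the post, this only blocks traffic, it does not disable the adapter, so the adapter keeps its IP binding (the point ferdinandm raises in the comments).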

Comments (10)

Srikanth_Subra wrote:

Hi,

Nice article. But I have one doubt: what does this location awareness do?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

toby wrote:

hi,

thank you!

What do you mean by "what will this location awareness do?"

I think the basic idea of why location awareness exists is clear: to apply different policies to your devices, because in different locations such as the corporate network and the Internet you want different countermeasures for your endpoints.

This location awareness approach will help you implement a location check that identifies whether you are connected to the corporate network or not. Besides that I have implemented a check that may be helpful to identify standard machines versus non-standard notebook PCs. The important part from my point of view is to have this location awareness tamperproof, as with the conventional "is SEP connected to a SEPM" (not specifying which SEPM, so also the SEPM reachable from the Internet) it is not guaranteed which location you are in.
So most likely people would move on to DNS or pings, which is not a reliable feature when we talk about security-related location awareness. Secondly, the identification of which network interface is used, to then avoid split tunnelling within the firewall policy.

Hope it's clearer now what I'm trying to describe.

cheers, toby

 

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

Srikanth_Subra wrote:

Thanks for the detailed explanation.

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

ferdinandm wrote:

I like the ability to disable all other adapters. But shouldn't you disable all adapters except the wireless one? Also, with all other adapters disabled, an IP is still bound to the LAN adapter. This causes the browser to sometimes choose the wrong adapter.

Viknesh wrote:

ferdinandm: Firewall rules are in order of priority. These rules are applied to all traffic that comes in or goes out from the endpoint. As such, a rule above "block all other adapters" will take precedence, and traffic via the wireless adapter will always be allowed. Also take note that the adapters are not disabled; traffic is simply blocked by the firewall.

Car_Bed wrote:

That's great and all, but why do SEP 11 and 12 use the SAME DNS transaction ID for multiple DNS lookups? I.e. I say condition 1 is: find the IP address for server A OR server B OR server D (I'm sure we all have servers that might go away, so this is just good practice). BUT SEP says, let me send all these condition requests with one transaction ID. The router then says, uhhh, isn't this DNS poisoning... and the rest is history.

Let me know what Symantec's stance is on this please.

Thanks in advance

 

toby wrote:

That's a good question, Car_Bed. I can't tell you why SEP 11 and 12 use the same DNS transaction ID, but I can explain the concept, which might be the solution in itself.

When we consider corporate notebooks that are normally connected to the corporate network, they will therefore not actively ask DNS for the IP...

So for the internal network the risk is quite low, as we also have to consider, as you said, that servers move. If we talk about the SEPM server as the base of this query, the SEP admin should be well aware of which servers he has in his infrastructure, as he also needs to manage his own management server lists.

Talking about the external use case, when a corporate notebook is somewhere else like a home network or a hotel lobby:

In this case a single PC is using an independent network infrastructure and will not create the load that might poison a DNS cache in the first place. Assume an attacker is observing these DNS requests and is somehow able to manipulate the independent LAN and its DNS.

What happens if the machine gets this response? In the first place nothing, as the other location criteria will not be fulfilled either and the most likely location is still the Internet location, so the worst case is not a security risk for the client machine.

 

Did I answer your question from the conceptual perspective? Maybe someone else can answer about the DNS transaction ID.

 

cheers, toby

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

Car_Bed wrote:

Yes, you did, Toby, thank you. I do see your point. What I saw is that when the DNS request comes through the router, it spits it out as bad (i.e. I have 3 requests using the same transaction ID and the router spits out all 3 of them, rejecting the entire "transaction" if you will). So, just to understand this: if DNS is going to be attacked, would the same use case not still apply, as the SEP client is still going to send the same criterion (love that word :) ) for whatever location you are using? I'm a pretty heavy Location Awareness logic user and LOVE to get feedback. I now use multiple matches for each location I have. I am now using the ICMP response match for 12 instead of the DNS query, for the reason outlined above. I found that the VPN adapter logic is great, but for me it makes no sense. If you have a client that unplugs, they are in an external location, right? When they connect back in, it doesn't matter how; as long as they can hit a management server they are now internal. So the VPN adapter logic, to me at least, makes no sense...

Let me know your thoughts, and again, thank you for posting the feedback. I do appreciate it.

John

Also, one more question (as if I didn't jam-pack my questions and feedback into one big paragraph already..). For the HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink LastServerIP key, is it good practice to key off this using a registry value entry? I have seen some do this, but if the client is stood up for the first time through an install and you have logic that keys off this value, will this backfire on you, as a new client might not have the last server it connected to because it has not connected yet?

toby wrote:

Question 1:

Assuming the following simplified locations with criteria:

corporate network
= corporate PC based on a regkey (not necessary but helpful)
= client uses Ethernet
= has a management server connection
= regkey of last server exists

internet
= corporate PC based on a regkey (not necessary but helpful)
= client uses any network connection
= DNS query that it cannot resolve

So from the security perspective nothing will happen even if the router does not handle the DNS query, for whatever reason, as the client stays in the Internet profile.

For the corporate network it is different, as I don't have the DNS queries in the corporate network, so that's the difference...
But a ping response can be compromised as well? In any case DNS or ICMP would do the same here, as it is only there to check the non-existence of your internal servers if you have e.g. a SEPM in the DMZ that would conflict with "if management connection = true".

2) VPN adapter: this depends on how often you check the location, so when the client loses the management connection right when you close the adapter, you will fall back to the Internet profile. At least for me I am in a 5-10 second timeframe.

3) For freshly installed clients, as these will try to connect to the SEPM immediately when they are online, the LastServerIP will be filled within seconds.
In case you have trouble, you might be interested in having firewall rules allowing the software distribution traffic through in every profile or interface, which might be given anyway when you also have software distribution over the Internet.

 

Hope this answers all questions and confirms the other possibilities.

cheers, toby

 

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

Jake Bake wrote:

Hi Toby,

Is the condition to determine the IP address of the connected SEPM also tamperproof? E.g. is the LastServerIP determined by the IP address that SEP attempted to connect to, or is it returned by the mutually authenticated SEPM over a tamperproof channel?

Just as DNS requests and pings can be manipulated, so can TCP connections be arbitrarily redirected or dropped. E.g. the connections to the SEPM on the Internet could be dropped, and connections to the internal IPs could be redirected to the Internet IPs.
