Hello all,
I’m a security consultant in my company which is focused on all aspects of IT security but I’m only Symantec focused, for now :)
I want to share a successful SEP deployment adventure with one of our customers who did not allow us to share their name for this experience.
I can tell their structure though. This is a Holding consists of many companies from military manufacturing, energy, banking to textile and etc. having around 10.000 employees in 4 main branches with many banking branches and even with branches on deserts abroad. Main branches are connected to each other with MetroEthernet and DSL to failover. Other branches within the country have only DSL links and branches in the middle of deserts only have 64kbps sattelite links.
They were already using TrendMicro and they were thinking that its management capabilities are limited. There were of course many AV software options on the table to be considered. We did demos, POC, created a test environment and left it for them to test thoroughly. They finally came down to 3 options which was obvious in the beginning since they are the biggest players in the market: McAfee and Symantec. You may not believe but, McAfee didn’t pass the detailed performance tests (now I understand how it feels for them to blame a product for its performance values :). So Symantec was left in hand succsessfully standing.
What they expected and concerned about SEP while protecting their assets was of course zero-day-protection, little false positives, good performance, centralised management, stability and reliability. Thus, we gave them the answers on all of these such as Symantec’s protection network, SEP client’s detailed features down to the little web server it shall run when it is assigned as a GUP. However, we also told them what the caveats and the known issues are along with the SEP’s roadmap. Thus, they had all the deepest and slightest information we can share within that time frame. That was outstanding for them and they were surprised about how informed we were on SEP compared to other products’ techicians.
We’ve prepaired detailed documentation on planning, implementation and maintenance. We only had 1 month to finish and clear up our responsibilities. Following it with a 3 day education.
As for their technical expectations, they were far more higher. They wanted to have a complete protection suite with very high managability and updatablity supporting location awareness, easy to deploy and upgrade. They had many technical concerns and
I want to list those tricky ones only since you already know the classical ones. I’ll list them one by one together with how we resolved them:
Demand : They needed a failover structure and administration delegation along with security.
Solution : We’ve set up 5 SEP Managers in one SEP site, using 1 cluster of SQL 2005 Server as their common database. That way they were reaching the same structure on every SEP Manager. We placed 1 SEP Manager to DMZ to make it available to users connected to the internet outside the organization. We have created different Management Server Lists for different groups to keep them connected if one or two SEP Managers are down. To increase security, we tried to use custom ports and encrypted communication wherever structure allowed us.
Demand : They had roaming clients between desert branches. They wanted them to download their updates locally at the related branch regularly without using the 64kbps sattelite links since these lines were already loaded with company communication.
Solution : GUP didn’t help us on these kind of slow connections. So, we’ve set up a LiveUpdate Administrator server in the Headquarters and prepared an IIS server on each of the desert locations where they already have servers in every one of them. LUA distributes the downloaded updates to those locations. We have created one LiveUpdate policy for all desert branches and set up the DNS servers in each branch to resolve the local IIS LiveUpdate distribution center. We didn’t even use Location Awareness for these locations because that meant a little more mess in the interface and many different policies. So DNS trick was enough for us and worked great!
Demand : They had a completely restricted section who were not allowed to access outside of their LAN. They wanted USB, CD/DVD drives and any other external equipment, even printers blocked. And of course, they somehow needed to update the SEP clients in this section.
Solution : To update the clients, we have set up another distribution center in LUA which was a UNC path (mapped network drive) to a removable disk drive. They were going to plug the disk to the private LAN’s server every morning and plug it back to the LUA in the evening (hard to follow, but they didn’t want to use Jdb updates since it only gives AV and AS updates). Device concerns of this demand was handled with Device Control.
Demand : There is a group of pepole who can only browse to HTTPS web sites and they are only allowed to use the Firefox as their browser.
Solution : So easy. Just used the firewall policy. Allow Firefox application to communicate to port 443. Then block all traffic to port 80.
Demand : Allowed USB drives should be used only for document transfers.
Solution : Some groups were not allowed to use USB storage at all. Some groups got the chance to use the USB drives if their Device IDs are allowed, but with limited access. This simple move made the life so easy for them : Allow doc, xls, ppt, pdf files and etc. ; Block read access to all other types of files. That way flash disk viruses just gave up trying :)
Demand : File server was full of media files such as MP3s, AVIs etc. This should be resolved.
Solution : Prevent users from accessing to media files on network drives. When we designated a read access block, then they couldn’t copy any media files to the file server any more. Then one script was enough to free the File Server’s disks.
I should thank global support and especially to Cormac Doyle on helping our cases out. We left a so good impression on this customer that even we were impressed :)
There is a NAC project coming for them and that is going be another blog post when the project is complete.
That’s all for me now. Enjoy and protect !
Best regards,
Bekir Burak Durmaz