
Block Web Sites filtered by proxy with FW Rule

Created: 11 Jan 2013 | 8 comments
gbishopSA

Referencing back to this forum post - https://www-secure.symantec.com/connect/forums/blo....

- Essentially, when trying to block a DNS domain with a FW rule, traffic is blocked if it does not traverse a proxy server. A simple test enabling/disabling the proxy server settings in the web browser proves this problem.

How do I block traffic to a DNS domain, e.g. *.yahoo.com, when that is in fact filtered by, and probably served by, the proxy server?

Are there any updates & thoughts on this problem?

Thanks


Mithun Sanghavi

Hello,

Check this Article:

Configuring the Symantec Endpoint Protection Firewall to filter traffic based on whether its source/destination is from a particular domain

http://www.symantec.com/docs/TECH131681

IPS custom signatures check single data packets for a defined pattern. Firewall rules allow or block traffic depending on IP addresses, ports, applications, etc.

To block a website, firewall rules are easier and more reliable. IPS custom signatures are very flexible but error-prone. Furthermore, the main purpose of IPS custom signatures is to fight exploits.

To prevent users from using web proxies you could block all known web proxies with a firewall rule. I think it's not a good idea to try to block Facebook with a single IPS signature. For example, if you block all traffic with the pattern "www.facebook.com", there may be strong side effects because every site with this pattern in it will be blocked. You have a ton of "false positives" then.

Here is an interesting discussion of this issue:

http://www.symantec.com/connect/forums/how-block-proxy-sites-through-custom-ips

Blocking a Website using Symantec Endpoint Protection:

http://www.symantec.com/docs/TECH92405

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SMLatCST

Install the SEP FW on the proxy server and block it there?

Have you considered the SWG or Symantec.Cloud for more detailed web filtering capabilities?

http://www.symantec.com/web-gateway

http://www.symantec.com/en/uk/web-security-cloud

gbishopSA

Please keep in mind, no solution offered takes into consideration that your network has a proxy server, WebMarshal, etc. for browser requests. So when you traverse the domain proxy server and go to a website, the destination is seen as the proxy server and not yahoo.com, as an example - hence the issue.

- Why do I want to do this? To add a large list of malware domain names/IPs that SEP does not block.

____

Ashish - thanks, I already reviewed those articles and they did not resolve it.

Mithun - IPS rules are an option, but I cannot add many DNS names, as I can do with Host Groups in the FW.

SMLatCST - thanks, that is an option; the system is not Windows, which makes admin difficult.

Gordon

SMLatCST

What proxy software are you using? I'm quite surprised you can't set any web domain blocking rules there (is it just a Squid cache or something?)

gbishopSA

SMLatCST - It can be done there (on the proxy server), but that is not really what I am focusing on here. I have clients that require management in multiple scenarios, and also without a proxy (home users), etc.

We are also looking at more advanced analytics / detection / remediation using SEP.

The majority of companies use proxy servers on their network; in this case SEP FW IP/DNS blocking will never work through the web browser.
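The mechanism gbishopSA describes (the host firewall only ever sees the proxy's address once the browser is pointed at a proxy) and Mithun's point about loose IPS patterns causing false positives can both be shown with a small model. The following is an added example written for this page, not code from the thread or from Symantec: it simulates what a host firewall observes for the same browser requests with the proxy off and on, then compares a destination-domain firewall rule, a naive substring pattern, and a match on the proxy-visible target hostname. All hostnames, IP addresses, the resolver table and the connection records are constructed.

```python
"""
Why a host-firewall "block DNS domain" rule misses proxied browser traffic.

Constructed example (not from the thread, not Symantec code): it models what a
host firewall sees for a direct connection versus a connection sent through a
web proxy, then compares three blocking strategies the thread discusses:
  1. a firewall rule keyed on the destination domain (expanded to IPs),
  2. a naive substring pattern over the request (IPS-signature style),
  3. a match on the proxy-visible target hostname (what a proxy or web
     gateway can filter on).
Every hostname, IP and connection record below is made up.
"""
from dataclasses import dataclass

# Constructed resolver table: what a host firewall would consult when it
# expands a domain-based host group into destination addresses.
FAKE_DNS = {
    "www.yahoo.com": {"192.0.2.10", "192.0.2.11"},
    "mail.yahoo.com": {"192.0.2.12"},
    "www.facebook.com": {"198.51.100.5"},
    "www.facebook.community": {"203.0.113.7"},   # unrelated look-alike site
    "proxy.corp.example": {"10.0.0.8"},          # the corporate web proxy
}

# Rule intent: block these domains and all of their subdomains.
BLOCKED_DOMAINS = {"yahoo.com", "facebook.com"}


@dataclass
class Connection:
    """One outbound TCP connection as the host firewall observes it."""
    dst_ip: str        # the IP the host actually connects to
    dst_port: int
    http_target: str   # hostname the HTTP layer asks for (CONNECT target / Host header)
    via_proxy: bool    # True when the browser is configured to use the proxy


def domain_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match: www.yahoo.com matches yahoo.com,
    www.facebook.community does not match facebook.com."""
    return host == domain or host.endswith("." + domain)


def rule_ips(domains) -> set:
    """Expand a domain rule into the destination IPs a host group would hold."""
    return {ip for host, addrs in FAKE_DNS.items()
            if any(domain_matches(host, d) for d in domains) for ip in addrs}


def fw_rule_blocks(conn: Connection) -> bool:
    """Strategy 1: firewall rule on destination IP/domain. Proxied traffic is
    addressed to the proxy's IP, so the rule never sees the real destination."""
    return conn.dst_ip in rule_ips(BLOCKED_DOMAINS)


def ips_substring_blocks(conn: Connection, pattern: str = "facebook.com") -> bool:
    """Strategy 2: naive substring pattern, the way a loose IPS signature
    matches. Catches the target whether proxied or not, but also any unrelated
    host that merely contains the string."""
    return pattern in conn.http_target


def proxy_target_blocks(conn: Connection) -> bool:
    """Strategy 3: match on the hostname the proxy/web gateway sees, with
    suffix matching so look-alike hosts are not caught."""
    return any(domain_matches(conn.http_target, d) for d in BLOCKED_DOMAINS)


def evaluate(conns):
    """Return, per connection, which strategy would block it."""
    return [{"target": c.http_target, "via_proxy": c.via_proxy,
             "fw_rule": fw_rule_blocks(c),
             "ips_substring": ips_substring_blocks(c),
             "proxy_target": proxy_target_blocks(c)} for c in conns]


def missed_by_fw_rule(conns):
    """Targets the domain firewall rule is meant to block but does not: the gap
    the thread is about."""
    return sorted(c.http_target for c in conns
                  if proxy_target_blocks(c) and not fw_rule_blocks(c))


# Constructed traffic: the same browser requests with the proxy off and on.
SAMPLE = [
    Connection("192.0.2.10", 443, "www.yahoo.com", via_proxy=False),
    Connection("10.0.0.8", 8080, "www.yahoo.com", via_proxy=True),
    Connection("198.51.100.5", 443, "www.facebook.com", via_proxy=False),
    Connection("10.0.0.8", 8080, "www.facebook.com", via_proxy=True),
    Connection("203.0.113.7", 443, "www.facebook.community", via_proxy=False),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
    print("missed by FW domain rule:", missed_by_fw_rule(SAMPLE))
```

Running it shows the two proxied connections pass the domain firewall rule untouched because their destination is 10.0.0.8, the substring pattern catches www.facebook.community as a false positive, and only the match on the proxy-visible target blocks exactly the intended hosts in both modes, which is why the thread keeps pointing at the proxy or a web gateway as the place to enforce this.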

SMLatCST

Ahhhh, gotcha, that clarified your use case.

In that case, I'd really have to suggest a cloud-based web filtering service like that offered by Symantec.Cloud. It's going to be difficult to cover all scenarios with SEP (as you've found), as web filtering is not what it's designed for.

Presumably though (in your current setup), when your users are at home, the SEP FW rules work fine, and when they are in the office you can block those sites at your proxy. So it's the duplication of effort, and the risk of disparity, you're trying to avoid?

gbishopSA

Any suggestions from Symantec Engineers?