Endpoint Protection

 View Only

  • 1.  Building a policy using predefined "if-then-else" statements within SEP

    Posted Jul 06, 2011 07:06 AM

     

    Took from article

    https://www-secure.symantec.com/connect/articles/writing-your-own-policies-symantec-endpoint-protection

    In a modern corporate environment, it is common for employees to be issued computers with both wired and wireless networking capabilities, which can allow those computers to be on two networks at once. If, for example, there is a coffee shop across the street with wireless access, the computer can be on its network as well as your corporate network. The wireless coffee shop connection may not have the same security standards as the corporate network, and may open the secure network to exposure.

    An effective device-control policy would make it possible to disable the wireless network interface card, making it impossible for the computer to be on a second unsecured network.

    Of course, this would be problematic for your laptop users, who are on the corporate network while in the office, but need to access other networks when out of the office, including wireless networks. This is where the location awareness functionality of Symantec Endpoint Protection can be used to allow the wireless network interface card to function when the computer is outside the corporate network. Once it is inside the secure network, it can then be turned off. .

    Establishing the parameters for network detection is a simple matter of building a policy using predefined "if-then-else" statements within Symantec Endpoint Protection. If the IP address received is not on the corporate network, then the agent on the managed laptop will enable the wireless NIC; otherwise, the wireless hardware will be disabled.

    The question: is it possible to build a policy using predefined "if-then-else" statement within SEP? And if it is possible, how can i build it? I could not find any of these.



  • 2.  RE: Building a policy using predefined "if-then-else" statements within SEP

    Posted Jul 06, 2011 02:09 PM

    NO; you can build such policies in Symantec Network access control ( SNAC) its a different product; can be intergrated with SEP



  • 3.  RE: Building a policy using predefined "if-then-else" statements within SEP
    Best Answer

    Posted Jul 06, 2011 03:35 PM

    The two can go hand-in-hand.  There's no one-stop place to set up an if-then-else statement per se, but what you could do is set up locations and different policies.

    As an example, you could set up a location with the criteria that the IP address is a certain range that would specify that the machine is "at work".  Next, you set up an Application and Device Control policy that, say, blocks access to wireless NICs and USB (just as an example), and name it something easy to locate..."at work" or something.

    You modify your polices so that when the machine meets the critieria for "at work", it'll use the policy for Application and Device Control that blocks the wireless card...and when the laptop is taken home, since the IP address (presumably) would be different, it would stop using the policies that you've set for "at work" and go back to using whatever the default rules are.



  • 4.  RE: Building a policy using predefined "if-then-else" statements within SEP

    Posted Jul 07, 2011 01:09 AM

    Thanks for the replies. Answers are extremely usefull, especially the last one. yes