Endpoint Protection

  • 1.  Firewall False Positive on Wireless

    Posted Jul 29, 2009 03:35 PM
    I'm currently seeing SEP firewall blocks on traffic that is NOT wireless

    These are the listed adapters on the system, both of which are wired
    Intel(R) PRO/100 VE Network Connection
    3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)

    Please advise on how this can be corrected?



  • 2.  RE: Firewall False Positive on Wireless

    Posted Jul 29, 2009 04:15 PM
    Hello Paul.
    Please tell me, do I understand correctly: you want to block your network adapters but not wireless devices? Is that right?
    Thank you


  • 3.  RE: Firewall False Positive on Wireless

    Posted Jul 29, 2009 04:21 PM
    No, we want all wireless devices blocked, but not wired network adapters. Therefore we used the firewall rule to block "Wireless Adapters", because we don't have every possible device-id for wireless NICs that is required to use App/Device Control.

    What is happening is the SEP firewall thinks wired traffic is really wireless and is blocking it in error.


  • 4.  RE: Firewall False Positive on Wireless

    Posted Jul 29, 2009 04:47 PM
    Trying to figure out how you made a rule to block traffic or the adapter itself...

    NIC -> Wireless and Wired fall under the same category. 
    Unfortunately both use TCP protocols and the stack for transmission. 

    There is no way that I can tell to tell the system to block 802.11 or 802.2 IEEE standards, unfortunately.  It really relies on fingerprinting...
    You would need to disable the wireless cards on the systems, which in turn poses the problem that when they bring their (likely mobile) computers home, they would like to have access to the wireless systems.  Quite a predicament...



  • 5.  RE: Firewall False Positive on Wireless

    Posted Jul 30, 2009 07:57 AM
    Hi Paul, based on this KB:
    Title: 'Wireless Agents Are Unable To Connect To The LAN.'
    Document ID: 2008031806151648
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008031806151648

    -> Clients won't have access through Wireless unless the "Allow wireless EAPOL" rule is set to allow.
    Set the Rule to deny and place it high enough in the order and you won't have to do any further thinking :)



  • 6.  RE: Firewall False Positive on Wireless

    Posted Jul 30, 2009 01:08 PM
    Sorry guys I don't think you understand what I'm doing

    The SEP firewall has a predefined Network Adapter under Policy Components. There are several there, including one labeled "Wireless"
    When this is used in the firewall policy it can block or permit traffic based on the adapter, which is a component of SEP rules.

    This solution works and I've tested it, although I like using the Device Control better, as it blocks it at the hardware level versus layer 3. The problem with Device control is that you would have to know every possible device ID to have an effective block. So we use the SEP FW instead.

    The problem you mentioned about needing Wireless off-network is easily solved by creating another Location in SEP and that is working fine.

    EAPOL has nothing to do with this as we are permitting it for NAC, not wireless. That's another problem: "Wireless EAPOL" is incorrectly labeled in SEP, as EAPOL is more than just wireless traffic.

    The problem IS that the Symantec-configured object "Wireless" is getting false positives on adapters that are wired. Other than creating a pass rule, which I don't want to do, I want Symantec to fix this "Wireless" Adapter object because it's not editable by the user. That is why I listed the NIC models above.


  • 7.  RE: Firewall False Positive on Wireless

    Posted Aug 04, 2009 04:35 AM
    Hi Paul, if you wish Symantec to fix something, we need a case and that advanced to Level 2 and Development, a Defect created. This just won't work through a forum. We can try to find Workarounds here with the given product; work around all flaws and features. But if you need a flaw fixed, a defect is the only option in my opinion.