
Firewall Policy for VPN users

Created: 10 Oct 2012 | 6 comments

Hi, I need help understanding some things about the firewall and policies.

I am using SEP 12.1

I have set up several locations:

1. ON_NET

2. OFF_NET

3. VPN

 

The one that is not working the way I want it to is VPN.

If our users are on VPN, they are already connected to an "Untrusted" network. When my test computer connects to VPN, the location switches just fine; however, I am trying to fine-tune access.

 

What I want to do is allow ALL and ANY traffic coming FROM the VPN and going TO the VPN

But then deny everything else.

 

For example, we have Joe User in a coffee shop. Joe gets on the corporate VPN. I want to be able to RDP or use Dameware to get into Joe's computer; however, if Jack Hacker is in the coffee shop and decides he wants to connect to Dameware, it will let him connect (granted, we still have the PW layer of security, but the would-be attacker has already gotten part of what he wants: a TCP connection to my system).

Now, I thought I had this working the way I want by making firewall statements specific to the interface (I was able to allow pings from VPN to the remote host, but computers on the public network, NOT on VPN, could not ping). You see what I am getting at?

To put it even more simply, I would want the "Allow all applications" rule to apply ONLY to the VPN tunnel (yes, I created an interface under my policy for the AnyConnect VPN adaptor, and I got the correct Identifier),

and then the Deny all for the rest of the adaptors... but when I do that, it breaks the SSL VPN (most likely because it's now being denied, as the protocol probably flows from the physical adapter then to the tunnel adapter).

Been screwing with this all day, and I am hoping someone will be willing to help me think this through... (I can get you Excel files with my rules, etc.)

 

Comments

Seyad's picture

Try creating a rule to block traffic from all network adapters except the "VPN Network adapter", after the SEP client switches to the VPN location. To do this, first you will need to add the VPN adapter to SEPM. Check the link below on "Adding a custom network adapter to the network adapter list".

URL: http://www.symantec.com/docs/HOWTO55471
 

If needed, you can let specific traffic alone to pass through the other adapters.

Seyad.

Mithun Sanghavi's picture

Hello,

For Remote location where users log on through a VPN - The following settings are recommended as best practice for the Firewall policy:

  • Leave as-is all the rules that block traffic on all adapters. Do not change those rules.

  • Leave as-is the rule that allows VPN traffic on all adapters. Do not change that rule.

  • For all rules that use the action Allow, change the Adapter column from All Adapters to the name of the VPN adapter that you use.

  • Enable the rule that blocks all other traffic.

Note: You need to make all of these changes if you want to avoid the possibility of split tunneling through the VPN.

Reference: 

Best practices for Firewall policy settings http://www.symantec.com/docs/HOWTO55279

Also, check:

  • About firewall rules

  • Creating a firewall policy

  • Automatically allowing communications for essential network services

  • Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
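
The rule layout recommended in the reply above can be checked with a small model. This is an added example, not Symantec's rule engine and not code from the thread. It assumes top-down, first-match evaluation; the rule names, the gateway address 203.0.113.10, the host addresses and the use of port 443 for the tunnel's carrier connection are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

VPN_GW = "203.0.113.10"  # constructed VPN gateway address (documentation range)

@dataclass(frozen=True)
class Rule:
    name: str                      # hypothetical rule name
    action: str                    # "allow" or "block"
    adapter: Optional[str] = None  # None means "All Adapters"
    remote: Optional[str] = None   # None means any remote host
    port: Optional[int] = None     # None means any service port

    def matches(self, pkt: dict) -> bool:
        return ((self.adapter is None or self.adapter == pkt["adapter"])
                and (self.remote is None or self.remote == pkt["remote"])
                and (self.port is None or self.port == pkt["port"]))

def vpn_location_policy(keep_tunnel_rule: bool = True) -> list:
    rules = []
    if keep_tunnel_rule:
        # "Allows VPN traffic on all adapters": left as-is, not adapter-scoped.
        rules.append(Rule("allow-vpn-carrier", "allow", remote=VPN_GW, port=443))
    # An Allow rule narrowed from All Adapters to the VPN adapter.
    rules.append(Rule("allow-all-apps", "allow", adapter="vpn"))
    # The enabled rule that blocks all other traffic.
    rules.append(Rule("block-all-other", "block"))
    return rules

def evaluate(rules: list, pkt: dict) -> tuple:
    # Assumption of this model: the first matching rule decides.
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "implicit"

# Constructed packets using the subnets quoted in this thread.
PACKETS = {
    "rdp_over_vpn": {"adapter": "vpn", "remote": "192.168.112.10", "port": 3389},
    "rdp_from_wifi": {"adapter": "wifi", "remote": "192.168.200.50", "port": 3389},
    "tunnel_carrier": {"adapter": "wifi", "remote": VPN_GW, "port": 443},
}

def verdicts(rules: list) -> dict:
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("recommended layout:", verdicts(vpn_location_policy()))
    print("tunnel rule removed:", verdicts(vpn_location_policy(False)))
```

With the tunnel rule dropped, the carrier connection on the physical adapter falls through to the block rule, which is the behaviour the original poster saw when the Deny all rule broke the SSL VPN.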

SlitterAdmin's picture

Hello Mithun;

 

I have applied these recommendations, and now when the Cisco AnyConnect program establishes a VPN connection, it goes up and down - getting status messages that say "Connecting" then "Reconnecting". It finally maintains a connection after a few minutes of going up and down...

However, once the location switches to VPN; I can no longer browse the web, open network drives, etc.

Below is an image of the rules table for the VPN location... I checked the log, and traffic destined for internal addresses, like our email server, is matching the "Deny all other IP traffic" rule, as is internet traffic.

The traffic destined for private servers is originating from the VPN adaptor of the client machine (source 192.168.112.163 to destination EMAILSVR), and traffic for google.com is sourcing from 192.168.200.197 to google.com.

Note: VPN subnet is 192.168.112.0/24

Public Wifi (our test "Coffee Shop" network) is 192.168.200.0/24

 

 

SlitterAdmin's picture

I have an update - the custom VPN adaptor I created is no good (I followed the instructions in the admin guide, still doesn't work for me), so I am using the "Any VPN" for all the rules where it was suggested to use VPN only. Now things are working great! I have all services within my private network accessible through the VPN; however, now I cannot get out to the web -

I made a permit HTTP rule, by adding a custom HTTP service, and some sites work and others do not...

When checking the logs, outbound connections are being allowed, so I am hitting the server, but the reverse connection is getting blocked by the "Block all other" rule....

SlitterAdmin's picture

EDIT - The permit HTTP rule is enabled for "Wireless" adaptors - I will also add Ethernet when done testing.

I DO understand why web is being blocked: there is a rule that allows all applications, but it is only enabled for VPN. Since we do not allow web requests through our VPN tunnel, web traffic goes out the regular wireless adaptor to the public gateway to Internet, AKA the coffee shop network - so I added a rule that explicitly permits web traffic, and it works based on the logs. (That's how I knew I needed to explicitly permit web in the first place :)

 

Log attached.

Attachment: Book1.xlsx (12.94 KB)
SlitterAdmin's picture

Also, Exchange won't work anymore either...

I am so close, I have figured most of this out based on the tips given here - I just need Exchange to work over the VPN tunnel (Outlook hangs when it starts up and falls back to an HTTPS connection to our server).

And I just need to get web browsing working properly - all other goals have been accomplished.