Endpoint Protection


How to allow only outbound connections

  • 1.  How to allow only outbound connections

    Posted Sep 15, 2009 03:33 PM
    How can I configure a new Firewall Policy to allow all kinds of outbound connections, but block any inbound one?
    I mean, only my computer can start and establish a connection with another host, and the other hosts can't start a connection with my computer.


  • 2.  RE: How to allow only outbound connections

    Posted Sep 15, 2009 03:43 PM
    Refer to this KB for Best Practice White Paper.

    Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348

    Thomas




  • 3.  RE: How to allow only outbound connections

    Posted Sep 15, 2009 04:15 PM
    Thanks Thomas, I've read it but still don't know how to configure the rules =/

    Is it something like this?

    (Remote connections to any host allowed. All other traffic, including inbound connections, blocked)


  • 4.  RE: How to allow only outbound connections

    Posted Sep 15, 2009 04:54 PM
    Do you want to block it for a specific application like IE, RDP, VNC, etc., or for all?

    If you want to block for all, then:

    Move the rule that you have made up to no. 1 (now it's on 12),
    then create a new blank rule, change the action from allow to block, and move it to rule no. 2.

    Note: Test the behaviour of the rules in a test group in a test environment before applying the rules in the production environment.



  • 5.  RE: How to allow only outbound connections
    Best Answer

    Posted Sep 16, 2009 08:16 AM
    Create a new rule and only configure "service". Click "add" and use for example "ethernet" to allow all protocols. Select "outgoing" as a direction and allow the traffic.



    Create another rule to block everything and with two rules you are all set for a nice offline firewall policy.

    If you enable logging for the "block all rule" you can troubleshoot blocked connections and adjust the rule for your office as well ;)

    You can download a rule allowing ping, pong, tracert and RDP here: http://www.niwis.com/forums/downloads.php?do=file&id=80



  • 6.  RE: How to allow only outbound connections

    Posted Sep 18, 2009 09:28 AM
    Man, it was exactly what I wanted!
    Worked perfectly, only established connections are allowed, no one can send anything to the computer if it was not requested.

    Thanks a lot ;)


  • 7.  RE: How to allow only outbound connections

    Posted Oct 19, 2009 09:57 AM
    After some weeks of tests, I've found a strange behavior: the new policy is effectively blocking all types of non-solicited incoming connections. But when I try to remotely telnet to ports 25 and 110, the telnet console seems to stay connected for a couple of seconds before it is automatically dropped. And if I try to do a port scan (like nmap), it shows me that these two ports are open. Despite this behavior, if I check the open ports using netstat, none of these ports are listening. I'm pretty sure that there isn't any kind of software listening on these ports, like IIS.

    Is this behavior (of ports 25 and 110) normal?


  • 8.  RE: How to allow only outbound connections

    Posted Oct 19, 2009 11:10 AM
    Those are related to email... SMTP and POP, I believe.


  • 9.  RE: How to allow only outbound connections

    Posted Oct 19, 2009 12:02 PM
    Yes, you are right

    I've just read in this article:
    Norton Antivirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet Email

    Is this true? Could any Symantec employee confirm this?


  • 10.  RE: How to allow only outbound connections

    Posted Oct 19, 2009 12:10 PM
    Will this block unnecessary packets if not requested for it?


  • 11.  RE: How to allow only outbound connections

    Posted Oct 19, 2009 06:36 PM
    Grab a test machine and disable the SEP internet email protection.
    See if those ports are still open remotely.

    SEP does use a sort of proxy to get email but I am assuming if you turn off the functionality it should stop listening on those ports.
    I am also guessing the port 25 and 110 stuff is built into the default (hidden rules) which you can never turn off.

    Z



  • 12.  RE: How to allow only outbound connections

    Posted Oct 27, 2009 03:18 PM
    Just to let you know: after uninstalling the POP/SMTP protection feature, the machine can't see ports 25 and 110 as Open anymore.

    Thanks for all help!
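
A way to check the behaviour from posts 7 to 12 on a machine you administer, as an added example that is not part of the original thread: a port scan reports "open" for any port that completes the TCP handshake, so this probe also checks whether a greeting arrives. The names `probe`, `_demo_listener` and `demo`, the result labels and the local listeners are constructed for illustration.

```python
import socket
import threading

def probe(host, port, timeout=3.0):
    """Classify one TCP port by what happens after the handshake."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered"        # no reply at all, e.g. dropped by a block rule
    except OSError:
        return "closed"          # refused or unreachable: nothing accepts here
    with conn:
        try:
            greeting = conn.recv(256)
        except OSError:          # timeout or reset while waiting for data
            greeting = b""
    # SMTP (25) and POP3 (110) servers speak first, so an accepted
    # connection with no greeting is not a normal mail service.
    return "banner" if greeting else "silent-accept"

def _demo_listener(banner):
    """Constructed local listener: accept once, optionally greet, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def demo():
    """Run the probe against three constructed cases on loopback."""
    free = socket.socket()
    free.bind(("127.0.0.1", 0))
    unused_port = free.getsockname()[1]
    free.close()                 # nothing listens on this port any more
    return {
        "real service": probe("127.0.0.1", _demo_listener(b"220 demo ESMTP\r\n")),
        "proxy-like": probe("127.0.0.1", _demo_listener(None)),
        "no listener": probe("127.0.0.1", unused_port),
    }

if __name__ == "__main__":
    print(demo())
```

A `silent-accept` result on ports 25 and 110 matches what post 7 saw with telnet; `filtered` is the result to expect on ports covered by a block-all rule that drops traffic silently.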