Hi,
Creating a firewall policy
The Symantec Endpoint Protection includes a default Firewall policy with default firewall rules and default firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments, where limited boundary protection is available.
When you install the console for the first time, it adds a default Firewall policy to each group automatically.
Every time you add a new location, the console copies a Firewall policy to the default location automatically. If the default protection is not appropriate, you can customize the Firewall policy for each location, such as for a home site or customer site. If you do not want the default Firewall policy, you can edit it or replace it with another shared policy.
When you enable firewall protection, the policy allows all inbound IP-based network traffic and all outbound IP-based network traffic, with the following exceptions:
· The default firewall protection blocks inbound and outbound IPv6 traffic with all remote systems.
Note: IPv6 is a network layer protocol that is used on the Internet. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.
· The default firewall protection restricts the inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing).
Internal network connections are allowed and external networks are blocked.
The following table describes the tasks that you can perform to configure a new firewall policy. You must add a firewall policy first, but thereafter, the remaining tasks are optional and you can complete them in any order.

Table: How to create a firewall policy

Task: Add a firewall policy
Description: When you create a new policy, you give it a name and a description. You also specify the groups to which the policy is applied. A firewall policy is automatically enabled when you create it, but you can disable it if you need to.

Task: Create firewall rules
Description: Firewall rules are the policy components that control how the firewall protects client computers from malicious incoming traffic and applications. The firewall automatically checks all incoming packets and outgoing packets against these rules. It allows or blocks the packets based on the information that is specified in rules. You can modify the default rules, create new rules, or disable the default rules. When you create a new Firewall policy, Symantec Endpoint Protection provides default firewall rules. The default firewall rules are enabled by default.

Task: Enable and customize notifications to users that access to an application is blocked
Description: You can send users a notification that an application that they want to access is blocked. These settings are disabled by default.

Task: Enable automatic firewall rules
Description: You can enable the options that automatically permit communication between certain network services. These options eliminate the need to create the rules that explicitly allow those services. You can also enable traffic settings to detect and block the traffic that communicates through NetBIOS and token rings. Only the traffic protocols are enabled by default.

Task: (task name not given in the original)
Description: If the Symantec Endpoint Protection client detects a network attack, it can automatically block the connection to ensure that the client computer is safe. The client activates an Active Response, which automatically blocks all communication to and from the attacking computer for a set period of time. The IP address of the attacking computer is blocked for a single location. This option is disabled by default.

Task: Configure protection and stealth settings
Description: You can enable settings to detect and log potential attacks on the client and block spoofing attempts. You can enable the settings that prevent outside attacks from detecting information about your clients. All of the protection options and stealth options are disabled by default.

Task: Integrate the Symantec Endpoint Protection firewall with the Windows firewall
Description: You can specify the conditions in which Symantec Endpoint Protection disables the Windows firewall. When Symantec Endpoint Protection is uninstalled, Symantec Endpoint Protection restores the Windows firewall setting to the state it was in before Symantec Endpoint Protection was installed. The default setting is to disable the Windows firewall once only and to disable the Windows firewall disabled message.

Task: Configure peer-to-peer authentication
Description: You can use peer-to-peer authentication to allow a remote client computer (peer) to connect to another client computer (authenticator) within the same corporate network. The authenticator temporarily blocks inbound TCP and UDP traffic from the remote computer until the remote computer passes the Host Integrity check.
Note: You can only view and enable this option if you install and license Symantec Network Access Control.
This option is disabled by default.
Best practices for Firewall policy settings

Table: Firewall policy best practices

Scenario: Remote location where users log on without a VPN
Recommendation: The following settings are recommended as best practice for the Firewall policy:
· Assign the strictest security policies to clients that log on remotely without using a VPN.
· Enable NetBIOS protection.
  Note: Do not enable NetBIOS protection for the location where a remote client is logged on to the corporate network through a VPN. This rule is appropriate only when remote clients are connected to the Internet, not to the corporate network.
· To increase security, also block all local TCP traffic on the NetBIOS ports 135, 139, and 445.

Scenario: Remote location where users log on through a VPN
Recommendation: The following settings are recommended as best practice for the Firewall policy:
· Leave as-is all the rules that block traffic on all adapters. Do not change those rules.
· Leave as-is the rule that allows VPN traffic on all adapters. Do not change that rule.
· For all rules that use the action Allow, change the Adapter column from All Adapters to the name of the VPN adapter that you use.
· Enable the rule that blocks all other traffic.
Note: You need to make all of these changes if you want to avoid the possibility of split tunneling through the VPN.

Scenario: Office locations where users log on through Ethernet or wireless connections
Recommendation: Use your default Firewall policy. For the wireless connection, ensure that the rule to allow wireless EAPOL is enabled. 802.1x uses the Extensible Authentication Protocol over LAN (EAPOL) for connection authentication.
Regards
Ajin
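As an added example that is not part of Ajin's post or of the Symantec documentation it quotes, the script below expresses two of the best-practice recommendations above (block inbound TCP on the NetBIOS ports 135, 139 and 445 for a remote location without a VPN; bind every Allow rule to the VPN adapter so that nothing bypasses the tunnel) using the built-in Windows Firewall cmdlets rather than the Symantec console. It assumes Windows 8 / Server 2012 or later (the NetSecurity module), an elevated PowerShell session, and a VPN adapter alias that you supply; the rule names and the adapter alias 'Corp VPN' in the usage lines are placeholders.

```powershell
# Added example (not Symantec's own configuration): the same intent as the
# quoted best practices, applied with the Windows Firewall cmdlets.
# Assumptions: NetSecurity module available, elevated session, and a VPN
# adapter whose alias you pass in (list adapters with Get-NetAdapter).

# Recommendation for a remote location without a VPN: block inbound TCP on
# the NetBIOS/SMB ports 135, 139 and 445 for the Public profile, which is
# the profile a roaming client sits in on an untrusted network.
function Block-NetBiosInbound {
    param([string]$Profile = 'Public')
    $name = 'Block NetBIOS ports (remote, no VPN)'   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Protocol TCP -LocalPort 135,139,445 `
            -Action Block -Profile $Profile | Out-Null
    }
    # Return the rule so the caller can confirm it is enabled and set to Block
    Get-NetFirewallRule -DisplayName $name
}

# Recommendation for a remote location over a VPN: every Allow rule should
# be bound to the VPN adapter. This audit lists enabled inbound Allow rules
# that are NOT restricted to the given adapter alias; these are the rules
# whose adapter scope the post says to change from "All Adapters".
function Get-AllowRulesNotScopedToVpn {
    param([Parameter(Mandatory)][string]$VpnInterfaceAlias)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $iface = $_ | Get-NetFirewallInterfaceFilter
            # InterfaceAlias is 'Any' when a rule applies to all adapters;
            # it can also be a list, so compare with -notcontains.
            if (@($iface.InterfaceAlias) -notcontains $VpnInterfaceAlias) {
                [pscustomobject]@{
                    Name           = $_.DisplayName
                    InterfaceAlias = ($iface.InterfaceAlias -join ', ')
                }
            }
        }
}

# Re-scope a single Allow rule to the VPN adapter, which is the per-rule
# change the post recommends to avoid split tunneling.
function Set-RuleToVpnAdapter {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$VpnInterfaceAlias
    )
    Set-NetFirewallRule -DisplayName $DisplayName -InterfaceAlias $VpnInterfaceAlias
}

# Usage (the alias 'Corp VPN' and the rule name are placeholders):
# Block-NetBiosInbound
# Get-AllowRulesNotScopedToVpn -VpnInterfaceAlias 'Corp VPN' | Format-Table
# Set-RuleToVpnAdapter -DisplayName 'Some Allow rule' -VpnInterfaceAlias 'Corp VPN'
```

The audit function deliberately reports rather than changes rules: the post's own note says the block rules on all adapters and the rule that allows VPN traffic must stay as they are, so re-scoping should be applied only to the Allow rules you have reviewed, one at a time.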