Endpoint Protection


Network Threat Best Practices & Default Rules

  • 1.  Network Threat Best Practices & Default Rules

    Posted Jun 11, 2009 03:32 PM
    I read through the "Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper" and I have a couple questions I was hoping someone could answer.  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348

    When talking about the rules installed by default it says...

    "The Logging rules include: Do not log broadcast and multicast traffic, block and log IP traffic, and block all other traffic."

    The rule below seems to correspond to the bolded rule above.


    The white paper says it blocks and logs IP traffic.  The rule seems to allow any IP traffic and doesn't log.

    The rule as stated in the white paper makes sense to me.  The default rule above (Rule #13) doesn't make sense to me because it seems to allow any and all IP traffic.

    I can account for and understand all the other rules in the white paper, except the bolded one.

    Did I get something wrong?  Or is the white paper or installed rule wrong?

    Thanks!

    Jamie


  • 2.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 11, 2009 03:34 PM
    Forgot the second question...

    White paper says that "Reverse DNS Lookup" is enabled by default, however when I did a fresh install it was not enabled. 

    Which is correct?


  • 3.  RE: Network Threat Best Practices & Default Rules
    Best Answer

    Posted Jun 11, 2009 03:41 PM
    The rule number 13 you see is just for not doing any damage by default.
    SEP had many issues with the firewall. So the default firewall rules are such that all your applications and networks work smoothly. After that, users can configure the firewall according to their environment and requirements.
    The same thing with reverse DNS lookup. SEP had a few issues with this as well, so it has been kept unchecked.

    A firewall is something that is solely based on rules. If the default rules are strict, end users won't be able to use it at all and it will create huge call volumes.
    Remember there are people with less technical expertise (on computers or SEP) who are using SEP and go by default rules and configurations.


  • 4.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 11, 2009 03:43 PM
    Forgot to mention there are many people who use NTP just for the IPS and they want the firewall to just log everything, not block anything.
    And once I have the logs I can easily define my requirements for the rules. 


  • 5.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 11, 2009 04:28 PM
    Thank you for the comments.  I understand what you are saying.  However, unless I'm reading the rules wrong, the default rules are even less secure than, say, the default Windows Firewall.  Windows Firewall at least by default blocks everything incoming.  Rule 13 seems to allow anything to go in any direction just as long as it is IPv4.  It is almost like not having a firewall on.  That seems to be more dangerous for people with less knowledge because they take the defaults and later find out nothing is really being blocked.

    Or am I just reading the rules wrong?



  • 6.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 11, 2009 06:35 PM
    sensors, that's true... by default the firewall is very open, but bear in mind there is a powerful IPS engine running behind it, so malicious traffic should be picked up that way.

    As Vikram-Kumar said, when we first released SEP we took the approach "block all incoming" but quickly had to change that as people installed the full client onto their servers without doing much research (hey, it was only an "upgrade" from their AntiVirus product after all) and instantly none of their clients could talk to their servers, or, in extreme cases, get IP leases.

    As you can imagine, that generated a MASSIVE number of support calls and of course, every single one of them was "our fault".  For that reason, the on-high decision was made to change the default ruleset to what you see in the product now.  Is it probably too open?  Yes, but we are working on that.  Our SBE product is already a little better in terms of configuration for the firewall and that will come across to SEP in the next version, along with some better default rules, but we are never going to be able to please everyone out of the box :-)




  • 7.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 04:28 AM
    I would also suggest you go with the default rules; it's more than enough to protect your network.


  • 8.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 08:20 AM
    It is always difficult to please everybody with firewall configuration... as it is very environmental.
    E.g. Telnet... by default if we block it... there are many organizations whose business-critical apps work on telnet..
    But as firewall security practice, security admins will always want this disabled.... and more and more..


  • 9.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 08:44 AM
    Thank you for the explanation!  My comments were not meant as a criticism.  I was worried that I didn't understand the rules.  Especially after reading the best practices knowledge base article which didn't match what I saw.  

    I can now understand how you got to where you are and don't fault anyone for that.  I would only suggest that the best practices knowledge base be updated to match the current defaults.  I think it would also be a good idea to include in that article a slightly more detailed explanation of the default rules.  I know that would have helped me.

    Let me just add that as a customer I really appreciate that Symantec Employees are answering questions on this forum and in a timely manner.


  • 10.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 08:48 AM
    I would trust the default settings for computers that are only connected to my LAN because it is protected by the corporate firewall.  However, I have laptops that, besides being used at home, also spend time traveling the world.  I'm not sure I would trust all incoming IP traffic for a laptop using a public WiFi in, say, China or even in the US.

    For traveling laptops would you still suggest the default rules?


  • 11.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 01:02 PM
    An additional note here. Symantec could allow only traffic to commonly used ports by default. The major drawback here is that malware and botnets also use the commonly used ports to do their thing.


  • 12.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 01:17 PM
    Another idea is to provide multiple firewall policies just like the multiple AV policies.  Set the current one as default, but provide other tighter ones as examples.

    Speaking of the multiple AV policies...  It would be nice to have a way to print out policies.  It would make comparing and reviewing policies easier.  I had to do a lot of clicking to figure out what the exact differences between the three policies were.

    Jamie


  • 13.  RE: Network Threat Best Practices & Default Rules

    Posted Jun 12, 2009 03:11 PM
    I think that is a great suggestion.  I also found it frustrating when we first started playing with the firewall and was very surprised to find that rule, but no sample rule for a "basic stateful firewall".  Symantec should either ship some other sample policies, or at least provide a rule that is disabled by default that is a generic stateful firewall.
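As an added illustration of the point raised in posts 5 and 13 above (this is example code written for this page, not part of the thread and not an export of a real SEP policy), the toy first-match evaluator below models the rule ordering as the thread describes it and reports which rules can never fire. The rule names, the multicast-only treatment of the "do not log" rule and the sample traffic are constructed assumptions.

```python
"""Toy first-match firewall evaluator: shows that an 'allow any IP' rule placed
before 'block all other traffic' shadows the block rule for all IPv4 traffic.
Rule lists are a constructed model of the thread's wording, not a SEP export."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    log: bool
    dst: Optional[IPv4Network] = None  # None matches any destination

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: IPv4Address

def matches(rule: Rule, pkt: Packet) -> bool:
    # All modelled rules are IPv4-only; destination is the only selector used.
    return rule.dst is None or pkt.dst in rule.dst

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """Return (rule name, action, logged) of the first rule that matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action, rule.log
    raise LookupError("no rule matched")  # a real policy ends with a catch-all

def shadowed(rules: List[Rule], traffic: List[Packet]) -> List[str]:
    """Names of rules that no packet in the sample traffic ever reaches."""
    hit = {evaluate(rules, p)[0] for p in traffic}
    return [r.name for r in rules if r.name not in hit]

MULTICAST = IPv4Network("224.0.0.0/4")
# Installed defaults as the original poster read them (rule 13 = allow any IP).
INSTALLED = [
    Rule("Do not log multicast", "allow", False, MULTICAST),
    Rule("Rule 13: allow any IP", "allow", False),
    Rule("Block all other traffic", "block", True),
]
# Defaults as the white paper describes them (block and log IP traffic).
WHITEPAPER = [
    Rule("Do not log multicast", "allow", False, MULTICAST),
    Rule("Block and log IP traffic", "block", True),
    Rule("Block all other traffic", "block", True),
]
# Constructed sample: one inbound unicast TCP connection, one mDNS datagram.
SAMPLE = [Packet("tcp", IPv4Address("192.0.2.10")),
          Packet("udp", IPv4Address("224.0.0.251"))]
```

Run `shadowed(INSTALLED, SAMPLE)` to see that the block rule is unreachable under the installed ordering, while `evaluate(WHITEPAPER, SAMPLE[0])` shows the same connection blocked and logged under the white paper's ordering.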