NTP Possible Firewall Leak
I'm wondering if anyone else has experienced this.
I've set up some rules by application and network adapter. Basically, ping.exe is blocked through all adapters in one rule. Then, in another rule that comes before this, ping.exe is allowed through the VPN adapter only. Ping.exe is used for testing purposes as part of a larger project, which allows us to see if our rules are working. I.e., we want certain business apps to work through the VPN only and to not leak anything outside of the VPN.
About 99.999% of the time ping is blocked as it should be when the VPN is not active. However, every now and then a ping gets through! We have no idea why because no adjustments are being made to the FW at that time.
Does anyone know why this happens? It seems like the SEP NTP firewall is failing once in every many, many thousand ping attempts. Our concern is that this might be a leak, rendering the VPN compromised.
SEP V12.1.671.4971 upgraded from V11.??. Windows 7. OpenVPN client integrated with VPN provider's solution.
In the logs it indicates that, whilst ping.exe sends the request, ntoskrnl.exe does the receiving as per a different rule that I presume comes preset in SEP, as we did not set it. I.e., the rule triggered by ping outbound is our ping.exe rule, and the rule triggered on return is called "Allow ping reply". This rule is not listed in the FW config, so it might be to do with the way an app that sends data is allowed to receive data back.
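An added example, not part of the original post: one way to check whether the rare successful pings really occur while the VPN is steadily down is to correlate ping results with VPN adapter state changes, setting aside replies that land within a few seconds of a state change. The two log formats, the timestamps and the names `classify`, `parse` and `guard_seconds` are assumptions made for illustration; they are not SEP or OpenVPN output.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed sample data (not from the post): VPN adapter state changes
# and ping outcomes, one "ISO-timestamp word" pair per line.
VPN_EVENTS = """\
2012-03-01T09:00:00 up
2012-03-01T09:30:00 down
2012-03-01T10:15:00 up
"""
PING_RESULTS = """\
2012-03-01T09:10:00 reply
2012-03-01T09:30:01 reply
2012-03-01T09:45:00 blocked
2012-03-01T09:50:12 reply
2012-03-01T10:14:59 reply
2012-03-01T10:20:00 reply
"""

def parse(text):
    """Return a time-sorted list of (datetime, word) tuples."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), word) for ts, word in rows)

def classify(vpn_text, ping_text, guard_seconds=2):
    """Label each ping reply by the VPN state in force when it arrived.

    via_vpn    : VPN adapter was up, so a reply is expected.
    transition : VPN was down but changed state within guard_seconds, so
                 timestamps alone cannot settle which adapter carried it.
    leak       : VPN was steadily down; compare with the firewall log.
    """
    events = parse(vpn_text)
    times = [t for t, _ in events]
    guard = timedelta(seconds=guard_seconds)
    out = []
    for ts, result in parse(ping_text):
        if result != "reply":
            continue  # a blocked ping is the intended outcome
        i = bisect_right(times, ts) - 1  # last state change at or before ts
        state = events[i][1] if i >= 0 else "down"  # assume down before first event
        near = any(abs(ts - t) <= guard for t in times)
        label = "via_vpn" if state == "up" else ("transition" if near else "leak")
        out.append((ts.isoformat(), label))
    return out

if __name__ == "__main__":
    for ts, label in classify(VPN_EVENTS, PING_RESULTS):
        print(ts, label)
```

Replies labelled `leak` are the ones worth matching against the firewall log entries for the ping.exe rule and the "Allow ping reply" rule at the same timestamp.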