
Port Scan Detection Exceptions

Created: 22 Aug 2013 • Updated: 23 Aug 2013 | 3 comments
This issue has been solved. See solution.

I am running SEP 12.1.3001.165, and have the firewall policy enabled with the option for Port Scan Detection also enabled, and the option checked to automatically block an attacker's address for x seconds. This works great, and blocks/logs port scanning activity.

However, I would like to create an exception so that certain internal IPs can scan our network for open ports and perform other types of port scanning activity.  Generally, these IPs would belong to our security staff, incident response, patching, anti-virus and networking teams.

I've figured out a few options that allow me to do this, but none seem totally ideal, and I am wondering if there is another "best method" that I am missing.

Option 1.

Create two firewall policies, one in which port scan detection is enabled, and the other disabled.  Create two groups, and apply each policy to one of the groups.  Create a host group containing all the hosts that are authorized to conduct port scanning on the network, and create a rule in the firewall policies to always allow traffic from those IP addresses.  Then, to prevent the return traffic from being detected as a port scan, also add those computers to the second group with the policy that disables the feature.

The problem with this is that if any computer on the authorized list becomes infected with something, all traffic from their PCs will be allowed on the network without being blocked by the firewall.

Option 2.

Enable port scan detection, but do not enable blocking.

The problem with this is that even though the port scan will be allowed, it is not blocked. It is only logged; thus it doesn't really increase security except to let us know there was a port scan performed.

Perhaps an option to "Allow port scans from this Host Group" could help in a future version of SEP, but in the meantime, how can I take advantage of this awesome security feature, but still allow my administrative staff to conduct port scans on our own network without being blocked by our own security software?

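Whichever option is chosen, the practical check is the same: from a host that is supposed to be exempt (or from one that is not), run a small connect scan against a target in the SEP group and see whether the target still answers afterwards, which tells you whether the scanner's source address was auto-blocked. The script below is an added example for that check and is not part of the original post or Symantec's tooling; the host, port and timing values are assumptions, and the localhost listener in the test is a constructed stand-in for a real SEP-protected target.

```python
import socket
import threading
import time


def tcp_probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_scan(host, ports, timeout=0.5):
    """Quick TCP connect scan; returns the ports that accepted a connection.
    Hitting several closed ports in a row is what SEP's Port Scan Detection
    keys on, so this is enough to trigger the auto-block on a non-exempt source."""
    return [p for p in ports if tcp_probe(host, p, timeout)]


def classify(canary_before, canary_after):
    """Interpret the canary probes taken before and after the scan."""
    if not canary_before:
        return "target-unreachable"   # nothing to conclude; target never answered
    return "allowed" if canary_after else "blocked"


def check_autoblock(host, canary_port, scan_ports, settle=2.0):
    """Probe a known-open 'canary' port, scan, wait, probe the canary again.
    A canary that answered before the scan but not after means the scanning
    host's address was blocked by the target's firewall (the SEP auto-block)."""
    before = tcp_probe(host, canary_port)
    opened = connect_scan(host, scan_ports)
    time.sleep(settle)  # give the client-side firewall time to apply the block
    after = tcp_probe(host, canary_port)
    return {
        "canary_before": before,
        "open_ports": opened,
        "canary_after": after,
        "verdict": classify(before, after),
    }


def measure_block_duration(host, canary_port, max_wait=600, interval=5):
    """After a 'blocked' verdict, poll the canary until it answers again.
    Returns the seconds elapsed (roughly the configured x-second block), or
    None if the block outlasts max_wait."""
    start = time.monotonic()
    while time.monotonic() - start < max_wait:
        if tcp_probe(host, canary_port):
            return int(time.monotonic() - start)
        time.sleep(interval)
    return None


def start_canary_listener(port=0):
    """Constructed stand-in for a real target: a local TCP listener that
    accepts and immediately closes connections. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port():
    """Pick a port that is (very probably) closed, to give the scan something to hit."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Assumed values: a SEP-protected target, a port it is known to serve, and a
    # range of ports that are mostly closed. Run this once from an exempt host
    # (expect "allowed") and once from a non-exempt host (expect "blocked").
    target, canary = "192.0.2.10", 445
    result = check_autoblock(target, canary, range(20000, 20040))
    print(result)
    if result["verdict"] == "blocked":
        print("block lifted after", measure_block_duration(target, canary), "seconds")
```

Run it from both an exempt and a non-exempt machine: the exempt one should report "allowed" with the scan logged on the target, the non-exempt one should report "blocked" and then a duration close to the configured block time. If the exempt machine also reports "blocked", the return traffic from the target is still being treated as a scan and the exception is not in effect on the right policy.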

Comments (3)

.Brian:

In the IPS policy, add the IP under the Excluded Hosts option.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Wright1968:

Wouldn't that merely disable IPS on those clients? I still want IPS to be turned on; I only want to allow them to conduct port scans on our network.

.Brian:

It sure would, but because there is no easy way around this, you need to pick an option that will leave you the most secure while doing this.

Option 2 would be ideal I suppose. Are these scans going to be happening on a constant basis? If not, they could just disable NTP to do their work and re-enable (can be done automatically after a certain time period).

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION