Endpoint Protection

  • 1.  SEP Firewall Stateful/Incoming

    Posted Jul 29, 2013 10:21 AM

    Correct me if I’m wrong, but the SEP12 firewall is a stateful FW, so it looks at the connection state and packets that match specific rules. As such, does the SEP Firewall block any inbound connections by default? I myself don’t think so, but was asked this question. I stated that the SEP12 firewall will allow or block traffic in a stateful “packet” inspection manner, based on predefined rules and/or signatures. So if you have the ALLOW ALL rule selected, it will allow inbound and outbound. But by design, I don’t think it just says anything inbound is blocked.

    Let me know, thanks.




  • 2.  RE: SEP Firewall Stateful/Incoming

    Posted Jul 29, 2013 10:24 AM

    Yes, it is stateful.

    Have you checked out the default policies:

    http://www.symantec.com/docs/TECH180569

    This is what is blocked in the default policy applied.



  • 3.  RE: SEP Firewall Stateful/Incoming

    Trusted Advisor
    Posted Jul 29, 2013 10:28 AM

    Hello,

    Yes, it is stateful.

    Firewall rules control how the client protects the client computer from malicious inbound traffic and malicious outbound traffic. The firewall automatically checks all the inbound and the outbound packets against these rules. The firewall then allows or blocks the packets based on the information that is specified in rules. When a computer tries to connect to another computer, the firewall compares the type of connection with its list of firewall rules. The firewall also uses stateful inspection of all network traffic.

    When you enable firewall protection, the policy allows all inbound IP-based network traffic and all outbound IP-based network traffic, with the following exceptions:

    • The default firewall protection blocks inbound and outbound IPv6 traffic with all remote systems. Note: IPv6 is a network layer protocol that is used on the Internet. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.

    • The default firewall protection restricts the inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing).

      Internal network connections are allowed and external networks are blocked.

    Check these Articles:

    About the Symantec Endpoint Protection firewall

    http://www.symantec.com/docs/HOWTO80961

    Creating a firewall policy

    http://www.symantec.com/docs/HOWTO80974

    Symantec Endpoint Protection Manager 12.1 - LiveUpdate - Policies explained

    http://www.symantec.com/docs/TECH178257

    Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

    http://www.symantec.com/docs/TECH180569

    Hope that helps!!



  • 4.  RE: SEP Firewall Stateful/Incoming

    Posted Jul 29, 2013 11:21 AM

    The default stance of any firewall is that it will block any/all connections for which there is not a rule specifically allowing it. This is also true of the SEP FW. A quick test to demonstrate is to create and assign a FW policy with no rules at all. This policy will cause SEP to block all inbound and outbound connections (other than the hidden ones for LiveUpdate and SEPM heartbeats).

    The only thing the stateful bit of it adds is that if a rule is created to allow traffic out, then the response is allowed automatically back in.

    http://www.symantec.com/docs/HOWTO80817

    Obviously, it's still possible to create rules to explicitly allow unsolicited inbound traffic if you want, but it is blocked by default.
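    The behaviour described in reply 3 (a default-like policy that allows most traffic but blocks inbound connections to a few attack-prone services) and in reply 4 (a rule-less policy blocks everything; a stateful allow-out rule admits only the replies) can be modelled with a small first-match, default-deny stateful filter. This is an added illustration written for this thread, not Symantec's code and not a reader of real SEP policy files: the Packet/Rule shapes, rule names and port numbers are constructed assumptions, and the "state" here is a simple flow table keyed on the 4-tuple rather than whatever SEP tracks internally.

```python
"""Toy stateful, first-match, default-deny packet filter (added example, not SEP's code).

Models the points made in the thread:
  * a policy with no rules blocks everything (default deny)
  * an "allow outbound" rule lets the *reply* back in via connection state,
    while unsolicited inbound traffic is still blocked
  * a default-like policy (block inbound SMB, then allow all) needs the block
    rule ahead of the allow-all rule because matching is first-match
All hosts, ports and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to the host running the filter
    proto: str            # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int
    syn: bool = True      # True = new connection attempt, False = reply to an existing flow


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: Optional[str] = None    # None matches both directions (like Local/Remote + Source/Dest left open)
    proto: Optional[str] = None
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        fields = (("direction", self.direction), ("proto", self.proto),
                  ("local_port", self.local_port), ("remote_port", self.remote_port))
        return all(v is None or v == getattr(p, k) for k, v in fields)


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)        # evaluated top-down, first match wins
        self.state = set()              # flows (proto, lport, rip, rport) that an allow rule let OUT

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.local_port, p.remote_ip, p.remote_port)
        # Stateful inspection: a reply to a flow we allowed out is admitted without
        # consulting the rule list at all (the "response is allowed back in" from reply 4).
        if p.direction == "in" and not p.syn and key in self.state:
            return "allow (state)"
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out":
                    self.state.add(key)    # remember the flow so its replies pass
                return f"{r.action} ({r.name})"
        return "block (default)"          # no rule matched: implicit deny


def no_rules_policy() -> Tuple[str, str]:
    """Reply 4's test: a policy with no rules blocks both directions."""
    fw = StatefulFirewall([])
    return (fw.decide(Packet("out", "tcp", 51000, "203.0.113.10", 443)),
            fw.decide(Packet("in", "tcp", 3389, "203.0.113.10", 51200)))


def outbound_only_policy() -> Tuple[str, str, str]:
    """One allow-out rule: outbound passes, its reply passes via state, unsolicited inbound is blocked."""
    fw = StatefulFirewall([Rule("allow-outbound", "allow", direction="out")])
    out = fw.decide(Packet("out", "tcp", 51000, "203.0.113.10", 443))
    reply = fw.decide(Packet("in", "tcp", 51000, "203.0.113.10", 443, syn=False))
    unsolicited = fw.decide(Packet("in", "tcp", 3389, "203.0.113.10", 51200))
    return out, reply, unsolicited


def default_like_policy() -> Tuple[str, str]:
    """Reply 3's shape: allow all, except inbound to an attack-prone service (SMB/445 here).
    RDP (3389) is deliberately NOT in the block list, matching reply 5's complaint."""
    rules = [Rule("block-inbound-smb", "block", direction="in", proto="tcp", local_port=445),
             Rule("allow-all", "allow")]
    fw = StatefulFirewall(rules)
    smb = fw.decide(Packet("in", "tcp", 445, "203.0.113.10", 51300))
    rdp = fw.decide(Packet("in", "tcp", 3389, "203.0.113.10", 51200))
    return smb, rdp


if __name__ == "__main__":
    print("no rules:      ", no_rules_policy())
    print("allow out only:", outbound_only_policy())
    print("default-like:  ", default_like_policy())
```

    Swapping the two rules in `default_like_policy` would let the inbound SMB packet match `allow-all` first, which is the ordering mistake the thread's "bi-directional rule creation" remark hints at: with a real ALLOW ALL rule near the top, anything you intend to block must sit above it.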



  • 5.  RE: SEP Firewall Stateful/Incoming

    Posted Jul 29, 2013 12:08 PM

    Awesome, thanks @SMLatCST, that's my understanding. The whole thing that a lot of people sometimes tend to forget is bi-directional rule creation (i.e. thus SEP's Local/Remote and Source/Dest categories).

    One thing that I don’t like is RDP not being in the list that Mithun (thank you, by the way, also) states. RDP is a big no-no to leave wide open when your node leaves the confines of your network-monitored fortress...

    The "Allow ALL" is often required to get work done, especially for R&D environments.

    I just wanted to ensure that if a specific signature-based attack hits, and might not match a rule, IPS fires first (as it technically does in fact, 99.9% sure :) ) and grabs said infection.

    Thanks for the replies gang, as always, appreciated!



  • 6.  RE: SEP Firewall Stateful/Incoming

    Posted Jul 29, 2013 12:18 PM

    According to the below article, the processing order between IPS and FW is a bit convoluted:

    http://www.symantec.com/docs/HOWTO81187

    Hope that helps, and doesn't confuse things further. As always, it'd be appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution.



  • 7.  RE: SEP Firewall Stateful/Incoming

    Posted Jul 29, 2013 12:51 PM

    Another side bar..


    Is there a way to set the on or off action for the "Remember" check mark... Do I hear "Product Enhancement"...


    In this case, I don't want the default action to be set to REMEMBER LAST SELECTION. So how can I set this to default to off... Why, why...


    (attachment: SEP_Prompt.jpg, screenshot of the firewall prompt with the "Remember" check box)