
Symantec Critical System Protection - Linux - Firewall Policy

Created: 01 Nov 2013 | 9 comments

Hi, 

I would like to check: when we deploy the SCSP Linux agent, which firewall (SCSP host-based firewall rules or Linux iptables) will take precedence?

If I would like to use the SCSP host-based firewall rules to control the inbound and outbound rules, how can I achieve that?

Please help. Having a hard time deploying the Linux agent for SCSP! -_-



Chuck Edson:

SCSP's "firewall" (Network Control) works at the Application Layer.  It blocks applications/processes from establishing a connection to the network stack.

This means that SCSP will allow/deny applications the ability to listen/send on a TCP or UDP port. 

So, any other firewall will block network traffic at the network layer, while SCSP blocks at the application layer.  Both SCSP Network Control and a host based firewall can co-exist.

As far as precedence, it is kind of like comparing apples and oranges.  SCSP will block anything from listening or transmitting at the application level, while a "regular" firewall will intercept the network traffic and drop packets that are destined to ports that are configured to be blocked.

If a post helps you, please mark it as the solution to your issue.

SF002013:

thanks for the reply. 

I will like to clarify on something:

On most Linux appliances, they will have "iptables" for their host-based firewall. Which means I can deploy SCSP's "firewall" (Network Control) together with the Linux appliance's "iptables"?

Chuck Edson:

Yes, you can use IPTables and the Network Control portion of SCSP together, at the same time.


SF002013:

My SCSP's "firewall" (Network Control) is not working. I have turned off iptables on the Linux host with the SCSP agent installed.

I tried to block a port on the Global Policy Options > Network Controls. But it is not taking effect.

What else can I do?

Chuck Edson:

That may be because there is something under global that is allowing the behavior.  

Any of the other rules that are found in the out of the box Process Sets, Daemon Options, Interactive Program Options, or Custom Programs can override the Global Policy Options.

What are you doing as a test?  What port are you blocking?


SF002013:

We are trying to block a port on the SCSP agent for Syslog. We just want to test the concepts of the network controls rules.

Chuck Edson:

How are you testing this?

Note that CSP network controls do not reside at the network layer -- the network controls control the ability of a process to make a connection to the network stack.  If you are using a port scanner, then that will give you a false positive, because CSP does not inspect packets and drop them, it works more or less at the application layer.

Do you have a Syslog server on the CSP Agent machine that you want to control?


SF002013:

Yes, I have a CSP Agent installed on a Syslog server.

Machine A, Machine B - Linux OS

Machine A (no CSP Agent install) is trying to send Syslog to Machine B (CSP Agent installed).

Is it possible to show how I can test the concepts of CSP Network Controls using the above scenario?

Chuck Edson:

Create a custom program (custom PSET), and add the executables of the Syslog server to it, then you can control the Syslog server.

You can also profile the application. See https://www-secure.symantec.com/connect/forums/scsp-application-profiling for info on this.

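For the Machine A / Machine B scenario in the thread, here is an added example (not code from the thread, from Symantec or from the replies above) showing the difference between what a port scan measures and what an application-layer control affects: run on the receiving host, it checks whether a process can bind and receive on a UDP port, with iptables off as in the thread. The use of port 0 in place of UDP 514, the errno interpretation and the sample syslog line are assumptions for the test.

```python
"""Added example (not from the thread or Symantec): loopback harness for testing
an application-layer network control on a syslog receiver. Assumes iptables
is off, as in the thread, so a failing bind() points at the process-level
control, not a packet filter; port 0 stands in for UDP 514, which needs root."""
import errno
import socket

# Constructed sample line in RFC 3164 style; PRI 14 = facility user (1) * 8 + info (6)
SAMPLE_SYSLOG = b"<14>Nov  1 10:00:00 testhost nettest: constructed sample"


def try_listen(port: int, host: str = "127.0.0.1") -> tuple:
    """Do what a syslog daemon does first: bind a UDP socket -> (ok, errno).
    A process-level control surfaces here as an OS error; a packet filter
    never touches bind(), which is why a port scan cannot test it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return True, 0
    except OSError as exc:
        return False, exc.errno or -1
    finally:
        sock.close()


def interpret(bind_ok: bool, err: int) -> str:
    """Map the bind() outcome to the conclusion the tester wants."""
    if bind_ok:
        return "process can listen on this port: no application-layer block"
    if err in (errno.EACCES, errno.EPERM):
        return "bind refused by the OS: consistent with a process-level network control"
    if err == errno.EADDRINUSE:
        return "port busy: stop the real syslog daemon or test another port"
    return f"bind failed with errno {err}"


def send_and_receive(port: int, payload: bytes, host: str = "127.0.0.1"):
    """Listen like the daemon (Machine B), send like the client (Machine A);
    return the datagram that arrived, or None if the listener could not bind
    or nothing came back within the timeout."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind((host, port))
        rx.settimeout(2.0)
        tx.sendto(payload, rx.getsockname())
        return rx.recvfrom(2048)[0]
    except OSError:
        return None
    finally:
        rx.close()
        tx.close()
```

A bind() that fails with EACCES/EPERM while iptables is disabled is the signature of a process-level block; a packet filter would instead leave bind() succeeding and the datagram silently missing on the receiving side.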