Endpoint Protection

  • 1.  Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 28, 2015 06:49 AM

    Hello,

    I hope you can help me with the following request from our security department or tell me what you would suggest to improve in this scenario.

    Currently, clients that are in a "public network" (home/hotels/partner side) do not have very strict firewall rules. However, our security management wants to block all kinds of file sharing. For this we already blocked USB/SD/mobile devices on our clients. When you are at home, for example, you could simply connect to your private NAS and copy all kinds of data. I don't think that you can block this by blocking specific ports, because you can also access your NAS system via browsers and normal HTTP/HTTPS. Also, you are not surfing over any kind of proxy when you are in a public network.

    One idea was to block the access as a whole like this:

    Client is in a public network --> Block all Connections but some company sites and VPN connection.

    When you are connected over VPN everything should work like before as you are using the internal network/proxy now.

    This could work in theory, but how could we allow additional websites like hotel WLAN sites, etc., and what else should we consider?


    Thanks and Regards




  • 2.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 28, 2015 06:52 AM
    You could only allow traffic over your VPN adapter and block all other adapters from passing traffic.


  • 3.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 28, 2015 06:58 AM

    Hello Brian,

    Thanks for the fast response. Yes, I could do this, but the following things have to work before opening a VPN connection:

    - Outlook Webaccess

    - Request software VPN Token

    I could do this by blocking all traffic and only allowing 80/443 for these specific sites, I think, but that's why I mentioned hotel WLAN sites.

    When you are in hotels you often buy WLAN access and get a code. Then you connect to the WLAN and browse to a specific website where you have to authenticate to get into the hotel WLAN.

    I cannot allow all of these specifically.




  • 4.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 28, 2015 07:07 AM
    Yeah, that was going to be my next suggestion: allowing 80/443 only. As far as I know, allowing them should still allow the hotel link. But again, you're limited here in that you either have to know for sure or allow a relaxed fw ruleset. You may need to do some research on what ports are needed for a hotel, but I assume 80/443 would be fine unless you've seen different.


  • 5.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 28, 2015 07:09 AM

    You can use the location awareness feature of SEP.

    How to use location awareness to restrict policies on a Symantec Endpoint Protection client but allow them to be unrestricted by IT personnel

    http://www.symantec.com/business/support/index?page=content&id=HOWTO65757

    These are just examples; just go through them to see if you can get what you are looking for.

    Use Case of Location Awareness and Network Threat Protection with SEP (11/12)

    https://www-secure.symantec.com/connect/articles/use-case-location-awareness-and-network-threat-protection-sep-1112



  • 6.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 28, 2015 08:32 AM

    Hello Rafeeq,


    Thanks for your response. I know about location awareness, and we already use this and it's working fine.

    The problem is more about the firewall rules that we could use to increase the security in the "Public" location (block "surfing" + file sharing).


    We use the following locations:

    Internal_Ethernet: No Firewall Rules + Block WLAN

    Intenal_WLAN: No Firewall Rule

    Public: Some Basic Firewall Rules

    VPN: Some Basic Firewall Rules



  • 7.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 29, 2015 04:32 AM

    Hello Brian,


    Yes, this would work for our internal sites and sites like hotel WLAN portals.

    However, I think it would also be possible to use services like Dropbox, which is a "no-go".


    Any further ideas on this?



  • 8.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 29, 2015 06:25 AM

    You could block dropbox in a separate rule (DNS domain: dropbox.com, services: remote 80/443, outgoing) before the 80/443 allow rule.

    Unfortunately there are tons of filesharing services (OneDrive, Google Drive to begin with), so you have to do a lot of work here.




  • 9.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 29, 2015 06:43 AM

    Hi Greg,

    Yes, this would work, but like you said, it is not really possible to block all file-sharing sites.

    Hmm, I guess I will have to talk to our security department again and tell them that this is not really possible without affecting sites like hotel WLANs.



  • 10.  RE: Symantec Endpoint Protection - Public Firewall Rules

    Posted Jan 29, 2015 07:55 AM

    Greg hit it on the head. Your ruleset for off-network is going to be more complex and will require multiple rules in place to get the desired result. It's possible, but maybe not practical in terms of the testing and resources needed to get this accomplished. It just depends on how much time you want to spend on it.
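    The rule-ordering point from posts 8 to 10 (a block rule for dropbox.com must sit before the 80/443 allow rule, and every service not explicitly listed still falls through to the allow) can be checked with a small first-match model of the "Public" location ruleset. This is an added illustration, not Symantec code or configuration; the rule names, the connection samples and the evaluator are constructed assumptions that mimic the ordered, first-match semantics the thread describes.

    ```python
    """First-match model of an ordered firewall ruleset for the 'Public' location.

    Constructed illustration (not SEP code): rule names, hosts and ports are assumed.
    """
    from dataclasses import dataclass
    from typing import Optional


    @dataclass(frozen=True)
    class Rule:
        name: str
        action: str                                  # "allow" or "block"
        remote_ports: Optional[frozenset] = None     # None = any remote port
        domain_suffix: Optional[str] = None          # None = any host (DNS-domain match)
        adapter: Optional[str] = None                # None = any adapter


    @dataclass(frozen=True)
    class Connection:
        host: str
        port: int
        adapter: str = "wifi"                        # assumed adapter name for hotel/home WLAN


    def matches(rule: Rule, c: Connection) -> bool:
        """A rule matches only when every specified criterion matches."""
        if rule.remote_ports is not None and c.port not in rule.remote_ports:
            return False
        if rule.domain_suffix is not None and not (
            c.host == rule.domain_suffix or c.host.endswith("." + rule.domain_suffix)
        ):
            return False
        return rule.adapter is None or c.adapter == rule.adapter


    def evaluate(rules: list, c: Connection) -> tuple:
        """Return (action, rule name) of the first matching rule; implicit deny otherwise."""
        for r in rules:
            if matches(r, c):
                return r.action, r.name
        return "block", "implicit-deny"


    # Ordered ruleset as suggested in the thread: VPN adapter first, the Dropbox
    # block before the generic 80/443 allow, everything else implicitly denied.
    PUBLIC_RULES = [
        Rule("allow-vpn-adapter", "allow", adapter="vpn"),
        Rule("block-dropbox", "block", frozenset({80, 443}), domain_suffix="dropbox.com"),
        Rule("allow-web", "allow", frozenset({80, 443})),
    ]

    if __name__ == "__main__":
        for c in (Connection("owa.corp.example", 443), Connection("portal.hotel.example", 80),
                  Connection("www.dropbox.com", 443), Connection("onedrive.live.com", 443),
                  Connection("nas.home.lan", 445), Connection("nas.home.lan", 80)):
            print(f"{c.host}:{c.port} via {c.adapter} -> {evaluate(PUBLIC_RULES, c)}")
    ```

    Running it shows the gap the thread ends on: Dropbox is blocked, but OneDrive and a home NAS web UI on port 80 pass through the same allow rule, while SMB (445) to the NAS is only stopped by the implicit deny.
    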