
Website blocking via custom IPS signatures

Created: 29 Jan 2010 • Updated: 24 Aug 2010 | 17 comments

I am curious if anyone has played with custom IPS signatures enough to explore some advanced functionality. I am trying to do the following:
- Allow one particular website (google.com in my test)
- Block ALL other HTTP/S traffic to any other websites.
I am well aware of the firewall policy ability to do so, but in my case firewall module is not installed with SEP and I would like to use IPS signature to do so.
I created two IPS policies, as shown below.
Syntax for the first ALLOW one is :
rule tcp, dest=(80), msg="GOOGLE ALLOWED", content="www.google.com"
Syntax for the second BLOCK one is:
rule tcp, dest=(80), msg="HTTP Blocked"

For some reason this is not working, however. Any website I go to, including Google.com, is blocked with "HTTP Blocked" listed in the Security log on the client. Does anyone know what I'm doing wrong here? Is the IPS rulebase not designed to perform tasks like a blanket "deny" with a selective "allow"?
I've seen all the cases discussed here that BLOCK particular website or function; in my case I want to block almost everything and ALLOW particular website or content.
Thanks in advance!

Rafeeq wrote:

Just wanted to make sure that you have followed this before we proceed further :)

How to block/allow website access using the Symantec Endpoint Protection Manager custom Intrusion Prevention Signature policy
http://service1.symantec.com/support/ent-security.nsf/docid/2008070803545448

I know you mentioned the firewall rule, but it's worth a look:
http://service1.symantec.com/support/ent-security.nsf/docid/2009072816443448

http://www.symantec.com/connect/forums/how-block-access-specific-websites-both-url-and-ip-address

How to block all websites and allow only certain websites using a Network Threat Protection Firewall rule.


dimitri limanovski wrote:

Hi Rafeeq,
My Google allow rule is actually based on the first link in your reply, so I'm clear there. Regarding the rest, it's all firewall-based, which won't work in my case.
I'm wondering if an IPS signature in SEP is even capable of blanket-blocking a port and then allowing one exception. I wonder if it's even smart enough to do this, or whether it is strictly for blocking particular sites/addresses.

AravindKM wrote:

Intrusion Prevention System will not work without NTP (firewall). So if you want to use IPS you should have Network Threat Protection installed on the client. If you are having some problem with firewall rules you can withdraw them. For more info refer to the doc below:
Best practices regarding Intrusion Prevention System technology

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

dimitri limanovski wrote:

Aravind,
I misspoke in my original post; we do have the firewall module in place, just no firewall rules defined, so this is not our issue.
Thanks! 

dimitri limanovski wrote:

OK, I played around with firewall policy a little and even then it's still flaky. For example, using this link as a guide, I can do a blanket deny by domain and allow only the necessary domains, but in order for it to work, I need to make the firewall rule active for ALL network services. If I want to lock it down a little more and use domain blocking for the HTTP service only, all of a sudden the rule doesn't work anymore. Has anyone combined the above example with additional conditions and got it to work?

snekul wrote:

I started testing some of the advanced features of NTP and consistently found they were not working as expected. In the end, I found other solutions that worked better for those few instances where people wanted certain things blocked.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

ShadowsPapa wrote:

I am using custom IPS signatures to block certain sites perfectly. It works great.

dimitri limanovski wrote:

Eric,
Thanks for your reply. My findings are identical to yours: it looks like IPS and firewall signatures are best left to block a single particular threat. On paper, these items have a lot of hype and hope, however real-world testing proves that in the current implementation they are close to useless, unless you are dealing with a simple, static threat. That's too bad, because this is one less feature in Symantec that is actually working as advertised.

snekul wrote:

I really suspect that most deployments of SEP don't use these advanced features; most people just don't have the time to tweak these deployments. If more people started trying to use them, getting them working right might become more of an issue. But to some extent, it's always a matter of using the right tool for the job. There are much better tools out there to block URLs and filter the web; the big question is, do you have the budget to buy them.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

dimitri limanovski wrote:

I spent about a week playing with firewall policies and can attest that in my case they proved to be utter garbage. I followed this link to create a test policy that allows nothing but the Symantec domain. Here are my findings, gathered mostly from the Traffic log:
- Initial connection to www.symantec.com is ALWAYS blocked, despite being explicitly allowed (BLOCKED event written in the traffic log)
- Consecutive connections to www.symantec.com are allowed, as expected via the allow rule (ALLOWED event written in the traffic log)
- Occasionally, www.symantec.com would not open, and NOTHING is logged in the traffic log
- When this happens, smc -stop or moving the machine to a different group restores connectivity
So it looks like firewall policies work sometimes, and sometimes they do not; sometimes they log items in the traffic log and sometimes they do not. Obviously, deploying something this unreliable in the enterprise is out of the question. So far the following items have proved useless in SEP despite looking promising at the time of purchase:
- TruScan
- Central Quarantine
- Local LiveUpdate server
- IPS functionality and custom IPS signatures
- Application blocking by checksum
- Advanced location switching based on multiple hardware and network configurations
- Firewall policies
- Virus and malware detection
I think it's time to look for a new product.

ShadowsPapa wrote:

The firewall part won't work well because certain sites have a ton of shared IP addresses!
Block any site that uses Akamai, for example, and you'll find you block other good sites, too.
We tried to block facebook.com and ended up blocking walmart and bestbuy.com as well as Symantec.com!
That's because the same address can resolve to several things.
And it's worse because the state, ICN, has its own Akamai server provided by Akamai, so it resolves here at this lower level, blocking a ton of sites when we try to block just one.
The IPS sigs work perfectly, as you are looking IN the packets and filtering at that level; however, if you get email alerts on IPS intrusions, you'll get tens of thousands of hits a week in your email because, for example, we block twitter.com and facebook.com in the IPS custom sigs, and almost all sites out there like google.com and yahoo.com have facebook and twitter ads, so that counts as a hit as the browser tries to reach out and load those ads!
For example, in the past 3 weeks, I have 13,376 email messages from IPS telling me of all the intrusions, almost all from facebook and twitter ads on other sites!
But no one can get to facebook or twitter, as any packets with those terms inside are blocked.
So it works like a charm, just turn off email alerts LOL.
The firewall works, but you block a ton of stuff like I said thanks to Akamai.

snekul wrote:

It is exactly for that reason that I'd recommend anyone interested in blocking more than just a handful of sites look at a solution that is designed for this purpose. They use a combination of IP and DNS filtering to granularly allow and deny websites, sometimes on the fly by the type of content. But if you only need to block a small number of sites and SEP gets the job done for you, then save your money.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

ShadowsPapa wrote:

There are FREE versions of software that do the same things as "Websense", for example, if you really need web content filtering, etc.
But for the smaller stuff, yeah, SEP is fine.
It's like any tool: sometimes the dedicated tool is the best for huge jobs. SEP was never intended to compete with the dedicated web content filtering products.

dimitri limanovski wrote:

Gentlemen,
I agree with your points regarding big deployments and complicated tasks. However, in my case I'm testing this on TWO machines, using Symantec's vanilla example: block all sites, allow ONLY Symantec.com. Yet even at this level I can't say whether it works reliably. Like I said above, if I enter www.symantec.com, the initial connection is ALWAYS blocked and logged, even though I have an explicit "ALLOW *.*symantec*.* for all services/applications/networks" rule set. A consecutive connection to www.symantec.com will succeed (also logged) and then all of a sudden NOTHING will work and nothing is logged. Again, this is TWO machines with two simple (stupid) firewall rules, as defined in Symantec's own article. I am not doing anything complex or grand, believe me!

Ilovecomputers1234 wrote:
http://www.symantec.com/connect/articles/how-block-internet-address-sep-manager-firewall-rule

I followed the Intrusion Prevention Method instructions above to block a handful of websites such as facebook, using the advice from jomargonzales, and it works well. However, if a webpage has an advertisement for facebook on it, such as this site, I get to the website, but I also get an endpoint pop-up saying facebook is not permitted. Has anyone else had this problem? Thanks.

Grant_Hall wrote:

<a href="http://www.facebook.com/kay.bell" title=" " target="_TOP" style="font-family: &quot;lucida grande&quot;,tahoma,verdana,arial,sans-serif; font-size: 11px; font-variant: normal; font-style: normal; font-weight: normal; color: #3B5998; text-decoration: none;"> </a>
<br/>

<a href="http://www.facebook.com/kay.bell" title="Kay Bell" target="_TOP">
<img src="http://badge.facebook.com/badge/585906172.1721.1498906036.png" width="120" height="305" style="border: 0px;" /></a>

<br/><a href="http://www.facebook.com/facebook-widgets/" title="Make your own badge!" target="_TOP" style="font-family: &quot;lucida grande&quot;,tahoma,verdana,arial,sans-serif; font-size: 11px; font-variant: normal; font-style: normal; font-weight: normal; color: #3B5998; text-decoration: none;"> </a>

Here is a little bit of the HTML from the page in the link above. I think this is specifically being blocked when this image, http://badge.facebook.com/badge/585906172.1721.1498906036.png, is loaded from the facebook servers. To test this, please visit this link on one of your computers that has the IPS signature and see if the pop-up happens.

How many sites does this happen on? Is it mainly that one site? If it is, I might have a workaround for you, but if it is many sites then it might not be the best solution.

Cheers
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )
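ShadowsPapa's post above describes why a content-string IPS signature for facebook.com fires on every third-party badge or ad a page embeds, and Grant's post narrows one such hit down to the badge image fetched from badge.facebook.com. The script below is an added illustration, not code from the thread or from Symantec: it models the thread's signature syntax as a plain substring search over the raw HTTP request text, runs it over a constructed set of client requests, and then splits the resulting hits into direct navigations versus embeds keyed by the page that pulled them in. That split is what lets an administrator keep the block but stop treating ad loads as intrusions. The request sample, the `render_request`/`evaluate`/`triage` helpers and the first-match evaluation order are all assumptions; SEP's real packet inspection and rule ordering are not documented in this thread.

```python
import re
from collections import Counter

# Constructed sample of outbound HTTP requests from one client (hypothetical data).
# Requests with an empty referer are pages the user typed in; the others are
# resources the browser fetched on the page's behalf (ads, badges, widgets).
SAMPLE_REQUESTS = [
    {"host": "www.google.com",       "path": "/search?q=sep",               "referer": ""},
    {"host": "www.facebook.com",     "path": "/plugins/like.php",           "referer": "http://www.google.com/search?q=sep"},
    {"host": "lifehacker.com",       "path": "/",                           "referer": ""},
    {"host": "badge.facebook.com",   "path": "/badge/585906172.1721.1498906036.png", "referer": "http://lifehacker.com/"},
    {"host": "platform.twitter.com", "path": "/widgets.js",                 "referer": "http://lifehacker.com/"},
    {"host": "www.facebook.com",     "path": "/",                           "referer": ""},  # typed in directly
]

# Signatures modelled on the thread's syntax: the content string is searched
# anywhere in the packet, exactly as ShadowsPapa describes.
SIGNATURES = [
    {"msg": "FACEBOOK BLOCKED", "content": "facebook.com"},
    {"msg": "TWITTER BLOCKED",  "content": "twitter.com"},
]


def render_request(req):
    """Build the raw HTTP/1.1 request text that a content signature would inspect."""
    lines = [f"GET {req['path']} HTTP/1.1", f"Host: {req['host']}"]
    if req["referer"]:
        lines.append(f"Referer: {req['referer']}")
    return "\r\n".join(lines) + "\r\n\r\n"


def evaluate(requests, signatures):
    """Return (msg, host, referer) for every request that fires a signature.

    First matching signature wins for a given request (an assumption, not SEP's
    documented behaviour). Every hit here would become one alert e-mail."""
    hits = []
    for req in requests:
        raw = render_request(req)
        for sig in signatures:
            if sig["content"] in raw:
                hits.append((sig["msg"], req["host"], req["referer"]))
                break
    return hits


def embedding_host(referer):
    """Extract the host of the page that embedded the blocked resource."""
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1) if m else referer


def triage(hits):
    """Split hits into direct navigations (user went to the blocked site) and
    embeds (a third-party page loaded a blocked resource), keyed by host.

    Direct hits are the policy doing its job against a user; embedded hits are
    the ad noise the thread complains about and can be summarised, not mailed."""
    direct, embedded = Counter(), Counter()
    for msg, host, referer in hits:
        if referer:
            embedded[(msg, embedding_host(referer))] += 1
        else:
            direct[(msg, host)] += 1
    return direct, embedded


if __name__ == "__main__":
    hits = evaluate(SAMPLE_REQUESTS, SIGNATURES)
    direct, embedded = triage(hits)
    print(f"{len(hits)} signature hits in total")
    for (msg, host), n in direct.items():
        print(f"direct   {msg:17} {host:22} x{n}")
    for (msg, page), n in embedded.items():
        print(f"embedded {msg:17} via {page:18} x{n}")
```

Run as-is, four of the six sample requests fire a signature, but only one of them is a user actually going to facebook.com; the other three are the like-button, badge image and twitter widget pulled in by google.com and lifehacker.com. Grouping by the embedding page is the figure worth alerting on, and it also gives a short list of sites to check when, as in the posts above, the pop-up appears on a page nobody intended to block.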

Ilovecomputers1234 wrote:

Grant,
I have only seen this a couple of times so far. This also happened to me on bigtent.com and on lifehacker.com. Please let me know your workaround. Thanks again!