Endpoint Protection

  • 1.  Windows Server without Firewall feature but with IPS - make it sense?

    Posted Apr 06, 2016 09:39 AM

    Hello community,

    At the moment I'm testing SEP to replace AVIRA on our network.

    The clients are running fine, now I want to test SEP on the first server.

    Handling all the needed firewall ports could be very complex on a few servers, and I am thinking about installing only the IPS component, not the firewall. What is your experience: does it run fine, and does it make sense to leave the firewall uninstalled?

    I mean, Symantec made it possible in version 12 to separate these features, so I think installing only IPS is definitely an option to get more network protection without the complex handling of firewall rules.

    We are talking only about internal servers I want to protect - public servers are on a much higher level of security and in another part of the network.

     

    Your help and experience is much appreciated, thank you!



  • 2.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted Apr 06, 2016 09:42 AM

    Personally, I would install the firewall as well. You can always withdraw the firewall policy so traffic passes through. Or you can edit the default firewall policy to allow all traffic, which will give you time to test.

    Both components are supported on Server OS so you should be fine. Just be careful with IPS on a high bandwidth server.

    See here:

    Best practices for Endpoint Protection on Windows servers

    Intrusion Protection System (IPS) helps to block attacks and threats based on network traffic. In most cases, using IPS is recommended to prevent against non-file based attacks against servers. The exception to this rule is that, in some cases, IPS can interfere with the operation of high-load or high-throughput servers. Symantec defines high-load or high-throughput as meeting one or all of the following criteria:

    • Average CPU utilization of 35% or more

    • Average TCP/UDP throughput of 300 Mbps or more

    • Use of NIC teaming technology
       

    If a server meets one or more of these criteria, Symantec recommends testing the SEP client on a server in a lab environment that can simulate peak production demands on the system in order to gauge performance before deciding whether it is feasible to use IPS-dependent features on the server. The IPS component was designed, implemented and tested for network speeds up to 1GB/s. It is expected that there will be a performance impact for networks beyond this speed. IPS-dependent features include Advanced Download Protection, SONAR, and IPS itself.



  • 3.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted Apr 08, 2016 05:08 PM

    I understand that you prefer not to install the firewall as it will be difficult to configure and manage (which it is not). Anyway, the only other reasons that you need the firewall on the machine would be to use risk tracer (a feature of SEP which uses the firewall to find the source of a network spread infection) and Unmanaged detector (a feature of SEP that allows you to identify the unmanaged computer in the network). For the above 2 features to work, it is enough to just have the firewall installed; you can even withdraw the firewall policy so that all the traffic will be allowed. If you are not planning to use these features and if you prefer not to have the firewall on the server, you don't need to install the firewall component. Just make sure that the server is in a secured network.



  • 4.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted Apr 12, 2016 08:43 AM

    Hi baschu,

    I recommend installing firewall and IPS.  The more defenses, the better!  IPS is absolutely essential IMHO. 

    SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy
    https://www-secure.symantec.com/connect/articles/sep-times-city-helpful-symantec-endpoint-protection-analogy

    Hope this helps!

    Mick



  • 5.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted Apr 13, 2016 04:34 AM

    Hello guys,

    Thanks for all your help and the links to the very interesting articles, much appreciated! :-)

    Now it's clear to me that I must install the firewall and IPS to achieve good protection. If I'm honest, I have underrated IPS a little bit; now I know how important it is. The explanation with the City was also very nice for understanding this.

    I didn't know about the risk detector until now, very nice feature! I just enabled it in our policy.

    So now I will test it on the server, maybe I have another question and will write again in this thread ;-)

     

    Thanks and have a nice day!

     



  • 6.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted May 02, 2016 10:40 AM

    Hello again,

    Tomorrow I start the rollout of SEP on our client computers as a first step, and at the moment I'm thinking again about what the best practice is for our Windows file, DB, web, Exchange and AD servers.

    I have read a lot about it, but I'm still not sure what's best for each type of server.

     

    File-Server: Only AV without any other features and only scan modified files with AutoProtect? It has several volumes with more than 2 TB - is a monthly complete scan a good idea? Do you think I should install any of the other features like IPS and Firewall?

    DB: I would only install AV, configure exclusions for the DB files etc and would also only scan with AutoProtect on modified files.

    Web: I would install the complete package except SMTP, Outlook scanner etc. - Would you install Insight and Sonar?

    Exchange: Only AV and exclusions for DB files or also Firewall and IPS because it's also hosting the Webmail?

    AD-Server: Only AV?

    TS-Server: I would install the complete package because users are using Outlook etc. - what do you think?

    Normal member servers which are hosting several applications: Complete package except Outlook-Scanner etc.?

     

    Generally, on the servers where I would install the firewall, I would start with allow-all inbound/outbound rules with IPS enabled and see what happens.

     

    How would you proceed?

    The clients are all fine and not the problem... but the servers keep me thinking.

     

    Thank you! Every help is much appreciated.



  • 7.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted May 09, 2016 08:35 AM

    No idea? :-/

    I have thought about it over the last few days and would only install AV, Firewall + IPS on our servers. Firewall at first with allow all in/out to see what's needed. On our ERP-system servers I would only install AV, nothing else. It's a very sensitive system...

    Do you think I should install SONAR? As I understand it, SONAR has to inject code into other applications to find abnormal programs, and this could maybe cause some trouble with sensitive server applications.

    What is your experience with SEP on servers?



  • 8.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted May 09, 2016 08:37 AM

    No reason to not install all components on servers except for those that are business critical (AV only). I would also start out putting the firewall in allow only mode to monitor to see if any adjustments need to be made.

    SONAR is fine. It's ADC that injects code, not SONAR.



  • 9.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted May 09, 2016 09:02 AM

    ADC=Application and Device control?

    Ahh, ok. I thought Sonar must also do that to detect strange applications.

    OK, so I will start on less important servers with full protection and allow all firewall rules to see if that works.

    Thanks for your input and clarification.



  • 10.  RE: Windows Server without Firewall feature but with IPS - make it sense?

    Posted May 09, 2016 09:04 AM

    Yes, ADC is application/device control.

    Sounds good.