This article is the fifth installment in an ongoing series of articles on how to utilize SEP 12.1 for Incident Response. Links to the previous four are below:
- How to utilize SEP 12.1 for Incident Response - PART 1
- How to utilize SEP 12.1 for Incident Response - PART 2
- How to utilize SEP 12.1 for Incident Response - PART 3
- How to utilize SEP 12.1 for Incident Response - PART 4
In this article, I will explain and demonstrate how to use the SEP 12.1 firewall component during an Incident Response. If used properly, the SEP 12.1 firewall is a valuable piece of the security puzzle that gives you very fine-grained control over the traffic your clients generate.
When creating my Incident Response group in the SEPM, I took a few issues into consideration:
- I could not completely stop my users from working as this would have a negative impact to the business.
- Internal traffic needed to flow uninterrupted, as well as traffic to our external-facing apps.
- Which rules would I log, and did I have enough space to accommodate the extra logs?
I ended up creating six rules for my Incident Response firewall policy. Order matters, because the first rule that matches a connection wins, so they are listed from top to bottom as follows:
- Block Malicious Hosts
- Allow Valid Domains
- Allow Application Traffic
- Allow Internal Traffic
- Allow External Traffic
- Deny Internet Access
Some further detail on the rules:
The Block Malicious Hosts rule allows me to add any host that I deem to be a threat to our environment. These mainly consist of known C&C hosts or hosts that I've identified via some of our other security layers that tell me we may have had a breach. It sits at the top so that a malicious host is blocked even when a later rule (a trusted domain or an allowed application) would otherwise have permitted the traffic. This rule is logged.
The Allow Valid Domains rule allows me to add any host that I know to be safe. For example, *.microsoft.com, *.google.com, etc. I trust that these are safe and allow our clients to access them. This rule is not logged.
The Allow Application Traffic rule allows me to specify which apps I will allow to send traffic. As of now, so my clients can access the web or external-facing apps, Internet Explorer is allowed. This rule is not logged. Keep in mind that an application rule trusts the process identity, so anything that runs inside or as the allowed browser process will be permitted by this rule as well.
The Allow Internal Traffic rule ensures that my internal traffic can flow uninterrupted and not break the business. For example, you can setup the rule to allow all traffic from 10.0.0.0-10.255.255.255. This rule is logged.
The Allow External Traffic rule allows access to external company assets. Again, this is so the business can still function during an Incident. This rule is logged.
The final rule, Deny Internet Access, blocks any traffic that does not match the first five rules. This is the most crucial rule to have logging turned on for. It will give you the best idea of what type of traffic a client is generating and what it is trying to do, and a client that keeps hitting this rule is a good candidate for a closer look.
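To make the ordering and logging behaviour concrete, here is an added example (my own illustrative code, not the SEPM rule engine or anything from the original post) that models the six rules as an ordered, first-match policy, runs a handful of constructed connections through it, emits log lines only for the rules that have logging enabled, and then flags clients that repeatedly hit the catch-all deny rule. The host names, IP addresses (from the documentation ranges) and process names are all made-up sample data.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model of the six-rule Incident Response policy.
# Illustrative only: hosts, IPs and process names are hypothetical sample data.


@dataclass
class Flow:
    src_host: str   # client generating the traffic
    app: str        # process name on the client
    dst_ip: str
    dst_name: str   # resolved destination name, "" when unknown


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    log: bool                      # whether a hit is written to the log
    match: Callable[[Flow], bool]


MALICIOUS_HOSTS = {"198.51.100.23", "bad-cnc.example.net"}   # constructed C&C indicators
VALID_DOMAINS = ["*.microsoft.com", "*.google.com"]
ALLOWED_APPS = {"iexplore.exe"}
INTERNAL_RANGE = (ipaddress.ip_address("10.0.0.0"), ipaddress.ip_address("10.255.255.255"))
EXTERNAL_ASSETS = {"203.0.113.10"}                           # constructed external company asset


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return INTERNAL_RANGE[0] <= addr <= INTERNAL_RANGE[1]


def domain_matches(name: str) -> bool:
    return any(fnmatch.fnmatchcase(name.lower(), pattern) for pattern in VALID_DOMAINS)


# Rule order is the policy: the first rule whose match() returns True decides the flow.
POLICY: List[Rule] = [
    Rule("Block Malicious Hosts", "block", True,
         lambda f: f.dst_ip in MALICIOUS_HOSTS or f.dst_name.lower() in MALICIOUS_HOSTS),
    Rule("Allow Valid Domains", "allow", False, lambda f: domain_matches(f.dst_name)),
    Rule("Allow Application Traffic", "allow", False, lambda f: f.app.lower() in ALLOWED_APPS),
    Rule("Allow Internal Traffic", "allow", True, lambda f: is_internal(f.dst_ip)),
    Rule("Allow External Traffic", "allow", True, lambda f: f.dst_ip in EXTERNAL_ASSETS),
    Rule("Deny Internet Access", "block", True, lambda f: True),   # catch-all, must stay last
]


def evaluate(flow: Flow) -> Rule:
    """Return the first rule that matches, exactly as an ordered firewall policy does."""
    for rule in POLICY:
        if rule.match(flow):
            return rule
    raise RuntimeError("policy has no catch-all rule")


def apply_policy(flows: List[Flow]) -> List[Tuple[Flow, Rule]]:
    return [(flow, evaluate(flow)) for flow in flows]


def firewall_log(results: List[Tuple[Flow, Rule]]) -> List[str]:
    """One log line per hit, but only for rules that have logging enabled."""
    return [f"{f.src_host} {f.app} -> {f.dst_name or f.dst_ip} {r.action.upper()} rule={r.name}"
            for f, r in results if r.log]


def suspicious_hosts(results: List[Tuple[Flow, Rule]], threshold: int = 3) -> List[str]:
    """Clients whose traffic hit the catch-all deny rule at least `threshold` times."""
    counts = {}
    for f, r in results:
        if r.name == "Deny Internet Access":
            counts[f.src_host] = counts.get(f.src_host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= threshold)


def sample_flows() -> List[Flow]:
    """Constructed sample connections, one or more per rule."""
    return [
        Flow("ws01", "iexplore.exe", "198.51.100.23", "bad-cnc.example.net"),  # blocked despite IE
        Flow("ws01", "svchost.exe", "192.0.2.50", "update.microsoft.com"),     # trusted domain
        Flow("ws02", "iexplore.exe", "192.0.2.34", "www.example.org"),         # allowed application
        Flow("ws02", "outlook.exe", "10.20.30.40", "mail.corp.local"),         # internal range
        Flow("ws03", "evil.exe", "203.0.113.10", "portal.example.com"),        # external asset
        Flow("ws03", "evil.exe", "203.0.113.77", ""),                          # catch-all deny
        Flow("ws03", "evil.exe", "192.0.2.15", ""),                            # catch-all deny
        Flow("ws03", "evil.exe", "192.0.2.16", ""),                            # catch-all deny
    ]


if __name__ == "__main__":
    results = apply_policy(sample_flows())
    for line in firewall_log(results):
        print(line)
    print("suspicious:", suspicious_hosts(results))
```

Two things the run makes visible: the connection from Internet Explorer to the C&C host is blocked because Block Malicious Hosts is evaluated before Allow Application Traffic, and only six of the eight flows produce log lines, since the two "allow" rules without logging are silent. The unknown process on ws03 hitting the deny rule three times is exactly the pattern the logged catch-all is there to surface.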
The key to remember here is that these rules work for my environment and may not work for yours, but with some tweaks you can get them to fit your environment. Make sure to have some discussion and level-set expectations before you roll a policy like this out. If you can completely lock everything down, I envy you :) but for me it is not a reality.
This setup does help to quickly identify possibly infected machines and get them off the network as quickly as possible for further investigation.
I hope this article gives you some better ideas on how to use the SEP 12.1 firewall. Please drop me a line if you have any questions.
Comments/Questions/Criticisms are welcome!